Performing security, threat, and fraud investigations have been in practice as long as there have been adversaries. The most common way to perform these investigations is to collect all the known pieces of information and manage them in a list of potentially malicious artifacts. Each investigation is done as an independent body of work relying heavily on the analyst’s expertise to draw relationships between the pieces of information and identify overlaps between investigations. In an effort to more easily understand these relationships, some analysts turn to link analysis tools. While these tools have helped analysts individually investigate threats, today’s security teams need to work as exactly that – TEAMS – and this is where current link analysis tools fall short.
So what is link analysis anyway?
Similar to a criminal investigator’s cork board, drawing connections between pieces of data (people, locations, evidence, and events) with string and thumbtacks, a link analysis tool exposes the relationships between those pieces of data. Often times, these relationships are more important than the data itself. Investigators started using these because a visual map of data is more intuitive than lists.
- Link analysis helps draw out visual commonalities between complex data as well as outliers to help target the investigation
- Human brains are largely wired toward processing visual information so analysts spend less time scanning to discover and identify trends and interconnections
- Link analysis helps keep track of the information in context so it is easier to refer back to the body of work at a later time
Why do you need a new link analysis tool?
Using link analysis to perform security, threat, and fraud investigations is not a new practice, especially considering the ever growing volume of data available to analysts. There are legacy tools that enable analysts (at least those who know how to use them) to visualize relationships between pieces of data to help them on their journey. However, many of the tools come with a steep learning curve, are challenging to use, and/or require some heavy lifting to get the data in the right shape for the tool to consume. Unfortunately, this often leaves analysts turning back to their spreadsheets and lists to collect and analyze data, which is both cumbersome and time consuming.
Legacy tools are also very much stand-alone tools that don’t integrate well – if at all – with other tools used during and after an investigation and results from individual analysts’ investigations are not easily shared. Working in a collaborative team setting, team members are typically required to export research and share via long, complicated email threads in an attempt to “collaborate.” Sharing information outside of an analyst’s own organization, say with industry experts or outside vendors with specific expertise is even more complicated – how do you share trusted information without risking exposure? These limitations only add to the burden that security analysts face today and leave them spending more time on manual processes and administrative tasks than on security.
Modern, enterprise link analysis platforms like Avalon enable analysts to move beyond a simple graph of relationships between data points and provide a platform to both perform, manage, and deliver intelligence between individuals, teams, organizations, and sectors. Platforms have moved to the cloud and are focused on user-centric design making link analysis available to anyone, anywhere while simplifying the user experience. Simple data ingestion via API integrations enable users to easily pull in data which is automatically correlated and displayed on the graph so users can easily and quickly use the visual result to find potentially malicious entities based on relationship commonality. Lastly, the best of breed tools move beyond the visual and allow analysts to seamlessly move from data to finished intelligence quickly, storing investigations centrally so entire teams can leverage each other’s works without relying on archives, word of mouth, or subject matter experts.
What should you look for in an enterprise-grade link analysis platform?
|Enterprise Platform||Legacy Tools|
|Real-time, live collaboration||Purpose-built collaboration through chat, live-action link-node graph, and report builder
Flexible sharing model to collaborate inside and outside of an organization as desired
|Requires additional servers and tools to accomplish collaboration and is not central to the investigation process|
|Native centralized investigation repository||All investigations are stored centrally and can be accessed by anyone authorized, anywhere.
Prior investigations become data sources to inform new investigations to prevent duplicative work
|None, each investigation is essentially independent from each other and cannot be used as a centralized knowledge base.
Often times sharing involves emailing archive files.
|Built-in Intelligence Datasets||Multiple cyber threat intelligence feeds are included and continue to grow with no quota limitations
Additional feeds require a simple API key entry to access
|Limited data feeds provided, all with a quota limit. All queries are routed through servers located OCONUS and often times requires management of connectors|
|Seamless investigation workflow||Designed by analysts, for analysts.
Specifically tier 3+ analysts with over 20 years of combined experience supporting US Civilian and DoD activities to ensure that investigations follow a best practices workflow
|Many legacy tools were designed to be open source, flexible link node analysis tools and therefore do not have a common investigation pattern|
|Simple reporting for non-analyst consumption||Seamless one-click transition between the visual investigation to an narrative investigation report asset||No, legacy tools were often designed just to surface relationships between entities and not as a fully featured investigation platform|
|Platform Updates||Built as a SaaS platform allowing for weekly updates weekly and rapid response to customer feedback||No, legacy tools often follow a traditional application development structure with minor releases occuring on a 6 month cycle and major releases every 2-4 years|
|Software Installation||Nothing to install, ever.||Requires installation of the client application and Java at a minimum for local non-enterprise use with the installation of at least 3 additional servers to support a team.|
|Development, Operations and Maintenance Costs||None, all development, operations, and maintenance is performed on behalf of customers, including new data feed integrations||Legacy tools require onsite staff to install, maintain, update, and support multiple layers of software on the client and server. Additionally integration building is left up to the organization.|
|Procurement||Simple subscription model to procure Avalon and out-of-box data feeds.||Complex IT implementation project is required for installing client and server applications as well as O&M|
|Company Location||King & Union is located in Alexandria VA with all development, operations, maintenance, and hosting within the United States||Unknown origins, many foreign sourced code and developers|
It’s time for a change
It’s time for an enterprise link analysis platform to perform the most important activities within an organization. Stop relying on out-dated tools shrouded in secrecy that require hours of training just to become proficient in the tool let alone get data into them reliably and move into the open where sharing and collaboration become the norm and static graph images pasted into documents are a thing of the past. Using these new tools, analysts save significant time gathering upfront data to begin their investigations, performing data enrichment and correlation, and generating outputs required by operators and executives alike.
Ready to try something new? Click below to schedule a demo and register for a free Avalon account. Let us show you how Avalon can help your team work together, faster, and streamline your investigation process.