Detective work requires the correct mind-set, which is proactive and forward looking. Because of this, detectives are unique within a craft that is primarily reactive in nature: crime occurs, cops arrive. When a suspect commits a murder, it is the detective who reviews the evidence with an eye towards prosecution, determines how the emerging fact pattern will affect the investigation going forward, seeks the truth and then proactively hunts down the bad guy. It is the proactive work of a detective that results in a handcuffed bad guy and a community no longer in fear. Detective work also requires an acknowledgment by the practitioner that it is he or she who shoulders the responsibility for creating a better future for the community they serve. The rest of law enforcement is there to disrupt and respond. It is the work of the detective that results in a safer community, because the bad guy is in prison.

Is InfoSec not the detective equivalent for the global cyber community? And is the front-line security analyst not the practitioner who shoulders the responsibility of safeguarding the organization for which he or she works? Of course they are. InfoSec needs to embrace this role and fix the fact that the craft has not provided the proper tradecraft tools for its detectives to be successful. InfoSec has been stuck in “detect and report” for far too long. Detect and report all you want, but the bad guy is still free to have his way with your data. As a homicide detective, if all I did was detect that a murder had occurred and create a report, I would have…well, I would have InfoSec as we know it today.

The evidence InfoSec needs to move beyond “detect and report” is out there. The data exists. In fact, it exists and is available within the systems that most organizations already have! How did Yahoo figure out that they had been compromised three years prior to knowing it? Same for the OPM breach? By looking at existing data they already had in their possession! You want your analysts to see that data and make sense of it more often than on a bi-annual basis? Get ‘em the right tools and professionally develop them with a detective’s mind-set.

The same holds true for InfoSec managers. If you can provide managers with an investigative effort summary, or what detective supervisors call “case briefings”, they will remain situationally aware of the threats within their network. By being able to review the entire investigative effort of a SOC, for example, a manager will be able to see patterns or trends not visible within a single case. This will then allow for some level of predictive analysis and the ability to template the threats the network may face in the future. Armed with this “Threat Profile”, a manager can anticipate what an attack surface may look like and develop pre-incident indicators for his analysts to be aware of. This same information will facilitate more accurate and timely reporting to the CISO, the CEO, and the Board.

The detective mind-set is the first step towards having security analysts who are proactive and forward looking, SOC managers who proactively assess known network threats and develop pre-incident indicators with which to template future attacks, and a CISO who proactively supports them with the right mix of personnel and effective tradecraft tools. Add in a dash of high-performing team dynamics and InfoSec starts to look like a mature and competent craft.

All of that is what leads to regular conversations similar to…“Hey Boss, I noticed this particular pattern and, based on previously observed MOs, it appears a suspect may be attempting to develop an attack surface capable of circumventing our security measures. I would like to open this as an active case and see if we can ID this guy, develop his modus operandi (MO) and quickly get that information out to the entire InfoSec community before he attacks us or anyone else.”

We have nuclear submarines under the polar ice cap and remote-control cars on Mars. Let’s make this happen already!