FloCon 2018

This presentation walks through a three-part model of analytic development and applies it to a series of analytic problems. The first part is single-path development, directly suited to triage and incident-response-related problems, where query and summarization provide a focused series of results. The second part is multi-path development, where different pools of data must be separately queried and analyzed, then integrated into the results of interest – a process which is more suited to capabilities estimation, both on the aggressive and defensive sides. The third part is exploratory development, where dynamic associations must be constructed and applied in both a conditional and iterative manner to isolate behavior of interest – a process which is more suited to identification of unknown threats and clarifying new network behaviors. Through a series of examples, ranging from network flow data, network inventory data, and passively-collected domain data, this presentation will both clarify this model and apply it to several sorts of data relevant to network security. Taken together, this model provides a structure by which the effort involved in analytic development can be regularized and organized. Such structure can permit application of maturity models, whereby more predictable, repeatable, and manageable effort can be applied. It can also identify cases where the currently-established processes may not be sufficient to meet the need in analytical development.

What will attendees learn?
The presentation will aid attendees by providing a structure in which the effort involved in developing analytics can be scoped, structured, and tracked. This will help to make this effort more organized and more manageable.