#HowTo Choose a Link Analysis Tool

Written by

Cybersecurity investigations are important, but often time-consuming and difficult, tasks. Analysts collect any and all known information and manage it in a list of potentially malicious artifacts, and use multiple tools to perform threat identification and store indicators of compromise (IOCs).

They often use spreadsheets or word documents to combine information from TIP, SIEM, instant messages, and emails to stitch together their analysis. Each investigation is an independent body of work, and proper analysis relies heavily on the analyst’s expertise.

Link Analysis: A P.I.’s Corkboard for Threat Intelligence
Link analysis tools bring simplicity and clarity to cybersecurity investigations by functioning like a private investigator’s corkboard. These tools visualize data and draw relationships between otherwise disparate pieces of information, allowing analysts to streamline investigations.

It is monumentally easier to identify commonalities across data when the analyst can see the relationship instead of having to match text strings in a list. 

Current Challenges
While link analysis tools can be immensely helpful, many have a steep learning curve or require heavy manipulation and organization of data to put it in a format the tool can consume. They can be cumbersome, time-consuming, and difficult to integrate with other tools.

Many solutions only offer visualization, requiring separate tools to complete investigations. Analysts must also search for a format to share the finished intelligence while maintaining the context of the investigation and protecting sensitive data.

It is important to choose a tool that operates swiftly, simply, and securely. When evaluating and choosing a link analysis tool, consider the following:

How easy is the tool to use, and how does it address your team’s needs? 
Ultimately, tools need to be evaluated on how well their features and capabilities meet the organization’s requirements and objectives. A link analysis tool can save significant time by pulling disparate tools, communication methods, and processes into one space.

Consider the return on investment for this tool, both financially and in terms of impact on your team, their time, and their investigations. For optimum efficiency, the platform must be user-centric and intuitive.

Examine the inputs and outputs of your team’s processes. Look at how data is imported and what formats are supported. Are there built-in intelligence datasets and integrations with data providers? Does the tool seamlessly integrate with existing investigation tools and repositories?

Finally, examine how the finished intelligence can be used, exported, and integrated with your security stack to close the investigative loop. Does the platform provide a simple method for translating your data and visual mapping into a narrative report for non-analyst consumption?

Evaluate how well the solution fits in the workflow of the team. The platform should be able to support real-time, live team collaboration across geographies, and--ideally--this should extend to collaboration with partners outside your organization.

What does deployment, maintenance, and total cost of ownership look like?
Look for a solution with a simple and straightforward procurement and deployment process. Think about how much software and/or hardware you will need to install, and whether or not the vendor supports regular platform updates. Who is responsible for performing maintenance, and what will that entail? Does the tool have a steep learning curve or long training process before you can use it effectively and see a return on your investment?

Consider the costs associated not only with purchasing the tool or license subscription, but also with development, integration, operations, and maintenance required to effectively use the tool as part of a holistic intelligence program.

How does the tool store your data and investigations?
To aid future investigations, intelligence and IOCs should be preserved for analysts to easily search and access their previous work. With a native, centralized investigation repository, prior investigations inform new investigations, analysts aren’t required to comb through their email archive files and file shares to get started, and duplicative work is avoided. This can help to identify patterns, compare behaviors, and assist with attribution.

This also ensures that if an employee leaves the company, the team can still access and benefit from that employee’s previous work.

Examine the platform’s security controls, source code origins, and data protections. Ensure that the infrastructure and application are secure to your standards and risk tolerance. You should be able to request information about application controls, penetration testing, and infrastructure or cloud security controls and confirm that measures are in place to mitigate intentional or unintentional misuse of company data.

Modern link analysis platforms are moving beyond merely visual graphing to provide a robust, integrated platform that empowers analysts to perform, manage, share, and deliver intelligence between individuals, teams, and organizations.

When matched appropriately to your team’s needs, a link analysis platform can expedite investigations, improve morale, and keep an organized library of data to aid future investigations.

What’s hot on Infosecurity Magazine?