The echoes of investors have started a buzz about the need for new investigative / intelligence platforms, far more than there has been in the past few years. The buzz will only gain more traction as more folks try their hand at a platform for recurring revenue.
In typical fashion, venture capitalists and technology enthusiasts who may not have a background in investigations have been creating new investigative / intelligence platforms in hopes of catching the wave of recurring revenue. There is nothing wrong with this, but there are a few realities that need to be addressed.
3rd Party Integration? What type of Workflow Methodology Exists?
The first problem a platform needs to consider is how it will integrate with other data sources. Success will hinge on integrating easily with data sources or discrete actions from 3rd party providers.
A sub-consideration tied to third party integrations revolves around the platform defining different workflows or methodologies. A few perspectives on different types of platforms follow:
- Is the platform going to be a target-centric analysis platform? An excellent example of target-centric is Maltego, where each piece of data can be discretely acted upon.
- Will the platform operate as a case management system? A great example of a fantastic case management system is Kaseware. Kaseware’s founders, in a former life, wrote the FBI’s case management software; this is their second or third case management platform. They are amazing at case management, and their platform is rooted in this birthplace. Kaseware has also significantly excelled by adding more target-centric functions.
- Other platforms with less success operate on what I call consulting and research at scale. They publish “intelligence” in a portal or make it accessible via an API. This isn’t a platform, but a presentation layer wrapped around unknown analysts.
- The persistent monitoring platform (similar to our OIMonitor) focuses on tailored collection, monitoring, and alerting setups. This is vastly different from a platform that enables OR, target-centric analysis, or link analysis.
- Platforms like IBM or Datawalk fill very specific niche markets and problem sets as well. For instance, Datawalk (in my opinion) is likely the replacement for Palantir. (Palantir has suffered more than one black eye in the last few years in federal government and local government circles.)
- Miscellaneous other platforms will also include crap-maps (I mean heat maps), mixed with some type of geofencing-type functionality that looks cool but may or may not represent reality.
The problem the analyst truly needs to consider is their workflow: how each platform will augment a particular capability or need, how it combines with data and other actions outside of that platform, and how you can capture data from outside the platform into a more substantial internal system.
Forget about how you feel about the platform.
The second thing to consider when building (or buying) a platform is the simple fact that you aren’t a snowflake. Others have come before you and others will evolve past you, and I say this even as we have had different tools in place for various platforms over the years. If I had to guess, I talk to three to five new platforms on the market every month, and the snowflake syndrome is a reasonably common demeanor. Everyone drinks their own Kool-Aid (even us, who are we kidding?); just know you are drinking some dense Kool-Aid.
Be aware of how you feel about your platform and try to remember what the end users / analysts need. More often than not, your users want to use your platform with a 3rd party enhancement.
What about Provenance? Does the Nationality of Developers Lend Confidentiality and Trust?
Some of the deeper questions that need to be asked about a platform revolve around provenance.
- Where are the developers, who are they influenced by, and what political realities may be in play?
- We can’t be tone-deaf nor ignore that there is a chance that some “platforms” or “threat intelligence” groups may not be who they appear to be.
- Can you meet the team? Do they offer source code audits?
- What is the company demeanor like?
- Are they bootstrapped or VC backed? (Both are good, but how can you engage in dialogue, and what does the demeanor tell you?)
- Can the platform be on-prem or is it only in the cloud?
We haven’t even arrived at the operational uses yet, I know, I know. As we have integrated overtly and behind the scenes into many platforms over the years, I have seen the gamut.
End users always want enhancements, and backers of a platform want the promise of recurring revenue. Sadly, many platforms fall by the wayside because they focus only on a platform and not on the way their platform can be unique while also leveraging different data sources.
Many analysts complain about Maltego in various forms, but Maltego solved one problem most elegantly that many others still have major trouble doing correctly today: 3rd party integration, and allowing a community to grow or die based on their data sales, etc.
Many analysts need a platform that only enables target-centric analysis as the first level of collection and investigation; all other processes can be augmented elsewhere or prioritized at a different time.
In contrast to Maltego, one of the benefits of a case-centric platform like Kaseware is how it can enable on-the-go investigation, correlation, and data distillation into intelligence across many physical boundaries. While there are things I like better in the target-centric approach of other platforms, I do like the on-the-go nature and affordability of Kaseware, and the enterprise nature of persistent correlation in Datawalk. Something to consider.
What Can You Do?
If there is one thing you can do within your platform, or within the platform you are funding or purchasing, it is to ask one simple question.
- How fast can you integrate with a 3rd party data provider? If the answer is “What type of data connectivity do they have? Usually 2-3 weeks…”, you probably have a platform worth considering, as this will enable 3rd party data to legitimize a platform you already enjoy.
If the platform doesn’t have 3rd party add-ons, does the platform have full data or metadata?
Always ask how you can get your data out of a platform.
Concluding – there will be a rise in many platforms this year. Architecture, planning, and third party integration will be essential, while secondary questions of investigative methodology will also drive your decision. Look past the geofence and promises of sentiment analysis and AI on everything. Look at the practical nature of a platform that is legitimized by data brokers.
With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel-gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.
Daniel is a member of Odonata Holdings, Inc.