Beavers, Analysts, and the Ecosystem of Threat Intelligence
A personal story will help set the scene for this article.
My lovely wife and I got married earlier this year. Rather than beating the weather in Boston by going to some tropical island for our honeymoon, my wife and I doubled down on the cold and went to Jackson Hole, Wyoming. We decided not to test our limited skiing abilities, and instead spent our time touring the valley and the surrounding area.
One of the outings we had lined up was a sunrise wildlife tour of Grand Teton National Park. Despite the elements, the tour did not disappoint. We saw bald eagles and bison, moose and elk, bighorn sheep, and even a coyote. But there’s one animal we didn’t see that caught my attention — one that got me thinking about the ecosystem that is threat intelligence.
Engineers of the Ecosystem
During the tour, I asked our tour guide the following question: What one animal, if removed from the ecosystem, would cause the whole ecosystem to collapse? His answer caught me by surprise.
“Beavers,” he said.
Not elk, not bison, not birds of prey, not some other large animal that might serve as the poster creature for a place as large as Grand Teton National Park. Beavers. This answer might be obvious to those better acquainted with natural ecosystems than me, but my ignorance led me to wonder, “Beavers? Really?”
Through the dams they build, however, beavers create grounds for other species to thrive. This is true both for animals in the nearby environment and for riparian vegetation. Native Americans have referred to beavers as the “sacred center” of the land, underscoring the central role they play in the lands they inhabit. Indeed, our guide referred to beavers as “ecosystem engineers.”
How Threat Intelligence Analysts Relate
As I got to thinking more about it, I wondered if in the ecosystem of threat intelligence, analysts play the role of beavers. After all, without them, the whole thing falls down. It's hard for CISOs, managers, and others to make decisions when they don't have the intelligence provided by their analysts — just as it is difficult for elk, bison, and other high-profile animals to thrive if not for the diligence of the beaver.
If we extend this metaphor and think of information as a stream of data, analysts are the ones who help parse it out, in a way that is not all that dissimilar from the dams beavers build and the filtering and pooling of water that naturally results. The result is left for the benefit of others — remove the analyst, and the floodgates open.
Like beavers, analysts might not be the most visible, but they are critical to the success of a threat intelligence ecosystem. Imagine working as an analyst in a windowless security operations center (or maybe you don’t have to imagine it) — your inbox is probably hemorrhaging with alerts. Through your ability to brave the deluge, made easier by Recorded Future, you stem a tide that otherwise would have made its way to any number of other teams downstream in your organization. Not only that, but you refine the information you pass along, similar to how a beaver dam improves the quality of water that passes through it.
Or what if you run a vulnerability management team? If not for the analysts under your guidance, you might be left having to make patching decisions without the necessary insight provided by folks who live in the data. With their expertise multiplied by their use of Recorded Future, your analysts help turn data into information, and information into actionable intelligence. This transformative process is not unlike that which occurs in the immediate vicinity of beaver ponds — a rich wetland that attracts and benefits all sorts of wildlife and fauna. The result is an enriched environment — and what manager doesn’t like an enriched environment in which to make decisions?
So if you’re an analyst, bravo for the outsize role that you play in the threat intelligence ecosystem. If you’re a manager, CISO, or even a CEO, and you find that your team of analysts is “busy as a beaver,” you’ll know why.