How to Create a Comprehensive Investigative Research Process
Get insights from security leaders from Capital One, Qualcomm, and Ontic.
In an increasingly digital world, staying informed is not just an option for security teams; it’s a necessity. Corporate security teams can easily be overwhelmed by the sheer amount of threats pouring in, not to mention the variety of sources they’re coming from. As threats evolve, so must the approach to researching and managing them.
Related Resources
To share best practices and new strategies for developing investigative research processes, we gathered a panel of experts to discuss how today’s security teams can establish effective workflows for our webinar What Security Teams Miss When Researching Known (and Unknown) Threats.
In this webinar, Ontic’s Chief Security Officer, Chuck Randolph, sat down with Wendy Bailey, Threat Assessment Manager at Capital One; Allan Vitkosky, Global Security Senior Manager at Qualcomm; and Gigi Simmons, Senior Security Intelligence Analyst at Ontic; to discuss how to prevent important information from slipping through the cracks. They also offered insights on how instating and following research processes can help prove the value of your security program.
With the vast amount of online information, teams need to operationalize how they look at threats to ensure critical intelligence does not get overlooked. The panel explained how their teams are processing information from many sources at a rapid pace to identify risks. Bailey explained how she trains and informs associates and leadership on what her team needs to conduct threat assessments, emphasizing that awareness and preparedness are key to making sure the right threat data is captured when coming from other departments.
The panel then walked through some of the hurdles they face daily. From going down the OSINT rabbit hole to the prevalence of fake social media accounts to filtering out the noise, the panel shared some of their program’s common problems that keep them up at night.
Once the experts explained their unique challenges, Randolph asked the panelists to hone in on their teams’ processes at the organizational and tactical levels. While workflows may vary depending on the threat level and its urgency, the panelists revealed some universal steps taken throughout managing an investigation, such as utilizing social media research to gain context, or talking to HR regarding internal issues. While the panelists discussed the basic workflows their team follows, underscoring the challenge of organizing data, they also shared some unconscious “workflows” — or things they kept in the back of their minds when collecting data — that often accompany the more formal processes their teams followed, such as gaining context from past behaviors of a threat actor to inform future behaviors.
“We’re structuring the unstructured.” – Chuck Randolph
Having a structured research process has boosted all panelists’ security posture within their organizations and has helped them assist other teams. Vitosky and Bailey shared how having a documented process and utilizing the same methods yields consistent results for their teams and the other departments that turn to them for intelligence.
Security at times is the only function with access to the tools needed to derive the proper information to inform business decisions. They shared examples of the tools they use — including OSINT, criminal records, and internal databases — to gain a more comprehensive understanding of potential threats. To make this data more valuable to their organization, the panelists explained how they add color to this research by providing additional context to make it more meaningful.
“You have to ask the right questions. Some clients get a ton of threats daily, but you have to really know your organization to pull the right information into feeds, workflows, etc.” – Gigi Simmons
The panel then shared examples of how their structured processes have led to better decision-making and improved their organizations’ security posture. Using specific workflows, Bailey and her team are able to narrow down who a threat actor is based on information from different sources, giving her team an opportunity to position themselves better by improving their understanding of the risk.
The panel finished with some advice for those looking to optimize their programs. They each suggested steps and processes for individuals looking to do more research or for those with a smaller program who would like to accomplish more. Whether it be utilizing checklists, leveraging personal relationships, or expanding your technology ecosystem, the panel was full of suggestions for optimizing programs.
“Consistency builds relationships with your necessary partners. You have to build the trust with those other departments to establish the credibility and competence of your program.” – Wendy Bailey
After closing with some recommendations for optimizing programs, emphasizing the impact of building personal relationships and networking, the panel answered some questions from the audience. They shared what was on their program “wishlist,” such as a dedicated analyst, additional resources, more time with employees, and an expanded footprint to different regions across the globe.
“In an ever-increasing digital world, remember that threat-hunting is a people business. You can’t do everything behind a keyboard. Don’t forget the personal relationships you need.” – Allan Vitkosky
