Five years ago, the FBI's technical analysts might examine 500 gigabytes of data for a specific incident. Today, it's in the range of 1 to 2 terabytes, on average, according to agent Gabe Maxwell, part of the bureau's Cyber Division.
When Maxwell started as an analyst more than a decade ago, he said during a recent Government Executive webcast, he studied ZIP codes and phone books. As today's analysts try to identify whether cyberincidents are normal or malicious—combing through larger data sets, often records of web traffic and information collected from sensors—"it's not possible to do line by line, manually any longer."
Analysts need technology that can help them process terabytes of data at a time, but also lets them manipulate the data according to the leads they want to pursue—either drilling down into a specific data point or data set, or pivoting to a related set, Maxwell explained.
"We have to be better at capturing the biggest questions that our investigators and analysts have," and passing those on to the people who can query the data, he said. An ideal management tool would let both parties collaborate, Maxwell explained. Within the Cyber Division, some analysts can write code to manipulate data, but not all investigators have the skill set.
Effective tools should also have some kind of "heads-up visualization" so investigators can easily identify the data points they want to examine further, he said. They should also allow analysts to send instant messages to each other while they're looking at data sets, collaborating on analyses.
The challenge is "not removing the creativity and the analytics foundation of hunting from the shoulders of our analysts and investigators," Maxwell said. "We need tools that free up our investigators [from writing script and programming] ... and instead empowers them to find new patterns."