Reducing Hay to Find Needles

UEBA
I recently participated in a televised C-SPAN panel on counterterrorism and intelligence at the Center for Cyber and Homeland Security at George Washington University.

One of the ideas we explored is an analogy that is often used in the security industry: how to “find the needle in a haystack” or “find the needle in a stack of needles.” Several of my fellow panelists referenced the need to reduce the hay, that is, reduce the amount of data we analyze. As the number of needles (security events) in the haystack continues to increase, this may be the most efficient approach.

One example of reducing the hay is the TSA Trusted Traveler program, the security screening program that pre-checks and qualifies travellers who are determined to be low-risk for expedited screening at the airport. The program doesn’t eradicate the risk associated with the nearly 2 million travellers who are enrolled in it; that’s why they still go through security. But it does reduce the level of scrutiny applied to them in person at the airport, allowing them through security checkpoints without taking their laptops out or removing their shoes. It’s a more convenient, more efficient screening process that lets TSA staff focus more resources on the people outside the program who go through traditional security checkpoints.

When it comes to cyber, reducing the hay is all about context. Leveraging user and entity behavioral analytics helps organizations separate activity that looks normal (based on historic patterns, peers and other organizational constructs) from abnormal activity that requires a higher level of scrutiny. This way, security analysts concentrate their time and resources on the abnormal activities that indicate high risk. And when analysts can utilize automated tools to further enrich the analysis with supporting variables and prioritize risk, the seemingly untenable process of threat identification for insiders, cyber threats, fraud, anti-money laundering and even trade surveillance becomes tenable.
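To make that concrete, here is an added example in Python (not code from the original post or from any UEBA product): it builds a per-user and a peer-group baseline from a constructed 30-day history, scores each new event by how far it deviates from both baselines, enriches the score with supporting variables such as privileged access and a first-seen host, and returns only the events that clear a review threshold. All users, groups, event values, weights and the threshold are constructed for illustration.

```python
"""
Added example (not from the original post): a minimal user-and-entity
behaviour analytics scorer. Historical events define what "normal" looks
like for each user and for the user's peer group; new events are scored by
their deviation from both, enriched with supporting variables, and sorted
so an analyst only reviews the outliers. All data here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    group: str       # peer group, e.g. department (constructed label)
    hour: int        # hour of day (0-23) the activity occurred
    mb_out: float    # data transferred out, in megabytes
    new_host: bool   # enrichment: first time this user touched this host
    priv_user: bool  # enrichment: user holds privileged access


# Constructed history: finance staff work roughly 08-18 and move a few MB.
HISTORY = [
    Event("alice", "finance", h, mb, False, False)
    for h, mb in [(9, 5.0), (10, 7.0), (14, 6.0), (16, 4.0), (11, 8.0), (15, 5.0)]
] + [
    Event("bob", "finance", h, mb, False, False)
    for h, mb in [(8, 3.0), (12, 4.0), (13, 6.0), (17, 5.0), (10, 4.0), (9, 5.0)]
] + [
    Event("carol", "finance", h, mb, False, True)
    for h, mb in [(9, 6.0), (11, 5.0), (15, 7.0), (13, 6.0), (10, 8.0), (16, 6.0)]
]


def build_baselines(history):
    """Per-user and per-peer-group (mean, stddev) of hour-of-day and MB out."""
    by_user = defaultdict(list)
    by_group = defaultdict(list)
    for e in history:
        by_user[e.user].append(e)
        by_group[e.group].append(e)

    def stats(events):
        hours = [e.hour for e in events]
        mbs = [e.mb_out for e in events]
        return {"hour": (mean(hours), pstdev(hours)),
                "mb_out": (mean(mbs), pstdev(mbs))}

    return ({u: stats(v) for u, v in by_user.items()},
            {g: stats(v) for g, v in by_group.items()})


def zscore(value, mu_sigma):
    """Standard deviations away from the baseline mean."""
    mu, sigma = mu_sigma
    if sigma == 0:
        # Flat history: no change is 0, any change is treated as notable.
        return 0.0 if value == mu else 3.0
    return abs(value - mu) / sigma


def score_event(event, user_base, group_base):
    """Deviation from own history and from peers, plus enrichment."""
    ub = user_base.get(event.user)      # None for a user with no history
    gb = group_base[event.group]
    parts = []
    for feat, val in (("hour", event.hour), ("mb_out", event.mb_out)):
        self_dev = zscore(val, ub[feat]) if ub else 0.0
        peer_dev = zscore(val, gb[feat])
        # Take the larger deviation, capped so one wild feature cannot
        # dominate the whole score on its own.
        parts.append(min(max(self_dev, peer_dev), 5.0))
    behaviour = sum(parts)              # 0 .. 10
    enrichment = 0.0                    # supporting variables raise priority
    if event.new_host:
        enrichment += 2.0
    if event.priv_user:
        enrichment += 1.5
    return round(behaviour + enrichment, 2)


def prioritise(events, history=HISTORY, review_threshold=4.0):
    """Return (event, score) pairs at or above the threshold, highest first."""
    user_base, group_base = build_baselines(history)
    scored = [(e, score_event(e, user_base, group_base)) for e in events]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(e, s) for e, s in scored if s >= review_threshold]


if __name__ == "__main__":
    today = [
        Event("alice", "finance", 10, 6.0, False, False),   # ordinary day
        Event("bob", "finance", 3, 900.0, True, False),     # 03:00, 900 MB, new host
        Event("carol", "finance", 14, 6.0, False, True),    # ordinary, privileged
    ]
    for e, s in prioritise(today):
        print(f"{e.user:6} score={s}")
```

Only the event that deviates from both its owner's history and the peer group, and carries a supporting variable, is left for review; the two ordinary events are dropped without an analyst ever seeing them. The deviation cap and the fixed enrichment weights are deliberate design choices so that a single extreme feature or a single attribute such as privileged access cannot on its own push a normal event over the threshold.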