2009-01-15

Analysis or Synthesis?

I have a new, formal job classification at work. Since security - more specifically, security intelligence - as a profession is "new", this is really our HR department coming to grips with that reality. The classification I now have is Cyber Intel Analyst. I detest that the word "cyber" is in my title, but I'll save that for another day.

Partially as a consequence of this change, I began thinking on the definition of the word "analysis" and how its use has been watered down in our industry. On one hand, to the extent to which my job encompasses computer and network forensic analysis, the word is most certainly applicable. Digging into the most nuanced details of the history of reads and writes to a hard disk, inspecting TCP sessions and packets to observe content, absolutely fits the definition of a word whose meaning is "to take apart." But security intelligence often represents an inflection point in vision, between re-creating the events that took place as a forensic task, and painting a broader picture - assembling the comparatively scant data offered by forensic investigation, monitoring tools, logs, and other artifact sources to develop a modus operandi, discover other past or future actions perpetrated in the same vein, and possibly even discover the individuals behind the activity and their motives. In short, intrusion synthesis - the antonym of analysis.

Of course, this is all very academic. I will be doing the job I've done in the past regardless of whether my title is Cyber Intel Analyst or Banana Peeler. But as I've said in the past, vocabulary is important, and it's an insightful exercise to see where such a description intersects with and diverges from what one does, as that activity itself can yield insights into how to better do whatever it is we do.