The Newest Element of Risk Metrics: Social Media

SESSION ID:

TheNewestElementofRiskMetrics:SocialMedia

GRC-T10R

IanAmitVicePresident ZeroFOXinc. @iiamit

BasicMo<va<on-ho?est/easiestvector!

“…inpreviousyears,wesawphishingmessagescomeandgoandreportedthattheoveralleffecAvenessofphishingcampaignswasbetween10and20%.Thisyear,wenotedthatsomeofthesestatswenthigher,with23%ofrecipientsnowopeningphishingmessagesand11%clickingona?achments.Somestatswerelower,though,withaslightdeclineinusersactuallygoingtophishingsitesandgivinguppasswords.”

“Fortwoyears,morethantwo-thirdsofincidentsthatcomprisetheCyber-EspionagepaNernhavefeaturedphishing.”

2015DBIR

2

WhydoIwantthis?

Everyoneisonsocialmedia.Whetheryoutellyouremployeesthattheycanorcan’t.

OrganizaAonsfindthattheyconductbusinesscommunicaAonsoversocialmedia.

Thegapbetweenonlineandphysicalisverynarrowwhenfactoringinsocialmedia.

ANackerstargetorganizaAonsthroughthepathofleastresistance.Socialmediaistheeasiestas:

Thereareless(ifany)controlsoverit.Itprovidesamorepersonalized“experience”fortheuser(unlikeemail).ItismoreinteracAveandaNackerscanquicklyadapttheirapproach.

ItiseasytoimpersonatesomeoneonsocialmediaandimpacttheorganizaAon.

3

Whoispoten<allyaffected?

Areyouengagedina“controversial”pracAce?

4

FinancialServices DIB Healthcare

Pharma Agribusiness LEA

Energy

CanIreallypredictriskbasedonSMac<vity?

SenAmentanalysisandtheGermanelecAons

PredicAngElecAonswithTwiNer:What140CharactersRevealaboutPoliAcalSenAment

“TwiNercanbeseenasavalidreal-AmeindicatorofpoliAcalsenAment.”

hNp://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/1441/1852

5

#RSAC

Comingupwithasolu<on

Frameworkformeasuringtheriskofaperson/organizaAon’ssocialmediaacAvity

Whatisitthatweneedtoaddress?

Aframeworkforyoutolookathowinflammatoryor“risky”individualsinyourorganizaAonare.Individuals:

likeexecuAves,technicalcontractors&employeeswho,youknow,mighthaveadminaccess,and/oremployeessuscepAbletootherriskcategorieslikeFraud,ReputaAon,andStrategicrisk.

8

WhatwillIgetoutofthis?

Theabilitytobuildascorecardallowingyoutorankemployeerisk.

TheabilitytodrilldownintotheSMbehaviorsthatcontributetorisk

AndsubsequentlylowerariskprofilethroughapplyingcontrolstoselectelementsidenAfiedthroughtheprocess.

TheabilitytoenhanceOSINTfuncAonswithSM-focusedfuncAons

9

Basicconceptsbehindthemodel

WeuAlizedtheGQMapproach:

Conceptuallevel(goal)Goalsdefinedforanobjectforavarietyofreasons,withrespecttovariousmodels,fromvariouspointsofview.

OperaAonallevel(ques<on)QuesAonsareusedtodefinemodelsoftheobjectofstudyandthenfocusesonthatobjecttocharacterizetheassessmentorachievementofaspecificgoal.

QuanAtaAvelevel(metric)Metrics,basedonthemodels,isassociatedwitheveryquesAoninordertoansweritinameasurableway.

10

GQM

11

VictorBasili

Goalsestablishwhatwewanttoaccomplish.

Questionshelpusunderstandhowtomeetthegoal.Theyaddresscontext.

Metricsidentifythemeasurementsthatareneededtoanswerthequestions.

Goal 1 Goal 2

Q1 Q2 Q3 Q4 Q5

M1 M2 M3 M4 M5 M6 M7

11

OurGQMdata

Goal:Provideasocialmediariskscorecardforaperson/organizaAon.

QuesAons:Howwouldone’sOAaffectthelikelihoodofathreat?Howwouldone’sOAaffectstheimpactofathreat,andtheareasofimpact?HowdoesunsancAonedpresenceofsomeoneaffectsaidthreats?

Metrics:ProvideaqualitaAve*approachtomeasuringtheoverallrisk,aswellasspecificaspectsofthesocialmediapresence.

12

*And when we say qualitative we lie a little bit…

MoreGoals

1.ProvideameasurablewaytoquanAfyriskassociatedwithonlineacAvityoftheorganizaAonandit'semployees.

2.ProvideanothermeasureforquanAfyingriskofworkingwith3rdparAesandcontractors.

3.CreateascoreforexecuAvestomeasuretheirsocialmediaexposure(fromanexecprotecAonperspecAve,insidertrading,etc...)

4.CreateascoreformeasuringandcomparingintraandextraindustrysocialmediariskraAngs

5.BeabletoquanAfytheeffectofchangingcontrols,processesandpoliciesontheriskassociatedwithsocialmedia.

13

Mindmap(seeexternalreferences)

14

Developingthescoreboard

Startedwiththebasics,comparaAvemeasurements…

QualitaAveapproachdictatestryingtoleavequanAtaAveelementsout(whichwekind’atryto).Sothecompromisewastoprovideafairlydetailedbreakdownofelements,andinsteadofmeasuringthemonascale,onlyindicatepresence(1or0).

AggregaAondidn'twork(per-se),Averagingwouldnottakeintoaccountthefullmagnitudeofthelargestelements,MAX()wouldnotfactorincontribuAonfromsmallerones.Wehavetoprovidemoreaccurateweights…

15

ScoringApproach

EndedupwithprovidingaweighAngsystemforthemajorelementsandtheirimportancetotheorganizaAon(context?!).

GivenXpointstodistributebetweenYelements.Weight=Y’/XwhereY’isthenumberofpointsgiventoeachelement.

Sum(Y’…Y’’)=1

ApplyweighAngtothescorecardtogetweightedriskscore.(whereweightsareappropriatefortheorganizaAon’soperaAonalcontext).

16

Weigh<ng

17 Sample

Scorecardroadmap

Current:BreakdownofLikelihood,Manifesta<on,Impact,andanesAmatedfactorofthenumberofonlinethreats(bycompoundingmonitoredinstancesofthreatactorswiththemediumused).

Future:Addbreakdowntopersonalvscorporaterisk,andfurthersemanAcssuchasexposuretomaliciouscontent,negaAvesenAment,informaAonleaks,etc…

18

Whatkindofdataisneeded?

OrganizaAonsize,andthesizeofthemanagement.

HowmanyintheorganizaAonaremonitored(andinmanagement)

LocalityinformaAon(HQ,offices,sizeperlocaAon)

ChaNer-menAoning,conversingwith,andtalkingaboutmonitoredassets.Also-assetsposAng/conversing/menAoningothers.

ImpersonaAons-whoisbeingimpersonated?What’stheintent(nefariousvs.parody)

SenAmentanalysis-inchaNer,brokendowntomanagementvscompanyvsindividuals(perlocaAon),andbydistancefromasset(1st,2nd,3rddegree)

19

HowcanYOUdoit?

STEP1:DeterminehowyourorganizaAonwillsupportprofiling.NoneatallNonebutpubliclyavailableinformaAonVoliAonalEnforced

20

HowcanYOUdoit?

STEP2:DeterminewhoyoumightwanttoprotectprivilegedITusersexecuAves/boardmembersmarkeAng/PRpeoplesales

21

HowcanYOUdoit?

STEP3:DeterminewhereyouwillprofilethemSocialMediasitesWebsitesBlogcomments

22

HowcanYOUdoit?

STEP4:Collect<ALL>thedata.Extract/Tranform/Load

Scrape/Transform/LoadAnalysispostscrapeAnalysisinreal-ishAme(stormuw) (twiNerapi->spout->boltforprocessing)

23

HowcanYOUdoit?

STEP5:Storethedata.Whateveryouwant.

24

HowcanYOUdoit?

STEP6A:AnalysisAmishhandcraued

Scorecommentsregardingthefactorsthatcontributetothelikelihood/manifestaAon/impactelementsofthemodelUsefreebietoolsordoityourselftoolslike…hNps://tone-analyzer-demo.mybluemix.net/hNps://watson-pi-demo.mybluemix.net/Scoreinourhandy-dandyexceltool(orsomevariaAonthereof)

25

HowcanYOUdoit?(automatedanalysis)

26

HowcanYOUdoit?

STEP6B:DIYBIGDATAMAGICSSenAmentanalysis(listfromhNp://breakthroughanalysis.com/2012/01/08/what-are-the-most-powerful-open-source-senAment-analysis-tools/)PythonNLTK(NaturalLanguageToolkit),hNp://www.nltk.org/,butseealsohNp://text-processing.com/demo/senAment/–R,TM(textmining)module,hNp://cran.r-project.org/web/packages/tm/index.html,includingtm.plugin.senAment.–RapidMiner,hNp://rapid-i.com/content/view/184/196/.–GATE,teGeneralArchitectureforTextEngineering,hNp://gate.ac.uk/senAment/.ApacheUIMAistheUnstructuredInformaAonManagementArchitecture,hNp://uima.apache.org/—alsosenAmentclassifiersfortheWEKAdata-miningworkbench,hNp://www.cs.waikato.ac.nz/ml/weka/.SeehNp://www.unal.edu.co/diracad/einternacional/Weka.pdfforoneexample.StanfordNLPtools,hNp://www-nlp.stanford.edu/souware/LingPipe,(pseudo-opensource).SeehNp://alias-i.com/lingpipe/demos/tutorial/senAment/read-me.html.

27

HowcanYOUdoit?

STEP7:SCORECARD!OutputviamodelRemember,it’sthefactorsofstressnotnecessarilya“riskscore”thatmaNers.UlAmategoalisprotect,bethatviatechnologyorbehavioralcontrols.Alsoapplicable-legal,financialhedging,insurance,etc…

28

Wherecanyougetit?

TheSocietyofInformaAonRiskAnalysts

hNp://www.societyinforisk.org

AswellasontheSMRMsite:

hNp://risk-metrics.com/

29

http://www.societyinforisk.org

http://risk-metrics.com/

Take-away

1. Checkwhatisyourcurrentsocialmediasecuritypolicy(ifyouhaveone).

2. Doyouhaveacurrentriskmodelthatincorporatessocialmediaaspartofit(aNacksurface/informaAonleak/intelligence)

3. MeasureyourcurrentsocialmediariskpostureforkeyindividualsinyourorganizaAon.

Andthenin2-3months-measureagaintoseewhetheranychangesyouhaveimplementedinlightoftheiniAalmeasurementhadtherightimpact.

30

#RSAC

Thankyou!

Ques<ons?

IanAmit:@iiamit|[email protected]|hNp://www.iamit.org

mailto:[email protected]

http://www.iamit.org

Resources

SenAmentanalysisandgermanelecAons:hNp://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/1441/1852

Analyzetoneoftext:hNps://tone-analyzer-demo.mybluemix.net/

Analyzepersonalitybasedontext:hNps://watson-pi-demo.mybluemix.net/

SenAmentanalysis(listfromhNp://breakthroughanalysis.com/2012/01/08/what-are-the-most-powerful-open-source-senAment-analysis-tools/)

PythonNLTK(NaturalLanguageToolkit),hNp://www.nltk.org/,butseealsohNp://text-processing.com/demo/senAment/R,TM(textmining)module,hNp://cran.r-project.org/web/packages/tm/index.html,includingtm.plugin.senAment.RapidMiner,hNp://rapid-i.com/content/view/184/196/.GATE,teGeneralArchitectureforTextEngineering,hNp://gate.ac.uk/senAment/.

ApacheUIMAistheUnstructuredInformaAonManagementArchitecture,hNp://uima.apache.org/—alsosenAmentclassifiersfortheWEKAdata-miningworkbench,hNp://www.cs.waikato.ac.nz/ml/weka/.SeehNp://www.unal.edu.co/diracad/einternacional/Weka.pdfforoneexample.

StanfordNLPtools,hNp://www-nlp.stanford.edu/souware/

LingPipe,(pseudo-opensource).SeehNp://alias-i.com/lingpipe/demos/tutorial/senAment/read-me.html.

32

The Newest Element of Risk Metrics: Social Media

Technology

Transcript of The Newest Element of Risk Metrics: Social Media