TRANSCRIPT
SESSION ID:
The Newest Element of Risk Metrics: Social Media
GRC-T10R
Ian Amit, Vice President, ZeroFOX Inc. @iiamit
Basic Motivation - hottest/easiest vector!
"…in previous years, we saw phishing messages come and go and reported that the overall effectiveness of phishing campaigns was between 10 and 20%. This year, we noted that some of these stats went higher, with 23% of recipients now opening phishing messages and 11% clicking on attachments. Some stats were lower, though, with a slight decline in users actually going to phishing sites and giving up passwords."
"For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing."
2015 DBIR
Why do I want this?
Everyone is on social media, whether you tell your employees that they can or can't.
Organizations find that they conduct business communications over social media.
The gap between online and physical is very narrow when factoring in social media.
Attackers target organizations through the path of least resistance. Social media is the easiest because:
There are fewer (if any) controls over it.
It provides a more personalized "experience" for the user (unlike email).
It is more interactive, and attackers can quickly adapt their approach.
It is easy to impersonate someone on social media and impact the organization.
Who is potentially affected?
Are you engaged in a "controversial" practice?
Financial Services, DIB, Healthcare, Pharma, Agribusiness, LEA, Energy
Can I really predict risk based on SM activity?
Sentiment analysis and the German elections
Predicting Elections with Twitter: What 140 Characters Reveal about Political Sentiment
"Twitter can be seen as a valid real-time indicator of political sentiment."
http://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/1441/1852
What is it that we need to address?
A framework for you to look at how inflammatory or "risky" individuals in your organization are. Individuals like:
executives, technical contractors and employees who, you know, might have admin access, and/or employees susceptible to other risk categories like Fraud, Reputation, and Strategic risk.
What will I get out of this?
The ability to build a scorecard allowing you to rank employee risk.
The ability to drill down into the SM behaviors that contribute to risk,
and subsequently lower a risk profile through applying controls to select elements identified through the process.
The ability to enhance OSINT functions with SM-focused functions.
Basic concepts behind the model
We utilized the GQM approach:
Conceptual level (goal): Goals are defined for an object for a variety of reasons, with respect to various models, from various points of view.
Operational level (question): Questions are used to define models of the object of study and then focus on that object to characterize the assessment or achievement of a specific goal.
Quantitative level (metric): Metrics, based on the models, are associated with every question in order to answer it in a measurable way.
GQM
Victor Basili
Goals establish what we want to accomplish.
Questions help us understand how to meet the goal. They address context.
Metrics identify the measurements that are needed to answer the questions.
[GQM tree diagram: Goal 1 and Goal 2 at the top, questions Q1-Q5 beneath them, metrics M1-M7 at the bottom]
Our GQM data
Goal: Provide a social media risk scorecard for a person/organization.
Questions: How would one's OA affect the likelihood of a threat? How would one's OA affect the impact of a threat, and the areas of impact? How does the unsanctioned presence of someone affect said threats?
Metrics: Provide a qualitative* approach to measuring the overall risk, as well as specific aspects of the social media presence.
*And when we say qualitative we lie a little bit…
More Goals
1. Provide a measurable way to quantify risk associated with online activity of the organization and its employees.
2. Provide another measure for quantifying risk of working with 3rd parties and contractors.
3. Create a score for executives to measure their social media exposure (from an exec protection perspective, insider trading, etc...)
4. Create a score for measuring and comparing intra- and extra-industry social media risk ratings.
5. Be able to quantify the effect of changing controls, processes and policies on the risk associated with social media.
Developing the scoreboard
Started with the basics, comparative measurements…
A qualitative approach dictates trying to leave quantitative elements out (which we kind'a try to). So the compromise was to provide a fairly detailed breakdown of elements, and instead of measuring them on a scale, only indicate presence (1 or 0).
Aggregation didn't work (per se): averaging would not take into account the full magnitude of the largest elements, and MAX() would not factor in the contribution from smaller ones. We have to provide more accurate weights…
Scoring Approach
Ended up providing a weighting system for the major elements and their importance to the organization (context?!).
Given X points to distribute between Y elements: Weight = Y'/X, where Y' is the number of points given to each element.
Sum(Y' … Y'') = 1
Apply the weighting to the scorecard to get a weighted risk score (where the weights are appropriate for the organization's operational context).
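An added example, not code from the talk or from the SMRM project: the weighting arithmetic above applied to a constructed scorecard of 1/0 presence indicators, showing why plain averaging and MAX() mis-rank two profiles while the point-weighted score does not. The element names, the 100-point budget and both profiles are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str     # scorecard element (constructed name, not the SMRM's own list)
    points: int   # Y': points the organisation gave this element out of X
    present: int  # presence indicator only: 1 if observed, 0 if not


TOTAL_POINTS = 100  # X, the budget distributed over the Y elements (constructed)


def weights(elements, total_points=TOTAL_POINTS):
    """Weight of each element = Y'/X. The weights sum to 1 only if the
    whole budget X was actually handed out, so that is checked here."""
    handed_out = sum(e.points for e in elements)
    if handed_out != total_points:
        raise ValueError(f"distributed {handed_out} of {total_points} points")
    return {e.name: e.points / total_points for e in elements}


def weighted_score(elements, total_points=TOTAL_POINTS):
    """Weighted risk score = sum(weight_i * presence_i), as one exact division."""
    weights(elements, total_points)  # validate the allocation first
    return sum(e.points * e.present for e in elements) / total_points


def average_score(elements):
    """Naive aggregation: fraction of elements present (ignores magnitude)."""
    return sum(e.present for e in elements) / len(elements)


def max_score(elements):
    """Naive aggregation: 1 if anything at all is present (ignores the rest)."""
    return max(e.present for e in elements)


def allocation(presence):
    """Constructed allocation of X=100 points over five elements, paired
    with the 1/0 indicators observed for one monitored individual."""
    names_points = [("admin access advertised in profile", 40),
                    ("impersonating account detected", 25),
                    ("travel/location posted publicly", 15),
                    ("negative sentiment in chatter", 10),
                    ("unsanctioned corporate account", 10)]
    return [Element(n, p, pr) for (n, p), pr in zip(names_points, presence)]


# Two constructed profiles: A trips only the heaviest element, B trips three light ones.
PROFILE_A = allocation([1, 0, 0, 0, 0])
PROFILE_B = allocation([0, 0, 1, 1, 1])


def rank(profiles):
    """Rank (name, elements) pairs by weighted score, highest risk first."""
    return sorted(profiles, key=lambda kv: weighted_score(kv[1]), reverse=True)
```

Averaging puts B (0.6) above A (0.2) and MAX() ties them at 1, while the weighted score ranks A (0.40) above B (0.35), which is the point the slide makes.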
Scorecard roadmap
Current: Breakdown of Likelihood, Manifestation, Impact, and an estimated factor of the number of online threats (by compounding monitored instances of threat actors with the medium used).
Future: Add a breakdown into personal vs corporate risk, and further semantics such as exposure to malicious content, negative sentiment, information leaks, etc…
What kind of data is needed?
Organization size, and the size of the management.
How many in the organization are monitored (and in management).
Locality information (HQ, offices, size per location).
Chatter - mentioning, conversing with, and talking about monitored assets. Also - assets posting/conversing/mentioning others.
Impersonations - who is being impersonated? What's the intent (nefarious vs. parody)?
Sentiment analysis - in chatter, broken down into management vs company vs individuals (per location), and by distance from asset (1st, 2nd, 3rd degree).
How can YOU do it?
STEP 1: Determine how your organization will support profiling:
None at all
None but publicly available information
Volitional
Enforced
STEP 2: Determine who you might want to protect:
privileged IT users
executives/board members
marketing/PR people
sales
STEP 4: Collect <ALL> the data. Extract/Transform/Load:
Scrape/Transform/Load
Analysis post-scrape
Analysis in real-ish time (Storm FTW) (Twitter API -> spout -> bolt for processing)
STEP 6A: Analysis - Amish handcrafted
Score comments regarding the factors that contribute to the likelihood/manifestation/impact elements of the model.
Use freebie tools or do-it-yourself tools like…
https://tone-analyzer-demo.mybluemix.net/
https://watson-pi-demo.mybluemix.net/
Score in our handy-dandy Excel tool (or some variation thereof).
STEP 6B: DIY BIG DATA MAGICS
Sentiment analysis (list from http://breakthroughanalysis.com/2012/01/08/what-are-the-most-powerful-open-source-sentiment-analysis-tools/):
Python NLTK (Natural Language Toolkit), http://www.nltk.org/, but see also http://text-processing.com/demo/sentiment/
R, TM (text mining) module, http://cran.r-project.org/web/packages/tm/index.html, including tm.plugin.sentiment.
RapidMiner, http://rapid-i.com/content/view/184/196/.
GATE, the General Architecture for Text Engineering, http://gate.ac.uk/sentiment/.
Apache UIMA is the Unstructured Information Management Architecture, http://uima.apache.org/. Also sentiment classifiers for the WEKA data-mining workbench, http://www.cs.waikato.ac.nz/ml/weka/. See http://www.unal.edu.co/diracad/einternacional/Weka.pdf for one example.
Stanford NLP tools, http://www-nlp.stanford.edu/software/
LingPipe (pseudo-open source). See http://alias-i.com/lingpipe/demos/tutorial/sentiment/read-me.html.
STEP 7: SCORECARD! Output via the model.
Remember, it's the factors of stress, not necessarily a "risk score", that matter.
The ultimate goal is to protect, be that via technology or behavioral controls. Also applicable - legal, financial hedging, insurance, etc…
Where can you get it?
The Society of Information Risk Analysts
http://www.societyinforisk.org
As well as on the SMRM site:
http://risk-metrics.com/
Take-away
1. Check what your current social media security policy is (if you have one).
2. Do you have a current risk model that incorporates social media as part of it (attack surface / information leak / intelligence)?
3. Measure your current social media risk posture for key individuals in your organization.
And then, in 2-3 months, measure again to see whether any changes you have implemented in light of the initial measurement had the right impact.
Resources
Sentiment analysis and German elections: http://www.aaai.org/ocs/index.php/ICWSM/ICWSM10/paper/viewFile/1441/1852
Analyze tone of text: https://tone-analyzer-demo.mybluemix.net/
Analyze personality based on text: https://watson-pi-demo.mybluemix.net/
Sentiment analysis (list from http://breakthroughanalysis.com/2012/01/08/what-are-the-most-powerful-open-source-sentiment-analysis-tools/):
Python NLTK (Natural Language Toolkit), http://www.nltk.org/, but see also http://text-processing.com/demo/sentiment/
R, TM (text mining) module, http://cran.r-project.org/web/packages/tm/index.html, including tm.plugin.sentiment.
RapidMiner, http://rapid-i.com/content/view/184/196/.
GATE, the General Architecture for Text Engineering, http://gate.ac.uk/sentiment/.
Apache UIMA is the Unstructured Information Management Architecture, http://uima.apache.org/. Also sentiment classifiers for the WEKA data-mining workbench, http://www.cs.waikato.ac.nz/ml/weka/. See http://www.unal.edu.co/diracad/einternacional/Weka.pdf for one example.
Stanford NLP tools, http://www-nlp.stanford.edu/software/
LingPipe (pseudo-open source). See http://alias-i.com/lingpipe/demos/tutorial/sentiment/read-me.html.