Using Social Media for Security Monitoring

#SecurityWithSysomos

Upload: sysomos

Post on 07-Jan-2017

TRANSCRIPT

Page 1: Using Social Media for Security Monitoring

Page 2: Using Social Media for Security Monitoring

Agenda

• Introduction
• Why Threat Detection?
• Types of Threats: Cyber, Physical
• Means of Protection: Digital Property, Fraud, Copy Cat
• How to Start
• Q&A

Page 3: Using Social Media for Security Monitoring

Why Monitor Threat Detection?

Page 4: Using Social Media for Security Monitoring

Why Monitor Threat Detection?

• Social Media is great for broadcasting information…for positive actions as well as malicious ones

• Remember: there are no limits to what people will post on social media

• Marketers leverage Social Media as their “haystack” for brand, competitive, and influencer purposes

• We can utilize these same ideas and tools for security and threat detection

• We will expect a relatively small number of mentions, but when they occur, they are extremely actionable and relevant. All it takes is one.

Page 5: Using Social Media for Security Monitoring

How susceptible is your business to security threats?

Page 6: Using Social Media for Security Monitoring

What If You Don’t Monitor for Security and Threats?

PROACTIVE is always better than REACTIVE when it comes to security threats.

Page 7: Using Social Media for Security Monitoring

What Is the Cost of Not Looking Out for Threats?

Page 8: Using Social Media for Security Monitoring

Use Case: Cyber Security

• One of the largest news sources and news distributors in the world

• Owns many digital news properties that are relied on heavily by their advertisers

• Same digital properties are very attractive targets for hackers

• DDoS (Distributed Denial of Service Attack): Overloads a company website/network by sending numerous packets of information, making it inaccessible to users

Page 9: Using Social Media for Security Monitoring

Use Case: Cyber Threats

• Can Social Predict DDoS attacks and other Cyber threats? Indirectly, yes.

• Utilizing email alerts

• Setting post frequency threshold limits for a ‘true attack’

• Creating the threshold: from historical attacks in the past year, 1000 mentions signified an attack and an unusual number of mentions

• Cost to a company: between $5,000 and $100,000/hr

• 49% of DDoS attacks last between 6 – 24 hrs
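
An added example, not from the original deck: a rolling-count detector for the mention threshold described above. The 1000-mention figure is the slide's; the one-hour window, the re-arm ratio and the sample timestamps are assumptions constructed here.

```python
from collections import deque
from datetime import datetime, timedelta

ATTACK_THRESHOLD = 1000        # from the slide: 1000 mentions signified an attack
WINDOW = timedelta(hours=1)    # assumption: the slide does not give a time window
REARM_RATIO = 0.5              # assumption: re-arm once volume halves

def detect_spikes(timestamps, threshold=ATTACK_THRESHOLD, window=WINDOW):
    """Return the times at which the rolling mention count crosses the threshold.

    One sustained spike yields one alert: the detector re-arms only after the
    count drops to REARM_RATIO * threshold, which avoids flapping at the limit.
    """
    recent, alerts, armed = deque(), [], True
    for ts in sorted(timestamps):
        recent.append(ts)
        while ts - recent[0] >= window:   # expire mentions older than the window
            recent.popleft()
        if armed and len(recent) >= threshold:
            alerts.append(ts)
            armed = False
        elif len(recent) <= threshold * REARM_RATIO:
            armed = True
    return alerts

def constructed_mentions(with_burst=True):
    """Constructed sample: one mention every 10 minutes for a day, plus an
    optional burst of 1500 mentions two seconds apart starting at noon."""
    day = datetime(2017, 1, 1)
    mentions = [day + timedelta(minutes=10 * i) for i in range(144)]
    if with_burst:
        noon = day + timedelta(hours=12)
        mentions += [noon + timedelta(seconds=2 * j) for j in range(1500)]
    return mentions

if __name__ == "__main__":
    for when in detect_spikes(constructed_mentions()):
        print("ALERT: mention volume crossed threshold at", when)
```

In practice the threshold and window should be tuned against the organisation's own historical mention volume, as the slide describes.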

Page 10: Using Social Media for Security Monitoring

Use Case: Cyber Threats

• Finding the bad apples and repeat offenders

With a social media research platform you can actively find and make lists of social users and accounts who have:

• Targeted you in the past
• Act as early warning systems for attacks
• Use language that indicates attacks
• Are part of communities often involved in attacks

Page 11: Using Social Media for Security Monitoring

Use Case: Physical Threats

• Same large news source and distributor

• Has many publicly known and recognizable on-air talents, personalities and executives working for them

• Regularly receives physical threats against these people

• Solution was to use long complex trigger tags with keywords for every possible scenario of a physical threat

Page 12: Using Social Media for Security Monitoring

Use Case: Physical Threats

• Example of a trigger tag:

"John Doe Harm"~3 OR "John Doe Hurt"~3 OR "John Doe Vandalize"~3 OR "John Doe Vandalizes"~3 OR "John Doe Vandalizing"~3 OR "John Doe Strike"~3 OR "John Doe Attack"~3 OR "John Doe Loss of Life"~3 OR "John Doe Kill"~3 OR "John Doe Killed"~3 OR "John Doe Killing"~3 OR "John Doe Find"~3 OR "John Doe Hackers"~3 OR "John Doe Hacking"~3 OR "John Doe Cyber Attack"~3 OR "John Doe CyberAttack"~3 OR "John Doe CyberAttacker"~3 OR "John Doe Cyber Army"~3 OR "John Doe CyberArmy"~3 OR "John Doe Al-Qaeda"~3 OR "John Doe AlQaeda"~3 OR "John Doe Al Qaeda"~3 OR "John Doe Hacker"~3 OR "John Doe Threat"~3 OR "John Doe Threatening"~3 OR "John Doe Threatened"~3 OR "John Doe Plane Crash"~3 OR "John Doe Suicide Attack"~3 OR "John Doe Suicide Bomber"~3

• A tag like this can trigger an email alert, be routed into a custom dashboard, or be integrated through an API feed into a command center with additional data points outside of social

• Many different trigger tags can be made for every possible security or threat scenario

• Once these are made they can be replicated for locations, people's names, various business assets and more

Page 13: Using Social Media for Security Monitoring

Use Case: Copy Cat

• Every time a Twitter handle pops up with the brand name – any derivation thereof – an alert is triggered

• Allows risk and security staff to identify and take action on unauthorized user accounts

• Ensures the reputation of the brand is not compromised by a malicious attack

(from:a*_widget OR from:b*_widget OR from:c*_widget OR from:d*_widget OR from:e*_widget OR from:f*_widget OR from:g*_widget OR from:h*_widget OR from:i*_widget OR from:j*_widget OR from:k*_widget OR from:l*_widget OR from:m*_widget OR from:n*_widget OR from:o*_widget OR from:p*_widget OR from:q*_widget OR from:r*_widget OR from:s*_widget OR from:t*_widget OR from:u*_widget OR from:v*_widget OR from:w*_widget OR from:x*_widget OR from:y*_widget OR from:z*_widget OR from:widget_a* OR from:widget_b* OR from:widget_c* OR from:widget_d* OR from:widget_e* OR from:widget_f* OR from:widget_g* OR from:widget_h* OR from:widget_i* OR from:widget_j* OR from:widget_k*
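
An added example, not part of the original deck and not Sysomos query syntax: a local check over handles already collected that labels look-alikes of the brand. It goes beyond the wildcard query above by also catching digit substitutions and single-character typos; `widget` is the slide's placeholder brand, and the allowlist, look-alike map and sample handles are constructed assumptions.

```python
import re

BRAND = "widget"                      # placeholder brand from the slide's query
OFFICIAL = {"widget", "widget_help"}  # hypothetical allowlist of real accounts
# Constructed look-alike map: digits commonly swapped in for letters.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(handle):
    """Lower-case, map look-alike digits to letters, drop separators."""
    mapped = handle.lstrip("@").lower().translate(LOOKALIKES)
    return re.sub(r"[^a-z]", "", mapped)

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] != b[j]:
            edits += 1
            if edits > 1:
                return False
            if len(a) < len(b):
                j += 1        # skip the extra character in the longer string
                continue
        i += 1
        j += 1
    return edits + (len(b) - j) <= 1

def classify(handle, brand=BRAND, official=OFFICIAL):
    """Label a handle: official, contains-brand, near-match or unrelated."""
    if handle.lstrip("@").lower() in official:
        return "official"
    norm = normalize(handle)
    if brand in norm:
        return "contains-brand"
    # Typo variants: slide a window over the handle and compare to the brand.
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(max(len(norm) - size, 0) + 1):
            if within_one_edit(norm[start:start + size], brand):
                return "near-match"
    return "unrelated"

# Constructed sample handles, not real accounts.
SAMPLE = ["@widget", "a_widget", "widg3t_promo", "w1dget_support", "gardening_tips"]
if __name__ == "__main__":
    for h in SAMPLE:
        print(f"{h:16} {classify(h)}")
```

The near-match rule will flag some innocent handles, so its output is a review queue for risk and security staff rather than a list of confirmed impersonators.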

Page 14: Using Social Media for Security Monitoring

Use Case: Piracy Protection

• Multinational Media Brand, and a Multinational Sports Entertainment Group

• Heavily rely on revenues generated from pay per view content, as well as protected content, such as TV shows, and movies

• Major issue with leaked content before release dates as well as illegal streaming of content during events

Page 15: Using Social Media for Security Monitoring

Use Case: Piracy Protection

• Finding the source of illegal streaming, and also those helping to broadcast it

• Look for the most retweeted content, and the largest retweet spreads

• Find the original post promoting an illegal streaming source

• Create lists to track, monitor, and be alerted to these sources

((stream OR streaming OR torrent OR livestream OR online OR free OR "free download" OR "streaming online" OR "watch the") AND ("the martian" OR martian OR themartian) AND NOT (trailer))

Page 16: Using Social Media for Security Monitoring

Use Case: Fraud Detection

• Using visual cues – or ‘listening’ – as a means to capture and track image-driven content

• Illegal tickets

• Unauthorized apparel

• Phishing Scams

Page 17: Using Social Media for Security Monitoring

Three Things to Know

1. Survey the landscape and find out what existing conversations regarding threats are happening on social

To surface conversations, think and search social channels on:

• Related industries
• Known threats and security events from the past
• Various market segments you are involved in

Page 18: Using Social Media for Security Monitoring

Three Things to Know

2. Monitor for threats against your brand, your executives, your office locations, etc.

Things to Consider:

• Have we scoped out a process and workflow for any threats that may occur?
– What resources need to be leveraged internally when a threat takes place?

• Can we identify malicious actors that need to be monitored on an ongoing basis?

Page 19: Using Social Media for Security Monitoring

Three Things to Know

3. Look beyond the text

Not all conversations about security will happen via copy – think about how people are sharing information:

• Instagram
• Facebook
• Tumblr
• Reddit

Page 20: Using Social Media for Security Monitoring

After the Presentation

• Feel free to contact us for follow up questions @Sysomos

• Please visit sysomos.com/webinars to sign up for great Sysomos webinars

Page 21: Using Social Media for Security Monitoring

Thank You!

@Sysomos