Global security operations centers (GSOCs) — regardless of their mission statements — don't always live up to the "global" part of their billing.
Many GSOCs focus on time-worn methods and practices that emphasize physical security, protecting the home base with surveillance cameras. Understandably, an enterprise wants to protect executives, employees and other assets such as buildings and factories. But this approach can neglect the wider world of digital assets. Today's threat landscape includes cybersecurity attacks, theft of intellectual property (IP) stored or transmitted electronically and assaults on corporate reputation via social media.
GSOCs may also limit themselves regarding their operational scope. Corporate security groups are often designed to handle problems only after they have reached the crisis stage. A GSOC set up primarily to manage incident response does, in fact, address an important part of the corporate security narrative. But this restrictive view fails to grasp the broader plot. The whole point of establishing a GSOC is to stay on top of threats before they harm physical or digital assets.
The complexities of corporate security call for truly global visibility and situational awareness. To get there, GSOCs should consider adopting a program of threat intelligence and digital risk protection (DRP) to keep digital assets safe.
A wider scope: threat intelligence and digital risk protection
GSOCs, to provide a full range of protection, need to broaden their field of vision. Threat intelligence offers a strategic perspective, identifying the universe of threats an organization is likely to face. This process involves gathering and analyzing data — largely from web-based sources — to provide an understanding of the current threat environment as well as insight into future dangers.
This understanding can help GSOCs prioritize threats and develop incident response plans. The ability to think strategically about threats, however, only provides a partial remedy. A security operation must also deal proactively with imminent threats. That's where DRP comes in. This tactical process focuses on detecting here-and-now attacks and defending digital assets. Threat intelligence and DRP supplement each other to provide comprehensive security.
Automation is critical to the successful functioning of both processes. A security analyst, or a roomful of security analysts for that matter, will never be able to manually scour the web, day in and day out, and uncover every pressing threat that could harm an organization. Data gathering and analysis must be automated to make threat intelligence and DRP feasible. Automated web intelligence or WEBINT tools, coupled with artificial intelligence (AI) and machine learning, let GSOCs mine vast online resources and data sets for actionable information.
For example, security analysts can use AI-enabled tools to generate customized search parameters, which might include geospatial data, the names of company executives or brands, and hashtags associated with threat actors. Web intelligence tools used to probe the web should be able to span the surface web, as well as unindexed deep web and dark web sites. The latter is especially important to monitor, since dark web markets and dump sites can contain anything from compromised login credentials to leaked source code. The hunt for threats must also cover multiple social media platforms, and not just the popular ones. Threat actors frequently abandon mainstream platforms for alternative social media sites.
Automation and AI can also help a GSOC process the potentially staggering quantities of data uncovered during a web-wide search for threats. In this context, AI can rapidly comb the collected data to pinpoint the relevant pieces of information and find patterns that can help security analysts identify a threat. Automation saves time, which means threats can be mitigated and incidents quickly contained.
COVID-19 complicates matters
The COVID-19 pandemic underscores the importance of threat intelligence and DRP processes and automated tools. Enterprises that have adopted remote work strategies must treat every employee's home network as a potential security exposure. Indeed, threat actors are targeting home-based workers, operating outside the protection of centralized IT security measures.
The rise of remote work, in effect, puts an organization's intellectual property online, from slide decks to video meetings. Here, cybersecurity protocols complement DRP and threat intelligence to silo business-critical data, so it doesn't end up in the wrong hands. If a security incident does occur, a GSOC should have a data breach detection capability to contain the leakage.
As for data loss, external threat actors aren't the only source of concern. Indeed, the pandemic's economic impact has heightened the insider threat risk. An employee facing reduced hours and reduced compensation due to a furlough, for example, could be tempted to exfiltrate digital assets.
Finally, the pandemic's remote workforce trend directly affects GSOCs that have employees plying their trade from home. GSOC managers need to determine whether their home-based security analysts' browsing is non-attributable. Analysts conducting research need to protect their digital footprints whether they are in the GSOC proper or at home.
Unexpected events such as COVID-19 demonstrate the importance of having a 360-degree approach to threat intelligence, identification and mitigation. The best centralized physical security systems won't suffice when executives and employees work from home.
But exclusive reliance on techniques such as dark web and social media monitoring also falls short of providing an unobstructed view of the threat environment. The complete package must include the ability to process big data, real-time alerting, evidence collection and safe browsing — as well as extensive monitoring.
Mitigating risk across the enterprise
Such a comprehensive DRP process, and associated tools, offers risk protection benefits across an enterprise's key functions and divisions. Here's a quick rundown:
- Security: Corporate groups providing physical security can take advantage of digital risk protection (DRP) and its monitoring of direct threats. A scan of open source geospatial intelligence, for instance, can alert security teams to questionable activity along a traveling executive's itinerary. Social media monitoring around an event an enterprise plans to host can bring issues to the attention of the event's security detail. An image of a press pass, for instance, could show up in a social media post, inviting a threat actor to replicate the credential, enter the event and potentially threaten executives in attendance.
- Risk and compliance: This corporate division typically takes a strategic view of risk identification, but part of its mission involves rating various risks so the organization can respond appropriately. DRP can help inform the process, analyzing data to determine which threats require immediate handling. In addition, compliance officers in financial institutions typically are on point for meeting know-your-customer requirements. DRP, coupled with threat intelligence, can support customer due diligence.
- Sales: The sales team may possess a range of confidential data and documents – sales plans, proprietary market research and information on customers and prospects, for example. Much of that data likely resides on cloud-based storage or on individual laptops. With business information so widely distributed, the ability to identify a data breach is crucial. Companies need to know if their IP has gone out the door.
- Marketing: Developing and promoting the corporate brand is the job of the marketing department. DRP, in its social media monitoring capacity, can provide marketing managers with a temperature gauge regarding who is saying what (good, bad or indifferent) about a particular brand.
- HR: Human resources professionals can benefit from DRP tools and their ability to provide comprehensive background checks on prospective employees. This feature becomes especially useful for multi-national organizations that must assess employees in countries where HR practices aren't as rigorous.
5 DRP must-haves for GSOCs
Enterprises ready to pursue those advantages should make sure their deployments address, at minimum, the following critical areas:
- Digital footprinting
A digital footprint typically refers to the data impressions individuals leave behind whenever they use the internet. The trail includes everything from email correspondence to tweets and other social media posts. Collectively, the data creates a profile that marketers use to target consumers with products and services.
Enterprises should be mindful of the digital imprints they leave behind, but should also consider the impact of footprints external parties create – unhappy customers and competitors. Social media comments, for example, contribute to an organization's digital portrait. Accordingly, GSOCs should make corporate officers aware of where the company is being mentioned and what is being said. Is there chatter regarding executives, potential deals or brands? DRP should be able to supply the answers.
- Brand protection
A business may spend millions of dollars cultivating its brand, the standard bearer of its reputation in the market. Tracking online chatter is an important step toward protecting the brand, but not the only one. GSOCs should also be on the lookout for counterfeit products, copyright infringement and patent theft. DRP can help scan the online environment for trouble, monitoring keywords and images associated with the brand, for instance.
- Account takeover
This form of identity theft has multiple dimensions. Threat actors can use brute force attacks or social engineering to obtain an employee's corporate credentials, then use them to access sensitive information or breach additional user accounts within the organization. Another form of account takeover attacks the corporate brand, assuming control over the social media accounts of companies or executives, for example. Takeovers let threat actors tarnish a brand through bitcoin giveaway scams, among other damaging actions. The task of monitoring social media accounts for suspicious activity and searching the web for fake social media accounts can fall within the purview of DRP.
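One of the checks described above, detecting lookalike social media handles and giveaway-scam wording, as an added Python example (not the article's own tooling or any vendor's product; the organization's official handles, the scam phrase list and the sample feed are constructed assumptions):

```python
"""Added example (not from the article): flag social-media handles that impersonate an
organization's official accounts, plus scam language posted from them, one of the
account-takeover checks DRP tooling automates. All handles and posts are constructed."""
import unicodedata
from difflib import SequenceMatcher

OFFICIAL_HANDLES = {"acmecorp", "acme_ceo_jane"}  # hypothetical organization
SCAM_PHRASES = ("giveaway", "send btc", "double your", "airdrop")
# Digit-for-letter swaps commonly used to build a lookalike handle.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(handle: str) -> str:
    """Fold Unicode lookalikes to ASCII, lowercase, drop separators, map confusable digits."""
    folded = unicodedata.normalize("NFKD", handle).encode("ascii", "ignore").decode()
    stripped = folded.lower().replace("_", "").replace(".", "").replace("-", "")
    return stripped.translate(CONFUSABLE_DIGITS)


def similarity(a: str, b: str) -> float:
    """Similarity of two handles after normalization, from 0.0 to 1.0."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify_account(handle: str, post_text: str, threshold: float = 0.85) -> dict:
    """Label a handle 'official', 'lookalike' or 'unrelated' and note scam wording."""
    scam = any(p in post_text.lower() for p in SCAM_PHRASES)
    if handle.lower() in OFFICIAL_HANDLES:
        # Scam wording from a genuine account suggests a takeover, not impersonation.
        return {"handle": handle, "verdict": "official", "scam_text": scam,
                "matches": handle.lower(), "score": 1.0}
    best = max(OFFICIAL_HANDLES, key=lambda official: similarity(handle, official))
    score = similarity(handle, best)
    # "acmecorp_support" scores low on ratio yet embeds the official name, a classic
    # impersonation pattern, so treat an embedded official handle as a lookalike too.
    lookalike = score >= threshold or normalize(best) in normalize(handle)
    return {"handle": handle, "verdict": "lookalike" if lookalike else "unrelated",
            "scam_text": scam, "matches": best if lookalike else None,
            "score": round(score, 2)}


if __name__ == "__main__":
    feed = [("acmecorp", "Big giveaway! Send BTC to double your coins"),  # constructed feed
            ("acme.corp", "Official airdrop, send btc now"),
            ("acmecorp_support", "DM us your password to verify"),
            ("weatherbot", "Sunny, 22C")]
    for handle, text in feed:
        print(classify_account(handle, text))
```

An "official" verdict with scam wording is the takeover signal; a "lookalike" verdict is the impersonation signal, and both are candidates for a GSOC analyst to review rather than automatic takedowns.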
- Fraud events
From stolen accounts to counterfeit pharmaceuticals, fraud events are many and varied and all are damaging to the corporate reputation. The world of fraud is open ended, limited only by the ingenuity of threat actors. Against that backdrop, a DRP approach must have the flexibility to respond to changes in attack modes. Here, AI and machine learning can play a role in fraud prevention, absorbing patterns of normal activity and flagging anomalous behavior.
- IP protection
IP is mostly digital these days, with product designs, technology roadmaps, business plans and the like stored in electronic form. DRP can help safeguard those assets and detect cases in which proprietary information has been leaked to public or dark web sites. Source code theft is another type of risk that organizations need to track. In a recent case, threat actors who attacked cybersecurity vendor FireEye were able to access red team tools used in penetration testing.
Rethinking security
Enterprises must contend with myriad threats of both the physical and virtual variety. Dealing with individual dangers is difficult enough. There are instances, however, when events layer upon each other to complicate risk mitigation and response; ransomware attacks targeting hospitals already overwhelmed with growing COVID-19 patient caseloads are one example.
Corporate security and risk managers should examine their threat intelligence and DRP capabilities — and upgrade their processes and automated tools, if necessary. A change in security philosophy may also be in order. The expanding threat landscape, the immense range of websites and social media platforms that could harbor threat actors and the increasing importance of non-traditional data sources such as geospatial data all add up to one conclusion: Organizations must commit to the GSOC's "global" component.