Open source intelligence has been generating a lot of chatter recently, and as a CISO, I'm curious whether I should have my IT team devote any significant time or resources toward researching activity on social media and online blogs. Do you think monitoring such sources is a good idea? If so, what limitations should be placed on such programs?
It may seem counterintuitive to most CISOs that the greatest source of information about current security threats is actually freely available on the Internet. Executives have grown accustomed to paying for services that pull together threat information from many different sources and provide succinct summaries. But this type of information gathering is time-intensive and slow. CISOs often find themselves reviewing information about threats that are several weeks old and may have already penetrated their network defenses.
The Internet is well-suited for information collaboration. Cybercriminals and other black hat hackers have already figured this out and actively use the Web to distribute information. They will even post their victories on the Web through sites like pastebin.com. CISOs need to realize that they could be using these same communication channels to learn about potential threats to their organizations.
I rely heavily on these types of sources. I leave Twitter open on the side of my monitor and scan for any security news of interest. I tend to follow security researchers directly instead of companies because I want unfiltered information. Google alerts are another great way to find information about the latest threats as they evolve. Shodanhq.com is an invaluable tool for reconnaissance for your network, as well as trending attacks and popularly exploited configuration errors. Security podcasts can provide security intelligence for free on the morning drive.
CISOs should monitor how much time their team spends doing this type of research. There is no hard-and-fast rule, but monitoring Twitter won't typically affect employee productivity nearly as much as listening to a security podcast. Podcasts can be approached just like any other online training. You could schedule working lunches where you and your team listen to a certain podcast and discuss the impacts on your network security, for example.
Open source intelligence has many benefits and should be embraced by CISOs. The odds are against organizations because of the sheer number of evolving threats and the limited resources available for defense. When properly managed, open source intelligence can help even those odds and provide a cost-effective means to discover potential threats to your organization's network.
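The answer above lists free sources (researcher feeds, alerts, Shodan) but leaves it to the reader to turn a firehose of items into something a small team can act on in the time budget it describes. The following is an added example, not code from the original Q&A or from the expert: a minimal open source intelligence feed filter that parses RSS items (the kind a researcher's blog publishes), matches them against a constructed inventory of products the organization runs, and flags items that mention active exploitation or an available patch so they are read first. The feed XML, the `ASSET_KEYWORDS` inventory and the `URGENT_RE` phrase list are all assumptions built for the example.

```python
"""Added example (not part of the original Q&A): a minimal open source
intelligence feed filter. It parses RSS items from security researchers'
blogs and matches them against an inventory of products the organization
runs, so the team only reads items relevant to its own environment.
The feed XML and the inventory below are constructed sample data."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed inventory: product keywords the organization cares about,
# mapped to where they live so an analyst knows the blast radius.
ASSET_KEYWORDS = {
    "apache struts": "web tier",
    "openssl": "TLS everywhere",
    "cisco asa": "perimeter firewalls",
}

# Constructed RSS feed; a real one would be fetched from a researcher's blog.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>Remote code execution in Apache Struts file upload</title>
<link>https://example.invalid/struts-rce</link>
<description>Patch now; exploitation observed in the wild.</description></item>
<item><title>Weekly roundup: conference talks</title>
<link>https://example.invalid/roundup</link>
<description>No vulnerabilities discussed.</description></item>
<item><title>OpenSSL advisory: denial of service in handshake</title>
<link>https://example.invalid/openssl-dos</link>
<description>Affects servers negotiating TLS 1.2.</description></item>
</channel></rss>"""


@dataclass
class Alert:
    title: str
    link: str
    matched: list   # inventory keywords found in the item
    urgent: bool    # item mentions active exploitation or a patch


# Phrases that, in a constructed heuristic, mark an item as time-sensitive.
URGENT_RE = re.compile(r"\b(exploit\w*|in the wild|patch now|zero[- ]day)\b", re.I)


def parse_items(rss_xml):
    """Yield title/link/description dicts for each <item> in an RSS 2.0 feed."""
    root = ET.fromstring(rss_xml)
    for item in root.iter("item"):
        yield {
            "title": item.findtext("title", ""),
            "link": item.findtext("link", ""),
            "description": item.findtext("description", ""),
        }


def filter_feed(rss_xml, keywords=ASSET_KEYWORDS):
    """Return only items that mention an inventoried product, urgent first."""
    alerts = []
    for item in parse_items(rss_xml):
        text = f"{item['title']} {item['description']}".lower()
        matched = [k for k in keywords if k in text]
        if not matched:
            continue  # not about anything we run; do not spend analyst time on it
        alerts.append(Alert(item["title"], item["link"], matched,
                            bool(URGENT_RE.search(text))))
    # Most urgent first, so the team's limited research time goes where it matters.
    alerts.sort(key=lambda a: (not a.urgent, a.title))
    return alerts


if __name__ == "__main__":
    for a in filter_feed(SAMPLE_FEED):
        flag = "URGENT" if a.urgent else "info"
        where = ", ".join(f"{k} ({ASSET_KEYWORDS[k]})" for k in a.matched)
        print(f"[{flag}] {a.title} -> {a.link}  affects: {where}")
```

In practice the inventory would be generated from the organization's asset or CMDB export rather than typed in, and the same filter can be pointed at several feeds; the point is that the matching is driven by what you actually run, which is what keeps the daily Twitter or feed scan from consuming the team's time.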
Related Q&A from Joseph Granneman