Two perspectives on social media for security leaders

What are you doing about social media?

Aside from your personal accounts, how are you helping secure social media in your organization? Have you figured out how to use it as a tool for better security?

Security leaders are in a tough spot when it comes to social media. Social media carries risk. Social media also carries value to marketing and sales (and security, too - read below). Trying to balance the risk with the reward and productively include security is a struggle.

Enter Brian Reed and Ian Amit from ZeroFox (@zerofox). I met Ian at InfoSec World and chatted over a lunch. I wanted to learn more - and we added in Brian. A first for the POV series (two guests), it was a fantastic blend of perspectives -- precisely what we need to advance how we protect social media in the enterprise.

For context, Brian Reed (LinkedIn, @reed_on_the_run) is the Chief Marketing Officer (CMO) of ZeroFox. A Startup product guy and veteran CMO who sees a critical inflection point at the intersection of social media and cyber security. His experience in the space shows in the discussion - and it should. He hails from the early days as a BlackBerry partner to the massive growth of MDM and security at Good Technology working with the world’s most highly regulated and risk averse companies and government agencies.

Ian Amit (LinkedIn, @iiamit) is the VP of Security for ZeroFox. A a hacker and veteran of infosec with over 20 years in the industry. His experience spans consulting, hands-on offensive and defensive roles, development, product management, as even some entrepreneurial experience. You might have read his research or taken in his talks at the myriad of security conferences.

Their blended experience was the perfect backdrop to a discussion about social media in the enterprise and what we need to think about to advance security. We started by talking about the level of awareness of social media as a security risk. Brian and Ian shared compatible, yet different perspectives.

We talked about a 60-40 split in terms of whether this is a blind spot versus a welcome discussion about a known challenge. What does this reveal about how to start internal conversations?

Point of view and experience are critical here. Social media may appear either as a blind spot or a known issue depending on your role. It’s evident when Brian and Ian sit together and look at things based on our own experiences. Brian hails from marketing and knows more about the impact and potential of social media than most people. Ian’s red-team perspective reveals the power of social media to profile and target individuals inside an organization in a highly effective manner.

In reality that’s the two faces of social media.

The internal discussion then can start from either the security team (usually stuck in a blind spot, where the approach is “we filter it anyway” or “we don’t allow it”), or the marketing/sales/audit teams where they are focused on brand reputation and customer engagement on social media (but where impersonations, hacked accounts and malicious links are also a blind spot).

What’s critical is that the conversation must start with sales and marketing together; someone must take the first step.

With our customers we usually end up helping form cross-team partnerships, where marketing takes the lead on the communication strategies internally and externally on social media best practices. Security focuses on taking advantage of the intelligence capabilities that working through the social networks provide them in terms of identifying threats earlier and “farther” away from their existing security perimeter.

Ultimately if security leaders don’t have a strong working relationship with marketing, this is a perfect topic to get engaged with marketing and deliver high value.

You suggest security leaders follow a 3-step approach to better understand the impact of social media in their organization. What are they?

First, we recommend mapping out how the organization is using social media and the social networks. It might sound trivial, but we are talking about more than just the organization’s official brand presence on sites like Twitter, Facebook and LinkedIn, and should include everyone who’s involved with the organization - executives, employees, and partners. Inventory all the accounts across all social networks and perform some basic analysis of the kinds of interactions each one of those accounts have - corporate, marketing, sales and executives are likely to be much more proactive and engaged, while other employees may have a lesser activity on the context of the organization. Nevertheless - this mapping is crucial in order to understand what is the organization’s footprint on social media.

The second step is looking at the content itself that’s being disseminated through all the accounts we’ve identified. What kind of information is published by employees and partners? Is it officially sanctioned? Does it conform to the messaging that marketing/sales have defined? Is there anything that uncovers information that is not supposed to be in the public domain? Is there a documented social media policy in place and are the employees following it? How are customers and external accounts engaged with employees on social media?

The third step is determining how the organization is going to protect itself. This step is based on the previous two, which provided the mapping, and then the exposure. Some controls may end up being legal/contractual (for example when dealing with 3rd parties who aren’t allowed to disclose customer information), some may be HR related (modifying/creating policies for acceptable behavior on social media), and some more technical (such as content filters, DLP, security controls over malicious content and social-engineering/phishing).

Security leaders tend to focus on the ability of attackers to use social media against you. Is that founded? Anything else to consider?

That’s absolutely founded, and has been practiced heavily in the past few years by attackers. From Ian’s perspective as a red-teamer, social media has proven to be one of the -- if not the -- most effective profiling, intelligence and attack vectors out there. People are highly inclined to share and engage on it, and the implied trust that these networks carry make it very easy for an attacker to engage in a conversations that can build up to an attack. That attack will eventually be facilitated by or through the target as they inadvertently introduce the payload into the organization.

On top of that, you have the broader risks that is brought on through less targeted scams such as fake coupons, discounts, raffles, and other “free-stuff”. These are either tied to financial fraud or end up exposing the target to malicious content-- which may look like a browser plugin, some add-on, or old fashioned malicious websites and files.

Last but not least, and this is where Brian’s expertise shines through, is the direct impact of unsanctioned communications through social media. We’ve all seen how a hacked Twitter/Facebook account can cause a major headache even to small organizations, witness hacks of CFO of Twitter and U.S. Centcom and Terrorist Claims. Some are minor “simple cases” but others can have catastrophic impact. More sophisticated attackers might start utilizing access to these accounts by leveraging their assumed authority over employees and customers, before turning to publicly shaming or abusing the organization.

Click here for a full timeline of social media attacks over the past 2 years.

Security seems to begrudgingly accept social media. You see it as a remarkable advantage. How so?

First - everyone must realize that there’s no denying that social media is here, and everyone is using it. Facebook has more active users than the population of China -- the largest country in the world. In fact, in a single minute of the day, 350,000 tweets are posted to Twitter, 300 hours of video are uploaded to YouTube and users like 1.75 million photos on Instagram.

Those who are averse to using and understanding social networks actually put themselves and their organizations at risk, as they make it easier for attackers to use the social networks against them by leaving an open gap where attackers can create real-looking impersonations of security staff, executives or other key employees

Security leaders need to understand that social media provides a great advantage from a security intelligence perspective, as it allows the organization to push the first line of engagement further outside the perimeter. When analyzed correctly using the proper tools and mostly relying on public shared data, you can identify malicious content, phishing, bot profiles, social engineering profiles, impersonators, and even attack planning (especially when dealing with visible and controversial brands).

This early detection buys the organization more time and context to deal with actual attacks, rather than waiting for the blow to hit them when it’s already too late, and rely on the assumed layer defenses from the perimeter inwards that may or may not work well in these scenarios.

Having a chance to know what the attack target is and what the attack vector/technique/timing is, is a game changer as blue-teams can tune their controls to better handle the attack, and be ready to contain it from an incident response perspective. If as a security leader you are not active on social networks, it’s time to dig in and get smart and engaged as another suite of tools in your arsenal.

What are some steps a security leader can take to change the conversation in their organizations while protecting social media?

It all starts with education and understanding that social media is now part of life and business, and that the social networks can be harnessed for good from a security perspective. Social no longer the stepchild of email, as it exists everywhere, and perforates the traditional view of what a perimeter is and how to defend that perimeter.

Speaking of education and understanding… one important key is the implied trust of the social networks and lack of awareness - there’s a bit of deja vu here. While most employees have been trained and may recognize they should not open or click on strange looking emails because security teams and the industry has trained and communicated about those risks relentlessly for over a decade, the employees’ guard is down when using social media due to implied trust of social networks and lack of training about the risks.

This is where security leaders can lead by adding education about social media security risks to their existing training and communications programs for email and web.

Leaders also need to take a hard look at how their current infrastructure and controls help them both defend from social media borne threats, as well as what kind of visibility they have into the social networks based on their existing footprint. The three step process we discussed earlier is crucial for understanding these elements (footprint and impact) before trying to drink the ocean through a straw, which is probably a fair analogy for how traditional security controls deal with social media.

Last but definitely not least - this isn’t the security leader’s home-field, and realizing that, while finding the right partners inside the organization (marketing / sales) who can provide more domain expertise is a power multiplier. Coming in with a “can-do” partnering approach, sometimes even pushing the boundaries of how engaged is the organization through social media, while providing enablement through security, is the true sign of a leader in our eyes.

This article was originally posted on April 20, 2016, csoonline.com