How to leverage social media data in your SIEM platform

Lee Shin Yau, Technical Consultant, Micro Focus

The risks of social media for consumers frequently make headlines, but platforms such as Facebook, Twitter, and LinkedIn can be used to attack enterprises, too.

Social media gives attackers many avenues to steal credentials, compromise access, and exfiltrate data. Malicious actors can also use it to expose employee-to-employee and employee-to-vendor communication or to leak sensitive internal pricing information.

Threats that arrive through social media, such as phishing, misuse of account information, poisoned websites, spam, and malware, can be mitigated with a security information and event management (SIEM) system, which gives security teams the visibility across applications, systems, and networks they need to counter those threats. The hard part is getting the SIEM the information it needs to do that, because much of it has to come from the social media provider and from external sources.

Social media providers, understandably, are reluctant to share their data with external parties, not only for competitive reasons, but because they have been pilloried for massive data breaches affecting users' personal data. Recently, a breach at Facebook exposed 50 million user accounts. In May 2018, Twitter advised all 330 million of its users to change their passwords after discovering a bug that had stored them in plaintext in an internal log. And in 2016, LinkedIn announced that more than 100 million member email and password combinations, a higher total than originally disclosed, had been compromised some four years earlier.

So instead of sharing more data, which would help organizations trying to counter social media threats, social networks are tightening the screws on what they share, so much so that a number of websites have been "broken" when social media sites choked off the APIs those sites needed to function. For example, Facebook forced a migration to Graph API 2.0, which shut down the friends-data API that many third-party apps depended on.

Meanwhile, third-party providers can be guarded about collaborating and sharing threat intelligence, since many of them compete with one another to sell exactly that kind of information.

Here's how to best leverage social media data in your SIEM platform.


A better exchange for threat data

Facebook has made some efforts to facilitate sharing threat information. It established the ThreatExchange in 2015, an API-based platform for that purpose.

While the exchange helps participating companies share data with one another, the social network itself is not contributing the kind of information that would let organizations identify threats originating on Facebook. The project was designed to address malware and spam, and it has never really taken off; three years on, it has still not emerged from beta.

By refusing to share user data with trusted parties, the social networks invite abuse of their systems by nation-states and other malicious actors. Unless the model for sharing is improved, social networks are always going to be playing catch-up, responding to events after they occur. That's too late.

What the cybersecurity community needs is something like a ThreatExchange, but with the ability for both cybersecurity specialists and social media users to report, share, and exchange information about threats in social media. That would keep everyone's social media accounts and the systems impacted by them safer.

A cache of that information already exists for Facebook. The company has implemented a comprehensive and complex reporting guide that lets its users report anything that could evolve into a real threat. Without a doubt, Facebook is storing that data somewhere in a repository or a database. Think how invaluable that data would be to security teams trying to thwart social media threats. Unfortunately, it's unlikely Facebook will ever share that data.

That's why an open-source exchange is needed. Instead of reporting potential threats to social media providers, users would be encouraged to report them to the exchange running on an open platform based on industry standards and accessible to trusted parties. Social media providers such as Facebook could work with the platform operator to craft the standards used on the exchange and to ensure that data on the system has been anonymized to protect the privacy of users.

The idea is to create a pool of social media threat data without opening up privacy risks to users if the data were to be compromised by unauthorized parties.

Modifying standards

For the exchange to work, existing sharing standards such as STIX (the expression format) and TAXII (the transport) would need to be extended to carry indicators for social media threats. For reference, these are the eight top-level constructs of STIX 1.x, each answering a different question about a threat:

  • Observable (what activity is being seen)
  • Indicator (what to watch for)
  • Incident (where it has been seen)
  • Tactics, techniques, and procedures (TTP; how it works)
  • Exploit target (what weakness it exploits)
  • Campaign (why)
  • Threat actor (who)
  • Course of action (what to do about it)

To address social media threats, those constructs may need to be extended and enriched with additions such as these (STIX 2.x already provides a custom-property and custom-object mechanism that could carry them without changing the core objects):

  • Information leak exposure/risk (receiver)
  • Identity genuineness
  • Consensus (content integrity)
  • Page/object access frequency (pull factor)
  • Publish frequency (push factor)


Better social media threat intelligence through AI

Even without an open-source exchange platform, organizations can address social media threats today by correlating social media threat intelligence from external parties, including social media users, cybersecurity experts, and service providers, with the internal event data already collected by the SIEM, which can then process the combined data with artificial intelligence (AI) and machine learning.

The volume of internal event data, combined with the external feeds, can be enormous, and several rounds of evaluation may have to run in near real time before meaningful threat intelligence can be derived from it. The quality of that intelligence depends heavily on the strength of the SIEM's correlation engine. The end result gives defenders a much clearer view of the context of an attack and lets them defend proactively against emerging threats, especially in an organizational setting.
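As an added example (not code from the article or from Micro Focus), the following Python script shows one way to carry the five social-media additions proposed above as STIX 2.1 custom properties, which the 2.x specification already permits under an x_ prefix, and then to correlate such indicators against SIEM events in the way this section describes. The property names, the SIEM field names, the sample indicators and events, and the priority weights are all this example's own assumptions; the correlation is a plain rule-based match, the step on which any machine-learning scoring would sit.

```python
"""Social-media threat indicators as extended STIX 2.1 objects, correlated with SIEM events."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 requires custom property names to start with "x_". These particular
# names are this example's own mapping of the article's proposed additions.
SOCIAL_PROPS = {
    "x_leak_exposure": "information leak exposure/risk on the receiving side (low/medium/high)",
    "x_identity_genuineness": "confidence (0..1) that the posting identity is genuine",
    "x_consensus": "content-integrity consensus score (0..1)",
    "x_access_frequency": "page/object access frequency (pull factor), views per hour",
    "x_publish_frequency": "publish frequency (push factor), posts per hour",
}


def make_social_indicator(name, pattern, **social):
    """Build a STIX 2.1 Indicator SDO carrying the social-media custom properties."""
    unknown = set(social) - set(SOCIAL_PROPS)
    if unknown:
        raise ValueError(f"unknown social-media property: {sorted(unknown)}")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    sdo = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": now,
    }
    sdo.update(social)
    return sdo


# Only single equality comparisons are supported, e.g. [url:value = 'http://x'].
_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")


def parse_simple_pattern(pattern):
    """Return (observable_type, property, value) for a single-comparison STIX pattern."""
    m = _PATTERN.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern (single equality comparison only): {pattern}")
    return m.group(1), m.group(2), m.group(3)


# Assumed SIEM event field that holds each STIX cyber-observable property.
FIELD_MAP = {
    ("url", "value"): "url",
    ("domain-name", "value"): "domain",
    ("user-account", "account_login"): "social_account",
}


def priority(ind):
    """Fold the social-media properties into a 0..100 priority. Weights are illustrative."""
    score = 40 * (1 - ind.get("x_identity_genuineness", 1.0))  # impostor identities weigh most
    score += 20 * (1 - ind.get("x_consensus", 1.0))              # disputed content
    score += min(20, ind.get("x_access_frequency", 0) / 5)       # heavily pulled content
    score += min(10, ind.get("x_publish_frequency", 0) / 2)      # spammy push rate
    score += 10 if ind.get("x_leak_exposure") == "high" else 0
    return round(min(100, score))


def correlate(indicators, events):
    """Match SIEM events against each indicator's observable; return hits, highest priority first."""
    hits = []
    for ind in indicators:
        obj_type, prop, value = parse_simple_pattern(ind["pattern"])
        field = FIELD_MAP.get((obj_type, prop))
        if field is None:
            continue  # observable type the SIEM has no field for
        for ev in events:
            if ev.get(field, "").lower() == value.lower():
                hits.append({"event_id": ev["id"], "indicator": ind["name"], "priority": priority(ind)})
    return sorted(hits, key=lambda h: h["priority"], reverse=True)


# Constructed sample data: two social-media indicators and three SIEM events.
INDICATORS = [
    make_social_indicator(
        "Impersonation account posting fake vendor invoices",
        "[user-account:account_login = 'acme-billing-support']",
        x_identity_genuineness=0.1, x_consensus=0.3, x_access_frequency=120,
        x_publish_frequency=30, x_leak_exposure="high"),
    make_social_indicator(
        "Phishing link shared in a public group",
        "[url:value = 'http://login-acme.example/reset']",
        x_identity_genuineness=0.6, x_consensus=0.8, x_access_frequency=15,
        x_publish_frequency=2, x_leak_exposure="medium"),
]
EVENTS = [
    {"id": "ev-1", "source": "proxy", "user": "jdoe", "url": "http://login-acme.example/reset"},
    {"id": "ev-2", "source": "mail-gw", "user": "asmith", "social_account": "ACME-Billing-Support"},
    {"id": "ev-3", "source": "proxy", "user": "jdoe", "url": "https://intranet.example/"},
]

if __name__ == "__main__":
    bundle = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": INDICATORS}
    print(json.dumps(bundle, indent=2))  # what a TAXII collection would serve
    for hit in correlate(INDICATORS, EVENTS):
        print(hit)
```

Run as a script, it prints the STIX bundle and then the two hits, with the impersonation match on ev-2 ranked ahead of the phishing URL on ev-1 because the account's low identity-genuineness and high access frequency dominate the score; ev-3 matches nothing. A production correlation would resolve the full STIX patterning grammar rather than single comparisons, and would replace the fixed weights with a model trained on analyst feedback.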

Clearly, this combination of SIEM, AI, and machine learning presents a real opportunity for organizations looking to incorporate social media threat intelligence into their security operations. Not only can an organization reduce the workload on its analysts, but it can also produce genuinely actionable threat intelligence by considering multiple data and information sources concurrently.