The Six Critical Considerations of Social Media Threat Intelligence
Every day, angry rhetoric and hints of potential danger flow through streams of social media data. Some of these threats may affect your company, employees, reputation, and facilities. When should you be concerned? Here's how to identify threats before they become realities.

Anticipating, assessing and ultimately avoiding an ever-growing array of threats communicated against your organization is a multi-dimensional challenge. Each new social channel adds to the data volume, integration complexities, and language variations that must be analyzed in near-real time. It's this continual flow of unstructured data that can quickly overrun the resources assigned to monitor it. People alone simply can't cover the workload.

But before threat analytics can be used to its full potential, several critical readiness steps must be considered and evaluated. These steps will ultimately determine the clarity of the anticipatory intelligence provided as well as the ability to consume and use the information in a timely manner. These six critical considerations are based on lessons learned in both corporate and government security operations.

Threat analytics uses machine learning to sift through massive flows of disparate information and identify threatening communications. The most relevant potential threats are then prioritized and delivered to analysts as anticipatory intelligence. When combined with human insight, anticipatory intelligence provides the force multiplier required to gain the upper hand by distinguishing potential threat windows from benign noise.
1. Multilingual Ontology

Multilingual Internet traffic is growing at an exponential rate as people discuss business activities, product reviews, shareholders' meetings, corporate sponsorships, and customer events in all parts of the world. When these communications occur in multiple languages, determining the true intent of the chatter becomes increasingly difficult. The goals of these rants can vary: people may be venting frustration; they may wish to gain press exposure; or they may want to create actual business disruption and/or physical harm to your business facilities or employees. The more you know about each threat, the more likely you are to pinpoint its outcome and protect your interests.

But gathering such intelligence is not easy or straightforward. Relying solely on human translators would be impossible; the expense and time requirements would simply be too great. In order to get a comprehensive and near-real-time view of potential threats, threat analytics must be used to monitor and understand threatening content in dozens of native languages.

Simple translation engines are not sufficient for threat detection. For threat analytics to be effective, they require a word-association ontology that spans native languages. This allows the machine learning algorithms to understand word context across each language. Unlike Google Translate, which does simple translation, sophisticated computational linguistics are necessary to properly understand context. By design, translation engines will miss subtle nuances that are critical to anticipatory intelligence. Once a multilingual ontology is applied, native-language human experts can be employed to comprehensively translate the most relevant and pressing threat content.
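The word-association idea above (a concept carries terms in several languages, and surrounding context decides whether a hit is a threat or noise) as an added example written for this page in Python; it is not SignalSensor or Opera Solutions code. The ontology entries, the target and benign context lists, and the five sample messages are all constructed, and the matching is deliberately rule-based where a production system would use learned models. The returned language tag is a convenience for handing the hit to the right native-language reviewer.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed ontology: each threat concept lists its surface terms per language and
# the assessment engine it feeds. A message is matched by concept, whatever language
# it is written in, so no translation step is needed before scoring.
ONTOLOGY: Dict[str, dict] = {
    "disrupt": {"engine": "nonviolent",
                "terms": {"en": ["block", "shut down", "walk out"],
                          "es": ["bloquear", "paralizar"],
                          "de": ["blockieren", "lahmlegen"]}},
    "harm":    {"engine": "violent",
                "terms": {"en": ["attack", "hurt"],
                          "es": ["atacar", "ataque"],
                          "de": ["angreifen", "angriff"]}},
}

# Association context (constructed): a threat term only counts when something the
# organization cares about is named, and never when a benign frame (sport, film)
# explains the word, e.g. "ataque" in a football report.
TARGETS: List[str] = ["plant", "office", "entrance",
                      "fábrica", "oficina", "entrada",
                      "werk", "büro", "eingang"]
BENIGN: List[str] = ["game", "match", "movie",
                     "partido", "película", "equipo",
                     "spiel", "film"]

def normalize(text: str) -> str:
    """Lower-case, strip punctuation (Unicode-aware) and pad with spaces so that
    whole-word and multi-word terms can be found with a simple substring test."""
    return " " + re.sub(r"[^\w]+", " ", text.lower()).strip() + " "

def contains(text_norm: str, term: str) -> bool:
    return f" {term} " in text_norm

def analyze(text: str, ontology: Dict[str, dict] = ONTOLOGY) -> Optional[Tuple[str, str, str]]:
    """Return (concept, engine, language) for a contextual threat hit, else None."""
    t = normalize(text)
    if any(contains(t, b) for b in BENIGN):       # benign frame dismisses the hit
        return None
    if not any(contains(t, tg) for tg in TARGETS):  # no organizational target named
        return None
    for concept, entry in ontology.items():
        for lang, terms in entry["terms"].items():
            if any(contains(t, term) for term in terms):
                return concept, entry["engine"], lang
    return None

# Constructed sample messages in three languages.
MESSAGES = [
    "We will block the entrance to the plant on Monday.",
    "Vamos a bloquear la entrada de la fábrica el lunes.",
    "El ataque del equipo fue increíble en el partido.",
    "Sie wollen das Büro angreifen.",
    "Great movie night at the office.",
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(analyze(m), "<-", m)
```

Two of the five messages say the same thing in English and Spanish and both land on the same concept and engine, the German message is routed to the violent-threat engine, and the football report and the office film night are dismissed by context even though they contain ontology terms.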
2. Hyper-Focused Threat Scoring Engines

Not all threats are created equal, so the assessment engines used to identify potential threats must be finely tuned for each type of threat being evaluated. At a minimum, four primary threat assessment engines, each with dedicated threat analytics, should be in place to provide comprehensive threat coverage:

Violent Threats: Searches for threats of action that may lead to imminent physical or bodily injury against personnel or property.

Nonviolent Threats: Uncovers threats related to nonviolent disruption of operations. Examples include demonstrations, protests, and work stoppages.

Event Threats: Focuses on time-based threats that target specific events such as sporting events, public gatherings, and holiday celebrations.

Proximity Threats: Identifies indirect threats that may affect your interests. If you have personnel or property located near an event that may attract threatening acts, how do you react? Events such as civil disobedience or social unrest near your location may affect your operations even if not directly targeted at your organization.
3. Automated Alerting

It is important for responsible security personnel and organizations to receive threat alerts in a timely and consumable manner. These alerts should be delivered as a per-event notification and/or a scheduled product such as a daily briefing document. This capability requires that direct and adjacent threats be prioritized according to severity and immediacy. The prioritization logic must also be configurable, so organizations can adjust thresholds based on the investigative resources that are available.

Threats should be prioritized across three levels: high, medium, and low. Each type of threat engine being used should have its own prioritization logic. This will enable optimal use of security resources by delivering the highest-severity threats to all personnel while delivering low-level threats to junior-level analysts. Severity routing allows preventative measures to be employed immediately for high-severity threats while low-severity threats are investigated further.

Threat prioritization is complex. While people tend to focus on violent threats, nonviolent proximity threats may actually cause more severe operational damage. Even when violent threats are absent, public protests can cause business disruption, negative publicity, and loss in valuation. Adjustments to the prioritization methodology are typically made over time as the dynamics of a region (crime rate, terrorism, drug trafficking, gang violence, public unrest, economic turmoil, or election cycles) fluctuate.

4. Ad Hoc Search Capabilities

In addition to receiving automated threat alerts, it is also necessary for security personnel to further investigate potential threats. This investigative process may involve searching across multiple languages and contexts depending on a company's geographic footprint. Historical depth is also necessary when evaluating localized threats, which may have developed and evolved over time.
Ad hoc search capabilities allow analysts to understand and interpret the dynamic relationships and sentiment between entities such as people, places, and organizations. In some cases these dynamic relationships exist openly while others must be uncovered by the tradecraft of expert security personnel.
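The per-engine prioritization, immediacy handling, severity routing and configurable thresholds described under Automated Alerting above, together with the threshold customization from the Threat Customization section, as an added example in Python written for this page; it is not SignalSensor or Opera Solutions code. The engine names follow the four engines in section 2; the threshold values, time windows, recipient group names and sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

LEVELS = ("low", "medium", "high")

@dataclass
class EngineConfig:
    """Prioritization logic for one threat engine; every value is meant to be tuned."""
    high: float                    # score at or above this is "high"
    medium: float                  # score at or above this is "medium", below it "low"
    imminent_hours: float          # time-bound threats inside this window move up one level
    routing: Dict[str, List[str]]  # level -> recipient groups

@dataclass
class Alert:
    engine: str
    score: float                            # engine output, 0.0 .. 1.0
    text: str
    hours_to_event: Optional[float] = None  # None when the threat is not tied to a time

# Constructed thresholds and recipient groups. Each engine has its own cut-offs, so a
# nonviolent or proximity disruption can reach the whole team without violent language.
DEFAULT_CONFIG: Dict[str, EngineConfig] = {
    "violent":    EngineConfig(0.80, 0.50, 48.0, {"high": ["all-security", "executive-protection"],
                                                   "medium": ["duty-analyst"], "low": ["junior-analyst"]}),
    "nonviolent": EngineConfig(0.70, 0.40, 24.0, {"high": ["all-security", "facilities"],
                                                   "medium": ["duty-analyst"], "low": ["junior-analyst"]}),
    "event":      EngineConfig(0.75, 0.45, 72.0, {"high": ["all-security", "event-security"],
                                                   "medium": ["duty-analyst"], "low": ["junior-analyst"]}),
    "proximity":  EngineConfig(0.60, 0.35, 12.0, {"high": ["all-security", "facilities"],
                                                   "medium": ["duty-analyst"], "low": ["junior-analyst"]}),
}

def classify(score: float, cfg: EngineConfig) -> str:
    """Map an engine score to high / medium / low using that engine's thresholds."""
    if score >= cfg.high:
        return "high"
    if score >= cfg.medium:
        return "medium"
    return "low"

def escalate(level: str) -> str:
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]

def prioritize(alert: Alert, config: Dict[str, EngineConfig] = DEFAULT_CONFIG) -> str:
    """Severity from the score, then immediacy: an imminent time-bound threat moves up one level."""
    cfg = config[alert.engine]
    level = classify(alert.score, cfg)
    if alert.hours_to_event is not None and alert.hours_to_event <= cfg.imminent_hours:
        level = escalate(level)
    return level

def route(alert: Alert, config: Dict[str, EngineConfig] = DEFAULT_CONFIG) -> List[str]:
    """Severity routing: who receives the per-event notification."""
    return config[alert.engine].routing[prioritize(alert, config)]

def tune(config: Dict[str, EngineConfig], engine: str, **changes) -> Dict[str, EngineConfig]:
    """Customization: a new config with one engine's settings overridden, original untouched."""
    new = dict(config)
    new[engine] = replace(config[engine], **changes)
    return new

def daily_briefing(alerts: List[Alert], config: Dict[str, EngineConfig] = DEFAULT_CONFIG) -> List[Alert]:
    """Scheduled view: highest level first, then most imminent, then highest score."""
    def key(a: Alert):
        immediacy = a.hours_to_event if a.hours_to_event is not None else float("inf")
        return (-LEVELS.index(prioritize(a, config)), immediacy, -a.score)
    return sorted(alerts, key=key)

# Constructed sample alerts, as a set of engines would emit them.
SAMPLE_ALERTS = [
    Alert("violent", 0.91, "direct threat against a named executive (constructed)"),
    Alert("nonviolent", 0.55, "work stoppage being organised at the plant (constructed)", hours_to_event=6),
    Alert("proximity", 0.30, "rally planned two blocks from the regional office (constructed)", hours_to_event=40),
    Alert("event", 0.50, "vague complaint about the product launch (constructed)", hours_to_event=200),
]

if __name__ == "__main__":
    for a in daily_briefing(SAMPLE_ALERTS):
        print(prioritize(a).upper(), a.engine, "->", ", ".join(route(a)), "|", a.text)
```

The nonviolent alert scores only "medium" on its own, but because the work stoppage is six hours away it is escalated to "high" and sorts ahead of the violent alert in the briefing; raising the violent engine's high threshold with `tune` drops that alert to "medium" without touching the other engines.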
5. Determining Influence

An ever-increasing number of channels are used to communicate online. A few of these channels include mainstream social media, blogs, news sites, video comments, radical forums, and dark nets. That said, some authors are proven to be more influential than others when it comes to getting people to act via these channels. Threat analytics should provide the ability to determine the influence of an author within forum settings. The ability of an author to influence others should be reflected in the threat level (i.e., the score) as well as the prioritization ranking of an identified threat. Influence is determined by multiple and interlocking factors, such as the breadth of followers, the number of responders, resends of an author's writings, and how far their messages reach into the network of forum users.

6. Threat Customization

Even after all the above elements are in place, you must have the ability to customize components of your threat analytics. This control enables two critical capabilities. First, the threat analytics can be focused on specific interests, such as corporate executives, key office locations, or upcoming corporate events. Second, you can employ in-house experience that may be specific to a particularly dynamic threat environment. One security organization may have different threat thresholds than another organization, even for the same time window and location. Customization provides for the unique preferences of individual security analysts, as they may be focused on particular people or groups of interest. By following certain geographies or trends in prevailing sentiment, these analysts can fine-tune the threat algorithms to remove or lower the prioritization of certain threats that may not be as relevant as originally suggested.
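The four influence factors named under Determining Influence (breadth of followers, number of responders, resends, and how far a message travels through the forum) turned into an author influence score that then adjusts the threat score and ranking, as an added Python example written for this page; it is not SignalSensor or Opera Solutions code. The forum activity, the feature caps and the influence weight are all constructed; reach is measured as the longest reshare chain found by a breadth-first walk from the author.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Post:
    post_id: str
    author: str
    text: str
    base_score: float   # threat engine output before influence is applied (0..1)

# --- Constructed forum activity (not real data) ---
POSTS = [
    Post("p1", "alpha", "urges followers to shut down the shareholder meeting (constructed)", 0.60),
    Post("p2", "beta",  "threatens to picket the regional office (constructed)", 0.70),
    Post("p3", "gamma", "threatens to picket the regional office (constructed)", 0.70),
]
FOLLOWER_COUNT = {"alpha": 400, "beta": 25, "gamma": 10}
# (replier, post_id)
REPLIES = [("r1", "p1"), ("r2", "p1"), ("r3", "p1"), ("r4", "p1"), ("r1", "p2"), ("r4", "p3")]
# (post_id, resharer, user they reshared it from): alpha's post travels three hops deep.
RESHARES = [("p1", "s1", "alpha"), ("p1", "s2", "alpha"), ("p1", "s3", "s1"), ("p1", "s4", "s3"),
            ("p2", "s5", "beta")]

# Caps turn raw counts into 0..1 features (constructed; tune per forum).
CAPS = {"followers": 500, "responders": 10, "resends": 10, "reach": 4}
INFLUENCE_WEIGHT = 0.5   # a maximally influential author raises a base score by 50%

def reach_depth(post_id: str, author: str, reshares=RESHARES) -> Tuple[int, int]:
    """BFS over the reshare tree of one post: (distinct resharers, longest hop chain from author)."""
    children = defaultdict(list)
    for pid, resharer, source in reshares:
        if pid == post_id:
            children[source].append(resharer)
    seen = {author}
    queue = deque([(author, 0)])
    max_depth = 0
    while queue:
        user, depth = queue.popleft()
        max_depth = max(max_depth, depth)
        for nxt in children[user]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, depth + 1))
    return len(seen) - 1, max_depth

def author_features(author: str, posts=POSTS, replies=REPLIES,
                    reshares=RESHARES, followers=FOLLOWER_COUNT) -> Dict[str, float]:
    """The four factors from the text, aggregated over everything the author has posted."""
    own = [p for p in posts if p.author == author]
    own_ids = {p.post_id for p in own}
    responders = {user for user, pid in replies if pid in own_ids}
    resends, reach = 0, 0
    for p in own:
        n, d = reach_depth(p.post_id, author, reshares)
        resends += n
        reach = max(reach, d)
    return {"followers": followers.get(author, 0), "responders": len(responders),
            "resends": resends, "reach": reach}

def influence(author: str, caps=CAPS, **kw) -> float:
    """Equal-weight mean of the capped features, 0..1."""
    feats = author_features(author, **kw)
    return sum(min(1.0, feats[k] / caps[k]) for k in caps) / len(caps)

def adjusted_score(post: Post, weight: float = INFLUENCE_WEIGHT) -> float:
    """Influence is reflected in the threat level itself, capped at 1.0."""
    return min(1.0, post.base_score * (1 + weight * influence(post.author)))

def ranked(posts=POSTS) -> List[Tuple[str, float]]:
    """Prioritization ranking after influence: highest adjusted score first."""
    return sorted(((p.post_id, adjusted_score(p)) for p in posts), key=lambda t: -t[1])

if __name__ == "__main__":
    for pid, score in ranked():
        print(f"{pid} {score:.3f}")
```

On the constructed data the two identical picketing posts tie on base score and the shareholder-meeting post trails them, but the author with 400 followers, four responders and a three-hop reshare chain is lifted to the top of the ranking, which is the ordering an analyst should see first.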
Bringing It All Together

Sifting out potential threats from continually flowing streams of online data is an incredibly complex task. Fortunately, threat analytics powered by machine learning algorithms have an impressive track record of identifying, categorizing, and prioritizing threatening language. When properly focused and fed by a robust, multilingual ontology, this technology can deliver a force-multiplier effect to security analysts.

SignalSensor™

SignalSensor from Opera Solutions Government Services provides an ongoing threat monitoring and assessment platform that identifies various threats (violent, nonviolent, proximity, and event-specific) on a 24/7 basis. This unique platform continually searches over 200 million potential hiding places for indications of danger (websites, forums, social media, and more) and extracts valuable insights in time to react. It uses a comprehensive and continually updated ontology of 80 million terms and 420 million relationships and searches in more than 55 native languages. For more information, contact us at 1-855-OPERA-22 or signalsensor@operasolutions.com, or subscribe to our blog at blog.operasolutions.com.

ABOUT OPERA SOLUTIONS, LLC

Opera Solutions (www.operasolutions.com, @OperaSolutions) provides Big Data predictive and prescriptive analytics, delivered as an ongoing service, to business, healthcare, and government organizations globally. With approximately 180 machine learning scientists among its 600 employees, Opera Solutions is a global leader in using advanced techniques to extract value from Big Data. Its solutions, software, and services combine science with technology and domain expertise, providing new, Big Data-fueled pathways to profit and productivity. Opera Solutions is headquartered in Jersey City, NJ, with other offices in North America, Europe, and Asia.
For more information, visit our website or call 1-855-OPERA-22. © 2014 by Opera Solutions, LLC. All rights reserved.