Providence – Monitoring Insider Threats
What is Providence?
Providence is a web-based, open source intelligence platform, developed by WorldStack, which collects and analyses information from social media platforms. It provides users with a directed approach to the intelligence and investigations process, allowing for easy identification and prioritization of important information and events.
Why Providence?
- Manual collection ties up experts whose time can be better spent analyzing information.
- Automation helps identify events of interest that experts may miss.
- Assists with discovery of social media accounts associated with an entity, saving analysts' time.
Why is Providence different from other products?
Common issues customers have with existing open source intelligence tools are:
- Generic – The vast majority of open source intelligence software on the market is rebadged brand management and marketing tooling. These products have been developed around a marketing process, rather than an intelligence or investigation process, and so do not support the needs of these users.
- Information overload – There is too much information to process and it is hard for an analyst to identify which events to look at.
WorldStack has taken a different approach:
- Intelligence and investigation based – The platform has been purpose developed by intelligence professionals to be used for intelligence gathering and investigations.
- Focused – The data model is built around the concept of an entity. An entity in Providence can be a Person, Group, Event, Topic or Location. An entity-based data model means users of Providence can collect, investigate and monitor at a fine-grained level.
- Prioritized – Data is presented in a way that highlights important events and allows analysts to prioritize what they investigate.
For example, you could collect information about an individual from open sources and detect changes in behavior or other suspicious indicators. Providence's alerting system then surfaces interesting events related to a person, such as a post about a particular topic, as they occur, in near real time. In the use case below we demonstrate how Providence can be used in a security clearance aftercare program. The same method applies to other use cases, such as counter-terrorism.
Scenario: Monitoring vetted personnel
In the case of security aftercare, we are interested in monitoring individuals who hold high-level security clearances. Because of the type of information they may have access to, they present the greatest risk; the cases of Bradley Manning and, more recently, Edward Snowden are prime examples. In this example use case we are monitoring Joe Bloggs, the holder of a Top Secret security clearance with access to information that, if compromised, could damage the national security of his country. Note: Joe Bloggs is a fictional profile we have set up for the purposes of this use case demonstration. So, what are some of the suspicious indicators we may want to monitor for and be alerted to in this use case? Indicators may include financial problems, gambling, excessive alcohol or drug use and anti-government sentiment. We are also interested in what his normal usage pattern is in terms of the amount of social media use. This allows us to identify anomalies in usage that may be of concern, i.e. spikes in activity or, conversely, troughs in usage. Below we can see Joe Bloggs' posting activity for the past 30 days.
From Joe Bloggs' activity we can baseline what normal levels of use are and detect anomalies when usage falls outside that range. All data is interactive in Providence, making it easy for users to drill down into the underlying data to understand its meaning. Selecting a data point, as in the screenshot below, filters the underlying data down to only the posts that created that particular peak or trough.
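The baseline-and-anomaly idea in the two paragraphs above, worked through as an added Python example. This is not Providence code and the page does not describe how WorldStack implements the feature; the 30-day posting series is constructed for the illustration, and the choice of a median/MAD baseline, the 2.5 multiplier and the three-day trough rule are assumptions made here for demonstration.

```python
"""Baseline a user's daily posting counts and flag spikes and troughs.

Added example illustrating the 'baseline normal usage, alert on anomalies'
approach described on the page. Not Providence code; the data is constructed.
"""
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: one post count per day for the past 30 days.
# Most days sit between 2 and 6 posts; day 11 (0-based) is a spike and
# days 20-22 are a sustained trough of zero activity.
DAILY_POSTS: List[int] = [
    4, 3, 5, 4, 6, 2, 4, 5, 3, 4, 5, 18, 4, 3, 6, 4, 5, 3, 4, 5,
    0, 0, 0, 4, 5, 3, 4, 6, 4, 3,
]

# Scales the median absolute deviation so it is comparable to a standard
# deviation for normally distributed data (assumed convention for this demo).
MAD_SCALE = 1.4826


def robust_baseline(counts: List[int]) -> Tuple[float, float]:
    """Return (median, MAD) of the series.

    Median and MAD are used instead of mean/stddev so that one extreme day
    does not inflate the 'normal' range it is later judged against.
    """
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def normal_range(counts: List[int], k: float = 2.5) -> Tuple[float, float]:
    """Lower/upper bounds of normal activity: median +/- k * scaled MAD.

    A floor of 0.5 on the spread keeps the band from collapsing to a single
    value when the series is perfectly flat (MAD == 0).
    """
    med, mad = robust_baseline(counts)
    spread = max(MAD_SCALE * mad, 0.5)
    return med - k * spread, med + k * spread


def detect_anomalies(counts: List[int], k: float = 2.5,
                     quiet_run: int = 3) -> Dict[str, List[int]]:
    """Flag days whose activity falls outside the baseline range.

    'spikes'  : individual days above the upper bound.
    'troughs' : runs of at least `quiet_run` consecutive days below the
                lower bound. A single quiet day is ordinary; a sustained
                drop is what an analyst would want to review.
    Day indices are 0-based offsets into `counts`.
    """
    lo, hi = normal_range(counts, k)
    spikes = [i for i, c in enumerate(counts) if c > hi]

    troughs: List[int] = []
    run: List[int] = []
    for i, c in enumerate(counts):
        if c < lo:
            run.append(i)
            continue
        if len(run) >= quiet_run:
            troughs.extend(run)
        run = []
    if len(run) >= quiet_run:  # flush a trough that ends the series
        troughs.extend(run)

    return {"spikes": spikes, "troughs": troughs}


if __name__ == "__main__":
    lo, hi = normal_range(DAILY_POSTS)
    print(f"normal range: {lo:.2f} .. {hi:.2f} posts/day")
    for kind, days in detect_anomalies(DAILY_POSTS).items():
        for d in days:
            print(f"{kind:8s} day {d:2d}: {DAILY_POSTS[d]} posts")
```

The flagged day indices are what an analyst would then drill into, the way the page describes selecting a peak or trough to see only the posts behind it. On real data the multiplier and the trough length would be tuned per user rather than fixed.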
In the case of Joe Bloggs we are interested in whether there is a risk of him leaking classified information he has access to through his work. We have set up Providence to collect everything he posts on social media as well as what others post about him. Within the information collected about him we have set up filters to help identify suspicious indicators; of particular interest are pieces of information that may indicate anti-government sentiment. The graph below tracks Joe Bloggs' activity over time in relation to the information of interest to us.
As can be seen from the key to the right of the graph, we are tracking a number of topics that may constitute suspicious indicators. We can see the peaks and troughs associated with Joe Bloggs posting about these topics and with others posting to him about them. Again, all data is interactive, allowing users to drill down into the data and gain further insights.
In the chart below, we can easily identify from the data collected and analysed that the two things Joe Bloggs talks about most are his work and WikiLeaks. This combination is a red flag, an indicator that Joe may be at risk of disclosing classified information. In addition to these two indicators, he also posts about Edward Snowden and his dislike of the government, adding further indicators and lending weight to this potential risk.
In the screen capture below we have selected the WikiLeaks slice from the chart above to understand what it represents. The user can read the post in the detailed view below or access the original post from there.
Providence also allows users to be tracked via geolocation. Joe Bloggs has posted on a number of occasions with location services enabled. Users can select a 'hotspot' to see what he posted and from what location; as with all data in Providence, it is interactive.
From these indicators users can investigate and validate suspicious indicators quickly. There is no need to search blindly through masses of data by hand; Providence does the legwork. The same methodology can be used in Providence to identify and monitor issues around counter-terrorism and a host of other use cases.