How to use social media to implement continuous security vetting
In the case of security after care, we are interested in monitoring those individuals that hold high level security clearances. Due to the type of information they may have access to, they present the greatest risk. Incidents such as the cases of Bradley Manning and more recently Edward Snowden are prime examples.
In the example use case we are monitoring Joe Bloggs, he is the holder of a Top Secret security clearance and has access to information that if compromised could damage the national security of his country.
Note: Joe Bloggs is a fictional profile we have set up for the purposes of this use case demonstration.
So, what are some of the suspicious indicators we may want to monitor for and be alerted to in this use case?
Some indicators may be that he is having financial problems, gambling, excessive alcohol or drug use and anti-government sentiment. We are also interested in what is normal usage patterns in terms of amount of social media use. This will allow us to identify anomalies in usage which may be of concern, i.e. spikes in activity or conversely troughs in usage.
Below we can see Joe Blogg’s posting activity for the past 30 days.
From Joe Bloggs activity we can baseline what is normal levels of use and detect anomalies when usage falls outside of this range.
All data is interactive in Providence, making it easy for users to drill down into the underlying data to understand its meaning. Selecting a data point such as in the screen shot below will change the underlying data and provide only the data that created that particular peak or trough.
In the case of Joe Bloggs we are interested in whether there is a risk of him leaking classified information that he has access to through his work. We have set up Providence to collect everything he posts on social media as well as what others may post about him.
Within the information we collect about him we have set up filters to help us identify suspicious indicators. Of particular interest are pieces of information that may indicate anti-government sentiment. The below graph is set up to track Joe Blogg’s activity over time in relation to information of interest to us.
As can be seen by the key to the right of the graph we are tracking a number of topics that may constitute suspicious indicators. We can see the peaks and troughs associated with Joe Bloggs posting about these topics and others posting to him about them. Again, all data is interactive allowing users to easily drill down into the data and gain further insights.
In the chart below, we can easily identify through the data we have collected and analysed that the two things Joe Bloggs talks about most are his work and WikiLeaks. This combination is a red flag, an indicator that Joe may at risk of disclosing classified information. To add to these two indicators, he also posts about Edward Snowden and dislike of Government, adding further indicators and lending weight to this potential risk.
We can see in the below screen capture that we have selected the WikiLeaks slice from the above chart to understand what it means. The user can easily read what the post is from the below detailed view or access the original post from here.
Providence also allows for users to be tracked via geolocation. Joe Bloggs has posted on a number of occasions with location services enabled. Users can then select the ‘hotspot’ and see what he has posted and from what location, as with all data in Providence, it is interactive.
From these indicators users can then investigate and validate suspicious indicators quickly.