Roundtable Discussion: OSINT In The C-Suite
Fortune 500 CISOs on Open Source Intelligence
Melbourne, Australia – May 25, 2021
If you’re not using open-source intelligence (OSINT) as part of your security defense strategy, you’re already on the back foot — and may not even know it.
That’s because OSINT, in its various forms, has become a crucial tool in the arsenal of corporate security professionals — an essential capability that must be invested in and developed like any other part of your security defense.
But what is it, and how can it be used to improve cybersecurity postures in the real world? To better understand current thinking around OSINT, Cybercrime Magazine assembled a panel of CISOs and security experts to share how they are using OSINT to complement their threat-intelligence strategies.
The right data, in the right way
Staying on top of the publicly available information about a company and its markets might seem intuitive, but the sheer volume of information online can be hard to track without a strategy and appropriate tools.
Yet in a fast-moving online environment, letting the wrong data get into the wrong places can be a significant problem, noted Deneen DeFiore, vice president and CISO with United Airlines.
With airlines fighting to recover in the wake of the COVID-19 pandemic, conventional cybersecurity tasks have been complemented with a need to protect the brand by scouring OSINT for signs that strategic decisions have been compromised.
“I describe OSINT to our C-suite as the cybersecurity version of strategic market intelligence,” she explained. “You have to understand the environment, what is happening there, and what you look like compared to that environment.”
Being exposed is particularly a risk in aviation, where enthusiasts love to publish any bit of information they can find — which may, in the process, compromise a strategic move such as moving into a new market or opening up additional capacity.
By working with OSINT partners, United has been monitoring online forums and social media to detect potentially compromising information before it becomes a business risk.
“It’s a little bit different than the standard threat profile that we were doing before,” DeFiore said, “but protecting our brand has been something that has bubbled up to the top over the past six months.”
OSINT, particularly where it’s being curated and provided by a third-party specialist, is also proving valuable for companies that are finding they lack the time to keep abreast of changing cybersecurity threats.
“There’s only so many people to go around talent-wise,” said Theresa Payton, CEO at Fortalice, “and only so many things that tools can do to protect you. So, intelligence can be a great way to supercharge both the human element that you have protecting your organization, but also the tools, techniques and tactics that you’re using to protect and defend.”
Handle with care
Awareness of OSINT’s value has already spread across a range of industries, although some warn that it’s easy to get carried away.
“I have come across folks using OSINT as gospel, or as the truth,” said Adam Keown, global CISO with Eastman Chemical Company and a former FBI special agent working in cybersecurity forensics.
“Sometimes there can be a vast amount of disinformation out there around a certain situation — so OSINT should be considered raw data, or material that you wouldn’t use to make a decision, but can help guide you or to give you direction to look in additional areas.”
“It becomes very important to the boardroom, or something that we can use as a cybersecurity organization to not only protect the business but also to enhance capabilities and ensure the company is properly posturing themselves with whatever situation may be coming up.”
Context can make all the difference in effectively using OSINT, notes Teresa Zielinski, senior vice president and global CISO (and product security) with GE Gas Power.
“We know we need to use it,” she said, “but the value of the intel has to be contextualized so we can best use it. I always say that having too much data is kind of the same problem as not having enough data.”
The key to making the most of OSINT, Zielinski said, is considering not only what data is available but how it relates to the company’s highest-priority goals.
“You might have a lot of the OSINT data on the top products and top platforms that you use,” she said, “but then you have to marry it up to really consider what’s most critical to you?”
Taking that approach has helped GE Gas Power integrate OSINT streams into its business in a number of productive ways — such as partnering with OSINT companies to expand their data collection, and using tools like Shodan to understand what parts of the company are publicly accessible.
“We want to use [OSINT] to really differentiate how we work with our customers,” Zielinski said, “so it’s imperative that we use it. I think it’s about marrying what’s out there to what’s really important, and how we really make that data sing for us so it’s the most useful.”
Yet effectively using OSINT also requires a measure of caution, Fortalice EMEA region co-director Ben Owen noted in pointing out that companies should be aware of where their OSINT is coming from.
This means being aware of the potential for false positives to be buried in OSINT dumps, and considering where open-source aggregators are finding the data.
“Are they getting that information legally? And are they getting it proportionately?” Owen asked.
“We always teach our delegates in OSINT classes to think: if you’re put in front of a very clever, argumentative defense barrister, and he’s asking you where you’ve got your information from, you can’t really tell him you’ve gotten it from a source that isn’t perhaps well-respected.”
Driving the executive convers(at)ion
Increasingly cyber-aware board members are readily engaging with CISOs who bring them information sourced through OSINT processes — especially in the healthcare sector, which has been particularly under attack since the COVID-19 pandemic began.
The onslaught of attacks has helped boost business awareness of OSINT’s value, Northwell Health vice president and CISO Kathy Hughes pointed out, noting that managing cyber risk has become such a hot-button topic in the boardroom that senior executives are open to anything that helps them better understand it.
And while they “probably don’t recognize the term OSINT as readily,” Hughes said, “what they do ask in their language is: ‘What’s going on?’ and ‘Is there the potential for it to affect us?’ and ‘Are we protected?’”
“One of the ways that we provide responses to those questions, that we get asked all the time,” she continued, “is through the use of OSINT tools. Because we are protecting patients’ lives and safety, it’s important for us to know at any given time what’s going on in the world, and how that could potentially impact healthcare.”
HCA Healthcare vice president and CSO Paul Connelly agreed, noting that OSINT “definitely has a really important role both operationally and strategically, and is a point of dialogue with our C-suite executives”.
Extensive collection and analysis of OSINT “really makes a big difference for us in terms of being able to understand our potential attack surface, our footprint, and the landscape of threats against us,” he added.
HCA’s board “wants us to have a program that’s not just responding to the day-to-day slings and arrows,” he said. “They want us to be thinking ahead and trying to get out in front of it — and it’s really eye-opening to see what information is publicly available, and how it can be used against us.”
That information often comes from seemingly innocuous sources, noted Lori Havlovitz, senior vice president and CISO with Cardinal Health.
Telling executives that OSINT is the practice of gathering intelligence information about sources that are publicly available is “a starting place,” Havlovitz said, “but I really like to make it something that you can understand in your personal life first for board members, and then apply it to the company.”
Cybercriminals might, for example, monitor a senior executive’s social media posts — or those of their children, who are often less circumspect about what they post online — to find out when the family will be away on vacation.
“It’s more about making it real from an individual perspective,” Havlovitz explained, “and I’m always telling board members that the criminals are always watching us and what’s happening to us as a company.”
“It’s so important to know what the world knows about you, especially when you’re a target.”
– David Braue is an award-winning technology writer based in Melbourne, Australia.
The following people participated in the roundtable:
- Steve Morgan, Founder and CEO at Cybersecurity Ventures, Editor-In-Chief at Cybercrime Magazine, and Executive Producer of Cybercrime Radio.
- Theresa Payton, CEO at Fortalice, author of “Manipulated: Inside the Cyberwar to Hijack Elections and Distort the Truth.” Payton is a former White House CIO. She played the Deputy Commander of Intelligence on the CBS TV show “Hunted.”
- Danni Brooke, co-director of the EMEA region for Fortalice, and lead Hunter on Channel 4’s U.K. hit show “Hunted” which first aired in September 2015.
- Ben Owen, co-director of the EMEA region for Fortalice, and a member of the Hunter force involved in Channel 4’s critically acclaimed U.K. TV show, “Hunted.”
- Paul Connelly, Vice President and CSO at HCA Healthcare. Connelly’s former positions include CISO for The White House Communications Agency and Information Security Analyst at the NSA.
- Deneen DeFiore, Vice President and CISO at United Airlines, previously Senior Vice President, Global Chief Information & Product Security Officer at GE Aviation.
- Lori Havlovitz, Senior Vice President and CISO at Cardinal Health. Havlovitz has held technology and security leadership positions at Cardinal Health for more than 22 years.
- Kathy Hughes, Vice President and CISO at Northwell Health, a network of collaborators, research pioneers, entrepreneurs and educators — 76,000 strong — caring for millions of patients each year.
- Adam Keown, Director of Information Security and Global CISO at Eastman Chemical Company. His extensive background includes 10 years as a Special Agent with the FBI.
- Teresa Zielinski, CISSP, Senior Vice President, Global Chief Information Security Officer & Product Security at GE Gas Power. Zielinski has been with GE for nearly 24 years.
Sponsored by Fortalice
OSINT is essential to all online security work conducted by Fortalice, whether offensive cyber operations, defensive cyber operations, incident response, or traditional Internet intelligence and evidence gathering. OSINT can also be used for proactive research to understand the future threat landscape. We insist on remaining agile and preemptive rather than reactive to cyber threats to serve our clients holistically in the digital space.
Our team are global leaders in OSINT collection and training. We utilize world-leading OSINT practitioners and tools to ensure our clients have the very best intelligence possible. Finding information is one thing, but ensuring the information is accurate, corroborated, and actionable is another. Our team does not just rely on tools and automated ‘scraping’; we use world-class human analytical experience and skills to blend all information sources together. The Fortalice Solutions OSINT training department is now the number one OSINT training supplier for many industries across the globe, including the U.K. Metropolitan Police and Royal Air Force.