
The Four Pillars of Successful Threat Protection Programs

Learn about highly impactful threat protection programs that master signal detection, signal enrichment, threat assessment, and response.

January 4, 2024 · DURATION: 61 MIN

Organizations with highly impactful threat protection programs master four key capabilities: signal detection, signal enrichment, threat assessment, and response. Join us to learn how leading threat teams master these areas and provide a template for building greater maturity in your threat program, so you can find the potential in your data and prevent the next major incident.

In this webinar for security leaders and threat professionals, you’ll learn how to:

  • Reliably identify leading indicators and uncover more threats before they materialize
  • Rapidly enrich a threat signal to enable effective initial triage
  • Consistently deliver accurate threat assessments
  • Ensure threat intelligence materializes into loss reduction

Webinar transcript:

Raquel Alleyne:
Hello and thank you for joining. Our program will begin shortly. ASIS International presents the “Four Pillars of Successful Threat Protection Programs.” I’m Raquel Alleyne, Learning Program Manager at ASIS and today’s host. We have a great program ahead. First, a few housekeeping items. ASIS International acknowledges and thanks Resolver, a global business, for sponsoring today’s webinar. Resolver is an end-to-end security platform that enhances and integrates their clients’ threat, security risk, incident management, and security operations capabilities to ensure the protection of organizations. Whether using one application or the entire suite, Resolver helps your team access better information, operate more efficiently, and reduce the frequency and severity of incidents. The platform’s advanced analytics and reporting capabilities allow you to demonstrate impact to the rest of the organization. For more information, visit www.resolver.com.

Centered on your screen are the presentation slides. To the left of the slides is the media player where you’ll see today’s presenters and their biographies directly below. Under the slides is the Q&A box. If you have a question during the presentation, type it there and, if time permits, we’ll address it during the Q&A at the end. To the right of the slides, you’ll find webinar materials and resources, including today’s presentation slides and other useful resources. Icons and images at the top and bottom of your screen provide access to additional tools and information, so feel free to click each and explore. If you experience sound or audio disruptions, refresh your browser. For additional support, click the question mark icon at the bottom of your screen. An evaluation will pop up at the end of the webinar.

Your feedback is crucial for determining future programming. This webinar is eligible for one CPE credit, which will be updated in your user profile within 48 hours after the webinar’s conclusion. Self-reporting for CPE is not required. Today’s presentation is recorded and will be available on demand within 48 hours. ASIS certificate courses can be a powerful tool to advance your career and demonstrate proficiency in core security areas. These programs help both newcomers and experienced professionals build competencies, confidence, and earn CPE credits. More information on current certificate course offerings is available in the webinar materials and resources modules.

Thank you for joining today’s webinar, “The Four Pillars of Successful Threat Protection Programs,” sponsored by Resolver. It’s my pleasure to introduce our speakers. Harrison Levy is the Director of Product Marketing at Resolver, where he has been instrumental in translating the knowledge and practices of leading security teams into products that enable organizations to develop mature, effective security programs. Artem Sherman, Product Manager at Resolver, brings an 18-year background in security, including a 12-year tenure at TJX Canada leading technology, analytics, and centralized investigations. He is now dedicated to developing investigations and threat solutions at Resolver. You can find complete bios for both speakers in the speaker biography module. Welcome, Harrison and Artem. Now, Harrison, I’ll turn things over to you.

Harrison Levy:
Thank you, Raquel, and thank you all for joining us today. We are eager to discuss “The Four Pillars of Successful Threat Protection Programs.” I’ll skip our company overview, as Raquel has already provided it, and dive into our agenda. We’ll approach this in two segments. First, we’ll explore why investing in threat protection is a prudent and cost-effective strategy for most security teams and how it can enhance organizational protection. Then, we’ll delve into how to build a successful program.

We identify four essential pillars of a successful threat program. The first is threat detection — recognizing potential threats early to allow sufficient response time. The second is triage — rapidly and accurately evaluating these signals to identify legitimate threats to your organization. The third is investigation — thoroughly examining high-priority threats to understand their potential impact. The final pillar is response and mitigation — using gathered intelligence to reduce actual risk and loss by ensuring an appropriate organizational response.

Now, let’s begin with why investing in threat protection is crucial. Duty of care is a key motivator. Many incidents are binary — they either occur, causing damage, or they are prevented. For instance, workplace violence cost U.S. businesses up to $330 billion in 2021, according to the US Department of Labor. While post-incident responses may mitigate some litigation aspects, they cannot reverse harm. The only way to truly prevent such outcomes is to preempt the threats.

In 2021, 58% of CEOs received physical threats after taking a position on a racial or political issue. That’s from our 2022 Protective Intel Report. If you think about your organization and those individuals most important to your organization’s success, to live up to our duty of care and ensure their protection, it’s critical to be forward-looking and pick up threats where possible. By doing so, we can ensure that the harm is avoided and the threat is mitigated. We believe that a successful threat program can significantly impact the incident volume experienced by your organization. This also comes from the 2022 Protective Intel Report.

Security leaders from around North America were surveyed and asked, “What percentage of the incidents that interrupted your business operations or harmed your employees could have been prevented if an integrated threat program was in place?” They identified that around 51% of those serious incidents could have been stopped. We not only have a duty of care to be forward-looking, but by setting up these threat programs, we can majorly impact the number of serious incidents our organization experiences. The third factor is today’s climate. Many might feel that things are a bit more tense now than in the past few years.

The U.S. Department of Homeland Security says, “In the coming months, we expect the threat environment to become more dynamic. Threat actors have mobilized to violence due to personal grievances, reactions to current events, or adherence to violent extremist ideologies.” Given the climate, it’s particularly relevant to consider this. Lastly, while threat programs can reduce the total number of incidents, some incidents will still occur. The other benefit of a threat program is that when incidents do occur, they can reduce the harm from those incidents, reducing the average impact. This is particularly true for incidents such as insider threats, as reported in the 2022 Ponemon Cost of Insider Threats Global Report.

Despite the effectiveness of threat programs, some incidents will inevitably occur. The value of a threat program is also in its ability to reduce harm when incidents happen, lowering the average impact. This is especially true for insider threats, as reported in the 2022 Ponemon Cost of Insider Threats Global Report. Insider threats identified within 30 days cost an average of 11.2 million, significantly less than those undetected for over 90 days, averaging 17.2 million. Threat programs help not only to prevent incidents but also to catch them earlier, limiting damage to the organization.

These points form a compelling case for why security groups should invest in threat protection, which we believe will have a net positive impact on the organization. Moving from why to invest to how to invest, the first pillar is threat detection: ensuring early detection to allow time for response. The second is triage: establishing an effective program to assess incoming information and focus on the highest priority threats. The third is investigation: developing strong investigative methods to assess threats and determine the correct response and mitigation. This final step transforms threat information into risk reduction. I’ll now pass it over to Artem, who will discuss setting up your threat detection capability.

Artem Sherman:
Thanks, Harrison. Our first pillar is threat protection setup, which includes several steps. First is doing an inventory of your assets. You’ll want to inventory your critical people, typically your executive team, brand ambassadors, and other high-profile employees with public responsibilities. Consider closely tied partners and whether any risk to them could impact your organization. Also, assess anyone within your organization at particular risk.

Next, inventory your physical locations, not just obvious places like offices and distribution centers but also partner facilities that, if disrupted, could pose a risk to your business. In addition to people and locations, inventory your intellectual property, brands, products, and online presence. Tailor this to your organization’s unique aspects, discovered through discussions with your executive team, business partners, and your knowledge of the organization.

After inventorying your assets, assess your threat landscape. Reflect on past events that caused harm or disruption and analyze the threats that could have been detected with monitoring. Benchmark against your industry segment, as threats vary by sector—retail, manufacturing, financial, etc. If you’re new to monitoring, conduct online research to identify existing threats. Finally, categorize these topics into the most relevant areas affecting your business and operations.

The typical threats include physical threats, violence, protests, business disruptions, cyber threats, doxxing, impersonations, and many more. Tailor these to your operating context. Track your known threats upfront—specific special interest groups, disgruntled ex-employees, or prior threat actors involved in incidents.

Once you’ve inventoried your assets and topics, match and refine them. Avoid the common mistake of monitoring everything, as it leads to information overload. Match brands to brand-specific threats, differing from threats to locations or individuals. For instance, a brand won’t face a physical violence threat, so don’t monitor for that; it would just add noise. Classifying your assets and matching them to threats must be precise.

Recognize that your first matching attempt will be educated but still an initial effort. As you execute your threat monitoring, you’ll need to adjust based on the information volume, responses, and events like financial results, product launches, recalls, or executive statements. This rubric must adapt to current realities and threats, an evolving process.

Setting up a program is complex, and you don’t have to do it alone. There are resources and experienced professionals available. Don’t hesitate to hire consultants to help make the process more manageable. Now, let’s discuss where these threats come from.

Harrison Levy:
Awesome. Thanks, Artem. Once you’ve identified the various people, assets, and brands to monitor and categorized the threat landscape, you’re set to consider how to effectively monitor and ensure protection. There are three general sources of threat intelligence to consider. The first is online sources, which include tools and services monitoring social media and online forums like 4chan, QAnon, and even the deep and dark web. They provide threat data relevant to the entities you’re monitoring.

A real example we encountered involved a Facebook group planning a protest at a company’s headquarters. The group had about 200 registrants, and there was specific intent to cause property damage and disrupt operations. Early detection gave the security team time to prepare and collaborate with law enforcement to manage the protest safely.

The next major source is internal systems, often underutilized for threat detection. These include access control, video analytics, and data loss prevention systems. They’re excellent for alerting to potential insider threats. For example, an alert about an employee accessing the office at unusual hours, like two or three in the morning, could indicate malicious intent. This provides an opportunity to investigate before any damage occurs.

And then there’s the third category, your human sources. These are typically utilized for incident management and are invaluable. Reports can come through a portal or hotline, anonymously or otherwise. Many organizations employ these tools for incident management, but they’re also crucial for threat prevention. A pertinent example is receiving a report through an anonymous portal about a manager threatening harm to their direct reports. It’s far more advantageous to respond to such a report proactively rather than reactively, to investigate and take necessary action before any harm occurs, potentially avoiding irreversible damage.

So, we have online monitoring, internal systems, and human sources as the main buckets for gathering intelligence. I’d now like to ask our audience: What are you currently using to collect intel from? Please select all that apply — open source intelligence, internal systems, and human reporting. Remember, select only those you’re using for threat prevention, not just all available options. We’ll give some time now for responses before we review the results.

To our audience, please take a moment to respond: Which systems do you actively collect threat intel from today? As a reminder, Resolver has provided resources you can download in the webinar materials module. We’ll allow a little more time for responses. We’re about halfway through, so make your selection now. If the poll allows only one choice, choose the most applicable one. We have about 61% of our audience responding. Harrison, I’ll pass it back to you to discuss the results.

Harrison Levy:
Thank you. Apologies, the poll was set to allow only one response, which might skew the data. We’ve got some results, though. Artem, could you share some insights on how commonly these sources are used, considering the limitation?

Artem Sherman:
Certainly. With the limitation, we have a distribution with online sources being the most popular, followed by human reporting, then internal systems. This aligns with what we know; many organizations have the data and systems capable of generating alerts but don’t integrate them into their threat monitoring. The data often goes underutilized until after an incident, especially with insider threats, when it’s discovered there were unnoticed patterns and alerts. Integrating internal systems into threat monitoring is a significant opportunity we see.

Now, let’s discuss triage. You’ve set up your program, mapped assets and threats, and chosen sources to monitor. You’ll have incoming data and threat signals, and the key is to consolidate and enrich this intel. Bring signals from various systems into one place for a complete picture. It’s crucial to consistently tag and classify data, preparing it for analysis. This requires tools to connect the dots between siloed data to understand relevance and significance quickly and consistently.

Creating a triage process involves establishing clear standards and rubrics, allowing consistent decision-making regardless of who performs the triage. Empower your team to make decisions in line with well-defined, documented standards. Automate notifications and workflows post-triage, and periodically review and adjust the process for accountability and improvement.

Training your investigators is essential for them to quickly and reliably evaluate threat signals. Train them to assess specificity, practicality, and viability of threats. This helps determine the significance of each signal.

An example to illustrate triage is comparing two tweets. The first says, “I had the worst coffee at coffee shop A, B, C. I hope they burn to the ground.” There’s a location and violent language. The second tweet states, “I got the worst service at coffee shop X, Y, Z on 123 Kennedy Road. I’m going to come back tomorrow and throw hot coffee in the manager’s face.” Both contain elements that would flag them in most threat feeds. However, the specificity, plausibility, and credibility need to be assessed.

In the second tweet, there is a specific person, location, time, and method of action mentioned, making it a more credible and actionable threat. Hoping a coffee shop burns down is vague, lacks a direct method of action, and is not a practical threat. In contrast, throwing coffee is a plausible action that anyone could carry out.

Another implausible threat example is, “I’m going to nuke the White House.” Despite its apparent severity, it’s not credible. Teams should quickly identify if the threat is from a repeat offender or a known group and if there are any related open cases. Good tooling is essential for referencing prior threats and investigations.

Context is also vital. If the company is in a controversy, the volume of threats may increase, but not all will be significant. Thresholds for action might need adjustment based on the current situation.

Upon identifying a threat as significant, the next step is to investigate. The approach is similar to other security investigations, focusing on breadth and depth. Broaden the scope to understand the context and timeline, while also examining the individuals or groups involved in detail. Investigate online threats by looking at profiles and accounts over time to grasp the entirety of their activity.

You need to examine the relationships and groups that an individual may be involved with to understand the context of their threat. Assess if it’s a broader movement against the organization or a personal grievance. Then, focus on key points identified in this broad overview. For online threats, work to uncover the real person behind the profile. For an employee making a threat, review their employment history and any relevant records.

When you go deep, investigate any significant relationships or groups the individual is associated with, as well as their agendas. Collect quality evidence, keeping in mind that some investigations may lead to legal action. Document and manage evidence meticulously.

I’ll share some anonymized real-life investigation cases. In one, we received an alert from our monitoring tools about a Twitter post mentioning a location and violent language. It was triaged quickly and deemed critical due to a named target, violent intent, and immediacy. We responded rapidly: isolating the targeted employee, involving the police, and conducting a thorough investigation to understand the conflict and motives, leading to a police referral.

A slightly different example was that we received information that there was a large Facebook group that was planning to disrupt our business operations. Because this was human-submitted intelligence that came through our process, it was determined to be qualified by virtue of where it came from, and very quickly we determined that this was significant. Looking into the group, they had a very strong agenda, they had many followers, and they were planning to target multiple locations for a period of time to disrupt their operations. Through rapid investigation, we determined a rough schedule, possible locations, and the people involved in organizing this protest activity.

We then conducted a more comprehensive investigation into the group, their past history, profiled their past activity and patterns, as well as individual members. This allowed us to be proactive with the locations we believed were targets by providing information, such as BOLO reports, photos, and vehicles to look out for from the group’s organizers. Active monitoring of the group, internal communications to prepare for protest activity, and consultation with law enforcement were enabled immediately. This did not prevent all of the protests from occurring, but it enabled our business and the affected sites to feel secure, knowing they had response plans and were not caught by surprise.

Once you’ve triaged a threat and done an initial investigation, you want to conduct assessments of those threats, especially when it comes to threats of violence. There are methodologies like RAGE-V, WAVR-21, and MOSAIC, but the key is to implement a consistent and repeatable methodology that can be trained across your organization. This helps you understand the level of violent threats consistently, without bias, and more frequently. Many organizations have some violence threat expertise, but it’s limited and often only in response to significant events, not preventative. By putting in a methodology that’s easy to execute, you can regularly conduct assessments and scale that across the organization. It allows staff to understand when to escalate issues and track any escalations, as assessments are not one and done. They are continual, and as new threats occur, you reassess with the new data to have proportional responses and to understand if the situation is escalating or deescalating.

In response and mitigation, there are two components: the immediate response and long-term mitigation. When a threat is identified, and it’s determined action is necessary, the immediate response involves a series of actions you can take based on your initial investigation. Developing a playbook is ideal to reduce ambiguity and indecision at the moment, guiding your team with clear steps, like “for scenario 24, execute these actions.”

Immediate responses are reactive and aim to be quick, efficient, and impactful. This may involve short-term changes to security posture, opportunity denial by closing a site, or removing a target, as well as coordinating with law enforcement.

Long-term mitigation involves strategic controls informed by trends and patterns observed over time. This strategic analysis might include a year of data to determine where to invest, which processes to change, and how to alter training to reduce specific risks.

Good reporting is essential for both operational and strategic aspects. Operational reports cover the day-to-day volume of threats and status of ongoing investigations, including any spikes in activity that may require additional resources. Strategic reports inform long-term mitigation and demonstrate the value of your program to executives by showcasing volumes of threats investigated and response performance, highlighting any outliers or patterns to be addressed with risk mitigation controls.

I’ll hand it back to Harrison to discuss the top challenges our threat protection customers face and what our solution offers to help with these challenges.

Harrison Levy:
Thanks, Artem. As we move to conclude our presentation before the Q&A, let’s touch on the common struggles organizations face in establishing a mature threat program, and how Resolver can assist.

The first challenge is connecting siloed threat intelligence. Data often comes from various systems in different formats, making it difficult to form a clear, complete picture. For example, a disgruntled employee making threats on social media might not seem critical until you connect this with an incident report of the same individual appearing on-site. These connections are vital, but many struggle to make them.

Resolver assists by integrating threat intelligence from any source, providing a comprehensive view. Understanding threat actors is another challenge; teams need to rapidly assess and understand them, but the process can be time-consuming and prone to error.

Completing thorough investigations is essential for accurate assessments, yet teams often lack the tools for managing these investigations and ensuring the data is stored effectively for follow-up and analysis.

Finally, actual threat mitigation is crucial. Once a threat is identified and assessed, it’s imperative to act promptly and consistently to reduce loss.

Resolver promises to enable the integration of threat intelligence to build robust profiles of threat actors, supporting strong investigations that lead to the right conclusions consistently.

We provide the workflow to ensure that playbooks are followed and the correct steps are taken to mitigate threats, leading to greater impact and loss reduction. For those considering enhancing their threat program, we encourage you to look at Resolver for support. That concludes our presentation. More detail on Resolver’s threat application capabilities will be included in the deck.

While today’s focus was on threat, it’s just part of our overall offering. We cover incident management case investigations, command center and dispatch support, security risk management, and site assessments. Resolver is a comprehensive security solution designed to provide better information, improve efficiency, and ultimately result in fewer and less harmful incidents. Thank you for your time, and let’s move to the Q&A.

Raquel Alleyne:
Thank you, Harrison and Artem. We have many questions, so let’s start. First question, “Do you have baseline sets of threats you approach?”

Artem Sherman:
Yes, our applications come with a baseline set of risks and threats, which organizations can customize. We provide this starting point to tailor to specific needs.

Harrison, anything to add, or shall we continue?

Harrison Levy:
No, Artem covered it well.

Raquel Alleyne:
Next question, “How does one efficiently monitor social networking among a large number of employees?”

That’s a challenge many organizations face. There are vendors that assist with this, and we have partnerships and integrations with some of the top ones to help track relevant areas and threat actors online.

To expand, focusing on assets rather than actors can be more efficient. You can’t monitor everyone potentially threatening, but you can monitor key assets, which then leads you to the most concerning individuals. Start asset-focused to maximize your reach.

Raquel Alleyne:
Thank you. The next question is about human source reporting and establishing trust with employees to use a web reporting portal regarding colleagues’ misbehavior.

We have multiple ways of bringing in information, including a hotline for anonymous submissions. Our web portal allows for confidential submissions, protecting the identity of the person submitting while enabling them to track the status of their submission and engage with investigators. This builds trust by showing submissions are taken seriously and the submitter’s identity remains anonymous.

Raquel Alleyne:
One more question: “Does your process change when dealing with faith-based customers?”

The investigation process remains consistent, regardless of the industry. While we support various organizations, including faith-based ones, the process of adapting our platform to their standards and SOPs is part of our service, ensuring it suits their specific needs.

We appreciate all the questions, though we only addressed a fraction. We commit to follow up with answers to the rest. Thank you for the engagement.

Raquel Alleyne:
Thank you, Harrison and Artem, and thanks to Resolver for sponsoring today’s webinar. Attendees, please complete the evaluation after the webinar. Your feedback is valuable and helps ASIS plan future programs. This webinar is eligible for one CPE credit, updated in your profile within 48 hours; self-reporting is not required. Thank you for attending, and you will now be redirected to the evaluation.

This content was originally published on January 31, 2023.

Harrison Levy
Director, Product Marketing, Resolver

Artem Sherman
Product Manager, Resolver