The Cyber5 Podcast

EP74: Evolving the Physical Security and the GSOC with Open Source Intelligence Collection and Analysis

Episode 74 | June 8, 2022

In episode 74 of The Cyber5, we are joined by Robert Gummer, the Director of the Global Security Operations Center (GSOC) for the National Football League (NFL).

First, we talk about how to expand the mission of a global security operations center (GSOC) using open source intelligence. We talk about the role of vendors in the GSOC ecosystem and how open source intelligence can be aggregated in the case management systems across all facets of a GSOC fusion center. We also talk about how to educate business stakeholders to make them valuable intelligence consumers. We further discuss how a GSOC can model collection and analysis around successful outcomes for the business, both as a risk management function and as a business enabler.


Here are the 5 Topics We Cover in This Episode:


1) APIs are at the Forefront of Digital Transformation and Must be Protected:

A GSOC is a fusion center – the blend of physical security, cyber security, emergency preparedness, business continuity, and global investigations around any and all threats to an enterprise.

Most physical security threats have a cyber or digital nexus. Active shooters, someone flying a drone over a location, and ransomware threats that shut down business continuity all pose equal threats to the business and need to be dealt with in a collaborative environment.


2) Key for Open Source Intelligence to Solve Business Problems: Eliminating Coverage Gaps is an 18-Month Process:

There are two main categories of datasets to map: traditional open-source intelligence and non-traditional open-source intelligence. Traditional open-source intelligence datasets encompass the qualitative and quantitative collection and analysis of public, non-classified sources that deliver context, such as archives, business records, dating sites, and the dark web.

Non-traditional open-source intelligence datasets include the human, signals, and imagery intelligence equivalents in OSINT – based on anything from threat actor engagement on social media to external telemetry (netflow, passive DNS, cookies) to social media photos used to pinpoint locations.

Dialing in the threat intelligence landscape and reviewing vendors to determine who has the better social media and data coverage is a lengthy process, sometimes taking 18 months to get right.


3) Aggregation of Intelligence is Still a Maturing Process for Many Physical Security Teams:

While mature physical security teams have an incident system that sends notifications for action, there still is not a single source of truth that aggregates everything together.

Finding vendors that want to integrate with other vendor platforms is still a challenge. Vendors should not look to displace other vendors; rather, they should try to integrate with systems like a Virtual Contact Center (VCC) platform.


4) Vendor Relationships are Partnerships and Real Intelligence Providers; GSOC Focuses on Educating Stakeholders to Drive Feedback and Integration with Business Requirements:

There is no turnkey solution for triaging alerts in a GSOC, and business stakeholders do not understand the GSOC and open source intelligence space. It takes months of triaging alerts and molding filters to get the right information that boils down to real threats.

Vendor relationships should be leveraged as partnerships to help triage the right alerts, give actionable intelligence, and integrate with existing enterprise systems.

Then, GSOC stakeholders can spend more of their time educating the business stakeholders to become more valuable intelligence consumers, whose feedback gives enterprises a competitive advantage with regard to risk.


5) Top 10 Use Cases for OSINT; Review of Tangible Examples: