How to choose a digital footprint monitoring solution
An organization’s digital footprint includes any publicly available information about them, whether it’s credentials, exposed services, intellectual property, or any other kind of data. Although monitoring your digital footprint is key to understanding what malicious actors see when they plan a targeted or untargeted attack, choosing a solution to do so can be a challenge.
The steps below outline how to make this process efficient and successful.
1 – Identify gaps
The first step in choosing the right solution is identifying where the gaps lie with the current tools and processes that are already in place.
Case 1: You have no external visibility
Simply put, if there are no resources (tools, professional services, cybersecurity analysts) allocated to looking outside your known infrastructure and perimeter, any solution outlined here will help your organization progress in the right direction.
If you have a very small cybersecurity budget, and no one dedicated to cybersecurity, managed offerings should be seriously considered instead of operating a platform yourself. This will help you access the advantages of digital footprint monitoring without limiting your ability to allocate resources to other fundamental security challenges.
If you have between 1 and 10 people allocated to cybersecurity, a number of options are available depending on the factors outlined below.
Case 2: You do external assessments from time to time
If you do external assessments with a service provider annually, bi-annually or quarterly, the gap lies in the time between the assessments, when an issue can arise and be leveraged by a malicious actor. In this case, the priority should be to move to continuous monitoring capabilities to reduce risk in real time instead of waiting for a certain date in the year.
Case 3: You have certain continuous external monitoring capabilities
If you have cyber threat intelligence (CTI), digital risk protection (DRP) or external attack surface monitoring (EASM) solutions, this step should serve to identify if there are any areas of risk that are not covered by the existing solutions. For example, a threat intel solution will typically not monitor for accidental data leaks by employees and will focus instead on the threat landscape and the threat actors. The coverage section below describes the areas to keep in mind in that regard.
Case 4: You have very strong external coverage
If you have a set of CTI, DRP and EASM solutions in place, chances are that your organization is highly mature in cybersecurity, but also has critical assets to protect that make you an attractive target for malicious actors. In this case, the challenge lies in identifying very precise areas of risk that may be slipping between the capabilities of the various tools and platforms in place. Running trials or proof-of-concepts of other platforms can help uncover what new innovative solutions can identify when they take a different approach to external threat monitoring.
2 – Identify areas of risk
Whatever the cybersecurity maturity of your organization, there are areas that can pose more risk due to the nature of your business. For example, a software development company may have more exposure to the risk of source code and intellectual property leaks than a bank, which will have a higher risk of customer accounts being taken over through phishing attacks.
The best way to identify areas of risk is applying some or all components of a risk framework. A service firm can also help with this process if the expertise is not available in-house.
3 – Explore internal development options
In certain cases, it may be efficient to build a solution in-house. This applies especially if the use-case is highly unique and where no solutions on the market are available to reliably reduce the risk. This comes with a number of challenges to keep in mind:
- Resources are needed to build, optimize and maintain these tools: These projects can have a long tail where employees have to keep allocating time and cannot focus on their core work. For example, an organization might choose to build a small tool to monitor a dangerous dark web market, but will underestimate the time and costs needed to keep it running and update it as the market changes and evolves.
- Coverage is limited to the tool’s capabilities: As the digital threat landscape evolves, organizations must follow trends and keep an eye on new and growing risks.
- Expertise is often tied to 1 or 2 employees: In the current hiring landscape, employees can easily find alternate workplaces. Having processes and knowledge that depend on key individuals poses a risk of these capabilities completely disappearing with just a few weeks’ notice.
4 – Compare internal vs managed offerings
Two options are available to operationalize digital footprint capabilities: internal use of a solution and outsourcing to a managed service provider (MSP or MSSP).
Similar to other security solutions, there are advantages and disadvantages for both.
Internal solutions generally come at a lower initial cost, but require resources to operate. They will provide more control and flexibility and have the potential of delivering more value by being better optimized for your business. Having fewer service providers also reduces the risk of third-party data breaches impacting your organization.
On the other hand, managed service providers generally have the right expertise to operate the platform and can provide additional services in case of an incident. The subscription cost may be higher, although it can be combined with other services to, in the end, provide a positive ROI for the business.
5 – Evaluate solutions
There are a number of key criteria to keep in mind when evaluating a digital footprint monitoring solution.
Each solution has different capabilities in terms of coverage, both in depth and in breadth. The right solution for your organization will map to the risks identified in the earlier step. For example, an organization at higher risk of source code leaks will prefer a solution with strong coverage of sources such as GitHub. A financial institution looking to prevent account takeover will make sure the solution has strong capabilities for identifying leaked customer credentials.
Coverage is hard to evaluate – numbers and statistics on websites or shared by salespeople may or may not be accurate and relevant for your business. The best way to validate coverage is by doing a trial or proof-of-concept and comparing the data between the platforms. The section below gives more insights on the benefits of trials and proof-of-concepts.
Large coverage (many sources or websites) may not equal quality coverage. Coverage depth is also critical: the number of pages collected per source, the structuring of the data, the mapping to actual risks, etc.
Finally, look at the transparency of the vendor: some solutions are transparent with their coverage, and help you understand what you know and what you don’t know. Others are opaque and cannot help you confirm that all angles are covered.
Features and functionalities
Various platforms have different features. The technical team that will operate the platform should ensure that it matches their expectations. Key features to look for include:
- Tagging and filtering events
- Case management
Integrations with SIEM, SOAR and ticketing systems are also key to streamlining and optimizing the handling of threats and issues found. Making sure the solution is compatible with your existing stack will help reduce the overhead of operating the platform.
Context and Prioritization
All Digital Footprint Monitoring solutions find threats and issues and send out alerts in one way or another. A key differentiating factor is the context that is added around the events, and the capability of the platform to reduce the noise and help your team focus on important issues. When trying out the platform, you will generally be able to see if the context is sufficient for your team to take action, or if significant work is required to investigate and process each alert.
Costs for digital footprint monitoring solutions vary greatly. The more affordable options are generally offered by MSPs or MSSPs: these can go as low as $500 per month for a single domain name and limited use cases, which can be sufficient for a small business with 1-50 employees. For SMBs between 50 and 1000 employees with an average digital presence, the cost can vary between $1000 and $3000 per month. For organizations with 1 000 – 10 000 employees, vendors would typically provide the solution for $2000 – $5000 per month. Finally, an organization with over 10 000 employees and a large digital presence would be looking at an expense of over $5000 per month, which can go significantly higher in the six digits depending on the use cases and how the solution is priced.
Ideally, the cost of a digital footprint monitoring solution should scale with the size of your digital presence. This model makes it straightforward to align the value with the business risk it reduces and the expense it involves. Certain vendors will use seat-based or module-based pricing – in these cases, make sure the value of each seat/module aligns with the risk reduction it provides.
Justifying the ROI of a digital footprint solution internally often involves using cost approximation for potential breaches and comparing it to the cost of the platform. Fortunately, in many cases, a trial of the platform will help identify threats and issues that can be presented in the business case.
Additionally, to build a stronger business case among the key stakeholders in the purchasing decision, certain solutions will provide a report of your digital footprint and provide direct visibility on areas of risk, and opportunities for improvements (risk reduction) if the platform were implemented.
6 – Run trials and proof-of-concepts
A number of elements in the evaluation require a hands-on analysis of a platform. Most solutions will provide access to the platform for a number of days to try out the features and evaluate the different criteria outlined above.
In general, this does require starting a process with sales representatives, which can help tailor the experience to your business context. In the case where a sales-rep-free process is preferred, Flare is the only solution to provide complete access to digital footprint data in a free trial directly accessible by simply creating an account.