Executive Guardian

Product Description

Senior executives and/or highly sensitive access individuals (HSAs) are a valuable target for threat actors and, if left unprotected, can represent a significant vulnerability in a company's security posture. Threat actors exploit the human attack surface, including PII, financial data, or other identifiable information regarding these individuals, in order to extort or attack individuals and the companies at which they work.

RiskIQ provides automated discovery, threat attribution, and expertise in order to help organizations effectively protect their most important security assets, their HSAs. The RiskIQ Incident, Investigation, and Intelligence (i3) team, composed of former national security and intelligence officers, models both internet and physical threats with a precise focus on the enterprise's people.

Executive Guardian is priced per covered individual per year, and can be purchased at the Social, Premium, or Enterprise level: 

Executive Guardian Product Tier | Web Portal and API Access | Expert Support by RiskIQ i3 | Social Media Impersonation Monitoring | PII Monitoring | Physical Threat Monitoring | Personalized Risk and Vulnerability Reports
Social | X | X | X | | |
Premium | X | X | X | X | X |
Enterprise | X | X | X | X | X | X

Detection 

RiskIQ leverages its Internet intelligence datasets and proprietary virtual user technology to automate and streamline the detection and monitoring of threats over time. Virtual users simulate human Internet users to discover, analyze, and interact with web content. RiskIQ enriches the observations they capture, or those obtained via other data sources, with the intelligence gathered by the full RiskIQ platform in order to contextualize risks and prevent false positives.

When threats are detected according to the workspace policies, RiskIQ automatically creates alerts in the form of events within the platform and schedules virtual users to re-examine the threat resource at scheduled intervals to observe changes over time and track the entire lifecycle of a threat.

Full records of virtual user sessions, including screenshots, the captured document object model of each page, and the preserved sequence of links and redirects, are analyzed automatically to classify each threat and enrich the data with additional insights to determine the appropriate response. Raw data is stored and retained for a period of time in order to act as forensic evidence and enable historical analysis.

Social Media Impersonation

RiskIQ detects social media profiles impersonating company executives or HSA employees in major social networks (Facebook, Twitter, LinkedIn, Instagram, YouTube, Pinterest, and Google+) via a combination of integrations with social networks' public APIs and virtual user crawling that mimics the ways human users search social networks for user accounts. Recorded observations are stored and analyzed locally in order to generate events for suspicious profiles.

PII

RiskIQ virtual users covertly search for private information about high profile individuals in the same way that hackers do, but in an automated, recurring manner, and from a variety of different geographic locations to increase visibility. Searches are based on a combination of known likely sites to check (e.g. paste sites, personal data aggregation sites, social media sites) and general, source-agnostic searches via search engines. The full recorded contents of each virtual user session are analyzed to detect any personal information along with the location and context in which it was encountered. Searches are indirect in order to prevent entering any personal information into a search engine (which can inadvertently cause such data to become easier for others to find online). See the Data Security section for more details on RiskIQ's search engine use policies and protocols for transferring and storing HSAs' personal data.

Physical Threats

RiskIQ uses a combination of virtual user crawling and integrations with intelligence platforms to detect doxxing and physical threats made in social media posts and on the open internet. Our team of trained former national security and intelligence analysts monitors these events and provides mitigation/suppression services as well as investigative services and attribution for targeted HSA individuals and/or executives in order to protect them from risks and threats of both cyber and physical nature.

Data Security

All client-provided data and events detected by RiskIQ in relation to the Executive Guardian product are securely stored in a PCI-compliant environment isolated from the rest of RiskIQ's products and functions. To protect the privacy of HSAs, all initial workspace configuration and tuning changes directly handling this data are performed by authorized staff during CST business hours in a dedicated secure room.

For the purposes of PII detection, organizations may securely transfer to RiskIQ all personal data for which they want monitoring and detection coverage for their HSAs by completing an onboarding questionnaire. In the questionnaire they indicate consent for which types of data may be entered into search engines for each individual, as well as which steps RiskIQ is authorized to take on their behalf in order to remove data published on the Internet wherever it is detected.

RiskIQ supports detection for the types of data listed below. See the right-hand column for whether/how that value can be entered into a search engine under RiskIQ's policies or if it is considered too great a privacy risk to do so. Additional types of data outside of the values on this list may be requested if the client wants to add them to monitoring, but must be reviewed and approved for inclusion by RiskIQ.

Data Type | Search Engine Use Policy
Legal Name (first and last) - Principal | Only with customer’s unambiguous written consent after disclosure
Alias / Nickname / Pseudonym - Principal | Only with customer’s unambiguous written consent after disclosure
Date of Birth - Principal | Never
Current / Former Home Address(es) - Principal | City / State used only with customer’s unambiguous written consent after disclosure (other content never used)
Current / Former Phone Number(s) - Principal | Area Code used only with customer’s unambiguous written consent after disclosure (other content never used)
Job Title - Principal | Only with customer’s unambiguous written consent after disclosure
Current Employer - Principal | Only with customer’s unambiguous written consent after disclosure
Current / Former email address(es) - Principal | Never
Current / Former Social Account Usernames - Principal | Only with customer’s unambiguous written consent after disclosure
Business Interests - Principal | Only with customer’s unambiguous written consent after disclosure
Internal Job Title / ID Number - Principal | Never
VIN Number / Plate Number - Principal | Never
Legal Name (first and last) - Spouse / Partner | Only with customer’s unambiguous written consent after disclosure
Alias / Nickname / Pseudonym - Spouse / Partner | Only with customer’s unambiguous written consent after disclosure
Date of Birth - Spouse / Partner | Never
Current / Former Home Address(s) - Spouse / Partner | City / State used only with customer’s unambiguous written consent after disclosure (other content never used)
Current / Former Phone Number(s) - Spouse / Partner | Area Code used only with customer’s unambiguous written consent after disclosure (other content never used)
Job Title - Spouse / Partner | Only with customer’s unambiguous written consent after disclosure
Current Employer - Spouse / Partner | Only with customer’s unambiguous written consent after disclosure
Current / Former email address(es) - Spouse / Partner | Never
Current / Former Social Account Usernames - Spouse / Partner | Only with customer’s unambiguous written consent after disclosure
Business Interests - Spouse / Partner | Only with customer’s unambiguous written consent after disclosure
Internal Job Title / ID Number - Spouse / Partner | Never
VIN Number / Plate Number - Spouse / Partner | Never
Legal Name (first and last) - Parent / Sibling / Adult Children | Never
Alias / Nickname / Pseudonym - Parent / Sibling / Adult Children | Never
Date of Birth - Parent / Sibling / Adult Children | Never
Current / Former Home Address - Parent / Sibling / Adult Children | City / State used only with customer’s unambiguous written consent after disclosure (other content never used)
Current / Former Phone Number(s) - Parent / Sibling / Adult Children | Never
Current / Former Social Account Usernames - Parent / Sibling / Adult Children | Only with customer’s unambiguous written consent after disclosure
Business Interests - Parent / Sibling / Adult Children | Only with customer’s unambiguous written consent after disclosure
Internal Job Title / ID Number - Parent / Sibling / Adult Children | Never
VIN Number / Plate Number - Parent / Sibling / Adult Children | Never
Legal Name (first and last) - Children | Never
Alias / Nickname / Pseudo Name - Children | Never
Date of Birth - Children | Never
Current / Former Home Address(es) - Children | Never
Current School Name - Children | Never
Current School Address - Children | Never
Current / Former Phone Number(s) - Children | Never
Current / Former Social Account User Names - Children | Never
Current / Former email address(es) - Children | Never

Threat Management & Mitigation

At both the Premium and Enterprise levels, RiskIQ provides both a web interface and API access to client users and RiskIQ's team of trained former government analysts, who act as an extension of the client's security team to investigate incoming events. The web interface is designed to provide users with all the necessary details for each type of threat in a single view to facilitate fast review and investigation, as well as enable analysts to respond to the threat via built-in workflow to notify the customer security team as appropriate and/or request the removal of detected private information from sites if necessary according to the standards and protocols described in RiskIQ's Managed Intelligence Services (MIS) Agreement. 

Email alerts for new or updated events are available to configure according to the client's preferences. Alerts contain a link to log in and view the event in the RiskIQ web interface, but due to the sensitive nature of Executive Guardian data, no identifying information about the event itself or the individual it concerns is included in the email content in order to ensure that only authenticated users can ever view such data.

Events with pending enforcement actions are automatically re-monitored every 48 hours, which lets users know when threat content has been successfully taken down. Monitoring continues post-resolution and automatically reopens events should any previously removed content come back up in the future.

Reporting

For Enterprise clients, RiskIQ provides an initial Risk and Vulnerability Report, including privacy best practices for each covered individual, as well as detailed findings on their online presence upon onboarding. Monthly reports thereafter are provided detailing the number of events detected, their current statuses, and other metrics including performance metrics related to event generation, risk assessment, management, and mitigation over time. Monthly reports are provided to Premium and Social clients as well for the scope of the detection coverage included.

Additionally, RiskIQ’s web interface provides a live dashboard of events by status, geographic distribution, and trend in event generation over time. The web interface includes the ability for authorized users to export event metadata to CSV on-demand as well. 

For security reasons, reports and exports do not include the raw data values detected--only metadata about events.