With the recently reported security issues with Facebook, we have fielded several questions as to whether or not we utilize Facebook ThreatExchange for any of our threat intelligence. The short answer is no; the long answer is more complicated.
In short, in 2015, when we first started providing security-related services, one of our feeds was Facebook ThreatExchange. Upon ingesting the data, we started noting that the service was being "poisoned" with invalid data. Thousands of reports were for common services such as Bing, Amazon AWS and hosting providers (even ones that we use). We started looking into this more and more and realized that there were many individual users who were pushing bad data and that it would require constant monitoring to ensure that the feed provided clean data.
Today Jigsaw analysts look at ThreatExchange data, but we are not confident that the data is accurate (or even real). Don't get us wrong: even though we have banned Facebook at Work and similar Facebook applications, we do generally like the concept of ThreatExchange even if we don't use it. While we don't find value in the service, other users may find it helpful.
Here are some tips for using Facebook ThreatExchange:
Validate the Data
If you start taking action with the data being provided, you should correlate that data with other sources to ensure that it is accurate. If we simply took the Facebook data and used it, we would have blocked many sites present in the top 1000 Alexa website listings, which is not recommended for business use of the Internet. Many of these sites are valuable to business users, so again: do not trust the data; verify and correlate the information before you take action using the Facebook data.
You get what you pay for
When we first started accessing the data, we quickly found that common applications such as PuTTY were listed in the malicious hashes uploaded to the Facebook community. The whole goal of the ThreatExchange is for Facebook to provide a platform for distributing threat intelligence. Don't get us wrong, distribution mechanisms are great, but there are other products designed specifically for this, such as STIX/TAXII and MISP, AlienVault OTX Exchange, ThreatConnect and others. In short, if you want highly vetted information you are probably gonna have to pay for it. Just assume that the data is invalid unless the data proves itself otherwise.
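The validation advice in the two sections above, sketched as an added example (not Jigsaw's code and not part of the ThreatExchange API). The feed names, the popular-domain list, the known-good hash and the two-source threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed stand-ins: a real deployment would load a top-sites list and a
# known-good software hash set maintained by the organisation.
POPULAR_DOMAINS = {"bing.com", "amazonaws.com", "example-hosting.test"}
KNOWN_GOOD_HASHES = {"a" * 64}  # placeholder for a vetted installer's SHA-256
MIN_SOURCES = 2  # assumption: two independent feeds must agree before blocking


def normalize(kind, value):
    """Lower-case the indicator; drop a trailing dot from domain names."""
    value = value.strip().lower()
    return value.rstrip(".") if kind == "domain" else value


def is_popular(domain):
    """True if the domain or any parent domain is on the popular list."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in POPULAR_DOMAINS for i in range(len(labels)))


def vet(reports):
    """reports: iterable of (source, kind, value). Returns {(kind, value): verdict}."""
    sources = defaultdict(set)
    for source, kind, value in reports:
        sources[(kind, normalize(kind, value))].add(source)
    verdicts = {}
    for (kind, value), seen_in in sources.items():
        if kind == "domain" and is_popular(value):
            verdicts[(kind, value)] = "reject"   # likely poisoned or a false positive
        elif kind == "sha256" and value in KNOWN_GOOD_HASHES:
            verdicts[(kind, value)] = "reject"   # known-good software, however often reported
        elif len(seen_in) >= MIN_SOURCES:
            verdicts[(kind, value)] = "block"    # corroborated by independent feeds
        else:
            verdicts[(kind, value)] = "review"   # single source: analyst must confirm
    return verdicts


# Constructed sample reports (not real feed data).
SAMPLE = [
    ("feed_a", "domain", "WWW.Bing.com."),
    ("feed_a", "domain", "bad.example.invalid"),
    ("feed_b", "domain", "bad.example.invalid"),
    ("feed_a", "domain", "lonely.example.invalid"),
    ("feed_a", "sha256", "A" * 64),
    ("feed_b", "sha256", "A" * 64),
]

if __name__ == "__main__":
    for key, verdict in sorted(vet(SAMPLE).items()):
        print(verdict, *key)
```

Repeated reports from the same feed count as one source, so a single noisy contributor cannot push an indicator to "block" on its own.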
Does Jigsaw use Facebook at all?
In short we do use Facebook for advertising and communicating with our customers and the public. Our Facebook page is located here. That is about the extent of it for Jigsaw.
What effect does this have on the Security Industry as a whole?
In short we don't believe it will have any effect long term. In the near term Facebook's stock is suffering as a result of the failure of the company to secure end user data (see below).
Facebook has made some public statements today and has started damage control, has hired outside auditors to confirm that the data was in fact deleted by the application developer involved in the story, and lastly both the CEO and others at Facebook have started to respond to media inquiries concerning exactly what happened. We fully anticipate that Facebook will recover from this incident and things will blow over, but we feel that in the future Facebook will be highly restrictive on what application data will be able to leave their platform.
Where we stand at Jigsaw
In short, we don't trust Facebook. But then again, we don't really trust anybody. Until we can validate information it is just that: information, unverified and unvalidated. While we utilize Facebook data for some of our analytics, we honestly think that they have too much market share and are highly suspect in many areas of recent concern, to include the suspected Russian hacking of US elections, leak and exposure of users' data, intrusive advertising practices and the suppression of information.
The last item is of great concern as Facebook is basically a news media arm at this point because of how it displays information. There are much better platforms out there that do not filter or pick and choose what gets displayed to their end users (Twitter as an example).
So in the future we will continue to put out information through Facebook with the knowledge that it will probably not be given priority and will not even reach our end users. This action sounds a little like what China does with the Great Firewall of China and we don't want any part of it!
Want to know how Facebook treats opinion pieces... Here ya go.. Notice the Boost Unavailable... hahaha. They really don't like negative opinions of their services.
We seem to think "Fake News" is the least of their problems. Their biggest issue is censorship...