Reputational Risk Mitigation

All companies want to protect their reputation as any mishandling of it, either self-inflicted or via outside forces, can have a devastating impact. Mitigating reputational issues involves mitigating the risk that leads to them. Since this is a blog on a Splunk website, we’ll talk about it in terms of text based data and mostly from a security point of view. I understand that there are operational risks, investment risks, and so forth that contribute to reputational risks, especially in the financial services industry, but that can be followed up in a future discussion.

Things to Mitigate

Let’s outline four functional areas that can protect a company and, for each area, discuss what may be needed. Although my examples may mention the financial services industry, please keep in mind that the topic is cross-industry.


Prevention of external fraud through detection and mitigation is a key component of protecting a reputation. After all, doing business with a company that has a high effective fraud rate is sure to lead to a high reputational risk. One timely approach is to collect time series text data (logs, API results, streaming data) from all interactions and analyze the results with Splunk Processing Language (SPL) rules with thresholds to indicate a possible issue. To take it one step further, associate risk scores with the rules; if an aggregate set of risk scores goes over a threshold, there is confidence that fraud is being committed, leading to further actions. Here’s an example:


The entire approach is documented step by step in my .conf22 Detecting Modern Financial Crime blog article.

One of the best approaches to avoid fraud committed from the outside world is to identify account takeover and new account abuse scenarios, which leads to a proactive response. That alone goes a long way to protect reputations and save money. Fortunately, Splunk has a free-to-download App for Fraud Analytics for these two use cases that works with Splunk Enterprise Security.

As you can see, detecting fraud early is one step to lowering reputational risk.


Having information security as part of the Security Operations Center (SOC) is a fundamental offering in most companies. At the heart of the SOC’s toolset is its modern Security Information and Event Manager (SIEM). A modern SIEM will be scalable, high in performance, and serve the needs of an entire SOC that may comprise hundreds of people. It will have features for easy ingestion of any format of time series data, integrations with multiple threat intel sources, out-of-the-box and customizable dashboards, regular notable event content updates, integrations with other security providers, asset and identity management, case-driven workflows, user-defined storage to detect active persistent threats, and multiple ways to alert, including the use of SOAR products to run automated playbooks for incident response.

Fortunately, Splunk delivers Splunk Enterprise Security to meet these needs. Splunk ES also provides a Risk Based Alerting (RBA) framework to bubble up critical security threats and lower false positives by aggregating risk scores of notable events into a risk index such that exceeding a risk threshold leads to an alert. A flexible architecture and multiple subcomponents are the hallmarks for the modern SIEM as shown below.


What does this have to do with mitigating reputational risk? Everything. Protecting the assets of a company against network security threats is another step in mitigating reputational risk. By implementing a proper security solution that takes advantage of many facets of managing threatening events, security breaches can be minimized and threats can be identified before they become a bigger issue than they already are. To summarize this section, it is not just having a SIEM product in place, but having one that is scalable and taking full advantage of all its features, that leads to increased security.
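The aggregation idea used in both the fraud passage and the Risk Based Alerting description above, as an added example that is not from the original article or from any Splunk product: each rule has its own threshold and a risk score, and an alert is raised only when the scores accumulated for one account inside a time window cross an overall threshold. The rule names, scores, thresholds, field names and events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical rules: (name, event type, field, per-event threshold, risk score)
RULES = [
    ("many_failed_logins", "login_failed", "count", 5, 25),
    ("address_changed", "profile_change", "count", 1, 20),
    ("new_payee_added", "payee_added", "count", 1, 20),
    ("large_transfer", "transfer", "amount", 10_000, 40),
]
RISK_THRESHOLD = 80           # assumed aggregate score that raises an alert
WINDOW = timedelta(hours=24)  # assumed aggregation window

def rule_hits(events):
    """Yield (time, account, rule, score) for every event that trips a rule."""
    for ev in events:
        for name, etype, field, threshold, score in RULES:
            if ev["type"] == etype and ev.get(field, 0) >= threshold:
                yield ev["time"], ev["account"], name, score

def risk_alerts(events, now):
    """Aggregate rule scores per account inside WINDOW; return accounts over threshold."""
    fired = defaultdict(dict)  # account -> {rule: score}
    for when, account, rule, score in rule_hits(events):
        if timedelta(0) <= now - when <= WINDOW:
            # Design choice: a rule counts once per account, so a single
            # noisy rule cannot reach the threshold by repetition alone.
            fired[account][rule] = score
    return {acct: (sum(r.values()), sorted(r))
            for acct, r in fired.items() if sum(r.values()) >= RISK_THRESHOLD}

def make_event(now, minutes_ago, account, etype, **fields):
    return {"time": now - timedelta(minutes=minutes_ago), "account": account,
            "type": etype, **fields}

NOW = datetime(2023, 1, 10, 12, 0)
EVENTS = [  # constructed sample events, not real data
    make_event(NOW, 120, "acct-1001", "login_failed", count=7),
    make_event(NOW, 60, "acct-1001", "profile_change", count=1),
    make_event(NOW, 50, "acct-1001", "payee_added", count=1),
    make_event(NOW, 40, "acct-1001", "transfer", amount=15_000),
    make_event(NOW, 180, "acct-2002", "transfer", amount=12_000),
    make_event(NOW, 1800, "acct-3003", "login_failed", count=9),  # outside window
    make_event(NOW, 60, "acct-3003", "transfer", amount=20_000),
    make_event(NOW, 55, "acct-3003", "transfer", amount=30_000),  # same rule again
]

if __name__ == "__main__":
    print(risk_alerts(EVENTS, NOW))
```

Only acct-1001 alerts: four different low-confidence signals add up, while a single large transfer (acct-2002) or a repeated one (acct-3003) stays below the threshold, which is how the aggregation lowers false positives.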

Insider Threats

So far, we have tried to mitigate reputational risks by detecting fraud and protecting the security of the enterprise from outside threats. All that may come to a halt if the company has bad actors that may have more keys to the kingdom than outsiders. An example of this would be downloading internal information in large quantities at odd hours, laterally moving it to machines that have connections to outside vaults using sneakernet, and then at a later date downloading it to a private laptop from the outside vaults. This may sound like something that people did twenty years ago, but it still goes on today. Allowing leaks of information from your company or insider fraud actions will not help mitigate reputational risks.

Some of the same techniques we described in the Fraud and InfoSec section can be applied here to detect bad actors and their actions before they become an active threat, but there may be better ways. What if the behavior of insiders (employees and contractors) can be baselined and then compared with what can be seen as a threat via unsupervised machine learning techniques? The detection can be automated and the risk rules can be supplanted with machine learning to reduce false positives at the individual level. Today, we call this User Behavior Analytics (UBA).

Splunk has a UBA product that does exactly what was described. It integrates with Splunk ES to provide comprehensive views for the SOC to monitor both insider and outsider threats, and it provides inputs to SOAR products for playbook execution to automate mitigation. By detecting insider threats, we are adding another step to minimize reputational risk.
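To make the baselining idea concrete, here is an added example (not from the original article, and not how Splunk UBA is implemented): each user's daily download volume is compared with that user's own history using a median/MAD modified z-score, a simple unlabeled statistical stand-in for the machine learning models mentioned above. The user names, volumes, minimum history length and cut-off are assumptions constructed for illustration.

```python
from statistics import median

MIN_HISTORY = 7      # assumed: days of history needed before a user is scored
Z_THRESHOLD = 3.5    # assumed cut-off for the modified z-score

def robust_z(value, history):
    """Modified z-score of value against the user's own history (median/MAD)."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Flat history: any increase is a deviation; avoid dividing by zero.
        return float("inf") if value > med else 0.0
    return 0.6745 * (value - med) / mad

def anomalous_users(history, today):
    """history: user -> list of daily MB downloaded; today: user -> MB today."""
    flagged = {}
    for user, mb in today.items():
        past = history.get(user, [])
        if len(past) < MIN_HISTORY:
            continue  # no baseline yet, so this user is not scored
        z = robust_z(mb, past)
        if z > Z_THRESHOLD:
            flagged[user] = round(z, 1)
    return flagged

# Constructed sample data (MB downloaded per day), not real measurements.
HISTORY = {
    "analyst1": [120, 135, 110, 140, 125, 130, 118, 122],
    "dba1": [900, 950, 870, 1020, 910, 980, 940, 960],
    "contractor7": [40, 55],                 # too little history to baseline
    "svc-backup": [10, 10, 10, 10, 10, 10, 10],
}
TODAY = {"analyst1": 2400, "dba1": 1010, "contractor7": 5000, "svc-backup": 10}

if __name__ == "__main__":
    print(anomalous_users(HISTORY, TODAY))
```

dba1 moves far more data than analyst1 in absolute terms but is within its own normal range, so only analyst1 is flagged; contractor7 shows the gap a per-user baseline leaves for new accounts, which need a separate rule until history accumulates.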


Social Media

The first three steps all concerned security risks where bad actors would do harm to a company via various types of fraud and breaches. Another type of risk comes from social media, as anyone can say anything about any company. If it is not being monitored, the allegations may go unnoticed and, more importantly, if they are false, they would not be addressed in a timely manner. Much of what gets posted on social media is time series text-based data in unstructured form. Ingesting this data for analytical purposes is a strength of Splunk products. One could easily set up a stream to ingest data from, say, Twitter, Facebook, or Instagram, and then use Splunk to search for keywords or tags to analyze further actions. That’s a basic capability that has been around for over a decade.

In today’s automated world, detecting human responses on social media is less of a problem than dealing with bots that will continuously spread misinformation, leading to reputation loss. To spot this spreading of fake news from bots, there is a machine learning technique that can help classify a bot so it can be reported and dealt with in a suitable manner. You can get the complete step-by-step procedure on how to do this in Splunk by downloading the free ebook, Bringing the Future Forward, and reading the short chapter, Real-Time Social Media Bot Moderation Solutions.


I realize the description above may be a little too technical, but the purpose is to show that it is real and doable. What makes this approach different is that it provides confidence that you are dealing with a bot rather than a human, knowing that it is intentionally spreading misinformation to harm a reputation or spread a lie.

What about sentiments on social media? If a group of people express a lousy sentiment for your company or product, the reputation suffers. This should be detected as it happens. One technique is to ingest the time series data into Splunk Enterprise/Cloud and then compare each event with keywords that are scored for good and bad sentiments via lookups. If the total aggregate score is leaning toward a bad sentiment, an alert can be triggered to then act accordingly. If you prefer to see how this was done in the past in a more organized manner, you can download an old app from Splunkbase called Sentiment Analysis that shows the techniques for doing this within Splunk.
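The keyword-lookup technique just described, as an added example that is not from the original article or from the Sentiment Analysis app: each post is scored against a keyword lookup, scores are aggregated per hourly window, and a window alerts when its mean score leans negative. The lookup contents, thresholds, the name ExampleBank and the posts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed keyword lookup (assumption): word -> sentiment score.
LOOKUP = {"great": 2, "love": 2, "reliable": 1, "slow": -1,
          "outage": -2, "scam": -3, "terrible": -2, "refund": -1}
ALERT_MEAN = -1.0   # assumed: mean score per post at or below this alerts
MIN_POSTS = 3       # assumed: ignore windows with too few scored posts

def score_post(text):
    """Sum lookup scores of the words in one post; None if no keyword matched."""
    words = re.findall(r"[a-z']+", text.lower())
    matched = [LOOKUP[w] for w in words if w in LOOKUP]
    return sum(matched) if matched else None

def negative_windows(posts, bucket_minutes=60):
    """posts: (epoch_seconds, text). Returns {window_start: mean} for bad windows."""
    buckets = defaultdict(list)
    for ts, text in posts:
        score = score_post(text)
        if score is not None:  # posts with no keyword do not dilute the mean
            buckets[ts - ts % (bucket_minutes * 60)].append(score)
    alerts = {}
    for start, scores in sorted(buckets.items()):
        mean = sum(scores) / len(scores)
        if len(scores) >= MIN_POSTS and mean <= ALERT_MEAN:
            alerts[start] = mean
    return alerts

POSTS = [  # constructed sample posts, timestamps in seconds from an arbitrary origin
    (0, "Love the new ExampleBank app, great work"),
    (600, "ExampleBank transfer was slow today"),
    (1200, "Reliable as always"),
    (3600, "ExampleBank outage again, terrible"),
    (4000, "Is ExampleBank a scam? I want a refund"),
    (4500, "Outage for two hours"),
    (5000, "Anyone watching the game tonight?"),
    (7200, "ExampleBank is a scam"),
    (7300, "terrible"),
]

if __name__ == "__main__":
    print(negative_windows(POSTS))
```

Only the second hour alerts; the third hour is just as negative but has two scored posts, so the minimum-volume check keeps one or two angry posts from paging anyone.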


Because natural language processing has taken off, we realize that not all sentiment is in text and some of it is expressed in voice via podcasts. I found an app on Splunkbase called NLP text analytics to solve the spoken word part of the problem for sentiment analysis.

The final topic of discussion is monitoring news, feeds, and distribution channels for mentions of your company, stakeholders, and products to act upon stories that would affect reputation. In the old days, we could take RSS feeds from various channels and put them into Splunk to then do further analysis. One of my first Splunkbase Add-Ons was for capturing RSS Feeds. This approach still works today, but it should be noted that many information sources have moved beyond RSS and often use streaming or REST-based APIs, often as a paid service, to capture their feeds. Nonetheless, this information is still unstructured or structured time series data that can be put into Splunk products using the same techniques outlined above for bot detection, misinformation analysis, and sentiment analysis.

We cannot prevent unforced errors that may affect reputation, but detecting the spread of information and reacting appropriately in a timely manner can be done to minimize reputational risks.


Mitigating reputational risks by having the tools and processes in place is a worthwhile endeavor for any organization. I have outlined several areas that include fraud detection, information security, insider threat detection, and social media analysis as places to start to reach this goal. This list is not exhaustive as the channels that create risks to reputation continue to grow, but this is one solid way to encompass this goal. As a bonus, continuous monitoring of different channels of information provides input to the Know Your Customer (KYC) use case that is prevalent in many countries. As always, it takes people, processes and technology to make any of this happen. By seriously looking into many facets of monitoring reputational risks, you’ll be on your way. This blog article is just an introduction to the topic as I’m sure the next steps would be to assign risk scores to each functional domain, find out what it means to have less risk, and to monitor reputational sentiments for upward and downward trends. We are getting there with our first steps.

Happy Splunking!

Posted by Nimish Doshi

Nimish is Director, Technical Advisory for Industry Solutions providing strategic, prescriptive, and technical perspectives to Splunk's largest customers, particularly in the Financial Services Industry. He has been an active author of Splunk blog entries and Splunkbase apps for a number of years.