Protecting against phishing, malware and other cyber threats is a difficult cybersecurity challenge for any organization -- but when your business has over 20,000 employees and runs a service used by almost a billion people, the challenge is even tougher.

But that's precisely the challenge that's facing LinkedIn: the world's largest professional network has over 875 million members, ranging from entry-level employees, all the way up to high-level executives, who all use it to network with colleagues and peers, discuss ideas, and find new jobs. 

Security

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next

With hundreds of millions of users, LinkedIn needs to ensure its systems are secure against a range of ever-evolving cyber threats, a task that falls to LinkedIn's Threat Detection and Incident Response team. 

Heading up the operation is Jeff Bollinger, the company's director of incident response and detection engineering, and he's under no illusions about the significance of the challenge the company faces from cyber threats. 

It's well known that highly sophisticated hacking groups have high-profile companies like LinkedIn in their sights, whether that's trying to trick users into clicking phishing links or installing malware via manipulative social-engineering attacks. 

Also: These are the cybersecurity threats of tomorrow that you should be thinking about today

"Well-funded attackers are definitely challenging because they can just keep coming -- we have to be right every single time, and they've only got to be right once," says Bollinger.  

"That's one of the challenges -- we always have to be watching. We always have to be ready -- whether it's an opportunistic attacker or if it's a dedicated, persistent attacker, we need to have our sensors and our signals collection in place to do it, no matter who it is."

Building significant, more mature cybersecurity for the business was no small task, something which Bollinger describes as "akin to shooting for the moon" -- so the program was named Moonbase.

Moonbase set out to improve threat detection and incident response, and it aimed to do so while improving quality of life for LinkedIn's security analysts and engineers with the aid of automation, reducing the need for manually examining files, and server logs.

It was with this goal in mind that, over a period of six months between March 2022 and September 2022, LinkedIn rebuilt its threat-detection and monitoring capabilities, along with its security operations centre (SOC) -- and that process started with reevaluating how potential threats are analyzed and detected in the first place 

"Every good team and program begins with a proper threat model. We have to understand what are the actual threats that are facing our company," Bollinger explains. 

That awareness begins with analyzing what data most urgently needs protecting; things like intellectual property, customer information, and information regulated by laws or standards -- then thinking about the potential risks to that data.

For LinkedIn and Bollinger, a threat is "anything that harms or interferes with the confidentiality, integrity, and availability of a system or data".

Examining patterns and data of real-world incidents provides information on what a range of cyberattacks look like, what classes as malicious activity, and what type of unusual behavior should set off alerts. But solely relying on people to do this work is a time-consuming challenge. 

By using automation as part of this analysis process, Moonbase shifted the SOC towards a new model; a software-defined and cloud-centric security operation. The goal of the software-defined SOC is that much of the initial threat detection is left to automation, which flags potential threats that investigators can examine.

Also: Cybersecurity: These are the new things to worry about in 2023

But that's not to say humans aren't involved in the detection process at all. While many cyberattacks are based around common, tried-and-tested techniques, which malicious hackers rely on throughout the attack chain, the evolving nature of cyber threats means that there's always new, unknown threats being deployed in efforts to breach the network -- and it's vital that this activity can also be detected. 

"When it comes to what we don't know, it really depends on us just looking for strange signals in our threat hunting. And that's really the way to get it -- by dedicating time to looking for unusual signals that could eventually be rolled into a permanent detection," says Bollinger. 

However, one of the challenges surrounding this effort is that cyber attackers often use legitimate tools and services to conduct malicious activity -- so, while it might be possible to detect if malware has been installed on the system, finding malicious behavior that could also realistically be legitimate user behavior is a challenge, and something LinkedIn's rebuild has been focused around. 

"Normal, legitimate administration activity often looks exactly like hacking because attackers are going for the highest level of privileges -- they want to be domain admin or they want to obtain root access, so they can have all persistence and do whatever they want to do. But normal administration activities look similar," Bollinger explains. 

However, by using the SOC to analyze unusual behavior detected by automation, it's possible to either confirm it was legitimate activity, or find potential malicious activity before it becomes a problem. 

Privacy

• How to delete yourself from internet search results and hide your identity online
• The best browsers for privacy
• Samsung's smartphone 'Repair Mode' stops technicians from viewing your photos
• Are period tracking apps safe?

The SOC also does so without requiring information security personnel to methodically oversee what each user at the company is doing, only getting hands-on with individual accounts if strange or potentially malicious behavior is detected.

And by using this strategy, it means that the threat-hunting team can use time to quickly examine more data in more detail and, if necessary, take action against real threats, rather than having to take time to to manually examine every single alert, especially when many of those alerts are false warnings.

"I think that gives us a lot more people power to work on these problems," says Bollinger. 

But threat detection is only part of the battle -- like any organization when a threat is detected, LinkedIn must be able to act against it as quickly and smoothly as possible to avoid disruption and prevent a full