Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Redesigning Security Strategy to Protect the Navigation Layer

In a recent conversation with Fahmida Rashid, senior writer at eWeek, two topics were of particular interest: the concept of the Navigation Layer and how companies can begin to secure this layer of the Web. I wanted to briefly recap the highlights of this discussion, as it may be helpful for organizations looking to improve their Navigation Layer security to protect against malware and abuses of site logic.

Ultimately we all know that having the right security strategy in place from the outset is cheaper and better: protections are in place from day one, and you avoid the potential losses associated with data breaches, business logic abuse and various forms of cyberattacks. However, what kinds of costs are organizations looking at if they now have to (with greater awareness) go back to their websites and applications and make sure that they are secure at the Navigation Layer, so as not to be taken advantage of by cybercriminals?

Redoing your security from scratch is not a viable option: it requires enormous development effort and project resources, as well as the expertise to actually build systems that monitor the Navigation Layer, which is typically not readily available. Moreover, it is an ongoing challenge to keep home-grown systems up to date with the latest attack signatures and advanced analytics. Patch jobs are tough for the same reasons; depending on the site this may be more or less expensive, but sourcing the expertise remains a key hurdle.

Companies cannot, however, sit back and ignore the Navigation Layer threat, as that approach pretty much equates to covering your eyes and ears and pretending everything is A-OK.

As a result, more companies are turning to third-party solutions to supplement, or entirely provide, risk detection and mitigation at the Navigation Layer. A few key things for companies to consider when evaluating third-party solutions include:

· How much back-end development work is needed to get the solution deployed? Does site code need to be modified?
· Does the solution provide signature-based detection, heuristic models, or both?
· How much visibility will the solution have into the site traffic? Will it be able to see more than individual login and transaction events?
· Is it able to monitor for emerging threats, or can it only detect attacks that are already known? How quickly can it adapt to new threats?
· How well does the solution scale for larger websites?

Companies certainly have their work cut out for them, but an accurate evaluation of build vs. buy options – once you account for development, deployment, project management, product management, statisticians/scientists, fraud analysis, hardware, and the resource bandwidth made unavailable for other projects – will almost always show that purchasing a proven solution is the more cost-effective option.

January 26, 2012 | Detection, Fraud, information security, Prevention

E-Commerce and Mobile Payments Expected to Grow in 2012

The European Union recently released a plan that encourages consumers to make purchases via the internet; the goal is to increase online retail sales from 3.4% to 6.8% by 2015.

One of the barriers cited by the EU that prevents the proliferation of e-commerce is the limited protection available for internet users. In a Financial Times article detailing the recent Zappos.com breach, Cathy Halligan, a former chief marketing officer at Walmart.com, said that people who do not shop online cite security worries as the main reason. The interesting point that Halligan brings up is that while online shoppers are worried about security, they will ultimately buy the products if they really want them, regardless of security.

Mobile payments and e-commerce will continue to grow over time, and this industry presents somewhat of a greenfield to cybercriminals, so merchants must take steps to better protect their customers’ data. This will be increasingly important as mobile payment devices become common in brick-and-mortar stores – as is the case with cosmetics company Sephora, which has deployed dozens of iPads as mobile point-of-sale devices in several of its stores, and which in several new stores relies solely on mobile devices for its points of payment.

It is essential for merchants to monitor the Navigation Layer of their websites for any malicious activity. The Navigation Layer is where customers interact with the Web, and behavioral analysis has been proven to be the most effective way to detect and mitigate abnormal activity at both the user and the population level. The more we can work to protect e-commerce, mobile platforms, and third-party integrated websites, the more confident consumers can be when shopping online or paying via mobile devices in-store. Customers need to have peace of mind when making their purchases, and it is up to the merchants to ensure that their information is safeguarded to the absolute best of their ability.
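As an illustration of the user-level and population-level behavioral analysis described above, here is an added Python example (not Silver Tail Systems' code). It reconstructs sessions from constructed web log lines (session id, ISO timestamp, request path; the log format and the product/cart/checkout flow are assumptions), then flags a session that reaches /checkout without ever viewing a product (a site-logic abuse signal) or whose click rate far exceeds the population median.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log lines (not real traffic): session id, timestamp, path.
LOG_LINES = """\
s1 2012-01-19T10:00:00 /product/42
s1 2012-01-19T10:00:25 /product/17
s1 2012-01-19T10:01:10 /cart/add
s1 2012-01-19T10:02:00 /checkout
s2 2012-01-19T10:05:00 /product/9
s2 2012-01-19T10:05:40 /cart/add
s2 2012-01-19T10:06:30 /checkout
s3 2012-01-19T10:07:00 /cart/add
s3 2012-01-19T10:07:01 /checkout
s3 2012-01-19T10:07:02 /checkout
s3 2012-01-19T10:07:03 /checkout
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")  # assumed log format

def parse_sessions(lines):
    """Group every click by session id, ordered by time; skip malformed lines."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            sid, ts, path = m.groups()
            sessions[sid].append((datetime.fromisoformat(ts), path))
    for hits in sessions.values():
        hits.sort()
    return sessions

def session_features(hits):
    """User-level view: how fast the session clicks and which steps it took."""
    span = (hits[-1][0] - hits[0][0]).total_seconds()
    paths = [p for _, p in hits]
    return {"hits": len(hits),
            "rate": len(hits) / max(span, 1.0),  # requests per second
            "viewed_product": any(p.startswith("/product/") for p in paths),
            "checkout": "/checkout" in paths}

def flag_sessions(sessions, rate_factor=5.0):
    """Population-level view: compare each session's rate with the median rate."""
    feats = {sid: session_features(h) for sid, h in sessions.items()}
    baseline = median(f["rate"] for f in feats.values())
    flagged = {}
    for sid, f in feats.items():
        reasons = []
        if f["checkout"] and not f["viewed_product"]:
            reasons.append("checkout without viewing any product")
        if f["rate"] > rate_factor * baseline:
            reasons.append("click rate %.2f/s exceeds %.0fx population median"
                           % (f["rate"], rate_factor))
        if reasons:
            flagged[sid] = reasons
    return flagged
```

Running `flag_sessions(parse_sessions(LOG_LINES))` flags only session s3, for both reasons; s1 and s2 follow the expected browse-then-buy path at a normal pace.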

January 19, 2012 | information security, Online Fraud

Banks Tackle Cybercrime Through Information Sharing

According to PwC’s 2012 Global State of Information Security Survey, only 80% of financial services respondents are sure that their organizations are prepared to address the threats that confront their critical information. This is a 12% increase since 2006, and more than just a bit disturbing.

Additionally, in 2011, an increasing number of respondents noted that they had experienced negative events. Even with improved security best practices and technology, financial organizations are still falling behind.

As has historically been the case, financial institutions continue to be among the top targets for cybercriminals. In a recent Wall Street Journal article, Gartner analyst Avivah Litan noted that she expects spending on fraud detection and customer authentication systems across financial companies to increase by as much as 12%, to $1 billion, in the next two years. This would be a record.

That said, financial organizations are beginning to work together to share intelligence about cybercrime in order to better identify potential attacks and negative events. Banks have often shied away from sharing internal data so as not to give anyone a competitive advantage – but not sharing has begun to give criminals that advantage instead. Keith Gordon, Bank of America senior vice president of security, said it well: “We realized that just as the fraudsters collaborate with each other, we as an industry must collaborate.”

We expect to see more banks sharing critical data to help prevent the proliferation of online fraud. Private discussions around security strategy will also likely be part of this information exchange, which has been a rarity in times past. The common goal of preventing cybercrime is quickly uniting the financial services industry, and we hope to see additional steps made in this direction.

As this collaboration begins to take effect in the market, Silver Tail Systems certainly expects to play a large role. We work with some of the biggest banks in the industry, and with our ability to gather web session intelligence in real time at the Navigation Layer of the web, we can help financial institutions instantly detect and nullify malicious behavior on an even larger scale. Our ability to share this intelligence across our customer base would enable our banking customers to better thwart potential attacks – and that would be a true industry breakthrough.

January 12, 2012 | Detection, information security

2012: A New Year – New Threats?

On behalf of Silver Tail Systems, I’d like to begin this blog post by wishing all of you a very Happy New Year. 2011 has come and gone, and with 2012 officially upon us, that can only mean one thing: new cyber threats. Of course that’s not all 2012 will bring, but it is forecasted to be a top concern for banks, federal organizations, and e-commerce sites worldwide. In fact, according to Gartner, the financial impact of cybercrime will grow 10% per year through 2016, due to the continuing discovery of new vulnerabilities.

We closed out the 2011 holiday season with Anonymous announcing its intention to steal from banks and “bring happiness and gratitude to families around the globe” with its ‘DestructiveSec’ campaign; with that, security experts predict more pain from cybercriminals in the coming year. This is only one group of threats, and many others – particularly in the mobile arena – will remain a priority for cybersecurity professionals and vendors throughout 2012.

The role that web session intelligence plays in the detection and prevention of online fraud is increasingly important as the use of web-based applications expands, and I believe this needs to be a key focus area for 2012. Visibility into the Navigation Layer is so important because it better enables organizations to determine whether or not they need to report a potential risk or attack, and ideally limits their exposure to the attack.

January will mark the launch of the National Critical Infrastructure Cybersecurity Education Initiative, which aims to develop cybersecurity education programs between the private and public sectors. With both private and public organizations today undergoing a very real shift in the online security landscape, I believe it is imperative to protect the freedoms and rights of US citizens while protecting their electronic safety. We may not be able to guarantee that networks are completely bullet-proof, but we can help fight cybercrime by being more proactive. It is no longer sufficient to monitor only the web pages that support online transactions. Instead, we need to monitor every click on a website to ensure the criminals aren’t finding new means of perpetrating their attacks. By detecting and stopping threats in real time, we can minimize the impact of cybercriminals and continue to safeguard sensitive computing networks and platforms.

January 4, 2012 | Fraud, information security, Man-in-the-Browser
