Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Redesigning Security Strategy to Protect the Navigation Layer

In a recent conversation with Fahmida Rashid, senior writer at eWeek, the concept of the Navigation Layer, and how companies can begin to secure this layer of the Web, was of particular interest. I wanted to briefly recap the highlights of that discussion, as it may be helpful for organizations looking to improve their Navigation Layer security to protect against malware and abuses of site logic.

Ultimately, we all know that having the right security strategy in place from the outset is cheaper and better: protections are in place from the get-go, and you avoid the potential losses associated with data breaches, business logic abuse and various forms of cyberattacks. However, what kinds of costs are organizations looking at if they now have to (with greater awareness) go back to their websites and applications and make sure that they are secure at the Navigation Layer, so as not to be taken advantage of by cybercriminals?

Re-doing your security from scratch is not a viable option: it requires enormous development effort and project resources, as well as the expertise to actually build systems that monitor the Navigation Layer, which is typically not readily available. Moreover, it is an ongoing challenge to keep home-grown systems up to date with the latest attack signatures and advanced analytics. Patch jobs are tough for the same reasons; depending on the site they may be more or less expensive, but finding the expertise remains a key hurdle.

Companies can’t, however, sit back and ignore the Navigation Layer threat, as that approach pretty much equates to covering your eyes and ears and pretending everything is a-OK.

As a result, more companies are turning to third-party solutions to supplement, or entirely provide, risk detection and mitigation at the Navigation Layer. A few key things for companies to consider when evaluating third-party solutions include:

· How much back-end development work is needed to get the solution deployed? Does site code need to be modified?
· Does the solution provide signature-based detection, heuristic models, or both?
· How much visibility will the solution have into the site traffic? Will it be able to see more than individual login and transaction events?
· Is it able to monitor for emerging threats, or can it only detect attacks that are already known? How quickly can it adapt to new threats?
· How well does the solution scale for larger websites?
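To make the second and third questions concrete, here is an added example (not Silver Tail Systems code, and not from the eWeek conversation) of what Navigation Layer visibility buys a defender. It groups constructed access-log lines by a session cookie, then applies one signature-style rule (a constructed known-bad user agent) and two heuristic rules that only work when the whole session is visible rather than isolated login or transaction events: a checkout step reached without the step that must precede it, and an abnormal request rate. The log format, session field, flow definition and thresholds are all assumptions for the example.

```python
"""Navigation-layer session analysis over constructed web access-log lines.

Added example, not vendor code. Requests are grouped by session cookie and
checked with a signature rule (known-bad user agent, constructed list) and
two heuristic rules that need whole-session visibility: a checkout step
reached without its required predecessor, and an abnormally high request rate.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in a Combined-Log-like format with a session
# id appended as the last field. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2012:10:00:00 +0000] "GET /cart HTTP/1.1" 200 512 "Mozilla/5.0" sess=A1
10.0.0.5 - - [26/Jan/2012:10:00:12 +0000] "GET /checkout/address HTTP/1.1" 200 512 "Mozilla/5.0" sess=A1
10.0.0.5 - - [26/Jan/2012:10:00:40 +0000] "POST /checkout/payment HTTP/1.1" 200 512 "Mozilla/5.0" sess=A1
10.0.0.5 - - [26/Jan/2012:10:01:02 +0000] "POST /checkout/confirm HTTP/1.1" 200 512 "Mozilla/5.0" sess=A1
10.0.0.9 - - [26/Jan/2012:10:05:00 +0000] "GET /cart HTTP/1.1" 200 512 "Mozilla/5.0" sess=B2
10.0.0.9 - - [26/Jan/2012:10:05:01 +0000] "POST /checkout/confirm HTTP/1.1" 200 512 "Mozilla/5.0" sess=B2
10.0.0.7 - - [26/Jan/2012:10:10:00 +0000] "GET /product/1 HTTP/1.1" 200 512 "ConstructedScraper/1.0" sess=C3
10.0.0.7 - - [26/Jan/2012:10:10:00 +0000] "GET /product/2 HTTP/1.1" 200 512 "ConstructedScraper/1.0" sess=C3
10.0.0.7 - - [26/Jan/2012:10:10:00 +0000] "GET /product/3 HTTP/1.1" 200 512 "ConstructedScraper/1.0" sess=C3
10.0.0.7 - - [26/Jan/2012:10:10:01 +0000] "GET /product/4 HTTP/1.1" 200 512 "ConstructedScraper/1.0" sess=C3
10.0.0.7 - - [26/Jan/2012:10:10:01 +0000] "GET /product/5 HTTP/1.1" 200 512 "ConstructedScraper/1.0" sess=C3
10.0.0.7 - - [26/Jan/2012:10:10:01 +0000] "GET /product/6 HTTP/1.1" 200 512 "ConstructedScraper/1.0" sess=C3
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)" sess=(?P<sess>\S+)$'
)

# Signature-style rule: user agents already known to be bad (constructed).
KNOWN_BAD_AGENTS = {"ConstructedScraper/1.0"}

# Heuristic rule 1: the assumed checkout flow, as "page -> step required before it".
REQUIRED_PREDECESSOR = {
    "/checkout/address": "/cart",
    "/checkout/payment": "/checkout/address",
    "/checkout/confirm": "/checkout/payment",
}

# Heuristic rule 2: sustained request rate above this is abnormal (assumed threshold).
MAX_REQUESTS_PER_SECOND = 2.0


def parse_sessions(log_text):
    """Return {session_id: [(timestamp, path, user_agent), ...]} in log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        sessions[m.group("sess")].append((ts, m.group("path"), m.group("ua")))
    return sessions


def analyze_session(requests):
    """Apply the signature and heuristic checks to one session; return its findings."""
    findings = []
    # Signature check: one hit per session is enough.
    for _, _, ua in requests:
        if ua in KNOWN_BAD_AGENTS:
            findings.append(("signature", "known-bad user agent: " + ua))
            break
    # Flow check: a checkout page must not appear before its required predecessor.
    seen_paths = set()
    for _, path, _ in requests:
        needed = REQUIRED_PREDECESSOR.get(path)
        if needed is not None and needed not in seen_paths:
            findings.append(("heuristic", f"{path} reached without {needed}"))
        seen_paths.add(path)
    # Velocity check over the whole session (span floored at 1 s).
    if len(requests) > 1:
        span = (requests[-1][0] - requests[0][0]).total_seconds()
        rate = len(requests) / max(span, 1.0)
        if rate > MAX_REQUESTS_PER_SECOND:
            findings.append(("heuristic", f"{rate:.1f} requests/sec"))
    return findings


def analyze_log(log_text):
    """Return {session_id: findings} for every session with at least one finding."""
    result = {}
    for sess, requests in parse_sessions(log_text).items():
        findings = analyze_session(requests)
        if findings:
            result[sess] = findings
    return result


if __name__ == "__main__":
    for sess, findings in analyze_log(SAMPLE_LOG).items():
        for kind, msg in findings:
            print(f"session {sess}: [{kind}] {msg}")
```

Session A1 walks the flow in order and produces nothing. Session B2 never touches a known-bad signature, so a purely signature-based or per-event view would pass it; only the session-level flow check notices that the confirm step was reached without payment. Session C3 trips both the signature rule and the rate heuristic, which illustrates why the two approaches complement rather than replace each other.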

Companies certainly have their work cut out for them, but an honest evaluation of build vs. buy options – once you account for development, deployment, project management, product management, statisticians/scientists, fraud analysis, hardware, and the resource bandwidth made unavailable for other projects – will almost always show that purchasing a proven solution is the more cost-effective option.

January 26, 2012 | Detection, Fraud, information security, Prevention
