Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Bringing Historical User Behavior into the Monitoring Mix

Today is a big day for Silver Tail Systems. It marks one of the most substantial updates to our technology yet, and we’re calling it Profile Analyzer.

As social media pushes organizations to engage their customers more quickly, consumer-facing websites and mobile applications are being built and changed faster than ever. That same agility, however, opens additional windows for cybercriminals looking to exploit new functionality to commit fraud or attacks of other kinds.

The issue is that traditional monitoring and endpoint protection tools aren’t enough, which is apparent in the number of breaches and attacks we continue to see publicized. Real-time analysis of web traffic and user behavior is key to protecting websites and maintaining user trust. With Profile Analyzer, Silver Tail Systems is introducing the first product on the market to leverage both historical user behavior and crowd behavior to establish a baseline of normal activity, per user and for the population as a whole. Our customers can now see deviations from a user’s own historical usage pattern as well as from the crowd, giving them a more accurate picture of abnormal behavior. And it all occurs in real time.

With Profile Analyzer, we are also introducing a capability called Parameter Injection. This capability uses analytics to identify users being targeted by man-in-the-browser malware that modifies legitimate website content in the browser to request sensitive information such as Social Security numbers, debit card numbers, PINs and more without the user’s knowledge. The server never rendered those fields, so their appearance in a submission is the tell. We continue to see malware evolve, and sophisticated attacks like parameter injection will gain increasing popularity over the next 12 to 24 months.
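The following is an added example of the server-side comparison described above; it is not Silver Tail’s code or the product’s analytics. The form paths, the allow-list of rendered fields, the list of sensitive-looking name fragments and the POST bodies are all constructed assumptions: a server cannot see the page the malware rewrote, but it knows which fields it rendered for each form, so any extra field in the submitted body is evidence of in-browser modification.

```python
"""Server-side detection of browser-injected form fields.

Added example; not Silver Tail code. The server compares the fields the
browser submitted against the fields it actually rendered for that form.
Form paths, field names and POST bodies below are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Assumed allow-list: for each form the server renders, the fields it rendered.
# In a real deployment this would be generated from the templates at build time.
RENDERED_FIELDS = {
    "/login": {"username", "password", "csrf_token"},
    "/transfer": {"to_account", "amount", "memo", "csrf_token"},
}

# Name fragments that injected harvesting fields tend to use (assumed list).
SENSITIVE_HINTS = ("ssn", "social", "pin", "cvv", "card", "dob", "birth", "mother")


def injected_fields(path: str, body: str) -> dict:
    """Return {field: reason} for every submitted field the server never rendered.

    reason is "sensitive-looking" when the name matches SENSITIVE_HINTS,
    otherwise "unexpected". Forms not in the allow-list are not judged.
    """
    expected = RENDERED_FIELDS.get(path)
    if expected is None:
        return {}
    submitted = set(parse_qs(body, keep_blank_values=True))
    findings = {}
    for name in sorted(submitted - expected):
        lowered = name.lower()
        sensitive = any(hint in lowered for hint in SENSITIVE_HINTS)
        findings[name] = "sensitive-looking" if sensitive else "unexpected"
    return findings


def flag_sessions(posts) -> dict:
    """posts: iterable of (session_id, path, body) for POST requests.

    Returns {session_id: [(path, field, reason), ...]} for sessions that sent
    at least one sensitive-looking injected field. A lone "unexpected" field
    (a new client feature, an A/B test) is reported only alongside one, which
    keeps the alert rate down without hiding the harvesting pattern.
    """
    per_session = defaultdict(list)
    for sid, path, body in posts:
        for field, reason in injected_fields(path, body).items():
            per_session[sid].append((path, field, reason))
    return {
        sid: hits
        for sid, hits in per_session.items()
        if any(reason == "sensitive-looking" for _, _, reason in hits)
    }


# Constructed POST log: a clean login, a login carrying injected SSN/PIN
# fields (what a malware-modified page produces), and a harmless extra field.
SAMPLE_POSTS = [
    ("s1", "/login", "username=alice&password=hunter2&csrf_token=t1"),
    ("s2", "/login", "username=bob&password=x&csrf_token=t2&ssn=123-45-6789&atm_pin=1234"),
    ("s3", "/transfer", "to_account=42&amount=10&memo=&csrf_token=t3&remember_me=1"),
]

if __name__ == "__main__":
    for sid, hits in flag_sessions(SAMPLE_POSTS).items():
        print(sid, hits)
```

The check only catches injection that adds fields; malware that instead rewrites a rendered field’s label (asking for a PIN in the “memo” box) has to be caught by the value, not the name, which is why the behavioral baseline in the rest of the product matters.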

These new capabilities will be critical in helping our customers identify and remediate criminals looking to exploit and abuse their web properties. The level of visibility that Profile Analyzer delivers is unprecedented, and so far we have received rave reviews from our customer base. Take a look at our website for more details and let us know if you have further questions!

March 14, 2012 | Detection, education, Fraud

What Will Internet Governance Look Like?

With the recent discussions around Internet governance within the US legislature and the UN, it is clear that the method of governing the Internet will soon be defined.

Given the occurrences of cyber bullying, cross border attacks against Internet properties, online fraud, and even hacktivism, I do believe that some sort of governance is necessary. We are a long way from creating that kind of governance, but the best way to make this proposed governance body successful will be to think outside the box.

To analyze where we should end up, I’ve put together a list of qualities the Internet governance body, policies, or procedures should have to be effective. Basically, I think the body, policies, procedures, etc. should have the same characteristics as the Internet.

  1. They must be agile. Policy issues associated with electronic mediums arise and change with incredible velocity and momentum. It is critical that the governance of these issues be able to adapt as quickly. Current legislative and ICANN procedures take years, far too long to be meaningful.
  2. They must be multi-national. The Internet spans all countries, cultures, and legal systems. Governing it will require a way to accommodate all of these different mores and values.
  3. They must be scalable. The Internet is growing at an immeasurable rate. Policies, procedures, etc. must be able to accommodate this growth.

Other things I’ve considered:

  1. They should be flexible. The biggest risk I’ve seen with Internet governance is that there will be unintended ramifications of various policy enactments. I look at this much like I look at my company: you have to be willing to take risks and you have to be able to quickly clean up any problems that arise from misguided decisions.
  2. They must be relevant. This sounds obvious, but giving a brick and mortar entity (a police department, for example) jurisdiction over an electronic body would not be efficient.

One question – what else should go on these lists of must haves and things to be considered?

Given the above items, what would a governance body look like? My current thought is that the Internet should be self policing. A self-policing entity would address all of my must-haves and at least the relevant component of my nice-to-haves. Can we look at the successful self-policing models (electronic and otherwise) and use these to model what a governance body for the Internet should be?

March 5, 2012 | Compliance, education, information security

Being Proactive About Data Protection

On Monday, January 30th HelpNetSecurity.com posted an interesting article–When it Comes to Customer Data Protection, Firms are Phoning it In–which highlights research by credit reporting firm Experian and the Ponemon Institute from their survey of 500 IT professionals. According to the article, among respondents whose organization had experienced a data breach, 60% said the customer data that was lost or stolen was not encrypted. I’m in 100% agreement with Ozz Fonesca of Experian Data Breach Resolution that these breaches could have been prevented.

The problem isn’t that companies don’t want to encrypt their sensitive information; the lack of knowledge on the security front lines tends to be the issue. Implementing security systems is complex, and when IT professionals aren’t working directly with a CSO or risk professional, there is significant room for error. It doesn’t surprise me that following the data breach, 61% of respondents said their organizations increased their security budget and 28% hired additional IT security staff. This is the appropriate next step, but in this situation it’s a bit too late.

As I discussed in a previous blog post–E-Commerce and Mobile Payments are Expected to Grow in 2012–mobile payments and e-commerce will continue to grow over time, and this industry presents somewhat of a greenfield to cybercriminals, so merchants must take steps to better protect their customers’ data. This will be increasingly important as mobile payment devices become common in brick-and-mortar stores, as is the case with cosmetics company Sephora, which has deployed dozens of iPads as mobile point-of-sale devices in several of its stores and, in several new stores, relies solely on mobile devices for payment.

With 73% of respondents saying their organization did not offer victims identity protection products or services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans, and alerts, I predict this will be even more of a concern as 2012 progresses. One worry I have is that people will begin to fear the internet: purchasing items off Amazon or eBay, logging into their online bank accounts, etc. At the end of the day, there are thousands of online threats lurking in cyberspace to cripple an end user. I urge organizations to take that extra step, which could be as simple as a training program, and be proactive before these data breaches become even more of an epidemic.

February 1, 2012 | education, Fraud, information security, Man-in-the-Browser, Online Fraud

2012 Security Predictions Starting to Appear – Thinking Outside the Box

Imperva recently published its predictions for security trends in 2012. I must admit that when I think about future trends, I often end up with something like “more of the same.” This set of trends is nothing like that. It really brings together a lot of what is happening or going to happen in the industry.

Some observations about these predictions: First, many attacks are moving to the application layer. HTML5 giving more functionality to hackers, DDoS moving up the stack, internal collaboration’s evil twin, and anti-social media are all examples of the application layer being used more frequently in attacks.

Second, security will trump compliance. While I’m not sure this will come true, I am hopeful it will. As I’ve been looking at regulations from 2011 (FFIEC, SEC, etc.), I am dismayed by the checklist approach to security. I understand why these regulations are important, but it would be so much better if companies took a thoughtful, realistic approach to the systems they have in place and made sure there is organizational integrity around the security of their infrastructure. Given the lack of resources, I struggle to see a world where this has happened, though I will always be hopeful.

We’ll publish our own predictions soon, but it’s great to see people who really think outside the box on these things.

December 8, 2011 | education, information security

Good Guys Collaborating as well as the Bad Guys? Congress Taking Steps

Many of you may be tired of me harping about how well the criminals coordinate with one another and how poorly we, on the other side, work together. It looks like the government may be taking a step to help organizations work more closely together to protect each other.

The article talks about how the government doesn’t want to add too much burden to businesses and that is obviously critical. But, I’m thrilled by the idea that corporations and other organizations can have the opportunity to work together in a way that could benefit the entire ecosystem.

One of the biggest hurdles I see with this is that organizations often see their data about attacks as a valuable asset. If it takes an organization fifty man-hours and $200,000 in tool development to identify a particular threat or set of data, why would they want to share that with others? Should they get paid for sharing this data? Is there some other way that these organizations could be compensated for this information?

December 6, 2011 | Detection, education, information security, Investigation

Stopping Business Logic Attacks Does Not Have to be Cumbersome

My previous blog referenced an article by Imperva about business logic attacks.  In that blog I talked about how it can be relatively simple to detect business logic attacks.

I realized that I also wanted to comment on the mitigation aspect of the article. The first assertion of the mitigation piece is that all business logic attacks are robotic. I can tell you definitively that they are not. I have seen many business logic attacks that were obviously carried out by a human using trial and error to identify ways to take advantage of the legitimate business logic of a website.

To that end, the article says that the way to stop business logic attacks is to divert the robotic behavior by challenging anything that looks like a business logic attack. While that can absolutely be a way to address the robotic attacks, it is quite expensive. It means that every time you identify a new attack against the site, the application must be changed to include a challenge when a bot is detected.

There are other ways to deter business logic attacks. The best way is to remove the incentive for the attack. For example, if someone is registering for your sweepstakes thousands of times, do some post-processing before the draw that eliminates duplicate entries from the same IP address or the same email domain, so the extra registrations never earn the attacker anything.

As you understand the reason behind the attack, you can find ways to discourage the attack by removing the goal of the attacker instead of changing the business logic.
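An added example of the draw-time post-processing suggested above, written for this page rather than taken from the post or from Silver Tail’s product. The registration flow is left untouched; the draw simply ignores the entries that only mass registration would produce. The entries, the per-IP and per-domain limits and the list of shared mail providers are constructed assumptions that a real program would tune.

```python
"""Draw-time post-processing of sweepstakes entries.

Added example, not code from the post. Instead of changing the registration
flow to challenge bots, the draw drops entries that only a mass registration
would produce, so the attacker gains nothing. Entries, limits and the
shared-mail-provider list are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    entry_id: int   # submission order
    email: str
    ip: str


MAX_PER_IP = 2          # assumed: NAT means one address is rarely one person, so not 1
MAX_PER_DOMAIN = 3      # assumed: more than this from one private domain looks farmed
SHARED_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}  # never collapsed by domain


def domain_of(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def eligible_entries(entries):
    """Return (kept, dropped) where dropped maps entry_id -> reason.

    Pass 1 removes exact duplicate emails and caps entries per IP address.
    Pass 2 collapses a private mail domain with too many surviving entries to
    its first entry, which is the "multiple email domain" case in the post.
    """
    dropped = {}
    seen_email = set()
    per_ip = Counter()
    survivors = []
    for e in entries:
        email = e.email.strip().lower()
        if email in seen_email:
            dropped[e.entry_id] = "duplicate email"
            continue
        seen_email.add(email)
        per_ip[e.ip] += 1
        if per_ip[e.ip] > MAX_PER_IP:
            dropped[e.entry_id] = "ip cap"
            continue
        survivors.append(e)

    per_domain = Counter(domain_of(e.email) for e in survivors)
    kept, seen_domain = [], set()
    for e in survivors:
        dom = domain_of(e.email)
        if dom not in SHARED_MAIL and per_domain[dom] > MAX_PER_DOMAIN:
            if dom in seen_domain:
                dropped[e.entry_id] = "bulk domain"
                continue
            seen_domain.add(dom)
        kept.append(e)
    return kept, dropped


# Constructed entries: two real users, one double entry, a five-address farm
# on its own domain, and one address submitting three entries.
SAMPLE_ENTRIES = [
    Entry(1, "alice@gmail.com", "10.0.0.1"),
    Entry(2, "bob@gmail.com", "10.0.0.2"),
    Entry(3, "Alice@gmail.com", "10.0.0.3"),
] + [
    Entry(4 + i, f"u{i}@spam-farm.example", f"203.0.113.{i}") for i in range(5)
] + [
    Entry(9 + i, f"carol{i}@example.org", "198.51.100.7") for i in range(3)
]

if __name__ == "__main__":
    kept, dropped = eligible_entries(SAMPLE_ENTRIES)
    print("eligible:", [e.entry_id for e in kept])
    print("dropped:", dropped)
```

Because the filtering happens after submission, a bot sees the same “thanks for entering” page as everyone else and has no signal to adapt to; the caps are deliberately loose so that households behind one address or colleagues on one corporate domain are not punished.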

November 21, 2011 | business logic abuse, Detection, education

Security Pros Don Vieira and Demetrios ‘Laz’ Lazarikos Discuss SEC Guidance

Earlier this week we hosted a webinar that included commentary from industry insiders Don Vieira, Partner at Wilson, Sonsini, Goodrich and Rosati, and Demetrios ‘Laz’ Lazarikos, Director of Strategy at Silver Tail. With extensive experience in security and the federal government, Don began the discussion by talking about how the SEC guidance impacts public businesses and Washington’s role. He noted that in a way this updated document could be referred to as the “Disclosure Guidance,” as it clarifies exactly what information public companies need to share with stakeholders and investors. Don went on to discuss the fact that Washington’s role is broader than regulation, and that it must identify timeframes for specific pieces of legislation to pass.

As the former head of Information Security for the Sears Online Business, Laz discussed specifics about ways companies can flag cybersecurity incidents as well as how web session intelligence can identify where malicious behavior is occurring on the website.

Overall, this latest SEC guidance has been a step in the right direction for the cybersecurity industry, as it’s all about becoming aware of and having visibility into the various types of attacks on websites. The proper monitoring tools need to be in place to ensure websites and mobile devices are protected, and these give companies several benefits:

  • Helping to identify and address malicious activity before it becomes a major issue.
  • Helping to identify areas where there are vulnerabilities so they can be corrected quickly.
  • Should a hack occur, these tools can help measure the extent of the damage.

We look forward to having you participate in our upcoming webinars!

November 16, 2011 | Detection, education

Visibility in the Navigation Layer and Web Session Intelligence Aids Compliance with SEC Guidance

I recently read the SEC guidance for reporting cyber-attack events. Interestingly enough, the guidelines are written to recommend best practices for businesses wishing to comply with the securities acts of the 1930s:

The information in this disclosure guidance is intended to assist registrants in preparing disclosure required in registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934.

I doubt the framers of these acts were foresighted enough to envision the events described in the latest guidance (malware, information theft, account hijacks, etc.); yet the principle and spirit of these acts are the foundation on which companies today must build their cyber-attack reporting. The principles of the Securities Acts of the 1930s are still relevant; the specific interpretations, however, are challenging. That said, the one thing the latest guidelines are clear about is the gathering of data for the purpose of establishing the breadth and magnitude of attacks and ultimately calculating business impact.

“Registrants may not immediately know the impact of a cyber incident and may be required to develop estimates to account for the various financial implications. Registrants should subsequently reassess the assumptions that underlie the estimates made in preparing the financial statements. A registrant must explain any risk or uncertainty of a reasonably possible change in its estimates in the near-term that would be material to the financial statements.”

Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.

Unfortunately, many registrants are ill equipped to comply with the above guidance. After working at both eBay and PayPal, I know first-hand that IT departments struggle enough simply fighting cyber-attacks, let alone summarizing and reporting them. Throw in the added request to estimate future cost, and the implied liability for missing attacks, and this is enough for many IT organizations to throw up their hands in defeat.

The reality is that organizations today need visibility into various components of their infrastructure in order to comply with this onerous task. One key dimension of this visibility is the activity on their web servers. As data and functionality continue to move to web servers (whether for traditional browser use or for mobile applications), it is critical to monitor this portion of the infrastructure to determine whether events are occurring and, where appropriate, to alert as close to the first occurrence of the event as possible.

We define the Navigation Layer as the actions that are carried out via the web server.  Visibility into the Navigation Layer will enable organizations to determine whether or not they need to report a potential risk or attack, and ideally limit the exposure to the attack.  We all know that the more we can limit an attack, the less likely we will have to report the attack – a critical component to corporate security strategy.

Watching the Navigation Layer to learn customer behaviors, monitor for attacks, and investigate incidents is the best way for both public and private organizations to adhere to the SEC guidance. Traditional means of ferreting out attacker signatures at the network layer are obsolete and, in the case of current-generation attacks, irrelevant. Using the Navigation Layer to garner true web intelligence is the surest way to ensure you are monitoring and protecting this critical layer of your infrastructure.

November 8, 2011 | education, information security

New SEC Guidance as it Relates to the Navigation Layer

The recent SEC disclosure guidance pertaining to cybersecurity includes very broad descriptions of the threats and associated impacts of cyber incidents, and for good reason.  As the cybersecurity landscape continues to evolve, criminals are finding more and more ways to steal information, commit fraud, game website logic, and impact business operations.  Central to the explosion of cybercrime in recent years is the continued evolution of rich internet applications and exposure of critical business operations to the web.  The more business operations, both internal and external facing, move to web enabled platforms, the more opportunities criminals have to find loopholes, mine for valuable data, and exploit legitimate website functionality.  The attack surface where these activities are conducted is called the Navigation Layer.

Simply put, the Navigation Layer is how users of web services access and interact with various resources and functionality of websites.  Purchasing a digital camera on an e-commerce site, balancing your checkbook using online banking, and interacting with project plans on a company intranet are all examples of the Navigation Layer.  The reason this is such an attractive target for criminals is that the functionality that enables their criminal activities, in large part, has to be made available to legitimate users.  As long as there are websites, criminals will be looking for ways to take advantage of the data and functionality made available through those sites.  Although certainly not an exhaustive list, a significant portion of online criminal activity can be seen in the categories of Business Logic Abuse, Data Scraping, and Architecture Probing.

Business Logic Abuse involves using website functionality as designed, but for malicious or exploitative purposes.  Specific exploits can range from password guessing and email farming to abuse of loyalty point programs and coordination of pump-and-dump schemes.  These types of activities rely on the fact that websites have to expose functionality to the fraudsters if it is also to be exposed to legitimate users.  If a website has a login page, there will be an opportunity to guess passwords.  If a company’s marketing department organizes a sweepstakes administered on the website, there will be chances to rig the outcome through mass registrations.  Similar dynamics rule every bit of functionality on every website across the globe.

Data Scraping is similar to Business Logic Abuse in that it typically leverages functionality built for legitimate users; however, it focuses only on the collection of data. The collected data can then be sold on the black market, used to gain a competitive market advantage, used to further additional criminal activities, or in a multitude of other ways. Pricing and availability scraping from online merchandise catalogs, collecting classified internal documents, and capturing customer data records are all examples of Data Scraping. It is important to realize that Data Scraping is conducted by both individuals and organizations, by both internal and external actors, and using both scripted/programmatic access and manual processes. If there is potentially valuable data accessible on a website, it is a target for Data Scraping.

Arguably the most dangerous of the three categories is Architecture Probing, which involves systematic communication with application or server resources with the intent to expose vulnerabilities. Vulnerabilities may be exposed through bugs in the application or server code, weak validation of user input on web forms, poor site maintenance where deprecated pages and functionality are still present on the site, or a host of other circumstances. Architecture Probing typically requires a higher skill set than Business Logic Abuse or Data Scraping; however, the impact of a successful Architecture Probing attack can be far more damaging. Depending on the vulnerability identified, the criminal may be able to access every user account in the system, extract the entire backend database, gain access to other systems not exposed to the web, or even install malicious code on the server that then infects every user who visits the website. Many of the large-scale data breaches made public over the past few years have resulted from vulnerabilities identified through Architecture Probing attacks.

The cybersecurity challenge facing businesses and organizations is that it is notoriously difficult to detect and defend against Business Logic Abuse, Data Scraping, Architecture Probing, and other types of attacks executed through the Navigation Layer. Traditional approaches that leverage strong authentication of users, transaction risk modeling, link analysis, event correlation, etc. are still critical to have in place, but they are rendered largely ineffective when confronted with “low-and-slow” processes scraping site data, or with attacks carried out by networks of hundreds of PCs infected with criminal-controlled malware. Moreover, criminals are continually changing their attack strategies and developing new methods of exploiting website functionality. Keeping detection systems up to date with the latest attack vectors is incredibly challenging.

All of this may seem overwhelming and rightfully so.  However, there are a few aspects of this type of criminal activity that begin to level the playing field.

  • First, these attacks all take place through the Navigation Layer and website owners control this layer.  Although the functionality exploited by criminals typically is required for the use of legitimate users, businesses and organizations can have visibility into every aspect of the traffic going through the Navigation Layer.  The ability to monitor this wealth of traffic is invaluable for detecting attacks coming through the website and for performing forensic investigations of past events to better inform detection and mitigation decisions in the future.
  • The other area where businesses and organizations have an advantage is that criminals, in order to execute their attacks, have to behave differently than normal users of a website.  Normal users do not try to log in using tens, hundreds, or thousands of different passwords.  Nor do they crawl entire product catalogs on e-commerce sites or submit nonsensical chunks of data to web applications in the hopes that it will break.  By leveraging full visibility into the Navigation Layer, it is possible to perform behavioral analytics on every click on the website and rapidly identify the outliers – those web sessions that are not behaving like everyone else using the website.

As web applications and web-enabled devices continue to rapidly evolve, the attacks on the Navigation Layer will continue to keep pace – using the latest functionality for something other than what it was intended for.  But, by maintaining full visibility into the Navigation Layer and performing adaptive behavioral analytics on every click occurring on the website, these evolving threats can be detected and mitigated in near real-time, thus preventing the often dramatic impacts of attacks that have gone unnoticed until the damage has already been realized.
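The following is an added example, written for this page and not Silver Tail’s product code, that puts the preceding ideas into one piece of detection logic: the three Navigation Layer categories (password guessing, catalog scraping, probing for stale resources) as session-level rules, the crowd baseline from the outlier bullet above, and the per-user historical baseline that the Profile Analyzer post at the top of this page describes. The log records and their field layout (session, user, method, path, status), the per-user history and every threshold are constructed assumptions.

```python
"""Session-level behavioral analytics over web server logs.

Added example tying together the Navigation Layer categories (password
guessing, catalog scraping, probing for stale resources), the crowd baseline
and the per-user historical baseline discussed on this page. Not Silver Tail
product code. Records, their field layout (session, user, method, path,
status), the user history and every threshold are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, median

LOGIN_FAIL_MAX = 5          # failed logins in one session before it is guessing
CATALOG_PAGES_MAX = 30      # distinct catalog pages in one session before it is scraping
NOT_FOUND_RATIO_MAX = 0.5   # share of 404s (with >= 5 requests) before it is probing
CROWD_Z_MAX = 3.0           # robust z-score against all sessions in the window
USER_RATIO_MAX = 3.0        # request count versus the user's own historical mean


def sessionize(records):
    """Aggregate (session, user, method, path, status) records into per-session features."""
    feats = defaultdict(lambda: {"user": "-", "requests": 0, "catalog_pages": set(),
                                 "login_fail": 0, "not_found": 0})
    for sid, user, method, path, status in records:
        f = feats[sid]
        f["user"] = user
        f["requests"] += 1
        if path.startswith("/catalog/"):
            f["catalog_pages"].add(path)
        if method == "POST" and path == "/login" and status == 401:
            f["login_fail"] += 1
        if status == 404:
            f["not_found"] += 1
    return feats


def classify(f):
    """Rule labels for the three categories; normal users trip none of them."""
    labels = []
    if f["login_fail"] >= LOGIN_FAIL_MAX:
        labels.append("business-logic-abuse:password-guessing")
    if len(f["catalog_pages"]) >= CATALOG_PAGES_MAX:
        labels.append("data-scraping")
    if f["requests"] >= 5 and f["not_found"] / f["requests"] >= NOT_FOUND_RATIO_MAX:
        labels.append("architecture-probing")
    return labels


def robust_z(value, population):
    """z-score using median/MAD so the outliers themselves do not inflate the baseline."""
    med = median(population)
    mad = median([abs(x - med) for x in population]) or 1.0
    return (value - med) / (1.4826 * mad)


def analyze(records, history):
    """history: {user: [request counts of past sessions]} (assumed to be kept by the platform).

    A session is flagged by a rule, by deviating from the crowd, or by
    deviating from that user's own past even when the crowd would not notice.
    """
    feats = sessionize(records)
    counts = [f["requests"] for f in feats.values()]
    report = {}
    for sid, f in feats.items():
        past = history.get(f["user"])
        ratio = f["requests"] / mean(past) if past and mean(past) > 0 else None
        z = robust_z(f["requests"], counts)
        labels = classify(f)
        report[sid] = {
            "user": f["user"], "labels": labels, "crowd_z": round(z, 2), "user_ratio": ratio,
            "flagged": bool(labels) or z > CROWD_Z_MAX
            or (ratio is not None and ratio >= USER_RATIO_MAX),
        }
    return report


def constructed_log():
    """Constructed records: a shopper, a credential guesser, a catalog scraper,
    a scanner hitting stale paths, an online-banking user, and a returning
    shopper whose session is four times her usual size."""
    rec = [("s1", "alice", "GET", "/catalog/p100", 200),
           ("s1", "alice", "GET", "/catalog/p101", 200),
           ("s1", "alice", "POST", "/cart", 200)]
    rec += [("s2", "bob", "POST", "/login", 401)] * 8
    rec += [("s3", "-", "GET", f"/catalog/p{i}", 200) for i in range(60)]
    rec += [("s4", "-", "GET", p, 404) for p in
            ("/old/admin.php", "/backup.zip", "/.git/config", "/wp-login.php", "/phpmyadmin/", "/admin/")]
    rec += [("s5", "carol", "GET", "/account", 200), ("s5", "carol", "GET", "/account/statement", 200),
            ("s5", "carol", "POST", "/transfer", 200), ("s5", "carol", "GET", "/logout", 200)]
    rec += [("s6", "alice", "GET", f"/catalog/p{200 + i}", 200) for i in range(12)]
    return rec


HISTORY = {"alice": [3, 4, 2], "bob": [5, 6], "carol": [4, 5, 3]}  # assumed past session sizes

if __name__ == "__main__":
    for sid, r in analyze(constructed_log(), HISTORY).items():
        print(sid, r)
```

Session s6 is the one the rules and the crowd both miss: twelve catalog pages is unremarkable for the population, but it is four times what this account has ever done, which is exactly the deviation a per-user history surfaces. The median/MAD scaling matters for the crowd baseline because a single 60-request scraper would otherwise drag a mean-and-standard-deviation baseline up far enough to hide itself.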

November 3, 2011 | Data Loss, Detection, education

Webinar: Web Session Intelligence: A Key Ingredient for FFIEC Compliance

As banks, brokerages and other organizations are contemplating the best way to address the upcoming FFIEC requirements, there are several things that need to be taken into account. What is really “required”?  What will be “enough”?

On October 26th, join me for a discussion about strategies for addressing the FFIEC guidance and how “Web Session Intelligence” can secure the navigation layer of your website as part of your strategy for addressing the guidance.

I’ll discuss an overall plan for addressing FFIEC, including what is likely to make your review by auditors more successful. We’ll also talk about how cyber criminals are finding new ways to attack websites – from using the registration flow to guess customer email addresses to scraping data from intranets. These attacks are not identified by a web application firewall, an intrusion detection system, or any other traditional mechanism. As you consider a defense-in-depth strategy for FFIEC compliance, protecting the navigation layer through web session intelligence should be at the top of your list.

Be sure to join me on October 26th at 10:00am PDT and register today!  http://silvertailsystems.com/offers/FFIEC/intelligence.php

October 17, 2011 | Detection, education
