Ultimately we all know that having the right security strategy in place from the outset is cheaper and better because it means that protections are in place from the get-go, and you avoid the potential losses associated with data breaches, business logic abuse and various forms of cyberattacks. However, what kinds of costs are organizations looking at if they have to now (with greater awareness) go back to their Websites and applications and make sure that they are secure at the Navigation Layer so as not to be taken advantage of by cybercriminals?

Re-doing your security from scratch is not a viable option as it requires enormous development efforts and project resources as well as the expertise to actually build systems to monitor the Navigation layer,which is typically not readily available. Moreover, it’s an ongoing challenge to keep home-grown systems up to date with the latest attack signatures and advanced analytics. Patch jobs are also tough for the same reasons, though depending on the site this may be more or less expensive and resourcing the expertise remains a key hurdle.

Companies can’t, however, sit back and ignore the Navigation Layer threat, as that approach pretty much equates to covering your eyes and ears and pretending everything is a-OK.

As a result, more companies are turning to third party solutions to supplement or solely provide risk detection and mitigation systems at the Navigation Layer. A few key things for companies to consider when evaluating third party solutions include:

·       How much back-end development work is needed to get the solution deployed?  Does site code need to be modified?
·       Does the solution provide signature-based detection, heuristic models, or both?
·       How much visibility will the solution have into the site traffic?  Will it be able to see more than individual login and transaction events?
·       Is it able to monitor for emerging threats or can it only detect attacks that are already known?  How quickly can it adapt to new threats?
·       How well does the solution scale for larger websites?

Companies certainly have their work cut out for them, but an accurate evaluation of build vs. buy options – once you consider development, deployment, project management, product management, statisticians/scientists, fraud analysis, hardware, and resource bandwidth made unavailable for other projects – will almost always show that purchasing a proven solution is the more cost effective option.

One of the barriers cited by the EU that prevents the proliferation of e-commerce is the limited protection available for internet users. In a Financial Times article detailing the recent Zappos.com breach, Cathy Halligan, a former chief marketing officer at Walmart.com, said that people who do not shop online cite security worries as the main reason. The interesting point that Halligan brings up is that while online shoppers are worried about security, they will ultimately buy the products if they really want them, regardless of security.

Mobile payments and e-commerce will continue to grow over time and this industry presents somewhat of a greenfield to cybercriminals, so merchants must take steps to better protect their customers’ data. This will be increasingly important as mobile payment devices become common in brick-and-mortar stores – as is the case with cosmetics company Sephora, which has deployed dozens of iPads as mobile point-of-sale devices in several of its stores and in several new stores, they are relying solely on mobile devices for their points of payment.

It is essential for merchants to monitor the Navigation Layer of websites for any malicious activity. The Navigation Layer is where customers interact with the Web, and behavioral analysis has been proven to be the most effective way to detect and mitigate abnormal activity both at the user and population level. The more we can work to protect e-commerce, mobile platforms, and third party integrated websites, the more confident consumers can be when shopping online or paying via mobile devices in-store. Customers need to have peace-of-mind when making their purchases, and it’s up to the merchants to ensure that their information is safeguarded to the absolute best of their ability.

Additionally, in 2011, an increasing number of respondents noted that they had experienced negative events. Even with improved security best practices and technology, financial organizations are still falling behind.

As it’s been historically the case, financial institutions continue to be among the top targets for cybercriminals. In a recent Wall Street Journal article, Gartner analyst Avivah Litan noted that she expects fraud detection spending and customer authentication systems to increase by as much as 12% to $1 billion across financial companies in the next two years. This will be a record.

That said, financial organizations are beginning to work together to share intelligence surrounding cybercrime in order to better identify potential attacks and negative events. Banks have often shied away from sharing internal data so as not to provide anyone with a competitive advantage – but not sharing has begun to give criminals that advantage instead. Keith Gordon, Bank of America senior vice president of security said it well, “We realized that just as the fraudsters collaborate with each other, we as an industry must collaborate.”

We expect see more banks sharing critical data to help prevent the proliferation of online fraud. Private discussions around security strategy will also likely be a part of this information exchange, which has been a rarity in times past. The common goal of preventing against cybercrime is quickly uniting the financial services industry, and we hope to see additional steps made in this direction.

As this collaboration begins to take effect in the market, Silver Tail Systems certainly expects to play a large role. We work with some of the biggest banks in the industry, and with our ability to gather web session intelligence in real-time at the Navigation Layer of the web, we can help financial institutions instantly detect and nullify malicious behavior on an even larger scale. Our ability to help share this information across our customer base would enable our banking customers to better thwart potential attacks – and this would be a true industry breakthrough.

We closed out the 2011 holiday season with Anonymous announcing its intention to steal from banks and “bring happiness and gratitude to families around the globe” with its ‘DestructiveSec’ campaign and with that, security experts predict more pain from cybercriminals for the coming year. This is only one group of threats, and many others – particularly in the mobile arena – will remain a priority for cybersecurity professionals and vendors throughout 2012.

The role that web session intelligence plays in the detection and prevention of online fraud  is increasingly important as the use of web-based applications expands and I believe this needs to be a key focus area for 2012. Visibility into the Navigation Layer is so important because it better enables organizations to determine whether or not they need to report a potential risk or attack, and ideally limits the exposure to the attack.

January will mark the launch of the National Critical Infrastructure Cybersecurity Education Initiative, which aims to develop cybersecurity education programs between the private and public sectors. With both private and public companies today undergoing a very real shift in the online security landscape, I believe it is imperative to protect the freedoms and rights of US citizens while protecting their electronic safety. We may not be able to guarantee networks are completely bullet-proof, but we can help fight cybercrime by being more proactive. It is no longer sufficient to monitor only the web pages that support online transactions. Instead, we need to monitor every click on a website to ensure the criminals aren’t finding new means for perpetrating their attacks. By detecting and stopping threats in real-time, we can minimize the impact of cybercriminals and continue to safeguard sensitive computing networks and platforms.

This crime ring was able to steal personal information and gain access to banking accounts, which then enabled money to be transferred out. One thing that allowed them to do this was the involvement of insiders who used their positions to access the personal information and sell the data to either make money themselves or enable their accomplices to do just that. The insiders were the key to the success of this cyber fraud ring, and they were able to prevent immediate detection by the banks’ anti-fraud and anti-money laundering systems.

The insider threat is definitely one to take seriously, and it is imperative that security organizations adopt a zero-trust model, even when it comes to their own teams. As many key internal assets are increasingly accessed via HTTP/HTTPS, web session intelligence is critical for spotting internal traffic that doesn’t look like legitimate usage that comes from the vast majority of typical users. In order to circumvent the security controls, a malicious insider would have to bypass security controls and processes, which web session intelligence would spot and stop before an attack has even happened.

What sort of processes and technologies do you all have in place to prevent insiders from committing fraud? How do you prevent insiders from circumventing your anti-fraud technology? There are many answers and many different approaches that organizations take, and I’d be interested to hear from you.

This is a classic Robin Hood scenario – stealing from the rich and giving to the poor – but the fact that this campaign is being called ‘DestructiveSec’ is a clear indication that this isn’t a heroic action by any means. As we’ve seen from the data breaches in 2011, it’s apparent that attacks will become more prevalent as time goes on and organizations need a better way to protect themselves and their counterparts. Various hacking groups around the world are infiltrating computer networks and web properties to expose data, which is ultimately a sign of poor security compliance. This is quite scary and even unacceptable for any institution, particularly as many attacks have not been all that sophisticated – they were easily preventable.

With hacking and malware acknowledged as the most prominent types of data security attacks, no longer are all web-based attacks targeting sign-on and transactions. Instead, we’re seeing attacks against almost every website function. The only way to stop the impact of cyber criminals is to know immediately that abnormal behavior is occurring, and web session intelligence is key to doing just that.

The actions that are carried out via the web server are defined as the Navigation Layer of a website. Visibility into the Navigation Layer enables organizations to determine whether or not they need to report a potential risk or attack, and ideally limit the exposure to the attack. As the availability of data and functionality continue to be moved to web servers (whether for traditional web browser use or mobile application use) it is critical to monitor this portion of the infrastructure to determine if events are occurring and where appropriate, alert as close to the first occurrence of the event as possible. Using the Navigation Layer to garner true web intelligence is the surest way to ensure you are monitoring and protecting this critical layer of your infrastructure.

Cybercrime is a growing problem that will continue to increase if organizations don’t begin to take necessary security precautions and this concept is a critical component to corporate security strategy.

One of the threat areas we (and Cisco) are seeing on the rise is mobile, and this will likely continue in 2012 – particularly as we see commerce and business soar across mobile platforms. According to another recent report, more than $1 million was stolen from Android users in 2011, the annual likelihood of an Android user encountering malware today has increased to 4% from 1% in early 2011, and Android users now have a 36% chance of clicking on an unsafe link – up 6% since July.

Last March we discussed security issues across the Android platform, and as it remains the most popular mobile operating system, it will likely continue to be the most heavily targeted by cybercriminals moving forward. As we know, bad actors are looking for the most return with the least effort, and the mobile platform presents them with a large opportunity as it simply widens the playing field. I know the industry is working toward better mobile security for 2012, and my hope is that the reports that come out a year from now reflect the efforts that so many of us are making.

Opening the Freedom Online conference on Thursday was U.S. Secretary of State Hillary Clinton with a direct call for companies not to sell surveillance tools to authoritarian regimes. Syrian blogger Amjad Baiazy was arrested and tortured in May for expressing his opinion online. Individuals should be able to exercise their human rights and express their opinions, and the Internet provides a channel for them to do just that. This conference helped stress the importance of this particular liberty, and the hope is that there were changes identified that could help protect Internet freedom and also encourage it amongst a larger audience.

While I don’t condone freedom of speech where a person can exploit government systems or individuals online, I classify myself as an advocate for free expression on the Internet, and Hillary Clinton also discussed the fact that The United Nations and the Organization for Economic Cooperation and Development have issued guidelines to advise companies on how to meet responsibilities and carry out due diligence. The new Global Network Initiative is a forum where companies can work through challenges with other industry partners, and academics, investors and activists, and this sort of collaboration is exactly what can be used to stop a number of bad actors on the Internet – cybercriminals being one of them.

Some observations about these predictions: First, many attacks are moving to the application layer. HTML 5 giving more functionality to hackers, DDoS moving up the stack, internal collaborations’ evil twin, and anti-social media all are examples of the application layer being used more frequently in attacks.

Second, security will trump compliance. While I’m not sure if this will come true, I am hopeful it will. As I’ve been looking at regulations from 2011 (FFIEC, SEC, etc.), I am dismayed about the checklist approach to security. I understand why these regulations are important, but it would be so much better if companies took a thoughtful, realistic approach to the systems they have in place and make sure that there is organizational integrity around the security of their infrastructure. Given the lack of resources, I struggle to see a world where this has happened, though I will always be hopeful.

We’ll publish our own predictions soon, but it’s great to see people who really think outside the box on these things.

The article talks about how the government doesn’t want to add too much burden to businesses and that is obviously critical. But, I’m thrilled by the idea that corporations and other organizations can have the opportunity to work together in a way that could benefit the entire ecosystem.

One of the biggest hurdles I see with this is that many times organizations see their data about attacks as a valuable asset. If it takes an organization fifty man hours and $200,000 in development of tools to identify a particular threat or set of data, why would they want to share that with others? Should they get paid for sharing this data? Is there some other way that these organizations could be compensated for this information?