Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

RSA Conference Thoughts: Part III

As we get further into the week, my attention span is waning. So, today’s blog will be a bit lighter. Here are some things I observed this year.

1. There is an energy at the conference that has been missing during the past few conferences. You can tell that security is a hot field again.

2. I am surprised by the number of people I see in suits. As usual, most of the people in the hotel lobbies are wearing suits and there are a lot fewer suits in the conference itself. I’m wearing a suit, though, so I’m contributing to the trend.

3. There seem to be more small companies this year. It’s refreshing to not have all of the booths be from the incumbents.

4. There seems to be a higher proportion of women attendees this year.

Overall, it has been a very good show. I’ll be interested to hear others’ comments about how things went this year.

March 2, 2012 | General

RSA Conference Thoughts: Part I

Yesterday kicked off another RSA Conference. I was honored to attend the eFraud Global Forum. The caliber of presenters and attendees at this event is always fantastic.

There have already been some themes I am hearing as part of this year’s conference. The obvious one is mobile threats. What has surprised me about the commentary around mobile is that people are somewhat optimistic about how we will address it. Many have commented on how mobile is different from trying to secure the browser or the operating system. When we were trying to protect browsers and operating systems, we were starting from scratch. Mobile is different. We’re starting from a great baseline, namely everything we learned with desktops and browsers, so that does provide us with an edge.

That’s not to say that mobile will be easy, however: it won’t. But it should be easier for a couple of reasons. First, many of the calls that are used by mobile apps are the same calls used by web browsers. Therefore, the security around those calls should already be quite strong. Second, even though there are several mobile platforms, they are each managed by very large corporations who already have processes in place for dealing with escalations, getting patches out quickly, etc.

There are a few other reasons mobile will be easier, but it’s time for the next event so I’ll cover those another time! More on RSA Conference soon!

February 29, 2012 | Detection

RSA Conference 2011 recap

Many of the things I noticed at RSA Conference this year were similar to what I’ve heard other people say.

1. It was busier than previous years.

2. There were a few more brands attending compared to previous years.

3. There was a bit less focus on cloud (which is a good thing).

The thing that struck me was the breadth of impacted verticals that attended this year. In the sessions I hosted and in other venues I noticed more participation from some of the non-standard types of companies. There were gaming companies, e-commerce companies, even shipping companies. As I’ve been saying for a while, the issues that RSA Conference discusses impact these types of companies as much as they do financial institutions.

A frustration I have – the conference tends to focus on outdated threats. At the eFraudNetwork someone said “I bet next year we’ll have a lot of talk about Man in the Mobile”. But MitMo is here now! The conference’s practice of carefully vetting content is a good one, but the fact that you have to apply almost a year in advance means that it can be difficult to talk about anything new.

One other comment – in past years it seemed like “fraud” was the “f-word” at RSA Conference. Starting last year, and even more so this year, there were quite a few discussions about fraud. My belief is that fraud and security are actually fighting the same fight – one from the reconnaissance level, the other from the execution side – but in the end, the people who perpetrate security attacks are often the people who are perpetrating the fraud attacks as well. It was great to see more joint conversations.

February 24, 2011 | Fraud

Silver Tail Systems Unveils the Hot Topics for RSA 2011: e-Commerce Fraud and Man in the Mobile

It’s that time of year again – everyone is gearing up for the annual RSA conference. There is a lot of discussion about what the main areas of interest will be, but I thought I’d talk a bit about what I see as the key points.

First, I think you’ll see more focus on fraud in e-commerce. I’m hosting a panel at the RSA eFraudNetwork on how fraud in e-commerce is similar to fraud in financial services. Also, my panel on Tuesday afternoon will cover how authentication is being subverted for both e-commerce and financial services.

Having just returned from the FinovateEurope Conference in London, I think the second hot topic will be Man in the Mobile attacks. Europe is already being hit by these and they are the latest threat on everyone’s radar, as evidenced in a recent report, published in PC World Magazine, on the rise of mobile gadgets and malware threats. If you get a chance, please stop by and see my presentation at the Innovation Sandbox on Monday afternoon. It should be an interesting presentation – 3 minutes followed by 2 minutes of questions. That will keep me on my toes!

Please drop me a line if you are planning to be at the conference and want to get together. See you there!

February 9, 2011 | Fraud

Business Logic Abuse – a recognized threat

The eFraudNetwork published a survey last week as part of the RSA conference. The purpose of the survey was to “…try and understand how online fraud and data breaches are impacting multiple industries and organizations.”

The survey covered many topics including data breaches, cross-industry information sharing, the Heartland breach, and spending to prevent fraud.

One of the topics near and dear to my heart was the question that asked about attack types. The answers to this question showed that malware and viruses are at the top of people’s minds – which was to be expected. What I didn’t expect, though, was the percentage of people who said that they have seen attacks against the business logic of their website.

Almost 20% of people said they had seen attacks against the business logic of their site. While this may seem like a small number to some of you, it is bigger than I was expecting. Attacks against business logic have been going on for years, but it has only been in the last year or so that the industry is recognizing them for what they are and taking notice of them.

I was thrilled to see that 20% of people understand that it is the business logic of their website that is allowing attacks. I’ll be very curious to see how this number changes when the eFN does a similar study next year, especially since it was made clear in the study that business logic attacks are one of the most dangerous attacks against a website.

Is anyone else surprised the number is so high?

April 26, 2009 | business logic abuse, Online Fraud, Uncategorized

Blogging, again, from RSA Conference 2009

At the RSA Conference 2009 – day 2.

Normally when blogging from a conference I try to be upbeat and positive on the speakers (I’m usually a glass-half-full guy), but I just can’t say I was wowed today by the keynotes. A lot about collaboration – can’t go wrong there. Definitely a couple of mentions about how attacks are now directed at the application layer – can’t agree more, this is why we have Silver Tail. However, nothing inspiring. Anyone disagree?

Spent much of the day in meetings with potential customers and partners – great feedback and a lot of excitement about what we are doing and about our announcements yesterday. Personal note: I’ve noticed an interesting trend – many of my friends from my software development days are now in the security space. Must be where all the innovation is happening!

Enjoyed Jeremiah Grossman’s session on web hacking techniques, though it was a little technical for me – but I get the picture: the list of top web hacking techniques never goes away… you don’t need to be too technical to understand that. Jeremiah filled a very large room in the last session of the day (5.40pm) – a testament to the speaker.

I did discover a new (new to me) security news site, threatpost. Good format.

The after parties were in earnest, with even bigger ones scheduled for tomorrow night. See you there…

April 22, 2009 | General

Blogging from RSA Conference 2009

We are at the RSA Conference 2009 starting today with a couple of interesting pre-conference events.

First, the eFraudNetwork meeting was held today where Laura Mather moderated a panel of fraud experts from Bank of America, Yahoo! and Medicare/Medicaid. The panel discussed ideas and best practices for protecting customers – everything from encrypting data, education and awareness, and tracking perpetrators of online crime. The panel was titled, “Protecting Customers: Case Studies from Leading Enterprises.”

The Innovation Sandbox was held, highlighting ten (out of 50+) new companies who had creative ideas in the area of security. A good mini-conference to help the new, young startups get a little more attention. A couple of interesting companies, in my opinion, include Purewire (SaaS-based protection for enterprise client machines) and Behaviosec (behavior analysis of the user and how they interact with their machine: typing, mouse movements, etc.). The most entertaining part was seeing the executives pitch their companies in 3 minutes, and the winner, AlertEnterprise, did just that – plus, they had the most visually appealing application – hard to beat 3-D images.

Lastly, the welcome reception was a good way to get started on seeing the expo floor… booth discussions are so much better done over a beer.

Looking forward to tomorrow’s keynotes and Jeremiah Grossman’s Top Ten Web Hacking Techniques of 2008 – usually some good business logic abuse in there!

April 20, 2009 | behavior analysis, business logic abuse, Online Fraud

2009 RSA Conference – eFraudNetwork

I have the privilege of attending the eFraudNetwork day as part of the 2009 RSA security conference. Prior to the conference, the eFN people had done a survey on the attacks banks and other websites are seeing. Most of the data wasn’t surprising: identity theft was a big one.

Something that was surprising, though, was that almost 20% of respondents saw attacks against application logic. When I saw that question in the survey I was worried that people wouldn’t know how to define application logic attacks. It was very interesting to learn that people are definitely seeing this type of attack.

While 20% seems small, my hypothesis is that most people are getting hit by this type of attack, but 1) many of them don’t know what they are called and 2) many of them don’t understand yet that their websites are being impacted by this type of attack.

I’ll be anxious to see the results of this study going forward to see how this number changes.

April 20, 2009 | business logic abuse
