It’s all about context

Lori McVittie of F5 had an interesting post on how the next level of web application security should look at “context”. I completely agree and enjoy seeing more people shine a light on taking web security to the next level. Context gives you the next level of information to help you make more accurate – and better informed – decisions about what is happening on your website.
What Lori said is exactly right – the key is not only understanding the current user’s session and whether that user is doing something abnormal, or even suspicious, but also understanding that user’s session in the context of all other users’ sessions. Does the current session look normal or abnormal compared to all other users of the website? This is exactly the holistic context websites need to look at.
Though I agree with most of Lori’s post, she is “almost right” about today’s technology as she writes:
The problem with technology, and web applications in general, is that you can’t see the user. Worse, you can’t even really see the entire context of his interactions with the web application because very few security implementations have the capability to evaluate user behavior (interaction with the application) as a holistic experience. Web application security solutions today simply can’t tell what’s normal behavior across the application.
Believe it or not, there are ways you can see the user. You really can get this type of holistic context today. It’s true that it takes some fairly powerful algorithms, but it is possible to get this context without a ton of compute power and in a meaningful way. That’s exactly what we’re working on at Silver Tail – bringing websites the holistic context they need to make better decisions about website events. We even go a step further – giving you the tools you need to take action against the bad events without impacting the legitimate users. It’s working today and it’s an exciting new technique in the fight against online fraud and, specifically, business logic abuse.
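To make the "session in the context of all other sessions" idea from the paragraphs above concrete, here is an added worked example. It is not Silver Tail's or F5's code; the log lines, session ids, endpoints, the three features and the 3.5 cut-off are all constructed assumptions. Each session is reduced to a few behavioural features, and each feature is then judged not against a fixed rule but against the median and median absolute deviation of every other session in the same window, so a burst of coupon attempts stands out because nobody else on the site behaves that way.

```python
"""Added example, not Silver Tail's code: score each web session against the
population of all other sessions seen in the same window.  Log lines are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: "<session_id> <timestamp> <method> <path> <status>".
# Sessions s1..s5 are ordinary shoppers; s6 is a coupon-guessing burst
# (a business-logic abuse, not a protocol-level attack).
SAMPLE_LOG = """\
s1 2009-11-03T10:00:00 GET / 200
s1 2009-11-03T10:00:40 GET /products 200
s1 2009-11-03T10:01:30 GET /products/42 200
s1 2009-11-03T10:02:10 POST /cart 200
s1 2009-11-03T10:03:00 GET /checkout 200
s2 2009-11-03T10:05:00 GET / 200
s2 2009-11-03T10:05:30 GET /login 200
s2 2009-11-03T10:05:50 POST /login 302
s2 2009-11-03T10:06:30 GET /account 200
s3 2009-11-03T10:07:00 GET /products 200
s3 2009-11-03T10:07:45 GET /products/7 200
s3 2009-11-03T10:08:20 GET /products/9 200
s3 2009-11-03T10:09:00 GET /products/7 200
s3 2009-11-03T10:09:40 POST /cart 200
s3 2009-11-03T10:10:30 GET /checkout 200
s4 2009-11-03T10:11:00 GET / 200
s4 2009-11-03T10:12:00 GET /products/42 200
s4 2009-11-03T10:13:00 POST /cart 200
s4 2009-11-03T10:14:00 GET /checkout 200
s4 2009-11-03T10:14:30 POST /checkout/apply-coupon 200
s4 2009-11-03T10:15:00 POST /checkout/pay 200
s5 2009-11-03T10:16:00 GET /login 200
s5 2009-11-03T10:16:20 POST /login 401
s5 2009-11-03T10:16:50 POST /login 302
s5 2009-11-03T10:17:30 GET /account 200
s5 2009-11-03T10:18:00 GET /account/orders 200
""".splitlines()
# s6: 25 failed coupon attempts in 48 seconds (constructed).
SAMPLE_LOG += [f"s6 2009-11-03T10:20:{2 * i:02d} POST /checkout/apply-coupon 400"
               for i in range(25)]

THRESHOLD = 3.5  # conventional cut-off for a modified z-score (assumption)


def parse(lines):
    """Group raw lines into sessions: {session_id: [(ts, method, path, status), ...]}."""
    sessions = defaultdict(list)
    for line in lines:
        sid, ts, method, path, status = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), method, path, int(status)))
    return sessions


def session_features(events):
    """Per-session features.  The rate floors the duration at one minute so a
    two-request session does not look like a 120 req/min burst."""
    events = sorted(events)
    n = len(events)
    duration_min = max((events[-1][0] - events[0][0]).total_seconds(), 60.0) / 60.0
    endpoints = {(m, p) for _, m, p, _ in events}
    errors = sum(1 for *_, st in events if st >= 400)
    return {
        "rate": n / duration_min,                   # requests per minute
        "repeat_ratio": 1.0 - len(endpoints) / n,   # how much the session hammers one endpoint
        "error_ratio": errors / n,                  # share of 4xx/5xx responses
    }


def robust_z(values, x):
    """Modified z-score of x against the population, using median and MAD so
    the outlier itself does not inflate the baseline the way mean/stdev would."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    scale = median(devs) or (sum(devs) / len(devs))  # fall back to mean abs dev
    if scale == 0:
        return 0.0 if x == med else float("inf")
    return 0.6745 * (x - med) / scale


def score_sessions(lines):
    """Score every session against all sessions in the same log window.
    Returns {session_id: (max_score, {feature: score})}."""
    feats = {sid: session_features(ev) for sid, ev in parse(lines).items()}
    scores = {}
    for sid, f in feats.items():
        per_feature = {name: robust_z([o[name] for o in feats.values()], x)
                       for name, x in f.items()}
        scores[sid] = (max(per_feature.values()), per_feature)
    return scores


def flagged(lines, threshold=THRESHOLD):
    """Session ids whose worst feature is an outlier relative to the population."""
    return sorted(sid for sid, (s, _) in score_sessions(lines).items() if s > threshold)


if __name__ == "__main__":
    for sid, (s, per) in sorted(score_sessions(SAMPLE_LOG).items()):
        verdict = "ABNORMAL" if s > THRESHOLD else "normal"
        print(f"{sid}: {verdict:8} max={s:6.2f} "
              + " ".join(f"{k}={v:.2f}" for k, v in per.items()))
```

Two design points matter here. The baseline is computed with the median and MAD rather than mean and standard deviation, because the one abusive session would otherwise stretch the standard deviation and partly hide itself. And the scores are signed, so a session that is slower or more varied than its peers is not penalised; only the direction that indicates automation or probing (faster, more repetitive, more errors) raises the score, which is what keeps legitimate users out of the flagged set.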
Special thanks to Lori for raising awareness on this issue. I welcome your feedback and input…
