Value Proposition: Identify, diagnose, and mitigate complex threats in moments, as opposed to days, weeks, or months.
Reducing Time it Takes to Investigate Incidents

Value Proposition
• Ability to quickly answer "what if" questions associated with possible attacks via analyst-driven GUI, export actionable clickstream data, and streamline incident detection/response processes.

Case Studies
• 75% reduction in level of effort to diagnose a web-based incident vs. SIEM tool, from 2 minutes per incident to 30 seconds per incident.
• Identified layer 7 DDoS prior to any other InfoSec tools in use. Saved ~$100,000/hour by blocking bad actors prior to take down.
• Persistent fraud pattern required manual review of 20,000+ cases per year prior to WTD. WTD detects the fraud pattern within the first 3 clicks of a web session with 97% accuracy. Automated actions against this fraud trend prevented $300,000+ in losses and removed 20,000+ cases per year from manual review caseload.
Proactively Identifying Anomalous Behaviors
• Determine if strange traffic patterns are being used to hide real fraud.
• Automatically distinguish normal behavior from fraudster activity.
• Identified previously unknown aggregators and misconfigured vendor applications, allowing rigorous analysis of their data protection standards, identification of risky applications, and blocking access when necessary.
• Identified large-scale, high-speed password guessing attack (15K login attempts in < 5 minutes, single IP). Password guessing attack mitigation saves the organization ~$48,800 per incident or $1.2MM annually.
• Delivered $1MM+ in 2013 fraud loss reductions to a leading US bank in mitigating business logic abuse and wire fraud.
Customer Use Cases: WTD delivers visibility and context needed to distinguish, in real time, legitimate web and mobile customers from fraudsters.

Account registration fraud
Customer Challenge:
• Web & Mobile: Required insight into and detection of fraudulent registration patterns across Web & Mobile channels.
• Compromised credentials: Believed fabricated credentials were being used to set up accounts and open credit using someone else's ID. Lacked real-time visibility to validate these concerns and disrupt fraudulent activities prior to successful compromise.
Visibility Impact of Web Threat Detection:
• Discovered bulk registration + online enrollment fraud patterns
– High volume/velocity registrations & enrollments from single IP.
– Thousands per day over sustained period of several weeks.
– Triggered real-time rules within first hour of deployment alerting analysts to excessive clicks through registration/enrollment pages.
– Routed alerts to load balancer for automated blocking.

ACH wire transfer fraud
Customer Challenge:
• ACH manipulation: Fraud and losses associated with fraudulent ACH transfers which circumvented ACH Wire Creation MFA policies.
• ACH transfers to fraudulent accounts: Loss was occurring because it was taking too long to identify ACH transfers to known fraudulent accounts.
• Despite new SOC environment and technologies, lacked real-time visibility, alerting, and robust threat detection for online and mobile channels.
Visibility Impact of Web Threat Detection:
• Provided real-time visibility: exact play-by-play of fraudster activities revealed attack patterns customer had been previously unaware of.
– ACH manipulation: WTD discovered previously unknown pattern of business logic abuse, in which wire creation fraud controls were not applied to wire-edit logic. For instance, fraudster would create a $95.25 wire, and later modify 10x to $9,525, circumventing security controls.
– Transfers to fraudulent accounts: Utilized WTD's External Data Source feature to load "known fraud accounts" watch lists. Real-time alerts for activity against these accounts allowed enough time to initiate a stop on the transfer and mitigate the pending loss.
Mobile account takeover
Customer Challenge:
• Mobile Visibility: Had no visibility into mobile application traffic patterns.
• Concerns that fraudsters were shifting account takeover strategies to the mobile channel.
Visibility Impact of Web Threat Detection:
• Discovered persistent, successful password guessing attacks occurring unchecked against mobile channel.
– Deployment included both mobile and web traffic.
– Out of the box rules picked up fraudster behaviors within first hour of proof of concept deployment.
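The three use cases above all come down to real-time rules over the clickstream: per-IP velocity for bulk registration and password guessing, a control check on wire edits so the MFA policy that gates wire creation also gates the edited amount, and a watch list of known fraud accounts. The following is an added example written for this page, not RSA Web Threat Detection product code; the event layout, the thresholds (20 registrations per minute, 100 failed logins per 5 minutes, a $1,000 MFA threshold) and the sample events are all constructed for illustration.

```python
"""Real-time clickstream rules of the kind the case studies above describe.

Added example, not RSA Web Threat Detection product code: the event layout,
the rule thresholds and the sample events are all constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed clickstream events: (timestamp_seconds, ip, session, action, fields)
EVENTS = (
    # bulk registration: 25 sign-ups from one IP inside a minute
    [(1000 + i, "203.0.113.9", f"reg-{i}", "register", {}) for i in range(25)]
    # one ordinary registration from another IP
    + [(1010, "198.51.100.7", "reg-ok", "register", {})]
    # password guessing: 300 failed logins from one IP in three seconds
    + [(2000 + i * 0.01, "203.0.113.50", "pg", "login_fail", {}) for i in range(300)]
    + [
        # wire-edit business logic abuse: small wire created, then edited to a far larger amount
        (3000, "198.51.100.20", "w1", "wire_create", {"wire_id": "w1", "amount": 95.25, "dest": "111222"}),
        (3120, "198.51.100.20", "w1", "wire_edit", {"wire_id": "w1", "amount": 9525.00, "dest": "111222"}),
        # ordinary edit that stays under the MFA threshold
        (3200, "198.51.100.21", "w2", "wire_create", {"wire_id": "w2", "amount": 400.00, "dest": "333444"}),
        (3260, "198.51.100.21", "w2", "wire_edit", {"wire_id": "w2", "amount": 450.00, "dest": "333444"}),
        # large wire that passed MFA at creation and was then edited
        (3300, "198.51.100.22", "w3", "wire_create", {"wire_id": "w3", "amount": 5000.00, "dest": "555666"}),
        (3301, "198.51.100.22", "w3", "mfa_challenge_passed", {}),
        (3400, "198.51.100.22", "w3", "wire_edit", {"wire_id": "w3", "amount": 6000.00, "dest": "555666"}),
        # transfer to an account on the "known fraud accounts" watch list
        (3500, "198.51.100.23", "w4", "wire_create", {"wire_id": "w4", "amount": 250.00, "dest": "999000"}),
    ]
)

KNOWN_FRAUD_ACCOUNTS = {"999000"}  # constructed watch list (the page's External Data Source)
MFA_THRESHOLD = 1000.00            # assumed amount above which wire creation requires MFA


def velocity_alerts(events, action, threshold, window):
    """Flag each IP that performs `action` at least `threshold` times within `window` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps inside the sliding window
    alerted = {}
    for ts, ip, _session, act, _fields in sorted(events, key=lambda e: e[0]):
        if act != action:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:   # alert once per IP
            alerted[ip] = {"ip": ip, "count": len(q), "first_seen": q[0], "last_seen": ts}
    return list(alerted.values())


def wire_edit_alerts(events, mfa_threshold):
    """Flag wire edits that lift the amount across the MFA threshold in a session that
    never passed an MFA challenge: the creation control must apply to the edit as well."""
    created = {}     # wire_id -> amount at creation
    mfa_ok = set()   # sessions that passed an MFA challenge
    alerts = []
    for _ts, _ip, session, act, fields in sorted(events, key=lambda e: e[0]):
        if act == "mfa_challenge_passed":
            mfa_ok.add(session)
        elif act == "wire_create":
            created[fields["wire_id"]] = fields["amount"]
        elif act == "wire_edit":
            old, new = created.get(fields["wire_id"]), fields["amount"]
            if old is not None and old < mfa_threshold <= new and session not in mfa_ok:
                alerts.append({"session": session, "wire_id": fields["wire_id"], "old": old, "new": new})
    return alerts


def watchlist_alerts(events, watchlist):
    """Flag any wire whose destination account is on the known-fraud watch list."""
    return [{"session": session, "wire_id": f["wire_id"], "dest": f["dest"]}
            for _ts, _ip, session, act, f in events
            if act in ("wire_create", "wire_edit") and f.get("dest") in watchlist]


def run_rules(events=EVENTS):
    """Run all rules and return the alerts per rule (an action server would push these on)."""
    return {
        "bulk_registration": velocity_alerts(events, "register", threshold=20, window=60),
        "password_guessing": velocity_alerts(events, "login_fail", threshold=100, window=300),
        "wire_edit_abuse": wire_edit_alerts(events, MFA_THRESHOLD),
        "watchlist_hits": watchlist_alerts(events, KNOWN_FRAUD_ACCOUNTS),
    }


if __name__ == "__main__":
    for rule, hits in run_rules().items():
        print(rule, hits)
```

The wire-edit rule is the point of the ACH case: it keys on the amount at creation versus the amount after the edit, so a wire that was small when the MFA decision was made cannot grow past the threshold without a step-up challenge, regardless of how many edits it takes.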
Web Threat Detection – Value Across the Enterprise
Identify ways to increase the value and effectiveness of existing/future investments

End User Communities
Information Security
• "One stop shop" for web fraud data
• Fraud/phishing patterns
• DDoS, brute force, SQL injection attack visibility
Fraud
• Updated config gives fraud team visibility into raw transactional data
• Coverage as fraud goes to mobile channel
Malware Analysts
• Analyze behavioral aspects of live malware
• Identify "early stage" malware activity
Authentication
• Combine risk and behavior-based policies
• Additional source of risk data

Web Threat Detection: Real-Time Clickstream Analysis
Integration Layer: Action Server (Push) / Data Stream (Pull)

Systems Integration Opportunities
SIEM (ArcSight, Splunk, etc.)
• Reduce time to correlate web-based threats by up to 75%.
• Augment log data with user clickstream analysis and transaction data.
• Provide ability to drill into WTD from SIEM alerts for deeper analysis.
Big Data (Hadoop, Security Analytics, etc.)
• Standards-based messaging & APIs reduce data integration efforts.
• Allow analysts to quickly pivot from web threat to network analysis. For instance, detect shellshock attempts against web servers and pivot into SA to analyze impact of the exploit inside the network.
• Automated threat scores drive down analysts' time to diagnose web-based threats.
User Authentication (RSA Adaptive Authentication)
• Augment risk-based authentication policies with behavior-derived custom facts.
• Reduce rate of false negatives (i.e. failed logins data fed into Adaptive Authentication).
• Better alignment with FFIEC anomaly detection guidelines stating that fraudster-driven activities are "anomalous when compared with… established patterns of behavior".
Defending the Website Cyber Kill Chain
Stages: Reconnaissance, Weaponization, Delivery, Exploitation, Command & Control, Exfiltration

Reconnaissance
What it is: Research, identification, and selection of targets.
How WTD Helps
• Early detection of initial pre-authenticated probing and website enumeration.
• Automated behavior scoring detects anomalously behaving IP addresses, activity originating from high risk geo-locations, as well as known malicious hosts and referrers.

Weaponization & Delivery
What it is: Creating and transmitting the deliverable payload (exploit + Trojan) to the target environment.
How WTD Helps
• Websites themselves are one of the most common weaponized payload delivery vectors, e.g. exploiting a server vulnerability to embed a watering hole attack into a web site.
• WTD can monitor POST arguments for suspicious parameters and injection points.
• WTD can monitor suspicious referrers indicating connections originating from attacker websites.

Exploitation
What it is: Executing the attacker's code following delivery to exploit application, OS or user vulnerabilities.
How WTD Helps
• WTD can help provide early warning before new threats are even discovered. Visibility of web sessions provides zero day insights.
• Visibility into all HTTP/HTTPS POST/GET args, headers, IP, geo-location, cookies, STYX, etc. provides visibility into parameters being passed. Quickly search entire data store for occurrences of malware signatures, toolkits, risky args, unexpected parameters.
• Bad actors can be anything, not just IP, but page headers, user
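The kill chain mapping above, together with the shellshock example under Systems Integration Opportunities, describes three request-level checks: unauthenticated enumeration of non-existent paths (reconnaissance), injection patterns in POST arguments and referrers from attacker sites (delivery), and exploit signatures in request headers (exploitation). The following is an added example written for this page, not RSA Web Threat Detection product code; the record layout, the signatures, the 10-path enumeration threshold and the referrer list are assumptions, and every request record is constructed.

```python
"""Request-level indicators for the kill chain stages above, run over a
constructed web request feed.

Added example, not RSA Web Threat Detection product code: the record
layout, signatures, thresholds and referrer list are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse


def _req(ip, path, status=200, auth=False, args=None, ua="Mozilla/5.0", referer=""):
    """Build one constructed request record (fields a clickstream feed might carry)."""
    return {"ip": ip, "path": path, "status": status, "auth": auth,
            "args": args or {}, "headers": {"User-Agent": ua, "Referer": referer}}


# Constructed request records
REQUESTS = (
    # reconnaissance: one unauthenticated IP requesting many non-existent paths
    [_req("203.0.113.5", f"/missing-{i}", status=404, ua="scanner") for i in range(12)]
    + [
        # exploitation: Shellshock-style function definition carried in a request header
        _req("203.0.113.8", "/cgi-bin/status", ua="() { :; };"),
        # delivery: injection pattern in a POST argument
        _req("203.0.113.9", "/login", args={"user": "a' OR '1'='1", "pw": "x"},
             referer="https://www.example.com/login"),
        # delivery: visitor arriving from a known attacker site
        _req("203.0.113.10", "/account", auth=True, referer="http://malicious.example/landing"),
        # ordinary authenticated traffic
        _req("198.51.100.4", "/account", auth=True, args={"page": "2"},
             referer="https://www.example.com/home"),
    ]
)

SHELLSHOCK = re.compile(r"\(\)\s*\{")   # Bash function-definition prefix used by Shellshock probes
INJECTION = re.compile(r"'\s*(or|and)\s*'|union\s+select|;\s*drop\s", re.I)   # assumed signature set
BAD_REFERRERS = {"malicious.example"}   # constructed list of known attacker sites


def classify(req):
    """Return (stage, reason) findings for one request; empty list means nothing flagged."""
    findings = []
    for name, value in req["headers"].items():
        if SHELLSHOCK.search(value):
            findings.append(("exploitation", f"shellshock pattern in header {name}"))
    for arg, value in req["args"].items():
        if INJECTION.search(value):
            findings.append(("delivery", f"injection pattern in POST arg {arg}"))
    host = urlparse(req["headers"].get("Referer", "")).hostname
    if host in BAD_REFERRERS:
        findings.append(("delivery", f"referrer from known attacker site {host}"))
    return findings


def enumeration_scores(requests, min_distinct_404=10):
    """Reconnaissance: unauthenticated IPs that hit many distinct non-existent paths."""
    paths = defaultdict(set)
    for r in requests:
        if not r["auth"] and r["status"] == 404:
            paths[r["ip"]].add(r["path"])
    return {ip: len(p) for ip, p in paths.items() if len(p) >= min_distinct_404}


def run(requests=REQUESTS):
    """Per-request findings plus per-IP enumeration scores; the IP is the pivot key
    an analyst would carry into SIEM or network analytics for follow-up."""
    flagged = [(r["ip"], r["path"], classify(r)) for r in requests if classify(r)]
    return {"flagged_requests": flagged, "enumerating_ips": enumeration_scores(requests)}


if __name__ == "__main__":
    out = run()
    for ip, path, findings in out["flagged_requests"]:
        print(ip, path, findings)
    print("enumerating IPs:", out["enumerating_ips"])
```

The enumeration score deliberately counts distinct paths rather than raw requests, so a legitimate client retrying one broken link does not score while an unauthenticated host walking through many non-existent paths does.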