RSA Web Threat Detection

RSA Web Threat Detection: Online Threat Detection in Real Time
Alaa Abdulnabi, CISSP, CIRM, RSA Pre-Sales Manager, TEAM Region

Web Threat Landscape
The slide lays threats along the stages of a web session (in the wild, begin session, login, transaction, logout) and splits them into an information-security side and a fraud side.
Pre-authentication threats (InfoSec side): phishing, site scraping, vulnerability probing, Layer 7 DDoS attacks, password cracking/guessing, parameter injection, advanced malware (e.g. Trojans), man in the middle/browser.
Straddling the login boundary: new account registration fraud, promotion abuse.
Post-authentication threats (fraud side): account takeover, unauthorized account activity, fraudulent money movement.

How are Websites Protected Today?
- User layer: 2-factor authentication, device ID
- Network layer: firewall, IPS/IDS
- Application layer: WAF, penetration testing, dynamic scanning, log analysis/SIEM, source code analysis

Intelligent Risk-Based Fraud Prevention
Controls, in session order (in the wild, beginning of session, login, transaction, logout), across web and mobile channels: shared threat intelligence; anti-phishing, anti-Trojan and anti-rogue-app services; behavioral analysis; risk-based authentication; transaction monitoring.
Pre-authentication threats covered: site scraping, Trojan attacks, rogue mobile apps, vulnerability probing, DDoS attacks, new account registration fraud, phishing attacks, promotion abuse, parameter injection, password guessing.
Post-authentication threats covered: access from a high-risk country, man in the browser, man in the middle, account takeover, unauthorized account activity, high-risk checkout, fraudulent money movement.

Stream Analytics
Threat scores are computed on the live request stream for velocity, behavior, parameter injection, man in the middle and man in the browser.
Copyright 2011 EMC Corporation. All rights reserved.

Behind the User Experience
Sample clickstream from a banking session: Homepage, Sign-In, My Account, Checking Account View, Bill Pay Home, Select Bill Payee, Add Bill Payee, Enter Payment Amount, Submit.
What Web Threat Detection does with that traffic:
1. Each request is parsed into its component fields.
2. The requests are sessionized, so a session is determined from the individual clicks.
3. Every session is inspected, sensitive data is scrubbed, and the result is compressed, indexed and stored.
4. The scoring engine and the rules engine run over the web session traffic; results reach third-party systems through a send API, syslog, incident creation or an emailed report.

Analyst view: summary of the clickstream, interactive clickstream, table display and human-readable click details.

Typical Use Cases: information security threats, fraud threats, business intelligence, infrastructure utilisation.

Information Security Case Examples

Site Scraping Overview
Example of the web scraping process (hypothetical example only):
1. Hotel reviews are posted on the customer's site.
2. A bot pulls the content from the site within minutes of posting.
3. A potential traveller searches Google and clicks through to a third-party travel review site.
4. The traveller clicks a link to a hotel booking site.
5. The hotel is booked and the travel plans are complete. The hotel was chosen on the basis of reviews from the original site, yet the traveller never visited the original content website.
Key impacts to the travel review website:
1. Missed web traffic equals missed advertising revenue.
2. The booking referral to the hotel was earned by the original site's content but claimed by the third-party review site.
3. Increased market competition from competitors with minimal operational cost overheads.

Information Security: site scraping
Content cycling, the direct approach:
- Brisbane-based IP
- 233 clicks in 1 hour, each click to a unique page-content-number URL
- 1746 clicks in 1 hour
- Human-like click velocity: between 1 and 5 seconds between clicks
- Identified via a Web Threat Detection site scraping rule alert

Information Security: architecture probing
Scripted website probing attack against a bank domain.
Threat summary:
- The customer typically has only ~150 unique URLs that are actively accessed by customers.
- This attack targeted over four thousand URLs; the majority of the page requests were invalid but were still received by the web server.
- Invalid page requests (e.g. 404 errors) are a common sign of attacks that are trying to map the site or locate vulnerable pages.
- 10,945 clicks within 1 hour to 4,484 unique URLs from a single US-based IP
- 95% of clicks less than 0.5 seconds apart

Information Security: password guessing
Attempted account takeover via scripted attacks. Do you have visibility of brute-force attacks on your login pages?
RSA Web Threat Detection covers both directions of password guessing:
- Vertical: same user ID, guess the password.
- Horizontal: same password, guess the user ID.
Banks and other online organisations often allocate user IDs by number. If a script tries a common password (e.g. P@ssword1) against sequential login numbers, it is simply a matter of time until an account logon is compromised.
In this case: analysis of header data shows a Linux operating system, which is very common for scripted attacks (the header is attacker-controlled, so treat it as supporting evidence rather than proof); a single user ID with multiple password attempts.
Note: the submitted password is reduced to a one-way hash before analysis, which still allows value profiling (the same hashed value turning up against many user IDs). A plain, unkeyed hash of a common password can be reversed with a dictionary, so the profiling hash should be keyed and the key kept out of the analytics store.

Distributed Denial of Service (DDoS) Attack
Behavior indicating the onset of a DDoS:
- Web Threat Detection identified a single page being hit 1.6 million times over the course of one hour without the activity being blocked; normal peak traffic is 1.2 million hits.
- IPs originating from high-risk countries
- A single IP executing 70,000 page requests in one hour
- 10 IPs executing 366,000 page requests in one hour
Mitigation: the 10 IPs were categorized as a threat group and sent to the firewall.
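The three information-security cases above (site scraping, architecture probing, DDoS onset) and the parse/sessionize/score pipeline from the "Behind the User Experience" slides all reduce to velocity features computed per session. The block below is an added example, not RSA Web Threat Detection code: it sessionizes constructed clicks by (IP, user) with an inactivity timeout, derives the features the slides quote (unique URLs, error rate, inter-click gap, share of sub-0.5 s clicks), fires scraping and probing rules on them, and builds the per-IP threat group that the DDoS slide says was sent to the firewall. Every threshold, the 30-minute session gap, and the traffic itself are assumptions scaled to the constructed data (the DDoS volumes are far smaller than the slide's).

```python
"""Sessionize a clickstream and apply velocity rules for site scraping,
architecture probing and DDoS onset. Added example, not RSA Web Threat
Detection code; all traffic below is constructed and every threshold is an
assumption scaled to the constructed data."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median

SESSION_GAP = timedelta(minutes=30)        # assumed inactivity timeout
T0 = datetime(2011, 5, 1, 10, 0, 0)


@dataclass
class Click:
    ts: datetime
    ip: str
    user: str          # "-" before authentication
    path: str
    status: int


@dataclass
class Session:
    key: tuple         # (ip, user)
    clicks: list = field(default_factory=list)

    def features(self):
        """Velocity and shape features the rules below score on."""
        ts = [c.ts for c in self.clicks]
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        n = len(self.clicks)
        return {
            "clicks": n,
            "unique_paths": len({c.path for c in self.clicks}),
            "error_rate": sum(c.status >= 400 for c in self.clicks) / n,
            "median_gap": median(gaps) if gaps else 0.0,
            "fast_share": (sum(g < 0.5 for g in gaps) / len(gaps)) if gaps else 0.0,
        }


def sessionize(clicks):
    """Group clicks by (ip, user) and split a group on SESSION_GAP of inactivity."""
    by_key = defaultdict(list)
    for c in sorted(clicks, key=lambda c: c.ts):
        by_key[(c.ip, c.user)].append(c)
    sessions = []
    for key, seq in by_key.items():
        cur = Session(key)
        for c in seq:
            if cur.clicks and c.ts - cur.clicks[-1].ts > SESSION_GAP:
                sessions.append(cur)
                cur = Session(key)
            cur.clicks.append(c)
        sessions.append(cur)
    return sessions


def classify(session):
    """Names of the rules that fire for one session."""
    f = session.features()
    hits = []
    # Site scraping: nearly every click fetches a new page, at a human-like 1-5 s pace.
    if (f["unique_paths"] >= 200 and f["unique_paths"] / f["clicks"] >= 0.9
            and 1.0 <= f["median_gap"] <= 5.0):
        hits.append("site_scraping")
    # Architecture probing: thousands of URLs, mostly invalid, at sub-0.5 s machine pace.
    if f["unique_paths"] >= 1000 and f["error_rate"] >= 0.5 and f["fast_share"] >= 0.9:
        hits.append("architecture_probing")
    return hits


def ddos_threat_group(clicks, window=timedelta(hours=1), per_ip_threshold=1000):
    """IPs whose hits on one path within the window reach the threshold.
    The returned list is the threat group that would be pushed to the firewall."""
    start = min(c.ts for c in clicks)
    counts = Counter((c.ip, c.path) for c in clicks if c.ts - start <= window)
    return sorted({ip for (ip, _), n in counts.items() if n >= per_ip_threshold})


def burst(ip, n, gap_s, paths, status=200, user="-"):
    """Constructed traffic: n clicks from ip, gap_s apart, cycling through paths."""
    return [Click(T0 + timedelta(seconds=i * gap_s), ip, user, paths[i % len(paths)], status)
            for i in range(n)]


# Constructed traffic shaped like the three cases (DDoS volumes scaled down).
SCRAPER = burst("203.0.113.7", 233, 3.0, [f"/content/{i}" for i in range(233)])
PROBER = burst("198.51.100.9", 2000, 0.2, [f"/old/{i}.php" for i in range(2000)], status=404)
FLOOD = [c for k in range(10) for c in burst(f"192.0.2.{k}", 1200, 0.5, ["/login"])]
NORMAL = burst("203.0.113.50", 12, 20.0, ["/", "/account", "/bill-pay"], user="alice")
ALL = SCRAPER + PROBER + FLOOD + NORMAL


def run(clicks=ALL):
    """Rule hits per source IP plus the DDoS threat group."""
    hits = {s.key[0]: classify(s) for s in sessionize(clicks)}
    return hits, ddos_threat_group(clicks)


if __name__ == "__main__":
    hits, group = run()
    for ip, rules in hits.items():
        if rules:
            print(ip, rules)
    print("threat group for firewall:", group)
```

The rules deliberately key on different features: the scraper is slow and looks human by timing but never revisits a page, the prober is fast and mostly hits pages that do not exist, and the flood is all hits on one page, so a single "requests per hour" threshold would either miss the scraper or drown in false positives on a busy login page.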

Fraud Threat Case Examples

Fraud Threats: credential testing (account peeking)
Multiple test logins from a single Nigerian IP address.
Early detection = reduced impact: detecting account peeking with Web Threat Detection lets at-risk user accounts be identified and treated before the customer or the business is impacted.
Account peeking is very common fraudster behaviour because it allows them to:
1. Validate the login credentials
2. Identify higher-value accounts
3. Understand the controls that must be defeated to complete future unauthorised transactions
Observed: a single login test click for each account; multiple users from the single Nigerian IP within 1 hour.
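The password-guessing slide and the account-peeking slide are both rules over login attempts grouped by source IP, and both depend on being able to compare submitted password values without storing them. The block below is an added example, not RSA code: it reduces each password to a keyed one-way token (HMAC with a per-site secret, an assumption; the slide only says the value is one-way hashed), then distinguishes vertical guessing (one user ID, many values), horizontal guessing (one value, many user IDs, with a check for the sequential-ID pattern the slide warns about) and account peeking (several accounts, one attempt each, mostly successful). The attempts, the documentation-range IPs and the thresholds are constructed.

```python
"""Login-page rules for vertical and horizontal password guessing and for
credential testing (account peeking). Added example, not RSA code. The
submitted password is never stored: it is reduced to a keyed one-way value so
equal passwords can be correlated across user IDs without the analytics store
becoming a plaintext password list. Attempts are constructed; thresholds are
assumptions."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

# Assumption: a per-deployment secret held outside the analytics store. With an
# unkeyed hash, a dictionary of common passwords would reverse the tokens.
PROFILING_KEY = b"replace-with-a-per-site-secret"


@dataclass
class LoginAttempt:
    ip: str
    user_id: str
    password: str     # as submitted; only its keyed hash is used below
    success: bool


def password_token(password):
    """Keyed one-way value used for profiling in place of the password itself."""
    return hmac.new(PROFILING_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


def sequential(user_ids):
    """True when all IDs are numeric and form one consecutive run."""
    nums = sorted(int(u) for u in user_ids if u.isdigit())
    return bool(nums) and len(nums) == len(user_ids) and nums == list(range(nums[0], nums[0] + len(nums)))


def profile(attempts, guess_threshold=10, peek_min_accounts=5, peek_success_rate=0.8):
    """Rule hits keyed by source IP."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    findings = {}
    for ip, seq in by_ip.items():
        per_user = defaultdict(list)    # user_id -> tokens tried against it
        per_token = defaultdict(set)    # token -> user_ids it was tried on
        for a in seq:
            t = password_token(a.password)
            per_user[a.user_id].append(t)
            per_token[t].add(a.user_id)
        rules = []
        # Vertical: one user ID, many distinct password values.
        for uid, toks in per_user.items():
            if len(set(toks)) >= guess_threshold:
                rules.append(("vertical_guessing", uid))
        # Horizontal: one password value sprayed across many user IDs; record whether
        # the IDs form a sequential run, the allocation pattern the slide warns about.
        for t, uids in per_token.items():
            if len(uids) >= guess_threshold:
                rules.append(("horizontal_guessing", "sequential_ids" if sequential(uids) else "scattered_ids"))
        # Account peeking: several accounts, exactly one attempt each, mostly successful.
        success_rate = sum(a.success for a in seq) / len(seq)
        if (len(per_user) >= peek_min_accounts and all(len(v) == 1 for v in per_user.values())
                and success_rate >= peek_success_rate):
            rules.append(("account_peeking", sorted(per_user)))
        if rules:
            findings[ip] = rules
    return findings


# Constructed attempts; IPs are documentation ranges, not the slide's real sources.
VERTICAL = [LoginAttempt("198.51.100.4", "1000123", f"guess{i}", False) for i in range(25)]
HORIZONTAL = [LoginAttempt("203.0.113.9", str(1000100 + i), "P@ssword1", i == 7) for i in range(40)]
PEEKING = [LoginAttempt("192.0.2.77", u, "stolen-pw-" + u, True)
           for u in ("1000201", "1000377", "1000412", "1000590", "1000633")]
NORMAL = [LoginAttempt("203.0.113.50", "1000777", "typo", False),
          LoginAttempt("203.0.113.50", "1000777", "right", True)]


if __name__ == "__main__":
    for ip, rules in profile(VERTICAL + HORIZONTAL + PEEKING + NORMAL).items():
        print(ip, rules)
```

Peeking is the hard one of the three: every individual attempt looks like a normal successful login, so the signal is only visible after grouping by source IP and noticing that one address is succeeding first time across accounts it has no history with. That is why the rule needs the success flag, not just the password token.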

Man in the Middle (MITM)
One account accessed by 2 or more IP addresses in different geographies. This was the first attack vector used against online banking targets.

Detecting Zeus Variants
A client infected with a Zeus variant accesses the banking site; the telltale signs are detected in real time by rules running against the production web app / transactional systems.
Rule: USER AGENT CONTAINS "Zeus 54361 Webster Pro V2.9"

Dynamic Detection of Man in the Browser / Mobile Malware
Target: top 5 financial services
Legitimate flow: Sign-in > Account Overview > Pay Bill Overview > Pay Bill > Pay Bill Complete
Attack flow: Add External Account > Transfer Funds > Transfer Funds Complete
Pattern: multiple flows
Attack: man in the browser
Damage: funds transferred from the victim's account

Fraud Threats: account takeover
Malware on the customer's device attempting account takeover: malware-driven password guessing against a single user ID, with 50% of clicks less than 0.5 seconds apart. The user agent for this IP contains SIMBAR, a characteristic of adware known to be used by malware for account takeover purposes.
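The four post-authentication slides (MITM, Zeus user agent, MITB flow deviation, SIMBAR) share one shape: rules evaluated over a session's page sequence and headers rather than over raw request rates. The block below is an added example, not RSA code. It implements the geography rule (one account from two countries inside a short window), the flow rule (a session that goes from Sign-in straight to a money-movement page without touching the legitimate flow the slide lists), and the user-agent indicator rule using the two strings the slides quote. GEO is a constructed lookup table standing in for a geolocation feed, the 15-minute window is an assumption, and the events are constructed.

```python
"""Post-authentication session rules: one account reached from two
geographies inside a short window (the MITM indicator), a session that skips
the legitimate flow and goes straight to money movement (the MITB pattern), and
user-agent indicators. Added example, not RSA code. GEO is a constructed
lookup table standing in for a geolocation feed; the indicator strings are the
ones quoted on the slides; events and the time window are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

GEO = {"203.0.113.20": "GB", "203.0.113.21": "GB", "198.51.100.60": "RU"}   # constructed
UA_INDICATORS = ("Zeus 54361 Webster Pro V2.9", "SIMBAR")                   # from the slides
LEGIT_FLOW = ("Sign-in", "Account Overview", "Pay Bill Overview", "Pay Bill", "Pay Bill Complete")
MONEY_MOVEMENT = {"Add External Account", "Transfer Funds", "Transfer Funds Complete"}
CONCURRENCY_WINDOW = timedelta(minutes=15)   # assumed


@dataclass
class Event:
    ts: datetime
    account: str
    ip: str
    user_agent: str
    page: str


def rule_user_agent(events):
    """Sessions whose User-Agent carries a known malware/adware marker."""
    return sorted({(e.account, e.ip, ind) for e in events for ind in UA_INDICATORS if ind in e.user_agent})


def rule_mitm(events):
    """Same account active from different countries within CONCURRENCY_WINDOW."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e.account].append(e)
    hits = set()
    for acct, seq in by_acct.items():
        seq.sort(key=lambda e: e.ts)
        for i, a in enumerate(seq):
            for b in seq[i + 1:]:
                if b.ts - a.ts > CONCURRENCY_WINDOW:
                    break
                if GEO.get(a.ip) != GEO.get(b.ip):
                    hits.add((acct, GEO.get(a.ip), GEO.get(b.ip)))
    return sorted(hits)


def rule_mitb(events):
    """A session that reaches a money-movement page after Sign-in without first
    touching any page of the legitimate flow: the injected script drives the
    browser straight to Add External Account / Transfer Funds."""
    by_sess = defaultdict(list)
    for e in events:
        by_sess[(e.account, e.ip)].append(e)
    hits = set()
    for (acct, ip), seq in by_sess.items():
        on_legit_path = False
        for e in sorted(seq, key=lambda e: e.ts):
            if e.page == "Sign-in":
                on_legit_path = False
            elif e.page in LEGIT_FLOW:
                on_legit_path = True
            elif e.page in MONEY_MOVEMENT and not on_legit_path:
                hits.add((acct, ip, e.page))
                break
    return sorted(hits)


def evaluate(events):
    return {"user_agent": rule_user_agent(events), "mitm": rule_mitm(events), "mitb": rule_mitb(events)}


def flow(account, ip, ua, start, pages, step=timedelta(seconds=20)):
    """Constructed session: pages visited step apart."""
    return [Event(start + i * step, account, ip, ua, p) for i, p in enumerate(pages)]


T0 = datetime(2011, 5, 1, 10, 0)
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
EVENTS = (
    # Victim: legitimate bill payment from the UK, then the infected host replays the
    # session from another country and jumps straight to adding an external account.
    flow("acct-42", "203.0.113.20", FIREFOX, T0, LEGIT_FLOW)
    + flow("acct-42", "198.51.100.60", FIREFOX + " Zeus 54361 Webster Pro V2.9", T0 + timedelta(minutes=3),
           ("Sign-in", "Add External Account", "Transfer Funds", "Transfer Funds Complete"), step=timedelta(seconds=1))
    # Clean customer following the legitimate flow.
    + flow("acct-7", "203.0.113.21", FIREFOX, T0, LEGIT_FLOW)
    # Customer whose browser carries the SIMBAR adware marker but follows a normal flow.
    + flow("acct-9", "203.0.113.21", FIREFOX + " SIMBAR", T0 + timedelta(hours=1), LEGIT_FLOW)
)


if __name__ == "__main__":
    for rule, hits in evaluate(EVENTS).items():
        print(rule, hits)
```

The user-agent rule is the cheapest and the weakest: the string is attacker-controlled and a new build of the malware changes it. The flow rule survives that, because the injected transaction still has to be submitted through the site's own pages, and skipping the overview pages that a human needs in order to decide what to pay is what gives it away.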

Business Logic Abuse Case Examples

Business Logic Abuse: content click fraud
Inflation of page traffic via automated views.
- Single user ID (username@domain.com)
- Single user cycling through 18 different IP addresses within 24 hours across multiple states/cities
- Repetitive clickstream behaviour: (1) login, (2) search, (3) view page, (4) logout, (5) repeat

Business Logic Abuse: user rating inflation
False sales between common parties to inflate a user rating.
- 10 identical orders (same buyer/seller) placed within 9 minutes
- 21 orders from a single user within 1 hour, at 5am
- Each order value ~$1,000 USD

Business Logic Abuse: coupon testing
Scripted attacks to find valid coupon codes. The impact of coupon abuse can include:
- Genuine customer impact due to unauthorised use of coupon offers
- Decreased revenue due to offer abuse
- Increased website overhead due to scripted attacks
- Site scraping by resellers or coupon aggregator sites
Observed: a single IP driving 95%+ of all coupon-code page traffic.
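None of the three business-logic cases is an attack on the application itself; each is a legitimate feature used at a rate or in a pattern no customer would. The block below is an added example, not RSA code, that turns the figures on these three slides into rules over constructed records: one user ID replaying the login/search/view/logout loop from many IPs inside 24 hours, a buyer/seller pair placing identical orders in a short window (plus a per-buyer order velocity check for the 21-orders-in-an-hour figure), and one IP producing 95% of coupon-page traffic. Thresholds, paths and the records are assumptions.

```python
"""Business-logic abuse rules: content click fraud (one user ID cycling through
many IPs while repeating the same click loop), user rating inflation (repeated
identical buyer/seller orders in a short window, plus order velocity) and coupon
testing (one IP dominating coupon-page traffic). Added example, not RSA code;
records are constructed and thresholds are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

T0 = datetime(2011, 5, 1, 5, 0)          # the slide's 5am burst
CLICK_LOOP = ("/login", "/search", "/view", "/logout")


@dataclass
class PageView:
    ts: datetime
    user: str          # "-" before authentication
    ip: str
    path: str


@dataclass
class Order:
    ts: datetime
    buyer: str
    seller: str
    amount: float


def count_loops(pages, pattern=CLICK_LOOP):
    """Non-overlapping repetitions of pattern inside the page sequence."""
    n, i, k = 0, 0, len(pattern)
    while i + k <= len(pages):
        if tuple(pages[i:i + k]) == pattern:
            n, i = n + 1, i + k
        else:
            i += 1
    return n


def click_fraud(views, window=timedelta(hours=24), min_ips=10, min_loops=5):
    """User IDs seen from many IPs inside the window while replaying the click loop."""
    by_user = defaultdict(list)
    for v in views:
        by_user[v.user].append(v)
    hits = {}
    for user, seq in by_user.items():
        seq.sort(key=lambda v: v.ts)
        ips = {v.ip for v in seq if v.ts - seq[0].ts <= window}
        loops = count_loops([v.path for v in seq])
        if len(ips) >= min_ips and loops >= min_loops:
            hits[user] = {"ips": len(ips), "loops": loops}
    return hits


def rating_inflation(orders, window=timedelta(minutes=10), min_orders=5):
    """Buyer/seller pairs placing min_orders identical-value orders within the window."""
    by_pair = defaultdict(list)
    for o in orders:
        by_pair[(o.buyer, o.seller, o.amount)].append(o.ts)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        if any(times[i + min_orders - 1] - times[i] <= window for i in range(len(times) - min_orders + 1)):
            hits.append(pair)
    return sorted(hits)


def order_velocity(orders, window=timedelta(hours=1), max_orders=20):
    """Buyers placing more than max_orders inside any sliding window."""
    by_buyer = defaultdict(list)
    for o in orders:
        by_buyer[o.buyer].append(o.ts)
    flagged = []
    for buyer, times in by_buyer.items():
        times.sort()
        if any(times[i + max_orders] - times[i] <= window for i in range(len(times) - max_orders)):
            flagged.append(buyer)
    return sorted(flagged)


def coupon_testing(views, coupon_path="/checkout/coupon", min_share=0.95, min_hits=100):
    """Single IPs producing at least min_share of all coupon-page requests."""
    counts = Counter(v.ip for v in views if v.path == coupon_path)
    total = sum(counts.values())
    if total < min_hits:
        return []
    return [(ip, n / total) for ip, n in counts.items() if n / total >= min_share]


def constructed_views():
    views = []
    # One user ID replaying login/search/view/logout from 18 IPs over 22.5 hours.
    for k in range(18):
        start = T0 + k * timedelta(minutes=75)
        views += [PageView(start + i * timedelta(seconds=10), "username@domain.com", f"203.0.113.{k + 1}", p)
                  for i, p in enumerate(CLICK_LOOP)]
    # An ordinary authenticated visit.
    views += [PageView(T0 + i * timedelta(seconds=30), "bob", "198.51.100.8", p)
              for i, p in enumerate(("/login", "/search", "/view"))]
    # Coupon tester: 190 of 200 coupon-page requests from one IP.
    views += [PageView(T0 + i * timedelta(seconds=2), "-", "198.51.100.3", "/checkout/coupon") for i in range(190)]
    views += [PageView(T0 + timedelta(minutes=i), "-", f"192.0.2.{i}", "/checkout/coupon") for i in range(10)]
    return views


def constructed_orders():
    # 10 identical $1,000 orders between the same buyer and seller within 9 minutes.
    orders = [Order(T0 + i * timedelta(minutes=1), "buyer-1", "seller-1", 1000.0) for i in range(10)]
    # 21 orders from one buyer to different sellers inside one hour.
    orders += [Order(T0 + i * timedelta(minutes=2.5), "buyer-2", f"seller-{i}", 999.0) for i in range(21)]
    return orders


if __name__ == "__main__":
    print(click_fraud(constructed_views()), coupon_testing(constructed_views()))
    print(rating_inflation(constructed_orders()), order_velocity(constructed_orders()))
```

A WAF sees nothing wrong with any of these requests, which is the point of the slide section: the rules have to be written against business objects (user ID, buyer/seller pair, coupon endpoint) and time, not against request syntax.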

Platform Architecture
- Capture: Silver Tap, fed from a network switch/TAP span port
- Analysis: Profile Analyzer, Risk Engines, Forensics
- Response: Mitigator, Action Server, Automated Response
- Data feeds: Intelligence Data, External Data Source API
- Integrations: Case Management, SIEM

RSA Web Threat Detection: summary
- Real-time visibility
- Industry-leading accuracy
- Understand customers vs. criminals
- Almost immediate time to benefit
- No impact to users or the web app (passive capture off a span port/TAP)
- Self-learning