RSA Web Threat Detection


RSA Web Threat Detection: Online Threat Detection in Real Time

The Online Threat Environment

Web Threat Landscape
Session stages: In the Wild > Begin Session > Login > Transaction > Logout
Threat categories: InfoSec, Fraud
Pre-Authentication Threats: Phishing, Site Scraping, Vulnerability Probing, Layer 7 DDoS Attacks, Password Cracking/Guessing, Parameter Injection, New Account Registration Fraud, Advanced Malware (e.g. Trojans), Promotion Abuse, Man in the Middle/Browser
Post-Authentication Threats: Account Takeover, New Account Registration Fraud, Unauthorized Account Activity, Fraudulent Money Movement

Business & Customer Challenges: Security is a Balancing Act
Business challenges: Information Sprawl, Mobility of End Users, More Threats, More Regulations
Business requirements: Protect Information, Mitigate Emerging Threats, Meet Regulations, Secure Account Access and Use
End-user requirements: Ease of Use, Self-Service

Services for Customers vs. Opportunity for Criminals
- Next-day shipping: "My shipping mule will have it before your fraud team knows it's gone"
- Express wire transfers: "I'll cash out before your customer calls about a weird transaction"
- $10 for new accounts promotion: "One sounds good, 6,000 sounds great"
- Forgot my password link: "If only there was a way to validate accounts"
- Account locks after 5 failed logins: "Good luck making money when I lock all of your user accounts."
- View your statement online: "Thanks for the identity theft one-stop shop!"

RSA Fraud & Risk Intelligence Solutions: Securing the Online User Life Cycle
Session stages: In the Wild > Begin Session > Login > Transaction > Logout
Products across the life cycle: FraudAction & CyberCrime Intelligence, Adaptive Authentication, Silver Tail, Transaction Monitoring

Web Threat Detection Overview: Distinguishing Customers from Criminals

How are Websites Protected Today?
- User: 2 Factor Authentication, Device ID
- Network: Firewall, IPS/IDS
- Application: WAF, Penetration Testing, Dynamic Scanning, Log Analysis/SIEM, Source Code Analysis

Lack of Visibility into Online User Behavior
What ARE users doing on your site? Are they browsing? Are they banking? Are they shopping? Are they being disruptive or criminal?
Copyright 2011 EMC Corporation. All rights reserved.

With Total Visibility into Online Behavior You Can:
- Reduce fraud losses and their additional associated costs
- Maintain a positive corporate reputation
- Keep a competitive edge: prevent competitors from accessing proprietary or other valuable information
- Significantly reduce the chance of site downtime resulting from a successful attack
- Avoid financial penalties and other negative consequences associated with failing to prevent access to credit card or other personal data
- Reduce financial and other negative consequences stemming from business logic abuse

Mitigating Online Threats with Real-Time Detection
What do you need to tell the difference between legitimate and disruptive or criminal use of your web site?
- Total visibility into web sessions
- Ability to identify behavioral patterns for crowds and for individual users
- Ability to process this information and draw meaningful conclusions
- Ability to act on these conclusions
- ...and you need to be able to do all of this in real time

Distinguishing Customers from Criminals Through Total Visibility into the Web Session
- Providing Continuous Monitoring for Total Visibility into Web Sessions
- Leveraging Big Data Analytics and Visualization
- Building Dynamic Behavioral Profiles for the Population and for Individuals
- Calculating Real-time Threat Scores for Use in Rules

Stream Analytics
Threat Scores: Velocity, Behavior, Parameter Injection, Man in the Middle, Man in the Browser

Anomalous Behavior Detection: Cyber Criminals Look Different than Online Customers
Dimensions: Velocity, Page Sequence, Origin, Contextual Information
[Figure: example online banking page flow with the pages Sign-in, Homepage, My Account, View Checking, Checking Account, Bill Pay Home, Add Bill Payee, Select Bill Payee, Enter Pay Amount, Submit]

A Typical Online Bank Transaction
[Figure: clickstream of a typical transaction, one click per step: Sign-In, Homepage, My Account, Checking Account View, Bill Pay Home, Add Bill Payee, Select Bill Payee, Enter Payment Amount, Submit]

Behind the User Experience
- The session is determined.
- 1. Data is broken apart into several pieces under a lens. 2. Data is sessionized.
- Inspects all traffic; scrubs data; data is compressed, indexed, and stored.
- Web session traffic feeds the Rules Engine and the Scoring Engine; results go out via Send API, SysLog, Incident Create and email report to 3rd Party Systems.
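The "data is sessionized" step above is where raw click records become the unit that everything else (behavioral profiles, scores, rules) works on. The following is an added illustration of that step, written for this page and not code from RSA or the Web Threat Detection product: it groups constructed click records into sessions by cookie (falling back to user ID, then IP) with an inactivity timeout, and then checks each session's page sequence against the bill-pay flow shown in the figure. The record layout, the 30-minute timeout, the page names and the "required before submit" list are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample click records (not from the presentation), one per request:
# (timestamp, session cookie, user id, client IP, requested page)
SAMPLE_CLICKS = [
    ("2024-01-01 10:00:00", "c1", "alice", "203.0.113.5", "/signin"),
    ("2024-01-01 10:00:05", "c1", "alice", "203.0.113.5", "/home"),
    ("2024-01-01 10:00:12", "c1", "alice", "203.0.113.5", "/account"),
    ("2024-01-01 10:00:30", "c1", "alice", "203.0.113.5", "/billpay"),
    ("2024-01-01 10:00:40", "c1", "alice", "203.0.113.5", "/billpay/select"),
    ("2024-01-01 10:00:55", "c1", "alice", "203.0.113.5", "/billpay/amount"),
    ("2024-01-01 10:01:10", "c1", "alice", "203.0.113.5", "/billpay/submit"),
    # same cookie 45 minutes later: the inactivity timeout starts a new session
    ("2024-01-01 10:46:00", "c1", "alice", "203.0.113.5", "/signin"),
    ("2024-01-01 10:46:03", "c1", "alice", "203.0.113.5", "/home"),
    # a second client that jumps straight to submit, skipping the bill-pay steps
    ("2024-01-01 11:00:00", "c2", "bob", "198.51.100.7", "/signin"),
    ("2024-01-01 11:00:01", "c2", "bob", "198.51.100.7", "/billpay/submit"),
    ("2024-01-01 11:00:02", "c2", "bob", "198.51.100.7", "/billpay/submit"),
]

SESSION_TIMEOUT = timedelta(minutes=30)  # assumed inactivity gap that ends a session

# Pages a real user passes through before the submit page (assumed for the example).
REQUIRED_BEFORE_SUBMIT = ["/billpay", "/billpay/select", "/billpay/amount"]


def parse(row):
    ts, cookie, user, ip, page = row
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cookie, user, ip, page


def sessionize(rows, timeout=SESSION_TIMEOUT):
    """Group clicks into sessions keyed by cookie (falling back to user id, then IP),
    opening a new session whenever the gap since the previous click exceeds `timeout`."""
    by_key = defaultdict(list)
    for row in sorted(rows, key=lambda r: r[0]):
        ts, cookie, user, ip, page = parse(row)
        by_key[cookie or user or ip].append((ts, user, ip, page))
    sessions = []
    for key, clicks in by_key.items():
        current, last_ts = None, None
        for ts, user, ip, page in clicks:
            if current is None or ts - last_ts > timeout:
                current = {"key": key, "user": user, "ip": ip, "start": ts, "pages": []}
                sessions.append(current)
            current["pages"].append(page)
            last_ts = ts
    return sessions


def sequence_findings(session, required=REQUIRED_BEFORE_SUBMIT):
    """Report every submit click that happens before the pages a user must visit first:
    a page-sequence anomaly that a scripted client produces and a browsing human does not."""
    seen, findings = set(), []
    for page in session["pages"]:
        if page == "/billpay/submit":
            missing = [p for p in required if p not in seen]
            if missing:
                findings.append("submit without " + ",".join(missing))
        seen.add(page)
    return findings


def analyze(rows=SAMPLE_CLICKS):
    """One tuple per session: (key, start time, click count, sequence findings)."""
    return [(s["key"], s["start"].strftime("%H:%M:%S"), len(s["pages"]), sequence_findings(s))
            for s in sessionize(rows)]


if __name__ == "__main__":
    for key, start, clicks, findings in analyze():
        print(key, start, clicks, findings or "ok")
```

Keying on the cookie first matters because one IP can carry many users (NAT, aggregators) and one user can rotate IPs, as the click-fraud example later on this page shows; the timeout split keeps a reused cookie from stitching two visits into one session.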

[Figure: user interface showing a summary of the clickstream, an interactive clickstream, a table display and human-readable click details]

Web Threat Detection Workflow
- Inputs: Page Request, Arguments (POST/GET), HTTP Headers, User ID, Cookie, IP
- Sessionize and Visualize Click Stream
- Threat Score (0-100) components: Man in the Middle, Man in the Browser, Behavior, Velocity, Parameter
- Rules Engine: Real Time Alerts and Hourly Alerts on IP, User, Page
- Forensic Dashboard: One Click Investigation, Deep Inspection of IP, User, Page
- Action Server: SIEM, CM, Email, LB, WAF
- Web Threat Detection User Interface

Visibility into Third Party Sites: Monitoring Embedded Functionality

Web Session Blind Spot
- Third Party Embedded Applications leave organizations with a blind spot
- High risk transactions, and threats, are likely to occur in the blind spot
Session flow: Session Begins > Login > Home Page > Online Bill Pay > Logout

[Figure: before vs. with Third Party Visibility]

Web Threat Detection Use Cases

Typical Use Cases: Information Security Threats, Fraud Threats, Business Intelligence, Infrastructure Utilisation

Information Security: Case examples

Site Scraping Overview
Example of the web scraping process (hypothetical example only!):
1. Hotel reviews are posted on the customer's site.
2. A bot pulls the content from the site within minutes of posting.
3. A potential traveller searches Google and clicks through to a travel review site (not TripAdvisor).
4. The traveller clicks a link to a hotel booking site.
5. Hotel booked and travel plans complete! The hotel was chosen based on reviews from the original site without the traveller ever visiting the original content website.
Key impacts to the travel review website:
1. Missed web traffic equals missed advertising revenue
2. Travel booking referral to the hotel based on the original site's content, but claimed by the third party review site
3. Increased market competition from competitors with minimal operational cost overheads

Information Security Example #1: Site scraping, Type #1, the Search + Scrape
- Hong Kong IP
- IP address only hitting 3 page types (1) List here the 3 page types
- Human-like click velocity: between 1 and 5 seconds

Information Security Example #1: Site scraping, Type #2, content cycling (the direct approach)
- Brisbane based IP
- 233 clicks in 1 hour, each click to a unique page content number URL
- 1746 clicks in 1 hour
- Human-like click velocity: between 1 and 5 seconds
- Identified via a Web Threat Detection site scraping rule alert

Information Security Example #2: Architecture probing
Scripted website probing attack against a bank domain
Threat summary:
- The customer typically has only ~150 unique URLs which are actively accessed by customers
- This attack targeted over four thousand URLs; the majority of the page requests were invalid but were still received by their web server
- Invalid page requests (e.g. 404 errors) are common when identifying website attacks which are looking to map the site or locate vulnerable pages
- 10945 clicks within 1 hour, to 4484 unique URLs, from a single US based IP
- 95% of clicks sub-0.5 seconds

Information Security Example #3: Password guessing
Attempted account takeover via scripted attacks. Do you have visibility of brute force attacks on your login pages?
RSA Web Threat Detection is very effective at both types of password guessing:
- Vertical: same user ID, guess the password
- Horizontal: same password, guess the user ID
Often banks and other online organisations allocate user IDs based on number. If you run a script with a common password (e.g. P@ssword1), then it is simply a matter of time until an account logon is compromised as the script cycles through sequential login numbers.
- Analysis of header data detects the Linux operating system, which is very common for scripted attacks
- Single user ID, multiple password attempts. Note: the password has one-way encryption, which still allows for value profiling

Information Security Example #4: Account aggregators
Third party aggregator sites (e.g. Mint, Yodlee) utilising disclosed login credentials to scrape sensitive customer data.
Why is it important to know the aggregators?
- Customer data: do you know which third parties have your customer login data?
- Data breach: how would you manage if an aggregator had a data breach with thousands of your customer credentials?
- Liability for fraud cases may change given that customers have disclosed their login credentials
- Customer terms and conditions: do you wish to update them based on aggregator risk?
- 40 user details scraped by a single account aggregator IP in 1 hour

Fraud Threats: Case examples

Fraud Threats Example #5: Credential Testing
Account peeking: multiple test logins from a Nigerian IP address
Early detection = reduced impact. Detection of account peeking via Web Threat Detection allows at-risk user accounts to be identified and treated before the customer or business is impacted.
Account peeking is a very common behaviour by fraudsters as it allows them to:
1. Validate the login credentials
2. Identify higher value accounts
3. Understand the controls which must be defeated to complete future unauthorised transactions
- Single login test click for each account
- Multiple users from a single Nigerian IP within 1 hour
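Example #3 (vertical and horizontal password guessing, profiled on a one-way encrypted password value) and Example #5 (account peeking: one successful test login per account, many accounts from one IP) can all be read off the same per-IP login telemetry. The block below is an added example written for this page, not RSA code: it fingerprints each submitted password with a one-way hash so that values can be profiled without storing plaintext, then classifies each source IP and returns the accounts an account-peeking IP touched so they can be treated. The event layout, the SHA-256 fingerprint, the thresholds and the sample events are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict


def fingerprint(password):
    """One-way fingerprint used only for value profiling; the plaintext is not kept.
    (The page says only that the password field is one-way encrypted; SHA-256 is assumed.)"""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


# Constructed login events (not from the presentation): (client IP, user id, submitted password, success)
EVENTS = (
    # vertical guessing: one user id, many different passwords, one IP
    [("192.0.2.10", "user1001", f"guess{i}", False) for i in range(12)]
    # horizontal guessing: one common password tried against sequential ids
    + [("192.0.2.20", f"user{2000 + i}", "P@ssword1", False) for i in range(15)]
    # account peeking: many ids, exactly one successful login each, single IP
    + [("192.0.2.30", f"user{3000 + i}", f"realpw{i}", True) for i in range(8)]
    # ordinary customer: a typo, then a successful login
    + [("198.51.100.9", "user4444", "typo", False), ("198.51.100.9", "user4444", "correct", True)]
)

# Assumed alerting thresholds (distinct values per IP within the window)
THRESHOLDS = {"vertical": 5, "horizontal": 5, "peeking": 5}


def classify_ips(events, thresholds=THRESHOLDS):
    """Return {ip: (labels, at_risk_accounts)} from a window of login events."""
    per_ip = defaultdict(lambda: {
        "pw_per_user": defaultdict(set),   # distinct password values tried per user id
        "users_per_pw": defaultdict(set),  # distinct user ids tried per password value
        "attempts": defaultdict(int),
        "successes": defaultdict(int),
    })
    for ip, user, password, ok in events:
        fp = fingerprint(password)
        s = per_ip[ip]
        s["pw_per_user"][user].add(fp)
        s["users_per_pw"][fp].add(user)
        s["attempts"][user] += 1
        if ok:
            s["successes"][user] += 1

    verdicts = {}
    for ip, s in per_ip.items():
        labels = []
        # vertical: same user id, many different passwords
        if max(len(v) for v in s["pw_per_user"].values()) >= thresholds["vertical"]:
            labels.append("vertical-guessing")
        # horizontal: same password value, many user ids
        if max(len(v) for v in s["users_per_pw"].values()) >= thresholds["horizontal"]:
            labels.append("horizontal-guessing")
        # peeking: one attempt per account, and it succeeds, across many accounts
        peeked = sorted(u for u in s["attempts"]
                        if s["attempts"][u] == 1 and s["successes"][u] == 1)
        if len(peeked) >= thresholds["peeking"]:
            labels.append("account-peeking")
        verdicts[ip] = (labels, peeked if "account-peeking" in labels else [])
    return verdicts


if __name__ == "__main__":
    for ip, (labels, at_risk) in classify_ips(EVENTS).items():
        print(ip, labels or "normal", at_risk)
```

The peeking rule is the one worth acting on first: every account it lists has already had its credentials confirmed, so forced re-authentication or a credential reset for those users is the mitigation, whereas the guessing rules mostly justify rate limiting the source.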

Fraud Threats Example #6: Account Takeover
Malware on the customer's device attempting account takeover
- Malware driven password guessing against a single user ID
- 50% of clicks in sub-0.5 seconds
- The user agent for this particular IP contains SIMBAR. This is a characteristic of adware known to be used by malware for account takeover purposes

Fraud Threats Example #7: Fraudulent Payments
High frequency, high velocity spend by a single IP
- Web traffic spike to the paycomplete page
- 30 transactions within 15 minutes to the paycomplete page
- All transactions identical: item, value and payment type
- Individual transactions were all of a lower value to decrease the probability of detection

Business Logic Abuse: Case examples

Business Logic Abuse Example #8: Content Click Fraud
Inflation of page traffic via automated views
- Identified as High Risk Users by elevated Behaviour Score
- Repetitive page view behaviour
- Human-like click velocity

Business Logic Abuse Example #8: Content Click Fraud (continued)
Inflation of page traffic via automated views
- Single User Id = username@domain.com
- Single user cycling through 18 different IP addresses within 24 hours across multiple states/cities
- Repetitive clickstream behaviour: (1) Login (2) Search (3) View Page (4) Logout (5) Repeat above

Business Logic Abuse Example #9: User rating inflation
False sales between common parties to inflate user rating
- 10 identical orders (same buyer/seller) placed within 9 minutes
- 21 orders from a single user within 1 hour at 5am
- Each order value ~$1,000 USD

Business Logic Abuse Example #10: Coupon testing
Scripted attacks to find valid coupon codes. The impact of coupon abuse can include:
- Genuine customer impact due to unauthorised use of coupon offers
- Decreased revenue due to offer abuse
- Increased website overhead due to scripted attacks
- Site scraping by resellers or coupon aggregator sites
Observed: a single IP driving 95%+ of all coupon code page traffic

Business Intelligence: Case examples

Business Intelligence Example #11: Robotic Click Traffic
Google and Microsoft (Bing) driving a material % of site click traffic
- Microsoft IP: NN% to XYZ page
- 1746 clicks in 1 hour

Business Intelligence Example #11: Robotic Click Traffic (continued)
- User Agent = Microsoft bingbot

Business Intelligence Example #11: Robotic Click Traffic (continued)
- Traffic to the content search URL: Google, Microsoft or site scrapers generated 100% of the traffic for the top 100 IPs to the content search page (early morning)

Business Intelligence Example #12: Page transition statistics
User behaviour intelligence from macro to micro level
- 68% of users click the search page again after the first search result

Business Intelligence Example #13: Decommissioned Pages
1 million hits per month to a decommissioned RSS feed page
- RSS feed officially disabled, however content is still being posted and the page is still receiving ~1 million hits per month
- Google bots requesting the RSS page 769 times in a single hour (typical), which is 64% of all requests to RSS pages

Account Takeover via Scripted Attack (Large Financial Institution)
The Threat: a script attempting multiple log in attempts
How Web Threat Detection Identified the Threat:
- Anomalous click behavior: almost 4,000 clicks in just over 7 and a half minutes
- Excessive log in attempts for a single IP in a single session: over 2,600 login attempts
How We Used The Information:
- Redirect IP to the Contact Customer Service page
- Send IP to SIEM for correlation
- Temporarily block IP

Account Takeover via Man-in-the-Middle (Large Financial Institution)
The Threat: a classic Man-in-the-Middle attack
How Web Threat Detection Identified the Threat:
- Anomalous web session activity: a second IP address from Africa had joined a session initiated by a US IP address associated with the account
- Ongoing anomalous behavior: over two weeks the IP from Africa had accessed 60 different user accounts
How We Used The Information:
- Force re-authentication
- Place the IP associated with the account on a grey list

Robotic Money Movement
Behavior indicating robotic money movement:
- Elevated behavior threat score
- Hits to the money movement page per session were outside of the norm (average: 5; this case: 52)
Indicators of robotic navigation:
- IP hitting the page almost exactly one minute apart, multiple times (20:22:02, 20:23:01, 20:24:03, 20:25:02, etc.)
- Session executed with the Linux operating system (a favorite for running scripts against web sites)

Distributed Denial of Service (DDoS) Attack
Behavior indicating the onset of a DDoS:
- Web Threat Detection identified a single page being hit 1.6 million times over the course of one hour without the activity being blocked; normal peak traffic is 1.2 million hits
- IPs originating from high-risk countries
- Single IP executing 70,000 page requests in one hour
- 10 IPs executing 366,000 page requests in one hour
Mitigation: categorized the 10 IPs as a threat group and sent them to the firewall

Web Threat Detection and Adaptive Authentication: Intelligent, Risk-based Layered Security

Web Threat Detection: Complete Web Session Intelligence & Application Layer Threat Visibility
Adaptive Authentication & Transaction Monitoring: Risk-based Authentication & Transaction Monitoring
Session stages: Beginning of Web Session > Login > Financial Transaction > Checkout and Logout
Threats along the session: Vulnerability Probing, DDoS Attacks, Site Scraping, New Account Registration Fraud, Promotion Abuse, Parameter Injection, Password Guessing, Man In The Browser, Access From High Risk Country, Account Takeover, Unauthorized Account Activity, Man In The Middle, High Risk Checkout

Adaptive Authentication and Web Threat Detection
AA/TM for AUTHENTICATION vs. Web Threat Detection for ANOMALOUS BEHAVIOR DETECTION:
- Risk-based, multi-factor authentication vs. real-time online threat detection
- Protects log-in and/or transactions vs. protects across the online life cycle
- Mitigates via step-up authentication, incl. out of band vs. mitigates via API to send to step-up, WAF, SIEM, etc.
AA/TM are controls that kick in at single points in time to determine whether the person attempting to log in or initiate a transaction is who he says he is. ST (Silver Tail, i.e. Web Threat Detection) offers continuous monitoring and analysis to determine whether the person is behaving in a way that suggests he is up to no good and requires a closer look.

Web Threat Detection and Adaptive Authentication in Action: $150K Fraudulent Transfer Stopped at a Large US Bank
- Adaptive Authentication raised an alert on a suspicious $150,000 transaction and triggered a step-up authentication request
- The bank had deployed Challenge Questions as the step-up
- The fraudster had social engineered the answers and passed the challenge
- Web Threat Detection raised an alert on the IP initiating the transaction
- In response to high risk scores from both Adaptive Authentication and Web Threat Detection, the bank stopped the wire transfer

RSA Web Threat Detection: Real-Time Online Threat Detection in Your Environment

Behavioral Analysis Detects Online Threats in Real Time
- No disruption to customer experience or site performance
- Self-learning risk engine continuously adapts to recognize new threats
- Real-time detection allows real-time response
- Almost immediate time to benefit
- Rapid deployment
- Highly scalable