Threat Intelligence

11/21/2017
10:30 AM
Ryan Stolte
Ryan Stolte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Let's Take a Page from the Credit Card Industry's Playbook

Internal security departments would do well to follow the processes of major credit cards.

The fallout from the Equifax breach will most likely continue well into 2018 as the criminals use the stolen data to break into other organizations. According to Verizon's 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen or weak passwords. We should assume that after big breaches like those experienced by Equifax and Yahoo, hackers already have enough information to put millions of people at risk of being compromised.

It's time that organizations shift their focus from keeping attackers out to detecting them once they are in.

The credit card industry has gotten very good at this process. To give a personal example, I recently received a call from my credit card company asking if I bought gas in Guatemala. I replied "no," and the company froze my account. The process was so seamless and efficient, I faced very little impact. On the other side, while visiting my family in Iowa, I received a text from my credit card company asking if I bought gas. I responded "yes," and faced no impact. I bought gas and made other purchases during that trip uninterrupted.

I am just one of millions of credit cardholders who have received these kinds of texts and calls. In fact, the credit card industry has become so good at detecting fraud that we expect to hear from them whenever we purchase something that's outside our norm.

The cybersecurity industry can learn a lot from the credit card industry, especially when it comes to monitoring and analyzing behaviors. If someone were to steal my credentials, log in to my corporate email account, and act in a way that's inconsistent with what I normally do, I would expect my company to flag the behavior and stop it with the same promptness as my credit card company when confirming I did not buy gas in Guatemala.

However, many organizations do not yet have that level of security sophistication. For some, it's a philosophical belief that monitoring and analyzing users' behaviors is an invasion of privacy.

Privacy and security are not at odds with each other. They are on the same side of the table. We need security to protect privacy. Today's criminals know more about us than ever before. They know our commonly used passwords, Social Security numbers, secret questions and answers, relationships, and more. Our private information has been compromised. Yet, if companies more efficiently spotted a bad actor walking in a legitimate employee's shoes and took immediate action, the risk of this private information being used against us would decrease.

The credit card industry also learned a valuable lesson. Instead of blocking everything that looks suspicious, the card company first proactively and quickly communicates with the cardholder, and then adjusts on the fly. Using the Iowa example, when I confirmed that I was in Iowa and bought gas, I did not hear from my card company again during that trip. If the cybersecurity industry were to adopt that same strategy, it would avoid inhibiting employees from doing their jobs and reduce wasted time chasing down false positives.

For example, an alert comes in that an employee is accessing a database that he, his peers, and the overall team would not normally log in to. The alert is sent to the application owner who manages the database, asking if the attempted access was justified by business or unusual. The owner affirms the employee was granted access to the database for a legitimate business reason. That alert is then whitelisted so that the behavior is not flagged again. As a result, the employee's behavior in relation to that database receives less scrutiny while the information on the database remains protected (security + privacy), and the employee can go about doing his job uninterrupted due to the automated verification that his behavior was business justified.

Finalizing the credit card fraud detection and mitigation process did not happen overnight. Enterprise security is at a turning point but far from its destination. Ten years from now (and earlier than that, I hope), I expect that all employees will have that same level of treatment and care when it comes to their credentials. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Ryan Stolte is co-founder and CTO at Bay Dynamics, an analytics company that enables organizations to quantify the impact of cyber-risk from insider and outsider attacks and prioritize mitigation. Ryan has spent more than 20 years of his career solving big data problems with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.