Threat Intelligence

11/21/2017
10:30 AM
Ryan Stolte
Ryan Stolte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Let's Take a Page from the Credit Card Industry's Playbook

Internal security departments would do well to follow the processes of major credit cards.

The fallout from the Equifax breach will most likely continue well into 2018 as the criminals use the stolen data to break into other organizations. According to Verizon's 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen or weak passwords. We should assume that after big breaches like those experienced by Equifax and Yahoo, hackers already have enough information to put millions of people at risk of being compromised.

It's time that organizations shift their focus from keeping attackers out to detecting them once they are in.

The credit card industry has gotten very good at this process. To give a personal example, I recently received a call from my credit card company asking if I bought gas in Guatemala. I replied "no," and the company froze my account. The process was so seamless and efficient, I faced very little impact. On the other side, while visiting my family in Iowa, I received a text from my credit card company asking if I bought gas. I responded "yes," and faced no impact. I bought gas and made other purchases during that trip uninterrupted.

I am just one of millions of credit cardholders who have received these kinds of texts and calls. In fact, the credit card industry has become so good at detecting fraud that we expect to hear from them whenever we purchase something that's outside our norm.

The cybersecurity industry can learn a lot from the credit card industry, especially when it comes to monitoring and analyzing behaviors. If someone were to steal my credentials, log in to my corporate email account, and act in a way that's inconsistent with what I normally do, I would expect my company to flag the behavior and stop it with the same promptness as my credit card company when confirming I did not buy gas in Guatemala.

However, many organizations do not yet have that level of security sophistication. For some, it's a philosophical belief that monitoring and analyzing users' behaviors is an invasion of privacy.

Privacy and security are not at odds with each other. They are on the same side of the table. We need security to protect privacy. Today's criminals know more about us than ever before. They know our commonly used passwords, Social Security numbers, secret questions and answers, relationships, and more. Our private information has been compromised. Yet, if companies more efficiently spotted a bad actor walking in a legitimate employee's shoes and took immediate action, the risk of this private information being used against us would decrease.

The credit card industry also learned a valuable lesson. Instead of blocking everything that looks suspicious, the card company first proactively and quickly communicates with the cardholder, and then adjusts on the fly. Using the Iowa example, when I confirmed that I was in Iowa and bought gas, I did not hear from my card company again during that trip. If the cybersecurity industry were to adopt that same strategy, it would avoid inhibiting employees from doing their jobs and reduce wasted time chasing down false positives.

For example, an alert comes in that an employee is accessing a database that he, his peers, and the overall team would not normally log in to. The alert is sent to the application owner who manages the database, asking if the attempted access was justified by business or unusual. The owner affirms the employee was granted access to the database for a legitimate business reason. That alert is then whitelisted so that the behavior is not flagged again. As a result, the employee's behavior in relation to that database receives less scrutiny while the information on the database remains protected (security + privacy), and the employee can go about doing his job uninterrupted due to the automated verification that his behavior was business justified.

Finalizing the credit card fraud detection and mitigation process did not happen overnight. Enterprise security is at a turning point but far from its destination. Ten years from now (and earlier than that, I hope), I expect that all employees will have that same level of treatment and care when it comes to their credentials. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Ryan Stolte is co-founder and CTO at Bay Dynamics, an analytics company that enables organizations to quantify the impact of cyber-risk from insider and outsider attacks and prioritize mitigation. Ryan has spent more than 20 years of his career solving big data problems with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-11505
PUBLISHED: 2018-05-26
The Werewolf Online application 0.8.8 for Android allows attackers to discover the Firebase token by reading logcat output.
CVE-2018-6409
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. The module in charge of serving stored files gets the path from the database. Modifying the name of the file to serve on the corresponding ap_form table leads to a path traversal vulnerability via the download.php q parameter.
CVE-2018-6410
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. There is a download.php SQL injection via the q parameter.
CVE-2018-6411
PUBLISHED: 2018-05-26
An issue was discovered in Appnitro MachForm before 4.2.3. When the form is set to filter a blacklist, it automatically adds dangerous extensions to the filters. If the filter is set to a whitelist, the dangerous extensions can be bypassed through ap_form_elements SQL Injection.
CVE-2018-11500
PUBLISHED: 2018-05-26
An issue was discovered in PublicCMS V4.0.20180210. There is a CSRF vulnerability in "admin/sysUser/save.do?callbackType=closeCurrent&navTabId=sysUser/list" that can add an admin account.