Threat Intelligence

11/21/2017
10:30 AM
Ryan Stolte
Ryan Stolte
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Let's Take a Page from the Credit Card Industry's Playbook

Internal security departments would do well to follow the processes of major credit cards.

The fallout from the Equifax breach will most likely continue well into 2018 as the criminals use the stolen data to break into other organizations. According to Verizon's 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen or weak passwords. We should assume that after big breaches like those experienced by Equifax and Yahoo, hackers already have enough information to put millions of people at risk of being compromised.

It's time that organizations shift their focus from keeping attackers out to detecting them once they are in.

The credit card industry has gotten very good at this process. To give a personal example, I recently received a call from my credit card company asking if I bought gas in Guatemala. I replied "no," and the company froze my account. The process was so seamless and efficient, I faced very little impact. On the other side, while visiting my family in Iowa, I received a text from my credit card company asking if I bought gas. I responded "yes," and faced no impact. I bought gas and made other purchases during that trip uninterrupted.

I am just one of millions of credit cardholders who have received these kinds of texts and calls. In fact, the credit card industry has become so good at detecting fraud that we expect to hear from them whenever we purchase something that's outside our norm.

The cybersecurity industry can learn a lot from the credit card industry, especially when it comes to monitoring and analyzing behaviors. If someone were to steal my credentials, log in to my corporate email account, and act in a way that's inconsistent with what I normally do, I would expect my company to flag the behavior and stop it with the same promptness as my credit card company when confirming I did not buy gas in Guatemala.

However, many organizations do not yet have that level of security sophistication. For some, it's a philosophical belief that monitoring and analyzing users' behaviors is an invasion of privacy.

Privacy and security are not at odds with each other. They are on the same side of the table. We need security to protect privacy. Today's criminals know more about us than ever before. They know our commonly used passwords, Social Security numbers, secret questions and answers, relationships, and more. Our private information has been compromised. Yet, if companies more efficiently spotted a bad actor walking in a legitimate employee's shoes and took immediate action, the risk of this private information being used against us would decrease.

The credit card industry also learned a valuable lesson. Instead of blocking everything that looks suspicious, the card company first proactively and quickly communicates with the cardholder, and then adjusts on the fly. Using the Iowa example, when I confirmed that I was in Iowa and bought gas, I did not hear from my card company again during that trip. If the cybersecurity industry were to adopt that same strategy, it would avoid inhibiting employees from doing their jobs and reduce wasted time chasing down false positives.

For example, an alert comes in that an employee is accessing a database that he, his peers, and the overall team would not normally log in to. The alert is sent to the application owner who manages the database, asking if the attempted access was justified by business or unusual. The owner affirms the employee was granted access to the database for a legitimate business reason. That alert is then whitelisted so that the behavior is not flagged again. As a result, the employee's behavior in relation to that database receives less scrutiny while the information on the database remains protected (security + privacy), and the employee can go about doing his job uninterrupted due to the automated verification that his behavior was business justified.

Finalizing the credit card fraud detection and mitigation process did not happen overnight. Enterprise security is at a turning point but far from its destination. Ten years from now (and earlier than that, I hope), I expect that all employees will have that same level of treatment and care when it comes to their credentials. 

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry's most knowledgeable IT security experts. Check out the INsecurity agenda here.

 

Ryan Stolte is co-founder and CTO at Bay Dynamics, a cyber risk analytics company that enables enterprises and government agencies to prioritize and mitigate their most critical threats. Ryan has spent more than 20 years of his career solving big data problems with ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Empathy: The Next Killer App for Cybersecurity?
Shay Colson, CISSP, Senior Manager, CyberClarity360,  11/13/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15759
PUBLISHED: 2018-11-19
Pivotal Cloud Foundry On Demand Services SDK, versions prior to 0.24 contain an insecure method of verifying credentials. A remote unauthenticated malicious user may make many requests to the service broker with different credentials, allowing them to infer valid credentials and gain access to perfo...
CVE-2018-15761
PUBLISHED: 2018-11-19
Cloud Foundry UAA release, versions prior to v64.0, and UAA, versions prior to 4.23.0, contains a validation error which allows for privilege escalation. A remote authenticated user may modify the url and content of a consent page to gain a token with arbitrary scopes that escalates their privileges...
CVE-2018-17190
PUBLISHED: 2018-11-19
In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execute user code. A specially-crafted request to the master can, however, cause the master to execute code ...
CVE-2018-1841
PUBLISHED: 2018-11-19
IBM Cloud Private 2.1.0 could allow a local user to obtain the CA Private Key due to it being world readable in boot/master node. IBM X-Force ID: 150901.
CVE-2018-18519
PUBLISHED: 2018-11-19
BestXsoftware Best Free Keylogger 5.2.9 allows local users to gain privileges via a Trojan horse "%PROGRAMFILES%\BFK 5.2.9\syscrb.exe" file because of insecure permissions for the BUILTIN\Users group.