Risk assessment associated with digital identity is at the core of any digital business transformation. Companies strive to provide their customers with the best possible service, but at the same time, they struggle with the challenges of digital identity risk. IBM Trusteer is a SaaS solution that is meeting the challenge head-on. In this talk, we present two stories. We look at some identity proofing techniques, and we also examine some of the tools and processes that are keeping Trusteer’s cloud safe and secure. This session also explores use cases involving IBM tools that are deployed in an AWS environment.
4. “A Case of Identity”
• Maintaining multiple identities
• Loosely coupled to the origin persona
• Crime solved by a kind of behavioral analytics
• And here we are, 128 years later:
• Each of us owns multiple virtual IDs without which we cannot survive
• There is huge demand out there from complete strangers to “borrow” and use our virtual IDs
• There is huge demand out there from service providers to constantly validate our virtual IDs
5. Technology arenas: digital transformation
• One physical me, so many virtual mes:
• Banking, insurance, payment apps
• Healthcare, government services
• E-commerce
• …
• Can we identify and mitigate the risks associated with this exciting technology?
9. Journey to the cloud confidently with a continuous approach to security
• Protect data and workloads
• Manage threats and compliance
• Secure identity and networks
• Unify and deploy your security controls anywhere: private cloud, public clouds, on-premises
• Open security ecosystem with unique partnerships and integrations
30–32. A wide array of data types collected in order to facilitate risk analysis (slides 30–32 build up the same diagram)
Device, session and user signals:
• Bot detection
• Remote access / spoofing attempt
• Mobile account type (burner?)
• SIM swap
• Global fraudsters database
• Is a virtual device?
• Device hygiene
• SMS stealer
• Strong device ID
• Fraudulent behavioral biometrics
• True geolocation
• Accounts associated to device
• Crime logic indications
• Familiarity signals
• User behavioral biometrics
• History & context (added on slide 31)
Intelligence (added on slide 32):
• 500K malware samples
• 140K phishing sites
• 120K malware configurations
• Darknet data
33. Discover identity, build trust
Pillars:
• Transparent real-time authentication & fraud detection
• User-friendly authentication
• Compliance
• Cross-digital visibility & control
Value:
• End-to-end digital identity protection and authentication
• Channels: mobile app, mobile web, desktop, open API, IoT
What / Why / How:
• Trusteer Collect: device, environment, behavioral patterns, behavioral biometrics, transactional data & identity data
• Trusteer Analyze: agile cloud platform, powered by worldwide intelligence from 45 billion events per month; familiarity signals, risk & fraud signals
• Trusteer Verify: transparent authentication (device ID, behavioral biometrics); friendly step-up authentication (finger, face, QR code, OTP)
45. Scale of the platform (figures shown on the slide):
• HTTP calls per month
• API calls per month
• Data lake (bytes)
• Data collection events
• Sessions
• Unique users
46. Lambda architecture at Trusteer
• Data collection ➔ provide risk assessment
• Monitor / policy release in real time
• Offline research
47. Lambda architecture at Trusteer: layers
• Data collections are written into Kinesis, which feeds both the batch and the speed layer
• BATCH LAYER: daily load into the Data Lake, processed by Amazon EMR, written to Cassandra (full history)
• SPEED LAYER: recent events written to Amazon RDS/MySQL (short term)
• SERVING LAYER: Data Access Layer reads from both Cassandra and RDS/MySQL and merges them (read & merge) to provide the risk assessment
• OFFLINE/RESEARCH: Amazon EMR, Amazon Redshift and Athena over the Data Lake
• MONITOR: Kinesis Data Firehose into Amazon Redshift and Athena; monitor / policy release in real time
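The serving layer's "read & merge" is where a lambda architecture is most easily got wrong: the batch view is only complete up to the time the last batch job ran, and the speed layer still holds events from before that cut-off. The sketch below is an added example, not Trusteer's code: it merges a constructed batch view (standing in for the Cassandra full-history view) with constructed short-term rows (standing in for RDS/MySQL), skipping speed events at or before the batch watermark so nothing is double-counted, and then turns the merged device view into a risk decision. The device IDs, account IDs, field names and thresholds are all assumptions made for the example.

```python
from datetime import datetime

# Constructed batch view, standing in for what the batch layer (Amazon EMR over
# the data lake) rebuilds daily and stores in Cassandra as the full-history view.
# "watermark" is the last event time the batch job has folded in. (Assumed shape.)
BATCH_VIEW = {
    "watermark": datetime(2019, 6, 1, 0, 0),
    "devices": {
        "dev-7f3a": {"sessions": 120, "accounts": {"acct-1001"},
                     "last_seen": datetime(2019, 5, 31, 18, 4)},
        "dev-1b2c": {"sessions": 40, "accounts": {"acct-7000"},
                     "last_seen": datetime(2019, 5, 30, 9, 15)},
    },
}

# Constructed speed-layer rows, standing in for the short-term RDS/MySQL store.
# The first row is older than the watermark: the batch view already counted it.
SPEED_EVENTS = [
    {"ts": datetime(2019, 5, 31, 23, 55), "device": "dev-7f3a", "account": "acct-1001"},
    {"ts": datetime(2019, 6, 1, 8, 12), "device": "dev-7f3a", "account": "acct-1001"},
    {"ts": datetime(2019, 6, 1, 8, 30), "device": "dev-7f3a", "account": "acct-2042"},
    {"ts": datetime(2019, 6, 1, 9, 1), "device": "dev-7f3a", "account": "acct-3390"},
    {"ts": datetime(2019, 6, 1, 9, 5), "device": "dev-c001", "account": "acct-5555"},
    {"ts": datetime(2019, 6, 1, 9, 20), "device": "dev-1b2c", "account": "acct-7000"},
]


def merged_device_view(device_id, batch_view=BATCH_VIEW, speed_events=SPEED_EVENTS):
    """Serving-layer read: the batch view plus only those speed events that are
    newer than the batch watermark, so an event is never counted twice."""
    base = batch_view["devices"].get(device_id)
    view = {
        "known_to_batch": base is not None,
        "sessions": base["sessions"] if base else 0,
        "accounts": set(base["accounts"]) if base else set(),
        "last_seen": base["last_seen"] if base else None,
        "new_accounts": set(),  # accounts first linked to this device since the batch run
    }
    for ev in speed_events:
        if ev["device"] != device_id or ev["ts"] <= batch_view["watermark"]:
            continue  # other device, or already folded into the batch view
        view["sessions"] += 1
        if ev["account"] not in view["accounts"]:
            view["new_accounts"].add(ev["account"])
            view["accounts"].add(ev["account"])
        if view["last_seen"] is None or ev["ts"] > view["last_seen"]:
            view["last_seen"] = ev["ts"]
    return view


def assess_device(device_id, max_accounts=2, batch_view=BATCH_VIEW, speed_events=SPEED_EVENTS):
    """Turn the merged view into a risk decision. The thresholds are assumptions
    made for this example, not Trusteer policy."""
    view = merged_device_view(device_id, batch_view, speed_events)
    reasons = []
    if not view["known_to_batch"]:
        reasons.append("device has no history in the batch view")
    if len(view["accounts"]) > max_accounts:
        reasons.append(f"device linked to {len(view['accounts'])} accounts")
    if len(view["new_accounts"]) >= 2:
        reasons.append(f"{len(view['new_accounts'])} new account links since the last batch run")
    if len(view["accounts"]) > max_accounts:
        risk = "high"
    elif reasons:
        risk = "review"
    else:
        risk = "low"
    return {"device": device_id, "risk": risk, "reasons": reasons, **view}


if __name__ == "__main__":
    for dev in ("dev-7f3a", "dev-1b2c", "dev-c001", "dev-none"):
        print(assess_device(dev))
```

The watermark check is the part to keep in mind when wiring the real stores: if the batch job's cut-off time is not recorded alongside the batch view, the serving layer cannot tell which short-term rows are already reflected in the full history.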
52. Behavioral biometrics
Navigation flows of a fraudulent session and a legitimate session (time | page type / referrer | page):

Fraud:
26/06/2017 11:07 | NO REFERRER | login
26/06/2017 11:08 | login | authentication information
26/06/2017 11:10 | account enquiry | account overview
26/06/2017 11:10 | multiple payment | set up new payee
26/06/2017 11:10 | set up new payee | set up new payee
26/07/2017 12:06 | bank.com/login
26/07/2017 12:06 | login | authentication information
26/07/2017 12:07 | account enquiry | account overview
26/07/2017 12:08 | multiple payment | set up new payee
26/07/2017 12:08 | set up new payee | set up new payee
26/07/2017 12:10 | new beneficiary pay success | account overview

Legit:
21/07/2017 9:10 | bank.com/login
21/07/2017 9:10 | login | authentication information
21/07/2017 9:11 | basic page | account overview
21/07/2017 9:16 | make payment successful | account overview
21/07/2017 9:19 | make payment successful | account overview
30/06/2017 8:10 | bank.com/login
30/06/2017 8:10 | login | authentication information
30/06/2017 8:11 | authentication information | authentication information
30/06/2017 8:12 | basic page | account overview
30/06/2017 8:14 | basic page | account overview
30/06/2017 8:15 | make payment successful | account overview
30/06/2017 8:15 | payment related | account overview

▪ Detects malicious user behavior based on navigation patterns in the website.
▪ Treats each flow as a “story” and uses text classification methods to classify whether the story is fraudulent or not.
▪ Additional behavioral inputs: mouse movements, mobile touch, keystrokes, time spent on pages.
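The "story" idea above maps directly onto text classification: a session becomes a document whose words are the pages visited and the transitions between them. The block below is an added example and is not Trusteer's classifier or model; it trains a multinomial naive Bayes classifier (Laplace-smoothed, standard library only) over constructed sessions whose page names follow the two flows on the slide, and then classifies new flows. The training sessions, labels and page names are constructed for the example; a production model would be trained on far more sessions and would add timing, mouse and keystroke features.

```python
import math
from collections import Counter, defaultdict

# Constructed labelled sessions (not data from the slide deck): each is the
# ordered list of pages a user visited. Fraud flows go straight to payee set-up;
# legitimate flows linger on overview pages before paying.
TRAINING_SESSIONS = [
    ("fraud", ["login", "authentication information", "account overview",
               "set up new payee", "set up new payee", "new beneficiary pay success"]),
    ("fraud", ["login", "authentication information", "account overview",
               "set up new payee", "new beneficiary pay success", "account overview"]),
    ("fraud", ["login", "authentication information", "set up new payee",
               "new beneficiary pay success"]),
    ("legit", ["login", "authentication information", "account overview",
               "account overview", "make payment successful", "account overview"]),
    ("legit", ["login", "authentication information", "authentication information",
               "account overview", "account overview", "make payment successful",
               "payment related", "account overview"]),
    ("legit", ["login", "authentication information", "account overview",
               "payment related", "make payment successful", "account overview"]),
]


def tokens(pages):
    """Turn a navigation flow into 'words': every page plus every transition (bigram)."""
    return list(pages) + [f"{a}->{b}" for a, b in zip(pages, pages[1:])]


class StoryClassifier:
    """Multinomial naive Bayes over page and transition tokens, Laplace-smoothed."""

    def __init__(self):
        self.class_counts = Counter()            # label -> number of sessions
        self.token_counts = defaultdict(Counter)  # label -> token -> count
        self.vocab = set()

    def fit(self, labelled_sessions):
        for label, pages in labelled_sessions:
            self.class_counts[label] += 1
            for t in tokens(pages):
                self.token_counts[label][t] += 1
                self.vocab.add(t)
        return self

    def log_scores(self, pages):
        """log P(label) + sum log P(token | label) for each label."""
        total_docs = sum(self.class_counts.values())
        scores = {}
        for label, n_docs in self.class_counts.items():
            total_toks = sum(self.token_counts[label].values())
            score = math.log(n_docs / total_docs)
            for t in tokens(pages):
                # +1 smoothing so a transition never seen for this label does not zero it out
                score += math.log((self.token_counts[label][t] + 1) / (total_toks + len(self.vocab)))
            scores[label] = score
        return scores

    def classify(self, pages):
        scores = self.log_scores(pages)
        return max(scores, key=scores.get)


def build_classifier():
    return StoryClassifier().fit(TRAINING_SESSIONS)


if __name__ == "__main__":
    clf = build_classifier()
    for flow in (["login", "authentication information", "account overview",
                  "set up new payee", "new beneficiary pay success"],
                 ["login", "authentication information", "account overview",
                  "make payment successful", "account overview"]):
        print(clf.classify(flow), clf.log_scores(flow))
```

Transition bigrams carry most of the signal here: "account overview->set up new payee" never occurs in the legitimate sessions, so it dominates the score even though every session shares "login" and "authentication information".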
61. QRadar setup
• Available both from the IBM site and the AWS Marketplace
• In Trusteer: configured, installed and integrated with CloudTrail manually
• Easier BYOL experience on the Marketplace
62. Deployment of QRadar in Trusteer environment: Concept
• AWS Cloud, Region 1 through Region 8: each region contributes Amazon EC2, AWS Auto Scaling, GuardDuty and CloudTrail events (…)
• On premises: SOC, analyst run book
• Volumes: 5K events/day, 120 rules, 1 action/day, 10 info/day
• Low false-alert volume achieved by:
• “Smart rules” considering and correlating factors such as time windows and same user × IP
• Collapsing repetitive events into a single alert
• Usage of add-ons (UBA)
• Mixed types of rules: out of the box and custom
63. Deployment of QRadar in Trusteer environment: Example 1
• Graph display of log volume (sum count)
• A time-based pattern is visible
• A problem surfaced by an unusual accumulation of error logs
• 4–5 AM
• EU-Central region
64. Deployment of QRadar in Trusteer environment: Example 2
• QRadar add-ons and plug-ins
• Case in the example: User Behavior Analytics (UBA)
• Focuses on a user-centric view of events
• In the picture, specific users are seen:
• Accessing an S3 bucket that is supposed to be accessed only by the application user
• Stopping a service they are not supposed to stop
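The two UBA findings on slide 64 and the alert-reduction techniques on slide 62 (time windows, same user × IP, collapsing repeats) are a good fit for a small correlation engine. The block below is an added example, not Trusteer's QRadar rule set: it parses constructed CloudTrail-style records (trimmed to the fields the rules read), flags S3 access to an "application-only" bucket by anyone other than the application principal and StopInstances calls by principals not on a stop list, and collapses repeated hits for the same (rule, user, source IP) inside a time window into one alert with a count. The bucket name, principal names, instance ID, IPs and the ten-minute window are all assumptions made for the example.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real Trusteer logs), reduced to the
# fields the rules below read. Field names follow CloudTrail's JSON layout.
RAW_EVENTS = [
    '{"eventTime":"2019-06-01T04:10:00Z","eventName":"GetObject","userIdentity":{"userName":"app-ingest-role"},"sourceIPAddress":"10.0.1.5","requestParameters":{"bucketName":"risk-data-bucket"}}',
    '{"eventTime":"2019-06-01T04:11:00Z","eventName":"GetObject","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"risk-data-bucket"}}',
    '{"eventTime":"2019-06-01T04:12:00Z","eventName":"GetObject","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"risk-data-bucket"}}',
    '{"eventTime":"2019-06-01T04:13:00Z","eventName":"ListBucket","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"risk-data-bucket"}}',
    '{"eventTime":"2019-06-01T04:40:00Z","eventName":"GetObject","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.9","requestParameters":{"bucketName":"risk-data-bucket"}}',
    '{"eventTime":"2019-06-01T04:41:00Z","eventName":"StopInstances","userIdentity":{"userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0abc123"}]}}}',
    '{"eventTime":"2019-06-01T04:42:00Z","eventName":"StopInstances","userIdentity":{"userName":"ops-oncall"},"sourceIPAddress":"10.0.1.9","requestParameters":{"instancesSet":{"items":[{"instanceId":"i-0abc123"}]}}}',
    '{"eventTime":"2019-06-01T04:45:00Z","eventName":"GetObject","userIdentity":{"userName":"alice"},"sourceIPAddress":"198.51.100.7","requestParameters":{"bucketName":"risk-data-bucket"}}',
]

# Assumed policy for the example (not Trusteer's): buckets only the application
# principal may read, and principals allowed to stop services.
APP_ONLY_BUCKETS = {"risk-data-bucket": {"app-ingest-role"}}
MAY_STOP_SERVICES = {"ops-oncall"}
STOP_ACTIONS = {"StopInstances", "TerminateInstances", "StopTask"}


def parse_event(raw):
    e = json.loads(raw)
    return {
        "ts": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": e.get("userIdentity", {}).get("userName", "unknown"),
        "ip": e.get("sourceIPAddress", ""),
        "name": e["eventName"],
        "bucket": e.get("requestParameters", {}).get("bucketName"),
    }


def rule_s3_non_app_access(ev):
    allowed = APP_ONLY_BUCKETS.get(ev["bucket"])
    if allowed is not None and ev["user"] not in allowed:
        return f"{ev['name']} on app-only bucket {ev['bucket']} by {ev['user']}"
    return None


def rule_unauthorized_stop(ev):
    if ev["name"] in STOP_ACTIONS and ev["user"] not in MAY_STOP_SERVICES:
        return f"{ev['name']} by {ev['user']}, who is not on the stop list"
    return None


RULES = [rule_s3_non_app_access, rule_unauthorized_stop]


def correlate(raw_events, window=timedelta(minutes=10)):
    """Run every rule over the events in time order; repeats of the same
    (rule, user, source IP) within `window` of the alert's first event are
    folded into that alert's count instead of raising a new one."""
    alerts = []
    open_alerts = {}  # (rule name, user, ip) -> index into alerts
    for ev in sorted((parse_event(r) for r in raw_events), key=lambda e: e["ts"]):
        for rule in RULES:
            reason = rule(ev)
            if reason is None:
                continue
            key = (rule.__name__, ev["user"], ev["ip"])
            idx = open_alerts.get(key)
            if idx is not None and ev["ts"] - alerts[idx]["first_seen"] <= window:
                alerts[idx]["count"] += 1
                alerts[idx]["last_seen"] = ev["ts"]
                continue
            alerts.append({"rule": rule.__name__, "user": ev["user"], "ip": ev["ip"],
                           "reason": reason, "first_seen": ev["ts"],
                           "last_seen": ev["ts"], "count": 1})
            open_alerts[key] = len(alerts) - 1
    return alerts


if __name__ == "__main__":
    for a in correlate(RAW_EVENTS):
        print(f"{a['first_seen']:%H:%M} x{a['count']} {a['user']}@{a['ip']}: {a['reason']}")
```

Eight events produce four alerts here rather than five: alice's three reads from one IP inside the window collapse into a single alert with a count, while her later read from a different IP is kept separate because the correlation key includes the source address. The window is anchored on the alert's first event; anchoring it on the last event instead would let a slow, steady stream stay collapsed forever, which is a choice to make deliberately.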
65. IBM BigFix: a collaborative endpoint management and security platform
66. Deployment of BigFix in Trusteer environment: Concept
• AWS Cloud, Regions 1–8
• On premises: CISO, analyst, reports
• BigFix scans configuration and patch level over a diverse set of technologies:
• Linux OS (Amazon Linux)
• Middleware: RabbitMQ, Redis, ELK, HA-Proxy, Cassandra, CouchBase, MySQL, etc.
• Additional advisory services