Risk assessment associated with digital identity is at the core of any digital business transformation. Companies strive to provide their customers with the best possible service, but at the same time, they struggle with the challenges of digital identity risk. IBM Trusteer is a SaaS solution that is meeting the challenge head-on. In this talk, we present two stories. We look at some identity proofing techniques, and we also examine some of the tools and processes that are keeping Trusteer’s cloud safe and secure. This session also explores use cases involving IBM tools that are deployed in an AWS environment.

1. © 2019, Amazon Web Services, Inc. or its affiliates. Allrights reserved.
Guarding the guardian’s guard:
IBM Trusteer
Doron Ben-Ari
Program Director, DevOps & Cloud
IBM Trusteer
doronb@il.ibm.com
S E P 3 2 6
Eyal Doron
Sr. Technical Account Manager
Amazon Web Services
eyaldoro@amazon.com

2. Technologies arenas—Electricity
“War of the currents’
https://en.wikipedia.org/wiki/War_of_the_currents

3. Technologies arenas—Cars
https://en.wikipedia.org/wiki/Ford_Model_N

4. “A Case of Identity”
• Maintaining multiple identities
• Lousily coupled to the origin persona
• Crime solved in sort of behavioral analytics.
• And here we are 128 years later:
• Each of us own multiple virtual IDs without which we can not
survive.
• There is huge demand out there by complete strangers to
“borrow” and use our virtual IDs
• There is huge demand out there by service provider to
constantly validate our virtual ID

5. Technologies arenas—Digital transformation
• One physical me, so many virtual me:
• Banking, Insurance, PAY Apps
• Healthcare, GOV services
• Ecommerce
• …
• Can we identify and mitigate the risks associated with this exciting technology?

6. https://www.ic3.gov/media/annualreport/2018_IC3Report.pdf
https://www.fbi.gov/news/stories/ic3-releases-2018-internet-crime-report-042219

7. Trusteer Cloud:
Guarding the guardian’s guard
Doron Ben-Ari
Program Director, DevOps & Cloud
www.linkedin.com/doronbenari

8. • Largest enterprise cybersecurity provider
• Leader in 12 security market segments
• 8,000+ security employees
• 20+ security acquisitions
• 70B+ security events monitored per day
About IBM Security
IBM Security / © 2019 IBM Corporation 8

9. Protect data and workloads Manage threats and complianceSecure identity and networks
Unify and deploy your security controls anywhere
9
Journey to the cloud confidently with a continuous approach to security
Open security ecosystem
with unique partnerships and integrations
Private
Cloud
Public
Clouds
On-Premises

10. A continuous approach to securing your hybrid multicloud
IBM Security / © 2019 IBM Corporation 10
3. MANAGE
Manage threats, risks and compliance, with
integrated response
1. PLAN
Build a cloud security strategy and
adoption roadmap
2. BUILD Create secure apps and migrate workloads
leveraging native cloud security, augmented with
enterprise security controls
IBM Cloud
Private
Cloud
Public
Clouds
On-Premises

11. Evolution of threat
Viruses& Worms
Focusedon nuisance
& damage
MiTM/MiTB
Inject transactions
steal secondary
authentication
Online/MobileCross-
ChannelAttacks
Leveragemobileanonymity,
bypassSMS OTP, 2FA
Fake Browsers
High-ValueTargetedAttacks
BusinessEmail Compromise,DyerWolf
Employees/systemscompromise
RATs – RDP/VNC,
PC-Grade MobileMalware
Bypass DeviceID, overlaymobileapp
Overlay Malware
MiTB with Login Blocking,
AutomatedScripts
Steal Credentials,Bypass
DeviceID & Risk Engines
Phishing
Key-loggers
Bypass Static
Username/password
2003 2006 2012 2015 201820092004

12. IBM Security / © 2019 IBM Corporation

13. Darknet is shifting to mobile

14. Trusteer Intelligence, June 2019
Active market for compromised commercial accounts

15. Trusteer Intelligence, June 2019
Active market for gift cards

16. Think 2019 / DOC ID / Month XX, 2019 / © 2019 IBM Corporation
IBM Trusteer Cybersecurity Lab discoveries (partial list)

17. Fraud is moving to mobile
Trusteer North America – Mobile fraud trend
Desktop Mobile Trusteer Intelligence, Jan 2019

18. GM-Bot
• Malware as well as C&C code
leaks
• Leading to rapid expansion
• Case study:
• GM Bot Source Code
• Leaked December 2015

20. Mobile overlay malware – Who is vulnerable?

21. FaaS*: Mobile overlay malware
* Fraud as a Service

22. Mobile overlay malware – Infecting the Google Play Store

23. SMiShing

24. 2003 2006 2012 2015 201820092004
Product evolution

25. Prevent loss
Keep the fraudsters out
Comply
Privacy, GDPR, Open API
Protect digital
identity
Build end-user trust
for more business
Make it
frictionless
Ensure security is not a
barrier
IBM Security / © 2019 IBM Corporation 25
Digital identity trust strategy
Making security a business enabler, not a barrier

26. MonitorPolicy Releasein Real Time
Offline Research
How it works?
Data Collection ➔
 Provide Risk Assessment
Research

27. So, what’s in
the data lake?

28. A wide array
of data types
collected in
order to
facilitate risk
analysis
User
Behavior
DeviceEnvironment
Activity

29. DeviceHygiene
StrongDeviceID
True Geo Location
FamiliaritySignals
User BehavioralBiometrics
A wide array
of data types
collected in
order to
facilitate risk
analysis

30. BOT Detection
Remote AccessSpoofingAttempt
MobileAccountType (burner?)
SIM Swap
GlobalFraudstersDatabase
Is a Virtual Device?
DeviceHygiene
SMS Stealer
StrongDeviceID
FraudulentBehavioralBiometrics
True Geo Location
Accountsassociatedto device
Crime Logic Indications
FamiliaritySignals
User BehavioralBiometrics
A wide array
of data types
collected in
order to
facilitate risk
analysis

31. BOT Detection
Remote AccessSpoofingAttempt
MobileAccountType (burner?)
SIM Swap
GlobalFraudstersDatabase
Is a Virtual Device?
DeviceHygiene
SMS Stealer
StrongDeviceID
FraudulentBehavioralBiometrics
True Geo Location
Accountsassociatedto device
Crime Logic Indications
FamiliaritySignals
History & Context
User BehavioralBiometrics
A wide array
of data types
collected in
order to
facilitate risk
analysis

32. BOT Detection
Remote AccessSpoofingAttempt
MobileAccountType (burner?)
SIM Swap
GlobalFraudstersDatabase
Is a Virtual Device?
DeviceHygiene
SMS Stealer
StrongDeviceID
FraudulentBehavioralBiometrics
True Geo Location
Accountsassociatedto device
Crime Logic Indications
FamiliaritySignals
History & Context
User BehavioralBiometrics
500K Malware Samples
140K PhishingSites
120K Malware Config.
Intelligence
DarknetData
A wide array
of data types
collected in
order to
facilitate risk
analysis

33. Transparent real-time
authentication & fraud
detection
User-friendly
authentication
Compliance
Cross digital visibility
& control
Discover identity, build trust 33
• Familiarity signals
• Risk & fraud signals
Pillars Value
• End-to-end digital
identity protection
and authentication
• Mobile app
• Mobile web
• Desktop
• Open API
• IOT
Trusteer Collect Trusteer Analyze Trusteer verify
Agile cloud platform,
powered by worldwide
intelligence from 45 billion
events per month
Transparent authentication:
Device ID, Behavioral Biometric.
Friendly step-up authentication:
Finger, Face, QR code, OTP.
device, environment
behavioral patterns,
behavioral biometric,
transactional data & identity
data
WhatWhyHow

34. Private Cloud
Departmental
Trusteer operation spans multiple infrastructure/clouds
Public Cloud
Public Cloud
Third-Party Tools
Traditional IT
Enterprise

35. USA-VA
Ireland
Frankfurt
Singapore
Tokyo
Trusteer presence spans over several AWS Regions
USA-OR
Sydney
USA-CA

36. USA-VA
Ireland
Frankfurt
Singapore
Tokyo
Trusteer presence spans over several AWS Regions
USA-OR
Sydney
USA-CA
Amazon
EMR
Amazon
Kinesis
AWS Glue
Amazon
Athena
Cost Report AWS Cost
ExplorerService
Amazon
EC2
AWS Auto
Scaling
Elastic Load
Balancing
Amazon
Redshift
Amazon
RDS
Amazon
SageMaker
Amazon
CloudWatch
AWS Transfer
for SFTP
Amazon
VPC
AWS VPN AWS Certificate
Manager
AWS
CloudHSM
Amazon
S3
Amazon
GuardDuty
AWS
CloudTrail
AWS Secrets Manager

37. Trusteer: Fraud and Identity
Fraud Prevention & Identity Proofing
IBM Security / © 2019 IBM Corporation
37
Trusteer: Tools, Processes, Best Practices
Keeping Complex Cloud Environment Secure & Compliant
Two stories

38. Every month,
globally, Trusteer
protects 40M
unique users
38

39. Every month,
globally, Trusteer
protects 1.2B
sessions
39

40. Session may include multiple events…

41. This load is
mapped to 14B
events per month
41

42. This load is stored
in a 150 TB data
lake, processes for
both real-time and
offline research
42

43. Users query this
data lake at a rate
of 0.5B API calls
per month
43

44. This load is
mapped to 45B
HTTP calls per
month
44

45. HTTP calls per month
45
API calls per month
Data lake (byte)
Data collection events
Sessions
Unique users

46. MonitorPolicy Releasein Real Time
Offline Research
Lambda Architecture @Trusteer
Data Collection ➔
 Provide Risk Assessment
Research

47. Daily
Data Lake
Cassandra
<Full History>
W R R
Data
Collections
Data Access
Layer
(Read & Merge)
W
Kinesis
Amazon RDS/MySQL
<ShortTerm>
Amazon
EMR
Amazon
EMR
Amazon
Redshift
Data Lake
Athena
Data Lake
BATCH LAYER
SPEED LAYER
OFFLINE/RESEARCH
SERVING LAYER
Monitor
Kinesis Data
Firehose
Kinesis Data
Firehose
Amazon
Redshift
Monitor
Athena
Monitor
MonitorPolicy Releasein Real Time
Offline Research
Lambda architecture at Trusteer

48. Authentication & verification:
Built on three elements
Something You Have
• Device
IBM Security / © 2019 IBM Corporation 48
Something You
Know
• User Name
• Password
Something You Are
• Physical
• Behavioral

49. Behavioral biometrics
Mouse movements
Mobile touch
Keystrokes
Navigation flow
Time spent on pages

50. Behavioral biometrics
Mobile touch
Keystrokes
Navigation flow
Time spent on pages

51. Behavioral biometrics
Mouse movements
Mobile touch
Navigation flow
Time spent on pages

52. Behavioral biometrics
Fraud Legit
26/06/201
7 11:07
NO
REFERRER
login
21/07/20
17 9:10
bank.com/ login
26/06/201
7 11:08
login
authentication
information
21/07/20
17 9:10
login
authentication
information
26/06/201
7 11:10
account
enquiry
account overview
21/07/20
17 9:11
basic page
account
overview
26/06/201
7 11:10
multiple
payment
set up new payee
21/07/20
17 9:16
make payment
successful
account
overview
26/06/201
7 11:10
set up new
payee
set up new payee
21/07/20
17 9:19
make payment
successful
account
overview
26/07/201
7 12:06
bank.com/ login
30/06/20
17 8:10
bank.com/ login
26/07/201
7 12:06
login
authentication
information
30/06/20
17 8:10
login
authentication
information
26/07/201
7 12:07
account
enquiry
account overview
30/06/20
17 8:11
authentication
information
authentication
information
26/07/201
7 12:08
multiple
payment
set up new payee
30/06/20
17 8:12
basic page
account
overview
26/07/201
7 12:08
set up new
payee
set up new payee
30/06/20
17 8:14
basic page
account
overview
26/07/201
7 12:10
new
beneficiary
pay success
account overview
30/06/20
17 8:15
make payment
successful
account
overview
30/06/20
17 8:15
payment related
account
overview
▪ Detects malicious user behavior based on navigation patterns in the
website.
▪ Treat each flow as a “story” and use text classification methods in
order to classify if this story is fraudulent or not.
Mouse movements
Mobile touch
Keystrokes
Time spent on pages

53. Detection
Overlay
Point of activation

54. Suspected SW Presence
RAT
Mouse Move
Mouse Click
Keyboard Click

55. Trusteer: Fraud and Identity
Fraud Prevention & Identity Proofing
IBM Security / © 2019 IBM Corporation
55
Trusteer: Tools, Processes, Best Practices
Keeping Complex Cloud Environment Secure & Compliant
Two stories

56. HTTP calls per month
56
API calls per month
Data lake (byte)
Data collection events
Sessions
Unique users

57. changes per
month
57

58. changes per
month
58
Change
Change
Change
Change
Change

59. No Logo Yet
Waterfall
Agile
DevOps
Trusteer:
Hyper Change at Scale
Trusteer: Hyper Change

60. IBM Security QRadar: Intro

61. QRadar setup
• Available both from IBM site and AWS
marketplace
• In Trusteer – Configured and installed
and integrated w/ CloudTrail manually
• Easier BYOL experience on the
marketplace

62. Deployment of QRadar in Trusteer environment: Concept
Amazon EC2
AWS
Auto Scaling
GuardDuty
Cloud Trail ……
Amazon EC2
AWS
Auto Scaling
GuardDuty
Cloud Trail
Amazon EC2
AWS
Auto Scaling
GuardDuty
Cloud Trail
Region 1 Region 2 Region 8
AWS Cloud
On premises
• 5K Events/Day
• 120 Rules
• 1 Action/Day
• 10 Info/Day
SOC
Analyst Run Book
• Low false-alert volume achieved
by:
• “Smart rules” considering and
corelating factors such as:
• Time windows
• Same user X IP
• Collapsing repetitive events into
single alert
• Usage of add-ons
• UBA
• Mixed type of rules
• Out of the box
• Custom

63. Deployment of QRadar in Trusteer environment: Example 1
• Graph display of log (sum count)
• Time-based pattern is visible
• A problem presented by unusual accumulation of error logs
• 4–5 AM
• EU-Cent region

64. Deployment of QRadar in Trusteer environment: Example 2
• QRadar add-ons, plug-ins
• Case in example: User behavior
analytics (UBA)
• Focuses on user-centric view of
events
• In the picture, specific users:
• Access S3 bucket, which is
supposed to be accessed only by
applicative user
• Stopping a service they are not
supposed to stop

65. IBM BigFix: A collaborative endpoint management and security platform

66. Deployment of BigFix in Trusteer environment: Concept
Regions 1-8
AWS Cloud
On premises CISO
Analyst Reports
• BigFix scans
• Config
• Patch level
• Over a diverse set of
technologies
• Linux OS
• Middleware
• RMQ
• Redis
• Cassandra
• HA-Proxy
• Etc.
RabbitMQ
RedisELK
HA-ProxyCassandraCassandraCouchBase
MySQLAmazon Linux
Additional advisory services

67. BigFix example/intro

68. BigFix example 1

69. BigFix example 2

70. IBM Security Resilient: Intro

71. Resilient: Response workflow/orchestration

73. Augmenting commercial tools and solutions with homegrown tools

74. • Trusteer Providing Digital Identity Solution
– Data Lake, Risk Engine - Running on AWS
• Augment AWS’ native security capabilities with IBM Security’s
enterprise offerings
– IBM QRadar – Threat management
– IBM BigFix – Endpoint management
– IBM Resilient – Incident response
– IBM Security Guardium – Data security
Security, Better Together
IBM Security / © 2019 IBM Corporation 74

75. © Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for
informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of
direction represents IBM’s current intent, is subject to change or withdrawal, and represent only goals and objectives.
IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines
Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention,
detection and response to improper access from within and outside your enterprise. Improper access can result in
information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be considered completely secure and no single
product, service or security measure can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily
involve additional operational procedures, and may require other systems, products or services to be most effective. IBM
does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the
malicious or illegal conduct of any party.
Follow us on:
ibm.com/security
securityintelligence.com
ibm.com/security/community
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
Thank you