This solution overview highlights six features that strengthen an organization's fraud and threat detection capabilities in today's increasingly complicated web environment.
2014 Threat Detection Checklist: Six ways to tell a criminal from a customer
Telling criminals from customers online isn't getting any easier. Attackers target the entire online user lifecycle, from product awareness through consideration, selection and purchase, with various security threats. These include fraud, business logic abuse and other malicious activities.

Criminals have evolved to focus their attacks on mobile Web sites and every new mobile application and promotion your marketing department churns out. Bots and other automated malware probe your Web properties long before identifying themselves through the authentication or sign-in process. They can hide as sporadic "zero day" attacks that appear too infrequently to detect, or are too new to be detected by their attack signatures. And your analysts may be drowning in too much data with too little business context from too many monitoring tools to focus on the most serious threats.

Online fraud could be costing banks, financial institutions, companies and individuals as much as $200 billion per year [1]. In this fast-changing threat environment, yesterday's capabilities don't provide enough protection.

Ask these six questions to be sure your Web Threat Detection capabilities can find today's threats.
[1] http://www.theguardian.com/technology/2013/oct/30/online-fraud-costs-more-than-100-billion-dollars
    http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.U58kd_ldWSo
The 2014 Threat Detection Checklist
1. Can it capture real-time Web session data and stream the data, analytics and threat scores into other Big Data security initiatives?

Combining this Web session data with other threat information (such as from point of sale systems or ATMs) creates a more holistic analysis of real-time threats by security analytics systems. Such a capability can help a large Security Operations Center prioritize and focus the thousands of alerts it receives every day from multiple systems. For example, a system correlating data from an external-facing Web site with data from an internal network could more easily identify a fraudster who used SQL injection to gain access to credentials, and used that access to export valuable intellectual property.
2. Does it provide real-time detection and visibility into all Web and mobile traffic, including mobile applications?

As organizations develop more appealing Web content and mobile applications, they are increasing their use of the JSON data interchange format. While JSON is a good fit for today's API-driven application development and mobile applications, some observers estimate that nine out of ten mobile applications are vulnerable to attack [2]. The ability to visualize the mobile clickstream and parse JSON data can help organizations detect a variety of attacks including Man-in-the-Mobile, Password Guessing, Architecture Probing of the mobile channel, the use of mobile platforms in account compromise and unauthorized account activity.

[2] http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.U58kd_ldWSo
3. Does it help analysts take action against new anomalous behavior and threat groups that are linked to those encountered before?

Web applications, mobile applications and the mechanisms of fraudulent attacks are constantly changing. The actions of clusters of actors or IP addresses that form quickly can signal robotic behavior or DDoS attacks. To find even these sudden attacks as efficiently as possible, analysts must be able to identify, track and score new related groups of threats in real time based on their suspicious behavior. Can you score groups of users or IP addresses whose behavior departs from baselines such as how fast they navigate the Web site or the number or types of queries they submit? Can these tools quickly compare the members of the new group with known, confirmed lists of user names or IP addresses from which attacks were launched in the past?
4. Can it track and correlate suspicious activity over time, both across a population and for each individual profile?

A savvy fraudster or automated bot may hit the same Web site across multiple sessions separated by days or weeks. Suspicious behavior outside of the baseline for a population, a user or an IP profile can be indicative of multiple threats. Manually correlating those attacks over time can be impossible or at least prohibitively expensive. Does your Web security solution provide a view of user sessions (by user name or IP address) over time, and allow an analyst to scan multiple sessions over weeks, months or years to more quickly and effectively identify and categorize new threats? Can the analyst quickly drill down to examine all the clicks that make up the session to identify threat patterns?

(Screenshot: Profile Timeline feature)
5. Does it highlight the most critical threat information in a summary dashboard for each analyst?

Anyone who's scanned a Web security log knows that identifying possible attacks can be an overwhelming task for even an experienced analyst. Does your Web security platform make the job easier with a customizable, high-level dashboard with features such as "Top 10 Threat Scores," "Top suspicious Server Response Codes" or "Groups with highest 'Man in the Middle' footprints" grouped on an hourly, daily, weekly or monthly basis? Such dashboard "dials" could also be set for other suspicious activity such as "users" with multiple IP addresses or originating from multiple geographies. This speeds time to value by allowing analysts to quickly receive alerts of possible threats, and drill down into the details of the user's activity or the incident to compare it to past activity, or to overall activity within the Web site or the mobile application.
Customized dashboards such as this help overloaded analysts focus on the most critical threats. This Analyst Summary Dashboard in RSA Web Threat Detection 5.0 provides a "one-stop shop" for alerts the analyst may decide to investigate further. Among the information provided is the number of alerts for the top 10 threats in the past hour, and signs of possible attacks such as click-through speeds, the use of multiple IP addresses for one user, multiple geographic locations for one user or multiple user agents during the time period.
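The profile timeline (question 4) and the dashboard indicators just described (multiple IPs, geographies or user agents for one user), as an added Python example that is not part of the original overview or of RSA's product: it orders one profile's sessions across weeks, counts distinct IPs, countries and user agents in the most recent 30-day window, and ranks profiles for an analyst summary. The session records, the window length and the scoring weights are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed session records (user, start time, client IP, country, user agent); not real data.
SESSIONS = [
    ("alice", "2014-05-01T09:00", "198.51.100.20", "US", "Mozilla/5.0 (Windows NT 6.1)"),
    ("alice", "2014-05-12T18:30", "198.51.100.20", "US", "Mozilla/5.0 (Windows NT 6.1)"),
    ("alice", "2014-06-02T08:15", "198.51.100.21", "US", "Mozilla/5.0 (Windows NT 6.1)"),
    ("bob", "2014-05-03T11:00", "192.0.2.9", "DE", "Mozilla/5.0 (Macintosh)"),
    ("bob", "2014-05-03T11:07", "203.0.113.7", "BR", "python-requests/2.2"),
    ("bob", "2014-05-17T02:40", "203.0.113.8", "RU", "python-requests/2.2"),
    ("bob", "2014-05-30T23:55", "203.0.113.9", "CN", "curl/7.30"),
]

def profile_timeline(sessions, user):
    """One profile's sessions in time order: the view an analyst scans across weeks or months."""
    rows = [(datetime.fromisoformat(s[1]), s[2], s[3], s[4]) for s in sessions if s[0] == user]
    return sorted(rows)

def profile_indicators(sessions, user, window=timedelta(days=30)):
    """Distinct IPs, countries and user agents seen for the profile in its most recent window."""
    rows = profile_timeline(sessions, user)
    if not rows:
        return {"sessions": 0, "ips": 0, "countries": 0, "user_agents": 0}
    cutoff = rows[-1][0] - window
    recent = [r for r in rows if r[0] >= cutoff]
    return {
        "sessions": len(recent),
        "ips": len({r[1] for r in recent}),
        "countries": len({r[2] for r in recent}),
        "user_agents": len({r[3] for r in recent}),
    }

def dashboard_top(sessions, limit=10):
    """Rank profiles for an analyst summary; the weights are assumed, not the product's own."""
    ranked = []
    for user in {s[0] for s in sessions}:
        ind = profile_indicators(sessions, user)
        # One point per extra IP or user agent, two per extra country beyond the first.
        score = (ind["ips"] - 1) + 2 * (ind["countries"] - 1) + (ind["user_agents"] - 1)
        ranked.append((score, user))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return [(user, score) for score, user in ranked[:limit]]
```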
6. Can it track anonymous IP behavior?

With underground sites selling user names and passwords by the thousands, more and more bots use scripted attacks to try these credentials against Web sites and mobile applications. That makes it essential to track user sessions before they log in, even if the "user" is an anonymous IP address. Does your Web site security platform allow you to begin tracking sessions before they are authenticated, looking for attack clues such as numerous, rapid unsuccessful hits on a log-in page?

Tracking such pre-authentication behavior also helps detect "users" whose speedy navigation through a Web site can be a clue to an attack. Unlike a legitimate shopper who browses through different product categories and views multiple styles and reviews, a fraudulent shopper or bot might quickly move to selected product areas, choose large quantities of a valuable item and then quickly log in and charge the purchase to a fraudulent credit card before they are detected. Can your Web site security platform track, and score, groups of anonymous users or sessions by their speed of interaction with the site?
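The pre-authentication tracking in question 6 and the baseline and known-list comparison in question 3, as an added Python example that is not from the original overview: it derives each IP's navigation speed and failed log-in count from constructed access-log records, compares the speed against the population median, checks for rapid unsuccessful log-in hits, and matches the IP against a placeholder list of past attackers. The log entries, the thresholds and the known-bad list are assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed access-log records (timestamp, client IP, path, HTTP status); not real traffic.
SAMPLE_LOG = [
    ("2014-06-10T10:00:00", "203.0.113.7", "/login", 401),
    ("2014-06-10T10:00:01", "203.0.113.7", "/login", 401),
    ("2014-06-10T10:00:01", "203.0.113.7", "/login", 401),
    ("2014-06-10T10:00:02", "203.0.113.7", "/login", 200),
    ("2014-06-10T10:00:03", "203.0.113.7", "/cart/add?sku=watch&qty=40", 200),
    ("2014-06-10T10:00:00", "198.51.100.20", "/category/shoes", 200),
    ("2014-06-10T10:00:45", "198.51.100.20", "/product/123", 200),
    ("2014-06-10T10:03:10", "198.51.100.20", "/login", 200),
    ("2014-06-10T10:00:05", "192.0.2.9", "/category/bags", 200),
    ("2014-06-10T10:02:00", "192.0.2.9", "/login", 401),
    ("2014-06-10T10:02:30", "192.0.2.9", "/login", 200),
]
# Placeholder list of IPs confirmed in past attacks (an assumption, not real intelligence).
KNOWN_BAD_IPS = {"203.0.113.7"}

def session_features(log):
    """Per-IP pre-authentication features: navigation speed and failed log-in hits."""
    by_ip = defaultdict(list)
    for ts, ip, path, status in log:
        by_ip[ip].append((datetime.fromisoformat(ts), path, status))
    feats = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        span = (reqs[-1][0] - reqs[0][0]).total_seconds()
        rate = len(reqs) / (span / 60) if span > 0 else 0.0  # requests per minute
        failed = sum(1 for _, p, s in reqs if p == "/login" and s == 401)
        feats[ip] = {"rate": rate, "failed_logins": failed}
    return feats

def score_sessions(log, known_bad=KNOWN_BAD_IPS):
    """Score each IP against the population baseline (median rate) and the known-bad list."""
    feats = session_features(log)
    baseline = statistics.median(f["rate"] for f in feats.values())
    scores = {}
    for ip, f in feats.items():
        score = 0
        if f["rate"] > 3 * baseline:  # navigating far faster than the population
            score += 2
        if f["failed_logins"] >= 3:   # numerous rapid unsuccessful hits on the log-in page
            score += 2
        if ip in known_bad:           # member of a confirmed past-attack list
            score += 3
        scores[ip] = score
    return scores
```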