Gartner Security and Risk Summit - Day 2
I am currently attending the Gartner Security and Risk Management Summit 2011. After only the second day, I can honestly say this has been one of the better Gartner conferences I’ve attended. I blogged about day 1 here. I always enjoy the time away from the cubicle to allow one’s brain to focus with minimum distraction on the topics being presented at such conferences. Below are some of the tidbits of knowledge I captured from the sessions I attended on the second day.
Well, let’s get the less interesting stuff out of the way … I sat in on some “the cloud” related presentations on risks and vendor selection and found the material not particularly useful. As you can imagine, “the cloud” has predictable security and vendor selection challenges that have been around for years when working with vendors. Thus, the marketing/branding hype around “the cloud” is more helpful to give vendors a new way to position products and service offerings to customers rather than create significantly new challenges for security professionals. I’ve written recently about “the cloud” in more detail here.
New Trends in Fraud Detection: Grappling with the Enemies Within and Without, Gartner Analyst Avivah Litan
Long title. Great presentation.
Instead of the usual fear/scare commentary on fraud, Ms. Litan described recent specific fraud patterns that represent the more complex scenarios of today. A new pattern she described is bulleted below:
- Hacker sets up/rents technology infrastructure for the attack (“the cloud”)
- Prepare to target the victim with email, such as using LinkedIn to determine who is in accounts payable at a particular company
- Prepare by stealing “Knowledge Based Authentication” (KBA) or “Challenge Questions” answers, collected from aggregators (compromising the companies offering KBA services) and/or phishing emails that get people to spill information. Go so far as to get the phone company to forward the small business’s phone to the hacker’s phone.
- Send spear phishing email to victim that includes specific malware program to get installed on their PC.
- Hacker waits for the malware to see a login to their bank. The malware gets the “One Time Password” (OTP) from a physical token (RSA, Vasco, etc.) either by redirecting the browser to the hacker’s site to collect the OTP, or by allowing the victim to perform some transactions while capturing the session information, forwarding it to the hacker and denying the logout. The user thinks they logged out, but the hacker now has the user’s session and keeps accessing the bank as the user.
- Hacker executes a fraudulent transaction. The bank confirms the odd payment via phone but since the hacker re-routed the phone to himself plus he has the KBA information, he can confirm the odd payment and thus the bank allows the odd payment to process.
She indicated this pattern was used on the Catholic Diocese of Des Moines, Iowa (more details on that attack here).
Her claim is that current bank on-line “strong” authentication is not enough to handle these new and sophisticated attack patterns. I’ve commented similarly here, based on her earlier blog post here.
In support of the recent increase in attacks against non-banking institutions such as Sega, Sony, FBI, CIA, RSA, US Congress, etc. reported by the media recently, she indicates that enterprises that aren’t banks don’t have the security measures in place compared to banks that get attacked regularly. The typical company is monitoring activity but has no existing real-time blocking capabilities for attacks.
She then shared some statistics indicating that 86% of surveyed companies were attacked by malware, but that those same companies are investing in other areas of security where attacks were admittedly less prevalent. I took a picture of the slide of stats but it came out so blurry I can’t share further details. The gist is companies are being attacked by malware but are investing in identifying/blocking other attacks that are actually happening less frequently.
She concluded with recommended “best practices”:
Strategy and Policy + Operations + Technology = Solving fraud and misuse problems
She presented five layers of protection to implement after authenticating a user on-line and granting them access to a web site:
Level 1 = end point centric (secure browsing, out of band auth, transaction auth)
Level 2 = navigation centric, analyze, profile of user activity, comparing
Level 3 = user and account centric by channel, user business patterns, what credit card folks do
Level 4 = Level 3 but across all channels, online then call center, etc.
Level 5 = Entity link analysis, end of the day dump of details and see cross customer, cross account transaction details
She quoted a Gartner statistic that by 2014, 15% of enterprises will adopt layered fraud detection to compensate for weak authentication of on-line users. Virtualized, on-demand secure browsers will be available by 2014, reducing the need for such layers. The current risk is that companies won’t invest in the anti-fraud layers.
No authentication method alone will stop fraud; additional layers are needed. Enterprises consider malware the #1 threat.
Technical approaches to address each level:
Level 1 = “Secure” browser can block malware. Existing vendors include Crealogix, Ironkey, TrustDefender and Trusteer, or it can be done through browser plugins (blocking APIs into that session with the bank)
Level 1 = Also, mobile location services: linking activity to location (browser location vs. mobile phone location) via GPS, mobile proximity to the MSC code in towers, or lat/long of the device via cell tower. Best is using aggregators of the mobile providers’ device location data. I logged in from a PC in Cleveland but my mobile phone is in Florida. The bank should take extra steps to confirm things are a-ok.
Level 2 = Biggest investment is the ability to check page-to-page rates to compare human versus malware (a human takes a random number of seconds between pages, whereas programs take predictable milliseconds)
Level 3 = Invest in profiling users, accounts, devices, transactions.
Level 4 = Do what you are doing in Level 3 but do it across all channels.
Level 5 = Invest in entity link analysis. Examples: HIV tests in a demographic that normally has none; a doctor who does one procedure starts billing Medicare for new procedures. 10 to 1 return on investment (per Gartner) if implemented comprehensively. Medical billing fraud seems to benefit immediately from this approach.
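To make the Level 1 location check and the Level 2 page-to-page timing check concrete, here is an added example of my own (not from the presentation or from any vendor) that scores constructed session records: the thresholds, session fields and city-level locations are assumptions, and a real deployment would feed this from web logs and a carrier location aggregator.

```python
import statistics
from dataclasses import dataclass

# Constructed sample sessions (not real bank data). Each holds the delays
# in seconds between successive page requests plus coarse login/phone locations.
@dataclass
class Session:
    user: str
    page_gaps: list          # seconds between successive page requests
    browser_location: str    # city derived from the browser's IP address
    phone_location: str      # city reported by the carrier/location aggregator

def looks_automated(gaps, min_gap=0.5, max_cv=0.15):
    """Level 2 (navigation centric): humans pause a variable number of
    seconds between pages; a script moves in short, near-constant steps.
    Flag when the median gap is sub-second or the gaps are too regular
    (coefficient of variation below max_cv). Thresholds are assumed."""
    if len(gaps) < 3:
        return False  # too little navigation to judge either way
    median = statistics.median(gaps)
    mean = statistics.mean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    return median < min_gap or cv < max_cv

def location_mismatch(session):
    """Level 1 (end point centric): browser and phone are in different places."""
    return session.browser_location.lower() != session.phone_location.lower()

def assess(session):
    """Return the reasons this session deserves extra (out-of-band) confirmation."""
    reasons = []
    if looks_automated(session.page_gaps):
        reasons.append("navigation timing is machine-like")
    if location_mismatch(session):
        reasons.append(f"browser in {session.browser_location} "
                       f"but phone in {session.phone_location}")
    return reasons

SAMPLE_SESSIONS = [
    Session("alice", [4.2, 9.8, 2.5, 15.1, 6.3], "Cleveland", "Cleveland"),
    Session("bob",   [0.21, 0.20, 0.22, 0.21, 0.20], "Cleveland", "Cleveland"),
    Session("carol", [5.5, 3.1, 12.0, 7.7], "Cleveland", "Florida"),
    Session("dave",  [3.0, 3.0, 3.0, 3.0], "Cleveland", "Cleveland"),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(s.user, assess(s) or "ok")
```

Only bob, carol and dave come back with reasons; alice's irregular, multi-second pacing from a matching location passes both layers.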
All in all, a very data based (rather than hype based as most anti-fraud presentations can be) session.
I asked her the question: Does Gartner have any data to suggest the most effective place within a bank payment application to implement transaction verification, at new payee add or when a payment transaction is being requested but before confirming/processing? I must not have been clear because she didn’t understand the question. I approached her afterwards and tried to re-explain. She didn’t seem to have that detailed perspective on where to implement such out-of-band confirmation for maximum effect. Thus, I’ll continue to dig on that topic.
All in all, an excellent detailed presentation based on data rather than the typical anti-fraud stuff you come across.
Secure Web Gateways: Intelligently Defending Against the Web 2.0 Threat
First, I congratulate them on working Web 2.0 into the title with so many others preferring “the cloud”. This session was on the traditional security applied to company web surfing or why you can’t seem to access Facebook or Twitter from your work PC.
Since the demand is for malware protection, the presentation laid out the ways secure web gateway (SWG) vendors can approach this, with Gartner’s assessment of each level’s success:
Low – Signature-based filtering (ClamAV/Snort)
Med – Multi-feed signatures + vendor enhancements: more sophisticated, with botnet command-and-control lists, vendor signatures, reputation feeds, and sending the request to the cloud for analysis
High – Real-time, in-path signature-less detection: active code analysis, exploit signature detection, sandboxing, traffic pattern analysis
The market today, per Gartner, is at the medium level.
Future = cloud-based secure web gateway as a service, signature-less malware protection, fine-grained app and social media control (example, control Facebook, only allow certain simple/safe features)
Cloud-based SWG is projected to grow faster than in-house hosted solutions (14% to 15% in-house growth rate). By 2015, 25% will have migrated to SWG as a service, which is currently only 10% of the market.
Cloud-based SWG has the typical challenges: authenticating users, directory integration (SAML?), geographic coverage as well as location of origin, and reporting that might be an overnight job rather than instant data.
Gartner claim: next generation firewalls will not replace SWG before 2015.
Gartner claim: blocking web sites alone does not materially reduce malware exposure, as some might think.
Additionally, I spent some time with IBM product managers to understand what their latest security products will be offering in the near future.
I’ll conclude with an interesting discussion I had with some people from Ecert. They represent a very interesting service offering. Their customers are both the major email service providers (think Gmail, Yahoo, Comcast, Time Warner, etc.) as well as companies that get phished regularly (think banks, PayPal, eBay, American Greetings, etc.). They are trying to combine email authentication to allow phished companies to notice when unknown sources are sending out email in their name (likely spam/phishing), along with giving major email providers a way to ignore phishing emails and provide an indication to their users that an email from a phished company is actually legit. They are endorsed by BITS, which is a non-profit financial services round table of the top 100 US banks. They appear to offer a very unique service that becomes more successful the more banks and the more email providers join. They offer take-down services as well as other fraudulent-email related services that have the potential to really add value in the authentication of email messaging.
All in all, another good day of interesting perspectives on the security landscape. Look for a summary of day 3 tomorrow.