THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.


Telling criminals from customers online isn't getting any easier. Attackers target the entire online user lifecycle, from product awareness through consideration, selection and purchase, with various security threats. These include fraud, business logic abuse and other malicious activities. Criminals have evolved to focus their attacks on mobile Web sites and on every new mobile application and promotion your marketing department churns out. Bots and other automated malware probe your Web properties long before identifying themselves through the authentication or sign-in process. They can hide as sporadic zero-day attacks that appear too infrequently to detect, or that are too new to be detected by their attack signatures. And your analysts may be drowning in too much data, with too little business context, from too many monitoring tools to focus on the most serious threats. Online fraud could be costing banks, financial institutions, companies and individuals as much as $200 billion per year [1]. In this fast-changing threat environment, yesterday's capabilities don't provide enough protection. Ask these six questions to be sure your Web Threat Detection capabilities can find today's threats.

1. http://www.theguardian.com/technology/2013/oct/30/online-fraud-costs-more-than-100-billion-dollars http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.u58kd_ldwso

1. Can it capture real-time Web session data and stream the data, analytics and threat scores into other Big Data security initiatives? Combining this Web session data with other threat information (such as from point-of-sale systems or ATMs) gives security analytics systems a more holistic view of real-time threats. Such a capability can help a large Security Operations Center prioritize and focus the thousands of alerts it receives every day from multiple systems. For example, a system correlating data from an external-facing Web site with data from an internal network could more easily identify a fraudster who used SQL injection to gain access to credentials, and then used that access to export valuable intellectual property.

2. Does it provide real-time detection and visibility into all Web and mobile traffic, including mobile applications? As organizations develop more appealing Web content and mobile applications, they are increasing their use of the JSON data interchange format. While JSON is a good fit for today's API-driven application development and mobile applications, some observers estimate that nine out of ten mobile applications are vulnerable to attack [2]. The ability to visualize the mobile clickstream and parse JSON data can help organizations detect a variety of attacks, including Man-in-the-Mobile, password guessing, architecture probing of the mobile channel, the use of mobile platforms in account compromise, and unauthorized account activity.

2. http://www8.hp.com/us/en/hp-news/press-release.html?id=1528865#.u58kd_ldwso

3. Does it help analysts take action against new anomalous behavior and threat groups that are linked to those encountered before? Web applications, mobile applications and the mechanisms of fraudulent attacks are constantly changing. Clusters of actors or IP addresses that form quickly can signal robotic behavior or DDoS attacks. To find even these sudden attacks as efficiently as possible, analysts must be able to identify, track and score new related groups of threats in real time based on their suspicious behavior. Can you score groups of users or IP addresses whose behavior departs from baselines such as how fast they navigate the Web site or the number or types of queries they submit? Can these tools quickly compare the members of the new group with known, confirmed lists of user names or IP addresses from which attacks were launched in the past?

4. Can it track and correlate suspicious activity over time, both across a population and for each individual profile? A savvy fraudster or automated bot may hit the same Web site across multiple sessions separated by days or weeks. Suspicious behavior outside of the baseline for a population, a user or an IP profile can be indicative of multiple threats. Manually correlating those attacks over time can be impossible, or at least prohibitively expensive. Does your Web security solution provide a view of user sessions (by user name or IP address) over time, and allow an analyst to scan multiple sessions over weeks, months or years to more quickly and effectively identify and categorize new threats? Can the analyst quickly drill down to examine all the clicks that make up the session to identify threat patterns?

Profile Timeline feature

5. Does it highlight the most critical threat information in a summary dashboard for each analyst? Anyone who's scanned a Web security log knows that identifying possible attacks can be an overwhelming task for even an experienced analyst. Does your Web security platform make the job easier with a customizable, high-level dashboard with features such as Top 10 Threat Scores, Top Suspicious Server Response Codes, or Groups with the Highest Man-in-the-Middle Footprints, grouped on an hourly, daily, weekly or monthly basis? Such dashboard dials could also be set for other suspicious activity, such as users with multiple IP addresses or users originating from multiple geographies. This speeds time to value by allowing analysts to quickly receive alerts of possible threats, and drill down into the details of the user's activity or the incident to compare it to past activity, or to overall activity within the Web site or the mobile application.

Customized dashboards such as this help overloaded analysts focus on the most critical threats. This Analyst Summary Dashboard in RSA Web Threat Detection 5.0 provides a one-stop-shop for alerts the analyst may decide to investigate further. Among the information provided is the number of alerts for the top 10 threats in the past hour, and signs of possible attacks such as click-through speeds, the use of multiple IP addresses for one user, multiple geographic locations for one user or multiple user agents during the time period.

6. Can it track anonymous IP behavior? With underground sites selling user names and passwords by the thousands, more and more bots use scripted attacks to try these credentials against Web sites and mobile applications. That makes it essential to track user sessions before they log in, even if the user is only an anonymous IP address. Does your Web site security platform allow you to begin tracking sessions before they are authenticated, looking for attack clues such as numerous, rapid unsuccessful hits on a log-in page? Tracking such pre-authentication behavior also helps detect users whose speedy navigation through a Web site can be a clue to an attack. Unlike a legitimate shopper who browses through different product categories and views multiple styles and reviews, a fraudulent shopper or bot might move quickly to selected product areas, choose large quantities of a valuable item, and then quickly log in and charge the purchase to a fraudulent credit card before being detected. Can your Web site security platform track, and score, groups of anonymous users or sessions by their speed of interaction with the site?
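The checks behind questions 3, 4 and 6 (scoring sessions against a population baseline for navigation speed, comparing them with a list of previously confirmed attacker addresses, spotting one user seen from several IP addresses, and counting failed log-in attempts before authentication) can be illustrated with a small detector run over Web server access logs. The following Python script is an added example for this page, not code from RSA or from RSA Web Threat Detection; the log lines, the known-bad list, the threshold constants and the 25-points-per-indicator score are all constructed for illustration.

```python
"""Score Web sessions against population baselines and known-bad lists.

Added example (not from the RSA brief): a minimal version of the checks the
checklist asks for: navigation speed versus the population baseline, bursts
of failed pre-authentication logins, one user seen from several IP addresses,
and matches against a list of previously confirmed attacker addresses.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache combined-style access log line: ip, identd, user, [time], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (hypothetical addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2014:12:00:00 +0000] "GET /shop HTTP/1.1" 200 -
203.0.113.7 - - [10/Jun/2014:12:00:35 +0000] "GET /shop/shoes HTTP/1.1" 200 -
203.0.113.7 - - [10/Jun/2014:12:01:40 +0000] "GET /shop/shoes/reviews HTTP/1.1" 200 -
203.0.113.7 - - [10/Jun/2014:12:03:10 +0000] "POST /login HTTP/1.1" 401 -
203.0.113.7 - alice [10/Jun/2014:12:03:30 +0000] "POST /login HTTP/1.1" 302 -
203.0.113.7 - alice [10/Jun/2014:12:05:00 +0000] "POST /checkout HTTP/1.1" 200 -
192.0.2.77 - - [10/Jun/2014:12:10:00 +0000] "GET /shop HTTP/1.1" 200 -
192.0.2.77 - - [10/Jun/2014:12:11:00 +0000] "GET /shop/bags HTTP/1.1" 200 -
192.0.2.77 - - [10/Jun/2014:12:12:00 +0000] "GET /shop/bags/reviews HTTP/1.1" 200 -
192.0.2.77 - - [10/Jun/2014:12:13:00 +0000] "GET /shop/shoes HTTP/1.1" 200 -
198.51.100.9 - - [10/Jun/2014:12:00:00 +0000] "POST /login HTTP/1.1" 401 -
198.51.100.9 - - [10/Jun/2014:12:00:01 +0000] "POST /login HTTP/1.1" 401 -
198.51.100.9 - - [10/Jun/2014:12:00:02 +0000] "POST /login HTTP/1.1" 401 -
198.51.100.9 - - [10/Jun/2014:12:00:03 +0000] "POST /login HTTP/1.1" 401 -
198.51.100.9 - - [10/Jun/2014:12:00:04 +0000] "POST /login HTTP/1.1" 401 -
198.51.100.9 - - [10/Jun/2014:12:00:05 +0000] "POST /login HTTP/1.1" 401 -
198.51.100.9 - bob [10/Jun/2014:12:00:08 +0000] "POST /login HTTP/1.1" 302 -
198.51.100.9 - bob [10/Jun/2014:12:00:09 +0000] "GET /shop/watches HTTP/1.1" 200 -
198.51.100.9 - bob [10/Jun/2014:12:00:10 +0000] "POST /cart?qty=40 HTTP/1.1" 200 -
198.51.100.9 - bob [10/Jun/2014:12:00:11 +0000] "POST /checkout HTTP/1.1" 200 -
192.0.2.50 - bob [10/Jun/2014:12:30:00 +0000] "GET /account HTTP/1.1" 200 -
"""

# Constructed list of addresses confirmed in earlier incidents (hypothetical).
KNOWN_BAD_IPS = {"192.0.2.50"}

SPEED_FACTOR = 5.0        # flag sessions faster than 5x the population median
FAILED_LOGIN_BURST = 5    # failed pre-auth logins per session that count as a burst


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["user"] = None if rec["user"] == "-" else rec["user"]
        yield rec


def session_features(records):
    """Group hits by client IP (the only key available before login) and
    compute per-session features, including pre-authentication ones."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    features = {}
    for ip, hits in by_ip.items():
        hits.sort(key=lambda r: r["ts"])
        span = (hits[-1]["ts"] - hits[0]["ts"]).total_seconds()
        # A single hit carries no speed information; do not let span=0 inflate it.
        rpm = len(hits) * 60.0 / max(span, 1.0) if len(hits) >= 2 else 0.0
        failed = sum(1 for r in hits
                     if r["user"] is None and r["path"] == "/login"
                     and r["method"] == "POST" and r["status"] == 401)
        users = {r["user"] for r in hits if r["user"]}
        features[ip] = {"requests": len(hits), "requests_per_minute": rpm,
                        "failed_logins_preauth": failed, "users": users}
    return features


def score_sessions(log_text, known_bad_ips=KNOWN_BAD_IPS):
    """Return {ip: {"score": int, "reasons": [...], ...}} for every session."""
    feats = session_features(parse_log(log_text))
    # Population baseline: median navigation speed over sessions with >= 2 hits.
    rates = [f["requests_per_minute"] for f in feats.values() if f["requests"] >= 2]
    baseline = median(rates) if rates else 0.0
    # Which IPs has each authenticated user been seen from (across sessions)?
    ips_per_user = defaultdict(set)
    for ip, f in feats.items():
        for u in f["users"]:
            ips_per_user[u].add(ip)
    results = {}
    for ip, f in feats.items():
        reasons = []
        if baseline > 0 and f["requests_per_minute"] > SPEED_FACTOR * baseline:
            reasons.append("speed_above_baseline")
        if f["failed_logins_preauth"] >= FAILED_LOGIN_BURST:
            reasons.append("failed_login_burst")
        if ip in known_bad_ips:
            reasons.append("known_bad_ip")
        if any(len(ips_per_user[u]) > 1 for u in f["users"]):
            reasons.append("multiple_ips_for_user")
        results[ip] = {**f, "score": 25 * len(reasons), "reasons": reasons,
                       "baseline_rpm": baseline}
    return results


if __name__ == "__main__":
    for ip, r in sorted(score_sessions(SAMPLE_LOG).items(),
                        key=lambda kv: -kv[1]["score"]):
        print(f'{ip:14} score={r["score"]:3d} rpm={r["requests_per_minute"]:6.1f} '
              f'failed={r["failed_logins_preauth"]} reasons={r["reasons"]}')
```

Two design points matter in practice. Sessions are keyed by IP address because, before authentication, that is the only identifier available, which is exactly the anonymous tracking question 6 asks about; once a user name appears, the same record also feeds the cross-session "one user, several IPs" check from question 5. The speed baseline is a population median rather than a fixed number, so a burst of 10 hits in 11 seconds stands out against shoppers who browse at one or two pages per minute, while a one-hit session is deliberately given a speed of zero so that a zero-length time span cannot manufacture an alert.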

ABOUT RSA WEB THREAT DETECTION 5.0: RSA Web Threat Detection collects and analyzes massive amounts of real-time data from website traffic to provide web session intelligence and real-time analysis of user behavior. Read how Version 5.0 provides greater insight into the online threat environment, more accurate detection of online threats, the ability to stream Web intelligence into big-data security initiatives, and overall platform enhancements. EMC², EMC, the EMC logo, RSA, and the RSA logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. Copyright 2014 EMC Corporation. All rights reserved. H13318