A Million Mousetraps


  • 8/3/2019 A Million Mousetraps

    1/20

    A Million Mousetraps: Using Big Data and Little Loops to Build Better Defenses

    Allison Miller, Tagged


    2/20

    Overview

    Protecting customers on an open platform

    Big data + Little loops enable automation via analytics

    Decisions as defenses

    Putting your data to work


    3/20

    the

    interde en


    4/20

    the

    orous


    5/20

    so, about that

    Spam
    Credential Theft
    Malware
    Bots
    Account takeover
    Fraud
    DOS
    Phish
    Griefers
    Scammers


    6/20

    The Better Mousetrap

    Automates defensive action x-platform

    - Fast: In Real Time; In Time to Minimize Loss

    - Accurate: Reasonable False Positives; As good as a human specialist

    - Cheap: Reduces More Loss than Cost Created; Cheaper than Manual intervention

    Big Data & Little Loops


    7/20

    Big Data & Little Loops

    8/20

    APPLIED RISK ANALYTICS

    Use of technology, data, research & statistics to solve problems associated with losses or costs due to security vulnerabilities / gaps in a system -- resulting in the deployment of optimized detection, prevention, or response capabilities.


    9/20

    Decisions, Decisions

    RESPONSE: Authorize / Block

    POPULATION: Good / Bad

    Good + Block = false positive (Good Action Gets Blocked)

    Bad + Authorize = false negative (Bad Action Gets Through)

    Incorrect decisions have a cost

    Correct decisions are free (usually)

    Downstream Impacts


    10/20

    Applying Decisions

    Risk management is decision management

    ACTOR ATTEMPTS ACTION

    SUBMIT

    WHAT IS THE REQUEST

    HOW TO HONOR THE REQUEST

    SHOULD WE HONOR?

    RESULT: ACTION OCCURS


    11/20

    For example:

    ACTOR ATTEMPTS: Payment

    p (actor attempting payment is accountholder)

    Decision: Authorize, Review, Refer, Request Authentication, Decline

    f(variable A + Variable B + ...)

    SUBMIT


    12/20

    Study history...

    User IP Country
    Billing Country
    Buying prepaid mobile phones
    Add new shipping address in cart

    However

    Buyer = Phone reseller, static machine ID

    How much $$ is at risk?
    What is normal for this customer?
    What bad profiles does this match?


    13/20

    SHALL WE PLAY A GAME?

    (SINCE WE CAN'T PLAY CLUE FOR EVERY LOGIN, TRANSACTION, NEW USER, MESSAGE, FRIEND REQUEST, ATTACHMENT, PACKET, WINK, POKE, CLICK

    WE BUILD RISK MODELS)


    14/20

    Model Development Process

    Target -> Yes/No questions best

    Find Data, Variable Creation -> Best part

    Data Prep -> Worst part

    Model Training -> Pick an algorithm

    Assessment -> Catch vs FP rate

    Deployment -> Decisioning vs Detection


    15/20

    User IP Country
    Billing Country
    Buying prepaid mobile phones
    Add new shipping address in cart
    Buyer = Phone reseller, static machine ID

    How much $$ is at risk?
    What is normal for this customer?
    What bad profiles does this match?

    Geolocate IP
    Convert geo to country code
    Flag on Mismatch
    Cart Category
    Merch Risk Level
    Date Added
    Address Type
    String Matching
    Customer Profile
    Device ID
    Device History
    TXN-$-AMT
    Churn Risk, C... TXNs, login
    Stolen CC
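
An added example, not part of the original slides: the variables above fed into a logistic score for p(actor attempting payment is accountholder), then mapped to four of the listed decisions (Refer is omitted). All weights, thresholds, field names and the sample transactions are constructed assumptions; a trained model would supply its own.

```python
import math

# All weights and thresholds below are constructed for illustration; a real
# model learns them from labelled history (Model Development Process slide).
HIGH_RISK_CATEGORIES = {"prepaid_mobile_phone"}
INTERCEPT = -3.0
WEIGHTS = {                      # log-odds contribution when the flag is set
    "country_mismatch": 2.0,     # geolocated IP country != billing country
    "new_ship_address": 1.5,     # shipping address added in this cart
    "risky_category": 1.2,       # cart category with high merchandise risk
    "known_device": -2.5,        # device ID already in the account's history
    "fits_profile": -2.0,        # category is normal for this customer
}

def features(txn):
    """Turn a raw transaction dict into the yes/no variables."""
    return {
        "country_mismatch": txn["ip_country"] != txn["billing_country"],
        "new_ship_address": txn["ship_address_age_days"] == 0,
        "risky_category": txn["category"] in HIGH_RISK_CATEGORIES,
        "known_device": txn["device_id"] in txn["device_history"],
        "fits_profile": txn["category"] in txn["usual_categories"],
    }

def p_not_accountholder(txn):
    """Logistic score: 1 - p(actor attempting payment is accountholder)."""
    z = INTERCEPT + sum(WEIGHTS[k] for k, on in features(txn).items() if on)
    return 1.0 / (1.0 + math.exp(-z))

def decide(txn, review_cost=25.0):
    """Map the score and the money at risk to one of the slide's decisions."""
    p = p_not_accountholder(txn)
    if p >= 0.8:
        return "Decline"
    if p >= 0.5:
        return "Request Authentication"
    if p * txn["amount"] >= review_cost:   # expected loss outweighs a review
        return "Review"
    return "Authorize"

# Constructed sample: same cart, with and without the reseller's history.
RESELLER = {"ip_country": "SG", "billing_country": "US", "amount": 300.0,
            "ship_address_age_days": 0, "category": "prepaid_mobile_phone",
            "device_id": "dev-1", "device_history": {"dev-1"},
            "usual_categories": {"prepaid_mobile_phone"}}
STRANGER = dict(RESELLER, device_id="dev-9", usual_categories={"books"})

if __name__ == "__main__":
    for name, txn in (("reseller", RESELLER), ("stranger", STRANGER)):
        print(name, round(p_not_accountholder(txn), 3), decide(txn))
```

The same three red flags fire for both transactions; only the device history and customer profile separate the reseller from the unknown buyer.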


    16/20

    p-value of significance, throw out if > .05

    Variance in dependent variable explained by independent variables

    Dependent Variable

    Independent Variables

    Factor odds of dependent go up when independent var incremented

    p-value should be