Defeating Advanced Threats with Risk-based Authentication Security

Marty Jost, Symantec Product Marketing

Jeff Burstein, Product Management: VIP Authentication Service

Defeating Advanced Threats with Risk-based Authentication Securityvox.veritas.com/legacyfs/online/veritasdata/SR B07.pdf · 2016-07-04 · Defeating Advanced Threats with Risk-based


Agenda

1. The Big Picture: Why Risk-based Authentication

2. How Risk-based Authentication Works

3. Symantec Intelligent Authentication

4. Demonstration

5. Q&A

Symantec Customers Use IT as a Business Enabler

Improve Processes and Build Competitive Advantage

Mobility to create a flexible workforce

Supply chain integration for better collaboration

On-line applications to reach more customers

Business agility and superior customer service

Elevated risk demands trustworthy access

Strong Authentication Is Critical to Trust

Enhanced credentials provide necessary level of assurance

Something You Know: Username/Passwords, Mother’s Maiden Name, Transaction History

Something You Have: Physical and/or cryptographic mechanisms provide a 2nd factor

Symantec Strong Authentication Solutions

Flexible, diverse technology for broad customer requirements

Symantec™ Web-based Management Symantec™ Cloud-based Authentication Infrastructure

Validation and Identity Protection Service

Multiple Credential Form Factors

(OTP or Risk-based)

Available in hardware or software Stored on disk or “token”

Symantec Managed PKI Service

Device and User Certificates Authorization gateway to cloud

Single Sign-on

Symantec O3

Symantec VIP Service Architecture

Application Integration via RADIUS or Direct via Web Protocols

• High Availability, Cloud-based Architecture

• Single platform offering both token-less and token-based options

• Faster time to value and lower Total Cost of Ownership

• Application-level integration for advanced transaction validation

A Changing Threat Landscape to Manage

Compliance

• Government and industry:

– FFIEC, HIPAA, ISER

– Euro and Asian privacy laws

– PCI, HIE, etc.

• Most regulations additionally require:

– Secure access control

– Segmentation of duty

– Data privacy and integrity

– Audit trails

Non-compliance = negative business impact

Hacking and Malware

• Hacker profile evolving from attention seekers to organized sponsorship

• More sophisticated attacks which require more sophisticated defenses

• Frequency seems to be increasing

• Trade-off between usability and security

Public security breaches = lost customer confidence

FBI Warning on New Zeus Variant, Called Gameover

November 23, 2011

Once they click on the link they are infected with the Zeus malware, which is able to key log as well as steal their online credentials

Source: http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign

Overview of Zeus, SpyEye Malware

How Malware-based Fraud Works

Symantec VIP Intelligent Authentication

Broad Applicability Across Industry and Use Cases

Others

• “Token-less” secure remote access

• Single Sign On

• Self Service Portals

• SharePoint

• Outlook Web Access

Healthcare

• HIPAA, EU 95/46

• Protect patient data

• Healthcare Information Exchange (HIE)

Financial Services

• FFIEC, FSA, EU 95/46

• Protect online accounts

• Reduce fraud costs

Avivah Litan

VP & Distinguished Analyst Gartner

Eighty percent of financial institutions have very weak security, relying mainly on cookies, Flash objects and challenge questions

Source: Bankinfosecurity.com, “FFIEC: First Steps Toward Compliance - Gartner's Litan Explains What Institutions Need to Do Now,” Jeffrey Roman, July 15, 2011 http://www.bankinfosecurity.com/articles.php?art_id=3850

Recommended Best Practice: “Layered Security”

• Layered security controls: respond to suspicious or anomalous activity

– Initial login of customers requesting access

– Initiation of electronic transactions involving the transfer of funds

• Recommended Methods

– Blocking known “bad actors”

– Complex Device IDs

– Situational risk profiling

– Out of band options

• Not just for end users / consumers!

– “layered security should include enhanced controls for [privileged users]”

FFIEC Guidance Articulates the Key Requirements

How Symantec VIP Intelligent Authentication Helps

Addressing Need for Layered Security

Behavior profiling: Profiles login behavior; transaction-level behavior profiling is not yet provided

Complex device ID: Client-based and JavaScript-based fingerprint of OS, browser, software and hardware configuration

Device reputation: Check IP against Symantec Global Intelligence Network, check location for “bad” countries, check Norton™ / Symantec Endpoint Protection presence/device health

Out of band authentication: IA uses “step up” authentication; SMS, Voice, Email OTP provide OOB transaction verification

Intelligent Authentication in Action

Synergy of Integrated Symantec Solutions

Multiple Technologies Combine for Best Defense Against Malware

Symantec™ Endpoint Protection Client and Global Information Network

Intel® Identity Protection Technology (IPT)

Prevent infection and defeat attack

Device Reputation

Risk-based, OATH-based OTP

OCRA Transactions

Symantec™ Global Intelligence Network

Identifies more threats, takes action faster & prevents impact

Information Protection Preemptive Security Alerts Threat Triggered Actions

Global Scope and Scale Worldwide Coverage 24x7 Event Logging

Rapid Detection

Attack Activity

• 240,000 sensors

• 200+ countries

Malware Intelligence

• 180M client, server, gateways monitored

• Global coverage

Vulnerabilities

• 45,000+ vulnerabilities

• 15,000 vendors

• 105,000 technologies

Spam/Phishing

• 5M decoy accounts

• 8B+ email messages/day

• 1B+ web requests/day

Austin, TX; Mountain View, CA; Culver City, CA; San Francisco, CA; Taipei, Taiwan; Tokyo, Japan; Dublin, Ireland; Calgary, Alberta; Chengdu, China; Chennai, India; Pune, India

Symantec™ Global Intelligence Network

Integration into Symantec User Authentication Solutions

Unmatched detection of emerging sources of risk

Symantec™ VIP Intelligent Authentication

Symantec DeepSight technology, powered by Symantec™ Global Intelligence Network

+ Bots by Patterns, Contact

+ Command and Control

+ Phishing Hosts

+ Top 100K Attacking IPs

Enhanced fraud capture

Reduced false positives

More accurate risk assessment

Bumper-to-Bumper Security Strategy

Bumper-to-Bumper Security

Login Available Today

Evolving

Monetary Transactions

Log-out

Non-Monetary Touch Points

Anatomy of a Man-in-the-Middle Attack

Attack is Executed From User’s Compromised Machine

From: A To: B, Amount: $5,000

From: A To: C, Amount: $15,000

Thanks!

Preventing a Man-in-the-Middle Attack

Using Transaction-Level Behavior Profiling + OOB Authentication

From: A To: B, Amount: $5,000

From: A To: C, Amount: $15,000

Argh!

From: A To: C, Amount: $15,000

Transaction Validation Options

• Amount Anomaly

– Monitor monetary transactions going out of an account

– Varied risk based on transaction type

– e.g. Wire Transfer type of transaction is more sensitive than Bill Payment

– Build user behavioral patterns based on amount and type of transaction

– Also monitor aggregated amounts transferred per day/time period

– Flag when a transaction’s amount or aggregated amounts is anomalous

• Time Series Interval Anomaly (Transaction Velocity Anomaly)

– Monitor monetary transactions coming into or going out of an account

– Build frequency patterns of the account activity

– Flag when the destination of the transfer is anomalous

– Flag when the frequency of transactions is anomalous

Assessing Monetary Transaction Risk

Bumper-to-Bumper Security

• Destination Anomaly

– Monitor and build user behavioral patterns based on destinations of the transfer

– Also monitor the frequency of newly added destination accounts for money transfer

– Flag when the frequency of added destination accounts is anomalous

Assessing Monetary Transaction Risk
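
An added illustration of the amount, velocity and destination checks listed on the two "Assessing Monetary Transaction Risk" slides, applied to the A-to-B / A-to-C transfer from the man-in-the-middle slides; it is not Symantec's implementation. The thresholds, type weights, field names and sample history are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed values; the slides only say a wire transfer is more sensitive than a bill payment.
TYPE_WEIGHT = {"bill_payment": 1.0, "wire_transfer": 2.0}
STEP_UP_SCORE = 2.0  # assumed cut-off above which out-of-band confirmation is required

def assess(history, tx):
    """Return (action, flags) for one outgoing transaction given the account's history."""
    flags, day = [], tx["time"].date()
    # Amount anomaly: compare with past amounts of the same transaction type.
    same_type = [h["amount"] for h in history if h["type"] == tx["type"]]
    if len(same_type) < 5:
        flags.append("no_baseline_for_type")
    elif tx["amount"] > mean(same_type) + 3 * (pstdev(same_type) or 1.0):
        flags.append("amount")
    # Aggregated amount and velocity: today's total and count against earlier days.
    totals, counts = Counter(), Counter()
    for h in history:
        totals[h["time"].date()] += h["amount"]
        counts[h["time"].date()] += 1
    today_total, today_count = totals.pop(day, 0) + tx["amount"], counts.pop(day, 0) + 1
    if totals and today_total > 2 * max(totals.values()):
        flags.append("daily_total")
    if counts and today_count > 2 * max(counts.values()):
        flags.append("velocity")
    # Destination anomaly: payee never used before, and how many payees were new this week.
    first_seen = {}
    for h in history:
        first_seen[h["dest"]] = min(h["time"], first_seen.get(h["dest"], h["time"]))
    if tx["dest"] not in first_seen:
        flags.append("destination")
        week_ago = tx["time"] - timedelta(days=7)
        if sum(t > week_ago for t in first_seen.values()) >= 2:
            flags.append("new_destination_rate")
    score = len(flags) * TYPE_WEIGHT[tx["type"]]
    return ("step_up_oob" if score >= STEP_UP_SCORE else "allow"), flags

# Constructed sample data: ten days of one bill payment and one wire transfer to payee B.
START = datetime(2012, 5, 1, 9, 0)
HISTORY = [{"time": START + timedelta(days=i), "type": t, "amount": a, "dest": "B"}
           for i in range(10) for t, a in (("bill_payment", 120.0 + i), ("wire_transfer", 4800.0 + 50 * i))]
ROUTINE = {"time": START + timedelta(days=10), "type": "wire_transfer", "amount": 5000.0, "dest": "B"}
TAMPERED = dict(ROUTINE, amount=15000.0, dest="C")  # what the compromised machine submits

if __name__ == "__main__":
    for tx in (ROUTINE, TAMPERED):
        print(tx["dest"], tx["amount"], assess(HISTORY, tx))
```

The `step_up_oob` result is the point at which the out-of-band channel (SMS, voice or email) would show the user the destination and amount actually received by the server.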

Back to the Present

Where Can We Help Right Now?

REPLACE

• OTP / OOB still in play

• It’s all part of VIP!

• Legacy OTP solutions

• High Net Worth Users

• Commercial Banking

• Privileged Users

• Administrators for internal IT systems

• Systems subject to PCI

AUGMENT

• Augment their current detection measures with IA’s login authentication

• Deliver complex device ID and behavior analysis

• Symantec Global Intelligence Network

• Reputation data pulled from Norton/SEP clients (coming soon)

• Augment their “step up” authentication with Out of Band (SMS/Voice/Email)

EXPAND

• Position for future with transaction profiling for deeper integration

• Other areas of the organization (not related to their online banking services)

Why Symantec VIP Intelligent Authentication?

The Leading Cloud PKI Platform…And It Just Got Better

Flexible: Deploy easily with global coverage

Scalable: Deliver consistent, automated, and reliable operation

Cost-effective: Deliver and manage applications from a single, unified platform

Unique: Build on the proven reliability of the Symantec Global Information Network and Norton reputation capabilities

Demonstration

Questions?

Thank you!

SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.
