RSA, The Security Division of EMC Corp., has issued its first major Web threat prevention software update since the October acquisition of Silver Tail Systems and its flagship online fraud detection system -- now called RSA Silver Tail. The layer 2 technology, designed to track users and prevent malicious activity by capturing and analyzing Web session data, adds functionality in Version 4.0, which enables real-time threat monitoring and big data visualization for e-commerce environments.
The founders of Silver Tail Systems, who launched the company in January 2008, worked for PayPal and eBay. "That experience led to this understanding of the need to look at the difference between criminals and normal users on websites, because as attacks get more complicated, there's a detection problem," said Jason Sloderbeck, RSA's director of product management.
The RSA Silver Tail online fraud detection engine, developed with help from Google, was designed for consumer-based fraud prevention. Today, Silver Tail's customers range from wholesale banking and financial services to large ecommerce sites and the federal government.
In recent years, Silver Tail has added important features for wholesale environments, such as user-based profiling, according to NSS Labs Research Vice President Dr. Ken Baylor, who used Silver Tail's technology when he served as the vice president of security and anti-fraud at Wells Fargo Bank, N.A. Rather than compare a user's navigation behavior to that of the average customer, or detect anomalies based on click rates -- 3 seconds versus .0004 seconds between clicks, for example -- the online fraud detection engine has evolved to compare current activity to past behavior, Baylor explained. "If you come in from an IP address that I've never seen before or a device that I've never seen before, and you've authenticated okay -- I'm going to have a much harder look at you right now."
Fighting fraud online
RSA Silver Tail 4.0 adds a Streaming Analytics engine that supports click-by-click, in-memory threat scoring for faster detection of suspicious activity on websites. In past releases, Silver Tail provided user and population behavioral analysis on an hourly basis or near real time, tracking more than 330,000 clicks per second on some larger sites, including mobile Web traffic. "Now, we are providing it in real time, up to the click," Sloderbeck said.
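The per-user comparison and click-by-click scoring described above can be sketched as follows. This is an added example, not RSA Silver Tail code: the Profile fields, score weights, thresholds and sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Optional

@dataclass
class Profile:
    """Per-user history kept in memory (hypothetical data model)."""
    ips: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    gaps: list = field(default_factory=list)   # past seconds between clicks
    last_ts: Optional[float] = None

def learn(p, ip, device):
    """Record an IP/device only after the session has been verified."""
    p.ips.add(ip)
    p.devices.add(device)

def score_click(p, ts, ip, device, min_history=5):
    """Score one click against this user's own past behavior."""
    score, reasons = 0, []
    if p.ips and ip not in p.ips:
        score += 40
        reasons.append("new_ip")
    if p.devices and device not in p.devices:
        score += 40
        reasons.append("new_device")
    if p.last_ts is not None:
        gap = ts - p.last_ts
        # Compare to the user's own median gap, not a population average.
        if len(p.gaps) >= min_history and gap < median(p.gaps) / 10:
            score += 20
            reasons.append("fast_click")
        else:
            p.gaps.append(gap)   # anomalous gaps never enter the baseline
    p.last_ts = ts
    return score, reasons

def demo():
    """Constructed sessions: eight clicks 3 s apart, then one odd click."""
    p = Profile()
    learn(p, "198.51.100.7", "dev-A")
    for i in range(8):
        score_click(p, i * 3.0, "198.51.100.7", "dev-A")
    normal = score_click(p, 24.0, "198.51.100.7", "dev-A")
    odd = score_click(p, 24.0004, "203.0.113.50", "dev-X")
    return normal, odd

if __name__ == "__main__":
    print(demo())
```

A score above a chosen threshold would trigger the "much harder look" step, such as an out-of-band verification, rather than an outright block.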
Silver Tail has continued to introduce functionality that makes its online fraud detection more applicable to the needs of the market, observed Baylor. "If you think of how fast Web fraud can happen, it can happen in maybe a minute. Instead of knowing that $10 million was stolen an hour ago, I would rather know that something strange is happening right now," he said. "I would like to have the ability to interact with the fraud engine. You might be able to interject into the transaction clause: 'Hey, you are doing something weird. Let us call you back and verify that it is really you.' And they are starting to bring that technology on board now, which is definitely a big change."
Combat Web fraud
Requirements for data protection on the Web have evolved as big data provides more information for user and population behavioral analysis.
Review policies and procedures if you store personal information
Keep firewalls and antivirus software on Web servers up to date
Follow PCI DSS requirements
Consider real-time threat monitoring from authentication to transaction requests
Archive profiles of unique users for historical behavioral analysis
RSA Silver Tail sits offline behind the load balancer and looks at a mirror of the HTTP and HTTPS traffic. "We are not just looking at the log entries, we are looking at the actual traffic," Sloderbeck said. "Think of all the information that is exchanged between users and websites; we only need about 5% of that."
Silver Tail's behavioral analysis engine can detect anomalies, business logic abuses, password and authentication issues or "thousands of people moving in concert," which enables banks and ecommerce sites to thwart distributed denial-of-service attacks and other botnet-related activities.
"We actually identify suspicious activity; there is no analytics required per se on the customer's part," Sloderbeck said. In addition to alerts, the system can send IP addresses to a load balancer, for example, and block the activity in real time.
The online fraud detection system also compares the webpage that is sent to users with the webpage that they send back and can detect malware such as the Zeus banking Trojan or man-in-the-middle attacks. "They are good at detecting when an end user's device has been taken over," Baylor said. "And that should be useful when it comes to detecting malware on mobile devices."
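One way a monitor could notice a page that was altered on the user's device is to compare the form fields the server sent with the field names in the request that comes back. This is an added example, not RSA Silver Tail code; the sample HTML, request bodies and function names are constructed, and it assumes the alteration shows up as extra POST fields.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

class FormFields(HTMLParser):
    """Collects the name of every input/select/textarea in the served page."""
    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.names.add(name)

def unexpected_fields(served_html, posted_body):
    """Return posted field names that the served page never contained."""
    parser = FormFields()
    parser.feed(served_html)
    posted = parse_qs(posted_body, keep_blank_values=True)
    return sorted(set(posted) - parser.names)

# Constructed sample: the login form as the server sent it.
SERVED = """<form action="/login" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="csrf_token" value="constructed">
</form>"""

# Constructed request bodies: one matching the form, one with extra fields.
CLEAN_POST = "username=alice&password=x&csrf_token=constructed"
TAMPERED_POST = CLEAN_POST + "&atm_pin=0000&mother_maiden_name=example"

if __name__ == "__main__":
    print(unexpected_fields(SERVED, CLEAN_POST))
    print(unexpected_fields(SERVED, TAMPERED_POST))
```

Fields added legitimately by client-side script would need an allowlist before this check could alert without false positives.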
Profiling unique users with big data analytics
RSA Silver Tail 4.0 introduces a rebuilt graphical user interface that offers more interactive features, including some big data visualization capabilities. Fraud teams can look at deep, historical profiles of unique users based on archives of potentially months of data, including device fingerprinting, provided the company has the technology, which is not part of Silver Tail.
"It is basically head-and-shoulders better than it used to be," said Baylor. With older versions, you had to learn a special query language if you wanted to capture events: If the user does x and y, does that lead to fraudulent activity? "That seems to be gone now," said Baylor. "And you are able to do the whole thing through the graphical user interface."
Silver Tail deployment is far from trivial: it requires knowledge of fraud and information security, as well as Web skills. In less complex deployments, the Web servers feed into Silver Tail, and you need to know how Web pages link together and update the system if the page flow changes. While IT security personnel tend to have expertise in networking and servers, Web teams often focus on applications.
RSA Silver Tail's online fraud detection system requires a "mixture of skills up and down the stack," according to Baylor, including experts in fraud detection and how Web fraud works. "But the requirements for data science have actually been eased a lot," he said.
Moving towards enterprise-level security
In October, EMC indicated that Silver Tail's technology would extend RSA's Identity Protection and Verification products. The latest release does not integrate EMC technology, according to Sloderbeck. "We're real excited about all of the platforms that RSA gives us exposure to," he said. "As part of this announcement, we are not announcing any timelines."
Banking regulations and widespread industry practices have largely driven adoption of Web fraud prevention and related technologies, according to Baylor, who expects to see more commonplace usage of this type of security software. Based on regulations, banks and financial services need to calculate a risk score for customers when they log in and then analyze their behavior, especially at the point of transaction. "Silver Tail is starting to move towards that," he said.
A leader in fraud prevention technology, RSA's Adaptive Authentication application calculates a risk score for each user at login, according to Baylor. "But it needs to be upgraded." His observations are echoed in a Gartner research note published in early November around the time of the acquisition:
[M]any Gartner clients that use RSA Adaptive Authentication for fraud prevention have gone elsewhere in the past couple of years to fill gaps in RSA's coverage (while holding on to RSA Adaptive Authentication), most notably to ward off attacks against Web applications from banking Trojans and other "zero-day" threats. Silver Tail should help RSA fill some of those gaps.
Gartner recommends that Silver Tail customers request service-level agreements to ensure an optimum level of customer service. Integration of RSA Adaptive Authentication and Silver Tail alerts into a single dashboard would also benefit customers that use both technologies.
Banks have layers of fraud prevention, sometimes up to 20 different fraud applications, according to Baylor, but enterprise security practitioners need to assess their risk tolerance for Web fraud before considering navigation-centric fraud prevention as a supplementary technology. "It has not been all that helpful in the past," Baylor said. One reason: If you have 25 people doing something on your website, how is that anomalous behavior?
"Overall, if you compare this release to Silver Tail two years ago, it is a much better product that's more applicable to a wider audience," Baylor said, "and I think it has been a good buy for EMC. I think it will give them a path forward. … It is definitely going to have to have some more functionality before it starts moving down market. It is not an everyday enterprise product as [of] yet."