
Dark Web scanner promises to cut data breach detection time to seconds

As the focus of security moves to detection and response, a new product aims to find stolen corporate data within seconds or minutes of a data breach occurring by crawling the dark Web, but one expert questions the need for such a product.

A new security product, designed to anonymously crawl the dark Web for stolen corporate data, is being touted as being able to cut data breach detection time to minutes, but one expert is wary of the safety and need for such a product.

The scanner from Baltimore-based Terbium Labs, called Matchlight, is said to crawl the dark Web constantly in an effort to find stolen data that has been put up for sale on the black market. The claim is that finding data as soon as it is posted to the dark Web will cut detection times of data breaches to "within seconds to minutes."

Terbium Labs CEO Danny Rogers explained that corporations can be given the software to create a "fingerprint" of their sensitive data, which Matchlight then uses to find that data on the dark Web, all without Terbium ever knowing what the data actually is.

"The fingerprint involves breaking the data up into small pieces and then cryptographically hashing those pieces," Rogers said. "We do the same process on the Web crawler side, allowing us to compare only hashes to other hashes. This is how we can blindly search for signatures of clients' data without actually needing to know what the original data is."
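A minimal sketch of the fingerprinting idea Rogers describes, added here as an illustration and not Terbium Labs' code. The piece size, the normalization step, the choice of SHA-256, the function names and the sample strings are all assumptions.

```python
import hashlib

PIECE_LEN = 16  # assumed piece size in bytes; the article does not give one


def normalize(text: str) -> bytes:
    # Collapse case and whitespace so reformatted copies still match.
    return " ".join(text.lower().split()).encode("utf-8")


def fingerprint(text: str, piece_len: int = PIECE_LEN) -> set[str]:
    """Hash every overlapping piece_len-byte window of the normalized text."""
    data = normalize(text)
    if len(data) < piece_len:
        return set()  # too short to fingerprint at this piece size
    return {
        hashlib.sha256(data[i:i + piece_len]).hexdigest()
        for i in range(len(data) - piece_len + 1)
    }


def match_ratio(client_fp: set[str], crawled_text: str) -> float:
    """Fraction of the client's piece hashes that appear in a crawled page."""
    if not client_fp:
        return 0.0
    # The crawler side runs the same process, so only hashes are compared.
    return len(client_fp & fingerprint(crawled_text)) / len(client_fp)


# Constructed sample data, not real records.
SENSITIVE = "acct 4417-0000-1234 jane example, 12 harbor st, baltimore md"
LEAK_PAGE = ("fresh dump!! ACCT 4417-0000-1234   Jane Example, "
             "12 Harbor St, Baltimore MD -- $5 each")
UNRELATED = "selling vpn accounts, escrow accepted, contact via pm for bulk pricing"

if __name__ == "__main__":
    fp = fingerprint(SENSITIVE)  # computed inside the client's environment
    print(len(fp), "piece hashes leave the client, no plaintext")
    print("leak page:", match_ratio(fp, LEAK_PAGE))
    print("unrelated:", match_ratio(fp, UNRELATED))
```

A plain hash hides a piece only as far as that piece is hard to guess; this sketch uses unsalted SHA-256 and says nothing about how Matchlight protects the hashes it receives.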

Morey Haber, vice president of technology for Phoenix-based security software vendor BeyondTrust Inc., said this approach is a new spin on services by companies like Dark Web ID, which would scan the dark Web for domain names and solicit companies based on results.

Haber also said the product made sense but "sounded kind of dangerous," because he felt it was a leap of faith to believe that Terbium Labs would have no way to see the sensitive data it searched for.

"What scares me is not that you're sending the hashes," Haber said, "it's that you're allowing a piece of software into your environment to build those hashes."

Rogers insisted the hashes generated were one-way only, and Terbium has no way to reverse the process and see sensitive data.

Haber's other question concerned the freshness of the data found, because he said it is unclear how quickly stolen data is put up for sale on the dark Web.

"If it can be proven that data was showing up on the dark Web as Target was being breached, [Terbium's] model is pretty cool," Haber said, noting that the stolen data could be part of a coordinated attack used for something like identity theft before being put on the dark Web for sale. "There are tons of sites that only ask for your name and Social Security number, so if you're stealing this information and you have this plan all the way through, you don't even have to sell it."

Rogers acknowledged that some attackers may have more nefarious plans, but said most individuals or groups that conduct the theft are not the same as those who put the data to more criminal use.

"Typically, the data is not stolen by the same parties that use it," Rogers said. "Usually, the data is stolen by an attacker then sold to other fraudsters on the Web. The critical point at which the most damage occurs after a breach is when that stolen data is leaked or sold. By detecting it at that point quickly and quietly, we can mitigate the damage caused by most breaches."

Rogers said Terbium Labs is currently working with a number of Fortune 500 companies while Matchlight is in beta. The company is expanding the beta now and plans to move out of beta by the end of the year.