Rather than building taller silos of data that become even bigger targets for criminals, enterprises must come together around common means of data exchange and collaboration. IBM and Prudential are making incredible strides within their organizations to correlate their cyber and fraud intelligence data, leading to faster, more actionable decisions.
Last month TruSTAR sat down with Allen Roundtree, the Executive of Platform Security for IBM Softlayer, and Scott Johnson, the Director of Cyber Investigations and Incident Response at Prudential, to learn how each of their organizations is using cross-team correlation methods to speed investigations and catch the bad guys.
Below we’ve edited and condensed some of the live Q&A that took place. To listen to the full discussion, click here.
Chris Godfrey, Fraud Intelligence Lead at TruSTAR (CG): We talk a lot about the concept of “Connected Defense.” What are the challenges you’re taking on as you try to connect multiple teams within your company?
Allen Roundtree, Executive of Platform Security for IBM Softlayer (AR): IBM is a large company and I oversee multiple teams under the umbrella of our fraud and security organization. My primary challenge is taking my fraud, anti-abuse, and cyber teams and getting them to share data while keeping my compliance and legal teams happy. If I want to do the same thing with other business units, I have to convince other team leaders that connecting data pools together and making correlations is valuable for everyone. I can make a convincing argument by telling them about the legal, compliance and tooling challenges we have already overcome.
As we streamline our intelligence operations, some of the questions my team is grappling with are: Should we monetize? Should we collaborate with customers? And if so, should we vet those customers?
Scott Johnson, the Director of Cyber Investigations and Incident Response at Prudential (SJ): The ways I’ve addressed threat intelligence among my teams have evolved over time. I have to satisfy two sides of my security organization: the Business Unit, which oversees the daily business operations of Prudential, and the Internal Information Security Unit. Initially we found ourselves very plugged into the info security side of things. We saw vast amounts of data flowing through this team, such as indicators of compromise (IOCs) and alerts, flowing across the wire with good visibility. When I compared the Information Security data flow to the Business Unit, it became clear to me that both sides of the house shared some very distinct IOCs, like domains, email addresses, and even phone numbers. I saw that there were data points popping up on both sides that actually link.
Looking through this problem with the TruSTAR lens helped me immediately realize that the same people dealing with botnets and command and control servers have relationships to the adversaries who are doing account takeover fraud and similar campaigns. Linking them seemed to be the logical way to go.
CG: At TruSTAR we often say that “one person’s fraud problem can be another person’s security problem.” What are you both seeing along those lines? How are the worlds of fraud and security beginning to blend together?
AR: In the cloud services industry, seeing potential correlations between what happens when someone defeats our fraud mechanisms and then what happens to our anti-abuse teams is extremely helpful. When a fraudster comes on the platform, they’re not trying to set up a legitimate business. They’re there to broadcast spam or set up a botnet torrent to conduct malicious activities.
Before we started correlating our fraud and anti-abuse data streams, the abuse team was taking action before the fraud team had a chance to investigate. After we connected these data streams we discovered we had customers that were being affected on both sides. By correlating and corroborating these data streams, we’ve been able to take action faster and protect the reputation of our IP space.
CG: How do you determine which observables you should be tracking and correlating?
SJ: The most valuable observables are the ones that we know are attempting to abuse us. You may think it’s one monolithic enterprise, but it’s a series of connected business units. Regardless of what business unit the bad guys are attacking within the enterprise, adversaries are using playbooks and shared infrastructure to set up fraudulent banking accounts, compromised machines and VoIP systems, and they’re using those in a programmatic, disciplined manner to attack victim after victim.
Using security operations tools like TruSTAR and SIEMs to connect individual business units with fraud IOCs we’ve already observed elsewhere has had a magical effect on reducing the effectiveness of the opposition. By combining these two streams of data, we’re able to give our business units IOCs far in advance. It’s that kind of crossover that adds a tremendous amount of value.
CG: Allen, how are you thinking of advancing the concept of Connected Defense beyond the four walls of IBM? What are the challenges?
AR: This concept is what brought IBM to TruSTAR. Today we’re participating in something called the Cloud Fraud Exchange, which has cloud service provider business competitors sharing and correlating fraud indicators among one another. Fraudsters are trying to keep their costs down just like any other business. They want to be able to leverage the same threat package or threat profile across multiple vendors.
We created the Cloud Fraud Exchange because we want to close the loop faster on fraudulent activity. If we can do that at scale, we can drive up the cost of maintaining that infrastructure for our adversaries and force them to change up their TTPs and playbooks more often. If we can do that long enough and fast enough, we can take away the profit from the fraudsters, which in turn makes us a hardened and less profitable target for adversaries. By becoming a cohesive collaborative group, these fraud actors won’t be able to leverage the cloud for malicious activities.
CG: Scott, what are you doing at Prudential to expand threat intelligence exchange?
SJ: My phone is ringing off the hook. People want to know how information sharing works. Here’s a quick anecdote I always use that proves the value:
Recently we had a DDoS incident at Prudential and very quickly people suspected it may be an insider threat. My team was in charge of assessing whether this threat was coming from inside or outside our organization. I was able to very quickly drop some IOCs into TruSTAR and identify six other companies who had shared overlapping IOCs from this same malicious actor. With this data in hand, I was able to go back to management and verify this threat was coming from an outside group. This ability to verify the attack was coming from an outside group allowed me to cut my investigation time in half. The immediate value in sharing data is overwhelming when observed in this context.
Thank you Scott and Allen for this valuable insight!