Risk-based Authentication 1
Defeating Advanced Threats with Risk-based Authentication Security
Marty Jost Symantec Product Marketing
Jeff Burstein Product Management: VIP Authentication Service
Agenda
1. The Big Picture: Why Risk-based Authentication
2. How Risk-based Authentication Works
3. Symantec Intelligent Authentication
4. Demonstration
5. Q&A
Symantec Customers Use IT as a Business Enabler
Improve Processes and Build Competitive Advantage
Mobility to create a flexible workforce
Supply chain integration for better collaboration
On-line applications to reach more customers
Business agility and superior customer service
Elevated risk demands trustworthy access
Strong Authentication Is Critical to Trust
Enhanced credentials provide necessary level of assurance
Username/Passwords Mother’s Maiden Name
Transaction History
physical and/or cryptographic mechanisms provide a 2nd factor
Something You Know Something You Have
Symantec Strong Authentication Solutions
Flexible, diverse technology for broad customer requirements
Symantec™ Web-based Management Symantec™ Cloud-based Authentication Infrastructure
Validation and Identity Protection Service
Multiple Credential Form Factors
(OTP or Risk-based)
Available in hardware or software Stored on disk or “token”
Symantec Managed PKI Service
Device and User Certificates Authorization gateway to cloud
Single Sign-on
Symantec O3
Symantec VIP Service Architecture
Application Integration via RADIUS or Direct via Web Protocols
• High Availability, Cloud-based Architecture
• Single platform offering both token-less and token-based options
• Faster time to value and lower Total Cost of Ownership
• Application-level integration for advanced transaction validation
A Changing Threat Landscape to Manage
Compliance
• Government and industry:
– FFIEC, HIPAA, ISER
– Euro and Asian privacy laws
– PCI, HIE, etc.
• Most regulations additionally require:
– Secure access control
– Segmentation of duty
– Data privacy and integrity
– Audit trails
Non-compliance = negative business impact
Hacking and Malware
• Hacker profile evolving from attention seekers to organized sponsorship
• More sophisticated attacks, which require more sophisticated defenses
• Frequency seems to be increasing
• Trade-off between usability and security
Public security breaches = lost customer confidence
FBI Warning on New Zeus Variant, Called Gameover
November 23, 2011
Once they click on the link they are infected with the Zeus malware, which is able to key log as well as steal their online credentials
Source: http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign
Overview of Zeus, SpyEye Malware
How Malware-based Fraud Works
Symantec VIP Intelligent Authentication
Broad Applicability Across Industry and Use Cases
Others
• “Token-less” secure remote access
• Single Sign On
• Self Service Portals
• SharePoint
• Outlook Web Access
Healthcare
• HIPAA, EU 95/46
• Protect patient data
• Healthcare Information Exchange (HIE)
Financial Services
• FFIEC, FSA, EU 95/46
• Protect online accounts
• Reduce fraud costs
Avivah Litan
VP & Distinguished Analyst Gartner
Eighty percent of financial institutions have very weak security, relying mainly on cookies, Flash objects and challenge questions
Source: Bankinfosecurity.com,“FFIEC: First Steps Toward Compliance - Gartner's Litan Explains What Institutions Need to Do Now,” Jeffrey Roman, July 15, 2011 http://www.bankinfosecurity.com/articles.php?art_id=3850
Recommended Best Practice: “Layered Security”
• Layered security controls: respond to suspicious or anomalous activity
– Initial login of customers requesting access
– Initiation of electronic transactions involving the transfer of funds
• Recommended Methods
– Blocking known “bad actors”
– Complex Device IDs
– Situational risk profiling
– Out of band options
• Not just for end users / consumers!
– “layered security should include enhanced controls for [privileged users]”
FFIEC Guidance Articulates the Key Requirements
How Symantec VIP Intelligent Authentication Helps
Addressing Need for Layered Security
Behavior profiling: Profiles login behavior, but does not yet provide transaction-level behavior profiling
Complex device ID: Client-based and JavaScript-based fingerprint of OS, browser, software and hardware configuration
Device reputation: Check IP against Symantec Global Intelligence Network, check location for “bad” countries, check Norton™ / Symantec Endpoint Protection presence/device health
Out of band authentication: IA uses “step up” authentication; SMS, Voice, Email OTP provide OOB transaction verification
Intelligent Authentication in Action
Synergy of Integrated Symantec Solutions
Symantec™ VIP New Feature Overview – Symantec™ VIP Intelligent Authentication 15
Multiple Technologies Combine for Best Defense Against Malware
Symantec™ Endpoint Protection Client and Global Information Network
Intel® Identity Protection Technology (IPT)
Prevent infection and defeat attack
Device Reputation
Risk-based, OATH-based OTP
OCRA Transactions
Symantec™ Global Intelligence Network
Identifies more threats, takes action faster & prevents impact
Information Protection Preemptive Security Alerts Threat Triggered Actions
Global Scope and Scale Worldwide Coverage 24x7 Event Logging
Rapid Detection
Attack Activity
• 240,000 sensors
• 200+ countries
Malware Intelligence
• 180M client, server, gateways monitored
• Global coverage
Vulnerabilities
• 45,000+ vulnerabilities
• 15,000 vendors
• 105,000 technologies
Spam/Phishing
• 5M decoy accounts
• 8B+ email messages/day
• 1B+ web requests/day
Austin, TX
Mountain View, CA
Culver City, CA
San Francisco, CA
Taipei, Taiwan
Tokyo, Japan
Dublin, Ireland
Calgary, Alberta
Chengdu, China
Chennai, India
Pune, India
Symantec™ Global Intelligence Network
Integration into Symantec User Authentication Solutions
Unmatched detection of emerging sources of risk
Symantec™ VIP Intelligent Authentication
Symantec DeepSight technology, powered by
Symantec™ Global Intelligence Network
+ Bots by Patterns, Contact
+ Command and Control
+ Phishing Hosts
+ Top 100K Attacking IPs
Enhanced fraud capture
Reduced false positives
More accurate risk assessment
Bumper-to-Bumper Security Strategy
Bumper-to-Bumper Security
Login Available Today
Evolving
Monetary Transactions
Log-out
Non-Monetary Touch Points
Anatomy of a Man-in-the-Middle Attack
Attack is Executed From User’s Compromised Machine
From: A To: B
Amount: $5,000
From: A To: C
Amount: $15,000
Thanks!
Preventing a Man-in-the-Middle Attack
Using Transaction-Level Behavior Profiling + OOB Authentication
From: A To: B
Amount: $5,000
From: A To: C
Amount: $15,000
Argh!
From: A To: C
Amount: $15,000
Transaction Validation Options
• Amount Anomaly
– Monitor monetary transactions going out of an account
– Varied risk based on transaction type
  • e.g. Wire Transfer type of transaction is more sensitive than Bill Payment
– Build user behavioral patterns based on amount and type of transaction
– Also monitor aggregated amounts transferred per day/time period
– Flag when a transaction’s amount or the aggregated amount is anomalous
• Time Series Interval Anomaly (Transaction Velocity Anomaly)
– Monitor monetary transactions coming into or going out of an account
– Build frequency patterns of the account activity
– Flag when the destination of the transfer is anomalous
– Flag when the frequency of transactions is anomalous
Assessing Monetary Transaction Risk
Bumper-to-Bumper Security
• Destination Anomaly
– Monitor and build user behavioral patterns based on destinations of the transfer
– Also monitor the frequency of newly added destination accounts for money transfer
– Flag when the frequency of added destination accounts is anomalous
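The amount, velocity and destination checks listed above, applied to the altered-transfer scenario from the man-in-the-middle slides, as an added example (not code from the presentation and not Symantec's implementation). The type weights, step-up threshold, three-sigma rule and account history are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed weights: a wire transfer is more sensitive than a bill payment.
TYPE_WEIGHT = {"wire": 2.0, "bill_pay": 1.0}
STEP_UP_THRESHOLD = 2.0  # assumed score that triggers out-of-band verification

# Constructed history for account A: (day, type, destination, amount)
HISTORY = [(1, "wire", "B", 4800.0), (3, "wire", "B", 5200.0),
           (3, "bill_pay", "utility", 120.0), (7, "wire", "B", 5000.0),
           (9, "bill_pay", "utility", 130.0)]

class AccountProfile:
    """Behavioral profile built from an account's past outgoing transfers."""
    def __init__(self, history):
        self.amounts = defaultdict(list)       # type -> past amounts
        self.daily_total = defaultdict(float)  # day -> amount moved that day
        self.daily_count = defaultdict(int)    # day -> number of transfers
        self.destinations = set()              # destinations seen before
        for day, tx_type, dest, amount in history:
            self.amounts[tx_type].append(amount)
            self.daily_total[day] += amount
            self.daily_count[day] += 1
            self.destinations.add(dest)

    @staticmethod
    def _outlier(value, samples, k=3.0):
        # Above mean + k*sigma (sigma floored at 5% of the mean); no history = outlier.
        if not samples:
            return True
        m = mean(samples)
        return value > m + k * max(pstdev(samples), 0.05 * m)

    def assess(self, tx_type, dest, amount, spent_today=0.0, count_today=0):
        """Return (score, reasons) for a pending transfer."""
        reasons = []
        if self._outlier(amount, self.amounts[tx_type]):
            reasons.append("amount")
        if self._outlier(spent_today + amount, list(self.daily_total.values())):
            reasons.append("daily_total")
        if self._outlier(count_today + 1, list(self.daily_count.values())):
            reasons.append("velocity")
        if dest not in self.destinations:
            reasons.append("destination")
        return len(reasons) * TYPE_WEIGHT.get(tx_type, 1.0), reasons

def decide(profile, **tx):
    """Allow the transfer or require out-of-band confirmation of its details."""
    score, reasons = profile.assess(**tx)
    return ("step_up_oob" if score >= STEP_UP_THRESHOLD else "allow"), reasons
```

With this history, the expected A-to-B transfer of $5,000 passes, while the altered A-to-C transfer of $15,000 trips the amount, daily-total and destination checks and is held for out-of-band confirmation.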
Assessing Monetary Transaction Risk
Back to the Present
Where Can We Help Right Now?
REPLACE
• OTP / OOB still in play
• It’s all part of VIP!
• Legacy OTP solutions
• High Net Worth Users
• Commercial Banking
• Privileged Users
• Administrators for internal IT systems
• Systems subject to PCI
AUGMENT
• Augment their current detection measures with IA’s login authentication
• Deliver complex device ID and behavior analysis
• Symantec Global Intelligence Network
• Reputation data pulled from Norton/SEP clients (coming soon)
• Augment their “step up” authentication with Out of Band (SMS/Voice/Email)
EXPAND
• Position for future with transaction profiling for deeper integration
• Other areas of the organization (not related to their online banking services)
Why Symantec VIP Intelligent Authentication?
The Leading Cloud PKI Platform…And It Just Got Better
Flexible: Deploy easily with global coverage
Scalable: Deliver consistent, automated, and reliable operation
Cost-effective: Deliver and manage applications from a single, unified platform
Unique: Build on the proven reliability of the Symantec Global Information Network and Norton reputation capabilities
Demonstration
Questions?
Thank you!
SYMANTEC PROPRIETARY/CONFIDENTIAL – INTERNAL USE ONLY Copyright © 2012 Symantec Corporation. All rights reserved.