Analyst Report: EMA - The Industrialization of Fraud Demands a Dynamic Intelligence-Driven Response

IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

The Industrialization of Fraud Demands a Dynamic Intelligence-Driven Response

An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper Prepared for RSA, The Security Division of EMC

March 2012

Upload: emc-academic-alliance

Post on 06-May-2015


DESCRIPTION

This Enterprise Management Associates analyst report describes recommendations for responding to industrialized cybercrime threats.

TRANSCRIPT


Table of Contents

©2012 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com


Executive Summary

Fraud in 2012: The Maturing of an Industry

The Net Result: The Industrialization of Fraud

How to Defend Against an Industry?

Dynamic, Adaptive, and Intelligence-Driven: The RSA Identity Protection and Verification Suite

    At the Core: Intelligence and Expertise

    Integrating Real-Time Intelligence with Anti-Fraud Technologies

        Before Any Transaction: RSA Identity Verification

        Assuring Confidence in Access: RSA Adaptive Authentication

        After Access is Gained: RSA Transaction Protection

    Support for a Comprehensive Strategy: RSA FraudAction Service

EMA Perspective

About RSA, The Security Division of EMC


Executive Summary

As criminals have discovered the profitability of attacks against information systems, the impact of fraud has grown. Adversaries have discovered the lucrative nature of harnessing cyber threats. Their innovations have made it easier to steal from a wider range of victims. This has spurred the commercialization of crimeware and services – which, in turn, has given rise to specialization, competitive pressures, and other factors that illustrate how fraud, abetted by cyber crime, has grown from the unrelated activities of a few into an industry in its own right.

This industry has produced a level of automation and sophistication in fraud techniques to rival those of the legitimate business world. The commercial-grade packaging of complex threats makes it possible to readily convert personal systems into pawns that facilitate fraud, often unbeknownst to their rightful owners. Large-scale systems management capitalizes on the ability to harness entire networks of compromised hosts whose masters often avoid detection and defeat through highly nimble evasive tactics. The net result: an industrialized threat that is costing businesses billions of dollars worldwide.

In this paper, ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) analysts explore the response organizations must marshal to stand up to this industrialized cyber crime threat. If attackers are well organized and well informed, take advantage of the latest innovations in the shadow market of crimeware and automation, and capitalize on intelligence to maintain their advantage, organizations must respond accordingly.

Coordinated strategies embracing multiple tactics to limit exposure and improve effectiveness are now mandated by guidance such as that of the U.S. Federal Financial Institutions Examinations Council and other regulations worldwide affecting businesses targeted by fraud. The RSA Identity Protection and Verification Suite offers an example of such a coordinated approach. With its early leadership in technologies and services that integrate intelligence with anti-fraud tactics in real time, the RSA Identity Protection and Verification Suite gives organizations the tools to enable strategies for confronting an industrialized threat with an industry-wide response.

Fraud in 2012: The Maturing of an Industry

In years past, those who sought to perpetrate fraud by exploiting information systems often worked alone. They may have selected their methods, harvested valuable data and carried out fraudulent transactions in relative isolation, working independently for their own gain.

Today, the profitability of cybercrime has transformed the nature of the game. Consider phishing attacks alone, which the RSA Anti-Fraud Command Center estimates to have cost businesses $1.3 billion in global fraud losses in 2011. Phishing continues to be a problem that plagues businesses around the globe. From the first to the second half of 2010, the Anti-Phishing Working Group noted a 40 percent increase in unique phishing attacks worldwide over the previous half-year. That figure grew even more dramatically in the first half of 2011, when the Group observed an increase of 70 percent over the second half of 2010, owing largely to attacks on Chinese targets and those that leverage shared virtual servers to infect multiple domains at once.[1]

[1] http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_1H2011.pdf, pp. 4-5


The growth in profitability has had the same impact on the business of fraud as it would in any other endeavor – it has given rise to a market as well defined as any in the legitimate business world:

• Commercialization: From assortments of exploits collected over time and through the experience of individuals, the profitability of fraud has matured attacks into packaged products and even product sets made available through covert commercial channels. Frameworks that enable exploits to be built from components have accelerated the “time to market” of more complex threats. Depending on the need, crimeware can in some cases be had in “standard,” “gold” or “platinum” editions, revealing sophistication in serving a market that directly parallels legitimate consumer businesses.

• Commoditization has naturally followed commercialization, as the expertise of a few has become available to many. Once an attack concept becomes coded as malware, it becomes available to a much greater number of adversaries who need not be more sophisticated than the original author (and are often far less). As the tools of fraud have become more widely available, prices have fallen accordingly. According to RSA research, a fully functional version of the Zeus Trojan that may have once sold for $10,000 can now be had for as little as $380 for a “twofer” recompile.[2]

• Competition has further commoditized crimeware and depressed prices in the illicit market. The SpyEye Trojan has been a significant competitor to Zeus, with capabilities that can displace Zeus when found on a target. SpyEye, too, has gone from $10,000[3] for a full version to $4,000 and then to as low as $600 for the attack binary with setup and injection features.[4] The publication of SpyEye source code in 2011 may further erode its price while at the same time help to obscure its users, now that virtually anyone with the necessary skill can recompile the attack.[5]

• Specialization: The commercialization of fraud has created new opportunities for expertise in specific domains of the craft. With the release of source code such as that of Zeus and SpyEye into the open market, creativity has flourished. Recompiles, bespoke Trojans designed to be unique to an individual attacker, geographically specific attacks and other refinements have led to a situation where custom malware has become a significant factor in cyber crime. Verizon reported that custom attacks made up one-third of the malware in its investigated caseload of 2011 data breaches.[6] Development platforms analogous to the Integrated Development Environments (IDEs) of legitimate software enable attackers to construct complex attacks from specialized modules with minimal effort. Supplemental “off the shelf” products have arisen to serve emerging segments of the market, such as “anti-security” software that defends crimeware against detection and defeat.

• “Fraud as a Service”: The increasing specialization of fraud has also given rise to entrepreneurs who recognize the value of services to support and enhance fraud activity. Malware purveyors have shifted from keeping techniques close to the vest, to offering malware modules for sale. This, in turn, has led to what are effectively subscription services, where a provider may, for example, make injection scripts available for a small fee (such as $5 each), or provide unlimited access to a variety of modules for $50 per month.[7] As fraud-enabling resources have proliferated, some have produced services such as the MegaSearch search engine, which aggregates information on compromised payment cards and enables fraudsters to locate those selling them.[8]

[2] The Year in Crimeware, RSA FraudAction Anti-Trojan Service, January 2012, p. 20
[3] http://www.informationweek.com/news/security/vulnerabilities/231500020
[4] The Year in Crimeware, p. 20
[5] http://www.informationweek.com/news/security/vulnerabilities/231500020
[6] 2012 Data Breach Investigations Report, Verizon Business et al., p. 30
[7] The Year in Crimeware, p. 20
[8] http://krebsonsecurity.com/2012/01/megasearch-aims-to-index-fraud-site-wares/


The Net Result: The Industrialization of Fraud

These developments make one central fact clear: fraud has grown from a criminal activity into an industry. Spam and messages that abuse email systems now make up 88.8% of mail volume across more than 400 million mailboxes among the participating member service operators of the Messaging Anti-Abuse Working Group.[9] Nearly one-fourth of spam email contained malware in August 2011 – and much of that malware targeted fraud as its objective.[10]

How have the malicious been able to dominate this much of legitimate IT? Through the sophistication of attacks made possible by an industrial ecosystem:

• Multifunctional attacks that encompass a variety of ways to compromise victims have been made possible by readily used frameworks for their construction, and crimeware of a quality similar to commercial-grade off-the-shelf software in packaging, delivery and support.

• Sophisticated automation rivaling the scale and efficiency of enterprise-class IT management systems that enables the fluid control of large-scale networks of compromised hosts.

• Tools that harness the power of the Internet to further expand fraud on a similarly global scale. Compromised hosts can, for example, become spam or phishing amplifiers, dramatically increasing the likelihood of successful exploit.

• Web sites – malicious as well as legitimate sites whose vulnerabilities have been exploited – can be engaged to further propagate attacks, by enabling a compromised host to download additional crimeware at the command of a remote manipulator, often without the victim’s knowledge. The reach of sites can be further extended through techniques such as search engine manipulation.

• What cannot be automated can be accomplished by an industry that can recruit large numbers of people to perform often straightforward yet lucrative tasks, such as enabling cross-border money transfers that might lead to identification of foreign criminals if out-of-country fraudsters were to attempt to transfer funds directly via remote control. The pressures of a distressed economy make it that much easier for fraudsters to recruit these “mules” with the promise of easy money in exchange for absorbing this aspect of their employers’ risk. This is in addition to what may be considered a “mule” of another sort: an unsuspecting individual whose personal system has been compromised to perform essentially the same function remotely, typically without the user’s awareness, and using the individual’s (legitimate) credentials.

• At this industrial level, fraud becomes an efficient business of opportunity. Each one of millions of compromised victims can become a source of information that can be exploited to siphon off material assets – or perhaps to access even more valuable data such as intellectual property or other assets whose compromise could seriously damage a victim – regardless of whether an individual or a global enterprise.

• The tactics of industrialized fraud give criminals access to a wide range of targets – from the usernames and passwords of legitimate account holders, to data that enables fraudsters to successfully impersonate victims in applying for credit or access to tangible assets.

[9] Messaging Anti-Abuse Working Group (MAAWG) Email Metrics Report, First, Second and Third Quarter 2011, http://www.maawg.org/sites/maawg/files/news/MAAWG_2011_Q1Q2Q3_Metrics_Report_15.pdf

[10] http://redmondmag.com/articles/2011/08/18/spam-hiding-malware-increases-in-august.aspx


• Access alone is not the only risk. Once access is gained, organizations must maintain vigilance over transactions to assure that access was not gained through fraud, or that fraud is not the objective of what appears to be legitimate access.

• This, in turn, indicates the level of intelligence defenders must muster to match the intelligence capabilities of criminals in control of millions of compromised victims. These professionals are able to evade detection through nimble techniques such as the ability to move botnets quickly from one mass of compromised systems to another, or to hide behind complex abstractions of IP addresses and hostnames that change dynamically in response to attempts to detect and expose fraud activity.

Given these capabilities, it is hardly surprising that:

• Ninety-eight percent of breaches analyzed in the 2012 Verizon Data Breach Investigations Report are attributable to external agents, or that 79 percent resulted from “opportunistic” attacks[11] – the very sort of exploit that large-scale automation and commercial-quality crimeware are designed to capitalize upon.

• Large-scale cyber crime rivals even the greatest achievements of legitimate efforts. In the “DNS Changer” botnet targeted in late 2011 by the U.S. FBI, approximately 4 million hosts were compromised, roughly twice the number of the Rustock botnet taken down the previous March.[12] This is more than 30 percent larger than SETI@Home, one of the largest legitimate distributed computing efforts to date, which currently numbers slightly more than 3 million hosts.[13]

These facts describe the nature of concern manifested in guidance issued in 2011 by the U.S. Federal Financial Institutions Examinations Council (FFIEC) in its Supplement to Authentication in an Internet Banking Environment, which noted that:

“The Agencies [of the FFIEC] are concerned that customer authentication methods and controls implemented in conformance with the Guidance several years ago have become less effective. Hence, the institution and its customers may face significant risk where periodic risk assessments and appropriate control enhancements have not routinely occurred.”[14]

These concerns are shared by regulators worldwide, including the Reserve Bank of India, South Korea’s Financial Supervisory Service, the Infocomm Development Authority of Singapore, Mexico’s National Banking and Securities Commission, and the People’s Bank of China – all of which have responded since early 2010 with regulation targeting much the same objectives as the guidance of the U.S. FFIEC.

This concern extends beyond financial fraud alone. It should be noted that once criminals have access to sensitive data linked to tangible assets, they might not stop at fraud. The access to additional sensitive information made possible by the tactics of industrialized fraud – such as usernames, passwords, access information, sensitive intellectual property or other valuable information assets – could be exploited to commit other crimes, which could cause even greater problems for individuals and organizations alike.

[11] 2012 Data Breach Investigations Report, Verizon Business et al, p. 16, 47
[12] http://www.computerworld.com/s/article/9221699/Feds_lead_biggest_botnet_takedown_ever_end_massive_clickjack_fraud
[13] http://boincstats.com/stats/project_graph.php?pr=sah as of February 7, 2012
[14] http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf as of February 15, 2012


How to Defend Against an Industry?

Strategists should take note of the common themes in these aspects of industrialized fraud:

• An industry enables efficient, large-scale operations. Sophisticated automation backed by integrated capabilities from multiple sources speaks to how the fraud landscape has matured. Global complexity is managed deftly when the tools of industry make it possible.

• Broad intelligence capabilities inform and refine fraud techniques and drive further evolution of the fraud industry. Enabled by large-scale automation, criminals collect intelligence from millions of victims, and from successful as well as unsuccessful exploits. This enables them to understand the victim’s common weaknesses and the most successful tactics for achieving objectives and evading fraud defense.

• Identity is key. Fraud, after all, is about exploiting legitimate access to, and control over, valuable assets – and the technologies that handle them. What many organizations may have overlooked in the growing industrialization of fraud, however, is that protecting identity has come to mean much more than just strengthening a login or password. Today, it means greater protection for both individuals and institutions, and not just at login. From assuring identity in the provisioning of access, through validating legitimate activity throughout transaction processes and defending transactions against abuse, identity has become a pervasive factor in protecting organizations from fraud risk. This also highlights the pivotal role of identity in a “layered” approach to security, such as that described by the U.S. FFIEC.

Defenders must respond accordingly:

• Confronting an industry requires a response up to the task. Organizations require industry-wide intelligence and action in order to make the most of effective techniques for detection and defense.

• The harnessing of dynamic intelligence is vital. Today, intelligence, detection and defense are coming together as never before. Defenders must have broad as well as detailed insight into activity across the fraud landscape – but this means more than just awareness. Today’s most advanced techniques for protecting assets harness that intelligence in real time, from equipping expert anti-fraud analyst teams with up-to-the-moment insight, to automating the decision to permit, block or more closely monitor transactions when evidence of potential or actual fraud is found.

• Identity is key. If fraud is about exploiting legitimate access to, and control over, valuable assets, defending identity and strengthening authentication must be paramount. When fused with the evolution of intelligence-driven defense, this means an entirely new approach to protecting identity and defending against unauthorized or criminal access. It means arming identity and access management with a dynamic, intelligence-driven response to detected or attempted fraud, from the outer defenses of application systems, through the lifecycles of sensitive transactions. It also means establishing a higher confidence in identity based on informed insight.


Such an approach is consistent with the “layered security” concept described in the U.S. FFIEC’s 2011 Supplement to Authentication in an Internet Banking Environment:

“Layered security is characterized by the use of different controls at different points in a transaction process so that a weakness in one control is generally compensated for by the strength of a different control. Layered security can substantially strengthen the overall security of Internet-based services and be effective in protecting sensitive customer information, preventing identity theft, and reducing account takeovers and the resulting financial losses.”[15]

The FFIEC Supplement further identifies two key areas of focus: detection and response to suspicious activity, and control over privileged access to financial information systems. This suggests the strong linkage between intelligence and identity, and the need for strategy and tactics that unite both.

Dynamic, Adaptive, and Intelligence-Driven: The RSA Identity Protection and Verification Suite

With its long history in fraud defense, the RSA Identity Protection and Verification Suite counters the evolution of fraud with a comprehensive set of capabilities that herald a growing trend of intelligence integrated with tactics for confronting the fraud industry.

Testifying to these capabilities are RSA’s accomplishments in defeating fraud. According to the RSA Anti-Fraud Command Center, RSA has shut down more than 550,000 phishing attacks and more than 100,000 Trojan attacks in 185 countries over the past seven years. As this capability has grown in response to the growth of fraud as an industry, it has led to the development of a coordinated set of capabilities required to counteract well-organized threats to valuable assets.

At the Core: Intelligence and Expertise

RSA’s anti-fraud strengths are centered on a foundation of intelligence with insight throughout the fraud landscape. This intelligence is collected and delivered by analysts with significant expertise in the study of fraud activity and tactics, and in the techniques required for effective response:

• Analysts at the RSA Anti-Fraud Command Center (AFCC) work around the clock, every day of the year, to identify and shut down sources of fraud, cyber crime and communications channels that enable attacks such as phishing and malware distribution. They conduct intensive forensic work in order to understand the granular details of fraud essential to informing strategies and tactics, mounting an appropriate response to incidents, and recovering credentials when compromised. The AFCC has established relationships with multiple network service providers worldwide, and maintains expertise in nearly 200 languages to better detect and counter fraud activity where found.

[15] http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf, as of February 15, 2012


• This expertise informs intelligence-driven RSA services for sharpening the ability to recognize fraud and defeat it before it has a damaging impact, such as the RSA eFraudNetwork, which maintains a continuously updated repository of fraud patterns gleaned from throughout RSA’s network of customers, service providers, and third party sources worldwide. The RSA eFraudNetwork tracks cybercriminal profiles, patterns and behavior across 185 countries and maintains this data in a shared repository accessible to customers to keep them alerted to current trends in fraud activity. This information enables customers to better recognize fraud early and intervene more effectively to protect valuable assets from abuse.

• The RSA FraudAction Service provides round-the-clock detection, alerting, shutdown and reporting on fraud activity that provides a foundation on which effective fraud countermeasures can then build to strengthen defense against industrialized fraud. Analysts at the RSA Anti-Fraud Command Center provide these services to protect organizations against phishing, pharming and Trojan attacks, and to supplement anti-fraud strategies with focused expertise in the field. These capabilities can further help to round out a comprehensive strategy (as described in a later section of this report).

Integrating Real-Time Intelligence with Anti-Fraud Technologies

RSA’s fraud intelligence capabilities do more than inform customers of fraud activity. Today’s emerging anti-fraud technologies also integrate intelligence directly into real-time defense.

• The RSA Risk Engine offers a significant example of this capability. Central to a number of RSA technologies for defeating fraud, protecting identity and verifying transactions, the RSA Risk Engine detects online activity, analyzes it for evidence of potentially fraudulent or malicious behavior, and scores this activity in real time. The Risk Engine collects and analyzes large amounts of data from multiple sources. It evaluates online activity for more than 150 indicators of actual or potential fraud in real time, and assigns a unique risk score between 0 and 1,000 to each activity. Factors include user behavior, authentication and transaction activity, device and access context and more. It employs both a self-learning statistical model to maintain currency and accuracy of assessment. When combined with a policy manager that enables organizations to define their own risk management criteria, the RSA Risk Engine provides a layered approach to automating assessment of the integrity of observed access attempt and transaction behavior. This risk assessment serves as the basis for allowing transparent authentication, allowing the majority of transactions to pass unhindered, and identifying only the most risky transactions or activity for additional authentication.

This capability is directly consumed in RSA anti-fraud and authentication technologies to manage online activity and dynamically protect access to reduce risk and identify new fraud trends as they develop.


Before Any Transaction: RSA Identity Verification

Before any entity can be trusted with valuable assets, its identity and authorization must be verified. Criminals often seek to exploit weaknesses in proving identity in order to masquerade as legitimate parties or to gain unauthorized access to assets. It is thus an important first step, before establishing any relationship between individuals or organizations and their assets, to assure high confidence in the identity of asset owners and custodians. This assurance depends on intelligence-based distinction of those who are who they claim to be from those who are not.

• RSA Identity Verification offers a consumer service that confirms a user’s identity in real time. It incorporates dynamic knowledge-based authentication that presents users with a series of questions that are formed based on information accessible from dozens of public and commercially available sources. This capability can deliver a high-confidence confirmation of identity within seconds, even if no prior relationship has been established with the user.

RSA Identity Verification exemplifies techniques that directly integrate intelligence with strengthening fraud prevention in real time. It can, for example, determine that the potential for fraud may be increased based on identity fraud alert monitoring, checks of recent public records searches, source IP flagging, “identity velocity” checks for high volumes of activity associated with one individual at several businesses, or “IP velocity” indicators of multiple authentication requests generated from a single IP address. Risks detected from these sources are computed in an identity risk score that helps quantify the risk associated with an identity and automates response accordingly. When these factors are detected, RSA Identity Verification can dynamically increase question difficulty to limit the probability that the entity seeking to establish identity is not who it claims to be.
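The "IP velocity" and "identity velocity" checks described above can be sketched as sliding-window counters that feed a risk score and a question-difficulty tier. This is an added example, not RSA's implementation and not code from the report; the window length, limits, weights, tier names and sample requests are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# All thresholds, weights and tiers below are assumptions chosen for illustration.
WINDOW_SECONDS = 600          # sliding window shared by both velocity counters
IP_VELOCITY_LIMIT = 5         # requests tolerated from one IP per window
IDENTITY_VELOCITY_LIMIT = 3   # distinct businesses tolerated per identity per window
WEIGHTS = {"ip_velocity": 40, "identity_velocity": 40, "ip_flagged": 30}


@dataclass(frozen=True)
class VerificationRequest:
    ts: int            # epoch seconds; requests are assumed to arrive in time order
    source_ip: str
    identity_id: str   # opaque reference to the claimed identity
    business: str      # relying business that asked for the verification


class VelocityTracker:
    """Keeps only the events that fall inside the sliding window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.by_ip = defaultdict(deque)         # ip -> timestamps
        self.by_identity = defaultdict(deque)   # identity -> (timestamp, business)

    def observe(self, req):
        """Record a request and return (ip_velocity, identity_velocity)."""
        ip_hits = self.by_ip[req.source_ip]
        id_hits = self.by_identity[req.identity_id]
        ip_hits.append(req.ts)
        id_hits.append((req.ts, req.business))
        # Expire events older than the window; the event just added never expires.
        while req.ts - ip_hits[0] >= self.window:
            ip_hits.popleft()
        while req.ts - id_hits[0][0] >= self.window:
            id_hits.popleft()
        # Identity velocity counts distinct businesses, not raw request volume.
        return len(ip_hits), len({business for _, business in id_hits})


def identity_risk_score(ip_velocity, identity_velocity, ip_flagged):
    """Combine the signals into a 0-100 score (scale is an assumption)."""
    score = 0
    if ip_velocity > IP_VELOCITY_LIMIT:
        score += WEIGHTS["ip_velocity"]
    if identity_velocity > IDENTITY_VELOCITY_LIMIT:
        score += WEIGHTS["identity_velocity"]
    if ip_flagged:
        score += WEIGHTS["ip_flagged"]
    return min(score, 100)


def question_difficulty(score):
    """Map the score to a knowledge-based-question tier (tier names assumed)."""
    if score >= 70:
        return "maximum"
    if score >= 30:
        return "elevated"
    return "standard"


def assess(requests, flagged_ips=frozenset()):
    """Return (ip_velocity, identity_velocity, score, difficulty) per request."""
    tracker = VelocityTracker()
    results = []
    for req in requests:
        ip_v, id_v = tracker.observe(req)
        score = identity_risk_score(ip_v, id_v, req.source_ip in flagged_ips)
        results.append((ip_v, id_v, score, question_difficulty(score)))
    return results


# Constructed sample traffic (documentation-range IPs, made-up identities).
BURST_IP = "203.0.113.50"
SAMPLE_REQUESTS = (
    [VerificationRequest(0, "198.51.100.7", "id-alice", "bank-a")]
    # One IP submits six different identities within a minute.
    + [VerificationRequest(100 + 10 * i, BURST_IP, f"id-{i + 1:03d}", "lender-x")
       for i in range(6)]
    # One identity is presented at four businesses within a minute.
    + [VerificationRequest(200, "198.51.100.21", "id-bob", "bank-a"),
       VerificationRequest(210, "198.51.100.22", "id-bob", "card-b"),
       VerificationRequest(220, "198.51.100.23", "id-bob", "lender-x"),
       VerificationRequest(230, BURST_IP, "id-bob", "telco-c")]
    # The same IP returns after the window has passed and is treated as quiet.
    + [VerificationRequest(1000, BURST_IP, "id-007", "lender-x")]
)

if __name__ == "__main__":
    for req, result in zip(SAMPLE_REQUESTS, assess(SAMPLE_REQUESTS)):
        print(req.ts, req.source_ip, req.identity_id, result)
```

Counting distinct businesses rather than raw requests keeps a customer who retries at one business from looking like an identity being shopped around, and expiring old events lets a shared or reassigned IP recover once the burst ends.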

Assuring Confidence in Access: RSA Adaptive Authentication

Once identity is established, protection depends on assuring that fraudulent attempts to access valuable assets are prevented, and that legitimate access is limited only to those authorized. As attackers have increased their ability to capture login credentials and exploit many common authentication techniques, organizations must consider the ways in which today’s fraud countermeasures can better defend against authentication exploit.

• RSA Adaptive Authentication responds to these concerns with a dynamic approach that measures fraud risk when and where access is attempted, and adjusts the rigor of authentication accordingly. Its risk-based authentication technology is informed by the RSA eFraudNetwork and powered by the RSA Risk Engine. Currently in use by more than 8,000 organizations in multiple industries, RSA Adaptive Authentication supports strong, multi-factor authentication using a combination of forensic data regarding the endpoint device and behavioral analysis in addition to the intelligence of the RSA eFraudNetwork.

RSA Adaptive Authentication often functions transparently to users, who may be unaware of its activity. This reduces the friction of adopting stronger authentication techniques, preserving customer convenience as well as enhancing confidence in defense against more advanced fraud tactics. For instance, in most implementations, over 95% of customer logins are not “challenged” by Adaptive Authentication. The RSA Policy Manager enables organizations to customize authentication policies to meet their specific needs. Together, a dynamic, intelligence-driven approach combined with granular control over policy definition provides organizations with a high degree of flexibility in advanced authentication technology. This flexibility is further supported by the availability of RSA Adaptive Authentication in both Software-as-a-Service (SaaS) and on-premises models, giving organizations the options they need to match needed control with attractive options for administration and support.

RSA Adaptive Authentication protects Web sites, portals, SSL VPNs and Web Access Management (WAM) applications. In addition, RSA Adaptive Authentication for eCommerce offers a single fraud prevention solution for card issuers, with support for the 3D Secure protocol and a wide range of authentication and card security products including Verified by Visa®, MasterCard SecureCode™ and JCB J/Secure™.

After Access is Gained: RSA Transaction Protection

Strengthening authentication alone, however, may not always defend assets against fraud. Consider, for example, the class of attacks known as “man-in-the-browser” that echo earlier “man-in-the-middle” tactics of intercepting communications for eavesdropping, picking up sensitive information, and other nefarious purposes – except that “man-in-the-browser” attacks can do all this on a compromised personal endpoint system alone. When a criminal has direct access to an individual’s sensitive communications with financial systems, visibility into transaction anomalies is required to distinguish legitimate activity from fraud.

This, too, is in keeping with the FFIEC guidance to adopt a layered approach to security. When intelligence includes visibility into transactions, it helps to eliminate what may otherwise be a blind spot in fraud prevention.

• RSA Transaction Protection combines risk-based analysis of transaction behavior and Trojan detection capabilities with out-of-band authentication techniques. This layered approach enables organizations to increase the level of authentication needed when fraud risk is detected. Multiple transaction types can be protected, from bill payments to address changes to password resets. When RSA Transaction Protection suspects a Trojan or other threat creating a fraudulent transaction to a “mule” account, out-of-band authentication with specific transaction verification through the phone, email or SMS channel can be deployed automatically to thwart the attempt and prevent damage. Call forwarding detection can also be activated to prevent criminals who attempt to intercept the challenge call by forwarding the genuine user’s phone number to their own.

Support for a Comprehensive Strategy: RSA FraudAction Service

Maintaining an effective strategy against modern fraud requires more than a deployment of technologies or practices within an individual business. Confronting an industry requires capabilities that counteract fraud at its source. In addition, when incidents occur, specialized expertise in fraud analysis may be required for the proper forensic response. This highlights the role of services that unite expertise and intelligence with action, further extending the concept of layered security beyond narrowly focused protections.

• The RSA FraudAction Service offers a set of managed services that provide organizations with the ability to help prevent fraud threats from reaching their targets. This service provides round-the-clock detection, alerting, shutdown and reporting on fraud activity. RSA FraudAction also provides forensic capabilities, countermeasures, and comprehensive blocking of access to known infection points. Analysts at the RSA Anti-Fraud Command Center provide these services to protect organizations against phishing, pharming and Trojan attacks, and to supplement anti-fraud strategies with focused expertise in the field.

Capabilities of the RSA FraudAction Service include:

• The RSA Anti-Phishing Service, which employs the expertise of the RSA AFCC to monitor, detect and alert on phishing activity that plays a central role in extending the reach of fraud. With intelligence gathered from over 3 billion emails per day, this service provides real-time alerts and reporting, site blocking and shutdown, forensic analysis and credential recovery, and countermeasures against phishing attacks. When an attack is detected, pre-defined criteria trigger an alert to the AFCC. If an attack is confirmed, customers are immediately notified. Blocking and shut-down is supported through partnerships with many of the world’s leading ISPs and browser developers, while countermeasures such as baiting techniques help identify criminals and provide deeper insight into fraud activity.

• The RSA Anti-Trojan Service leverages intelligence from a network of technology partners, third-party sources, and techniques such as automated discovery to find, analyze and reverse-engineer detected malware and crimeware worldwide. This service also provides credential recovery, to enable mitigation of any possible theft and infection. The Anti-Trojan service equips customers with early recognition of active or emerging Trojan threats that are often involved in credential theft or abuse – intelligence without which this class of threat may go unrecognized and undetected, causing real harm.

• The RSA FraudAction Intelligence Service provides detailed reports on the activities of the cybercriminal underground including forum posts, threat trends and organization-specific information.

• The RSA CyberCrime Intelligence Service informs organizations regarding corporate endpoints, network resources, access credentials or other information that may have been compromised by malware. This intelligence is derived from RSA Trojan Research Labs analysis and a network of security technology crawling partners in antivirus, network security and Web defense that provide RSA with current malware information. Clients are informed of potential compromises through a variety of weekly reports including recovered data related to an organization’s corporate URLs, email communications, or IP address ranges. The RSA CyberCrime Intelligence Service also offers two daily reports on blacklisted sites used by criminals to launch attacks and communicate updates to malware in the wild. Reports are delivered in an XML format that can be easily downloaded through a dedicated portal, providing clients with the insight they need into malware activity affecting their organization, and helping them to make the most of their security investments.

Together, these capabilities highlight how a comprehensive approach extends the concepts of layered security envisioned by guidance such as that of the FFIEC:

• From the gathering of intelligence and expertise

• To putting that expertise directly to work in the technologies of defense

• From identity provisioning to adaptive authentication before transactions are initiated

• Through protection for transactions once access is gained

• To complementing the approach with comprehensive defenses that employ intelligence and expertise to combat industrialized fraud.

EMA Perspective

In technologies such as risk-based authentication and the automation of risk analysis in anti-fraud techniques, EMA sees the heralds of a new, intelligence-driven approach to information security that signal a turning point for the industry. As criminals continually challenge the effectiveness of legacy defenses, insight into malicious activity is becoming central to any effective approach to security and fraud defense. The long view of this trend is the integration of intelligence directly in the technologies of defense, in order to make countermeasures more directly dependent on dynamic data sources to sharpen their effectiveness in real time.

In this, the technologies that combat fraud have shown early leadership. Techniques such as risk-based authentication and transaction protection were among the first to recognize the value of integrating intelligence directly into strengthening the protection of access to valuable assets, to recognize fraud before it is attempted, and to defeat it once transactions are in process.

With its investment in intelligence-driven technologies for identity protection, verification, and fraud defense, RSA has become a recognized leader in this field. Its portfolio of products and services that embrace a comprehensive approach to fraud defense do more than extend the concepts of layered security that have become the mandate for financial institutions, and a pattern for more effective defense beyond.

With a comprehensive approach to fraud intelligence and defense that extends across multiple areas of concern, RSA offers an example that recognizes the scope of the challenge, equipping organizations with the level of response needed to extend the concept of layered security to the confrontation of what has become an industrialized threat.

About RSA, The Security Division of EMC

RSA, The Security Division of EMC, is a premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations solve complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.

Combining controls in identity assurance, encryption and key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.EMC.com/RSA.

About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help its clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter or Facebook.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2012 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 5777 Central Avenue, Suite 105 Boulder, CO 80301 Phone: +1 303.543.9500 Fax: +1 303.543.7687 www.enterprisemanagement.com 2448.032812