Laura Mather , Ph.D., is the cofounder and vice president of product marketing for Silver Tail Systems and an expert in combating Internet fraud. She has spoken at IRS, Federal Trade Commission, and Merchant Risk Council events in addition to security industry conferences and summits. Fast Company ranked her number 16 on their annual list of "The 100 Most Creative People in Business" for 2012. The CIA’s information technology venture capital firm, In-Q-Tel, has invested in Silver Tail. She is also the managing director of operational policy for the Anti-Phishing Working Group, where she drives Internet policy to fight electronic crimes such as phishing, pharming, and spoofing. Prior to cofounding Silver Tail Systems, she spent three years in fraud prevention and antiphishing at eBay, was a director of research and analysis for the online division of Encyclopedia Britannica, and also spent time as a research analyst for the National Security Agency (NSA). Mather holds a Ph.D. in Computer Science and a B.S. in Applied Mathematics, both from the University of Colorado.
How was your company Silver Tail Systems born and what cybersecurity services does it provide?
When I was director of fraud prevention at eBay, there were so many attacks against the eBay Web site, and I had no ability to do anything but be reactive to them. I didn’t have the tools to detect them as they started, so I had to wait for customers to tell me about these attacks. Then, I had to go figure out on my own what the criminals were doing. It was a nightmare.
I realized that I wasn’t looking at the problem in the correct way. The better thing to do was to monitor behavior on Web sites—essentially look at the behavior of all the Web sessions. Criminals are going to do something different than customers in the e-commerce space. If they’re going to steal money or data or try and take down your system, legitimate people don’t do that, so the criminal Web sessions should stand out compared to the legitimate sessions. There has to be some component of criminal behavior that looks different from legitimate behavior. My cofounder and I built tools that would detect these behavioral outliers. We monitor all Web sessions, including mobile, and automatically create models of what is normal. And when there is a Web session that deviates a certain amount from normal, then we are able to notify the Web site owner immediately.
What has been fascinating is the premise that criminals look different from customers. It works in e-commerce and finance, and it works for intranets as well. In the intranet situation, bad actors or adversaries will often get into an intranet that’s a secure environment, such as IBM, HP, or Google. They will often get in through malware or through a compromised insider. Once inside, they will try and navigate through the information available via a Web browser and steal data, such as intellectual property. Thirteen years ago when I was at NSA, some things were available through the intranet, but actually not much. It wasn’t all that functional, but now I would wager that you can get to the phone directory, requirements documents, intelligence summaries, and mission overviews through a Web browser. If you were an adversary, there is a lot of information that could be extremely valuable that is accessible via browser.
So, you’re saying that information that used to be siloed but now is networked gives an adversary access to everything if he or she knows how to navigate it?
Exactly. Let’s be honest—the fact that it was in a silo was not good. It made it inconvenient to do your job. Now, it’s very convenient, and people can do their jobs more efficiently. The warfighter in the field has access to information that they never had access to before, and that’s a fantastic thing. But it also creates vulnerabilities. So our software monitors all the sessions, either through the mobile applications or through the Web browser, and identifies when a Web session deviates from either the population or from what’s expected of an individual user. We compare what we expect from the population and from this user. Do they usually move through really quickly or do they usually access the product requirements page over and over again?
Does that mean an adversary has to profile the behavior of a legitimate user to try and beat your software?
There’s no silver bullet for sure. Criminals will find ways to stay under the radar, but it’s going to be hard to do. Our premise is that they’re going to have to do something that legitimate people don’t normally do. If they want to get the entire phone list for the NSA, for example, they could absolutely download a page of it a day, but then it’s going to take them two years to get the whole thing.
Your software tries to inflict on adversaries the law of diminishing returns?
Exactly. It’s very similar to decisions other businesses make every day: the criminals have some conversion rate or amount of information they want to get in a certain time frame and in a lot of cases that is going to be so time-sensitive that they are going to have to move quickly, and we’ll be able to find them. In the end, is what they get worth the effort it took to get it? It’s the typical return-on-investment calculation.
(Click here to continue reading "Federal Cybersecurity Perspective," from our December 2012 issue.)