Federal Cybersecurity Perspective: Interview with Laura Mather, Ph.D.
An interview with Dr. Laura Mather, cofounder and chief visionary of Silver Tail Systems.
Laura Mather, Ph.D., is the cofounder and vice president of product marketing for Silver Tail Systems and an expert in combating Internet fraud. She has spoken at IRS, Federal Trade Commission, and Merchant Risk Council events in addition to security industry conferences and summits. Fast Company ranked her number 16 on their annual list of "The 100 Most Creative People in Business" for 2012. The CIA’s information technology venture capital firm, In-Q-Tel, has invested in Silver Tail. She is also the managing director of operational policy for the Anti-Phishing Working Group, where she drives Internet policy to fight electronic crimes such as phishing, pharming, and spoofing. Prior to cofounding Silver Tail Systems, she spent three years in fraud prevention and antiphishing at eBay, was a director of research and analysis for the online division of Encyclopedia Britannica, and also spent time as a research analyst for the National Security Agency (NSA). Mather holds a Ph.D. in Computer Science and a B.S. in Applied Mathematics, both from the University of Colorado.
How was your company Silver Tail Systems born and what cybersecurity services does it provide?
When I was director of fraud prevention at eBay, there were so many attacks against the eBay Web site, and I had no ability to do anything but be reactive to them. I didn’t have the tools to detect them as they started, so I had to wait for customers to tell me about these attacks. Then, I had to go figure out on my own what the criminals were doing. It was a nightmare.
I realized that I wasn’t looking at the problem in the correct way. The better thing to do was to monitor behavior on Web sites—essentially look at the behavior of all the Web sessions. Criminals are going to do something different than customers in the e-commerce space. If they’re going to steal money or data or try and take down your system, legitimate people don’t do that, so the criminal Web sessions should stand out compared to the legitimate sessions. There has to be some component of criminal behavior that looks different from legitimate behavior. My cofounder and I built tools that would detect these behavioral outliers. We monitor all Web sessions, including mobile, and automatically create models of what is normal. And when there is a Web session that deviates a certain amount from normal, then we are able to notify the Web site owner immediately.
What has been fascinating is the premise that criminals look different from customers. It works in e-commerce and finance, and it works for intranets as well. In the intranet situation, bad actors or adversaries will often get into an intranet that’s a secure environment, such as IBM, HP, or Google. They will often get in through malware or through a compromised insider. Once inside, they will try and navigate through the information available via a Web browser and steal data, such as intellectual property. Thirteen years ago when I was at NSA, some things were available through the intranet, but actually not much. It wasn’t all that functional, but now I would wager that you can get to the phone directory, requirements documents, intelligence summaries, and mission overviews through a Web browser. If you were an adversary, there is a lot of information that could be extremely valuable that is accessible via browser.
So, you’re saying that information that used to be siloed but now is networked gives an adversary access to everything if he or she knows how to navigate it?
Exactly. Let’s be honest—the fact that it was in a silo was not good. It made it inconvenient to do your job. Now, it’s very convenient, and people can do their jobs more efficiently. The warfighter in the field has access to information that they never had access to before, and that’s a fantastic thing. But it also creates vulnerabilities. So our software monitors all the sessions, either through the mobile applications or through the Web browser, and identifies when a Web session deviates from either the population or from what’s expected of an individual user. We compare what we expect from the population and from this user. Do they usually move through really quickly or do they usually access the product requirements page over and over again?
Does that mean an adversary has to profile the behavior of a legitimate user to try and beat your software?
There’s no silver bullet for sure. Criminals will find ways to stay under the radar, but it’s going to be hard to do. Our premise is that they’re going to have to do something that legitimate people don’t normally do. If they want to get the entire phone list for the NSA, for example, they could absolutely download a page of it a day, but then it’s going to take them two years to get the whole thing.
Your software tries to inflict on adversaries the law of diminishing returns?
Exactly. It’s very similar to decisions other businesses make every day: the criminals have some conversion rate or amount of information they want to get in a certain time frame and in a lot of cases that is going to be so time-sensitive that they are going to have to move quickly, and we’ll be able to find them. In the end, is what they get worth the effort it took to get it? It’s the typical return-on-investment calculation.
By detecting anomalies in real time, your software allows companies to respond flexibly?
Yes. For many customers, before they had our system, it would take them forever to learn of an attack, then they had to go figure out what happened, how, and when. Worse yet, they would then go to their development team and say, “Hey, we have to fix this page so that people can’t hit it a hundred thousand times per minute.” And the development team would say, “We know how to do this,” but it would be weeks or months until they could get it live. What we can help them do is send triggers to other systems, like a firewall, and say on the next request, “block this traffic.” Our customers can put rules in place that take these actions and test it in maybe a few hours. We’ve done it in 15 minutes in an emergency case.
In a video I saw, you claimed that Silver Tail could stop WikiLeaks-type disclosures. There are times when information is legitimately leaked from within the government because the public has the right to know. Do you ever think about how your technology could be used to eliminate whistleblowing?
My goal has always been to add integrity to the Internet, but if my software keeps the good guys from getting to information that is being inappropriately hidden, that’s a catch-22, right?
I’m definitely not advocating that people expose everything they think the public needs to know. The answer is likely that the owners of the Web site should have the ability to decide what goes out and what doesn’t. I understand that isn’t ideal since it’s the owners of the Web sites that would likely want to protect the information. It’s possible that this is one of those cases where there is some impact on the minority for the greater good of the majority. I would postulate that protecting data is more important than making sure the small amount of data that should be exposed is available.
During the next five to 10 years, what do you see as the future of cybersecurity? What new threat vectors are evolving, or at least can be predicted, that cybersecurity companies like Silver Tail will need to develop remedies against?
I’m beginning to think the problem isn’t that we aren’t doing a good enough job anticipating what is coming. I think the problem is that we focus too much on what is going to be the next threat. There are so many threats that arise that were unexpected, I think the better way to look at threats is to acknowledge you don’t know what’s coming. Once you admit that, you craft your strategy around identifying the new threat as soon as it emerges. This seems to be the most economical way of addressing threats. Instead of spending money and resources fixing things that haven’t been attacked, only fix the things that have been attacked. Our system, for example, is all about letting people move quicker and give them the confidence that if they are attacked, they will be notified quickly and can respond quickly.
With your background, what vulnerabilities worry you the most about the cyber-realm?
There is definitely the possibility of a catastrophic event on the Internet. The main thing that has prevented that in the past is the fact that most of the people who would like to cause the problems that would occur by taking down the Internet also rely on the Internet, so it would hurt the attacker as much as the victim. Given that the Internet was developed for purposes very different from what it is used for today, there needs to be a major rearchitecting of the Internet. It seems that a bit of planned disruption now might be better than unplanned disruption later if the criminals decide they want to completely disrupt the system.
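The approach Mather describes earlier in the interview (model what normal web sessions look like, then flag a session that deviates from the population or from that individual user's own history) can be sketched in a few dozen lines. The following Python is an added example for this page; it is not Silver Tail Systems' code and makes no claim about how their product scores sessions. The two features (requests per minute and the share of requests hitting a hypothetical sensitive "directory" page), the z-score threshold of 3, the standard-deviation floors and the eight historical sessions are all constructed assumptions.

```python
"""Session-behaviour outlier scoring.

Added illustration of the idea in the interview: learn what normal web
sessions look like, then compare each new session with the population
and with the user's own past. Not Silver Tail Systems code; feature
names, thresholds and sample sessions are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    session_id: str
    user: str
    requests: int        # HTTP requests seen in the session
    seconds: float       # wall-clock duration of the session
    directory_hits: int  # requests to a hypothetical sensitive page (e.g. a phone directory)

    def features(self) -> dict:
        """Two constructed behavioural features per session."""
        req_per_min = self.requests / max(self.seconds, 1.0) * 60.0
        directory_share = self.directory_hits / max(self.requests, 1)
        return {"req_per_min": req_per_min, "directory_share": directory_share}


# Constructed history of ordinary sessions; it stands in for the learned "normal" model.
HISTORY = [
    Session("h1", "alice", 20, 600, 0), Session("h2", "alice", 30, 600, 3),
    Session("h3", "bob",   30, 600, 0), Session("h4", "bob",   40, 600, 4),
    Session("h5", "carol", 20, 600, 0), Session("h6", "carol", 30, 600, 3),
    Session("h7", "dave",  40, 600, 0), Session("h8", "dave",  30, 600, 3),
]

# Minimum standard deviation per feature, so a near-constant history does not
# turn every tiny wobble into a huge z-score (assumed values).
SD_FLOOR = {"req_per_min": 1.0, "directory_share": 0.05}


def baseline(sessions: list) -> dict:
    """Mean and population stdev of each feature over the given sessions."""
    columns = defaultdict(list)
    for s in sessions:
        for name, value in s.features().items():
            columns[name].append(value)
    return {name: (mean(vals), pstdev(vals)) for name, vals in columns.items()}


def zscores(session: Session, base: dict) -> dict:
    """Standardised distance of one session from a baseline, per feature."""
    out = {}
    for name, value in session.features().items():
        mu, sd = base[name]
        out[name] = (value - mu) / max(sd, SD_FLOOR[name])
    return out


def score_session(session: Session, history: list, threshold: float = 3.0) -> dict:
    """Compare a session with the whole population and with the user's own past.

    A feature becomes a reason when its z-score exceeds `threshold` against
    either baseline. A user with no history is judged against the population only.
    """
    population_z = zscores(session, baseline(history))
    own_past = [s for s in history if s.user == session.user]
    user_z = zscores(session, baseline(own_past)) if own_past else {}

    reasons = sorted({name for z in (population_z, user_z)
                      for name, val in z.items() if val > threshold})
    return {
        "session_id": session.session_id,
        "population_z": population_z,
        "user_z": user_z,
        "reasons": reasons,
        "anomalous": bool(reasons),
    }


if __name__ == "__main__":
    probes = [
        Session("ok", "carol", 30, 600, 3),        # ordinary browsing
        Session("burst", "bob", 6000, 600, 5400),  # hammering the directory page
        Session("slow", "alice", 30, 600, 3),      # low-and-slow: looks ordinary per session
        Session("new", "erin", 900, 600, 0),       # no history, fast but not on the directory
    ]
    for p in probes:
        r = score_session(p, HISTORY)
        print(p.session_id, "ANOMALOUS" if r["anomalous"] else "normal", r["reasons"])
```

The "slow" probe is the case Mather raises: a session that fetches a page a day at an ordinary rate is indistinguishable from normal browsing on a per-session model, so catching it needs the per-user, longer-horizon view she describes (cumulative coverage of the sensitive pages over weeks rather than minutes). The "new" probe shows the fallback when a user has no history of their own: only the population baseline applies, which is where a defender should expect the most false positives.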