American Security Today September Digital Magazine September 2016 | Page 65
Volume 7
want and for as long as they can. In addition, cybercriminals have numerous ways to attack – and
they keep finding more. It’s similar to physical crime
or terrorism in that way. It’s not feasible to protect
a soccer stadium, for example, against all possible
attack vectors—from every entrance, from the sky,
from underground—let alone means of attack that
security teams haven’t thought of yet.
With today’s porous network perimeters and proliferation of devices connecting to the network, data
security is a constant, uphill battle. The fact is that
every time we get it wrong, something bad happens. Sometimes very bad, as in stock-plummeting, customer-fleeing, company-destroying bad.
(Learn More, What is account takeover, why is it important,
and what can Financial Institutions and Ecommerce companies do about it? Courtesy of NuData Security and YouTube)
Reading the Signals
Security today must be proactive, and being proactive means observing consumer behavior with
much higher fidelity. Traditionally, analysis has
tended to be rather superficial. To truly understand
and know the user, you need to look deeper. This
includes looking for signals you wouldn’t normally
look for—how fast someone types, how hard they
hit the keys, how a user interacts with a website,
etc.—the types of signals that are often overlooked
or ignored.
So then, what others — criminals and consumers
alike — don’t pay attention to actually creates a
unique, behavior-based user profile that is far more
detailed and reliable than the old standby of username and password. Knowing a consumer’s true
behavior transcends reliance on static identities.
Applying this knowledge of the consumer’s true
behavior devalues the stolen data. How? Cybercriminals
can’t emulate behaviors with enough fidelity
to truly take control of a user’s identity, if the
right signals are observed and analyzed. The focus
changes from the user’s username, password and
perhaps location or secret question, to his or her
unique identifying behaviors. Deriving identification
from measuring these behavioral indicators is so
powerful because behavioral signals can’t be replicated in enough fidelity to emulate a known good
user.
When these signals are gathered together to create
unique user profiles, fraudulent actors can’t use the
static username and password data they’ve stolen.
It’s no longer merely an issue of plugging credentials into a login screen and taking over an account,
or completing fraudulent transactions; fraudsters
would have to exactly mimic every behavior in the
profile – an impossible task.
This method makes personal data useless to criminals. Why would they go to the trouble of stealing something they can’t use? The incentive for
fraudsters to steal this kind of data is zero. In other
words, the data has no value.
Rewriting the Rules
Along with death and taxes, data theft has become
a certainty. The saving grace here is that criminals
tend to take the path of least resistance as well, and
nab the loot that’s easiest to steal and offers the
biggest pay-off. If you could change the scenario so
that the loot is unusable and therefore worthless to
them, why wouldn’t you?
By creating authentication based on a user’s behavior, you render customer data useless and remove
the incentive for theft. This creates a double layer
of protection: any data that may be stolen can’t be
used in a meaningful way. It’s the ultimate win-win
in the battle to protect data.
About the author
Robert Capps is the vice president of Business Development for NuData Security. He is a recognized
technologist, thought leader and advisor with more
than 20 years of experience in the design, management and protection of complex information systems – leveraging people, process and technology
to counter cyber risks.
For more information, visit https://nudatasecurity.com/