By Byron V. Acohido
Cyber criminals are deploying the very latest in automated weaponry, namely botnets, to financially plunder corporate networks.
The attackers have a vast, pliable attack surface to bombard: essentially all of the externally-facing web apps, mobile apps and API services that organizations are increasingly embracing, in order to stay in step with digital transformation.
Related: The ‘Golden Age’ of cyber espionage is upon us
The nonstop intensity of these attacks is vividly illustrated by the fact that malicious bot communications now account for one-third of total Internet traffic. Cybersecurity vendors, of course, have been responding. Established web application firewall (WAF) suppliers like Imperva, F5 and Akamai are hustling to strengthen their respective platforms. And innovation is percolating among newer entrants, like PerimeterX, Shape Security and Signal Sciences.
This week a new entrant in this field, Cequence Security, formally launched what it describes as a “game-changing” application security platform. I had the chance to sit down with CEO Larry Link to discuss what Cequence is up to, and why it believes it can help enterprises detect and mitigate bot attacks, without unduly disrupting the speed and flexibility they’d like to extract from digital-centric operations. Here are takeaways from our discussion:
The botnet problem
According to Gemalto’s Breach Level Index, 3.3 billion data records were compromised worldwide in the first half of 2018 – a 72 percent rise in the number of lost, stolen or compromised records reported in the first six months of 2017. Vulnerable online apps and services factored in as a primary target of automated botnet attacks. This activity can be seen at any moment of any day by examining the volume of malicious botnet traffic moving across the Internet.
A bot is a computing nodule with a small bit of coding that causes it to obey instructions from a command and control server. A botnet is a network of thousands upon thousands of bots under control of an attacker.
Bots arise two ways. The classic source are compromised, or “pwned,” computers. Infections lurk everywhere: in email-borne attachments and web links; in social media postings; on popular and obscure web pages. A pwned PC operates normally for the unwitting user, though he or she may notice performance lags when it is silently carrying out the botnet operator’s commands.
A newer source of bots are virtual instances of computing devices. Bad actors are standing up these virtual bots by the million, cheaply and stealthily, via Amazon Web Services, Microsoft Azure and Google Cloud.
One of the most intensive uses of criminal botnets is account takeovers. Stolen usernames and passwords are loaded up on botnets, which then relentlessly test them on account logon pages. These baseline account takeovers can then be leveraged to spread spam, distribute phishing scams, launch denial of service attacks, infiltrate and plunder networks, execute wire fraud and more.
Link
“Most people still tend to use the same logon credentials on multiple sites,” Link says. “Botnets can test stolen usernames and passwords at scale. Sure enough, about 10 percent of the time the bots will gain unauthorized access to an account belonging to someone else. Once they’re in, all sorts of things can be done that are bad for the organization and can help the bad guys make money.”
Shifting security challenge
Web application firewalls came along 15 years ago and were designed to sit in front of web application server and be configured to specifically to protect designated web sites. This approach worked just find when Internet commerce was much less interactive than it is today.
But then along came cloud services, mobile computing and the Internet of Things, which gelled into digital transformation. Thus, what we’re experiencing today is the blossoming of B2B and B2C commerce transacted digitally. With this trend comes a rise in reliance on public cloud services, like AWS, Google Cloud and Microsoft Azure, which, in turn, has introduced many new layers of software development abstractions, i.e. APIs, microservices, containers and container orchestration.
Link observes that, today, Link notes, a large financial firm, typically will have several hundred customer- and supplier-facing applications, web apps and mobile apps conducting transactions over both PC browsers and smartphone apps. These newer layers redouble complexity and, in doing so, expand the available attack surface.
“Injecting software into a client device to gain telemetry from that device in order to detect malware and threats isn’t enough anymore,” Link says. “A radically different approach is required, one that looks not just at the client, but also the server, the network traffic protocols and the application behaviors, from beginning to end. It’s now really about detecting behavior and deciphering intent.”
Cequence has come up with a new type of software platform, Cenquence ASP is designed to continually monitor all web apps, mobile apps, and API services deployed across the entire organization. It can automatically determine the source, target, and intent of potentially malicious attacks. And once an attack is confirmed, the system will automatically enforce policy-based mitigation techniques.
“We’re taking a more holistic approach,” Link says. “We’re looking at the client, at the server, at the network traffic protocols and at application behaviors, from beginning to end. We ingest data into a powerful AI engine, and do a comprehensive analysis to determine if a malicious bot attack is taking place.”
Early traction
One measure of the efficacy of Cequence’s approach is the success of a trial version deployed with a handful of large customers. The new platform has been operating for some months in the production environments at 10 enterprises, including a Fortune 100 multinational financial services firm and a Fortune 500 cosmetics retailer. And the company was recently named a 2018 Gartner Cool Vendor.
“We’re very pleased with our early market recognition, traction, and the fact that well-known brands are trusting us to protect their businesses from these disruptive and costly attacks,” Lark says.
It will be interesting to see how far Cequence is able to take this. The company certainly has an impressive pedigree. Co-founders Ameya Talwalkar and Shreyans Mehta worked together at Symantec before setting out on their own, three years, ago to develop and pilot Cequence’s platform. They are now chief privacy officer and chief technology officer, respectively.
Link joined more recently, as president and CEO, coming on board with Tony McIlvenna, Cequence’s vice president of worldwide sales; both came over from senior positions at Palo Alto Networks.
“We were early team members at Palo Alto Networks, and we saw the evolution of network security, and the way Palo Alto Networks was able to transform network security,” Link told me. “The opportunity we see here is to transform application security, in a similar fashion.”
(Editor’s note: LW has provided consulting services to Cequence Security.)
