Analyze biometrics and behavior with ML to defeat professional attackers, Acceptto security expert urges
Cybercrime has become a lucrative business employing professional criminals, and harnessing advanced technologies like machine learning and behavioral biometrics is the way to keep ahead of them, according to Acceptto Principal Security Architect Fausto Oliveira.
Oliveira is concerned about the availability of tools on the dark web, which often make the return on investment in hacking authentication systems very high. Attackers who spend a hundred dollars on data gathered in a past breach can use a modicum of automation to replay those credentials, allowing them to steal data from targets or take over their accounts. Personally identifiable information can be stolen, ransomware installed, or other crimes carried out, with potential proceeds of millions of dollars.
Only a small minority of online gangs appear to be targeted for enforcement action, Oliveira says, based on observable activity. Even criminal groups that law enforcement agencies like Interpol and the FBI have struck blows against have continued operating.
Then there are insider attacks, which are often not reported or disclosed, with malicious employees signing non-disclosure agreements after being caught, Oliveira says.
“That is something that worries me from the security point of view, because if there are no legal consequences, what is preventing that guy from resurfacing somewhere in the industry and performing exactly the same kind of crime?” he asks.
Acceptto starts from the assumption that there is no single factor that cannot be breached, or even has not been breached already. Its technology combines hundreds of signals, which are ingested by the company’s machine learning algorithms to generate a model of the user. The signals can include physical and behavioral biometrics and others collected by the workstation, phone, or browser, along with open source and proprietary intelligence signals. Acceptto also employs a unique temporal factor based on patterns in behavior throughout the day.
There are other companies in the market bringing together many factors to identify individuals for protection against fraud, but there is much more than the temporal factor setting Acceptto apart, according to Oliveira.
“Our angle was that there are a few ways of dealing with user modeling, and we took the approach of using as many models as we see performing in a reliable format, to perform as what we call a mixture of experts, in essence a mixture of machine learning models, to create a balanced picture of the user,” Oliveira explains. “There are techniques that use static rules, which hardly can be classified as machine learning, among our competitors, there are techniques that use a single machine learning algorithm, and then we took the approach of mixing all the experts that we could find that were reliable.”
The end goal is to get rid of the password. Oliveira thinks that goal is in sight.
“There are enough solutions nowadays for passwordless,” he asserts. “It’s not a matter of a lack of solutions, it’s not a matter of making them cost-effective – they are extremely cost effective compared to passwords. It’s a matter of, essentially, executive guidance. Companies are stuck with the password mentality.”
That means the loss of productivity, loss of customers, and exposure to risk that Oliveira says come with passwords are all unnecessary, and the resistance of users is one of the only things keeping passwords in place.
The way to incentivize customers or employees is to “show them the experience,” and Oliveira provides an example of a large customer that was able to shift three-quarters of its employees to passwordless authentication simply by incentivizing them to try it.
Biometric sensors are becoming ever more effective due to industry efforts, with liveness detection and efforts to reduce false positives. It is the combination of many continuous factors, however, that not only enables passwordless authentication, but also secures systems against the compromise of biometric sensors, which are essentially passive.
“Not having the knowledge that that barrier has been breached kind of defeats the whole purpose of authentication,” Oliveira points out.
Going beyond authentication is necessary to fend off attackers who behave like corporations, with some actually behaving like SaaS operators, or using ML the same way the tech industry is.
Oliveira goes so far as to warn that “if enterprises don’t get on the bandwagon and start using machine learning to protect their perimeters, they are going to be breached.”
That means employing new technology to improve enterprise security capabilities beyond what attackers gain from the inexpensive computing power they can easily buy from cloud providers, and from the lack of international coordination, which they take advantage of in launching sophisticated attacks.
“We need to have systems that mix up machine learning, subject matter experts, and behavioral modeling so that we can detect these threat actors,” Oliveira advises. “Traditional binary controls are things of the past.”
Existing investments already provide much of the data needed to make that change, however. The investments organizations have already made in cybersecurity can be put to better use, Oliveira contends, taking action driven by machine learning and subject matter rules based on technology that brings together biometrics, behavioral analysis, and the other information already coming from security systems.
“All of that equipment is generating signals, but seldom are those signals combined to empower authentication,” Oliveira states. “You’ve got your SIEMs, your IGAs, you name it, all of them are generating quite a lot of information. Having the ability, which we do, to ingest all that information and merge it to create behavior and track you throughout your session, your access to service, your system login, helps the organization know at all moments in time what your security posture is, and also allows you to track if there are indicators of compromise. As soon as there’s an indicator of compromise, you can take action.”