This conversation takes place ahead of Cyber Security Month and shares what information is available to our network of tech leaders, along with the cyber security solutions available to them.
Jonathan Tomek is a VP at Digital Element, a global IP geolocation and intelligence leader for over 20 years. There, he is a seasoned threat intelligence researcher with a background in network forensics, incident handling, malware analysis, and many other technology skills. Previously, Jonathan served as CEO of MadX LLC, Head of Threat Intelligence with White Ops, and Director of Threat Research with LookingGlass Cyber Solutions, Inc.
In this Q&A, Jonathan shares the challenges that many of the world’s largest websites, brands, security companies, ad networks, social media platforms and mobile publishers face, and the best practices his team takes to combat online fraud.
M.R. Rangaswami: With the rise of VPNs and residential proxy IP networks, many corporate security teams seem to struggle to see who is accessing their networks and data. How should they approach security as these trends accelerate?
Jonathan Tomek: IP address intelligence data can help security teams hone their best practices for establishing rules for who can access their network. For instance, IP address data reveals a great deal about masked traffic, such as whether it is coming from a VPN, darknet or residential IP proxy. With this knowledge, security teams can opt to block all darknet traffic automatically.
Likewise, knowing that many people use residential IP proxies to scrape websites for competitive research, security professionals can opt to block all residential IP proxies.
The important factor here is context. A company may not be concerned about VPN traffic in general, but if thousands of failed login attempts from a specific VPN over a short time period are observed, this would be indicative of an individual threat versus many unknown attacks.
Digital Element also knows a great deal about the VPN market, including which providers offer features that enable nefarious players to hide their activities.
That insight can be used to set access policies based on the VPN provider. For instance, you may want, as a matter of policy, to block all traffic that stems from VPNs that are free, or accept crypto payment and allow no-logging behavior as an option, as they are features that allow bad actors to cover their tracks.
Though some believe blocking is a common theme, the context provided can be more important at times, especially after an incident, by helping to understand characteristics of the threat and narrow down the area of focus.
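The access policy described in this answer (block darknet and residential proxy traffic outright, block VPNs whose features let users cover their tracks, and treat a burst of failed logins from one VPN as a single targeted threat rather than unrelated noise) can be expressed as a small decision function plus a sliding-window counter. The code below is an added illustration, not Digital Element's code or API; the `IpContext` fields, the provider names and the lookup table are constructed assumptions standing in for a real IP intelligence feed.

```python
"""Access-policy decision from IP intelligence context (added example).

The lookup table, provider names and attribute fields below are constructed
for illustration; they are not a vendor's data or schema.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional


@dataclass
class IpContext:
    """Assumed shape of an IP intelligence lookup result (hypothetical schema)."""
    proxy_type: str                   # "none", "vpn", "darknet" or "residential_proxy"
    vpn_provider: Optional[str] = None
    free_tier: bool = False           # provider offers a free plan
    crypto_payment: bool = False      # provider accepts cryptocurrency
    no_logging: bool = False          # provider advertises a no-logs option


# Constructed lookup table standing in for a live intelligence feed.
IP_INTEL: Dict[str, IpContext] = {
    "203.0.113.10": IpContext("none"),
    "203.0.113.20": IpContext("darknet"),
    "203.0.113.30": IpContext("residential_proxy"),
    "203.0.113.40": IpContext("vpn", "PaidVPN-A"),
    "203.0.113.50": IpContext("vpn", "FreeVPN-B", free_tier=True, no_logging=True),
    "203.0.113.60": IpContext("vpn", "CryptoVPN-C", crypto_payment=True, no_logging=True),
}


def access_decision(ip: str, intel: Dict[str, IpContext] = IP_INTEL) -> str:
    """Return 'allow' or 'block' for an inbound IP under the policy in the text."""
    ctx = intel.get(ip)
    if ctx is None:
        return "allow"  # no context for this IP; other controls still apply
    if ctx.proxy_type in ("darknet", "residential_proxy"):
        return "block"
    if ctx.proxy_type == "vpn":
        # Any feature that helps a user cover their tracks puts the provider on the block list.
        if ctx.free_tier or ctx.crypto_payment or ctx.no_logging:
            return "block"
    return "allow"


class VpnFailedLoginMonitor:
    """Count failed logins per VPN provider inside a sliding time window.

    The point is context: a single failure from a VPN is routine, thousands
    from the same VPN in a short period look like one actor probing accounts.
    """

    def __init__(self, window_seconds: int, threshold: int) -> None:
        self.window = window_seconds
        self.threshold = threshold
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def record_failure(self, ip: str, ts: float,
                       intel: Dict[str, IpContext] = IP_INTEL) -> Optional[str]:
        """Record a failed login at time ts; return the provider name once it crosses the threshold."""
        ctx = intel.get(ip)
        if ctx is None or ctx.proxy_type != "vpn" or ctx.vpn_provider is None:
            return None
        window = self._failures[ctx.vpn_provider]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()  # drop failures older than the window
        return ctx.vpn_provider if len(window) >= self.threshold else None


if __name__ == "__main__":
    for ip in IP_INTEL:
        print(ip, access_decision(ip))
    monitor = VpnFailedLoginMonitor(window_seconds=60, threshold=3)
    for t in (0, 10, 20):
        print(t, monitor.record_failure("203.0.113.40", t))
```

`access_decision` is the blunt control; `VpnFailedLoginMonitor` is the contextual one, and a paid provider such as the constructed `PaidVPN-A` is allowed through by the first but still surfaces as a targeted threat in the second once failures pile up. The window and threshold values are policy parameters to tune, not figures from the interview.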
M.R.: Requesting additional authentication is a safe, but costly, practice. How can IP address intelligence data help security teams drive efficiency in their access policy?
Jonathan Tomek: Asking for additional authentication is a good security measure, but it does require additional computing power, which isn’t free. It also affects the user experience, especially when a loyal customer signs into a system frequently.
IP address intelligence data is useful here, both in helping networks save resources, and ensuring a more seamless user experience. Such insights include IP stability, which tells us how long a specific IP address has been observed at a specific location.
If a customer signs into your network every day via the same IP address observed at the same geolocation, there may be no need to request a second authentication. But if one day that user attempts to sign in from an IP address from a geolocation on the other side of the country, or from a more local region but is also a VPN, it would be a good idea to validate them.
IP address intelligence data can provide context to help security teams set policies that prioritize when to request additional authentication.
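The step-up rule in this answer (skip the second factor for a known IP that has been stable at its location, require it for a sign-in from the other side of the country or from a nearby VPN exit) can be written as a risk decision over the user's sign-in history. The code below is an added example and not Digital Element's logic; the `IpIntel` fields, the coordinates, the stability values and the thresholds are constructed assumptions.

```python
"""Step-up authentication decision driven by IP stability (added example).

The sign-in history, coordinates and stability values below are constructed
for illustration, and the field names are assumptions, not a vendor schema.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IpIntel:
    lat: float
    lon: float
    stability_days: int       # how long this IP has been observed at this location
    is_vpn: bool = False


# Constructed intelligence for the IPs used in the example.
IP_INTEL: Dict[str, IpIntel] = {
    "203.0.113.10": IpIntel(41.88, -87.63, 240),              # stable "home" IP
    "203.0.113.11": IpIntel(41.90, -87.60, 3),                # nearby, newly assigned
    "203.0.113.12": IpIntel(41.85, -87.70, 30, is_vpn=True),  # nearby VPN exit
    "198.51.100.5": IpIntel(34.05, -118.24, 500),             # other side of the country
}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def needs_step_up(history: List[str], current_ip: str,
                  intel: Dict[str, IpIntel] = IP_INTEL,
                  min_stability_days: int = 30,
                  local_radius_km: float = 200.0) -> Tuple[bool, str]:
    """Decide whether a sign-in from current_ip should trigger a second factor.

    history holds IPs this user has signed in from before. The two thresholds
    are assumed policy values, not figures from the interview.
    """
    cur = intel.get(current_ip)
    if cur is None:
        return True, "no intelligence for this IP"
    if cur.is_vpn:
        return True, "VPN exit, even though it geolocates nearby"
    if current_ip in history and cur.stability_days >= min_stability_days:
        return False, "known IP, stable at its location"
    # New or unstable IP: compare its geolocation with the user's known locations.
    for known_ip in history:
        known = intel.get(known_ip)
        if known is None or known.is_vpn:
            continue
        if haversine_km(cur.lat, cur.lon, known.lat, known.lon) <= local_radius_km:
            return False, "new IP but within the user's usual region"
    return True, "geolocation far from every known location"


if __name__ == "__main__":
    history = ["203.0.113.10"]
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.5"):
        print(ip, needs_step_up(history, ip))
```

Treating a new, non-VPN IP inside the usual region as low risk is the lenient reading of the answer; a stricter policy would return `True` there as well and rely on `stability_days` alone. Either way the decision is made from context rather than by challenging every sign-in, which is the efficiency the question is after.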
M.R.: How can IP intelligence data help security teams understand how a breach occurred, and minimize any damage done?
Jonathan Tomek: That’s a great question. Every security professional understands that, try as you might, it is simply impossible to prevent a breach.
The best approach is to be able to respond quickly and minimize the impact in the event of a breach. IP address intelligence is a critical addition to a security information and event management (SIEM) solution.
By leveraging IP intelligence, you have additional data points which can help reduce false positive alerts, while also refining other alerts for investigators.
The ability to cluster events is a huge timesaver. If a specific VPN was used during a breach, you could find related IP addresses and see how the attacker was attempting to gain entry to your infrastructure, helping you with the timeline.
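The SIEM use described in this answer (enrich each event with IP intelligence, drop alerts from sources you already trust to cut false positives, then cluster what remains by VPN provider so that one breach IP leads to its related IPs and a timeline) is shown below as an added example. It is not Digital Element's code; the log lines, the `IP_INTEL` table, the provider names and the log format are all constructed.

```python
"""SIEM enrichment with IP intelligence: suppress known-good sources and
cluster the rest by VPN provider (added example; all data below is constructed).
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed IP -> (category, provider) table standing in for an intelligence feed.
IP_INTEL: Dict[str, Tuple[str, str]] = {
    "203.0.113.40": ("vpn", "ExampleVPN-A"),
    "203.0.113.41": ("vpn", "ExampleVPN-A"),
    "203.0.113.42": ("vpn", "ExampleVPN-A"),
    "198.51.100.7": ("corporate", "HQ-egress"),  # our own office egress address
    "192.0.2.9": ("vpn", "ExampleVPN-B"),
}

# Constructed SIEM export of authentication events (one event per line).
LOG_LINES: List[str] = """\
2024-10-01T02:14:05Z 203.0.113.40 user=alice outcome=failure
2024-10-01T02:14:09Z 203.0.113.40 user=alice outcome=failure
2024-10-01T02:15:30Z 203.0.113.41 user=alice outcome=failure
2024-10-01T02:16:02Z 198.51.100.7 user=bob outcome=failure
2024-10-01T02:20:44Z 203.0.113.42 user=alice outcome=success
2024-10-01T03:01:00Z 192.0.2.9 user=carol outcome=failure
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed log line into a dict; reject anything unexpected."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def enrich(event: Dict[str, str],
           intel: Dict[str, Tuple[str, str]] = IP_INTEL) -> Dict[str, str]:
    """Attach the intelligence category and provider to an event."""
    category, provider = intel.get(event["ip"], ("unknown", "unknown"))
    return {**event, "category": category, "provider": provider}


def cluster_by_provider(lines: List[str]) -> Tuple[Dict[str, List[Dict[str, str]]], int]:
    """Group enriched events by provider, dropping corporate egress as a known false positive.

    Returns the clusters and the number of suppressed events.
    """
    clusters: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    suppressed = 0
    for line in lines:
        ev = enrich(parse_event(line))
        if ev["category"] == "corporate":
            suppressed += 1
            continue
        clusters[ev["provider"]].append(ev)
    for events in clusters.values():
        events.sort(key=lambda e: e["ts"])  # ISO-8601 UTC timestamps sort chronologically
    return dict(clusters), suppressed


def investigate(breach_ip: str, lines: List[str] = LOG_LINES) -> Dict[str, object]:
    """From one IP seen in a breach, pull every event from the same VPN provider into a timeline."""
    _, provider = IP_INTEL.get(breach_ip, ("unknown", "unknown"))
    clusters, suppressed = cluster_by_provider(lines)
    related = clusters.get(provider, [])
    return {
        "provider": provider,
        "related_ips": sorted({e["ip"] for e in related}),
        "timeline": [(e["ts"], e["ip"], e["user"], e["outcome"]) for e in related],
        "suppressed_corporate_events": suppressed,
    }


if __name__ == "__main__":
    report = investigate("203.0.113.42")
    print(report["provider"], report["related_ips"])
    for entry in report["timeline"]:
        print(*entry)
```

Starting from the single IP that succeeded, the cluster reveals the two earlier exits of the same provider that were failing against the same account minutes before, which is the kind of timeline the answer refers to. In a real deployment the lookup would be a feed or API call and the suppression rule would cover whatever sources the team has verified, but the shape of the pipeline is the same.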
M.R. Rangaswami is the Co-Founder of Sandhill.com