First Look – Silver Tail Systems


Silver Tail Systems was founded in 2008 by founders with a background in web search, trend analytics and fraud detection. After joining eBay to fight phishing and other kinds of fraud like fake auctions and fake bids, the team sat down and figured out the tools that would have been helpful in tackling these fraud challenges. That was the basis for Silver Tail Systems. Their first sales were in mid-2010, and they have established an A-list set of customers (mostly not publicly mentionable) across retail, financial services and government including, for instance, ING Direct. They have built a strong team of about 30 with backgrounds from eBay, PayPal and Google.

The products are designed to handle the world’s largest websites – 500k clicks per second – and they are currently monitoring 750M website visitors and 2B web sessions a year. Their biggest customer has regular spikes of over 300,000 clicks per second. The products are all subscription-based, delivered either on premise or as SaaS.

A recent Gartner report divides security into 5 layers – end point, navigation, transactions, cross-channel and link analysis. Silver Tail Systems’ focus is on Navigation security, such as that exposed by the recent attacks on websites like Citigroup, Sony Portugal or Nintendo. Criminals are using the legitimate functions of a website, such as applying for offers or registering for an account, for criminal purposes: “business logic” abuse. They had some great examples. Two of my favorites: an ecommerce site started offering free shipping for an annual fee and was then taken advantage of by people who listed products on eBay (with a shipping fee) and had the site drop ship the products to the auction winners; and a guy used a bot to make 1-cent transactions on his bank account so he could win a bet with a buddy about having the longest bank statement!

Silver Tail Systems analyzes full web sessions and creates what they call “attack intelligence” specifically around fraud and abuse. This complements existing products used in other security layers – other fraud detection tools tend to be connected to a specific transaction while security products focus on validating and verifying logins, avoiding data leaks etc. The context of the web session is not used by these other products and that’s Silver Tail Systems’ secret sauce.

There are three products, based around two key assumptions: criminals and abusers behave differently from legitimate customers, and most visitors to a legitimate site are not criminals. As a result, even though a site cannot know ahead of time what someone will do in terms of fraud or abuse, it can be sure that whatever attackers/abusers do will be different from what the usual customers do.

  • Forensics
    This product creates models of what is normal for the website and then generates risk scores for each session/click to show how likely it is not to be normal. There are four risk scores: velocity risk (is the session robotic or human), man-in-the-middle risk, man-in-the-browser risk and a general behavior risk score (the session looks statistically different). Models are updated every hour based on the last hour’s sessions. No long-term analysis is done, as even monthly or seasonal cycles would show up differently in sessions due to constant changes to the site navigation.
    Rules can be defined to route a session to a case management system, and the system has a dashboard showing overviews of what’s happening. These include the ability to drill down into a session and even to specific clicks, all of which are scored.
  • Mitigation
    This product builds on the scores from Forensics and uses a rule engine to trigger other systems in the company. It could trigger the firewall (blocking an IP address say) or Security Event Managers, authentication tools (telling the site to trigger a new authentication as soon as it can for a particular session), or even invoke an arbitrary API.
    Rules can access information about the session including all the information in the HTML passed back in the session – there’s no tie to the database as the rules can just use the information flowing through the session. Mitigation turns the predictive analytics of Forensics into a true Decision Management system, allowing a company to define automated responses based on data and analytics.
  • Junction Master
    The third product is an add-on that deals with the fact that many sites are outsourcing functionality – a bank may offer Bill Pay that is hosted by someone else using an iframe for example. This product sits in the traffic stream and routes these third party links through the host first so they can be seen by Forensics and acted on by Mitigation.
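
The score-then-rule flow described for Forensics and Mitigation can be sketched as follows. This is an added example, not Silver Tail Systems' code or algorithm: the median/MAD statistics, the thresholds, the action names and the sample sessions are all assumptions made for illustration.

```python
import math
from statistics import median

def features(click_times):
    """(log of median gap between clicks, coefficient of variation of the gaps)."""
    gaps = [b - a for a, b in zip(click_times, click_times[1:])]
    mean = sum(gaps) / len(gaps)
    sd = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps))
    return math.log(max(median(gaps), 1e-3)), (sd / mean if mean > 0 else 0.0)

def center_and_spread(values):
    """Median and scaled MAD: robust, so a few bots in the hour barely move them."""
    m = median(values)
    return m, 1.4826 * (median(abs(v - m) for v in values) or 1e-9)

def build_baseline(last_hour_sessions):
    """Model of 'normal', rebuilt from the previous hour's sessions only."""
    feats = [features(t) for t in last_hour_sessions if len(t) >= 3]
    return center_and_spread([f[0] for f in feats]), center_and_spread([f[1] for f in feats])

def velocity_risk(click_times, baseline):
    """0-100: how much faster or more regular than the hour's typical session."""
    if len(click_times) < 3:
        return 0  # too few clicks to judge timing
    (gap_m, gap_s), (cv_m, cv_s) = baseline
    log_gap, cv = features(click_times)
    z = max((gap_m - log_gap) / gap_s, (cv_m - cv) / cv_s, 0.0)
    return round(100 * (1 - math.exp(-z / 3)))

RULES = [(90, "block_ip"), (60, "step_up_auth")]  # hypothetical thresholds/actions

def mitigation_action(score):
    """First matching rule wins; anything below every threshold is left alone."""
    return next((action for threshold, action in RULES if score >= threshold), "allow")

# Constructed click timestamps (seconds since session start), not real traffic.
LAST_HOUR = [[0, 4, 19, 27, 61, 70], [0, 9, 14, 40, 52, 100], [0, 3, 22, 28, 35, 77],
             [0, 12, 18, 45, 52, 66], [0, 6, 30, 37, 58, 63]]
FAST_BOT = [0, 0.2, 0.4, 0.6, 0.8, 1.0]
SLOW_SCRIPT = [0, 2, 4, 6, 8, 10]

if __name__ == "__main__":
    base = build_baseline(LAST_HOUR)
    for name, s in [("human", LAST_HOUR[0]), ("script", SLOW_SCRIPT), ("bot", FAST_BOT)]:
        score = velocity_risk(s, base)
        print(name, score, mitigation_action(score))
```

The slow script is no faster than a quick human, but its perfectly even click spacing still pushes it past the re-authentication threshold, which is why the sketch scores regularity as well as speed.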

Forensics and Mitigation use the SPAN port and require no changes to the HTML or tagging. Silver Tail Systems claim installation in 1 day and integration in 2-3 weeks. The products are not big hardware hogs and have little or no impact on the infrastructure.

Take a man-in-the-mobile example. Malware on the mobile device waits for the use of a banking app. The login from the mobile is immediately followed by a remote login from somewhere else using the same credentials. People have standard uses of these applications and Forensics has built models of normal. The second login creates a session that has strange behavior and gets scored as high risk by Forensics. Mitigation can then be programmed to act on this kind of attack to, for instance, inject a CAPTCHA into the second stream to stop the automated attack.
