Redefining CyberSecurity

Follow the Money | From Bugs to Bad Intentions: Evolving Perspectives on Product Security | A Conversation with Allison Miller | Las Vegas Black Hat 2023 Event Coverage | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

Bug or feature? Vulnerability or exploitation? These questions often arise in product security, and in anti-fraud as well. Join Allison Miller, Marco Ciappelli, and Sean Martin for a look at the intricate dance between fraud, cyber attacks, and risk management.

Episode Notes

Guest: Allison Miller, Faculty at IANS [@IANS_Security] and CISO (Chief Information Security Officer) and VP of Trust at Reddit [@Reddit]

On LinkedIn | https://www.linkedin.com/in/allisonmiller

On Twitter | https://twitter.com/selenakyle
____________________________

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Island.io | https://itspm.ag/island-io-6b5ffd

____________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, part of our Chats on the Road series to Black Hat USA 2023 in Las Vegas, hosts Sean Martin and Marco Ciappelli chat with Allison Miller about the parallels and differences between fraud and cybersecurity teams, focusing particularly on how each measures success and handles challenges. Sean highlights the fraud team's clear metric of money, which starts and ends their processes, and contrasts it with the security team's reliance on metrics like MTTx (Mean Time to Detect, Respond, etc.). He's curious about how the fraud team optimizes its processes and wonders whether there are lessons that security teams can glean from them.

Allison appreciates the methodologies of fraud teams, especially their use of sampling to understand the magnitude of problems. She explains how fraud teams utilize backend data, machine learning, AI, and statistics to discern risk factors. Then, they test these models on forward-looking data, a methodology akin to red teaming in cybersecurity. She emphasizes the importance of continuous testing to ensure confidence in their detection capabilities. A point of difference she highlights is that fraud models have a high degree of confidence due to rigorous testing, while in cybersecurity, a lot of trust is placed on tool outputs without similar rigorous testing.

Marco emphasizes the importance of building trust among teams. He states that without trust, metrics can be misleading and the overall effectiveness of processes may decline. He urges teams to ensure that they trust not only the data but also their colleagues, suggesting that this trust fosters better communication, understanding, and ultimately, results.

Sean expresses his wish for the cybersecurity world to be more integrated into applications, as fraud teams are. Allison notes that fraud teams naturally fit into transaction processes because that's where money moves. For cybersecurity, the most natural integration point would be authentication, but it's a risky move since blocking legitimate users would significantly impair their experience. Despite the challenges, Allison sees potential in a fusion of fraud and security, especially in areas like API abuse, where both teams could benefit immensely from mutual collaboration.

Allison concludes that while direct involvement of security teams within applications may be a stretch, collaboration with fraud teams can still provide valuable insights. For example, in the realm of retail and payment, insights into API abuse can be a significant area for cooperative efforts between the two teams.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

____

Resources

For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:
👉 https://itspm.ag/bhusa23tsp

Want to connect your brand to our Black Hat coverage and also tell your company story? Explore the sponsorship bundle here:
👉 https://itspm.ag/bhusa23bndl

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships