Global Managed Services Provider

CASE STUDY

Industry: MANAGED SERVICES

SpyCloud Enables a Global Managed Services Provider to Expand the Value of Their Offering Without Hiring Additional Staff

Challenge

As a managed security provider, this customer needed an efficient way to keep up with newly exposed breach data, both to identify clients’ account takeover risks and to expand their visibility into threat actor activity.

Solution

With SpyCloud, the customer now alerts clients when employee credentials have been exposed on the criminal underground and uses SpyCloud Investigations to help identify, track, and profile specific threat actors to guide recommendations to clients.

Result

SpyCloud enabled the customer to offer credential monitoring to their clients to prevent ATO, as well as increase the quality of their threat intelligence reports — all without hiring additional staff.

About the Customer

This case study examines an anonymous SpyCloud customer that acts as a managed services provider for IT teams, supporting a set of Fortune 100 organizations. Their comprehensive security offering includes a whole suite of services such as security operations, threat intelligence, hunting, red teaming, and incident response.

Challenge

Collect Breach Data Efficiently at Scale

MSSPs accumulate their clients’ challenges. When providing security services to thousands of subscribers around the world, agility and data quality are critical factors for remediating clients’ vulnerabilities before they can be exploited, and providing recommendations on evolving threats so clients can set up proactive defenses. 

According to the vice president of threat intelligence services at the company, the customer knew they needed access to the breach data available to cybercriminals in order to protect their clients effectively. They carefully considered the time and resources required to gather that type of data efficiently on their own. 

“How much is a person capable of collecting? To be able to scale you need to be able to collect as much data as possible and make sure it’s good quality. You need to have dedicated people to do that.” 

Before turning to SpyCloud, the customer considered building their own internal service that would collect breach databases and monitor for client data. 

However, meeting their own needs for data volume and quality may have been prohibitively expensive and may have required additions to the team (or a whole new team). The customer understood that building this service themselves meant delaying a critical security service their clients needed.

“We knew how much and how long it would take to be able to do that and we wanted a solution that would help us hit the ground running right away.”

Solution

Leverage SpyCloud Data for Faster, Better Visibility

The customer was not collecting breach data on their own before using SpyCloud, but did know what data they wanted and how they would make it valuable to clients. When choosing a vendor to collect and operationalize this data for them, the customer says they considered several SpyCloud competitors but were impressed by the scale and quality of SpyCloud’s data. 

“SpyCloud gave us an easy and quick way to offer credential monitoring to clients that subscribe to our service. When a breach is made public, our clients worry about whether or not their information is included in the breach. Being able to collect data quickly to answer that question, then get it in the clients’ hands to remediate vulnerabilities before is crucial.”

SpyCloud has recovered nearly 100 billion breach assets from the cybercriminal underground, and as the company and its data resources have grown, the customer says they’re experiencing an increase in quality and availability of data. 

“Knowing I have a dedicated system I can rely on to tell me if we have credentials exposed gives me peace of mind.” 

The organization finds SpyCloud’s speed in recovering data after a breach particularly valuable. 

“Every minute counts. Once a set of data is made available, we know there is a fast turnaround before bad guys get their hands on it and start attacking organizations using those accounts.”

In addition, the customer uses SpyCloud Investigations to help them identify, profile, and track threat actors in order to make security recommendations for their clients. This is another area where the quality and scale of SpyCloud’s data gave the customer an advantage: SpyCloud helps the team connect threat actor personas and TTPs into more comprehensive profiles.

“Having access to SpyCloud’s data lake related to PII supports a lot of research that we do. We can make connections between threat actors’ personas, the services they sell, malware they use, or specific attacks.”

Results

Gain Critical Insights Without Increasing Team Size

SpyCloud’s ATO Prevention and Investigations solutions help this customer identify exposed credentials across their client organizations. This capability comes without the substantial investments of time and capital the customer would need to add dedicated staff who could collect, analyze, and operationalize breach data.

“I would need a bigger team without SpyCloud.”

Additionally, SpyCloud Investigations helps make the customer’s threat intelligence reports more valuable to their clients. And better data helps the customer build better profiles of threat actors. Their clients can use these profiles to more easily identify when certain TTPs are relevant to their organization and what changes are needed to close gaps in their security posture.

“SpyCloud really helps our research in connecting dots between a persona that we have and one that we don’t.”

Providing security services to support a set of Fortune 100 organizations requires agility. With SpyCloud’s solutions, this customer and their team can move from research to action more quickly and provide insight on evolving threats at the crucial time before attacks begin.

“I really like to be able to connect dots between identities and personas and that’s only possible because we have SpyCloud. We can cover a lot of ground with it, and we can cover a whole set of third-party places that are exposed in a breach. That really helps, especially for certain actors that we track. The reach that we have in SpyCloud in terms of collection is really helpful.”

“Because of the collection capabilities [SpyCloud has], we can do more at a bigger scale.”

“I sleep well at night knowing that I have SpyCloud.”

The SpyCloud Difference

Current, Relevant, Truly Actionable Data

SpyCloud’s account takeover prevention and fraud investigation solutions are backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII. More data, particularly plaintext passwords, means more matches and stronger account protection.

SpyCloud human intelligence researchers have recovered billions of data breach assets, including stolen passwords and emails that can put enterprises at risk of account takeover.

Global Networking Company

CASE STUDY

Industry: TECHNOLOGY

Global Networking Company Trusts SpyCloud to Protect Its Active Domain Users from Account Takeover

Challenge

Discovering exposed user credentials across the global networking company’s many domains proved to be challenging using old, redundant, and undecrypted password data from an incomplete solution.

Solution

The technology company automatically monitors domain user accounts using fresh data pulled from the SpyCloud database via an API, giving the company time to remediate before accounts are compromised.

Result

With the SpyCloud exposure data at their fingertips, the company generates detailed reports that enable earlier remediation as well as justifying the value of their investment in account takeover prevention technology.

A Global Networking Company Trusts SpyCloud Data to Protect Its Domain Users from Account Takeover

The global IT and networking company profiled is a recognized technology leader with approximately 75,000 employees and annual revenue of nearly $50 billion. Security is a primary focus of its digitization strategy and the company uses a multi-pronged approach to ensure its systems, employees and customers are protected.

Challenge

Discovering Compromised User Accounts Early

The technology company is well-aware of security risks that seem to never end. Its focus on protecting its assets and users motivates security leaders to continually implement modern solutions to combat the threats.

One of the growing challenges is protecting usernames and passwords from being compromised. When users select a password to log into internal company domains, they establish a connection point that criminals are all too quick to leverage.

The primary problem is directly linked to reused passwords. When employees use the same or slightly varied password across multiple accounts, it’s like a neon light flashing for criminals. While this introduces risk for every organization, this particular company has more than their share of corporate domains to protect. Through acquisitions, they have accumulated multiple domains, each with its own user base.

The existing security products they were using were intended to monitor the dark web and notify security leaders of any compromised accounts. What they received instead was old and redundant data that was discovered well after the credentials had already been stolen and sold on underground markets. Further, much of the time the previous vendor could provide only exposed encrypted password hashes, which made the data unactionable. For a company that takes security seriously, a better solution had to be found.

Solution

Detailed Exposure Data that Triggers Automated Remediation

The technology company was intrigued by the quality and quantity of data that SpyCloud curates, particularly the number of plaintext passwords that are directly matched to a username. SpyCloud has recovered the largest database of compromised accounts, has cracked the largest number of encrypted password hashes into plaintext, and constantly ingests breach data sooner after a breach than any other company. When compromised credentials are discovered earlier in the account takeover lifecycle, companies like this one can take action before criminals use the credentials in stuffing attacks to gain access to the organization.

“The SpyCloud data has proven to be of very high quality and we saw instant value,” says a security manager within the technology company.

“The SpyCloud model lends itself well to driving the level of automation required for our use cases.”

For the technology company, automation is key to efficiency, accuracy and speed. They have automated most of the discovery and remediation process using the SpyCloud API to pull breach records across all of their domains to form a watchlist that is forwarded to the security manager. The security team separates external and internal account holders of their main domain, and external account users are notified directly of compromised credentials.

Another process is initiated for internal account holders. For these accounts, answers to a series of questions direct the type of remediation effort: has the breach record been seen before? Is the account still active? Does the account belong to an executive, administrator or service account?

The technology company has also built their own internal “Credentials Leak Notification Dashboard” that monitors the value SpyCloud is providing. This dashboard contains monthly reports of the leaks as well as the victims who were notified, the notification timeline, and the specific accounts that have experienced more than one breach.

Results

More Exposures Discovered Than Ever Before

In just one quarter, the IT and technology company was able to use the SpyCloud data to notify more than 3,600 users that their credentials had been exposed. These are active user accounts that were threatening the enterprise without users realizing they were playing a role in security risk. Today, the company is confident they are catching exposures and using the data to educate users on ways to fortify their passwords going forward.

Using the API, the reports in the company’s dashboard contain all of the relevant data pulled directly from the SpyCloud database, giving the company the information they need to take appropriate and immediate action.

“The SpyCloud data provides us with the details of not only the exposures but how we are distilling the data and deriving value from the SpyCloud solution,” says the manager. “Great data is wonderful, but the way SpyCloud operationalizes it for us has been invaluable in our efforts to justify our investment in this security technology.”

More than 3,600 users notified of leaked credentials in the first 3 months

Top 10 Travel Booking Site

CASE STUDY

Industry: TRAVEL & HOSPITALITY

Top 10 Travel Booking Site Discovers Up to 11,000 Exposed Customer Credentials per Hour with SpyCloud

Challenge

Preventing account takeover begins with monitoring the dark web, but without the ability to match user accounts with a database of exposed credentials, a top 10 travel booking site was vulnerable to attack.

Solution

The booking company uses the SpyCloud API to continually monitor and protect customer accounts against SpyCloud’s massive database of exposed emails and plaintext passwords.

Result

With automated dark web monitoring, the company discovers thousands of exposed customer accounts every hour, enabling the company to better protect their customers from account takeover.

The online travel booking company profiled is one of the largest in the world, with nearly two million room nights reserved at more than 140,000 global destinations on its online platform every day. With a mission to remove the friction out of travel, the company unites travelers with every type of accommodation available.

Challenge

Preventing Account Takeover After a Breach

Account takeover (ATO) is a growing problem that impacts virtually every industry, particularly those organizations with an e-commerce capability. When cyber criminals steal usernames and passwords or purchase them from breach data on the dark web, both consumer and company can suffer.

The risk of ATO keeps security leaders up at night. Beyond the financial loss, ATO is often the dreaded aftermath of a security breach and can continue to cause damage for years.

For the Account Security Group at this top 10 travel site, keeping constant watch over their user accounts is a full-time job that would greatly benefit from automation.

“It has always been our goal to prevent, detect and remediate any account security threat,” says a security leader at the online travel company. “We wanted a solution that would enable us to continually evaluate our security stack and if we detect any gaps in our strategy, take immediate action to protect our customers and our brand, starting with ATO prevention.”

Solution

Identify Exposed Credentials Early and Rapidly

SpyCloud always has its ear to the ground in the deep and dark web. Through proprietary tools, techniques and technologies, SpyCloud is able to detect corporate breaches earlier than any other company. The earlier exposed credentials are discovered, the more likely a future breach can be prevented.

To prevent a breach, ATO and ongoing fraud from happening, this top 10 travel booking site turned to SpyCloud, recognizing the value of the detailed, real-time, accurate data SpyCloud provides. They chose to work with SpyCloud to launch a new initiative to automatically detect exposed customer credentials and alert security leaders early in the process, before criminals have the opportunity to take over the account and cause damage.

The company uses SpyCloud data as part of their account stuffing attack monitoring. For each login attempt to their domains, they initiate an out-of-band SpyCloud check for an account match. They then check match alerts against SpyCloud’s recorded spikes in account stuffing attacks to identify any correlations.

“We use SpyCloud to detect the ATO storms – when an attacker targets our system with a list of breached credentials,” says the security leader at the company. “The SpyCloud data reveals which accounts are compromised so we can force the account down an alternate road that includes a second step in the verification process. This is typically requiring the account owner to answer security questions or engage in two-step multi-factor authentication.” 

“Without the SpyCloud data, we would be in constant risk for attacks we never saw coming. We may not be able to stop every breach, but we feel we are being more proactive and have dramatically improved our security stance.”

Results

Thousands of Exposed Credentials Discovered Every Hour

One of the unique aspects of SpyCloud is the ability to discover direct matches with emails and passwords. Identifying exposed emails is not enough and doesn’t indicate the account has been compromised. With SpyCloud’s proprietary password cracking methodology, more passwords can be cracked, unencrypted and operationalized. In fact, SpyCloud owns the largest database of emails and plaintext passwords, eight billion and counting.

“SpyCloud allows us to see where we are vulnerable in order for us to fortify those potential entry points,” says the security leader. “With the SpyCloud database constantly updated, we can continually monitor our customer base with the freshest, most usable data available. Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.”

While the SpyCloud solution does include the capability for users to automatically remediate accounts with matches to breach records, typically forcing a password reset, the travel company prefers less friction in the booking process.

“For now, we are using SpyCloud simply for monitoring, but we are aware the solution can do much more,” says the security leader. “We are evaluating our options and are considering moving towards being more proactive without compromising our mission. The fact that SpyCloud is customizable to our needs now but also scalable to where we may go in the future is one of the reasons we chose their solution.”

4.7% email and plaintext password match rate.

Automattic

CASE STUDY

Industry: TECHNOLOGY

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting the account from a takeover. 

Challenge

Password reuse is a constant issue that often leads to account takeovers, yet finding exposed credentials was a labor-intensive, manual task that didn’t capture every instance.

Solution

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting customer accounts from a takeover with proactive tools that force an immediate password reset.

Result

With the automated solution, Automattic is protecting millions of people from account takeover and preventing them from reusing exposed passwords for a safer customer experience.

How Automattic Is Protecting Customers Behind The Scenes

Automattic is the company behind one of the most popular online publishing platforms in the world, WordPress.com. WordPress.com is but one of the products offered by Automattic. The company has developed services like Jetpack and WooCommerce that give users additional functionalities such as ecommerce, website security, backups and anti-spam capabilities. With a motto of “making the web a better place,” clearly Automattic is defining how the internet can empower, inspire and delight.

Today, customer accounts have become a target for cybercriminals who seek to hack accounts to steal identities, data or privileges using stolen credentials. When people reuse passwords across multiple sites and apps, they make themselves highly vulnerable to attacks. Automattic took up the cause to ensure its customers were as secure as its own servers, offering multi-factor authentication and ensuring customers choose strong passwords that have never been exposed on the dark web.

Enhancing the Website Experience

Automattic’s mission is to give people easy access to a platform where they can share data beyond social media accounts. “We believe everyone should have their own place on the web, their own domain they own forever,” says Barry Abrahamson, CTO at Automattic. “While affordable, we give them inventive tools to make it unique, interactive and highly functional.”

What was once primarily a blogger’s paradise, WordPress.com has expanded to give businesses of all sizes across the globe a place to connect with an audience in ways never before possible. “Protecting our customers from account takeover is something we view as our responsibility,” says Abrahamson. “Many people may not realize the risk of reusing passwords across multiple accounts. Our goal is to both educate our users and protect their WordPress.com site as much as we can from all forms of attacks. We do all of the work behind the scenes so customers can just enjoy their site and the freedom it brings to express themselves.”

Automattic is unique. They don’t charge extra for the many security features embedded in their products. Everything is included in the platform because the company believes at its core that those features are too important to leave to chance. A secure presence on the internet is a basic right, not an opportunity to nickel and dime customers. To Automattic, denial-of-service protection, SSL, web application firewalls and account takeover prevention are features as important as any basic product functionality, maybe more.

“Our idea behind security is to provide best-in-class security features and functionality to all customers in a transparent, no-hassle way, whether they ask for it or are completely oblivious to its necessity,” says Abrahamson. “We ensure when we implement something, we make the default version as secure as technically possible. Security features are automatically enabled, without requiring the user to turn on a feature, so we know our customers are protected from bad people who want to cause harm.”

Proactively Preventing Account Takeover

Account takeover has come front and center in the past few years. According to Verizon, stolen credentials top the list of breach attacks, mostly due to the fact that nearly 60 percent of people admit to reusing passwords across multiple accounts. Automattic believes it can be more effective in protecting its millions of customers by embedding security solutions into its products.

One such solution Automattic chose was SpyCloud to automate the process of detecting account exposures and protecting the account from a takeover with proactive tools that force an immediate password reset. “Account compromise due to password reuse has become a larger problem over the years,” says Abrahamson.

“We found ourselves spending more of our time searching the dark web for these password lists and then going through manually comparing the list with our customer list, then proactively resetting their passwords. It was a huge time commitment. Now that we have an automated solution, we can protect hundreds of millions of people and prevent them from choosing passwords that have already been exposed.”

Plenty has changed since Automattic was founded, yet the company has the foundation in place to stay nimble to whatever comes next. Automattic continues to build tooling and algorithms internally that detect, block, alert and notify. “We will invest in security measures that are proven to bring value to our products by providing a safe environment for our customers,” he says. “Security will always be at the top of our priority list because it’s our responsibility to take care of our customers who trust us.”

About Barry Abrahamson

Chief Technology Officer may be on Barry Abrahamson’s resume, but Automattic insiders prefer to call him Systems Wrangler. Abrahamson knows technology. He was one of the original hires at Automattic and for more than 12 years, has worn plenty of hats. He is responsible for all of the technology and implementations at Automattic, including servers, data centers and security, as well as improving performance and security insights. Before joining Automattic, Abrahamson was a senior account manager at Rackspace Managed Hosting.
