CASE STUDY

Global Managed Services Provider

Industry: MANAGED SERVICES

SpyCloud Enables a Global Managed Services Provider to Expand the Value of Their Offering Without Hiring Additional Staff

Challenge

As a managed security provider, this customer needed an efficient way to keep up with newly exposed breach data, both to identify clients’ account takeover risks and to expand its visibility into threat actor activity.

Solution

With SpyCloud, the customer now alerts clients when employee credentials have been exposed on the criminal underground and uses SpyCloud Investigations to help identify, track, and profile specific threat actors to guide recommendations to clients.

Result

SpyCloud enabled the customer to offer credential monitoring to their clients to prevent ATO, as well as increase the quality of their threat intelligence reports — all without hiring additional staff.

About the Customer

This case study examines an anonymous SpyCloud customer that acts as a managed services provider for IT teams, supporting a set of Fortune 100 organizations. Their comprehensive security offering includes a whole suite of services such as security operations, threat intelligence, hunting, red teaming, and incident response.

Challenge

Collect Breach Data Efficiently at Scale

An MSSP inherits its clients’ challenges. When providing security services to thousands of subscribers around the world, agility and data quality are critical factors for remediating clients’ vulnerabilities before they can be exploited and for providing recommendations on evolving threats so clients can set up proactive defenses.

According to the vice president of threat intelligence services at the company, the customer knew they needed access to the breach data available to cybercriminals in order to protect their clients effectively. They carefully considered the time and resources required to gather that type of data efficiently on their own. 

“How much is a person capable of collecting? To be able to scale you need to be able to collect as much data as possible and make sure it’s good quality. You need to have dedicated people to do that.” 

Before turning to SpyCloud, the customer considered building their own internal service that would collect breach databases and monitor for client data. 

However, meeting their own needs for data volume and quality may have been prohibitively expensive and may have required additions to the team (or a whole new team). The customer understood that building this service themselves meant delaying a critical security service their clients needed.

“We knew how much and how long it would take to be able to do that and we wanted a solution that would help us hit the ground running right away.”

Solution

Leverage SpyCloud Data for Faster, Better Visibility

The customer was not collecting breach data on their own before using SpyCloud, but did know what data they wanted and how they would make it valuable to clients. When choosing a vendor to collect and operationalize this data for them, the customer says they considered several SpyCloud competitors but were impressed by the scale and quality of SpyCloud’s data. 

“SpyCloud gave us an easy and quick way to offer credential monitoring to clients that subscribe to our service. When a breach is made public, our clients worry about whether or not their information is included in the breach. Being able to collect data quickly to answer that question, then get it in the clients’ hands to remediate vulnerabilities before is crucial.”

SpyCloud has recovered nearly 100 billion breach assets from the cybercriminal underground, and as the company and its data resources have grown, the customer says they’re experiencing an increase in quality and availability of data. 

“Knowing I have a dedicated system I can rely on to tell me if we have credentials exposed gives me peace of mind.” 

The organization finds SpyCloud’s speed in recovering data after a breach particularly valuable. 

“Every minute counts. Once a set of data is made available, we know there is a fast turnaround before bad guys get their hands on it and start attacking organizations using those accounts.”

In addition, the customer uses SpyCloud Investigations to help them identify, profile, and track threat actors in order to make security recommendations for their clients. This is another area where the quality and scale of SpyCloud’s data gave the customer an advantage: SpyCloud helps the team connect threat actor personas and TTPs into more comprehensive profiles.

“Having access to SpyCloud’s data lake related to PII supports a lot of research that we do. We can make connections between threat actors’ personas, the services they sell, malware they use, or specific attacks.”

Results

Gain Critical Insights Without Increasing Team Size

SpyCloud’s ATO Prevention and Investigations solutions help this customer identify exposed credentials across their client organizations. This capability comes without the substantial investments of time and capital the customer would need to add dedicated staff who could collect, analyze, and operationalize breach data.

“I would need a bigger team without SpyCloud.”

Additionally, SpyCloud Investigations helps make the customer’s threat intelligence reports more valuable to their clients. And better data helps the customer build better profiles of threat actors. Their clients can use these profiles to more easily identify when certain TTPs are relevant to their organization and what changes are needed to close gaps in their security posture.

“SpyCloud really helps our research in connecting dots between a persona that we have and one that we don’t.”

Providing security services to support a set of Fortune 100 organizations requires agility. With SpyCloud’s solutions, this customer and their team can move from research to action more quickly and provide insight on evolving threats at the crucial time before attacks begin.

“I really like to be able to connect dots between identities and personas and that’s only possible because we have SpyCloud. We can cover a lot of ground with it, and we can cover a whole set of third-party places that are exposed in a breach. That really helps, especially for certain actors that we track. The reach that we have in SpyCloud in terms of collection is really helpful.”

“Because of the collection capabilities [SpyCloud has], we can do more at a bigger scale.”

“I sleep well at night knowing that I have SpyCloud.”

The SpyCloud Difference

Current, Relevant, Truly Actionable Data

SpyCloud’s account takeover prevention and fraud investigation solutions are backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII. More data, particularly plaintext passwords, means more matches and stronger account protection.

SpyCloud human intelligence researchers have recovered billions of data breach assets, including stolen passwords and emails that can put enterprises at risk of account takeover.

CASE STUDY

SpyCloud Investigations

Industry: TECHNOLOGY

SpyCloud Helps Bring an Identity Thief to Justice

After Three Years of Identity Theft and Financial Fraud, An Executive Turns to SpyCloud for Help

SpyCloud’s core mission is to significantly disrupt the cybercriminal economy to eliminate the loss of money, time, and reputation due to online fraud – ultimately making the internet a safer place for individuals and businesses.

Due to the depth of our investigations experience and breadth of our breach asset database, we’re often brought in to assist customers with investigations, and frequently partner with law enforcement to bring criminals to justice.

This is the story of one such investigation, which was recently brought to a satisfying conclusion.

Background on the Case

We were put in touch with an executive who had been the victim of identity theft and financial fraud by an unidentified attacker for close to three years — a leader at a nationally-recognized technology solutions firm. 

Using a combination of stolen credentials and social engineering, the attacker perpetrated a string of crimes, including:

  • Opening numerous bank accounts in the executive’s name, leveraging his Social Security number
  • Opening various credit cards in his name
  • Accessing his utility bills and even shutting his utility services off
  • Accessing his actual bank account and wiring funds
  • Unlocking the credit hold the victim put in place as a stopgap

Based upon the duration and types of activities performed by the attacker, it was clear that not only were we dealing with a tenacious and determined bad actor, but that the attack was highly targeted. 

Targeted attacks, though time-consuming, are highly effective, difficult to stop and can lead to huge losses – as this victim experienced.

The victim had one clue as to the identity of the perpetrator: a check had been issued from his real bank account to an unknown person – possibly the attacker.

Enter: SpyCloud

Investigators at SpyCloud were asked to look into the suspected attacker’s digital footprint to stitch together a profile, reveal possible alternate identities, and potentially attribute other crimes. Investigators often begin with only one piece of information – an email address or phone number, or in this case, a name. At the outset, we reviewed publicly available information tied to the suspect’s name, such as known addresses and phone numbers. We then leveraged OSINT to collect additional PII, and were able to identify four pertinent email addresses that guided our next steps.

Using Maltego, we dove into SpyCloud’s data lake of nearly 100 billion breach assets: decades’ worth of digital breadcrumbs that can be used to locate and unmask criminals (like the rest of us, criminals use online accounts that are subject to data breaches).

Pivoting off the email addresses, we found numerous identities under which the suspect was performing illegal activities — email addresses or user IDs that had either been stolen on the internet or created to impersonate other victims. A cluster of other identities tied to an original known email address is a strong indicator that a person is engaged in a criminal enterprise.

Based upon IP addresses, we were able to geolocate the suspect’s residence and drop off points. We identified another criminal at the suspect’s address: his sister, who was also committing financial fraud. We also found many phone numbers attributed to the suspect — both land lines and burner phones. 

Finally, using SpyCloud data, we were able to locate an address for the suspect that was tied to a previous arrest record in a neighboring county.

The Arrest

Everything we learned was provided to the local police department. Along with information the detective compiled, the SpyCloud report was used to help prepare the warrant for the suspect’s arrest.

During the arrest, evidence was collected from the suspect’s house showing the victim’s name, utility and cable TV account numbers written on a piece of paper.

The suspect is currently facing multiple felony charges. SpyCloud is proud to have helped put an end to the technology executive’s victimization.

With SpyCloud data acting as a roadmap to unmask and bring criminals to justice, we regularly offer our customers and partners assistance with investigations, and cooperate with law enforcement to take criminals of all types off the streets.

SpyCloud partners with law enforcement to investigate and take down cybercriminals committing online fraud, identity theft, and other illegal activities.

Transform Your Investigations

Whether you begin with a name, email or phone number, SpyCloud Investigations – backed by 50+ Maltego transforms and over 100 billion searchable breach assets – makes it faster and more efficient to take down those attempting to harm individuals and businesses.

CASE STUDY

Zscaler

Industry: TECHNOLOGY

Transforming Information Security with a New Vision and a New Model

About the Company

Zscaler is a cloud-based security company that is completely transforming the way companies approach information security. Many of the world’s largest and most forward-thinking companies rely on Zscaler to move their security off the network and into the cloud. Gartner has named Zscaler a leader in its Magic Quadrant for SWGs for seven consecutive years and the company recently went public. Clearly, Zscaler is moving the needle.

For the past decade, Zscaler has brought its revolutionary vision to a rather fixed mindset. It realized early on that employees had begun working differently than in the past. They weren’t attached to a static office and they weren’t consistently on a secure, corporate-controlled network using company-owned devices. The traditional security models were no longer aligned with this culture. Today, mobility and the cloud enable all of us to be more productive and agile, yet they pose a new problem for security. How do you protect users, data, systems and applications when they aren’t always visible? How do you control security when traffic isn’t going through the traditional security stack?

Changing How Information Security is Viewed

While many business systems have moved to the cloud, security has been slow to transition. The hesitation comes less from cost or efficiency concerns, as most companies realize the cloud improves both, but more from the questions of complexity and scope. Zscaler recognized the opportunity to make modern security not only attainable, but comprehensive, with the scalability to encompass all of the ways people now work. The company took security hardware out of the enterprise data center and built its own multi-tenant, cloud-based stack around the globe, enabling companies to step away from managing their own stack and forwarding their traffic through the Zscaler stack instead.

Zscaler has been attractive to many of the world’s largest companies with distributed workforces and multiple locations. Smaller companies have taken notice as well, realizing they can finally afford an enterprise-grade security platform they don’t have to manage themselves. Zscaler is also a preferred partner for service providers who want to offer security to their customers through a SaaS-based platform.

For Zscaler CISO Michael Sutton, attracting customers and partners is only a small part of the vision. Changing how information security (IS) is viewed is the bigger goal. “Gone are the days when IS dictates security within the company. Users have so much power now and IS doesn’t have the control or visibility they once had. CISOs have to rethink how they achieve their mission and find ways to empower users instead of being the ‘Office of No’ that employees will just bypass. Security can be flexible without giving up protection.”

The Zero Trust Model

Visibility is a fundamental challenge for many in IT and IS. Protecting what isn’t seen is a common pain point. From BYOD, remote employees and cellular networks, to uploading data and unsanctioned apps, security leaders are hard pressed to control this seemingly rogue atmosphere. Even if they could gain visibility into all of this traffic, much of it today is encrypted and therefore unusable.

“You can’t control what every employee is doing—it’s simply not possible and companies will waste an inordinate amount of energy trying to do so,” says Sutton. “We built Zscaler with this perspective in mind. We don’t care where employees work, which device they use, or how they choose to connect. We had to build a solution that would enable IS to see all of the traffic, inspect it appropriately, and be alerted of anything suspicious. The zero-trust model insists we treat all devices and all websites as untrusted until they can be authenticated and users can be authorized. It’s not about changing the user habits. It’s about changing the IS model.”

Radically Rethinking Security

Changing perspectives is never easy, yet companies large and small are accepting the zero-trust model and taking steps to incorporate it into their methodology. Zscaler solutions are intentionally built to make this process easier and more adoptable. Zscaler built its security stack from the ground up and all of its capabilities are tightly integrated, so there is only one proxy through which all traffic runs. Controls as simple as blacklisting a site to more complex sandboxing can be performed through one system, making security more efficient and easily visualized.

As Zscaler continues to lead the cloud security market, it is taking a top-down approach. “It’s no longer selling a product to a line-level person in charge of firewalls,” Sutton says. “It’s so much bigger than that. We are pitching a new vision that C-level executives can champion to lead the transformation into the cloud. Zscaler is helping companies take their security to the next level—not with a specific product, per se, but by radically rethinking their approach to security.”

About Michael Sutton

Michael Sutton compares being the CISO at a security company to being a skating coach on a hockey team. Everyone at Zscaler is a security pro, making his job unconventional. Instead of convincing employees to adopt his security protocols, he spends his time selling his vision and best-practice expertise to companies that he believes need to rethink their entire approach to internal security. Sutton is also a mentor and advisor to the next generation of security startup founders at Mach37. He has been with Zscaler since its inception in 2008, starting as vice president of security research. Prior to Zscaler, Sutton was a security evangelist at Hewlett-Packard and SPI Dynamics.

CASE STUDY

A Large US University

Industry: HIGHER EDUCATION

A Large US University Freed Up Precious Resources and Solidified its Account Protection Using the Automated Capabilities of SpyCloud

Challenge

With few resources to dedicate to account takeover prevention, this large US university was settling for a mediocre security solution that required too much manual effort.

Solution

The university leverages SpyCloud’s seamless integration with Splunk to automate its account takeover prevention strategy, enabling the institution to strengthen its security stance.

Result

Using SpyCloud automation and data, the university consistently discovers more account exposures and remediates them in a fraction of the time it took before, and with fewer resources.

A Large US University Finds More Exposed Credentials 10X Faster with SpyCloud

Challenge

Keeping Information Accessible While Protecting Accounts

This featured university takes cyber security seriously and is aware of the constant threats to its students, faculty and staff. Like many higher education institutions, however, this university has few dedicated security professionals on staff to implement and manage technologies and processes.

For security professionals at higher education institutions, there is often an identity access management dilemma. On the one hand, they want to restrict account access to only authorized individuals, yet they also want to remain “open” for students and staff to get any information they may need. This transparent framework fosters self-reliance and efficiency, but it makes it challenging to limit and control security.

The university understands that account takeover is a pervasive problem across college systems and one that is growing exponentially. They believed they were addressing threats with a product, but it failed to live up to its sales pitch, leaving them to perform additional work to get the most from the solution. “We had to do so many manual tasks after finding any issues and knew we might be missing other ATO threats. These efforts took time away from performing other necessary tasks in our security cycles,” says a manager in the Office of Information Technology at the university. “We were introduced to SpyCloud and were eager to compare credential matches. Even more so, we wanted to see how the integrations would speed remediation with fewer resources.”

Solution

Integrate SpyCloud and Splunk for Automation Efficiencies

The institution chose SpyCloud for several reasons, including the fact that the SpyCloud API could feed SpyCloud’s extensive breach data directly into the university’s Splunk instance. According to the manager, integration into Splunk was key. “Our previous tool lacked Splunk integration, forcing us to use up resources to investigate suspicious accounts and take manual action in Splunk,” he says. “Splunk scripts pull in the SpyCloud data automatically to provide instant visibility into which students’ or staff’s credentials have been exposed. The quantity and quality of their data is amazing; we’ve never seen anything like it.”

The Splunk integration means developers no longer have to take extra manual steps to consume the SpyCloud data. The SpyCloud API provides an efficient and reliable way for the Office of IT to access their exposed credentials that are being traded in underground communities.

Many other account takeover prevention solutions and tools find exposed credentials only after they are on public forums, much too late for remediation efforts to secure accounts.

“As a higher education institution with students, faculty and staff using school emails to access everything from financial aid to housing data to meal plans, we have a responsibility to protect those accounts as best we can from cyber criminals who hope to gain access to those accounts,” says the manager. “With SpyCloud, we feel like our security staff finally have the tool they require to know the who, what, when and where as it relates to compromised accounts.”

Results

Faster, More Reliable Results with Fewer Resources

Since implementing SpyCloud, the school finds more exposed credentials than ever before. Thanks to the seamless API integration with Splunk, they are finding those exposures and taking action ten times faster than in the past.

“We have to do more with fewer resources every year,” says the manager. “SpyCloud digs deeper into the dark web and cyber underground than other tools and finds more stolen credentials sooner. We have more hits than we did with the other system because SpyCloud data is fresher and more complete.”

Exposures found 10X faster than with previous tools

CASE STUDY

Oklahoma University

Industry: HIGHER EDUCATION

University of Oklahoma Remediates 1,000 Exposed Email Accounts in Less than 24 Hours with SpyCloud

Challenge

Without sufficient internal resources or tools to identify and remediate exposed student, faculty and staff email accounts, OU was at constant risk of accounts being compromised.

Solution

OU chose SpyCloud for its user-friendly API and its comprehensive, operationalized exposure data, which it could quickly compare with its Active Directory accounts to automatically stop bad guys from compromising accounts.

Result

OU is now able to take proper remediation action based on reliable SpyCloud data and student employee ingenuity, saving thousands of accounts from being taken over and causing harm to users and the university.

Founded in 1890, the University of Oklahoma (OU) is a public research university located in Norman, Oklahoma. With just over 21,000 undergraduate students, 6,000 full-time employees and 80,000 active accounts, the institution realizes the potential for cybercrime activity is a constant threat. It approaches security with a proactive stance but needed automation and good data to make a real difference.

Challenge

Establishing Internal Means of Identifying Exposed Accounts

OU faces the same challenge that most higher education institutions face: students and staff use school email accounts for personal use, often reusing their OU passwords on multiple sites. When they do, they make it easy for cyber criminals to get into not only the personal sites but also the school accounts.

OU knew some of its 80,000 active accounts were periodically exposed to cyber criminals. It just didn’t have an effective way to monitor these accounts and discover all of the exposures. It was relying on third parties and on open-source resources such as Pastebin and Have I Been Pwned.

“We look at Pastebin and they will alert us of exposed credentials, but that only gives us part of the story because not everything gets posted publicly when there’s a data breach,” says Aaron Baillio, deputy CISO at the University of Oklahoma. “There are a lot of dark web and non-public sites that have our information but we can’t see it using open sources. We had to find a more reliable way to get alerts and manage exposures.”

Managing those credential exposures was no easy feat. Even when OU received a breach alert, they didn’t have the resource capacity to investigate and determine if all of the accounts belonged to active students or staff, if the exposed password matched their current OU password, or when the exposure occurred. The institution also had no password policy in place to secure active accounts. Baillio and his team made it a priority to protect the institution on the front and back ends.

Solution

Use SpyCloud API to Integrate SpyCloud Data with Internal Tools

The first thing OU did was establish a campus-wide password policy. Students, faculty and staff are obligated to reset their passwords every year with an eight-character minimum and complexity requirements. The same password cannot be reused for five cycles. Once good password habits were enforced, the school moved on to automating account takeover precautions.

OU had a few credential exposure products in their security stack but none with the scale and capabilities they required. They chose SpyCloud because the solution not only shows them where the credentials are located but gives them plaintext passwords and hashes so exact matches can be more easily found. It also reveals exposures in the dark web, those that aren’t listed in open sources. By catching the exposures before they are on public forums, OU can take more preemptive actions before criminals do harm.

“We don’t want to block an account if we don’t have to, so having such detailed and usable data from SpyCloud helps our security team be more discerning,” says Baillio. “We see the date of the breach, when the exposure was discovered, and its severity. If SpyCloud flags an incident with 10 emails affected but leaked more than a year ago, we hope our password policies forced a reset already and we wouldn’t need to lock the account.”

OU decided to integrate SpyCloud with its internal SOAR platform (security orchestration, automation and response). Using the SpyCloud API, they pull SpyCloud breach data into their platform. When there is an alert about a particular data breach or credential leak, a ticket is automatically created.

As part of their practical application initiative, instead of using SpyCloud Active Directory Guardian to generate automated scripts, the school selects a few SOC student employees to practice their skills by creating homegrown scripts that check the SpyCloud data against the school’s Active Directory. These scripts determine whether an exposed account is still active and whether the exposed password matches the account’s current password.

“The SpyCloud API automates the heavy lifting and data gathering for us,” says Baillio. “Our student employees integrate SOAR and SpyCloud so we can quickly react. Having the API documentation clearly defined in Apiary allows our team and students who have limited security experience to build effective automations. We can’t get that with other platforms out there.”
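The matching procedure described in this section (pull exposure records, check them against the directory for active accounts and current-password matches, and open a ticket) as an added example; this is not OU’s student-written scripts or SpyCloud’s code, and it also illustrates the Splunk-based matching in the earlier university case. The record field names, the directory’s hashing scheme and every sample value are assumptions constructed for the demo. A real Active Directory comparison would hash the leaked plaintext with the directory’s NT scheme (MD4 over UTF-16LE); because MD4 is missing from some Python builds, the example uses salted SHA-256 as a stand-in. The date check implements the age-based triage Baillio describes: an exposure recovered before the account’s last forced reset cannot contain the current password, so it does not justify a lock.

```python
"""Triage exposed-credential records against a directory export.

Added example (not OU's scripts or SpyCloud's code). Record fields, the
directory's hashing scheme and every sample value are constructed for
the demo, not taken from SpyCloud's real schema.
"""
import hashlib
import hmac
from datetime import date


# Stand-in for the directory's password scheme. Real Active Directory keeps
# NT hashes (MD4 over UTF-16LE); MD4 is absent from some Python builds, so
# this demo uses salted SHA-256 instead. Swap this function for the real one.
def directory_hash(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed directory export: account -> status, last forced reset, hash.
DIRECTORY = {
    "alice@example.edu": {"active": True, "salt": "s1", "last_reset": date(2023, 9, 1),
                          "pw_hash": directory_hash("Sooner2023!", "s1")},
    "bob@example.edu": {"active": True, "salt": "s2", "last_reset": date(2023, 9, 1),
                        "pw_hash": directory_hash("correct horse", "s2")},
    "carol@example.edu": {"active": False, "salt": "s3", "last_reset": date(2021, 9, 1),
                          "pw_hash": directory_hash("Graduated19", "s3")},
}

# Constructed exposure records (shape assumed). "spotted" is the date the
# exposure was recovered; "password" is None when the feed only has a hash.
EXPOSURES = [
    {"email": "Alice@Example.edu", "password": "Sooner2023!", "spotted": date(2024, 3, 2), "source": "breach-A"},
    {"email": "alice@example.edu", "password": "SomethingElse", "spotted": date(2024, 5, 1), "source": "breach-D"},
    {"email": "bob@example.edu", "password": "OldPassword1", "spotted": date(2022, 1, 15), "source": "breach-B"},
    {"email": "bob@example.edu", "password": None, "password_hash": "0123abcd0123abcd",  # constructed
     "spotted": date(2024, 4, 1), "source": "breach-C"},
    {"email": "carol@example.edu", "password": "Graduated19", "spotted": date(2024, 2, 1), "source": "breach-A"},
    {"email": "nobody@example.edu", "password": "whatever", "spotted": date(2024, 2, 1), "source": "breach-A"},
]


def classify(rec: dict, directory: dict) -> tuple:
    """Return (email, source, verdict) for one exposure record."""
    email = rec["email"].strip().lower()  # directory keys are lower-case
    acct = directory.get(email)
    if acct is None:
        return email, rec["source"], "unknown_account"
    if not acct["active"]:
        return email, rec["source"], "inactive_account"
    # Age-based triage: an exposure older than the last forced reset cannot
    # hold the current password, so it does not justify a lock.
    if rec["spotted"] < acct["last_reset"]:
        return email, rec["source"], "rotated_since_exposure"
    plaintext = rec.get("password")
    if plaintext is None:
        # A hash from the feed is only comparable if it uses the directory's scheme.
        return email, rec["source"], "unverified_hash_only"
    # Hash the leaked plaintext immediately; never log or store it as-is.
    candidate = directory_hash(plaintext, acct["salt"])
    if hmac.compare_digest(candidate, acct["pw_hash"]):
        return email, rec["source"], "current_password_exposed"
    return email, rec["source"], "stale_password_exposed"


def triage(exposures: list, directory: dict) -> list:
    """Classify every record; one finding per record."""
    return [classify(rec, directory) for rec in exposures]


def reset_tickets(findings: list) -> list:
    """Accounts whose current password is known to be exposed: one ticket each."""
    return sorted({email for email, _, verdict in findings
                   if verdict == "current_password_exposed"})


def summary(findings: list) -> dict:
    """Count findings per verdict, for the help-desk hand-off report."""
    counts = {}
    for _, _, verdict in findings:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(EXPOSURES, DIRECTORY)
    for email, source, verdict in results:
        print(f"{email:20} {source:9} {verdict}")
    print("tickets:", reset_tickets(results))
    print("summary:", summary(results))
```

Only the `current_password_exposed` verdict produces a forced-reset ticket; stale and already-rotated exposures are still worth a reuse warning to the user but do not warrant a lock, which is the discernment Baillio describes. Hash-only records are reported separately because they cannot be verified against a directory that uses a different hashing scheme.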

Results

Fast Remediation with Minimal Resources

Using the SpyCloud API, a student employee was able to take a list of more than 7,000 exposed emails from SpyCloud, run it through their own script, and discover over 1,000 Active Directory accounts with matching passwords.

“Before SpyCloud, if we were alerted to 7,000 exposed passwords to manually check, we would most likely have had to ignore them due to a lack of resources,” says Baillio. “With SpyCloud, we can get that information in less than 30 minutes. We passed that information along to our help desk and in a matter of hours, 1,000 accounts were secured. Using SpyCloud and the ingenuity of our student employees, we are legitimately preventing bad guys from compromising accounts.”

Baillio believes the university is in a much better place now that they have SpyCloud in their security stack. Because SpyCloud enables them to quickly and efficiently identify compromised accounts using their own tools and in-house integrations, they can make decisions and remediate much more quickly.

He and his team are focusing on training and outreach to educate students, faculty and staff on the dangers of password reuse, as well as phishing campaigns he says can generate up to a 60 percent click rate from students. “If you get your password compromised in one place, you can bet it’s compromised everywhere you reuse passwords. We need users to understand the many dangers that are inherent with emails and passwords. OU is striving to be a place of learning that goes beyond the classroom and impacts their everyday lives.”

7,000 emails checked with 1,000 exposed password matches found in less than 30 minutes

About Aaron Baillio

I’ve spent the first 10 years of my career with the Department of Defense. With them I traveled the world and supported both in garrison and deployed network operations and information assurance. I’ve written compliance documents for AF accreditation and NIST accreditation including policy and technical documents. I’ve also spent a lot of time performing security engineering through the system development process. Currently, I am the managing director of security operations at the University of Oklahoma. We cover the whole range of security operations from day to day sustainment to incident response. We’ve planned for and developed tool sets for malware detection, DNS security, vulnerability discovery and remediation and incident response maturity. We support the entire university in security operations and advise on departmental security projects.

The SpyCloud Difference

Current, Relevant, Truly Actionable Data

SpyCloud’s account takeover prevention and fraud investigation solutions are backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII. More data, particularly plaintext passwords, means more matches and stronger account protection.

SpyCloud human intelligence researchers have recovered billions of data breach assets, including stolen passwords and emails that can put enterprises at risk of account takeover.

Global Networking Company

CASE STUDY

Industry: TECHNOLOGY

Global Networking Company Trusts SpyCloud to Protect Its Active Domain Users from Account Takeover

Challenge

Discovering exposed user credentials across the global networking company’s many domains proved challenging: the incomplete solution it relied on delivered old, redundant password data, much of it still in hashed rather than plaintext form.

Solution

The technology company automatically monitors domain user accounts using fresh data pulled from the SpyCloud database via an API, giving the company time to remediate before accounts are compromised.

Result

With SpyCloud exposure data at their fingertips, the company generates detailed reports that enable earlier remediation and justify the value of their investment in account takeover prevention technology.

A Global Networking Company Trusts SpyCloud Data to Protect Its Domain Users from Account Takeover

The global IT and networking company profiled is a recognized technology leader with approximately 75,000 employees and annual revenue of nearly $50 billion. Security is a primary focus of its digitization strategy and the company uses a multi-pronged approach to ensure its systems, employees and customers are protected.

Challenge

Discovering Compromised User Accounts Early

The technology company is well-aware of security risks that seem to never end. Its focus on protecting its assets and users motivates security leaders to continually implement modern solutions to combat the threats.

One of the growing challenges is protecting usernames and passwords from being compromised. When users select a password to log into internal company domains, they establish a connection point that criminals are all too quick to leverage.

The primary problem is directly linked to reused passwords. When employees use the same or slightly varied password across multiple accounts, it’s like a neon light flashing for criminals. While this introduces risk for every organization, this particular company has more than their share of corporate domains to protect. Through acquisitions, they have accumulated multiple domains, each with its own user base.

The existing security products they were using were intended to monitor the dark web and notify security leaders of any compromised accounts. What they received instead was old and redundant data, discovered well after the credentials had already been stolen and sold on underground markets. Further, much of the time the previous vendor could only provide exposed password hashes rather than plaintext passwords, leaving the data not actionable. For a company that takes security seriously, a better solution had to be found.

Solution

Detailed Exposure Data that Triggers Automated Remediation

The technology company was intrigued by the quality and quantity of data that SpyCloud curates, particularly the number of plaintext passwords that are directly matched to a username. SpyCloud has recovered the largest database of compromised accounts, has cracked more encrypted password hashes into plaintext, and ingests new breach data sooner after a breach than any other company. When compromised credentials are discovered earlier in the account takeover lifecycle, companies like this one can take action before criminals use the credentials in stuffing attacks to gain access to the organization.

“The SpyCloud data has proven to be of very high quality and we saw instant value,” says a security manager within the technology company.

“The SpyCloud model lends itself well to driving the level of automation required for our use cases.”

For the technology company, automation is key to efficiency, accuracy and speed. They have automated most of the discovery and remediation process using the SpyCloud API to pull breach records across all of their domains to form a watchlist that is forwarded to the security manager. The security team separates external and internal account holders of their main domain, and external account users are notified directly of compromised credentials.

Another process is initiated for internal account holders. For these accounts, the answers to a series of questions determine the type of remediation effort: Has the breach record been seen before? Is the account still active? Does the account belong to an executive, an administrator or a service account?
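The watchlist triage described in the two paragraphs above (separate external from internal account holders, notify external users directly, and for internal users route by whether the record was seen before, whether the account is active, and whether it is privileged) can be written as a small decision routine. The block below is an added illustration, not the company's own automation or SpyCloud's API: the record layout, the directory entries and the breach identifiers are constructed for the example, and the real implementation would feed the routine from the API pull the text mentions.

```python
"""Triage of credential-exposure records for remediation (added example).

All data here is constructed; the record and directory layouts are assumptions,
not SpyCloud's API schema.
"""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    IGNORE_DUPLICATE = "already_handled"   # this breach record was processed in an earlier run
    IGNORE_INACTIVE = "no_live_account"    # no active account to protect
    NOTIFY_EXTERNAL = "notify_user"        # external account holder: notify directly
    RESET = "force_reset"                  # internal, active, standard account
    PRIORITY_RESET = "priority_reset"      # internal, active, executive/admin/service account


@dataclass(frozen=True)
class ExposureRecord:
    email: str
    source_id: str  # identifier of the breach the record came from (constructed)


@dataclass(frozen=True)
class DirectoryEntry:
    internal: bool  # True for an employee account on the main domain
    active: bool
    role: str       # "user", "executive", "admin" or "service"


PRIVILEGED_ROLES = {"executive", "admin", "service"}


def triage(records, directory, seen):
    """Decide one Action per record; `seen` is the set of (email, source) keys already handled.

    Returns a list of (email, source_id, Action) in input order and updates `seen`.
    """
    decisions = []
    for rec in records:
        key = (rec.email.lower(), rec.source_id)
        if key in seen:
            decisions.append((rec.email, rec.source_id, Action.IGNORE_DUPLICATE))
            continue
        seen.add(key)
        entry = directory.get(rec.email.lower())
        if entry is None or not entry.active:
            decisions.append((rec.email, rec.source_id, Action.IGNORE_INACTIVE))
        elif not entry.internal:
            decisions.append((rec.email, rec.source_id, Action.NOTIFY_EXTERNAL))
        elif entry.role in PRIVILEGED_ROLES:
            decisions.append((rec.email, rec.source_id, Action.PRIORITY_RESET))
        else:
            decisions.append((rec.email, rec.source_id, Action.RESET))
    return decisions


# Constructed sample input: a watchlist pull and the matching directory view.
SAMPLE_DIRECTORY = {
    "alice@example.com": DirectoryEntry(internal=True, active=True, role="admin"),
    "bob@example.com": DirectoryEntry(internal=True, active=True, role="user"),
    "carol@example.com": DirectoryEntry(internal=False, active=True, role="user"),
    "dave@example.com": DirectoryEntry(internal=True, active=False, role="user"),
}
SAMPLE_RECORDS = [
    ExposureRecord("alice@example.com", "breach-A"),
    ExposureRecord("bob@example.com", "breach-A"),
    ExposureRecord("carol@example.com", "breach-B"),
    ExposureRecord("dave@example.com", "breach-A"),
    ExposureRecord("erin@example.com", "breach-C"),  # not in the directory at all
    ExposureRecord("Bob@example.com", "breach-A"),   # same record again, different casing
]


def run_example():
    """Run the constructed watchlist through triage with an empty 'seen' set."""
    return triage(SAMPLE_RECORDS, SAMPLE_DIRECTORY, seen=set())


if __name__ == "__main__":
    for email, source, action in run_example():
        print(f"{email:20} {source:10} {action.value}")
```

Keeping the `seen` set keyed on both email and breach source, rather than on email alone, is what lets a second, newer breach of the same user still trigger a reset while a re-delivered copy of an old record is dropped; persisting that set between runs is what answers the "seen before" question the text poses.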

The technology company has also built their own internal “Credentials Leak Notification Dashboard” that monitors the value SpyCloud is providing. This dashboard contains monthly reports of the leaks as well as the victims who were notified, the notification timeline, and the specific accounts that have experienced more than one breach.

Results

More Exposures Discovered Than Ever Before

In just one quarter, the IT and technology company was able to use the SpyCloud data to notify more than 3,600 users that their credentials had been exposed. These are active user accounts that were threatening the enterprise without users realizing they were playing a role in security risk. Today, the company is confident they are catching exposures and using the data to educate users on ways to fortify their passwords going forward.

Using the API, the reports in the company’s dashboard contain all of the relevant data pulled directly from the SpyCloud database, giving the company the information they need to take appropriate and immediate action.

“The SpyCloud data provides us with the details of not only the exposures but how we are distilling the data and deriving value from the SpyCloud solution,” says the manager. “Great data is wonderful, but the way SpyCloud operationalizes it for us has been invaluable in our efforts to justify our investment in this security technology.”

More than 3,600 users notified of leaked credentials in the first 3 months


Top 10 Travel Booking Site

CASE STUDY

Industry: TRAVEL & HOSPITALITY

Top 10 Travel Booking Site Discovers Up to 11,000 Exposed Customer Credentials per Hour with SpyCloud

Challenge

Preventing account takeover begins with monitoring the dark web, but without the ability to match user accounts with a database of exposed credentials, a top 10 travel booking site was vulnerable to attack.

Solution

The booking company uses the SpyCloud API to continually check customer accounts against SpyCloud’s massive database of exposed emails and plaintext passwords.

Result

With automated dark web monitoring, the company discovers thousands of exposed customer accounts every hour, enabling the company to better protect their customers from account takeover.

Top 10 Travel Booking Site Discovers Up to 11,000 Exposed Customer Credentials Per Hour with SpyCloud

The online travel booking company profiled is one of the largest in the world, with nearly two million room nights reserved at more than 140,000 global destinations on its online platform every day. With a mission to remove the friction from travel, the company unites travelers with every type of accommodation available.

Challenge

Preventing Account Takeover After a Breach

Account takeover (ATO) is a growing problem that impacts virtually every industry, particularly organizations with an e-commerce capability. When cybercriminals steal usernames and passwords or purchase them from breach data on the dark web, both consumer and company can suffer.

The risk of ATO keeps security leaders up at night. Beyond the financial loss, ATO is often the dreaded aftermath of a security breach and can continue to cause damage for years.

For the Account Security Group at one of the top 10 travel sites, keeping constant watch over user accounts is a full-time job that would greatly benefit from automation.

“It has always been our goal to prevent, detect and remediate any account security threat,” says a security leader at the online travel company. “We wanted a solution that would enable us to continually evaluate our security stack and if we detect any gaps in our strategy, take immediate action to protect our customers and our brand, starting with ATO prevention.”

Solution

Identify Exposed Credentials Early and Rapidly

SpyCloud always has its ear to the ground in the deep and dark web. Through proprietary tools, techniques and technologies, SpyCloud is able to detect corporate breaches earlier than any other company. The earlier exposed credentials are discovered, the more likely a future breach can be prevented.

To prevent a breach, ATO and ongoing fraud from happening, this top 10 travel booking site turned to SpyCloud, recognizing the value of the detailed, real-time, accurate data SpyCloud provides. They chose to work with SpyCloud to launch a new initiative to automatically detect exposed customer credentials and alert security leaders early in the process, before criminals have the opportunity to take over the account and cause damage.

The company uses SpyCloud data as part of their account stuffing attack monitoring. For each login attempt to their domains, they initiate an out-of-band SpyCloud check for an account match. They then check match alerts against SpyCloud’s recorded spikes in account stuffing attacks to identify any correlations.

“We use SpyCloud to detect the ATO storms – when an attacker targets our system with a list of breached credentials,” says the security leader at the company. “The SpyCloud data reveals which accounts are compromised so we can force the account down an alternate road that includes a second step in the verification process. This is typically requiring the account owner to answer security questions or engage in two-step multi-factor authentication.” 

“Without the SpyCloud data, we would be in constant risk for attacks we never saw coming. We may not be able to stop every breach, but we feel we are being more proactive and have dramatically improved our security stance.”
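The login-time flow described above (an out-of-band exposure check for each login attempt, a second verification step when the submitted email and password match a breach record, and correlation of those matches against bursts of credential-stuffing activity) is illustrated below. This is an added example and not the travel company's code or the SpyCloud API: the exposure store, the login events and the storm threshold are constructed, and the real check would be the API call the text refers to. Passwords are compared only as SHA-256 digests so the check never stores plaintext; that choice is an assumption for the example, not a description of how SpyCloud matches.

```python
"""Out-of-band exposure check with step-up authentication and storm detection (added example).

Exposure data and login events are constructed for illustration.
"""
import hashlib
import hmac
from collections import deque
from enum import Enum


class Outcome(Enum):
    NORMAL = "normal"    # no exposure match: continue the ordinary login flow
    STEP_UP = "step_up"  # email + password match a breach record: require a second factor


def digest(password: str) -> str:
    """SHA-256 of the password; the store holds digests, never plaintext (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed exposure store: lower-cased email -> digests of passwords seen in breaches.
EXPOSURES = {
    "alice@example.com": {digest("Winter2019!")},
    "bob@example.com": {digest("hunter2"), digest("Summer2020")},
}


def exposure_outcome(email: str, password: str, store=EXPOSURES) -> Outcome:
    """Out-of-band check for one login attempt.

    Only a match on both email and password counts: an exposed email with a
    different password does not by itself show the account is compromised.
    """
    submitted = digest(password)
    for exposed in store.get(email.lower(), ()):
        if hmac.compare_digest(submitted, exposed):  # constant-time comparison
            return Outcome.STEP_UP
    return Outcome.NORMAL


class StormDetector:
    """Flags a burst of exposure-matching logins: the 'ATO storm' pattern in the text."""

    def __init__(self, window_seconds: float, threshold: int):
        self.window = window_seconds
        self.threshold = threshold
        self._matches = deque()  # timestamps of recent STEP_UP outcomes

    def record(self, ts: float, outcome: Outcome) -> bool:
        """Record one outcome at time `ts`; return True while the match rate is storm-level."""
        if outcome is Outcome.STEP_UP:
            self._matches.append(ts)
        while self._matches and ts - self._matches[0] > self.window:
            self._matches.popleft()
        return len(self._matches) >= self.threshold


def process_logins(events, detector: StormDetector):
    """events: iterable of (timestamp, email, password). Returns [(email, Outcome, storm_flag)]."""
    results = []
    for ts, email, password in events:
        outcome = exposure_outcome(email, password)
        storm = detector.record(ts, outcome)
        results.append((email, outcome, storm))
    return results


# Constructed login stream: three matched attempts inside ten seconds form a storm.
SAMPLE_LOGINS = [
    (0.0, "alice@example.com", "Winter2019!"),    # exposed pair -> step-up
    (1.0, "carol@example.com", "correct horse"),  # unknown email -> normal
    (2.0, "bob@example.com", "Summer2021"),       # exposed email, different password -> normal
    (3.0, "bob@example.com", "hunter2"),          # exposed pair -> step-up
    (4.0, "alice@example.com", "Winter2019!"),    # third match within the window -> storm
]


def run_example():
    return process_logins(SAMPLE_LOGINS, StormDetector(window_seconds=10, threshold=3))


if __name__ == "__main__":
    for email, outcome, storm in run_example():
        print(f"{email:20} {outcome.value:8} storm={storm}")
```

The storm flag is a separate signal from the per-account outcome: an individual match sends one user to the second verification step, while a cluster of matches in a short window is what indicates a list of breached credentials being replayed against the site, which is the correlation the company describes.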

Results

Thousands of Exposed Credentials Discovered Every Hour

One of the unique aspects of SpyCloud is the ability to discover direct matches with emails and passwords. Identifying exposed emails is not enough and doesn’t indicate the account has been compromised. With SpyCloud’s proprietary password cracking methodology, more passwords can be cracked, unencrypted and operationalized. In fact, SpyCloud owns the largest database of emails and plaintext passwords, eight billion and counting.

“SpyCloud allows us to see where we are vulnerable in order for us to fortify those potential entry points,” says the security leader. “With the SpyCloud database constantly updated, we can continually monitor our customer base with the freshest, most usable data available. Using the SpyCloud data, we discover anywhere from 3,000 to 11,000 direct matches per hour. Every one of those exposed accounts could have led to account takeover.”

While the SpyCloud solution does include the capability for users to automatically remediate accounts with matches to breach records, typically forcing a password reset, the travel company prefers less friction in the booking process.

“For now, we are using SpyCloud simply for monitoring, but we are aware the solution can do much more,” says the security leader. “We are evaluating our options and are considering moving towards being more proactive without compromising our mission. The fact that SpyCloud is customizable to our needs now but also scalable to where we may go in the future is one of the reasons we chose their solution.”

4.7% email and plaintext password match rate.


Automattic

CASE STUDY

Industry: TECHNOLOGY

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting the account from a takeover. 

Challenge

Password reuse is a constant issue that often leads to account takeovers, yet finding exposed credentials was a labor-intensive, manual task that didn’t capture every instance.

Solution

Automattic chose SpyCloud to automate the process of detecting account exposures and protecting customer accounts from a takeover with proactive tools that force an immediate password reset.

Result

With the automated solution, Automattic is protecting millions of people from account takeover and preventing them from reusing exposed passwords for a safer customer experience.

How Automattic Is Protecting Customers Behind The Scenes

Automattic is the company behind one of the most popular online publishing platforms in the world, WordPress.com. WordPress.com is but one of the products offered by Automattic. The company has developed services like Jetpack and WooCommerce that give users additional functionalities such as ecommerce, website security, backups and anti-spam capabilities. With a motto of “making the web a better place,” clearly Automattic is defining how the internet can empower, inspire and delight.

Today, customer accounts have become a target for cybercriminals who seek to hack accounts to steal identities, data or privileges using stolen credentials. When people reuse passwords across multiple sites and apps, they make themselves highly vulnerable to attacks. Automattic took up the cause to ensure its customers were as secure as its own servers, offering multi-factor authentication and ensuring customers choose strong passwords that have never been exposed on the dark web.

Enhancing the Website Experience

Automattic’s mission is to give people easy access to a platform where they can share data beyond social media accounts. “We believe everyone should have their own place on the web, their own domain they own forever,” says Barry Abrahamson, CTO at Automattic. “While affordable, we give them inventive tools to make it unique, interactive and highly functional.”

What was once primarily a blogger’s paradise, WordPress.com has expanded to give businesses of all sizes across the globe a place to connect with an audience in ways never before possible. “Protecting our customers from account takeover is something we view as our responsibility,” says Abrahamson. “Many people may not realize the risk of reusing passwords across multiple accounts. Our goal is to both educate our users and protect their WordPress.com site as much as we can from all forms of attacks. We do all of the work behind the scenes so customers can just enjoy their site and the freedom it brings to express themselves.”

Automattic is unique. They don’t charge extra for the many security features embedded in their products. Everything is included in the platform because the company believes at its core that those features are too important to leave to chance. A secure presence on the internet is a basic right, not an opportunity to nickel and dime customers. To Automattic, denial-of-service protection, SSL, web application firewalls and account takeover prevention are features as important as any basic product functionality, maybe more.

“Our idea behind security is to provide best-in-class security features and functionality to all customers in a transparent, no-hassle way, whether they ask for it or are completely oblivious to its necessity,” says Abrahamson. “We ensure when we implement something, we make the default version as secure as technically possible. Security features are automatically enabled, without requiring the user to turn on a feature, so we know our customers are protected from bad people who want to cause harm.”

Proactively Preventing Account Takeover

Account takeover has come front and center in the past few years. According to Verizon, stolen credentials top the list of breach attacks, mostly due to the fact that nearly 60 percent of people admit to reusing passwords across multiple accounts. Automattic believes it can be more effective in protecting its millions of customers by embedding security solutions into its products.

One such solution Automattic chose was SpyCloud to automate the process of detecting account exposures and protecting the account from a takeover with proactive tools that force an immediate password reset. “Account compromise due to password reuse has become a larger problem over the years,” says Abrahamson.

“We found ourselves spending more of our time searching the dark web for these password lists and then going through manually comparing the list with our customer list, then proactively resetting their passwords. It was a huge time commitment. Now that we have an automated solution, we can protect hundreds of millions of people and prevent them from choosing passwords that have already been exposed.”

Plenty has changed since Automattic was founded, yet the company has the foundation in place to stay nimble to whatever comes next. Automattic continues to build tooling and algorithms internally that detect, block, alert and notify. “We will invest in security measures that are proven to bring value to our products by providing a safe environment for our customers,” he says. “Security will always be at the top of our priority list because it’s our responsibility to take care of our customers who trust us.”

About Barry Abrahamson

Chief Technology Officer may be on Barry Abrahamson’s resume, but Automattic insiders prefer to call him Systems Wrangler. Abrahamson knows technology. He was one of the original hires at Automattic and for more than 12 years, has worn plenty of hats. He is responsible for all of the technology and implementations at Automattic, including servers, data centers and security, as well as improving performance and security insights. Before joining Automattic, Abrahamson was a senior account manager at Rackspace Managed Hosting.


Buckman

CASE STUDY

Industry: CHEMICAL

Buckman Combines Technology with Employee Education to Fight Cybercrime

Challenge

Preventing a security breach that impacts their customer data is a top priority for Buckman, yet without credential exposure reporting, they were at constant risk.

Solution

Buckman consistently monitors employee credentials against SpyCloud’s database of stolen credentials to proactively catch account takeover exposure early, before criminals have the opportunity to compromise employee accounts.

Result

With accurate, real-time exposure data at their fingertips, Buckman is able to prove risk, helping executives and employees become more aware of the threat of account takeover and be proactive to prevent it.

About the Company

Buckman Combines Technology with Employee Education to Fight Cybercrime

Buckman is a global company specializing in innovative chemicals and smart solutions. The company works with customers in pulp and paper, leather, performance chemicals, and industrial water treatment process chemistry. Its goal is to help customers improve their operations by boosting productivity, increasing profitability and ensuring safety, compliance and sustainability.

Challenge

Visibility into The Real Threat of Exposed Credentials

One of Buckman’s strategic initiatives is to apply digital technology in the process of not only applying chemicals but helping customers ensure their processes are efficient and effective. With cyber threats front and center, the company is equally invested in taking appropriate protections to mitigate their own risk by protecting sensitive data.

“Much of what we do is not only to gain the trust of our customers with our chemical and process expertise but with how we treat their private information,” says Scott Herren, director of Global IT Infrastructure at Buckman. “We can’t afford to have a security breach that impacts their data.”

As a Buckman veteran well-versed in cybersecurity, Herren understands that many attackers find entry points into organizations via unsuspecting employees. Whether by using their company credentials on personal accounts or responding to phishing emails that download malware, employees are often the easiest targets for cybercriminals. Many of Buckman’s employees use multiple devices to access systems with corporate or customer information, compounding the risk.

In fact, Buckman has experienced account takeover of this nature in the past with a phishing attack that made its way to the CEO. “Our CEO had his email account taken over and the cybercriminal sent out a bogus email to a finance associate claiming Buckman’s financial officer authorized a wire transfer,” explains Herren. “The email was convincing, even using actual names and private information.” Fortunately, the team member was well trained in spotting suspicious emails and went directly to the finance officer to verify the email was a scam.

Even with best practices in place, Herren recognized the company needed to add credential exposure reporting to its repertoire of security solutions. Many of its executives didn’t realize their information was exposed and associates didn’t believe their stolen credentials would harm the company or customers. In order to prove the risk to them, Herren wanted hard data to show them the threat was real, from the CEO to the most entry-level associate.

Solution

Real-time, Usable Data for Immediate Remediation

Buckman already had multiple layers of technology safeguards in place, such as firewalls, automatic security updates, malware prevention, and automatic monitoring of assets. The one thing it lacked was consistent monitoring of employee credentials against a database of stolen credentials. For that, Herren chose SpyCloud.

Since becoming a SpyCloud customer, Buckman has detected over 2,000 exposed employee records across 65 different third-party breaches.

“We are a chemical company, not a cybersecurity company,” says Herren. “SpyCloud watches multiple areas of the dark web for us, gathers exposed credential data that we never had access to before and presents it in a simple way we can share with associates and corporate leaders to help them understand the level of risk we are facing. The SpyCloud data is more specific and actionable than any other solution we found, giving us employee, account-level and source detail we need to prove the threat and take immediate action. SpyCloud also shared best practices we could immediately employ. Combined with real-time exposure data, our employees are continually improving their cyber-knowledge and skills.”

Employee education has been a major focus for Herren and something to which SpyCloud has contributed greatly. Teaching associates and executives about the tactics cybercriminals use and the steps they must take to safeguard their accounts is just as important as the technology in place to protect their information, brand and reputation. Today, all Buckman employees understand they are potential targets and know what to do to lessen the risk.

Results

Continual Improvement of Cyber Awareness, Skills and Protection

Since implementing SpyCloud as part of its overall technology stack, Buckman has dramatically reduced the risk of a breach. Its executives and associates are proactive in contributing to the company’s security stance, particularly as they receive data on exposed credentials. Information from SpyCloud empowers them to take control of their corporate credentials, which in turn, helps them protect their personal accounts as well.

The success of the SpyCloud solution has been measurable; so much so, that it enabled Herren to obtain budget for weekly phishing prevention training from industry experts. It has become an expectation that associates continually develop their cyber skills and adhere to best practices, including changing their passwords on a regular basis, choosing strong and unique passwords, multi-factor authentication and not using corporate IDs for personal business.

“Criminals have been doing the same thing they’ve been doing for centuries,” says Herren. “They’re just doing it differently now. We can’t fight it all with technology alone. We must also transform our habits to reduce the risk. Our security strategy has come a long way, but we are never complacent. I sleep better at night knowing we are doing as much as we can, while at the same time, always have one eye open to what we need to do next.”
