Inside Visa/FireEye’s Fraud Fighting Machine

Turns out that diseases and vaccinations are the perfect metaphor for thinking about how to cure the cybercrime epidemic that has run rampant throughout the payments ecosystem. At least that’s the perspective of the execs at Visa and FireEye who are leading a mission to, in their words, make as many issuers and merchants as possible “immune” to the growing number of cyberthreats affecting the payments ecosystem.

“Before vaccinations, diseases were quickly able to ravage communities and countries. Our hope is that VTI [Visa Threat Intelligence, Powered by FireEye] is thought of as inoculation, and once the population is immune to the threat, we want to make it a lot harder for criminals going forward,” said Grady Summers, SVP and CTO for FireEye.

Earlier this week, Visa and FireEye launched the first solution to come out of their fraud prevention partnership. The cyberintelligence service Web portal, known as Visa Threat Intelligence (VTI), Powered by FireEye, transforms intelligence into actionable insights for issuers and merchants.

By investigating and analyzing the data breaches making headlines around the world, FireEye and Visa will be able to combine their respective areas of expertise to produce articles containing pertinent information for VTI subscribers about the latest and greatest cyberthreats. The data and threat intelligence in these articles, along with insights into the tactics, techniques and procedures of each attack, will be used to create actionable information that issuers and merchants can use to keep from falling victim to the same cyberattacks analyzed in the VTI portal.

The VTI portal will serve as a cyberthreat intelligence hub, where subscribers can learn more about the actors, attack methods and trends related to recent data breaches and will also be incentivized to share their own best knowledge and information related to cybersecurity.

“The beauty of this new offering with VTI is we are able to package what we call ‘contextual intelligence,’ along with actionable indicators, and tie it all together with an API,” Summers continued.

As Summers explained, creating “immunity” to the ravages of the cybercriminal-borne epidemic comes down to the ability to take action on the contextual intelligence triggered by what Visa and FireEye are calling “Indicators of Compromise,” or IOCs. IOCs are nothing more than a technical representation of an attack. An IOC can be an identifier for a specific strain of malware used or a pointer to an attacker’s command-and-control infrastructure, such as a domain name or IP address.

For instance, in the first half of 2015 alone, FireEye discovered at least six new strains of malware, including those specifically targeting the memory in POS terminals. As more and more merchants have shifted to encrypting data once it leaves the POS, the resourceful cybercriminals have switched their focus to hit the memory of the POS terminal instead. Each of those malware strains would trigger an IOC.

After a data breach or major cyberattack takes place, Visa and FireEye examine a multitude of factors to determine the IOCs behind the attack. This includes analyzing the method of attack, determining who is believed to be behind the threat and how the cybercriminal was able to move through the environment to launch the attack on its intended target.

The IOCs identified through the VTI solution give issuers and merchants greater insight into how and where cybercriminals are moving, as well as the best precautions to take in order to protect themselves and their consumers.

Once those IOCs are known, users are then able to turn that knowledge into actionable real-time intelligence within their own IT environment in a matter of minutes. For now, the solution will be most attractive to subscribers who maintain their own security detection systems and who can, therefore, act immediately on the IOC-based intelligence, but Visa and FireEye said that wheels are already turning for how to leverage this capability for the benefit of smaller merchants.

Both Visa and FireEye agreed that perhaps the most powerful antibody in fighting cybercrime is a trusted community of payments professionals, which they hope to mobilize to contribute data to the VTI portal. Mark Nelsen, SVP of Risk Products and Business Intelligence at Visa, believes that sharing and collaborating as an industry can help alert the broader community to threats sooner, before they spread throughout the ecosystem, and beat the cybercrooks at their own game: finding something that works, then sticking with it.

“What’s fascinating is that we know that criminals have the same types of resource constraint as businesses. We like to think of them as legions of minions, continuing to reuse the same tactic as long as it works,” Summers said, noting that in some cases FireEye has seen the same type of malware used up to a year after it’s first discovered simply because it’s still doing the job.

Both Nelsen and Summers agree that cybercrime isn’t a “one-and-done” game. The steady increase in both the frequency and magnitude of cyberattacks requires an agile and long-term strategy.

“[Cybercrime] is clearly problematic, which is one of the main reasons why we continue to invest so heavily in technology that can eventually remove the sensitive payment data from the ecosystem completely, so that if the data is stolen, it can’t be used,” Nelsen said.

Both Visa and FireEye agree that protecting against fraud and cybercrime on all fronts — mobile, eCommerce and in store — as well as providing faster, actionable intelligence to stakeholders, is just the beginning of what their partnership will bring to the cybersecurity space.