Shared Threat Monitoring Protects Enterprise


Shared Threat Monitoring Protects Enterprise: “

By Michael O’Connor, President of IronClad Consulting

Recently, as detailed by Anthony Freed of, Larry Clinton of the Internet Security Alliance presented information to Congress regarding security and protecting privacy in cyberspace.

First of all, it is encouraging to hear that these kinds of discussions are being presented in D.C. Thanks to Larry Clinton and his team for representing these very important issues.

I agree with the feel of Larry’s suggestions — that it is not necessarily ‘compliance’ that will resolve our concerns, and that more practical means must be established.

If this is so, I would recommend ongoing monitoring as the key. And if monitoring is the key, how does this affect businesses, individuals, and personal privacy?

And what role does government play, if any? Can we balance good monitoring and security with privacy?

My laptop is monitored constantly by security software. In return for the service, I voluntarily give up some information.

However, this information is about my system and not me personally (other than standard billing info, which is public anyway, minus the credit card data).

Do you think a similar solution could be implemented business-wide, to help monitor and keep businesses free from harmful attacks?

Perhaps ‘compliance’, in such a model, would be gained by agreeing to opt in to the monitoring system.

Going along with one of Larry’s future objectives – information sharing – threats exposed in such a system could become immediately beneficial to other businesses that are hooked in.

Some companies are already attempting this strategy. The general concept is to create a sort of ‘reputation’ around the data elements of the transaction.

The more unique the data elements and the more clients use (and contribute to) the reputation, the more valuable the reputation becomes.

Reputation can be tied to elements such as an IP address (as with MaxMind), a ‘client device ID’ (CDI, as with 41st parameter, Kount, or iovation), a credit card number (as with Visa’s neural network), and so on.

Ostensibly, the most unique and valuable data element would be the client device ID.

It provides a much more concrete identification mechanism than the other, dynamic and changeable elements such as email address, shipping/billing address, name, phone number, etc.

Thus, gathering these – and especially sharing them – would provide an excellent foundation for a monitoring system.

Ideally, both government and private sectors would contribute to the system, which would provide real-time updates and warnings concerning devices that were previously known to be used in fraudulent activities.

But what of privacy concerns?

An intrinsic benefit of CDI is that it does not hold Personally Identifiable Information (PII) within it.

You’re just looking at the device – and ideally the reputation surrounding it – rather than the person or private information behind the device.

The privacy concern becomes moot.

Granted, any client looking at the transaction has private information on their end (a retailer looking at the invoice, for example), and they could easily connect the PII and CDI together for their own purposes, but the PII portion would not be shared within the overarching monitoring system.

Moving full-circle back to the role of government, were they to adopt such a monitoring system and require that businesses take part in it as a requirement for a new kind of security ‘compliance’, we might see a positive shift from the bookshelf-breaking paper-based compliance of the past.

*   *   *

Stay Informed With ISR News Alerts:


by FeedBurner

*   *   *

Follow us on Twitter

*   *   *

Michael O’Connor has been working in various operational management positions since 1994, and with online payment in particular since 2000. In 2003 he began a focused foray into fraud prevention while leading a team at, where they prevented millions of dollars in potential fraud losses from hitting the company’s bottom line. Michael was also fortunate enough to have served on the advisory board of the Merchant Risk Council and assisting in the training of an FBI CyberCrimes unit. Ironclad’s core objective is to make businesses safer and profitable by providing unbiased consultation in the areas of payment facilitation, compliance, risk assessment, and fraud prevention best practices. The threats are inbound. Are you Ironclad?™

The Publisher gives permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author and to

(Via Information Security Resources.)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: