Security intelligence maps out Wotif’s online journey

As a company that generates 95 percent of its revenues online, Australia-based Wotif has paid particular attention to ensuring its operations – whose 500 staff span 19 countries on five continents – are resistant to the depredations of malicious online hackers and well-meaning internal staff alike.

Delivering a consistent user experience across a range of product categories – including hotels, flights, events and most recently holiday rentals – had proved to be a challenging task, but one that was core to the company’s brand as it sought to deliver a customer-focused experience rather than simply turfing users off to a range of different travel sites.

That strategy had kept the company doing extensive inhouse development that included two-way software integration with a multitude of travel providers – and complicated its software architecture by requiring a security framework that was at once strict enough to meet the requirements of PCI DSS card-processing compliance, and flexible enough to accommodate a broad range of input methods.

The security challenge had become even more pointed in recent years, architect Brett Dargin told attendees at the recent IBM Pulse conference, as Wotif grew rapidly by acquisition – and inherited a mishmash of security attitudes, technologies and exposures.

“Each different company that we purchased had a lot of duplicate systems to do the same kinds of things,” he said, explaining that the company had inherited “quite a lot of diverse technologies, different data centre locations, and different views on security. We’ve got growing complexity and keep adding new applications – and throughout all this, we’ve had to continually evolve our security measures.”

The security of knowing

While penetration defences are naturally important, Wotif faces added challenges in the need to detect and defend against surges of traffic from competitors, whose price-comparison bots repeatedly hit the site trying to scrape its discounted prices.

Ironically, in some cases the company found itself “DDoSing ourselves”, Dargin said, noting that co-ordinating software testing across eight internal software-development teams and myriad partners sometimes created huge surges of traffic over short time periods. “Whether it’s load testing that comes across our major site, or it’s partners that start testing in production and don’t have any throttling, we keep relearning that lesson.”

Aiming to get better insight into its ever-changing security posture, Wotif recently began weighing its options for security-intelligence tools that would improve the analysis and correlation of its event logging.

Because it didn’t have a big enough IT department to have a dedicated security team, it needed a way for its “virtual team” to be able to filter out the large volumes of noise from its security tools, and to focus on the areas that needed the most attention.

“Over time, it was becoming really clear that we had some large gaps,” Dargin explained. “Even though we had invested in security for some time, we still weren’t doing it efficiently enough. Over time, we really wanted to get to a place where compliance isn’t going to get broken – but there was this general angst that we were too reactive in security.”

With security events typically spawning an intense period of retrospective review, however, this problem had become hard to shake. Massive number-crunching exercises typically ran for many hours, by which point the exercise was more of a post-mortem than a concerted security response.

“The ability to go back in time is not very proactive,” he said. “We wanted to be more proactive, and to get ahead of the game – and to do this, we wanted meaningful data. But because we have a small network team, they can’t be wasting their time nursing the reporting.”

Security intelligence

Aiming to get better insight into its ever-changing security posture, Wotif went to market for a security intelligence and event management (SIEM) system that would combine capabilities such as log management, network flow analysis, a range of data-capture capabilities, compatibility with a range of custom log-data formats, and the ability to handle what can often be over 10,000 hits per second.

Wotif ultimately chose the IBM Security QRadar solution, and worked through an implementation that would allow it to continue accommodating a multitude of data formats from different systems; this was a crucial feature given Wotif’s history of systems diversity and growth through acquisition, and had not been an option with many of the other SIEM platforms the company evaluated.

With the SIEM running against a range of activity logs, the company was quickly able to identify and clean the machine of a user who had inadvertently triggered a zero-day exploit that linked their computer to a botnet via a known-bad IP address.

“The symptoms were readily known, and an external IP address on a certain port was being hit,” Dargin said. “It took us around five minutes to track down which machines were infected, and who they belonged to – and we were able to go around and clean their machines.”

Better security intelligence has remained a key part of Wotif’s defence mechanisms, with monitoring of traffic patterns highlighting the effects of changes in traffic because of partners’ activities.

Filtering rules are constantly being tweaked, known and blocked IP addresses updated, reports generated, and anomalies quickly detected by looking at aggregate analyses such as the top sources of IP traffic. This makes it easy, for example, to find out what applications are experiencing long response times – and how this affects other elements of Wotif’s application infrastructure.

Effectively using the tool requires a fair bit of attention: “When you turn it on you get a high number of alerts initially,” Dargin explained, “but you have to teach the system about your network priorities. If you really want to get the best benefits out of the system, you’ve got to tend to it.”

This includes, for example, telling the system what network zones are in place, what traffic is allowed in each of them, where the company backup server is, and which servers are allowed to be doing ping sweeps and moving SMB traffic between hosts.
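The four detection ideas the article touches on – matching flows against a known-bad address and port (the botnet case above), the top-sources aggregate used to spot scrapers and partner traffic, flagging traffic surges from a client with no throttling, and tuning out the backup server and other hosts that are allowed to move SMB between zones – can be shown in one small correlation pass. The following is an added example written for this article; it is not Wotif's code and not QRadar's rule language, and every address, zone, port and threshold in it is a constructed assumption rather than an indicator taken from the case.

```python
"""Toy SIEM-style correlation over constructed flow-log lines.

Added example, not Wotif's or IBM QRadar's code. Every IP, zone, port and
threshold below is a constructed assumption for illustration only.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed zone map (assumption): the kind of network knowledge the
# article says the SIEM has to be taught before its alerts become useful.
ZONES = {
    "servers": ip_network("10.1.10.0/24"),       # backup server lives here
    "workstations": ip_network("10.1.20.0/24"),
    "dmz": ip_network("10.1.5.0/24"),            # partner-facing web tier
}
# Only the servers zone may originate SMB (tuning rule, assumption).
SMB_ALLOWED_ZONES = {"servers"}
# Constructed known-bad (ip, port); a documentation address, not a real IoC.
KNOWN_BAD = {("203.0.113.9", 6667)}

# Constructed sample flow log: "timestamp src dst dport", one flow per line.
# The last twelve lines model a partner test client with no throttling.
SAMPLE_LOG = """\
2013-03-05T10:00:00 10.1.20.15 203.0.113.9 6667
2013-03-05T10:00:05 10.1.20.15 203.0.113.9 6667
2013-03-05T10:00:07 10.1.20.16 203.0.113.9 6667
2013-03-05T10:00:09 10.1.20.17 198.51.100.4 443
2013-03-05T10:00:10 10.1.10.5 10.1.20.15 445
2013-03-05T10:00:11 10.1.10.5 10.1.20.16 445
2013-03-05T10:00:12 10.1.20.17 10.1.20.18 445
2013-03-05T10:00:30 192.0.2.51 10.1.5.1 443
2013-03-05T10:00:50 192.0.2.51 10.1.5.1 443
2013-03-05T10:01:20 192.0.2.51 10.1.5.1 443
""" + "".join(
    f"2013-03-05T10:01:{s:02d} 192.0.2.50 10.1.5.1 443\n"
    for s in (0, 0, 1, 1, 2, 2, 3, 3, 4, 4, 5, 5)
)


def parse_flows(text):
    """Parse the whitespace-separated flow format above into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def zone_of(ip):
    """Name of the zone containing ip, or 'external' if no zone matches."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def known_bad_hosts(flows):
    """Sources that contacted a known-bad (ip, port): the lookup that let the
    team find the infected machines in minutes rather than after a post-mortem."""
    return sorted({f.src for f in flows if (f.dst, f.dport) in KNOWN_BAD})


def top_sources(flows, n):
    """Top-N source IPs by flow count: the aggregate view for scrapers, load
    tests and partner traffic."""
    return Counter(f.src for f in flows).most_common(n)


def unexpected_smb(flows):
    """SMB (445) flows from a zone not allowed to originate SMB. The backup
    server is tuned out by its zone; workstation-to-workstation SMB stays."""
    return [(f.src, f.dst) for f in flows
            if f.dport == 445 and zone_of(f.src) not in SMB_ALLOWED_ZONES]


def surge_sources(flows, window_seconds, threshold):
    """{src: peak count} for sources whose flows inside any sliding window of
    window_seconds reach threshold; this is where a throttle-less partner or
    a price-scraping bot shows up."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f.ts)
    window = timedelta(seconds=window_seconds)
    result = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps that left the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            result[src] = peak
    return result


def triage(flows):
    """One pass producing the alert set an operations team would look at."""
    return {
        "known_bad": known_bad_hosts(flows),
        "unexpected_smb": unexpected_smb(flows),
        "surges": surge_sources(flows, window_seconds=5, threshold=10),
        "top_sources": top_sources(flows, 3),
    }


if __name__ == "__main__":
    for name, value in triage(parse_flows(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

The zone map is what does the tuning: the backup server's SMB flows are suppressed because of where it sits, not because its address is hard-coded into the rule, so adding a second allowed host means changing the zone table rather than the detection logic. The surge rule is deliberately per-source and time-windowed, since the article's point is that a burst from one partner over a few seconds is the signal, and a daily total would hide it.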

“The real-time performance is fantastic,” Dargin continued, noting that continual updates had allowed the team to establish performance baselines and eliminate false-positives over time.

“We’re aiming to get less than 10 [alerts] per day, although we’re not quite there yet. But it’s important not to let them pile up, and this is an interactive process: you’re constantly going around and tuning and changing things. We’re giving our operations team training in the art of triage and of defences: since you’ve got such an all-encompassing view of what’s going on, we want to be able to support an investigation if we needed to.”


Stories by David Braue