
Why rules don’t work


By Doron Hendler, CEO and Co-Founder of RevealSecurity

Rogue insiders and external attackers have become a growing concern in enterprise business applications. External attackers often use stolen credentials to impersonate a consumer online, while enterprise insiders are not sufficiently monitored in SaaS and custom-built applications. This leaves a gap in which employees and administrators can misuse their access or engage in malicious activity. 

In a post-COVID era, more organizations are transitioning from on-prem to SaaS for everyday business applications in areas such as finance, HR, and operations, raising the risk that malicious activity goes unnoticed. Examples include a customer service agent at an insurance company modifying a policy to add themselves as a beneficiary, or a salesperson who downloads confidential reports before moving to a competitor. Detecting these breaches usually consists of manually sifting through large volumes of log data from multiple sources once suspicion arises.

The common detection technology today is based on rule engines. Rules are effective due to major commonalities in the network, device and user access layers: the market uses a limited set of network protocols and we are all working on a handful of operating systems. But rules have limited effectiveness in the application layer. Additionally, each application has its own set of rules.

Rules were put into place originally as the first generation of solutions to provide a framework for the detection of known patterns, and were based on breaches as they occurred. However, rule-based detection solutions are notoriously problematic because they generate numerous false positives and false negatives. They require expensive analysts to develop and maintain bespoke rules, because each application is different, so one must be extremely familiar with the application’s business logic, logs, how it is used, etc., in order to write and manage rules for the detection of malicious activities in an application.

Even a perfect rule-based solution for one application won’t scale across others. Rules written for one operating system can be applied in much the same way to other operating systems, but each application is unique, so malicious activity in the application layer raises the complexity of detection exponentially.

Belgian KBC Bank is an interesting case study demonstrating the significance of adding unsupervised machine learning capabilities to detect malicious activities by imposters: an EU court has ruled that the bank is liable even if it is the customer who gave away their credentials. The court’s ruling means banks must be able to detect anomalies in their applications, or at least demonstrate “best effort” intentions. The court stated that although it was the customer who accidentally gave away their credentials (through social engineering), the bank should have known that this customer never performed these specific types of money transfers. The KBC case shows that financial institutions must level up their in-application detection capabilities.

User journey analytics would have detected the anomalies in KBC’s case.

A user journey describes the user’s activity flow through an application over a period of time. Each user has many journeys per application. Monitoring a single activity and analysing its statistics in isolation does not provide enough information for accurate detection, because most of the people performing that activity are doing so legitimately. RevealSecurity learns, per user and per application, all of their in-application journeys and builds multiple profiles. We find malicious journeys by comparing each user journey to that user’s learned normal journeys (profiles), because malicious users are likely to follow a journey that differs from normal: their journey in the bank may be longer because they don’t know where they’re going, or they may go in and out as quickly as possible to avoid raising suspicion. User journey analytics finds these anomalies and surfaces them, alerting on suspicious activity.
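To make the contrast between a single-activity rule and per-user journey profiling concrete, here is an added example (not RevealSecurity's code, and not an implementation of the product described above) that covers both the rule-engine discussion and the user journey paragraph. It learns each user's normal in-application journeys from a constructed, clearly fictional audit log, then scores a new journey on never-before-seen actions, unseen action-to-action transitions, and an unusual journey length. The action names, users, session ids and thresholds are assumptions chosen for the illustration.

```python
"""Added example: per-user journey profiling versus a single-activity rule.
Everything here (users, sessions, action names, thresholds) is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed audit log: one "user,session,action" line per event, in time order.
SAMPLE_LOG = """\
alice,s1,login
alice,s1,view_balance
alice,s1,view_statement
alice,s1,logout
alice,s2,login
alice,s2,view_balance
alice,s2,pay_bill
alice,s2,logout
alice,s3,login
alice,s3,view_statement
alice,s3,pay_bill
alice,s3,logout
alice,s4,login
alice,s4,view_balance
alice,s4,logout
bob,s1,login
bob,s1,view_balance
bob,s1,transfer_international
bob,s1,logout
bob,s2,login
bob,s2,transfer_international
bob,s2,logout
bob,s3,login
bob,s3,view_statement
bob,s3,transfer_international
bob,s3,logout
""".splitlines()


def parse_journeys(lines):
    """Group ordered actions by (user, session); return user -> list of journeys."""
    sessions = defaultdict(list)  # (user, session) -> [action, ...]
    order = []                    # first-seen order of sessions
    for line in lines:
        user, session, action = line.strip().split(",")
        key = (user, session)
        if key not in sessions:
            order.append(key)
        sessions[key].append(action)
    journeys = defaultdict(list)
    for key in order:
        journeys[key[0]].append(sessions[key])
    return journeys


@dataclass
class Profile:
    """What 'normal' looks like for one user in one application."""
    actions: set = field(default_factory=set)       # actions ever performed
    transitions: set = field(default_factory=set)   # (action, next_action) pairs
    lengths: list = field(default_factory=list)     # journey lengths seen


def transitions_of(journey):
    return set(zip(journey, journey[1:]))


def build_profiles(journeys):
    """Learn a Profile per user from that user's historical journeys only."""
    profiles = {}
    for user, user_journeys in journeys.items():
        p = Profile()
        for j in user_journeys:
            p.actions.update(j)
            p.transitions.update(transitions_of(j))
            p.lengths.append(len(j))
        profiles[user] = p
    return profiles


def score_journey(profile, journey, z_limit=2.0):
    """Return (is_anomalous, reasons) for a journey against one user's profile."""
    reasons = []
    new_actions = set(journey) - profile.actions
    if new_actions:
        reasons.append(f"never-before-seen actions: {sorted(new_actions)}")
    new_transitions = transitions_of(journey) - profile.transitions
    if new_transitions:
        reasons.append(f"{len(new_transitions)} unseen transitions")
    spread = pstdev(profile.lengths)
    if spread > 0:  # a wandering (long) or hit-and-run (short) journey
        z = (len(journey) - mean(profile.lengths)) / spread
        if abs(z) > z_limit:
            reasons.append(f"journey length z-score {z:.1f}")
    return bool(reasons), reasons


def rule_flags(journey):
    """A typical single-activity rule: alert on any international transfer."""
    return "transfer_international" in journey


if __name__ == "__main__":
    profiles = build_profiles(parse_journeys(SAMPLE_LOG))
    for user, journey in [("alice", ["login", "view_balance", "transfer_international", "logout"]),
                          ("bob", ["login", "transfer_international", "logout"])]:
        print(user, "rule:", rule_flags(journey), "journey:", score_journey(profiles[user], journey))
```

The rule fires on both users because it only sees the activity, so bob, who transfers internationally every session, becomes a recurring false positive. The journey profile fires only for alice, for whom that transfer type and its surrounding transitions have never appeared, which is the same kind of evidence the KBC ruling expected the bank to have. A journey of only previously seen steps can still be flagged when its length is far outside the user's norm.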

At the end of the day, the only truly effective way to protect applications and prevent malicious attackers from penetrating business operations starts with a recognition that simply following the rules is not enough and ultimately, doesn’t work. User journey analytics is far more effective.

Author: Doron Hendler


Doron Hendler is the Co-Founder and CEO of RevealSecurity. Doron is an experienced management and sales executive, with a proven track record of growing early-stage technology startups. He has mapped complex business environments in a wide range of global markets, both directly and through partners. Throughout his career, Doron has led teams selling products, solutions and projects in storage, cyber security, DR/BC, green energy/EV, cloud and SaaS, at companies such as NICE Systems (NASDAQ:NICE), Trivnet (acquired by Gemalto, NASDAQ: GTO), Surf Communication (acquired by Lytx) and mPrest.
