In more cases than not, it can take companies weeks or months to discover that hackers have stolen critical corporate or customer data.
But a new company fresh out of stealth mode claims to be able to cut that wait time down to just seconds.
A new technology launched Wednesday, called Matchlight, built by a Baltimore, MD.-based security startup Terbium Labs, can trace the source of a data breach -- even on the dark web which accessible through anonymity networks such as Tor. The aim is to cut down response times, seal leaks in company systems, and get a recovery plan in place sooner rather than later.
"There will always be a path out of your network through an advanced or insider threat," said co-founder Danny Rogers in a phone call last week. "There is no defense that's perfect. If you can't stop everything, what else can you do? That's when we started to focus on immediate threat detection," he said.
Rarely do like red flags appear on a screen inside a company's firewall warning that its systems have been breached. In reality, most data breaches are discovered because someone stumbles across stolen data in an underground forum, up for sale to the highest bidder.
Rogers, and his co-founder Michael Moore, said that using large-scale cloud-based automation to search for this data can considerably cut down on how long it takes to discover breaches.
Here's how it works:
The customer, such as a retailer or a bank, has a database of sensitive data, from credit card numbers to usernames and passwords. With an appliance, they can generate in-house unique fingerprints of that data. Those fingerprints go into Matchlight's cloud, without any sensitive data leaving that company's systems. Combined with an advanced web crawler that's able to index sites on the dark web, the company can be immediately informed when a fingerprint is found.
And that happens near-instantaneously, and regardless of the type of attack that led to the data theft in the first place.
"We can look inside marketplaces where there may be credentials required -- we're accessing the same way humans do, but thousands of times larger," said Moore.
Terbium Labs started in 2013, and has rapidly increased in size since its inception. During the last few months, the company has enlisted the private support of a number of Fortune 500 companies in a private beta. (The two co-founders declined to name any customers, but did say they include manufacturing, healthcare, and banks and financial companies.)
During advanced testing prior to its launch, the two co-founders said they identified 30,000 new credit cards go up for sale on the dark web, as well as 6,000 email addresses and passwords in a single day.
In one other case, on the first day in working with a major US banks, Matchlight picked up within half a minute a few thousand credit cards that had been put up for sale.
"What we have is a unique look at the scale and scope of the dark web market for stolen information," said Rogers.
The leak happened because an authentication flaw in one of the IRS's online tools required very little taxpayer information to prove identity. That meant data stolen from previous breaches, such as Target and JP Morgan, could've been used to build up profiles on taxpayers to access even more sensitive financial data.
"If we had those individuals' data fingerprinted and monitored, we would've seen it on the dark web in seconds to a few minutes," said Rogers. "What we're able to do after that is dependent on the data. If it's credit card numbers, they can be flagged or cancelled, and if it's social accounts those passwords can be changed."
"There's a lot that can be done once the data is out there," said Rogers. "The hardest part is finding out the data is out there in the first place."