freee K.K.

Fraud detection is also one of the functions of a cloud accounting service
Blocking attacks that abuse free accounts

freee K.K. (hereafter, freee) supports the back-office operations of small and medium-sized businesses with SaaS, under the mission of "making small businesses the leading players in the world". What the company, which has grown rapidly on a freemium strategy, could not overlook was the behavior of suspicious users who abused free accounts.

Hideshi Sugiura
freee K.K.
Product Platform Fleet
PSIRT Yacht, Chief Engineer

Miki Imai
freee K.K.
Product Platform Fleet
PSIRT Yacht, Engineer

Recognize critical risks from failed attack logs

Starting with its cloud accounting service, freee has expanded into HR and payroll, company incorporation, tax filing, project management and other services. In 2021 the company issued its own integrated corporate card, "freee card unlimited", to support users' cash flow. In the fiscal year ending June 2021, paid users exceeded 290,000 companies and ARR (the annualized billing of recurring subscribers) reached 11.9 billion yen. Under its new vision of "an integrated platform that anyone can freely manage", freee aims to integrate all back-office operations, automate business-related work and make management visible.

The impetus for considering Sift was the discovery of suspicious user behavior in the regular log reviews of freee's PSIRT. After introducing a security information and event management (SIEM) tool and analyzing its various logs together, the team found traces of a logged-in user attempting to access the data of other companies. Since anyone can create a free account on freee's cloud accounting service, the attacker could have created such an account and used it for the attempt.

"There have been attempts to hijack other companies' accounts through password-list attacks and the like, but most of them could be eliminated with a web application firewall (WAF). Beyond that, it is basically the logic of the application. If there is an error in this logic and the control is defective, it may lead to information leakage." (Mr. Sugiura)

For attackers, an attack that steals other accounts' information after logging in is far more efficient than hijacking existing accounts: hijacking yields only the information of the accounts actually taken over, whereas a successful attack on post-login access control exposes the information of every user. Although no information leakage had occurred when the traces were discovered, freee's PSIRT regarded this as a serious risk.

Sift was adopted after evaluating ease of system integration and dashboard visibility

At that time, freee had already introduced a product that detected unauthorized logins. It was a rule-based product that calculated a score from rules set on factors such as IP addresses, treated access above a certain score as an unauthorized login and blocked it. "With the previous product, we had to specify the rules for determining the score one by one. We had to set every rule ourselves to define what counted as fraudulent, and to keep up with evolving attacks we had to keep tuning it ourselves." (Mr. Sugiura) In addition, because the service charged a usage fee each time its API was called, fraud detection could, for cost reasons, only be applied at login time. "The scope of visibility was narrow compared to the cost involved, and as a result we were unable to track the overall behavior of suspicious users." (Mr. Sugiura)

When considering Sift Account Abuse, a service that prevents unauthorized account use after login, the company was struck by the ease of use of its API. The rich API and the feedback delivered through webhooks made it possible to automate the integration. Automation often turns into a black box, but Sift lets you see on a dashboard how each user's behavior is scored. "You can follow a user's behavior after login in chronological order just by looking at the screen. If a person judges that a user is suspicious, they can feed that back to the machine learning engine simply by checking a box on the screen. I rated this point the highest." (Mr. Sugiura)

One difficulty encountered during the trial implementation was creating custom events to send to Sift. Sift started as a fraud detection solution for e-commerce sites, so many of its predefined events are e-commerce events such as credit card payments and cart operations. The events a cloud accounting service needs therefore had to be created as custom events. "You don't know how the engine will react until you try it, so at first we covered a wide range, sent actual data, and removed events that we judged to be meaningless. Sift has extensive documentation and samples, so it was easy to develop. We received support from engineers at Macnica, the vendor, regarding the detailed specifications of the API." (Mr. Sugiura) Because the reason for each judgment can be checked on the dashboard, development did not require blind trial and error, and the rollout progressed through successive trials.

In the end, almost all events related to data changes, deletions and page transitions were sent to Sift. Every item that constitutes personal information, such as email addresses and names, is irreversibly transformed (one-way hashed) before being sent, and the trial period confirmed that the machine learning engine still operates without problems and delivers highly accurate judgments on that data.

Automatic blocking of suspicious users at a detection rate 100 times higher than before

After a two-month trial, the team judged the accuracy sufficient to block suspicious users automatically, and Sift Account Abuse moved to full-scale operation in June 2020. Users whose score exceeds the reference value are temporarily blocked and sent a re-authentication email. In the more than a year and a half since full operation began, there has reportedly not been a single user complaint caused by re-authentication.
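The two mechanisms the case study describes, custom events sent with personal data in irreversibly hashed form and a score threshold that triggers a temporary block plus re-authentication, as an added illustration that is not freee's or Sift's code. The event shape, field names, key and threshold value are assumptions of this example, not Sift's API.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Assumption: a secret held only by the application, never shared with the
# scoring vendor. A keyed one-way hash, unlike a plain SHA-256, also stops
# anyone without the key from confirming a guessed e-mail by hashing it.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-in-production"

PII_FIELDS = {"email", "name"}   # fields that must never leave in the clear
BLOCK_THRESHOLD = 0.80           # assumed reference value for the score


def pseudonymize(value: str) -> str:
    """Irreversibly transform a PII value. Equal inputs give equal tokens,
    so the engine can still correlate one user across many events."""
    normalized = value.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalized, hashlib.sha256).hexdigest()


def build_custom_event(event_type: str, user_id: str, properties: dict) -> dict:
    """Build a vendor-neutral custom event (e.g. a record deletion or a page
    transition) with every PII field replaced by its pseudonym."""
    safe = {k: pseudonymize(v) if k in PII_FIELDS else v
            for k, v in properties.items()}
    return {"type": event_type, "user_id": user_id, "properties": safe}


@dataclass
class Decision:
    action: str      # "allow" or "block_and_reauth"
    score: float


def decide(score: float) -> Decision:
    """Above the threshold the account is only temporarily blocked and asked
    to re-authenticate, so a false positive costs the user one extra login."""
    if score >= BLOCK_THRESHOLD:
        return Decision("block_and_reauth", score)
    return Decision("allow", score)


if __name__ == "__main__":
    # Constructed sample: a free account bulk-deleting records.
    ev = build_custom_event("journal_entry_deleted", "u-123",
                            {"email": "User@Example.com", "count": 40})
    print(ev["properties"]["email"][:16], decide(0.93).action)
```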

Today Mr. Imai, who is in his first year with the company, handles almost all of the operation. On average it takes about 5 person-days per month, covering feedback to Sift on the results of the team's regular log reviews, API implementation for new pages and maintenance of existing integrations. "When we add events or Sift tunes its engine, scores can suddenly rise and block users who had no problems before, and we have to make the engine learn in response. However, after about 100 feedbacks most of them are reflected, so I think it takes about a tenth of the time and effort of other solutions." (Mr. Imai)

Since the introduction of Sift Account Abuse, about 1% of newly signed-up accounts are blocked, 100 times more than with the product used before. "During operation there are times when Sift judges as gray a case that looks unproblematic to the human eye. By reading such cases together with the security logs of other tools, and by flagging everything Sift considers suspicious, I think cases that would otherwise get insufficient confirmation are identified and omissions are eliminated." (Mr. Sugiura) The advantage lies not only in the high detection rate but also in the information gained from cases where fraud is suspected.

"Sift automatically blocks what appear to be 'abandoned accounts' used for abuse, which helps cut the noise when reviewing logs and giving additional feedback to the engine." (Mr. Imai) At the end of 2021, the outcomes of the re-authentication emails were fed back to the machine learning engine, further improving accuracy. Satisfied with the results of Sift Account Abuse, freee additionally introduced Sift Account Defense, which specializes in detecting unauthorized logins, and has operated it since November 2021.

Expecting integrated management with SIEM

freee manages security events and logs centrally in a SIEM, and hopes to bring Sift's information into the SIEM in the future. "A person could then see at a glance whether an event Sift detected was also caught by other security sensors, and correlate them easily. By feeding that information back to the other sensors, I expect the person-hours needed for operation to fall further." (Mr. Sugiura)

Protecting its own APIs will become more important from now on

freee, which started as a cloud accounting service, already connects to many bank APIs and automatically captures account statements and processes transfers. Looking ahead, the company envisions payments between companies that use freee being completed entirely within the cloud accounting service. "One of our strengths is that we support most of the APIs of domestic banks and credit card companies, and we publish our own API so that other applications, including those, can be linked centrally. Protecting our own APIs will become more and more important in the future." (Mr. Sugiura) freee expects Sift to support this by preparing rules and events for banking operations.

"If paper ledgers are stolen, it's over, but with a cloud accounting service they cannot be stolen or tampered with. To be able to say that to our customers, we regard fraud detection as one of the important functions of a cloud accounting service, and we work on it every day," says Mr. Sugiura. Sift plays a part in supporting the security of freee as it continues to expand its services as a platform for small businesses.

User Profile

freee K.K.
Location: Gotanda First Building 9F, 2-8-1 Nishi-Gotanda, Shinagawa-ku, Tokyo
Introduced: July 2021
URL: https://www.freee.co.jp/
In developing its business, freee always takes on new challenges, unconstrained by precedent and convention, pioneering every area of business operations, from organizational strategy and operations to finance and human resources, to create the future.

Inquiries / Document requests

Macnica Co., Ltd., Sift team

Mon-Fri 8:45-17:30