A Scandinavian hacker in the early days was what turned Shuman Ghosemajumder’s mind towards cyber threats. His career has now been defined by his solutions to growing problems of cyberattacks. Speaking with Pulse Q&A, Ghosemajumder charted his early life as click-fraud czar at Google to his current role as CTO of Shape Security.
*This interview has been edited and condensed for clarity.*
Pulse Q&A: We’re here today with Shuman Ghosemajumder, from Shape Security, joining us with Pulse Q&A to talk all about cybersecurity. Thank you so much for joining us today.
Shuman Ghosemajumder: Thanks for having me Arjun.
Pulse Q&A: I wonder if we could just have a little bit of a background about yourself, because you have a fascinating history with Google–where you covered a lot of issues relating to click fraud–leading all the way up to Shape Security, where you are now CTO.
Ghosemajumder: Sure. I grew up in Canada and studied computer science there and have been programming since I was five years old. I have had a strong interest in the evolution of computers during that time period. I was just blown away when the commercial internet and web became a thing during undergrad. And after that I started a company in Canada and developed web applications for several years before coming to the United States doing my MBA at the Sloan School at MIT. Shortly after I joined Google.
At Google, I worked on a number of different areas primarily relating to advertising, click fraud and privacy. I was part of the original team that launched Gmail in 2004, helped build up the systems that act against click fraud, which is the primary threat to our business model there, since we made almost all of our money from pay per click advertising. I founded a group called the privacy council that had a view into data privacy across the entire company and helped establish some of the initial policies that we had at Google on user protection.
After that, I cofounded a nonprofit with my wife based on her PhD research at Stanford called TeachAids and produced educational software that we took around the world and scaled to 82 countries, providing education on HIV prevention, and now most recently on concussion education. After starting that–allowing it to reach a certain level of scale–a couple of years later I decided to look at getting back into the for-profit side of the startup world and join Shape in 2012.
Pulse Q&A: And do you remember when you were growing up in Canada and having an interest in technology and software, when the question of cybersecurity first came up?
Ghosemajumder: So when I was running my company in Toronto, I remember getting hacked. We would run the web applications for our customers. And I remember there was one particular incident where the application was misbehaving. And we discovered an intruder had infiltrated our server. And I actually had a conversation with the intruder. And the attacker pretended that they were actually our customer, connecting to the server until we revealed some details that we were aware of and the attacker revealed themselves. And then we realized that they had completely owned us. And we had to reformat that server and restore all of the data. So that was probably the first and biggest realization that I had at the time of how important it is to think about cybersecurity. And, of course, there’s a relationship between application abuse and fraud and cybersecurity in terms of just being able to protect the users of a system and protect the business foundations of an application.
Pulse Q&A: Do you remember who the hacker was? Were they in the same region or in the same country?
Ghosemajumder: They were actually based in Scandinavia. That was one of the ways that we were able to identify that it was not our customer, because we knew that our customer was not based in Sweden.
Pulse Q&A: And I guess at that time as well you didn’t have the sort of legal framework to go after anyone who had hacked into a system.
Ghosemajumder: We were a small company. And so we just didn’t have the resources to be abroad, even if we had legal support. That was something that I experienced in a different form at Google, where we had cyber criminals all over the world who are attacking our advertising ecosystem and attacking our advertisers. Our priority was to be able to protect them and protect our system first, and going after cyber criminals through the legal system. That’s something that always has to be a secondary consideration, because it takes years in many cases to be able to deal with the problem that way.
Pulse Q&A: You were at Google in the early 2000s, mainly focused around click fraud, which was a big threat to ad revenue. What were your strategies at Google? What were the types of meetings that you would be having?
Ghosemajumder: Advertising was my primary reason for joining Google in 2003. We had just launched a product called AdSense. That was the first time that many small blogs as well as large media companies could monetize their websites using the same ads that we put on Google.com. And so if you, as a publisher, could now all of a sudden get a percentage of the revenue that was associated with your website, you now had a direct incentive to try and get as many clicks on those ads as possible.
And so we started to see click fraud in a much more sophisticated way than we’d ever seen before on Google.com. We started investing in that area and needed to understand not only all of the technical aspects of the problem, all of the signals that we could collect from clients and from the platform, but also how to be able to create the operational infrastructure within the company to be able to provide that capability to protect against attacks in as real time a fashion as possible. And of course, there is the game theory and policy and communications, and alignment coordination that goes along with all of that. So I ended up speaking to almost every corner of the company at some point, and speaking with external parties extensively as well.
Pulse Q&A: What were the biggest organizational structure aspects you had to change?
Ghosemajumder: So in 2003, Google was really still building itself into the Google that we know today. I had previously been at IBM for a short time. And one of the ways that I would compare the experience at IBM versus Google was that IBM had already built out all of the infrastructure you could possibly imagine, even having redundant infrastructure for different processes. So if you needed to figure out how to do something at IBM, there were often multiple ways to be able to accomplish that. At Google, where you would ask the question–‘what’s the process for being able to do something?’–the answer is often there is no process, and you’re now in charge of creating that process. It was not so much about ending things as starting from a blank page and deciding how to be able to build the solutions in the first place.
Pulse Q&A: At Google, what are the sort of biggest changes that have happened over the last 10 years now in the intensity or the level of the threats to cybersecurity?
Ghosemajumder: So what we saw was that there was a tremendous incentive for organized cyber criminal groups to invest in R&D to become more sophisticated when it came to generating fraudulent clicks. And so in the context of Shape, one of the things that I realized when I first started talking to Sumit and Derek and Justin, who were the founders of Shape, that the login form, a government agency, or if you’re talking about the product page of a retailer, or any user interface across the banking industry, there is an opportunity and an incentive to create abuse that enriches the cyber criminal.
If the cyber criminal has a level of sophistication that allows them to blend in with regular traffic, now, all of a sudden, they can create that fraud at will. So we needed to develop systems that would cut across all of those industries that would generalize the problem. And allow us to identify cyber criminals who are passing the Turing test; those that are capable of generating their traffic in such a way that it looks like real human beings sitting at real keyboards and using mice to be able to generate transactions. But in fact, it’s large scale sophisticated automation that’s creating fraud.
Pulse Q&A: And so it’s not just individual users, it’s large scale automation that’s leading to many of these attacks?
Ghosemajumder: Absolutely. And the reason for that is because cyber criminal groups are ROI driven organizations, they want to have the greatest efficiency when it comes to how they’re investing their resources. And they want to identify easy targets where they have to invest very little, where they can use tool kits rather than having to do custom software development. And that’s the best way for most cyber criminal groups around the world to be able to generate money on a very consistent basis. What we found was that this has become a very commoditized and federated ecosystem, where it’s actually using a botnet and bouncing your traffic off of millions of different IP addresses.
That’s actually enough to be able to get around many of the security controls that are considered to be industry standard controls, even in Fortune 500 environments. But it doesn’t stop there in terms of the sophistication and the evolution of those attackers. They also invest in methods to be able to move the mouse in the same way that a human being does, being able to type on a keyboard with keystrokes that look like, not only a single human being typing, but multiple human beings and the diversity of ways that they type on keyboards. If you can generate that at scale, then it’s a lot more efficient than trying to create those attacks manually. Although if you provide a large enough incentive, cyber criminals will do that too, from a sweatshop-based approach.
So this is also something that we saw at Google, and we call them click farms, where you would have groups of people in lower wage regions, and they would click on ads all day, essentially. And so now what we see is that if you provide enough incentive to take over an account, then cyber criminals will actually hire individuals to take stolen usernames and passwords and just try them against the login form of whatever website you’re trying to attack.
Pulse Q&A: To what extent does a company like Shape Security study incentives? Usually, what you hear about is solutions, like how to solve the problem if there’s ransomware, if there’s an attack on your computer, but to what extent do you study incentives to want to hack in the first place or do it on a large scale?
Ghosemajumder: It’s part of the underpinning of how an attacker is going to be so that’s something that we study very carefully. And we have different teams that focus on different aspects of the problem. So we’ve got engineering teams that of course, focus on building up the infrastructure that allows us to be able to plug into application infrastructures, process the data and create protective results in a very short period of time with very low latency. But we also have other engineering teams that are entirely focused on learning what signals and telemetry we can get from the clients that are interacting with those applications. And those teams are completely different from the teams that actually focus on understanding the business aspects of the cyber criminals.
How exactly do the cyber criminals operate? How did they get the resources in the first place that allows them to generate the attacks. How will their attacks evolve over time? And how are they different across different industries? And how are they the same across different industries?
For example, there are some attack tool kits that are highly industry-specific. For example, in the sneaker industry, there are a number of different shoe-bots that you can find online that wait for Nike to release a new popular shoe. And then they’re highly specific to trying to buy up all of the inventory of that shoe from Nike’s website.
There are other attack toolkits, like one called Sentry MBA, that is completely cross industry. And what it does is it takes the stolen usernames and passwords that you get from completely unrelated websites like the Yahoo data breach, and you plug it into that tool. And then the tool bounces millions of login requests off of hundreds of thousands, or even millions, of IP addresses in order to be able to attack whatever website you want.
Pulse Q&A: And would ransomware fall under this?
Ghosemajumder: The best way to be able to protect against ransomware is to make sure that your computer is up to date, and that you’ve got all the security updates that need to be incorporated into your operating system. But what we protect against is when you’ve got, say a web application, say you’re running banking login, that bank has invested tens of millions, if not hundreds of millions of dollars in security; they’re not falling behind 30 vulnerabilities. That’s what we consider to be a fully patched application from a traditional information security point-of-view. But there’s still the opportunity for the users of that banking system through their own poor security habits, to make it possible for attackers to take over their accounts. So because users reuse their passwords across hundreds of different websites, in many cases, that creates the opportunity for cyber criminals to take advantage of that.
Pulse Q&A: Is banking still one of the most vulnerable sectors or are you seeing other sectors now being a little bit wiser in their investments on cyber security?
Ghosemajumder: It’s not as though there is a specific investment that someone could make from the way that they’re developing their application that will suddenly make this attack impossible. Instead, what you need to do is develop very sophisticated technology to identify cyber criminals who themselves are so sophisticated that they can’t be detected otherwise. And so that’s what our platform does. And of course, we think that the best way to be able to protect against these attacks is for our platform to be used as widely as possible.
But I would say that banking is the most targeted because of the fact that they’re the ones that have the greatest value behind each of those accounts. But every industry that has accounts that have some value stored within them, is attacked through the same mechanisms. So for example the retail industry and the airline industry are attacked in many cases where more than 90% of all retail logins and more than 99%, in some cases, which are called credential stuffing attacks. And so what we see there is that the cyber criminals are taking over accounts that contain loyalty points or gift card balances. And then they can consolidate those balances into other accounts that they’ve taken over on the same system, and then sell them on secondary markets like eBay. If you go to eBay and you buy discounted air miles, then you’ll find many sellers have, such discounted points and in many cases actually stolen merchandise, essentially, that you’re buying.
Pulse Q&A: Is investment in cybersecurity largely still a cultural issue? Has there been a cultural change in investments on cybersecurity?
Ghosemajumder: I think it has changed significantly in the past decade. So all of these companies that are in the industry, where users place a great deal of trust in them to be able to secure their accounts, to be able to secure their infrastructure and security data. I think that they have seen their peers get compromised, they’ve seen the breadth and rapidity of data breaches. The investment in this area has been very significant over the course of the last decade. And of course, that has caused cyber criminals to evolve.
This is one of the reasons that in many cases, cyber criminals aren’t even trying to look for standard vulnerabilities anymore. When they do get in through a standard vulnerability, it’s one of those gotcha moments where it’s just a very silly mistake that the corporation has made for one reason or another. Maybe for a process reason, and in many cases, one of the things that you hear about in these media reports is that the fix for that particular security vulnerability was already on the roadmap or that IT organization, they just hadn’t gotten around to it yet.
And so there’s investment, there’s knowledge, and then there’s process. And I think that it’s really difficult for a large organization to be able to act flawlessly in all of those areas. And of course smaller organizations don’t even have the resources to be able to do that. So I think that one of the trends we’re seeing in this area is companies trying to take on less of this themselves and pushing more out to third parties where they can get these services provided to them with an SLA. And they have metrics that allow them to be able to understand whether or not they’re as secure as they would like to be for the amount of money that they’re investing.
Pulse Q&A: So a major change would be how an equivalent company to yours in the past wouldn’t now think twice about spending?
Ghosemajumder: A lot would be built in. So if you’re a small company today, then you’re not trying to do things generally, like operate your own servers, you’re using the public cloud. Google, Amazon and AWS are spending hundreds of millions of dollars making sure that those platforms are as secure as possible. And in fact, as a small company, you’re getting the same level of security when you use those platforms, as companies that are orders of magnitude larger than you. So I think that that’s part of that trend towards being able to get greater security, in fact, state of the art security as a service
Pulse Q&A: And does Shape Security use any of these other products, or is it all in-house?
Ghosemajumder: No, we’re very much representative of that approach. So we use other services ourselves. And we use public cloud platforms, we use a variety of third party tools and services to make sure that we are as thorough as possible. And our product itself is exclusively provided as a service. So we’ve created this sophisticated platform to be able to identify cyber criminals that would otherwise be invisible to existing security controls. And the only way that you interact with Shape is by using our platform and integrating into your application as a service. So we then take responsibility for protecting your application against all kinds of sophisticated fraud and abuse no matter what it does.
Pulse Q&A: Is there still a zero trust approach in cyber security?
Ghosemajumder: That’s a very good way of thinking about what we do. Because you have to understand all of the activity on the application–all of the transactions that are coming through a login form–in order to be able to identify very sophisticated fraud and abuse. So that relies on us basically saying that every transaction is untrusted until it is past certain gates of analysis that allow us to say that it appears to be clean. Saying that the same thing applies to devices and accounts and so on. So you can analyze multiple dimensions of a problem from a zero trust perspective, to be able to create models of behavior.
Pulse Q&A: One of the catchphrases on your website is that ‘the front line is always changing’. What would you say are the biggest challenges in terms of cyber security threats over the next sort of five years?
Ghosemajumder: I would say that the use of AI is something that is transforming the way that both attackers and defenders function. So from a defense perspective, the only way for us to be able to analyze billions of transactions a day is using machine learning. And that was something that we used back in the day at Google as well. That was, again, the only way to be able to achieve that scale. But using machine learning techniques also allows you to be able to reach a level of efficacy that you wouldn’t be able to have if you just had human inspection. And so it’s the combination of that greater efficacy and greater scale, that makes it a requirement for us and companies like us to invest in AI.
But cyber criminals are on the opposite side of this problem. They’re trying to figure out how to fool your machine learning models. And that’s also something that’s increasingly difficult to do by hand. On the other hand, if you as a cyber criminal can gain access to a data set of legitimate users, now all of a sudden you can use that to model your spoofed behavior, and hopefully defeat the AI based systems that are trying to identify you as committing fraud. So it’s an arms race on both sides. And one of the things that we’re seeing is that cyber criminals are getting much more sophisticated on that front.
An example of this is the way that cyber criminals are able to be captured. CAPTCHA is the most widely used Turing test in the world. And it was traditionally the way that applications would prevent bots from interacting with their login forms and with their posting mechanisms and other areas that they didn’t want to allow automation into.
And the problem is that CAPTCHA now does the exact opposite of what it was intended to do. So if you’re a cyber criminal, you just use a CAPTCHA solving service or you use built in optical character recognition in your attack tool and you can solve any CAPTCHA that’s out there. If you’re a human user, on the other hand, you’ve been having an increasingly difficult time over the last five years being able to solve CAPTCHAs that require you to spend more and more time identifying images and trying to guess what the right answer is before you’re allowed into your account. And so now it’s become a significant roadblock for real users. And it offers no real security benefit against attackers. So that’s an example of where the traditional AI-based mechanism in terms of trying to use the Turing test against the attackers has been overcome by the evolution of those cyber criminals.
Google released some stats a few years ago, on their synthetic distorted text challenges (the squiggly text that you would have to write). What it showed was that human beings had dropped down to a 33% solve rate. So two thirds of the time, we were getting it wrong, and machine learning-based optical character recognition as used by cyber criminals and others had a 99.8% rate.
Pulse Q&A: Could you give me some examples of machine learning within the world of hackers?
Ghosemajumder: I think that’s still an evolving area. The most prominent example of this is them using optical character recognition itself, which was traditionally a machine learning and AI based set of techniques to be able to solve CAPTCHA. Now optical character recognition is so widespread that we don’t even necessarily think of it in the context of AI. But that’s representative of the evolution in that field. Now it’s more broadly about computer vision. And as CAPTCHAs get more complex, you’ve got more opportunity for computer vision approaches to be able to still comprehend what they represent the same way that we assume only a human being can.
Pulse Q&A: You often give talks on cybersecurity quite a lot around the world. I’m interested in what the major issues now are when you give these speeches.
Ghosemajumder: I think one of the major themes is how we secure our data in the platforms that we use, as well as services that store our money and store our data. And also, how does this affect issues and society like elections? So being able to rely on those systems, from a security perspective, is fundamental to our ability to trust, the output of the systems and the operation of the system. So we’re going to have major concerns that are going to keep increasing as we see elections being influenced by the use of fake accounts and the creation and propagation of fake content. And so I think that’s an area that is making cybersecurity broader and broader to the general population. But one of the things that we see is that everyone is using services like their banks, their airlines, retailers, and so on, that are being attacked on a 24/7 basis. They’re just not necessarily aware of those attacks, because they’re kind of happening behind the scenes.
So when you think about something like a DDoS attack, and there was a lot of attention paid to DDoS attacks in the era immediately prior to this one (I’d say maybe about five years ago), everyone would ask how was this major website taken down? There was a major DDoS attack that took down a bunch of banking websites and everyone asked ‘How did this incident occur?’. But when you think about the attack itself, the reason that we were having that press cycle and having those discussions was because of the fact that the attack was very visible, everyone could see that the bank sites were no longer accessible. And they asked ‘How did this happen?’. They wanted to know what could be done to be able to protect against that.
From there, what we saw was that many defenses were built, and many companies were created to do a better job of DDoS protection. And now that’s built into the platform that we rely on. So there’s DDoS protection that’s built into AWS and TCP and so on. And I think that the difference with the attacks that we’re focused on today is that they are much less visible. So if you’ve got banks and retailers that are being attacked millions of times a day, but there’s no visible sign of that on the website, then it’s sort of out of sight out of mind.
You as a user of that system don’t actually know whether or not your account is being targeted specifically. And so you discover this one day, all of a sudden. You log into your account, and your funds are lower than you expected them to be, or in some cases, your gift card balance has been completely depleted. And then you write into the company and you ask what happened, and they might conduct an investigation and determine that you were the victim.
We think about these attacks often after the fact, as opposed to being able to get a very visible sign that it’s going on. And I think that that delay has resulted in some complexity and challenges associated it with not only addressing the problems and protecting us from the attacks, but also in educating the public about the complex nature of this part of the ecosystem.
Pulse Q&A: I imagine that goes double for political interference as well, because you have to do it much before the election itself. Does Shape Security deal with political interference by cyberattacks?
Ghosemajumder: We don’t look at the content. And looking at fake information is a very broad topic, there’s a set of technologies that enable you to create fake content. Now, tool kits that let you create deep fake videos that let you create fake news articles that let you synthesize voices that sound like celebrities and politicians. We don’t focus on that side of the problem in terms of the generation of the content. Frankly, I think that there’s not very much that can be done in terms of preventing content like that from being generated, because the tools are already out there. And they’re getting more sophisticated. They can be used, often in the darkness, by any bad actor that wants to be able to create that fake content in the first place. Where we focus, where I think there’s the greatest opportunity to be able to do something about that fake content, is in the propagation of the content. So anyone that’s creating a deep fake video, or creating a fake set of news articles, they’re not just hoping that that content is going to catch on and go viral, they’re going to try and manipulate the system and make that happen.
So what we can do is we can identify the fake accounts that they register to be able to post that content, we’ve identified the actions of automating those fake posts as well. And we can identify all of the interactions that they also automate, in order to be able to make those fake accounts look like they’re real accounts over time. Because if you’re trying to post fake content, you can’t just go and register a million accounts from a single IP address, and hope that platforms aren’t going to be able to detect that. Of course, they’re going to be able to detect that; every major technology platform is able to identify too much traffic coming from a single IP address in a short period of time.
So attackers, like I was mentioning before, they use botnets as table stakes for being able to bounce traffic off of many different IPs and look like it’s a large set of users that are engaged in either posting something or in logging into websites or generating other types of transactions. Then what they do, particularly on social platforms, is what’s called persona management. And so they’ll register an account often years in the past, and then that account will lay dormant for several years before they actually bring it into use. And during that dormant period, it’ll do things like link to other accounts, and start posting some completely benign materials, and start following other accounts that are commonly followed so that the account looks more legitimate when they actually do want to use it and stays under the radar in terms of any detection systems that the platform might be using. Being able to detect very sophisticated automation in those types of contexts, that’s where I think we have the greatest opportunity to be able to protect against those attacks.
Pulse Q&A: Thank you so much for your time today. Really appreciate it.
Ghosemajumder: Thanks so much, Arjun.