Cyber Detection at Booking.com: Securing the Future of Travel
Booking.com is one of the world’s leading marketplaces for travel. It makes sense, then, that they need world-class cyber defence capabilities. The Cyber Detection and Response Group keeps Booking.com, its customers, partners and employees secure around the clock. The group oversees things like Cyber Detection engineering, security product management and advanced cyber incident response.
The group consists of over 45 highly talented, passionate security professionals, in charge of the cyber defence of one of the biggest, most recognisable e-commerce companies in the world. Maintaining Booking.com’s overall security and compliance, and ensuring that customers’ and partners’ data is handled in line with the highest international standards, is therefore a core priority.
Starting out in the cybersecurity industry
Ariel Lemelson, Head of Cyber Detection & Response at Booking.com, describes his leadership style as “empowering”, inspiring his team with a shared vision and dedication to cyber security. Ariel adds: “Build your team with people that share your passion and can become true partners that would share the excitement of the journey. Genuinely caring about your people and being consistently honest is also key in achieving an engaged, high-performing security group.”
With over 17 years of cybersecurity domain experience, Ariel advises those starting out to be humble, always keep learning and continually look for tomorrow’s practices: “Don’t get stuck in the present,” he says.
Cybersecurity is, of course, a constantly evolving and forward-looking industry. Ariel says that those who want to enter cyber security need to “get their hands dirty” and must not become disconnected from the practice as they grow, including “what is happening on the production floor”. He adds that it is crucial to embrace the business context; security is not done in silos: “We are here to serve and enable the business to innovate at speed, while keeping things secure and compliant.”
In short, Ariel believes that a can-do approach and high level of passion are drivers for success in this field.
What is unique about Booking.com and cybersecurity?
“We take online safety and the protection of consumer and partner data extremely seriously,” says Ariel. “We are continuously innovating our processes and systems to ensure optimal security on our platform, while constantly evaluating and enhancing the robust security measures we already have in place.”
“In line with the highest technical standards, our dedicated security and fraud teams monitor activity 24/7, utilising bespoke, state-of-the-art tooling to quickly detect and resolve any potentially suspicious activity, leveraging both internal and independent industry expertise to stay one step ahead of threats and adversaries.”
It is no stretch to say that Booking.com hires top talent for these teams and equips them with the best tooling and most advanced technologies available on the market, including the latest, most innovative methodologies.
What must companies do to prepare successfully for cyber incidents?
“Observability and detection are vital for the response aspect of security. Simply put, if you can’t detect it, then the chance for a timely response to a cyber incident is low. In order to prepare, you need to define your process, your technology and your people for each of the three components: observability, detection and response,” says Ariel.
“As cyber defence leaders, in order to be well prepared you would like to have identified your business priority risks and crown jewels, and have a thorough understanding of your threat landscape. To add to that, you want to have practical, well-practised and validated response procedures, as well as a trained and passionate cyber incident response team, armed with top quality tooling.”
Dealing with emerging threats
To stay one step ahead of emerging threats, you have to be able to correlate an abundance of information sources into a crisp picture of reality. This is done by smart contextualisation of the telemetry and alerts: correlating them with each other, with threat intelligence sources, and with business and risk information. Ariel says that “this allows you to keep your cyber defence teams within a manageable amount of information of high value, and high effectiveness of security operations”.
IT environments have grown far more complex over the years. To keep up, cyber defence teams have to be able to scale their defence capabilities without a linear growth in resources.
“Scale and effectiveness became an essential condition for success in cyber defence, replacing manual efforts with automated ones,” he says. “It is essential to work with the right tooling that allows us to contextualise all the dots and signals into a clear picture. This saves substantial amounts of time in prevention, detection, investigation and response, and increases the ROI of the security spending.
“The sophistication of the attackers requires better contextualisation, and a more adversarial point of view by the defence teams. Having the effective ability to defend the different dynamic environments and workloads on-prem and in-cloud requires robust automation and correlation capabilities to be up to speed with the pace of technology. Things that could have been manual in the past, can’t be done in a manual fashion any more.”
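What contextualisation looks like in practice, as an added illustration that is not Booking.com’s tooling or code: raw tool alerts are grouped per host, enriched against a threat-intelligence feed, weighted by the business criticality of the asset, and scored so that repeated noise collapses into one low-value case while a chain of different signals on a crown jewel rises to the top. The indicator list, asset tiers, alert records and scoring weights are all constructed for this example and are assumptions, not anything the page describes.

```python
"""Contextualised alert correlation over constructed telemetry.

Added example, not Booking.com's tooling. The threat-intel feed, the
asset tiers and the raw alerts below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> label (assumption).
THREAT_INTEL = {
    "203.0.113.45": "known-c2",
    "mimikatz.exe": "credential-dumping-tool",
}

# Constructed business context: host -> criticality tier, 3 = crown jewel (assumption).
CROWN_JEWELS = {"db-payments-01": 3, "web-edge-07": 1, "hr-laptop-22": 1}

# Constructed raw alerts, as a security tool would emit them.
RAW_ALERTS = [
    {"ts": 1, "host": "web-edge-07", "src_ip": "198.51.100.9", "rule": "port-scan"},
    {"ts": 2, "host": "hr-laptop-22", "process": "mimikatz.exe", "rule": "suspicious-process"},
    {"ts": 3, "host": "hr-laptop-22", "dst_ip": "203.0.113.45", "rule": "outbound-connection"},
    {"ts": 4, "host": "db-payments-01", "user": "svc-backup", "rule": "new-admin-logon"},
    {"ts": 5, "host": "db-payments-01", "dst_ip": "203.0.113.45", "rule": "outbound-connection"},
    {"ts": 6, "host": "web-edge-07", "src_ip": "198.51.100.9", "rule": "port-scan"},
]


@dataclass
class Case:
    """One correlated case per host: the alerts behind it, intel hits and a score."""
    host: str
    alerts: list = field(default_factory=list)
    intel_hits: set = field(default_factory=set)
    score: int = 0


def enrich(alert):
    """Return the threat-intel labels matching any indicator field of the alert."""
    hits = set()
    for key in ("src_ip", "dst_ip", "process"):
        value = alert.get(key)
        if value in THREAT_INTEL:
            hits.add(THREAT_INTEL[value])
    return hits


def correlate(alerts):
    """Group alerts by host, enrich them, and score each case.

    score = (distinct detection rules + 2 * distinct intel hits) * asset tier.
    Repeats of the same rule on the same host add nothing, so a noisy
    scanner firing twice stays a single low-value case.
    """
    cases = {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        case = cases.setdefault(alert["host"], Case(host=alert["host"]))
        case.alerts.append(alert)
        case.intel_hits |= enrich(alert)
    for case in cases.values():
        distinct_rules = {a["rule"] for a in case.alerts}
        tier = CROWN_JEWELS.get(case.host, 1)  # unknown assets default to the lowest tier
        case.score = (len(distinct_rules) + 2 * len(case.intel_hits)) * tier
    return sorted(cases.values(), key=lambda c: c.score, reverse=True)


def triage(alerts, threshold=4):
    """Return only the cases worth an analyst's time (threshold is an assumption)."""
    return [c for c in correlate(alerts) if c.score >= threshold]


if __name__ == "__main__":
    for case in correlate(RAW_ALERTS):
        print(f"{case.host:15} score={case.score:2}  alerts={len(case.alerts)}  intel={sorted(case.intel_hits)}")
```

On the constructed input, six raw alerts become three cases: the payments database scores highest because a new admin logon plus a connection to a known C2 address on a tier-3 asset outweighs everything else, the HR laptop follows with two distinct rules and two intel hits, and the two identical port-scan alerts on the edge host collapse into a single case that the triage threshold drops.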
What is Proactive defence?
“In the past, the common defence assumption of security teams was that an organisation was not compromised until proven otherwise. This was in alignment with the perimeter defence approach. With the changing of the paradigm into the mental model of ‘Assumed Compromise’, organisations now have to act as if the attackers are already in their environment. Still, making a working assumption that adversaries have access to the environment is different from assuming they have achieved their goals of stealing sensitive information or performing other impactful attacks like ransomware.
“In most mature organisations, for attackers to have a substantial impact or potential economic benefits, they would need to perform quite a complex operation, jumping from place to place carefully, exploiting any potential ‘digital holes’ found.
Proactive defence methodology assumes that the attackers are somewhere on their way from an initial access point towards the company data. In order to detect those potential attackers, defence teams deploy numerous types of cyber-traps called ‘detections’, and also actively hunt the attackers on their way,” Ariel outlines.
For the uninitiated, these descriptions really give one a sense of cyber warfare. In order to be successful in that, it is important to have the telemetry stored in an easily accessible fashion for the longer term, and to have tooling that helps security teams hunt efficiently across all that information.
“In today’s landscape, it is key to have more data rather than less, making less painful tradeoffs between which log source to save and for how long. With partial telemetry, the ability to efficiently hunt sophisticated attackers becomes limited.”
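The hunting side of proactive defence, and the retention point above, as an added example that is not Booking.com’s tooling or code: given retained remote-logon telemetry, walk time-ordered chains of logons from a suspected initial-access host towards the crown jewels, which is one concrete form of “hunting the attackers on their way”. The log format, host names, the crown-jewel list and the retention cut-off are constructed assumptions for this illustration; the last function shows how the same hunt fails once the oldest hop has aged out of retention.

```python
"""Hunt lateral-movement paths from an initial-access host to crown jewels.

Added example, not Booking.com's tooling. The simplified logon records,
host names and crown-jewel list are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed, simplified remote-logon telemetry: "<unix ts> <src> -> <dst> <user>"
LOGON_TELEMETRY = """\
1700000001 hr-laptop-22 -> file-srv-03 j.doe
1700000050 file-srv-03 -> jump-host-01 j.doe
1700000090 jump-host-01 -> db-payments-01 svc-backup
1700000120 web-edge-07 -> jump-host-01 admin
1700000200 hr-laptop-22 -> printer-09 j.doe
1700000300 db-payments-01 -> hr-laptop-22 svc-backup
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)$")

# Constructed business context (assumption): hosts whose compromise has real impact.
CROWN_JEWELS = {"db-payments-01"}


def parse(text):
    """Parse logon lines into (ts, src, dst, user) tuples, skipping malformed lines."""
    edges = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, src, dst, user = match.groups()
        edges.append((int(ts), src, dst, user))
    return edges


def retained(edges, oldest_ts):
    """Simulate a retention window: only records at or after oldest_ts survive."""
    return [e for e in edges if e[0] >= oldest_ts]


def hunt_paths(edges, start, targets, max_hops=4):
    """Return every chain of logons start -> ... -> target whose hops are in time order.

    Each hop must happen after the previous one (an attacker cannot use a
    session that predates their arrival on a host) and may not revisit a
    host already on the path. Each element of a path is (src, dst, user, ts).
    """
    by_src = defaultdict(list)
    for ts, src, dst, user in edges:
        by_src[src].append((ts, dst, user))
    found = []

    def walk(host, after_ts, path, visited):
        if len(path) >= max_hops:
            return
        for ts, dst, user in sorted(by_src[host]):
            if ts <= after_ts or dst in visited:
                continue
            step = path + [(host, dst, user, ts)]
            if dst in targets:
                found.append(step)
            else:
                walk(dst, ts, step, visited | {dst})

    walk(start, -1, [], {start})
    return found


def render(path):
    """Format a path as 'a -> b -> c' for a hunting report."""
    return " -> ".join([path[0][0]] + [hop[1] for hop in path])


if __name__ == "__main__":
    edges = parse(LOGON_TELEMETRY)
    for path in hunt_paths(edges, "hr-laptop-22", CROWN_JEWELS):
        print(render(path))
    # With the oldest hop aged out of retention the chain can no longer be reconstructed.
    print(hunt_paths(retained(edges, 1700000040), "hr-laptop-22", CROWN_JEWELS))
```

Starting from the HR laptop, the hunt reconstructs the three-hop chain through the file server and jump host into the payments database. Starting from the web edge host it finds nothing, because its only logon to the jump host happened after the jump host had already logged on to the database, so that edge cannot be part of the same chain. Cutting the retention window so that the first hop is gone yields no path at all, which is exactly the limit on hunting that partial telemetry imposes.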
Pitfalls in cyber threat detection and response
“Some of the pitfalls cyber security defence teams encounter result from doing cyber defence in a silo, without being fully aware of both the full attack surface and the most important business assets. This may lead to a security ‘comfort zone’, where there may be over-investment in defence of certain points, while other major blind spots are not properly defended and there’s a lack of awareness and risk acceptance from the business. These disconnected situations may result in a negative scenario,” says Ariel.
“There is also limited raw telemetry collection and retention, which impedes the ability to detect, hunt or investigate cyber attacks. Cyber defence teams do not always have a clear and open view of the threat landscape, or of the adversarial point of view. In such cases, it is almost impossible to provide proper cyber defence to the business,” he continues to explain. “The defence would be passive, driven by native alerts coming from security tools, lacking the holistic understanding of the ‘3D chess game’ we play every day with our adversaries, as cyber defence professionals.”
Another potential pitfall in security defences is that it's common to see security organisations that simply don’t measure the right KPIs. “If you don’t define the KPIs properly,” says Ariel, “you’ll be creating the wrong incentives for the security teams, which will eventually lead to ineffective resource allocation, low team effectiveness and, potentially, to cyber compromise.”