DocuSign Phishing Case Study | RiskIQ

Case Study

DocuSign

RiskIQ Helps DocuSign Gain Visibility and Control Over Internet-Exposed Assets

The Challenges

DocuSign’s business model is based on trust: trust between DocuSign and its customers and partners, and trust among customers themselves. The company is growing rapidly around the world, and its brand has become highly recognizable as the verb for getting business done easily, quickly and securely, 100% digitally. This makes it a prime target for fraudsters. It would be an affront to customer trust if malicious phishing websites and rogue mobile applications were able to hijack the valuable DocuSign brand to commit fraud against the company’s millions of customers.

Challenge: Phishing and Brand Abuse

Vanessa Pegueros, VP and Chief Information Security Officer, says her company frequently encounters phishing sites that abuse the brand. Mobile apps, too, are easy to counterfeit, and the company must keep a watchful eye open for unauthorized programs in more than 100 mobile app stores around the world. DocuSign rarely encounters bogus mobile apps, but the company often discovers partner-developed mobile apps that don’t adhere to the company’s branding. Such applications can confuse users if they don’t have the official look and feel of DocuSign’s products and services.

Challenge: M&A Activity

Part of the company’s tremendous growth has come through partnerships, mergers and acquisitions. Prior to engaging with these entities, DocuSign does its due diligence to understand the risk of doing business together. According to Pegueros, it’s important to understand the general health of the partner companies’ digital presence. “Looking at how they secure their web and mobile properties is an indicator for us of how they approach security in general,” says Pegueros. “We need to know if they aren’t as controlled as they should be.”

The Solution

DocuSign uses RiskIQ’s Digital Footprint solutions to ensure that its own online and mobile presence is well controlled.

“Our main use is to monitor for brand abuse,” says Pegueros. “We rely on RiskIQ to detect if there are rogue mobile applications or malicious websites that are abusing the DocuSign brand. It’s not necessarily something you can prevent, so a tool like RiskIQ Digital Footprint is absolutely necessary to stop someone from operating a copycat site.” Her security team used APIs from RiskIQ to create an automated workflow that sends evidence of malicious phishing sites directly to a takedown service provider. Now the order happens automatically without manual intervention, which shortens the time to takedown for a more secure, trusted environment.
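The automated workflow described above, reduced to its essentials as an added example. This is not DocuSign’s code and does not use RiskIQ’s real API or any real takedown provider’s API: the alert schema, the `.example` hostnames and the `submit` callable are all assumptions made for the example. What it shows is the part such a pipeline has to get right: filtering alerts to the types and confidence a provider will act on, grouping evidence into one ticket per abusive host, and remembering what has already been filed so a polling loop does not re-submit the same site every cycle.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample alerts in a shape assumed for this example; a real brand-abuse
# feed (RiskIQ's or another vendor's) has its own schema.
SAMPLE_ALERTS = [
    {"id": "alert-1", "type": "phishing",
     "url": "https://docusign-secure-login.example/verify", "confidence": 0.97},
    {"id": "alert-2", "type": "phishing",
     "url": "http://docusign-secure-login.example/view?doc=42", "confidence": 0.91},
    {"id": "alert-3", "type": "rogue_mobile_app",
     "url": "https://apps.example/store/docusgn-viewer", "confidence": 0.88},
    {"id": "alert-4", "type": "phishing",
     "url": "https://unrelated.example/", "confidence": 0.35},      # below threshold
    {"id": "alert-5", "type": "phishing",
     "url": "mailto:someone@example", "confidence": 0.99},          # not a web URL
]

ACTIONABLE_TYPES = frozenset({"phishing", "rogue_mobile_app"})
MIN_CONFIDENCE = 0.80


def abusive_host(url: str):
    """Return the lowercased hostname of an http(s) URL, or None if the URL is not
    something a takedown provider can act on (non-web scheme, missing host)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def select_actionable(alerts, min_confidence=MIN_CONFIDENCE):
    """Keep only alert types the provider handles, above the confidence floor and
    with a usable host. Anything below the floor is left for human review."""
    kept = []
    for alert in alerts:
        if alert.get("type") not in ACTIONABLE_TYPES:
            continue
        if alert.get("confidence", 0.0) < min_confidence:
            continue
        if abusive_host(alert.get("url", "")) is None:
            continue
        kept.append(alert)
    return kept


def build_tickets(alerts, already_submitted):
    """Group alerts into one takedown ticket per host, carrying every URL and alert id
    as evidence, and skip hosts that already have a ticket (idempotent re-runs)."""
    by_host = {}
    for alert in alerts:
        host = abusive_host(alert["url"])
        if host in already_submitted:
            continue
        ticket = by_host.setdefault(host, {
            "host": host, "abuse_type": alert["type"], "urls": [], "alert_ids": [],
            "requested_at": datetime.now(timezone.utc).isoformat(),
        })
        if alert["url"] not in ticket["urls"]:
            ticket["urls"].append(alert["url"])
        ticket["alert_ids"].append(alert["id"])
    return list(by_host.values())


@dataclass
class WorkflowState:
    """Hosts with a ticket already filed; persisted between runs in a real deployment."""
    submitted_hosts: set = field(default_factory=set)


def run_takedown_workflow(alerts, state, submit):
    """One polling cycle: filter, group, submit through the provider callable, record.
    `submit(ticket)` stands in for the takedown provider's API and returns a ticket id."""
    actionable = select_actionable(alerts)
    tickets = build_tickets(actionable, state.submitted_hosts)
    receipts = []
    for ticket in tickets:
        ticket_id = submit(ticket)
        state.submitted_hosts.add(ticket["host"])
        receipts.append((ticket["host"], ticket_id))
    return receipts


def fake_provider_submit(ticket):
    """Stand-in for a provider's ticket API: returns a deterministic id for the host."""
    return f"TKT-{ticket['host']}"


if __name__ == "__main__":
    state = WorkflowState()
    print(run_takedown_workflow(SAMPLE_ALERTS, state, fake_provider_submit))
    # A second cycle over the same alerts files nothing new.
    print(run_takedown_workflow(SAMPLE_ALERTS, state, fake_provider_submit))
```

In production the `submit` callable would be the HTTP client for the provider’s ticketing API and `WorkflowState` would live in a database, but the filtering threshold and the per-host dedup are where a poorly built pipeline causes harm: an unfiltered feed files takedowns against sites that merely mention the brand, and an unrecorded one floods the provider with duplicates.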

DocuSign is forward-thinking in its use cases for the RiskIQ tools. For example, the company uses RiskIQ to evaluate the risk posture of potential strategic business partners. “We want to understand what sort of risk we are taking on when we are about to work very closely with another company,” explains Pegueros.

“We will run that particular company’s properties through RiskIQ to get a sense of how tightly run their security group is and where the company is in terms of their security controls. If a company is not really tight in one area of security, they probably have other areas of lax security. That’s not to say we are capturing all of their risk, but it is a good leading indicator of risk that is fairly easy and unobtrusive for us to look at.”

RiskIQ also has helped the DocuSign security team identify web and mobile assets of which it wasn’t aware. According to Pegueros,

“The company has grown tremendously in recent years and keeping track of all our digital properties is a challenge—especially the legacy assets. We’re moving so fast that we need tools like those from RiskIQ to help us grow in a healthy way. Whenever we add new domains, we add them right away into RiskIQ in order to keep a good inventory and a clean environment. RiskIQ helps us keep a handle on the growing attack surface that we have at DocuSign as we become a bigger global company.”

Looking to the future, Pegueros would like to expand use of the RiskIQ Digital Footprint tools to other departments. “I think our marketing department, in particular, could benefit from what we get from RiskIQ,” she says. “I’d like to develop dashboards that are meaningful to our marketing team. In general, I think marketing organizations need to be educated on the risks that web and mobile properties introduce to a company. If they have increased awareness of the vulnerabilities and they understand what could happen, they can help us make better decisions so that we don’t encounter some of those risks down the road.”


The Results

At this writing, DocuSign has used RiskIQ solutions for about a year. In that time the company has gotten a good inventory of its web and mobile properties. It has uncovered legacy assets that needed to be retired or replaced, and discovered partner-developed properties that were out of compliance with DocuSign’s brand.

DocuSign has gained control over rogue websites and mobile apps and has automated the takedown process to help keep customers safe from fraudulent sites and applications. This is critical in maintaining a good reputation, as well as customers’ trust. The company has confidence that RiskIQ is continuously watching for issues that would otherwise be hard to discover. “They have our back and that’s a good feeling,” says Pegueros.