
Enterprise-grade security frameworks with LedgerWorks

Article by

HashPack

In this episode of the Hedera Corner, hosted by King Solomon from Genfinity, David Melnick, CEO of Ledger Works, joins to talk about the intricacies of security in web3. Despite web3's transparency and its stepped-up security over traditional systems, Ledger Works has identified that the security experience enterprises expect is not quite there yet. Through Sentry and Sentinel, Ledger Works' value proposition aims to tackle this problem.

Transcription

Genfinity – King Solomon – Founder & CEO
All right, I'm gonna kick this off. Um, all right, if you guys aren't aware, Genfinity, we do a weekly HBAR Spaces every Monday at 3 P.M. Eastern time. We've done a wide variety of interviews on here, from Shayne Higdon, CEO of the foundation, to NFT projects, to some Enterprise solution projects. Today is a really important topic, at least in my opinion, dealing in security, custody of your own assets, fraud monitoring, and just really kind of the safety aspects of crypto, which a lot of the time, for most people, don't seem like a huge issue until something happens, and then they realize, man, I should have taken that extra step or that extra two steps, or I should have moved my stuff off exchanges and custodied my own assets. I mean, it doesn't seem like it's an issue until it becomes an issue, but that's kind of why we're doing this Space today. Excited to have David Melnick, who is the CEO of Ledger Works, up here with us. We do these in two parts, because HashPack, who we do these in partnership with, they transcribe all of these interviews and put them out so that people can kind of read the entire interview as well on their community side, so huge shout out to HashPack. On top of that, we'll do the first portion of this with Ledger Works, and we do have David Melnick up here. David, thank you so much for joining. Really appreciate Ledger Works taking the time out today to come on and be interviewed. It's awesome.

Ledger Works – David Melnick – Founder & CEO
Yeah, my pleasure. Important topic, glad to be here.

Genfinity – King Solomon – Founder & CEO
Awesome, yeah. And you know, I always like to start these with a little bit of a self-overview of yourself, maybe a background, as well as how you got into crypto slash web3, and maybe just a brief overview of Ledger Works, until we get into maybe some more poignant questions.

Ledger Works – David Melnick – Founder & CEO
Sure. I think, you know, my story is a collision of security, or cyber, with web3. I started in the cyber space way back when we were still talking about how to hack a phone, and, you know, following that through when there were three or four freestanding security companies. Now you go to RSA, one of the preeminent security events, and there's, you know, 5,000 companies. So the security space has come a long way in maturing, but most of those traditional security providers don't exist here, or don't have a position here in web3, and that's partly because most security companies sell to Enterprise customers, and most Enterprise customers aren't yet in web3. So, you know, we've had to spin it all on our own. Um, so for me, you know, fraud protection, security, I was a partner at Deloitte, one of the national partners in cyber risk, working with companies on strategy, before I went off and built a security-as-a-service company that I later sold to Proofpoint. And after that experience, I became, you know, as many have, fascinated with crypto, the sort of ledger technology, and really where enterprises meet web3. So, you know, as with many of us, that drew me right into Hedera. And, you know, what's interesting about enterprises is they just expect that there is going to be a mature sort of disciplined thinking about security and controls in any technology stack that they begin to work in, and they're often, you know, disappointed with the position and the state of maturity around security controls that they find in web3. And so, you know, we need to do better. That's part of why I'm here, that's part of what Ledger Works is about. You know, unlike, and I'll just leave it with this, you know, in the traditional web 2 space, where, you know, you just assume that activity monitoring, your fraud protection, is taken care of for you, whether it's a bank or a credit card. You know you're indemnified, the technology is baked into a lot of the tools that you use. You'll hear in web3, we're all on our own, right?
We're all figuring it out for ourselves, largely. Some of the wallets give you some basic key management, some of the more sophisticated tools might give you multi-sig and workflow, but by and large, you know, we are, you know, we're on our own to protect ourselves here. And we're gonna have to get better at that before enterprises are going to be willing to come in en masse and put significant financial assets at risk. So I'll pause there.

Genfinity – King Solomon – Founder & CEO
Yeah, no, and I have to give a shout out to Warlock down there. I usually, and I did go and do the due diligence and look through all of the aspects with Ledger Works, so I have, you know, some of my own questions here, but Warlock loaded some stuff up for me, so it made my job extremely easy today. And you touched base a little bit on consumer fraud in crypto. Can you touch base a little bit, because we know that we did see kind of the aspect of, what is it, Uniswap that was ported over? When we talk about smart contracts integrating into the Hedera ecosystem, what does that really represent from a security standpoint and a monitoring standpoint for an organization like Ledger Works, and the tools you're providing for your consumers and for the community as a whole?

Ledger Works – David Melnick – Founder & CEO
Sorry, I was on mute. When you look at web3, we've got certain things working for us and certain things working against us, right? From a security perspective, you know, some of the things we like, you know, the limited access to identity data, you know, the fast finality and no recourse, we view those as virtues in some ways, but from a security perspective, those things are tough hills to climb, right? On the flip side, from a security perspective, the public availability of data is actually a huge asset. But specific to your question about smart contracts, what's super interesting and unknown to most is that, you know, and you could think of the risk in two different ways, right? So, you know, some nefarious creator of a smart contract, you know, can largely do whatever they want in that code, right? I mean, so there is a huge amount of risk that you don't really know what's happening in that smart contract. The audit of the smart contract, if they publish their code, if the ABS, I mean, there's things that can be done that can allow you to mitigate that risk or to do more discovery. But smart contracts pose, you know, from a technology perspective, both an amazing opportunity, but from a security perspective, a huge risk to be managed. And a lot of managing that is not about where we've traditionally focused our time in web3, like source code hardening, right? Smart contract auditing is great if you've got an upstanding citizen that's putting out their smart contract with good intentions and gets an audit. But source code hardening is necessary but not sufficient, right? So when we look at and think about smart contracts, we think about what are the detective and broader strategies that we can apply to understand the risk of a smart contract and a consumer's interaction with a smart contract.

Genfinity – King Solomon – Founder & CEO
And moving forward, you also touched base on enterprise adoption, and kind of from the web 2 perspective, enterprises are expecting their web 2 experience for security, privacy, all those aspects, to kind of be baked in with whoever they're working with. It could potentially, you know, maybe even extrapolate out a little bit on your initial comments. You know, how much work is there to be done to make it an easy but also kind of a warm and fuzzy onboarding experience into web3 for these enterprises, as far as active fraud monitoring and just safety and security in general?

Ledger Works – David Melnick – Founder & CEO
Well, so I think, you know, the way I've increasingly begun to think about this is, you know, the discipline, and, you know, a lot of my career was security and controls over the life cycle of processes and technology and people within enterprise organizations. So, you know, for us, a lot of it is the life cycle of a transaction, right? And so, you know, what can you do at the front end, you know, at the time of transaction, post-transaction? And at the front end, there's a lot of work being done around, you know, what kind of orchestration, what kind of permissions, you know, not just protecting keys, but, you know, what kind of permissions can a user have to do what kind of things, right? So, all of the rules and controls you might have to orchestrate, you know, the various workflows that might take place ahead of a transaction, right, to set the rules. This would be kind of a whole area of work that can be baked into wallets, can be baked into applications, but is all part of that life cycle. Then, at the transaction itself, I think a lot of what you need there is, in addition to enforcing those workflow rules through the transaction, it's, you know, can I do work at the time of transaction, at the point of sale, or transaction in real time, to manage risk, right? So, that can be, can I pre-screen ahead of a transaction all the aspects of the strategy? So, you hear some people talk about simulation: you can take a transaction, pre-screen the target address, the target smart contract, and evaluate the risk associated with that. You know, maybe bring the concept of a FICO score into our ecosystem, right, where you have what does that target address or target smart contract's historical behavior look like, and can I infer any risk segmentation based on that? What's this transaction's risk?
You know, if I look at the behavior of an account, right, by take all their activity, put it in a time-series database, establish baseline normative behavior, and therefore have what constitutes an anomaly as something I can use to determine the risk of a transaction, is this anomalous as a transaction all baked into the actual transaction? And then post-transaction, what kind of analytics and signal detection and follow-on monitoring can be done post a transaction to not necessarily mitigate the risk of that final no-recourse event, but because we may be in partners and, you know, relational and transactions that occur in recur over time, what can I learn about various smart contracts and ecosystem? There may come a time when all smart contracts in an ecosystem have risk ratings by various agencies that you can call upon, right? So, I think about it a little bit as that life cycle of management, and to the extent you can make that available to entities that want to transact in an ecosystem, I think that could be valuable. And you can apply that to our HCS or to other services, not just the financial transaction, right? The same concept, if that makes sense.

Genfinity – King Solomon – Founder & CEO
I mean, 100%. I mean, we know obviously within crypto, within blockchain, there's a sense of not gonna sense of, there is finality. So really, that preventative aspect is amazingly important, especially from the user experience stance too. I mean, I would love for, I think it's a good pivot to, and to allow you to talk a little bit about what Ledger Works facilitates through both Sentry and Sentinel. To give a brief overview, Sentry provides real-time active monitoring and fraud alerts for crypto accounts for users, and Sentinel is an Enterprise offering, allowing for Enterprises to integrate monitoring and protection for their customers. If you could maybe delve a little bit deeper into Sentry and just tell the audience what you guys do from an active monitoring and fraud prevention standpoint for user crypto accounts, that would be fantastic.

Ledger Works – David Melnick – Founder & CEO
Thank you, I appreciate the opportunity to talk about that. As some folks in this community have already experienced, we started out bringing activity monitoring. We had built, you know, as many know, a broad public commercial-grade mirror. So we were ingesting everything in real time or essentially every few hundred milliseconds, and then we had built rules that we could apply at scale. We have one application in the Eco Community, for example, where there's 50,000 rules being applied at scale in real-time to the ledger. So that infrastructure allowed us to think about, well, what kind of security, fraud detection, other kinds of monitoring rules could we build into a holistic protection system? So the first use case out there, what people can get today if they went to ledgerworks.io right now in a free trial is activity monitoring. They can go in, they can register a wallet, and they can monitor any event and have an independent third-party verification of any activity on ledger around that account. So if you're on a trade, if you're on a wallet, and you've got cold storage and you want to make sure, think of it like an insurance policy, that nothing's happening with respect to that wallet that I didn't expect to happen, that's going to be an independent third-party verification of that. From there, you move into, and this is what's already live on Avalanche, we're a multi-chain, we're launching ETH before Consensus this month, but what's already live on Avalanche, what's going to be coming, is taking all of an account's activity, putting it into time-series data. This is what's live on Avalanche and then having anomaly detection. But more than that, not just being able to say, "Hey, this is outside of my norms, account drainage, attack risk," other kinds of risk, but also looking at the target account that you're interacting with. Is this smart contract or this account I'm interacting with relatively new on ledger? Is it relatively inactive on ledger? 
Has it been sanctioned? Real easy to look up things that give you a real sense of what's the warning level, right? How concerned should I be? And then the ability to do that as a pre-screen so that you can see whether or not a target account is a risky person to interact with, or entity to interact with, before you make that transaction take place. That's kind of where we are across our ledgers. We're looking, you know, increasingly for partners. Someone like a HashPack or a Blade is in a position to initiate a pre-screen via an API with us, so that before the transaction takes place, they can do that risk assessment, does an API call to us. So we're looking to partner with CeFi players to bring these technologies to the point where transactions are happening. Sentinel basically says, for an enterprise, I may have all kinds of more sophisticated rules that I might want to put at work. So if I'm doing workflow at the front end of a transaction and I say these classes of users are going to be permitted to do transactions within this range, you could dynamically, we call it a snap notification, you could put a rule in in real time that basically says, I'm waiting to see if anything hits the ledger in consensus within this threshold, within this range, because if it's outside of this range, then something went wrong, or if it doesn't happen at all, then it didn't get finished. So, in a workflow where you've got multi-sig approval, the person that initiates might want to get notification when those approvals happen and it goes to consensus on the network. So you can have that kind of front-end notification and management, as well as pre-screening risk in real time for transactions themselves, and you can imagine the same kind of fast follow and monitoring that you might do post-activity as well. That's kind of a quick look at the kinds of flexibility that Sentinel as an enterprise solution brings, and we have customers using Sentinel today. I mentioned the Eco solution earlier.
Software Labs uses Sentinel in our community as well for monitoring their smart contracts. We want end-users to use our tool, not because we view that as our ultimate marketplace, because I'm an old-school security person, and old-school security persons know that, with very limited exception, consumers don't pay for their own security. There's a couple of examples that are anomalous to that, but by and large, the enterprise or, you know, the DeFis and the CeFis build security in, and the consumers are the beneficiaries. So that's generally how it ultimately will work in a maturing system. But we want the experience of consumers using our platform so that we can understand both our, you know, fine-grained cost of delivery, but also feature functionality that consumers view as valuable, in getting feedback. We were surprised to find that just activity monitoring seemed to have an extraordinary amount of utility for folks in the space. You know, there are other communities where notification monitoring is more widely available, but just that ability to have an independent third-party verification that something reached consensus can have its own value. We found use cases with, you know, consumers and users out there where they wanted to monitor NFTs. And, you know, we've used it in launch parties with Discord and things of that nature, and that's fun. Um, you know, but ultimately where we're going is, you know, tightly coupling with CeFis, like I mentioned earlier with wallets, where we can tightly build together that ability to incorporate not just what wallets are great at, which, you know, tends to be key management, you know, provision-based, permission-based activity, multi-sig even, right? Um, key sharding maybe, all those kinds of things they do to protect, but to merge that up with the fine-grained activity monitoring and analytics, the security analytics and data work that we're doing in big data.
You know, with learning, you know, on our platform so that when you marry those two together, you get not only what we bring, which can be both preventative and detective controls based on understanding underlying data, merge together so CeFi and wallets is a great example. But even in the DeFi world, we're looking at creating collaborations with DeFi players that have communities where they want to bring something extra and special to their community. So we might, so we might bring both our basic fraud protection into that community and elevate the protection that DeFi can offer to its community participants. But then also use our Sentinel product to build special rules that might create an enhanced experience within that DeFi's broader story, right? So, um, so we're looking to collaborate both with DeFis and CeFis in our go-to-market, and that's really where, you know, our business attention is. But we are excited for every user that comes in, signs up, and shares their feedback. So, so we still encourage that. If that answered the question.

Genfinity – King Solomon – Founder & CEO
Yeah, no, 100%. I think you briefly touched on it, but, you know, this landscape of crypto and web3 is consistently changing and pivoting, and this year especially, we're starting to at least hear whispers of, you know, real regulation and crackdown around things like stablecoins. And I think KYC/AML aspects, if you could maybe touch base on, you know, where you see security and fraud protection going in the future for really that mass adoption aspect of this space, what kinds of things do you think might come down the pike for regulatory actions that define out, you know, fraud protection necessities? Um, and how important is security and fraud protection for crypto to mature?

Ledger Works – David Melnick – Founder & CEO
Yeah, so it's interesting because there is a repeating life cycle of technology adoption and how security operates in that that we've seen play out many times, right, and in my career. And so some of that is while you're in an early adopter phase, which we effectively are still as a web 3 community, um, security in that relatively immature space often isn't everybody's focus, right? You just are too busy trying to build basic infrastructure, basic feature functionality and security, like insurance, like many other aspects of process and practice, tend to not be the first thing you focus on. But over time, as the platforms mature, a couple of things happen, one of which is that the kinds of vulnerability you see change. Right now, we see someone just finding a vulnerability in underlying source code and exploiting that vulnerability, just breaking in on stuff. Making, you know, that kind of stuff shifts as technology matures. And rather than the frontal assault, let's face it, bad guys are lazy, they go for the easiest way to get in, and over time, it moves to socially engineered attacks, right? Because they're easy, they're effective. So, as our technology gets better, you're going to see more and more of the kind of fraud we're seeing glimpses of in social engineering today, right? It's much easier to get somebody to voluntarily accidentally send you all their money than it is to figure out how to break in and take their keys, right? So that's one structural thing, and structurally, you will see the maturing of security over time. And what drives that, to your earlier point, is a combination. So regulatory intervention always comes with security control requirements, and I've watched that from the early days of ERISA through Sarbanes-Oxley. I mean, you could count regulations, whether it's privacy-focused stuff like the EU DPD to GDPR. In order to apply regulatory oversight, you have to have controls to monitor and ensure those things are happening. 
And so when we look at legislation coming like Senator Warren's attempted Bill to KYC every DeFi fight, at KYC everything, we may have, we hope that we don't see regulatory intervention that is really destructive to the community, but whatever it is, it will be, whether we're talking about enforcement actions or legislative, which I don't expect significant legislative intervention this year, but regulatory enforcement, we're obviously seeing a much more activist sort of environment. But either way, that's all going to come with a need for the DeFi players and CeFi players to be in a better position to monitor and regulate themselves, and that's about security and controls. They're going to be forced over time, driven both by that as well as in the Hedera community as enterprise enters the space. The enterprises are going to demand a level of security and controls monitoring and oversight in order for them to just play the game with us, right? So, whether it's the success of enterprise customers that are doing the space or whether it's regulatory oversight or some combination of the two, maturing means that we're gonna have to become better at this.

Genfinity – King Solomon – Founder & CEO
Yeah, and I think it's important to think about the over-regulation aspects as well, which I think you did briefly mention. Kind of opens the door for me to ask you, you know, with Sentry and with all the work that Ledger Works is doing, how important is it for you guys, or are you interested in making partnerships in this space that kind of drive that goal for drive the underlying value proposition forward of actually really providing security and monitoring across these accounts? Are you guys looking at potential partnerships, moving forward with anybody? Are you open to that? Would love to hear your thoughts.

Ledger Works – David Melnick – Founder & CEO
Yeah, there's definitely, in a space that's moving as quickly as ours, partnerships are going to be essential. I think one of the areas that we look at is the convergence of traditional web 2 intelligence with what we're doing in web3. So, there's on-chain work, and most of our work today is, what can I do with on-chain data, right? But the reality is that a lot of our dApps interact in a web 2 world. So, if somebody comes to a website to authenticate, the IP address that they came with, the metadata around that session, is hugely valuable from a risk management perspective. And so, I'm personally involved with companies, Deduce is an example, but there are many other companies that literally have connected in and brought in and are running data against IP ranges and the various kinds of data we can gain from the traditional web world, and fusing that together with on-chain data. But that's just one example of off-chain data that can help inform, and it's not just about linking identity to a wallet, right? It's linking other behavioral attributes that are surrounding that partner, that player, that entity you're interacting with. So, I see partnerships on the one hand with off-chain data providers, and ways in which we can elevate what we're doing by collaborating with great sources of data, and that's one sort of aspect of it. But I think it's our on-chain providers that are going to be the most important, where we're looking at DeFi and CeFi players who are building a lot of intelligence and interaction with their community, and we're collaborating with them to identify the kinds of rules and controls that are going to be of the most value. Because you can't just port traditional security into our space and hope it's going to work. Our space is different, you know what I mean? Some stuff will be the same: a socially engineered attack, a fraud scam is a fraud scam, right?
Whether you call it pig butchering or you call it an investment scam, it's kind of the same, you know? So, there are a lot of the nature of cybercrime, and the way crime is going to look in our space will be very similar to how it looked a thousand years ago, a hundred years ago. Some of these attacks have been playing themselves out since Jesus was allowed, literally. But the way it manifests, the kinds of technologies and techniques we use to protect ourselves against them are going to be specific to Web3, and so we'll be looking to kind of collaborate to develop those emerging controls.

Genfinity – King Solomon – Founder & CEO
Yeah, and it's interesting. This is kind of an off-the-cuff question that when we talk about digital identity and the way that pure knowledge proofs and things like that play into digital identity, I don't think we're obviously not there yet. But at some point, digital ID, the way that we interact with normal businesses and with Web3 and everything else, is going to play a role. How forward-thinking, because you seem like you're knowledgeable as far as previous technology and where this technology moves forward in the future, how important is it going to be to at least set a framework for what we have right now so that whenever we do get to that point of digital identity and all these other aspects, that we can kind of just use the framework that is being built out now and then bolster it up as this technology really grows moving forward?

Ledger Works – David Melnick – Founder & CEO
I think it's a really powerful question, because there are certain aspects of our world that demand really mature thinking. You know, I was the national co-lead at Deloitte for the privacy practice, for example, and so early in the European Data Privacy Directive and GDPR. And one of the things that's super fascinating about our space, right, is that, you know, you have this idea of, you know, where we don't share our true identity by default, right? Like a wallet address is in docs too. But what happens is, because you can follow, once I have an address, I can follow forward and backward in time everything that that address is involved with. The moment you connect that with identity, you've just, it's a radically invasive level of knowing about that person, right? I mean, so, you know, we're in this funny place where if we yield on identity, you know, we are much more vulnerable than the regular, all this, right, because the level of insight you have when you can marry identity to the wall, it is so vast. So it's a very interesting problem set for us, right? Because on the one end, we love this sort of libertarian and this, you know, this identity, you know, and all the regulators just don't understand this space, and they all come at it with a KYC, you know, I-just-have-to-know-who-I'm-dealing-with mantra, without having really thought it through in any interesting way. You know, partly because that's how I deal with taxes and that's how I deal with, you know, whatever they're worrying about, right? Law enforcement and taxation principally, but also protecting consumers. I'll give them the benefit of the doubt on that, right? But so in our world, deeply about that, you know, we're just going to fall victim to, you know, the implications of an overzealous regulatory intervention. And, you know, we, so we really have to, we really have to figure some of these things out.
And you know, how can I live in a world where I can both protect, you know, not just identity and privacy but also provide basic security and controls and protection as well? And you know these are tough questions. So I'm here to just really ask annoying and tough questions, just to give answers, but that's just one example, right, of something very unique to our space.

Genfinity – King Solomon – Founder & CEO
Yeah, I certainly think we're moving to a world where a profile picture of a turtle riding a skateboard isn't necessarily going to protect your privacy, exactly. So yeah, I mean, I would love. I want to get Hbar to the Moon instead of that wallet up here in a second, but I would love for you to, um, maybe close us, uh, out from a Ledger Works standpoint. Talk about what you're most excited about moving forward for Ledger Works into 2023, and maybe provide some info for anybody listening, so they can check out more. And I should say I've got it pinned, uh, up to the jumbo of Toronto as well.

Ledger Works – David Melnick – Founder & CEO
I appreciate that. So, you know, I think as we look at 2023, I think we've got this incredible window of time to really build compelling technology before we really blow up, right? We're still in this sort of crypto winter time where, you know, we don't have the level of scrutiny and attention that the world has subjected us to, right? Everyone's often distracted with AI for a little bit, right? So we've got the time to build some truly great stuff to, to frankly, we're a little immature. We got some real work to do, you know, to be ready for the kind of attention that was showered upon us, right? We're in that spirit, really excited about building world-class fraud protection and the ability for DeFi and CeFi players to bring a level of security, control, and monitoring to their platforms that really does elevate the safety for communities to transact, the protection for our communities, and to be ready so that when enterprises come to our space and demand the kinds of basic maturity in our technology infrastructure that they expect from other platforms, that we're ready to deliver. And I think, you know, Hedera does so many things so well, and I want us to be able to tell, as a Hedera community, a superior fraud protection story to those enterprises when they come to our environment en masse. So that's what I'm excited about.

Genfinity – King Solomon – Founder & CEO
100%. Well, I have to say, David, thank you so much. I would love for you to hang out up here. We're going to interview Citadel Wallet. Hbar to the Moon here as well. If any of you guys have any questions, I know Darren is down there, Death Ranger's down there. I know that all of these guys think about privacy and fraud monitoring and all these things pretty consistently. So if you guys happen to have any questions, drop them in the comments down below. I know, and just thank you, Dave, for coming up and allowing us to interview you. I would love to do it again in the near future. Feel free to hang out up here. Thank you for the time. Thank you, David.
