Tibor Kiss

In many industries including finance and healthcare, sensitive data such as payment card numbers and government identification numbers need to be secured before they can be used and shared. A common approach is applying tokenization to enhance security and manage risk.

A token is a substitute value that replaces sensitive data during its use or processing. Instead of directly working with the original, sensitive information (usually referred to as the “raw data”), a token acts as a stand-in. Unlike raw data, the token is a scrambled or encrypted value. 

Using tokens reduces the real-world risk posed by using the raw data, while maintaining the ability to join or aggregate values across multiple datasets. This technique is known as preserving referential integrity.

Tokenization engineered into Google Cloud

While tokenization is often seen as a specialized technology that can be challenging and potentially expensive to integrate into existing systems and workflows, Google Cloud offers powerful, scalable tokenization capabilities as part of our Sensitive Data Protection service. With it, you can make calls into serverless API endpoints to tokenize data on the fly in your own applications and data pipelines. 

This allows you to enable tokenization without needing to manage any third-party deployments, hardware, or virtual machines. Additionally, the service is fully regionalized, which means tokenization processing happens in the geographical region of your choice helping you to adhere to regulatory or compliance regimes. The pricing is based on data-throughput with no upfront costs, so you can scale to meet the needs of your business with as little or as much as you need. 

Sensitive Data Protection takes things even further offering in-line tokenization for unstructured, natural language content. This allows you to tokenize data in the middle of a sentence and if you pick two-way tokenization (and have the right access permissions), you can even detokenize data back when necessary. 

This opens up a whole new set of use-cases including run time tokenization of logs, customer chats, or even as part of a generative AI-serving framework. We’ve also built this technology directly into Contact Center AI and Dialogflow services so that you can tokenize customer engagement on-the-fly.

Tokenization with BigQuery

In addition to serverless access through Sensitive Data Protection, we also offer tokenization directly in BigQuery. This gives you tokenization methods at your fingertips in BigQuery SQL queries, User Defined Functions (UDFs), views, and pipelines. 

Tokenization technology is built directly into the BigQuery engine to work at high speed and high scale for structured data, such as tokenizing an entire column of values. The resulting tokens are compatible and interoperable with those generated through our Sensitive Data Protection engine. That means you can tokenize or detokenize in either system without incurring unnecessary latency or costs, all while maintaining the same referential integrity. 

Using tokens to solve real problems

While the token obfuscates the risk, utility and value are still preserved. Consider the following table which has four rows and three unique values: value1, value2, value3. 

<value1> → <token1>
<value2> → <token2>
<value1> → <token1>
<value3> → <token3>

Here you can see that each value is replaced with a token. Notice how “value1” gets “token1” consistently. If you run an aggregation and count unique tokens, you’ll get a count of three, just like on the original value. If you were to join on the tokenized values, you’d get the same type of joins as if joining on the original value. 

This simple approach unlocks a lot of use cases.    

Obfuscating real-world risk

Consider the use-case of running fraud analysis across 10 million user accounts. In this case, let’s say that all of your transactions are linked to the end-users email address. An email address is an identifier that poses several risks:

• It can be used to contact the end-user who owns that email address.

• It may link to data in other systems that are not supposed to be joined.

• It may identify someone’s real world identity and risk exploding that identity’s connection to internal data.

• It may leak other forms of identity, such as the name of the owner of the email account.

Let’s say that the token for that email is “EMAIL(44):AYCLw6BhB0QvauFE5ZPC86Jbn59VogYtTrE7w+rdArLr” and this token has been scoped only to the tables and dataset need for fraud analysis. That token can now be used in place of that email address and you can tokenize the emails across all the transaction tables, and then run fraud analysis. 

During this analysis any users or pipelines exposed to the data would only see the obfuscated emails, thus protecting your 10 million users while unblocking your business.

Next steps

Tokenization provides a powerful way to protect sensitive information while still allowing for essential data operations. By replacing sensitive data with non-sensitive substitutes, tokens can significantly reduce the risk of data breaches and simplify compliance efforts. Google Cloud simplifies tokenization by offering a readily available, scalable, and region-aware service, allowing you to focus on your core business rather than managing infrastructure. 

To get started on using tokenization on Google Cloud, see the following:

• Sensitive Data Protection Tokenization and pseudonymization

• Learn more about BigQuery Encrypt and Decrypt compatibility with Sensitive Data Protection

Written by: Steven Karschnia, Truman Brown, Jacob Paullus, Daniel McNamara

Executive Summary

• Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilities

• By implementing a robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigated

• Using server-side rendering within the SPA can prevent unauthorized users from modifying or even viewing pages and data that they are not authorized to see

Introduction

Single-page applications (SPAs) are popular due to their dynamic and user-friendly interfaces, but they can also introduce security risks. The client-side rendering frequently implemented in SPAs can make them vulnerable to unauthorized access and data manipulation. This blog post will explore the vulnerabilities inherent in SPAs, including routing manipulation, hidden element exposure, and JavaScript debugging, as well as provide recommendations on how to mitigate these risks.

Single-Page Applications

A SPA is a web application design framework in which the application returns a single document whose content is hidden, displayed, or otherwise modified by JavaScript. This differs from the flat file application framework traditionally implemented in PHP or strictly HTML sites and from the Model-View-Controller (MVC) architecture where data, views, and server controls are handled by different portions of the application. Dynamic data in SPAs is updated through API calls, eliminating the need for page refreshes or navigation to different URLs. This approach makes SPAs feel more like native applications, offering a seamless user experience. JavaScript frameworks that are commonly used to implement SPAs include React, Angular, and Vue.

Client-Side Rendering

In SPAs that use client-side rendering, a server responds to a request with an HTML document that contains only CSS, metadata, and JavaScript. The initially returned HTML document does not contain any content, and instead once the JavaScript files have been run in the browser, the application’s frontend user interface (UI) and content is loaded into the HTML document at runtime. If the application is designed to use routing, JavaScript takes the URL and attempts to generate the page that the user requested. While this is happening, the application is making requests to the API endpoint to load data and check whether or not the current user is authorized to access the data. If a user is not yet authenticated, then the application will render a login page or redirect the user to a separate single sign-on (SSO) application for authentication.

While all of this happens, a user may briefly observe a blank white page before the application dashboard or login page is loaded into their browser. During this pause, the application is potentially loading hundreds of thousands of lines of minified JavaScript that will build the full user experience of the application. SPAs are used in millions of applications across the globe, including Netflix, Hulu, Uber, and DoorDash.

Issues with Client-Side Rendering

Because SPAs rely entirely on the client’s browser to render content (using API data), users have significant control over the application. This enables users to manipulate the application freely, making user or role impersonation easier.

Routing

One fundamental aspect of the JavaScript frameworks that SPAs are implemented in is the idea of routes. These frameworks use routes to indicate different pages in the application. Routes in this case are different views that a user can see, like a dashboard or user profile. Since all of the JavaScript is handled by the client’s browser, the client can view these routes in the JavaScript files that are included in the application source. If a user can identify these routes, they can attempt to access any of them. Depending on how the JavaScript was implemented, there may be checks in place to see if a user has access to the specific route. The following is an example of React routing that includes information on creating the views, and more importantly path attributes.

In = function () {
	return (0, _.jsx)(d.rs, {
		children: (0, _.jsxs)(ki, {
			children: [
			(0, _.jsx)(d.AW, {
				path: "/dashboard",
				children: (0, _.jsx)(Ii, {}),
			}),
			(0, _.jsx)(d.AW, {
				path: "/users",
				children: (0, _.jsx)(wi, {}),
			}),
			(0, _.jsx)(d.AW, {
				path: "/profile",
				children: (0, _.jsx)(Ti, {}),
			}),
			],
		}),
	});
};

Hidden Elements

One way that access control is handled by SPAs is through hidden page elements. This means that when the page loads, the application checks the user’s role through local/session storage, cookie values, or server responses. After the application checks the user’s role, it then displays or hides elements based on the user’s role. In some cases, the application only renders elements that are accessible by the user. In other cases, the application renders every element but “hides” them by controlling the CSS properties of the element. Hidden elements can be exposed through browser Developer Tools, allowing users to force their display. These hidden elements could be form fields or even links to other pages.

JavaScript Debugging

Modern browsers allow users to debug JavaScript in real time with breakpoints. Modern web browsers allow breakpoints to be set on JavaScript files, which can be used to modify variables or rewrite functions all together. Debugging core functions can allow users to bypass access controls and gain unauthorized page access. Consider the following JavaScript:

function isAuth() {
        var user;
        var cookies = document.cookies;
        var userData = btoa(cookies).split(‘:’);
        if (userData.length == 3) {
                user.name = userData[0];
                user.role = userData[1];
                user.isAuthed = userData[2]; 
        } else {
                user.name = “”;
                user.role = “”;
                user.isAuthed = false; 
        }
        return user;
}

The previously defined function reads a user’s cookie, Base64 decodes the value, splits the text using : as the delimiter, and if the values match, it considers the user as authenticated. Identifying these core functions allows an attacker to bypass any authorization and access controls that are being handled by the client-side application.

Exploitation

Manually exploiting JavaScript framework issues takes time and practice, but there are a few techniques that can make it easier. A common technique involves analyzing JavaScript files to identify application routes. Identifying routes allows you to “force-browse” to application pages and access them directly, rather than through the UI. This technique may work on its own, but other times you may need to identify any role checks in the application. These checks can be accessed through the JavaScript debugger to modify variables during execution to bypass authorization or authentication checks. Another useful technique involves capturing server responses to requests for user information in an HTTP proxy, such as Burp Suite Professional, and manually modifying the user object. While these exploitation techniques are effective, they can be mitigated through strong preventative measures, including those detailed in this post.

Recommendations

Access control issues are systemic to client-side-rendered JavaScript frameworks. Once a user has the application loaded into their browser, there are few effective mitigations to prevent the user from interacting with content in unauthorized ways. However, by implementing robust server-side access control checks on APIs, the effect that an attacker could produce is severely reduced. While the attacker might be able to view what a page would look like in the context of an administrator or even view the structure of a privileged request, the attacker would be unable to obtain or modify restricted data. 

API requests should be logged and monitored to identify if unauthorized users are attempting to or successfully accessing protected data. Additionally, it is advisable to conduct periodic penetration tests of web applications and APIs throughout their lifetime to identify any gaps in security. Penetration testing should uncover any APIs with partial or incomplete access control implementations, which would provide an opportunity to remediate flaws before they are abused by an adversary.

API Access Controls

Implementing robust API access controls is critical for securing SPAs. Access control mechanisms should use a JSON Web Token (JWT) or other unique, immutable session identifier to prevent users from modifying or forging session tokens. API endpoints should validate session tokens and enforce role-based access for every interaction. APIs are often configured to check if a user is authenticated, but they don’t comprehensively check user role access to an endpoint. In some cases, just one misconfigured endpoint is all it takes to compromise an application. For example, if all application endpoints are checking a user’s role except the admin endpoint that creates new users, then an attacker can create users at arbitrary role levels, including admin users. 

An example of proper API access control is shown in Figure 1.

This diagram shows a user authenticating to the application, receiving a JWT, and rendering a page. The user interacts with the SPA and requests a page. The SPA identifies that the user is not authenticated so the JavaScript renders the login page. Once a user submits the login request, the SPA forwards it to the server through an API request. The API responds stating the user is authenticated and provides a JWT that can be used with subsequent requests. Once the SPA receives the response from the server, it stores the JWT and renders the dashboard that the user originally requested. 

At the same time, the SPA requests the data necessary to render the page from the API. The API sends the data back to the application, and it is displayed to the user. Next, the user finds a way to bypass the client-side access controls and requests the main admin page in the application. The SPA makes the API requests to render the data for the admin page. The backend server checks the user’s role level, but since the user is not an admin user, the server returns a 403 error stating that the user is not allowed to access the data.

The example in Figure 1 shows how API access controls prevent a user from accessing API data. As stated in the example, the user was able to access the page in the SPA; however, due to the API access controls, they are not able to access the data necessary to fully render the page. For APIs developed in C# or Java, frameworks often provide annotations to simplify implementing access controls.

Server-Side Rendering

Aside from API access controls, another way to mitigate this issue is by using a JavaScript framework that has server-side rendering capabilities, such as Svelte-Kit, Next.js, Nuxt.js, or Gatsby. Server-side rendering is a combination of the MVC and SPA architectures. Instead of delivering all source content at once, the server renders the requested SPA page and sends only the finalized output to the user. The client browser is no longer in charge of routing, rendering, or access controls. The server can enforce access control rules before rendering the HTML, ensuring only authorized users see specific components or data.

An example of server-side rendering is shown in Figure 2.

This diagram shows a user accessing a server-side rendered application. After requesting an authenticated page in the application, the server checks if the user is authenticated and authorized to view the page. Since the user is not yet authenticated, the application renders the login page and displays that page to the user. The user then authenticates, and the server builds out the session, sets necessary cookies or tokens, and then redirects the user to the application dashboard. Upon being redirected, the user makes a request, the server checks the authentication state, and since the user has permissions to access the page, it fetches the necessary data and renders the dashboard with the data. 

Next, the user identifies an admin page URL and attempts to access it. In this instance, the application checks the authentication state and the user’s role. Since the user does not have the admin role, they are not allowed to view the page and the server responds with either a 403 Forbidden or a redirection to an error page.

A Final Word

In conclusion, SPAs offer a dynamic and engaging user experience, but they also introduce unique security challenges when implemented with client-side rendering. By understanding the vulnerabilities inherent in SPAs, such as routing manipulation, hidden element exposure, and JavaScript debugging, developers can take proactive steps to mitigate risks. Implementing robust server-side access controls, API security measures, and server-side rendering are excellent ways to safeguard SPAs against unauthorized access and data breaches. Regular penetration testing and security assessments can further strengthen the overall security posture of SPAs by identifying any security gaps present in the application and allowing developers to remediate them before they are exploited. By prioritizing security best practices, developers can ensure that SPAs deliver both a seamless user experience and a secure environment for sensitive data.

The way users search is evolving. When searching for a product, users might type in natural-sounding language or search with images. In return, they want tailored results that are specific to their query. To meet these demands, developers need robust multimodal search systems.

In this blog post, we’ll share a powerful approach to build a multimodal search engine using Google Cloud’s Vertex AI platform. We’ll combine the strengths of Vertex AI Search and vector search, using an ensemble method with weighted Rank-Biased Reciprocal Rank (RRF). This approach allows for:

• Improved user experience: Searching becomes more intuitive and less reliant on finding the “perfect” keywords.
• Enhanced product discovery: Users can uncover items they might not have found with text alone.
• Higher conversion rates: More relevant and engaging search results lead to happier customers and increased sales.

Why using a combined approach matters

Think about how you search for products online. Assume you want to search for queries such as “homes with a large backyard” or “white marble countertops”. Some of this information might be stored in text, while others might only be available in images. When you search for a product, you want the system to look through both modalities. 

One approach might be to ask a Large language model (LLM) to generate a text description of an image. But this can be cumbersome to manage over time and add latency for your users. Instead, we can leverage image embeddings and combine the search results with text data in Vertex AI Search. Together, this multimodal approach delivers: 

• Richer visual understanding: Multi-modal embeddings capture the complex visual features and relationships within images, going beyond simpler text annotations.

• Image-based queries: Users can directly search using an image, allowing for more intuitive discovery based on visual inspiration.

• Precise filtering: Filtering by detailed attributes like size, layout, materials, and features becomes possible, leading to highly accurate search and curated results.

Google Cloud’s Vertex AI platform provides a comprehensive set of tools for building and deploying machine learning solutions, including powerful search capabilities:

• Vertex AI search: A highly scalable and feature-rich engine for many types of search. It supports advanced features like faceting, filtering, synonyms, and custom relevance ranking. It also enables advanced document parsing including unstructured documents (PDFs) and even those with embedded graphics (e.g. tables, infographics, etc.) 

• Vertex AI multimodal embedding API: This is used to generate image embeddings (numerical representations of images).

• Vertex AI Vector Search: This is used as the vector database to store the embeddings with metadata information for searching. It can store both sparse embeddings, e.g. text descriptions, and dense embeddings, e.g. images. 

Our ensemble approach: Text + image power

To create our multimodal search engine, we’ll use an ensemble approach that combines the strengths of Vertex AI Search and vector search for images:

1. Text search with Vertex AI Search:

• Index your product catalog data (names, descriptions, attributes) into a data store using agent builder.

• When a user enters a text query, Vertex AI Search returns relevant products based on keyword matching, semantic understanding, and any custom ranking rules you’ve defined.

• This also has capabilities to return facets which can further be used for filtering. 

• You can even visualize how unstructured or complex documents are parsed and chunked

• Generate image embeddings for your products using multimodal embeddings API.

• Store these embeddings in vector search.

• When a user uploads an image or text, convert it to an embedding and query the vector database to find visually similar product images.

• Rank-biased Reciprocal Rank (RRF): This metric measures the relevance of a ranked list by considering the position of the first relevant item. It favors lists where relevant items appear higher.

• Weighted RRF: Assign weights to the text relevance score (from Vertex AI Search) and the image similarity score (from vector search). This allows you to adjust the importance of each modality (i.e. Vertex or Vector Search) in the final ranking.

• Ensemble: Combine the text and image search results, re-rank them using the weighted RRF score, and present the blended list to the user.

To enhance the search experience, use Vertex AI Agent Builder Search’s faceting capabilities:

• Define facets: Based on your product data, create facets for categories, attributes (color, size, material), price ranges, etc.

• Dynamic filtering: Allow users to interactively refine their searches using these facets, narrowing down the results to the most relevant products. The filters adjust automatically based on the returned results (hence “dynamic”) 

• Natural language query understanding: If the textual data is structured then you can enable natural language query understanding in your Vertex AI Agent Builder Search to improve results of the query. You can then parse the filters from the response to apply the same filters to the vector search using namespaces.

Why this approach works

This approach gives developers the best of both worlds by combining the rich features of Vertex AI Search (for example, the parsing pipeline) with the ability to directly utilize images as a query. It’s also flexible and customizable because it adjusts the weights in your RRF ensemble and tailors facets to your specific needs.

Above all, this approach gives your users what they need – the ability to search intuitively using text, images, or both, while offering dynamic filtering options for refined results.

Get started with multi-modal search

By leveraging the power of Vertex AI and combining text and image search with a robust ensemble method, you can build a highly effective and engaging search experience for your users. Get started: 

1. Explore Vertex AI: Dive into the documentation and explore the capabilities of Vertex AI Search and embedding generation.

2. Experiment with embeddings: Test different image embedding models and fine-tune them on your data if needed.

3. Implement weighted RRF: Design your scoring function and experiment with different weights to optimize your search results.

4. Natural language query understanding: Leverage the inbuilt capabilities of Vertex AI agent builder Search to generate filters on structured data to apply the same filters to Vector Search.

5. Filters in vector search: Apply filters to your image embeddings to further give control to the users.

Earlier this year, Deutsche Börse Group began developing a new cloud-native, purpose-built trading platform. It was built with a focus on digital assets, such as stablecoins, cryptocurrencies, and other tokenized assets. However, the new platform is instrument-agnostic and can trade in all types of assets, from equities to ETFs.

Developing a trading platform for digital assets isn’t just about embracing this increasingly popular and diverse digital investment universe. Tokens and other digital assets originate from decentralized systems, evolve quickly, trade 24/7 across the globe — and require a trading platform fit for purpose. Therefore, if the new trading platform can reliably deliver on digital assets, it can handle just about any asset you’d want to trade.

This work is one of the first major results of the strategic partnership between Deutsche Börse Group and Google Cloud announced in 2023. Today, institutional trading is largely done on-premise with leased-line connectivity or co-location. Deutsche Börse Group have designed a new cloud-native trading engine for a digital trading platform with 24/7 availability and a cloud-native internet API for access (with co-location as a future integration pattern for more demanding market participants) so it can be rolled-out  quickly to new markets and operated at low cost. 

As an international exchange organization and innovative market infrastructure provider, Deutsche Börse Group ensures capital markets are fair, transparent, reliable and stable. Their business covers the entire financial market transaction process chain, including the provisioning of indices, data, software, SaaS and analytical solutions, as well as admission, trading, and clearing. Additionally, it comprises services for funds, the settlement and custody of financial instruments, and the management of collateral and liquidity. 

As a technology company, the Group also develops state-of-the-art IT solutions and offers its IT systems all over the world. Trust, stability, reliability, resilience, consistency, and compliance are the cornerstones of Deutsche Börse Group’s business — and the key features we incorporated into the new trading engine over the ten months it took to build.

Digital markets demand new trading systems

Today, Deutsche Börse Group successfully operates high-volume/low-latency trading venues — such as Xetra, Börse Frankfurt, Eurex, and the European Energy Exchange, as well as partner exchanges — by using proven high-performance architectures. Deutsche Börse Group has reached this point by combining financial and technological expertise, and finding the right partners with the knowledge to support its vision.

But even with deep knowledge of our respective fields, the teams at Deutsche Börse Group and Google Cloud knew that building a digital asset trading platform from the ground up would be a challenge. It remains a new and fast-moving space that requires careful and thoughtful consideration to get right. 

The need for a new trading engine, and the desire to make it the cornerstone and first component of Deutsche Börse Group’s emerging Digital Asset Business Platform, stems from changing market structures. In the world of digital assets, 24/7 operations are required to reduce execution risk. Market participants also demand choice of market access, including internet connectivity to execute trades anytime, anywhere. Providing access via APIs and convenient SDKs is important for both developer productivity and consistent trade flow. Taken together, these features are essential in markets such as digital assets, where leased line connections and bespoke integrations are not the highest priority.

While traditional trading architectures are designed for industrial purposes and can support high-volume, established markets well, our new trading engine is designed for innovative and changing market structures. They prioritize low time-to-market, with participants demanding rapid deployment and seamless integration. Cloud-native platforms address this need by leveraging the flexibility of the cloud to accelerate deployment and simplify connectivity. This translates to faster deployment and ease of use, which are critical advantages in the dynamic world of digital assets.

Finally, a new trading engine would have to meet not only these new requirements, but also common needs such as resilience, fault-tolerance, and high availability.

The Google Cloud team has prioritized the adoption of cloud resource management best practices — infrastructure as code, the continuous integration of infrastructure changes, and their continuous delivery. This enabled the engineering team to quickly develop, test, and deploy an entire exchange, including infrastructure, with minimal manual intervention, allowing the team to experiment and test the performance of different configurations.

The overall scope was twofold: enable the rapid deployment of new trading venues, and enable incremental changes to existing markets on a daily and even intra-day basis. This would enable a market to operate 24/7.

The architecture of a cloud-native trading system

Recognizing that internet connectivity is the access pattern of choice in the target markets, the Google Cloud team designed a multi-market architecture that uses direct ingress to the Google Cloud’s platform, and leverages a Global External Proxy Network Load Balancer (GEPNLB) for traffic from both TCP/IP sockets and WebSocket clients. Each market environment utilizes its own set of Network Endpoint Groups (NEGs) and Google Kubernetes Engine clusters. This access pattern may change in the future — for example, if the markets become more liquid and therefore attract investors who require low-latency access via colocation and dedicated interconnects.

In this architecture, the NEGs act as backends for the global GEPNLB backend service, and traffic is routed to the NEGs for each market as appropriate. To reduce latency, the architecture uses single tenancy, different subnets per market, and placement policies to minimize distance between critical components and reduce network hops, contributing to improved performance and reduced latency for market participants.

To enhance security, the architecture incorporates Cloud Armor for DDoS protection. A Cloud Armor security policy is attached to the backend service with various rules, including those for mitigating DDoS attacks. This protects the application from malicious traffic and ensures service availability. 

The new trading engine at the heart of this architecture initially supports hit-and-take and request-for-offer market models. It uses sophisticated, highly available, high-performance, in-memory, fault-tolerant services to ensure fair and orderly trading. This requires all trade messages to be processed on a strict first-in-first-out basis to maintain order and prevent any unfair advantages. This is a particularly important feature, as it ensures all market participants have an equal opportunity to interact with the market.

A new kind of trading platform for new kinds of markets

To ensure smooth operations and optimal resource allocation, the team designed comprehensive monitoring of all technical activity using the Google Cloud operations suite. This included both functional monitoring to track trading activity, leveraging Google Cloud Trace to follow the lineage of requests coming in from the web and pinpoint bottlenecks, and technical monitoring to ensure the health and performance of the underlying infrastructure. Google Cloud Monitoring captured key performance indicators at each layer of the trading system stack, including application service metrics and resource utilization. 

These real-time insights were combined with rigorous performance testing and capacity planning to ensure low-latency handling of high trading volumes. This combination enabled proactive identification and resolution of potential issues and continuous optimization of resource utilization. 

To further streamline operations, the integration of managed services offered by Google Cloud, such as backup and archiving, is a future priority for Deutsche Börse Group as it seeks to focus on its core business while relying on Google Cloud for infrastructure management.

Market participants of all kinds are becoming more sophisticated and more demanding every day as technology continues to evolve the way they access markets, and the types of assets they can invest in. Deutsche Börse Group needs to offer services that are equally sophisticated and able to keep pace with the demands of its global customers. 

With our new partnership, we have laid the foundation for a trading platform of the future that will serve not only the increasingly popular world of digital assets, but also legacy trading of all kinds. And with the redundancy, flexibility, and security of our work, it has the potential to make trading of all kinds smoother, faster, and more secure.

If you are looking to reinvent your trading platforms, or any other aspect of your financial services business, discover what Google Cloud can do for you today.

Written by: Josh Triplett

Executive Summary

Backscatter is a tool developed by the Mandiant FLARE team that aims to automatically extract malware configurations. It relies on static signatures and emulation to extract this information without dynamic execution, bypassing anti-analysis logic present in many modern families. This complements dynamic analysis, providing faster threat identification and high-confidence malware family attribution. Google SecOps reverse engineers ensure precise indicators of compromise (IOC) extraction, empowering security teams with actionable threat intelligence to proactively neutralize attacks.

Overview

The ability to quickly detect and respond to threats has a significant impact on potential outcomes. Indicators of compromise (IOCs) serve as crucial breadcrumbs, allowing cybersecurity teams to identify and mitigate potential attacks while expanding their search for related activity. VirusTotal’s existing suite of tools to analyze and understand malware IOCs, and thus the Google Threat Intelligence platform by extension, is further enhanced with Backscatter.

VirusTotal has traditionally utilized dynamic analysis methods, like sandboxes, to observe malware behavior and capture IOCs. However, these methods can be time-consuming and may not yield actionable data if the malware employs anti-analysis techniques. Backscatter, a service developed by the Mandiant FLARE team, complements these methods by offering a static analysis capability that directly examines malware without executing it, leading to faster and more efficient IOC collection and high-confidence malware family identification. Additionally, Backscatter is capable of analyzing sandbox artifacts, including memory dumps, to improve support for packed and obfuscated malware that does successfully execute in dynamic environments.

Within the Google Threat Intelligence platform, Backscatter shines by identifying configuration data, embedded IOCs, and other malicious artifacts hidden within malware uploaded by users. It can pinpoint command-and-control (C2 or C&C) servers, dropped files, and other signs of malware presence, rapidly generating actionable threat intelligence. All of the extracted IOCs and configuration attributes become immediately pivotable in the Google Threat Intelligence platform, allowing users to identify additional malware related to that threat actor or activity.

Complementing Dynamic Analysis

Backscatter enables security teams to quickly understand and defend against attacks. By leveraging Backscatter’s extracted IOCs in conjunction with static, dynamic, and reputational data, analysts gain a more comprehensive view of potential threats, enabling them to block malicious communication, detect and remove dropped files, and ultimately neutralize attacks.

Backscatter’s static analysis approach, available in Google Threat Intelligence, provides a valuable addition to the platform’s existing dynamic analysis capabilities. This combination offers a more comprehensive threat intelligence strategy, allowing users to leverage the strengths of both approaches for a more robust security posture.

Backscatter in GTI and VirusTotal

Backscatter is available to Google SecOps customers, including VirusTotal Enterprise and its superseding long-term Google Threat Intelligence platform. While detecting a file as malicious can be useful, more clarity about the specific threat provides defenders with actionable intelligence. By providing a higher confidence attribution to a malware family, capabilities and behaviors can be approximated from previous reporting without requiring manual analysis.

Embedded data such as C2 servers, campaign identifiers, file paths, and registry keys can provide analysts with additional contextual information around a specific event. Google Threat Intelligence helps link that event to related activity by providing pivots to related IOCs, reports, and threat actor profiles. This additional context allows defenders to search their environment and expand remediation efforts.

By taking a static approach to extracting data from malware, Backscatter is able to handle files targeting different environments, operating systems, and execution mechanisms. In the previous example, the DONUT malware sample is x86 shellcode and was not able to be executed directly by a sandbox.

Backscatter in the Field

Mandiant Managed Defense leverages Backscatter to deliver faster and more accurate identification and analysis of rapidly emerging malware families. This enables them to more quickly scope threat activity and more rapidly provide customers with pertinent contextual information. From distribution campaigns providing initial access, to ransomware operations, to targeted attacks by state-sponsored actors, Backscatter aims to provide actionable threat intelligence to enable security teams and protect customers.

One example threat group is UNC2500, which primarily distributes malware via email attachments and links to compromised websites. Many of the malware families used by this group, such as QAKBOT and DARKGATE, are supported by Backscatter, allowing Managed Defense customers to proactively block IOCs extracted by Backscatter.

Looking Ahead

Backscatter stands as a testament to Google SecOps’ commitment to providing cutting-edge tools for combating cyber threats. By offering a fast and efficient way to extract IOCs through static analysis, Backscatter empowers security teams to stay one step ahead of attackers. Incorporating Backscatter into their workflow, Google Threat Intelligence customers can strengthen their cybersecurity defenses and safeguard their valuable assets.

For retailers, making intelligent, data-driven decisions in real-time isn’t an advantage — it’s a necessity. Staying ahead of the curve means embracing AI, but many retailers hesitate to adopt because it’s costly to overhaul their technology. While traditional AI implementations may require significant upfront investments, retailers can leverage existing assets to harness the power of AI. 

These assets, ranging from security cameras to point-of-sale systems, can unlock store analytics, faster transactions, staff enablement, loss prevention, and personalization — all without straining the budget. In this post, we’ll explore how inference at the edge, a technique that runs AI-optimized applications on local devices without relying on distant cloud servers, can transform retail assets into powerful tools.

How retailers can build an AI foundation

Retailers can find assets to fuel their AI in all corners of the business. You can unlock employee productivity by transforming your vast repository of handbooks, training materials, and operational procedures into working assets for AI. 

Digitized manuals for store equipment, human resources, loss prevention, and domain-specific information can also be combined with agent-based AI assistants to provide contextually aware “next action assistants”. By extending AI optimized applications from the cloud to the edge, retail associates can now ask their AI assistant, “What do I do next?” with a detailed and fast response tailored to the retail associate’s question. 

Edge processing power decision point: CPU vs GPU 

Next, we’ll explore the critical decision on the right hardware to power your applications. The two primary options are CPUs (Central Processing Units) and GPUs (Graphics Processing Units), each with its own strengths and weaknesses. Making the informed choice requires understanding your specific use cases and balancing performance requirements, bandwidth, and model processing with cost considerations. Consider this chart to guide your decision-making process, especially when choosing between deploying at a regional DC or at the edge.

Decision matrix (chart):

Key decision criteria for retail decision makers

• Complexity of AI models: Retail use case focused AI models, like basic object detection, can often run efficiently on CPUs. More complex models, such as those used for real-time video analytics or personalized recommendations with large datasets, typically require the parallel processing power of GPUs.

• Data volume and velocity: If you’re processing large amounts of data at high speed, a GPU may be necessary to keep up with the demand. For smaller datasets and lower throughput, a CPU may suffice.

• Latency requirements: For use cases requiring ultra-low latency, such as real-time fraud detection, GPUs can provide faster processing, especially when located at the edge, closer to the data source. However, network latency between the edge and a regional DC might negate this benefit if the GPU is located regionally.

• Budget: GPUs usually have a higher price tag than CPUs. Carefully consider your budget and the potential ROI of investing in GPU-powered solutions before making a decision. Start with CPU-based solutions where possible and upgrade to GPUs only when absolutely necessary.

• Power consumption: GPUs generally consume more power than CPUs. This is an important factor to consider for edge deployments, especially in locations with limited power availability. This is less of a concern if deploying at a regional DC where power and cooling are centralized.

• Deployment location: The proximity of the processing power to the data source has major implications for latency. Deploying at the edge (in-store) minimizes latency for real-time use cases. Regional DCs introduce network latency, making them less suitable for applications requiring immediate action. However, certain tasks requiring heavy compute but not low latency (e.g., nightly inventory analysis) might be better suited for a regional DC where resources can be pooled and managed centrally.

Remember, not all AI and ML require new investments in emerging technology. Many AI/ML based use cases can produce the desired outcome without using a GPU. For example, consider visual inspection for storage analytics and fast check out referenced in the Google Distributed Cloud Price-a-Tray interactive game. The inference is performed at 5FPS, while the video stream continues to run at 25FPS. The bounding boxes are then drawn on top of the returned information rather than having one system perform the video stream, detection and bounding boxes. This enables more efficient use of the CPU since many of the actions in this example can be split across cores and threads. 

But there are cases when GPUs do make sense. When very high precision is required, GPUs are often needed as the drop in fidelity to quantize a model may reduce the quality beyond acceptable thresholds. In the example of tracking an item, if millimeter movement accuracy is required, 5FPS would not be sufficient on a reasonably fast moving item and a GPU would likely be required.

There is a middle between GPUs and CPUs—the world of speciality accelerators. Accelerators come in the form of peripherals to a system or as special instruction sets to a CPU. CPUs are being manufactured with advanced matrix multiplication math assisting tensor manipulation on-chip, greatly improving performance of ML and AI models. One concrete example is running models compiled for OpenVINO. In addition, Google Distributed Cloud (GDC) Server and Rack editions utilize Intel Core processors, an architecture designed to be more flexible, supporting matrix math improving the performance of ML models on CPU over traditional ML model service serving. 

Bring AI to your business 

By tapping into the power of existing infrastructure and deploying AI at the edge, retailers can deliver modern customer experiences, streamline operations, and unlock employee productivity. 

Learn more about how to transform your retail brand with Google Distributed Cloud.

Google Cloud’s mission is to accelerate every organization’s ability to digitally transform its business and industry — and a key part of doing that is with our ISV and service partners, who possess critical industry knowledge and technical expertise. To provide customers with the most advanced ecosystem of solutions across industries, we’ve enabled these partners to easily build and scale products on our platform. Many are deeply engaged with our AI technology to deliver new and novel AI solutions directly to our customers and theirs.

Today, at the annual National Retail Federation (NRF) conference, we wanted to highlight more than 20 ISV and services partners that are utilizing Vertex AI, Gemini models, and other Google Cloud technologies to empower retail businesses with the tools they need to transform how employees work and shoppers engage with their brands. 

Generative AI has already had a significant impact on the retail industry by enabling businesses to run more personalized marketing campaigns, increase sales via improved search capabilities, and enhance customer service experiences through more accurate and tailored resolutions. In many cases, AI agents are helping these businesses move beyond predictive capabilities to performing tasks autonomously. 

At NRF, we’re excited to showcase the breadth of our ecosystem of retail partners and spotlight the ways they are enabling customer success using technology from Google Cloud.

Transforming marketing with AI-powered data

AI is helping retailers get significantly more value from business data, enabling them to create personalized campaigns at scale, increase ROI with data-driven insights, and build more predictive and advanced audience segments. Partners are using Vertex AI, Gemini models, and BigQuery to let customers unlock the true potential of their data to optimize revenue and more effectively grow their businesses. 

• Eagle Eye delivers its AI-powered omnichannel personalization solution, built on Vertex AI, with built-for-retail algorithms to generate personalized promotions at scale that drive loyalty and customer engagement across channels.
• LiveRamp provides a data collaboration platform that allows companies to enrich, activate, and analyze customer data while protecting brand and consumer trust
• Revieve offers multiple solutions tailored for beauty retailers and brands that provide real-time consumer interactions, next gen AI, conversational AI, and data-informed product discovery.
• Revionics’ price optimization suite utilizes Gemini and Vertex AI to power conversational analytics that enable customers to engage with their retail data using natural language search, such as “which competitor changes prices most frequently” and “which products are priced higher than competitors.”

Optimizing unified commerce experiences

Unified commerce experiences equip retailers with a more holistic view of front- and back-end systems to have complete visibility of the customer, inventory, and orders across all retail channels. With Google Cloud technology like BigQuery and embedded ML, partners are helping customers enhance decision-making processes and create stronger brand loyalty and revenue growth. 

• BigCommerce uses Google Cloud AI within BigAI Product Recommendations, which enables brands to offer shoppers real-time, personalized recommendations and can boost conversion and average order value.
• Bloomreach uniquely integrates customer and product data within its real-time AI solution, enabling more personalized marketing, product discovery, advertising content, and conversational shopping experiences. 
• commercetools is a global leader in composable commerce and empowers businesses to customize, scale, and optimize shopping experiences with solutions that help retailers reduce risks and costs, and expand growth through exceptional customer experiences.
• Everseen Vision AI platform and applications reduce retail shrink, improve inventory accuracy, enhance customer service, and provide data-driven insights, contributing to retailers’ ROI and a streamlined shopping experience.
• Quantum Metric provides a digital analytics platform that enables businesses to more easily monitor, troubleshoot, and optimize their customers’ digital journeys while leveraging gen AI to enhance user retention, conversion rates, and much more.
• Shopify is the leading global commerce company with a platform engineered for speed, customization, reliability, and security for businesses of any size, and a better experience for consumers everywhere they shop.

Creating sustainable supply chains

AI-powered tools for supply chains and logistics are enabling retailers to drive more sustainable and efficient operations, scale automation, and reduce their carbon footprint across the entire value chain. Partners are leveraging Vertex AI and BigQuery to extend these capabilities to retailers, with industry-leading analytics and predictive capabilities that can help optimize business performance. 

• 345 Global is a cloud-based platform that enables customers to optimize store planning, merchandising, sales, and marketing functions within a single, integrated solution.
• Impact Analytics helps retailers and consumer goods businesses make better decisions and improve profitability with a platform that uses predictive analytics and machine learning to optimize various aspects, such as forecasting demand, managing supply chains, and enhancing merchandise planning, pricing, and promotions.
• Manhattan empowers retailers to unify point of sale, order management, inventory, fulfillment, and customer service with supply chain execution — optimizing operations, enabling real-time decisions, and driving growth.
• o9 Solutions unlocks measurable results by transforming disconnected planning processes, reducing value leakage, and enabling smarter, integrated, and more efficient planning decisions.

Enhancing physical store operations

Physical stores and in-person shopping experiences remain vital to retailers. AI is helping these businesses improve how they operate in a variety of ways, whether it’s enhancing how merchandising assistants support customer requests or deploying machine vision to detect and resolve low-inventory challenges. 

• NCR Voyix enables retailers to deliver a seamless and personalized omnichannel shopping experience while providing real-time, data-driven insights into shopper behavior and store performance, which helps optimize operations and supports long-term growth.
• Standard.ai offers solutions that let retailers optimize performance through computer vision with capabilities, such as multi-camera tracking to enable high-resolution understanding of shopper behaviors and store performance.
• VusionGroup helps retailers maximize efficiency and improve store performance with solutions that can optimize critical functions, such as intelligent pricing and promotions, real-time shelf monitoring, in-store digital advertising, and more. 
• Zebra offers new integrated hardware and software solutions that leverage AI and machine learning to help retailers transform workflows through improved inventory, connected frontline workers, and intelligent automation.

Enabling customer success with services partners

Google Cloud relies on its services partners to provide customers with the expertise and support needed to plan, deploy, and optimize AI projects. Many of these partners have launched services specifically for retailers and are continuing to demonstrate their proven ability to help customers transform with AI and other Google Cloud technology at NRF. 

• Accenture and its ai.RETAIL solution provide customers with the technology needed to transform operations, deploying AI and edge computing to improve consumer experiences, personalize marketing, enhance employee productivity, and more. 

• Deloitte offers a real-time Associate Productivity solution for intelligent task management and improving in-store operations, a Demand Planning solution to enhance inventory productivity and on-shelf availability, and a Customer Data Enrichment solution for better customer insights and personalized marketing. 

• Publicis Sapient applies Google Cloud AI for its Content Supply Chain offering, which helps businesses optimize the content lifecycle, and its Retail Media Accelerator, which enables retailers to identify new revenue streams and increase ROI throughout the marketing lifecycle.

• Tredence brings unified data models and AI/ML accelerators together with its gen AI-powered Category Performance Advisor, which provides real-time prescriptive recommendations for retail organizations to stay ahead of market trends, improve efficiency, and drive measurable growth.

• Slalom provides retail businesses with a multimodal AI discovery solution that uses BigQuery, Vertex AI, and Gemini to help customers solve product discovery challenges and initiate automated workflows for delivery and warranty information.