The mystery surrounding what exactly happened at Ellie Mae to cause its system to go down continues to unravel. What Ellie Mae initially labeled “a distributed denial of service (DDoS) attack” is now being called an outage that was “triggered by a confluence of factors involving network, hardware, software and demand for service.” Regardless of what happened, lenders deserve better. So, I went out to another LOS to see how they would handle this situation if it happened to them.
“Ellie Mae is a strong competitor,” said Keven Smith, President and CEO at Mortgage Builder. “We compete with them in almost every deal. We feel badly for the impacted lenders, but we also want to reach out to talk about our strategy. These attacks are nothing new. We’ve had attacks in the past and we’ve prevented them from disrupting our clients’ business.”
In the wake of this disaster, Mortgage Builder decided to be proactive and inform their clients about what would happen if Mortgage Builder found itself in Ellie Mae’s shoes. Can Mortgage Builder fend off what Ellie Mae called a distributed denial of service (DDoS) attack? I obtained that letter. Here’s some of what Mortgage Builder said to explain to its clients what Mortgage Builder is doing to ensure their system doesn’t experience the same outage as Ellie Mae’s Encompass did:
“Based on this event we have had a handful of clients this week reach out to ask “can this happen to us” as a Mortgage Builder client. Although it does not entirely mitigate all the risks associated with doing Internet business, we already have in place system functionality and IT infrastructure that should put our customers at ease. We have two types of deployed LOS systems at Mortgage Builder:
>> Client Hosted – these are clients that host MB at their office locations or at a Co-Location facility of their choice. For these clients the software and data would not be affected by a DDoS attack on our MB hosting facility. One important differentiator between MB and most other LOS’s is that document preparation is embedded into the MB system and all interfaces are built directly to the vendor or provider of service and do not route through any middleware product hosted by MB. So in short, an MB DDoS occurrence would not affect a self-hosted MB customer in any way.
>> Mortgage Builder Hosted – These clients are hosted in one of our MB Co-Location facilities. The Mortgage Builder environment provides multiple redundancies to provide constant uptime in the case of a DDoS attack. There are 5 Internet connections from multiple providers and an engineered routing policy to analyze, react, and mitigate Internet traffic in the event of a DDoS attack. When our Co-Location detects an abnormal spike or malicious network traffic directed at the target host (MB server), the mitigation routing policy is deployed and automatically routes the target’s IP address upstream to prevent saturation of the MB connection. The network returns to normal when the network event is over and the malicious packet stream has subsided. This DDoS defense is protecting our entire network (all products). With its protection your network will remain up, even during a dangerous network event.”
Let’s face it, lenders have been so focused on lowering volume and increased regulation, lenders don’t want to worry about technology. Lenders want to be on browser-based solutions in the cloud or fully Web-based systems and they don’t want to worry about it. That’s fine, but there are things that lenders have to look for in an LOS to make sure that their business is secure.
“We have clients paying per closed loan in a SaaS environment that opt to host the data themselves,” explained Smith. “We can also host the data on our servers as well. Our strategy is such that if our servers are down, the customer is still protected. Also, all of our interfaces go direct to the vendor, not through a platform like the Ellie Mae Network or another third party.”
Mortgage Builder touts that it can also transition clients from one model to another over just a weekend. “We can transition clients to a hosted model or they can transition back to a client-server environment if they feel more secure with that strategy given what happened with Ellie Mae. We can also offer disaster recovery solutions to those lenders that want to self host, but still want that security.”
In the end every vendor is vulnerable to DDoS attacks and other issues, but the better vendors do everything possible to make sure their clients are not impacted.
About The Author
Tony Garritano is chairman and founder at PROGRESS in Lending Association. As a speaker Tony has worked hard to inform executives about how technology should be a tool used to further business objectives. For over 10 years he has worked as a journalist, researcher and speaker in the mortgage technology space. Starting this association was the next step for someone like Tony, who has dedicated his career to providing mortgage executives with the information needed to make informed technology decisions. He can be reached via e-mail at firstname.lastname@example.org.