Technology Predicts Your Next Security Failure

[Image: Leveraging Machine Data]

In 2013, the U.S. Internal Revenue Service (IRS) paid out $5.8 billion in refunds for tax filings it later realized were fraudulent, according to a 2015 report by the Government Accountability Office. This news comes as no surprise to the Kentucky Department of Revenue, which is stepping up its own war against rising fraud cases with predictive analytics.

Predictive analytics uses publicly available and privately sourced data to try to determine future actions. By analyzing what has already happened, organizations can detect what is likely to happen before anything affects the security of the organization's physical infrastructure, human capital or intellectual property.

The Kentucky Department of Revenue (DOR) already had an automated batch process in place that searched for signs of fraud based on certain criteria, which the department won't disclose. Even with the old system, the DOR was able to stop $8 million to $10 million in fraudulent tax filings but "there was more to do," according to Melody Tudor, revenue tax policy research consultant for the DOR. "Fraudsters are getting smarter and smarter."

Tudor and her team brought in SAS's Fraud Framework for Government Tax Enforcement software and consultants to explore how predictive analytics could harden the agency's defenses. They provided SAS with six years of data and asked SAS to come back with something different from the checklist they already had in place. Tudor wasn't sure they would turn up anything, but she says she would have considered that outcome a validation of the work her team had already done.
Instead, SAS came back with unique insight, such as the ability to detect similar filings from the same IP address, which could be an indicator of fraud. SAS also could more efficiently analyze small-dollar returns to make sure one person wasn't filing multiple returns hoping to go undetected.

The team tested the tool throughout last year and then put it to work in parallel with the existing system during this year's tax season. The SAS-based application stopped an additional $1 million in fraud in the early months of 2015 -- and Tudor says she expects that number to double by the end of this year.

Predictive analytics has definitely been cost-justified, she says. "The tools we had in place before were helpful but could not identify patterns and anomalies quickly across a huge number of returns," Tudor says. "We are now better able to assimilate a vast array of data and prevent improper payments from going out the door."

Predictive requires patience

While Kentucky's DOR is sold on predictive analytics, some other organizations have been hard-pressed to discover its full potential, according to a survey by the SANS Institute. Only 29% of respondents were using these intelligence tools and services as of the 2014 survey, down from 38% in the 2013 survey.

"There are a lot of offerings out there and organizations realize they can be difficult to adopt," says Phil Hagen, a certified instructor with the SANS Institute. "They are taking time to figure out if they have the human bandwidth to evaluate and integrate intelligence tools and services."
Hagen adds, "You can't deploy a predictive analytics solution today and get value out of it tomorrow. It requires a lead-up and an establishment of a baseline of normalcy to then be able to see the threads, or deviations, to pull on."

Even the most sophisticated predictive analytics software requires human talent, though. For instance, once the Kentucky DOR tools (either the existing checklist or the SAS tool) suspect fraud, the tax return is forwarded to a human examiner for review. "Predictive analytics is only as good as the forethought you put into it and the questions you ask of it," Hagen warns.
Also, it's imperative that data scientists, not security teams, drive the predictive analytics project. "Security teams are the consumers of the data, not the creators," Hagen says.

At U.S. security firm Surescripts, CISO Paul Calatayud manages a team of data scientists in-house and considers predictive analytics one of the best lines of defense his company has against fraud and data loss or theft. Surescripts is a health information network that routes and processes 7 billion transactions annually. With 13 years of data on more than 230 million patients, Calatayud has to stay ahead of those who want to do harm. "All of our contracts are dependent on our ability to have trust between systems. If we have data loss at our company, we will cease to exist," he says.

Surescripts uses Splunk Enterprise to carry out independent risk calculations and detect deviations from the norm. Surescripts executives worry about both internal and external threats, including customer credential theft and/or misuse and employee misconduct. For instance, Splunk Enterprise alerts Surescripts if a pediatrician prescribes a 70-year-old patient medication based on a physician profile that doesn't include treating geriatric patients.

Splunk Enterprise also monitors and aggregates data from raw data points such as Active Directory, firewalls, identity and access management software, file and print servers, and cloud-based applications to understand user behavior.
If an employee starts accessing or transferring files at a higher rate than usual, is more active on social platforms such as LinkedIn and is updating a resume document repeatedly, Splunk Enterprise assumes the employee is preparing to leave the company and will alert Calatayud. Together, these actions might indicate an employee is about to quit and might be trying to download proprietary or protected health data. With the heads-up, Calatayud can heighten monitoring, contact human resources and the employee's manager, and cut off network access if needed.
The key, Calatayud says, is to have performed crisis management tabletop exercises with the necessary departments -- legal, HR, the privacy/compliance team, communications, external law enforcement and IT -- so that when suspicious activity occurs, there can be a swift response. If enough alarms trip on a Surescripts employee to cross a threshold, that person can be removed from the company within four hours, he says.
Without a rapid response, though, predictive analytics can become a liability in an organization's security portfolio. "You can't continue to acquire security technology and not be able to react to it," Calatayud says.
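
The Surescripts workflow described above (aggregate per-user activity from several sources, learn a baseline of normal, alert only when several signals deviate together) can be sketched in code. The following is an added example written for this article, not Surescripts' or Splunk's own logic: the daily roll-ups, the three signal names, the thresholds and the z-score method are all constructed assumptions chosen to illustrate the idea.

```python
"""Baseline-and-deviation scoring over constructed user-activity roll-ups.

Added example, not Surescripts' or Splunk's code. It models the approach in
the article: aggregate per-user activity, establish a baseline of "normal",
and alert when several signals deviate from that baseline at the same time.
All data, signal names and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily roll-ups, one row per (user, day), of the kind a SIEM might
# emit after aggregating file-server, web-proxy and document-edit logs.
# Fields: user, day, files_out, resume_edits, linkedin_minutes
SAMPLE_EVENTS = [
    ("alice", 1, 12, 0, 2), ("alice", 2, 15, 0, 1), ("alice", 3, 10, 0, 3),
    ("alice", 4, 14, 0, 2), ("alice", 5, 11, 0, 2), ("alice", 6, 13, 0, 1),
    ("alice", 7, 12, 0, 2), ("alice", 8, 95, 4, 40),   # day 8: jump on all three signals
    ("bob", 1, 40, 0, 5), ("bob", 2, 55, 1, 4), ("bob", 3, 30, 0, 6),
    ("bob", 4, 60, 0, 5), ("bob", 5, 45, 0, 7), ("bob", 6, 50, 0, 4),
    ("bob", 7, 35, 1, 5), ("bob", 8, 65, 0, 6),        # day 8: busy, but within his own range
]

SIGNALS = ("files_out", "resume_edits", "linkedin_minutes")
BASELINE_DAYS = 7        # days used to learn "normal" before anything is scored
Z_THRESHOLD = 3.0        # per-signal deviation (in stddevs) that counts as anomalous
SIGNALS_REQUIRED = 2     # how many signals must deviate together before alerting
MIN_STDDEV = 1.0         # floor so a perfectly flat baseline cannot divide by ~0


def build_baselines(events, baseline_days=BASELINE_DAYS):
    """Per-user (mean, stddev) of each signal over the baseline window."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, day, *values in events:
        if day <= baseline_days:
            for name, value in zip(SIGNALS, values):
                per_user[user][name].append(value)
    baselines = {}
    for user, cols in per_user.items():
        baselines[user] = {
            name: (mean(vals), max(pstdev(vals), MIN_STDDEV))
            for name, vals in cols.items()
        }
    return baselines


def score_day(events, day, baselines, z_threshold=Z_THRESHOLD, required=SIGNALS_REQUIRED):
    """Score one day against the baselines.

    Returns {user: {"zscores": {...}, "deviating": [...], "alert": bool}}.
    A user is flagged only when at least `required` signals each exceed
    `z_threshold`, so a single unusually busy signal does not page anyone.
    """
    results = {}
    for user, d, *values in events:
        if d != day or user not in baselines:
            continue
        zscores = {}
        for name, value in zip(SIGNALS, values):
            mu, sigma = baselines[user][name]
            zscores[name] = round((value - mu) / sigma, 2)
        deviating = [n for n, z in zscores.items() if z >= z_threshold]
        results[user] = {
            "zscores": zscores,
            "deviating": deviating,
            "alert": len(deviating) >= required,
        }
    return results


def alerts_for_day(events=SAMPLE_EVENTS, day=8):
    """Users whose combined deviation on `day` crosses the alert threshold."""
    scored = score_day(events, day, build_baselines(events))
    return sorted(user for user, r in scored.items() if r["alert"])


if __name__ == "__main__":
    for user, r in score_day(SAMPLE_EVENTS, 8, build_baselines(SAMPLE_EVENTS)).items():
        print(user, r)
    print("alerts:", alerts_for_day())
```

Two design points matter here. First, the baseline is learned from the first seven days before any day is scored, which is Hagen's "establishment of a baseline of normalcy" in miniature: the same file-transfer count is anomalous for one user and routine for another. Second, an alert requires more than one signal to move at once; on the constructed data, bob's busiest day is only two standard deviations above his own norm on one signal and is left alone, while alice trips all three. In a real deployment the alert would hand off to the human review and HR/legal process the article describes rather than act on its own.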

A build-your-own solution

Jason O'Connor, vice president of analysis and mission solutions at defense contractor Lockheed Martin, says the number of data sources that can be culled to detect threats can be overwhelming to many organizations -- especially as social media use grows.
"As the threats become near real-time, countering them needs to be faster than that; it needs to be predictive," he says. "With nearly every major geopolitical event that's happened in the past decade, there has been a tremendous amount of information present on the Internet."

Seven years ago, Lockheed Martin approached this challenge by using its own mathematicians and scientists to develop an analytics engine that now can predict a broad range of events such as social unrest and biological outbreaks. "We not only wanted to see what was going on tactically, but to find characteristics and signals in the data that could infer or assess an outcome," O'Connor says.

After succeeding internally, Lockheed Martin marketed the analytics engine commercially as LM Wisdom to its suppliers and other partners. The company is still using LM Wisdom internally for critical security issues such as supply chain analytics.
Lockheed Martin has thousands of suppliers that help make platforms or products -- all of them channels that introduce risk. The company monitors suppliers for counterfeit parts and materials, including their social media feeds, websites and Internet marketplaces. LM Wisdom's predictive model evaluates the likelihood of a seller being a counterfeit.
"No supplier is going to say 'come buy counterfeit parts,' but LM Wisdom can study the linguistic features of content and marketing materials as well as the types of things a supplier sells," O'Connor says. Employees can then use a system-generated matrix to verify trusted suppliers and avoid counterfeits, reducing the risk associated with delivery of parts, integrity of parts and exposure to bad suppliers.

Early warning to protect people

Predictive analytics also can be used to protect human assets, such as volunteers for international aid organizations or employees of global oil and gas companies. In certain regions, workers are kidnapped and held for millions of dollars in ransom. By monitoring local social media feeds of political groups, news outlets and the like, organizations can detect unrest near outposts and tell workers to stay inside a protected zone, according to Luca Scagliarini, CEO of intelligence software maker Expert System USA.

Insight into geopolitical unrest can reveal changing vulnerabilities of physical assets and mitigate risk of supply chains as well. By analyzing relevant social media streams and other data, for instance, an oil company can get early warning of a port strike and avoid having fully loaded ships stuck at those docks.

In the private sector, predictive analytics tends to operate best when provided a broader context of information from a combination of public, open-source services and private, pay-for-service feeds, according to David Monahan, security and risk management research director at Enterprise Management Associates.
"Multiple data providers are often part of the strategy as they have specialties that make them valuable," he says. The providers often focus on specific types of threats -- human, geographical, physical or information assets. He adds that government organizations have their own data-gathering methods beyond those available commercially.
"Every organization has a risk profile of things that are going to affect them and a risk tolerance of things that they are willing to let happen," Monahan says. "While nobody is truly 'money is no object,' certain companies with higher attack surfaces will obviously have higher budgets for predictive analytics." That said, as predictive analytics tools become more affordable and easier to use, they will no doubt have broader appeal.
Computerworld: http://bit.ly/1MlydS5
