Technology Predicts Your Next Security Failure

[Image: Leveraging Machine Data]

In 2013, the U.S. Internal Revenue Service (IRS) paid out $5.8 billion in refunds on tax filings it later determined were fraudulent, according to a 2015 report by the Government Accountability Office. This news comes as no surprise to the Kentucky Department of Revenue, which is stepping up its own fight against rising fraud with predictive analytics.

Predictive analytics combines publicly available and privately sourced data to estimate what is likely to happen next. By modeling what has already happened, organizations can flag probable threats before they affect physical infrastructure, people or intellectual property.

The Kentucky Department of Revenue (DOR) already had an automated batch process in place that searched for signs of fraud based on certain criteria, which the department won't disclose. Even with the old system, the DOR was able to stop $8 million to $10 million in fraudulent tax filings but "there was more to do," according to Melody Tudor, revenue tax policy research consultant for the DOR. "Fraudsters are getting smarter and smarter."

Tudor and her team brought in SAS's Fraud Framework for Government Tax Enforcement software and consultants to explore how predictive analytics could harden the agency's defenses. They provided SAS with six years of data and asked SAS to come back with something different from the checklist they already had in place. Tudor wasn't sure they would turn up anything, but she says she would have considered that outcome a validation of the work her team had already done.
Instead, SAS came back with new indicators, such as the ability to detect similar filings submitted from the same IP address, which can be a sign of fraud. The SAS tool could also analyze small-dollar returns more efficiently to make sure one person wasn't filing multiple returns in the hope of staying under the radar.
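The two indicators just described, as an added illustration that is not SAS or Kentucky DOR code: cluster e-filed returns by submitting IP address and flag one identity filing several small-dollar returns. The return records, field names and thresholds are constructed for the example; a real system would tune the thresholds against historical data and, as the text notes, hand every hit to a human examiner rather than acting on it automatically.

```python
"""Added example: two of the fraud indicators described above, over
constructed return records. Not SAS or Kentucky DOR code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample returns (not real data):
# (return_id, taxpayer_id, src_ip, refund_usd, deposit_account, filed_at)
RETURNS = [
    ("r1", "T-100", "203.0.113.7",   412.00, "ACCT-1", "2015-02-03T09:12:00"),
    ("r2", "T-101", "203.0.113.7",   418.00, "ACCT-1", "2015-02-03T09:20:00"),
    ("r3", "T-102", "203.0.113.7",   409.00, "ACCT-1", "2015-02-03T09:31:00"),
    ("r4", "T-103", "203.0.113.7",   405.00, "ACCT-2", "2015-02-03T10:05:00"),
    ("r5", "T-200", "198.51.100.4", 2150.00, "ACCT-9", "2015-02-04T14:00:00"),
    ("r6", "T-300", "198.51.100.8",   95.00, "ACCT-5", "2015-02-05T08:00:00"),
    ("r7", "T-300", "198.51.100.9",   88.00, "ACCT-5", "2015-02-06T08:10:00"),
    ("r8", "T-300", "198.51.100.10",  91.00, "ACCT-5", "2015-02-07T08:05:00"),
]


def parse(records):
    """Turn the constructed tuples into dicts with a parsed timestamp."""
    return [dict(return_id=r[0], taxpayer_id=r[1], src_ip=r[2], refund=r[3],
                 account=r[4], filed_at=datetime.fromisoformat(r[5]))
            for r in records]


def shared_ip_clusters(returns, window=timedelta(hours=2), min_size=3,
                       refund_tolerance=0.05):
    """Flag groups of >= min_size returns for distinct taxpayers, submitted
    from one IP within `window`, whose refunds are within refund_tolerance
    of each other. Returns {src_ip: [return_ids]}.

    A tax preparer's office or a shared household would also match, so this
    is an indicator for a human examiner, not a verdict (hypothetical
    thresholds)."""
    by_ip = defaultdict(list)
    for r in returns:
        by_ip[r["src_ip"]].append(r)
    flagged = {}
    for ip, group in by_ip.items():
        group.sort(key=lambda r: r["filed_at"])
        for i, anchor in enumerate(group):
            cluster = [x for x in group[i:]
                       if x["filed_at"] - anchor["filed_at"] <= window
                       and abs(x["refund"] - anchor["refund"])
                       <= refund_tolerance * anchor["refund"]]
            if (len(cluster) >= min_size
                    and len({x["taxpayer_id"] for x in cluster}) >= min_size):
                flagged[ip] = sorted(x["return_id"] for x in cluster)
                break
    return flagged


def repeat_small_filers(returns, max_refund=100.00, min_filings=2):
    """Flag taxpayer IDs with >= min_filings returns each at or below
    max_refund: many small refunds to one identity is the
    'stay under the radar' pattern. Returns {taxpayer_id: [return_ids]}."""
    small = defaultdict(list)
    for r in returns:
        if r["refund"] <= max_refund:
            small[r["taxpayer_id"]].append(r["return_id"])
    return {tid: sorted(ids) for tid, ids in small.items()
            if len(ids) >= min_filings}


def review_queue(records):
    """Union of both indicators: the return IDs to route to an examiner."""
    returns = parse(records)
    queue = set()
    for ids in shared_ip_clusters(returns).values():
        queue.update(ids)
    for ids in repeat_small_filers(returns).values():
        queue.update(ids)
    return sorted(queue)


if __name__ == "__main__":
    print(review_queue(RETURNS))
```

The large single return r5 is never queued: on its own, a big refund is not one of the patterns above, which is why the article's examiners keep their original checklist running in parallel with the new indicators.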

The team tested the tool throughout 2014 and then ran it in parallel with the existing system during the 2015 tax season. The SAS-based application stopped an additional $1 million in fraud in the early months of 2015, and Tudor says she expects that number to double by the end of the year.

Predictive analytics has definitely been cost-justified, she says. "The tools we had in place before were helpful but could not identify patterns and anomalies quickly across a huge number of returns," Tudor says. "We are now better able to assimilate a vast array of data and prevent improper payments from going out the door."
Predictive requires patience

While Kentucky's DOR is sold on predictive analytics, some other organizations have been hard-pressed to discover its full potential, according to a survey by the SANS Institute. Only 29% of respondents were using these intelligence tools and services as of the 2014 survey, down from 38% in the 2013 survey.

"There are a lot of offerings out there and organizations realize they can be difficult to adopt," says Phil Hagen, a certified instructor with the SANS Institute. "They are taking time to figure out if they have the human bandwidth to evaluate and integrate intelligence tools and services."
Hagen adds, "You can't deploy a predictive analytics solution today and get value out of it tomorrow. It requires a lead-up and an establishment of a baseline of normalcy to then be able to see the threads, or deviations, to pull on."

Even the most sophisticated predictive analytics software requires human talent, though. For instance, once the Kentucky DOR tools (either the existing checklist or the SAS tool) suspect fraud, the tax return is forwarded to a human examiner for review. "Predictive analytics is only as good as the forethought you put into it and the questions you ask of it," Hagen warns.
Also, it's imperative that data scientists, not security teams, drive the predictive analytics project. "Security teams are the consumers of the data, not the creators," Hagen says.

Surescripts CISO Paul Calatayud manages an in-house team of data scientists and considers predictive analytics one of his company's best lines of defense against fraud and data loss or theft. Surescripts is a U.S. health information network that routes and processes 7 billion transactions annually. With 13 years of data on more than 230 million patients, Calatayud has to stay ahead of those who want to do harm. "All of our contracts are dependent on our ability to have trust between systems. If we have data loss at our company, we will cease to exist," he says.

Surescripts uses Splunk Enterprise to carry out independent risk calculations and detect deviations from the norm. Surescripts executives worry about both internal and external threats, including customer credential theft and/or misuse and employee misconduct. For instance, Splunk Enterprise alerts Surescripts if a pediatrician prescribes a 70-year-old patient medication based on a physician profile that doesn't include treating geriatric patients.

Splunk Enterprise also monitors and aggregates data from raw data points such as Active Directory, firewalls, identity and access management software, file and print servers, and cloud-based applications to understand user behavior.
If an employee starts accessing or transferring files at a higher rate than usual, becomes more active on social platforms such as LinkedIn and repeatedly updates a resume document, Splunk Enterprise flags the combination as a sign that the employee may be preparing to leave and alerts Calatayud. Together, these actions can indicate an employee who is about to quit and may be trying to take proprietary or protected health data. With the heads-up, Calatayud can heighten monitoring, contact human resources and the employee's manager, and cut off network access if needed.
The key, Calatayud says, is to have performed crisis management tabletop exercises with necessary departments -- legal, HR, the privacy/compliance team, communications, external law enforcement and IT -- so that when suspicious activity occurs, there can be a swift response. If a threshold of alarms trip on a Surescripts employee, that person can be removed from the company within four hours, he says.
Without a rapid response, though, predictive analytics can become a liability in an organization's security portfolio. "You can't continue to acquire security technology and not be able to react to it," Calatayud says.
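The mechanics behind Hagen's "baseline of normalcy" and the Surescripts "threshold of alarms" above, as an added example: each user's file-transfer rate is compared against that user's own history, the other weak signals are counted as separate alarms, and a human is paged only when enough alarms trip on one person. This is illustrative Python, not Splunk Enterprise or Surescripts code; the users, daily counts and thresholds are constructed for the example. It also shows the failure mode Hagen warns about: a user with too little history gets no score rather than a noisy one.

```python
"""Added example: per-user baseline, deviation scoring and an alarm
threshold over constructed activity records. Not Splunk or Surescripts code."""
from statistics import mean, pstdev

# Constructed daily activity records (not real data):
# (user, day, files_transferred, resume_edits, linkedin_visits)
EVENTS = [
    # alice: a quiet baseline, then a sharp jump on day 10 plus other signals
    *[("alice", d, n, 0, 0)
      for d, n in zip(range(1, 10), [12, 15, 11, 14, 13, 12, 16, 14, 13])],
    ("alice", 10, 310, 4, 9),
    # bob: a busy but consistent user; one big day with no other signals
    *[("bob", d, n, 0, 1)
      for d, n in zip(range(1, 10), [80, 95, 88, 91, 84, 90, 87, 93, 85])],
    ("bob", 10, 140, 0, 1),
    # carol: a brand-new account with only one day of history
    ("carol", 9, 20, 3, 5),
    ("carol", 10, 200, 3, 6),
]

# Hypothetical thresholds; a real deployment tunes these against its own data.
MIN_BASELINE_DAYS = 7       # refuse to score until enough history exists
Z_THRESHOLD = 3.0           # std devs above the user's own mean transfer rate
RESUME_EDITS_THRESHOLD = 3
LINKEDIN_THRESHOLD = 5
ALARMS_TO_ESCALATE = 2      # the 'threshold of alarms' before a human is paged


def score_user(user, events, today):
    """Return (status, alarms). status is 'insufficient_baseline', 'normal'
    or 'escalate'. The baseline is built only from days before `today`, so
    today's activity cannot pull its own baseline up."""
    history = [e for e in events if e[0] == user and e[1] < today]
    current = [e for e in events if e[0] == user and e[1] == today]
    if len(history) < MIN_BASELINE_DAYS or not current:
        return "insufficient_baseline", []
    counts = [e[2] for e in history]
    mu, sigma = mean(counts), pstdev(counts)
    sigma = max(sigma, 1.0)          # flat baselines must not divide by zero
    _, _, files, resume_edits, linkedin = current[0]
    alarms = []
    z = (files - mu) / sigma
    if z >= Z_THRESHOLD:
        alarms.append(f"file_transfer_z={z:.1f}")
    if resume_edits >= RESUME_EDITS_THRESHOLD:
        alarms.append(f"resume_edits={resume_edits}")
    if linkedin >= LINKEDIN_THRESHOLD:
        alarms.append(f"linkedin_visits={linkedin}")
    status = "escalate" if len(alarms) >= ALARMS_TO_ESCALATE else "normal"
    return status, alarms


def triage(events, today):
    """Score every user seen in the events for the given day."""
    users = sorted({e[0] for e in events})
    return {u: score_user(u, events, today) for u in users}


if __name__ == "__main__":
    for user, (status, alarms) in triage(EVENTS, 10).items():
        print(f"{user:6s} {status:22s} {alarms}")
```

Note that bob's day-10 spike is far above his own baseline, yet he is not escalated: a single alarm is a reason to look, not to call HR, which is the point of requiring several independent signals before the four-hour response process starts.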
A build-your-own solution
Jason O'Connor, vice president of analysis and mission solutions at defense contractor Lockheed Martin, says the number of data sources that can be culled to detect threats can be overwhelming to many organizations -- especially as social media use grows.
"As the threats become near real-time, countering them needs to be faster than that; it needs to be predictive," he says. "With nearly every major geopolitical event that's happened in the past decade, there has been a tremendous amount of information present on the Internet."

Seven years ago, Lockheed Martin approached this challenge by using its own mathematicians and scientists to develop an analytics engine that now can predict a broad range of events such as social unrest and biological outbreaks. "We not only wanted to see what was going on tactically, but to find characteristics and signals in the data that could infer or assess an outcome," O'Connor says.

After succeeding internally, Lockheed Martin marketed the analytics engine commercially as LM Wisdom to its suppliers and other partners. The company is still using LM Wisdom internally for critical security issues such as supply chain analytics.
Lockheed Martin has thousands of suppliers that help make platforms or products, and every one of them is a channel that introduces risk. The company monitors suppliers for counterfeit parts and materials, including their social media feeds, websites and Internet marketplaces. LM Wisdom's predictive model evaluates the likelihood that a seller is dealing in counterfeits.
"No supplier is going to say 'come buy counterfeit parts,' but LM Wisdom can study the linguistic features of content and marketing materials as well as the types of things a supplier sells," O'Connor says. Employees can then use a system-generated matrix to verify trusted suppliers and avoid counterfeits, reducing the risk associated with delivery of parts, integrity of parts and exposure to bad suppliers.
Early warning to protect people

Predictive analytics also can be used to protect human assets, such as volunteers for international aid organizations or employees of global oil and gas companies. In certain regions, workers are kidnapped and held for millions of dollars in ransom. By monitoring local social media feeds of political groups, news outlets and the like, organizations can detect unrest near outposts and tell workers to stay inside a protected zone, according to Luca Scagliarini, CEO of intelligence software maker Expert System USA.

Insight into geopolitical unrest can reveal changing vulnerabilities of physical assets and mitigate risk of supply chains as well. By analyzing relevant social media streams and other data, for instance, an oil company can get early warning of a port strike and avoid having fully loaded ships stuck at those docks.

In the private sector, predictive analytics tends to operate best when provided a broader context of information from a combination of public, open-source services and private, pay-for-service feeds, according to David Monahan, security and risk management research director at Enterprise Management Associates.
"Multiple data providers are often part of the strategy as they have specialties that make them valuable," he says. The providers often focus on specific types of threats -- human, geographical, physical or information assets. He adds that government organizations have their own data-gathering methods beyond those available commercially.
"Every organization has a risk profile of things that are going to affect them and a risk tolerance of things that they are willing to let happen," Monahan says. "While nobody is truly 'money is no object,' certain companies with higher attack surfaces will obviously have higher budgets for predictive analytics." That said, as predictive analytics tools become more affordable and easier to use, they will no doubt have broader appeal.
Computerworld:  http://bit.ly/1MlydS5

