Technology Predicts Your Next Security Failure

[Image: Leveraging Machine Data]

In 2013, the U.S. Federal Tax Service (IRS) paid out $5.8 billion in refunds for tax filings it later realized were fraudulent, according to a 2015 report by the Government Accountability Office. This news comes as no surprise to the Kentucky Department of Revenue, which is stepping up its own war against rising fraud cases with predictive analytics.

Predictive analytics uses publicly available and privately sourced data to try to determine future actions. By analyzing what has already happened, organizations can detect what is likely to happen before anything affects the security of the organization's physical infrastructure, human capital or intellectual property.

The Kentucky Department of Revenue (DOR) already had an automated batch process in place that searched for signs of fraud based on certain criteria, which the department won't disclose. Even with the old system, the DOR was able to stop $8 million to $10 million in fraudulent tax filings but "there was more to do," according to Melody Tudor, revenue tax policy research consultant for the DOR. "Fraudsters are getting smarter and smarter."

Tudor and her team brought in SAS's Fraud Framework for Government Tax Enforcement software and consultants to explore how predictive analytics could harden the agency's defenses. They provided SAS with six years of data and asked SAS to come back with something different from the checklist they already had in place. Tudor wasn't sure they would turn up anything, but she says she would have considered that outcome a validation of the work her team had already done.

Instead, SAS came back with unique insight, such as the ability to detect similar filings from the same IP address, which could be an indicator of fraud. SAS also could more efficiently analyze small-dollar returns to make sure one person wasn't filing multiple returns hoping to go undetected.
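The two signals described above can be written down as plain detection rules. What follows is an added example, not code from the Kentucky DOR or SAS: the Filing fields (filer_id, deposit_acct), the definition of "similar" as the same refund amount paid to the same destination account token, the $500 small-dollar cutoff, the group sizes and the sample filings are all constructed assumptions.

```python
"""Two of the fraud signals described above, as an added illustration (not the
Kentucky DOR's or SAS's code): lookalike filings submitted from one IP address,
and one filer submitting several small-dollar returns. Field names, thresholds
and the sample filings are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Filing:
    filing_id: str
    filer_id: str      # hypothetical identifier for the person filing
    source_ip: str     # IP address the return was submitted from
    refund: float      # refund claimed, in dollars
    deposit_acct: str  # hypothetical token for the refund destination account


# Constructed sample: three lookalike returns from one address, one filer with
# four small refunds, and ordinary traffic that should not be flagged.
SAMPLE_FILINGS = [
    Filing("F1", "P100", "203.0.113.7", 2400.0, "acct-A"),
    Filing("F2", "P101", "203.0.113.7", 2400.0, "acct-A"),
    Filing("F3", "P102", "203.0.113.7", 2400.0, "acct-A"),
    Filing("F4", "P200", "198.51.100.5", 310.0, "acct-B"),
    Filing("F5", "P200", "198.51.100.9", 295.0, "acct-B"),
    Filing("F6", "P200", "198.51.100.12", 330.0, "acct-B"),
    Filing("F7", "P200", "198.51.100.14", 280.0, "acct-B"),
    Filing("F8", "P300", "192.0.2.44", 1800.0, "acct-C"),
    Filing("F9", "P301", "192.0.2.45", 150.0, "acct-D"),
]


def lookalike_groups_by_ip(filings, min_group=3):
    """Group filings by (source_ip, refund, deposit_acct) and return the groups
    of at least min_group filings that claim to come from different filers.
    Output: sorted list of (source_ip, [filing ids])."""
    groups = defaultdict(list)
    for f in filings:
        groups[(f.source_ip, f.refund, f.deposit_acct)].append(f)
    flagged = []
    for key, members in groups.items():
        filers = {m.filer_id for m in members}
        if len(members) >= min_group and len(filers) >= min_group:
            flagged.append((key[0], sorted(m.filing_id for m in members)))
    return sorted(flagged)


def repeat_small_filers(filings, small_dollar=500.0, min_count=3):
    """Return filer ids with at least min_count filings each claiming a refund
    under small_dollar. Small amounts can slip under per-return review, so the
    count per filer is the signal, not the size of any one refund."""
    counts = defaultdict(int)
    for f in filings:
        if f.refund < small_dollar:
            counts[f.filer_id] += 1
    return sorted(fid for fid, n in counts.items() if n >= min_count)


def review_queue(filings):
    """Union of filing ids that either rule routes to a human examiner."""
    ids = set()
    for _ip, members in lookalike_groups_by_ip(filings):
        ids.update(members)
    repeaters = set(repeat_small_filers(filings))
    ids.update(f.filing_id for f in filings if f.filer_id in repeaters)
    return sorted(ids)


if __name__ == "__main__":
    for ip, members in lookalike_groups_by_ip(SAMPLE_FILINGS):
        print(f"lookalike filings from {ip}: {members}")
    print("repeat small-dollar filers:", repeat_small_filers(SAMPLE_FILINGS))
    print("review queue:", review_queue(SAMPLE_FILINGS))
```

Neither rule decides anything on its own; as the article notes further on, a flagged return still goes to a human examiner. The thresholds (group size, dollar cutoff, filing count) are the part an agency would tune against its own historical data.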

The team tested the tool throughout last year and then put it to work in parallel with the existing system during this year's tax season. The SAS-based application stopped an additional $1 million in fraud in the early months of 2015 -- and Tudor says she expects that number to double by the end of this year.

Predictive analytics has definitely been cost-justified, she says. "The tools we had in place before were helpful but could not identify patterns and anomalies quickly across a huge number of returns," Tudor says. "We are now better able to assimilate a vast array of data and prevent improper payments from going out the door."

Predictive requires patience

While Kentucky's DOR is sold on predictive analytics, some other organizations have been hard-pressed to discover its full potential, according to a survey by the SANS Institute. Only 29% of respondents were using these intelligence tools and services as of the 2014 survey, down from 38% in the 2013 survey.

"There are a lot of offerings out there and organizations realize they can be difficult to adopt," says Phil Hagen, a certified instructor with the SANS Institute. "They are taking time to figure out if they have the human bandwidth to evaluate and integrate intelligence tools and services."

Hagen adds, "You can't deploy a predictive analytics solution today and get value out of it tomorrow. It requires a lead-up and an establishment of a baseline of normalcy to then be able to see the threads, or deviations, to pull on."

Even the most sophisticated predictive analytics software requires human talent, though. For instance, once the Kentucky DOR tools (either the existing checklist or the SAS tool) suspect fraud, the tax return is forwarded to a human examiner for review. "Predictive analytics is only as good as the forethought you put into it and the questions you ask of it," Hagen warns.

Also, it's imperative that data scientists, not security teams, drive the predictive analytics project. "Security teams are the consumers of the data, not the creators," Hagen says.

At U.S. security firm Surescripts, CISO Paul Calatayud manages a team of data scientists in-house and considers predictive analytics one of the best lines of defense his company has against fraud and data loss or theft. Surescripts is a health information network that routes and processes 7 billion transactions annually. With 13 years of data on more than 230 million patients, Calatayud has to stay ahead of those who want to do harm. "All of our contracts are dependent on our ability to have trust between systems. If we have data loss at our company, we will cease to exist," he says.

Surescripts uses Splunk Enterprise to carry out independent risk calculations and detect deviations from the norm. Surescripts executives worry about both internal and external threats, including customer credential theft and/or misuse and employee misconduct. For instance, Splunk Enterprise alerts Surescripts if a pediatrician prescribes a 70-year-old patient medication based on a physician profile that doesn't include treating geriatric patients.

Splunk Enterprise also monitors and aggregates data from raw data points such as Active Directory, firewalls, identity and access management software, file and print servers, and cloud-based applications to understand user behavior.

If an employee starts accessing or transferring files at a higher rate than usual, is more active on social platforms such as LinkedIn and is updating a resume document repeatedly, Splunk Enterprise assumes the employee is preparing to leave the company and will alert Calatayud. Together, these actions might indicate an employee is about to quit and might be trying to download proprietary or protected health data. With the heads-up, Calatayud can heighten monitoring, contact human resources and the employee's manager, and cut off network access if needed.
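The pattern just described combines Hagen's point about a baseline of normalcy with several independent signals that only matter together. The following is an added example of that logic, not Splunk's or Surescripts' implementation: the event tuple format, the ten-day baseline window, the z-score cutoff, the per-signal floors, the two-signal alert rule and the sample events are all constructed assumptions.

```python
"""Baseline-and-deviation scoring for the departing-employee pattern described
above. Added illustration only, not Splunk's or Surescripts' logic; the event
format, thresholds and sample events are constructed for this example."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed event log: (day, user, event_type, count). Days 1-10 form the
# baseline period; day 11 is the day being scored.
EVENTS = []
for _day in range(1, 11):
    EVENTS.append((_day, "alice", "file_transfer", 20 + (_day % 3)))
    EVENTS.append((_day, "bob", "file_transfer", 5 + (_day % 2)))
EVENTS += [
    (11, "alice", "file_transfer", 240),    # roughly ten times her usual rate
    (11, "alice", "resume_edit", 4),        # repeated edits to a resume file
    (11, "alice", "social_activity", 30),   # burst of activity on an external platform
    (11, "bob", "file_transfer", 6),        # an ordinary day
]


def daily_counts(events, event_type):
    """Return {user: {day: count}} for one event type."""
    out = defaultdict(dict)
    for day, user, etype, n in events:
        if etype == event_type:
            out[user][day] = out[user].get(day, 0) + n
    return out


def zscore(baseline, value):
    """Standard deviations between value and the baseline mean. A flat
    baseline (stdev 0) is treated as stdev 1 so that one perfectly regular
    account cannot produce an infinite score on its first change."""
    sd = pstdev(baseline) or 1.0
    return (value - mean(baseline)) / sd


def score_user(events, user, day, baseline_days=10, z_threshold=3.0):
    """Return (signals_tripped, details) for one user on one day. Each signal
    is an independent alarm; alert() decides how many must trip together."""
    details = {}
    tripped = []
    transfers = daily_counts(events, "file_transfer").get(user, {})
    history = [transfers.get(d, 0) for d in range(day - baseline_days, day)]
    z = zscore(history, transfers.get(day, 0))
    details["file_transfer_z"] = round(z, 2)
    if z > z_threshold:
        tripped.append("file_transfer_spike")
    # Signals without a meaningful baseline use a simple daily floor instead.
    for etype, floor in (("resume_edit", 2), ("social_activity", 10)):
        n = daily_counts(events, etype).get(user, {}).get(day, 0)
        details[etype] = n
        if n >= floor:
            tripped.append(etype)
    return tripped, details


def alert(events, user, day, min_signals=2):
    """Alert only when at least min_signals independent signals trip on the
    same day; a single loud signal is a monitoring item, not an HR escalation."""
    tripped, details = score_user(events, user, day)
    return len(tripped) >= min_signals, tripped, details


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, alert(EVENTS, user, 11))
```

Requiring several signals to coincide is what keeps a single busy day from paging anyone, while the per-user baseline means the same transfer count can be normal for one account and anomalous for another.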

The key, Calatayud says, is to have performed crisis management tabletop exercises with necessary departments -- legal, HR, the privacy/compliance team, communications, external law enforcement and IT -- so that when suspicious activity occurs, there can be a swift response. If a threshold of alarms trip on a Surescripts employee, that person can be removed from the company within four hours, he says.

Without a rapid response, though, predictive analytics can become a liability in an organization's security portfolio. "You can't continue to acquire security technology and not be able to react to it," Calatayud says.

A build-your-own solution

Jason O'Connor, vice president of analysis and mission solutions at defense contractor Lockheed Martin, says the number of data sources that can be culled to detect threats can be overwhelming to many organizations -- especially as social media use grows.

"As the threats become near real-time, countering them needs to be faster than that; it needs to be predictive," he says. "With nearly every major geopolitical event that's happened in the past decade, there has been a tremendous amount of information present on the Internet."

Seven years ago, Lockheed Martin approached this challenge by using its own mathematicians and scientists to develop an analytics engine that now can predict a broad range of events such as social unrest and biological outbreaks. "We not only wanted to see what was going on tactically, but to find characteristics and signals in the data that could infer or assess an outcome," O'Connor says.

After succeeding internally, Lockheed Martin marketed the analytics engine commercially as LM Wisdom to its suppliers and other partners. The company is still using LM Wisdom internally for critical security issues such as supply chain analytics.

Lockheed Martin has thousands of suppliers that help make platforms or products -- all of them channels that introduce risk. The company monitors suppliers for counterfeit parts and materials, including their social media feeds, websites and Internet marketplaces. LM Wisdom's predictive model evaluates the likelihood of a seller being a counterfeit.

"No supplier is going to say 'come buy counterfeit parts,' but LM Wisdom can study the linguistic features of content and marketing materials as well as the types of things a supplier sells," O'Connor says. Employees can then use a system-generated matrix to verify trusted suppliers and avoid counterfeits, reducing the risk associated with delivery of parts, integrity of parts and exposure to bad suppliers.

Early warning to protect people

Predictive analytics also can be used to protect human assets, such as volunteers for international aid organizations or employees of global oil and gas companies. In certain regions, workers are kidnapped and held for millions of dollars in ransom. By monitoring local social media feeds of political groups, news outlets and the like, organizations can detect unrest near outposts and tell workers to stay inside a protected zone, according to Luca Scagliarini, CEO of intelligence software maker Expert System USA.

Insight into geopolitical unrest can reveal changing vulnerabilities of physical assets and mitigate risk of supply chains as well. By analyzing relevant social media streams and other data, for instance, an oil company can get early warning of a port strike and avoid having fully loaded ships stuck at those docks.

In the private sector, predictive analytics tends to operate best when provided a broader context of information from a combination of public, open-source services and private, pay-for-service feeds, according to David Monahan, security and risk management research director at Enterprise Management Associates.

"Multiple data providers are often part of the strategy as they have specialties that make them valuable," he says. The providers often focus on specific types of threats -- human, geographical, physical or information assets. He adds that government organizations have their own data-gathering methods beyond those available commercially.

"Every organization has a risk profile of things that are going to affect them and a risk tolerance of things that they are willing to let happen," Monahan says. "While nobody is truly 'money is no object,' certain companies with higher attack surfaces will obviously have higher budgets for predictive analytics." That said, as predictive analytics tools become more affordable and easier to use, they will no doubt have broader appeal.

Computerworld: http://bit.ly/1MlydS5
