Technology Predicts Your Next Security Failure


In 2013, the U.S. Federal Tax Service (IRS) paid out $5.8 billion in refunds for tax filings it later realized were fraudulent, according to a 2015 report by the Government Accountability Office. This news comes as no surprise to the Kentucky Department of Revenue, which is stepping up its own war against rising fraud cases with predictive analytics.

Predictive analytics uses publicly available and privately sourced data to try to determine future actions. By analyzing what has already happened, organizations can detect what is likely to happen before anything affects the security of the organization's physical infrastructure, human capital or intellectual property.

The Kentucky Department of Revenue (DOR) already had an automated batch process in place that searched for signs of fraud based on certain criteria, which the department won't disclose. Even with the old system, the DOR was able to stop $8 million to $10 million in fraudulent tax filings but "there was more to do," according to Melody Tudor, revenue tax policy research consultant for the DOR. "Fraudsters are getting smarter and smarter."

Tudor and her team brought in SAS's Fraud Framework for Government Tax Enforcement software and consultants to explore how predictive analytics could harden the agency's defenses. They provided SAS with six years of data and asked SAS to come back with something different from the checklist they already had in place. Tudor wasn't sure they would turn up anything, but she says she would have considered that outcome a validation of the work her team had already done.

Instead, SAS came back with unique insight, such as the ability to detect similar filings from the same IP address, which could be an indicator of fraud. SAS also could more efficiently analyze small-dollar returns to make sure one person wasn't filing multiple returns hoping to go undetected.
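The two indicators described above (several filers submitting from one IP address, and one filer splitting activity into many small-dollar returns) can be expressed as simple grouping checks over a batch of filings. The following is an added example written for this article, not the SAS Fraud Framework or the Kentucky DOR's undisclosed criteria; the filing records, the `filer_id` field and the $200 / two-return thresholds are constructed assumptions, and "similar filings" is approximated as distinct filers sharing a source IP. Anything it flags is only a candidate for the human examiner, as the article notes.

```python
"""Added example: two fraud indicators over a batch of tax filings.
Constructed sample data and thresholds; not SAS or Kentucky DOR logic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Filing:
    filing_id: str
    filer_id: str      # hypothetical identifier for the person filing the return
    source_ip: str     # IP address the return was submitted from
    refund_usd: float  # refund requested


# Constructed sample filings (documentation-range IPs, invented identifiers).
SAMPLE_FILINGS = [
    Filing("F1", "P100", "203.0.113.10", 1200.00),
    Filing("F2", "P101", "203.0.113.10", 1150.00),
    Filing("F3", "P102", "203.0.113.10", 1180.00),
    Filing("F4", "P200", "198.51.100.7", 3400.00),
    Filing("F5", "P300", "198.51.100.9", 95.00),
    Filing("F6", "P300", "198.51.100.9", 80.00),
    Filing("F7", "P300", "198.51.100.9", 110.00),
    Filing("F8", "P400", "192.0.2.44", 250.00),
]


def shared_ip_clusters(filings, min_filers=2):
    """Return {ip: [filing ids]} for IPs used by at least min_filers distinct filers.

    One person filing twice from home is not interesting; several different
    'taxpayers' submitting from one address is the signal the article describes.
    """
    by_ip = defaultdict(list)
    for f in filings:
        by_ip[f.source_ip].append(f)
    return {
        ip: [f.filing_id for f in fs]
        for ip, fs in by_ip.items()
        if len({f.filer_id for f in fs}) >= min_filers
    }


def repeat_small_dollar_filers(filings, max_refund=200.0, min_count=2):
    """Return {filer_id: count} for filers with min_count or more returns each under max_refund.

    Splitting a refund into several small returns is an attempt to stay under
    per-return review thresholds, so the count per filer is what matters.
    """
    counts = defaultdict(int)
    for f in filings:
        if f.refund_usd < max_refund:
            counts[f.filer_id] += 1
    return {p: n for p, n in counts.items() if n >= min_count}


def review_queue(filings):
    """Sorted filing IDs that should be forwarded to a human examiner."""
    flagged = set()
    for ids in shared_ip_clusters(filings).values():
        flagged.update(ids)
    small = repeat_small_dollar_filers(filings)
    flagged.update(f.filing_id for f in filings if f.filer_id in small)
    return sorted(flagged)


if __name__ == "__main__":
    print("shared-IP clusters:", shared_ip_clusters(SAMPLE_FILINGS))
    print("repeat small-dollar filers:", repeat_small_dollar_filers(SAMPLE_FILINGS))
    print("review queue:", review_queue(SAMPLE_FILINGS))
```

On the constructed batch, the three returns from 203.0.113.10 and the three sub-$200 returns from filer P300 end up in the queue, while the single large return and the single small one do not; tuning `min_filers`, `max_refund` and `min_count` is exactly the baseline work the article says a deployment needs before it pays off.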

The team tested the tool throughout last year and then put it to work in parallel with the existing system during this year's tax season. The SAS-based application stopped an additional $1 million in fraud in the early months of 2015 -- and Tudor says she expects that number to double by the end of this year.

Predictive analytics has definitely been cost-justified, she says. "The tools we had in place before were helpful but could not identify patterns and anomalies quickly across a huge number of returns," Tudor says. "We are now better able to assimilate a vast array of data and prevent improper payments from going out the door."

Predictive requires patience

While Kentucky's DOR is sold on predictive analytics, some other organizations have been hard-pressed to discover its full potential, according to a survey by the SANS Institute. Only 29% of respondents were using these intelligence tools and services as of the 2014 survey, down from 38% in the 2013 survey.

"There are a lot of offerings out there and organizations realize they can be difficult to adopt," says Phil Hagen, a certified instructor with the SANS Institute. "They are taking time to figure out if they have the human bandwidth to evaluate and integrate intelligence tools and services."

Hagen adds, "You can't deploy a predictive analytics solution today and get value out of it tomorrow. It requires a lead-up and an establishment of a baseline of normalcy to then be able to see the threads, or deviations, to pull on."

Even the most sophisticated predictive analytics software requires human talent, though. For instance, once the Kentucky DOR tools (either the existing checklist or the SAS tool) suspect fraud, the tax return is forwarded to a human examiner for review. "Predictive analytics is only as good as the forethought you put into it and the questions you ask of it," Hagen warns.

Also, it's imperative that data scientists, not security teams, drive the predictive analytics project. "Security teams are the consumers of the data, not the creators," Hagen says.

At U.S. security firm Surescripts, CISO Paul Calatayud manages a team of data scientists in-house and considers predictive analytics one of the best lines of defense his company has against fraud and data loss or theft. Surescripts is a health information network that routes and processes 7 billion transactions annually. With 13 years of data on more than 230 million patients, Calatayud has to stay ahead of those who want to do harm. "All of our contracts are dependent on our ability to have trust between systems. If we have data loss at our company, we will cease to exist," he says.

Surescripts uses Splunk Enterprise to carry out independent risk calculations and detect deviations from the norm. Surescripts executives worry about both internal and external threats, including customer credential theft and/or misuse and employee misconduct. For instance, Splunk Enterprise alerts Surescripts if a pediatrician prescribes a 70-year-old patient medication based on a physician profile that doesn't include treating geriatric patients.

Splunk Enterprise also monitors and aggregates data from raw data points such as Active Directory, firewalls, identity and access management software, file and print servers, and cloud-based applications to understand user behavior.

If an employee starts accessing or transferring files at a higher rate than usual, is more active on social platforms such as LinkedIn and is updating a resume document repeatedly, Splunk Enterprise assumes the employee is preparing to leave the company and will alert Calatayud. Together, these actions might indicate an employee is about to quit and might be trying to download proprietary or protected health data. With the heads-up, Calatayud can heighten monitoring, contact human resources and the employee's manager, and cut off network access if needed.

The key, Calatayud says, is to have performed crisis management tabletop exercises with necessary departments -- legal, HR, the privacy/compliance team, communications, external law enforcement and IT -- so that when suspicious activity occurs, there can be a swift response. If a threshold of alarms trip on a Surescripts employee, that person can be removed from the company within four hours, he says.

Without a rapid response, though, predictive analytics can become a liability in an organization's security portfolio. "You can't continue to acquire security technology and not be able to react to it," Calatayud says.
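Hagen's "baseline of normalcy" and the Surescripts insider indicators above (file transfer rate, LinkedIn activity, repeated resume edits, with an alert only when a threshold of alarms trips) combine into one piece of detection logic: score each user's latest day against that user's own history, per signal, and alert only when several signals deviate at once. The code below is an added illustration written for this article, not a Splunk search or Surescripts' rules; the key=value daily summary lines, the user names, the z-score threshold of 3 and the two-signal alert threshold are all constructed assumptions.

```python
"""Added example: per-user baseline deviation scoring over constructed
daily activity summaries. Not Splunk search logic or Surescripts' rules."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Signals taken from the article's description of the insider indicators.
SIGNALS = ("files", "linkedin", "resume_edits")
LINE_RE = re.compile(
    r"day=(\d+) user=(\w+) files=(\d+) linkedin=(\d+) resume_edits=(\d+)"
)


def constructed_log():
    """Constructed daily activity summaries, oldest first (not real log output).

    Days 1-7 are ordinary for both users. On day 8 'bob' transfers far more
    files, visits LinkedIn repeatedly and edits a resume document several
    times, while 'alice' stays within her usual range.
    """
    lines = []
    for day in range(1, 8):
        lines.append(f"day={day} user=alice files={11 + day % 3} linkedin={day % 2} resume_edits=0")
        lines.append(f"day={day} user=bob files={9 + day % 2} linkedin=0 resume_edits=0")
    lines.append("day=8 user=alice files=13 linkedin=1 resume_edits=0")
    lines.append("day=8 user=bob files=58 linkedin=6 resume_edits=4")
    return lines


def parse(lines):
    """Group lines into {user: [(day, {signal: value}), ...]} sorted by day."""
    per_user = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        day, user = int(m.group(1)), m.group(2)
        values = dict(zip(SIGNALS, (int(m.group(i)) for i in range(3, 6))))
        per_user[user].append((day, values))
    for user in per_user:
        per_user[user].sort(key=lambda t: t[0])
    return per_user


def deviation_scores(history, latest, sigma_floor=1.0):
    """z-score of the latest day against the user's own baseline, per signal.

    The standard deviation is floored so that a perfectly flat baseline
    (e.g. zero resume edits every day) does not turn any tiny change into an
    enormous score; one edit is not the same as a spike of several.
    """
    scores = {}
    for sig in SIGNALS:
        hist = [v[sig] for v in history]
        sigma = max(pstdev(hist), sigma_floor)
        scores[sig] = (latest[sig] - mean(hist)) / sigma
    return scores


def evaluate(lines, z_threshold=3.0, min_signals=2, min_history=3):
    """Return {user: {"scores": {...}, "deviant": [signals], "alert": bool}}.

    A single deviating signal is treated as noise; an alert requires
    min_signals signals deviating on the same day, which is the
    'threshold of alarms' idea rather than one rule per event.
    """
    results = {}
    for user, days in parse(lines).items():
        history = [values for _, values in days[:-1]]
        latest = days[-1][1]
        if len(history) < min_history:
            # Not enough baseline yet: exactly the lead-up period the article warns about.
            results[user] = {"scores": {}, "deviant": [], "alert": False}
            continue
        scores = deviation_scores(history, latest)
        deviant = sorted(s for s, z in scores.items() if z >= z_threshold)
        results[user] = {
            "scores": scores,
            "deviant": deviant,
            "alert": len(deviant) >= min_signals,
        }
    return results


if __name__ == "__main__":
    for user, r in evaluate(constructed_log()).items():
        print(user, "ALERT" if r["alert"] else "ok", r["deviant"])
```

Running it flags only bob, on all three signals, and leaves alice alone even though her file count on day 8 is slightly above her average; the alert is the trigger for the response plan the article describes (heightened monitoring, HR and the manager, and network cut-off if needed), which is why the function returns the scores and deviant signals rather than acting on them.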

A build-your-own solution

Jason O'Connor, vice president of analysis and mission solutions at defense contractor Lockheed Martin, says the number of data sources that can be culled to detect threats can be overwhelming to many organizations -- especially as social media use grows.

"As the threats become near real-time, countering them needs to be faster than that; it needs to be predictive," he says. "With nearly every major geopolitical event that's happened in the past decade, there has been a tremendous amount of information present on the Internet."

Seven years ago, Lockheed Martin approached this challenge by using its own mathematicians and scientists to develop an analytics engine that now can predict a broad range of events such as social unrest and biological outbreaks. "We not only wanted to see what was going on tactically, but to find characteristics and signals in the data that could infer or assess an outcome," O'Connor says.

After succeeding internally, Lockheed Martin marketed the analytics engine commercially as LM Wisdom to its suppliers and other partners. The company is still using LM Wisdom internally for critical security issues such as supply chain analytics.

Lockheed Martin has thousands of suppliers that help make platforms or products -- all of them channels that introduce risk. The company monitors suppliers for counterfeit parts and materials, including their social media feeds, websites and Internet marketplaces. LM Wisdom's predictive model evaluates the likelihood of a seller being a counterfeit.

"No supplier is going to say 'come buy counterfeit parts,' but LM Wisdom can study the linguistic features of content and marketing materials as well as the types of things a supplier sells," O'Connor says. Employees can then use a system-generated matrix to verify trusted suppliers and avoid counterfeits, reducing the risk associated with delivery of parts, integrity of parts and exposure to bad suppliers.
Early warning to protect people

Predictive analytics also can be used to protect human assets, such as volunteers for international aid organizations or employees of global oil and gas companies. In certain regions, workers are kidnapped and held for millions of dollars in ransom. By monitoring local social media feeds of political groups, news outlets and the like, organizations can detect unrest near outposts and tell workers to stay inside a protected zone, according to Luca Scagliarini, CEO of intelligence software maker Expert System USA.

Insight into geopolitical unrest can reveal changing vulnerabilities of physical assets and mitigate risk of supply chains as well. By analyzing relevant social media streams and other data, for instance, an oil company can get early warning of a port strike and avoid having fully loaded ships stuck at those docks.

In the private sector, predictive analytics tends to operate best when provided a broader context of information from a combination of public, open-source services and private, pay-for-service feeds, according to David Monahan, security and risk management research director at Enterprise Management Associates.

"Multiple data providers are often part of the strategy as they have specialties that make them valuable," he says. The providers often focus on specific types of threats -- human, geographical, physical or information assets. He adds that government organizations have their own data-gathering methods beyond those available commercially.

"Every organization has a risk profile of things that are going to affect them and a risk tolerance of things that they are willing to let happen," Monahan says. "While nobody is truly 'money is no object,' certain companies with higher attack surfaces will obviously have higher budgets for predictive analytics." That said, as predictive analytics tools become more affordable and easier to use, they will no doubt have broader appeal.

Computerworld: http://bit.ly/1MlydS5
