Technology that predicts your next security fail
Predictive analytics uses publicly available and privately sourced data to try to determine future actions. By analyzing what has already happened, organizations can detect what is likely to happen before anything affects the security of the organization's physical infrastructure, human capital or intellectual property.
The Kentucky Department of Revenue (DOR) already had an automated batch process in place that searched for signs of fraud based on certain criteria, which the department won't disclose. Even with the old system, the DOR was able to stop $8 million to $10 million in fraudulent tax filings but "there was more to do," according to Melody Tudor, revenue tax policy research consultant for the DOR. "Fraudsters are getting smarter and smarter."
Tudor and her team brought in SAS's Fraud Framework for Government Tax Enforcement software and consultants to explore how predictive analytics could harden the agency's defenses. They provided SAS with six years of data and asked SAS to come back with something different from the checklist they already had in place. Tudor wasn't sure they would turn up anything, but she says she would have considered that outcome a validation of the work her team had already done.
Instead, SAS came back with unique insight, such as the ability to detect similar filings from the same IP address, which could be an indicator of fraud. SAS also could more efficiently analyze small-dollar returns to make sure one person wasn't filing multiple returns hoping to go undetected.
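The two indicators described above (several filings submitted from one source IP address, and one person filing multiple small-dollar returns) can be expressed as batch rules over a set of filings. The following is an added illustration, not the DOR's undisclosed criteria or SAS's code; the field names, thresholds and sample filings are constructed for the example, and, as in the article, anything flagged goes to a human examiner rather than being rejected automatically.

```python
"""Rule-based indicators over a batch of tax filings (constructed example).

Two signals from the article: several filings submitted from one source IP
address, and one filer submitting several small-dollar returns. Thresholds,
field names and sample data are assumptions for illustration only.
"""
from collections import defaultdict

# Constructed sample batch: (filing_id, filer_id, source_ip, refund_amount)
FILINGS = [
    ("F001", "P100", "203.0.113.10", 1250.00),
    ("F002", "P101", "203.0.113.10", 1190.00),
    ("F003", "P102", "203.0.113.10", 1275.00),
    ("F004", "P103", "198.51.100.7", 3400.00),
    ("F005", "P104", "198.51.100.8", 120.00),
    ("F006", "P104", "198.51.100.9", 140.00),
    ("F007", "P104", "198.51.100.10", 95.00),
    ("F008", "P105", "192.0.2.44", 2100.00),
]

SHARED_IP_MIN_FILERS = 3    # assumed: >= 3 distinct filers from one IP
SMALL_DOLLAR_MAX = 200.00   # assumed: ceiling for a "small-dollar" return
SMALL_DOLLAR_MIN_COUNT = 2  # assumed: >= 2 small returns from one filer


def shared_ip_indicator(filings, min_filers=SHARED_IP_MIN_FILERS):
    """Map source IP -> filing ids where >= min_filers distinct filers share the IP."""
    filers_by_ip = defaultdict(set)
    ids_by_ip = defaultdict(list)
    for fid, filer, ip, _amount in filings:
        filers_by_ip[ip].add(filer)
        ids_by_ip[ip].append(fid)
    return {ip: sorted(ids_by_ip[ip])
            for ip, filers in filers_by_ip.items() if len(filers) >= min_filers}


def small_dollar_indicator(filings, max_amount=SMALL_DOLLAR_MAX,
                           min_count=SMALL_DOLLAR_MIN_COUNT):
    """Map filer id -> filing ids where one filer has >= min_count small returns."""
    small_by_filer = defaultdict(list)
    for fid, filer, _ip, amount in filings:
        if amount <= max_amount:
            small_by_filer[filer].append(fid)
    return {filer: ids for filer, ids in small_by_filer.items() if len(ids) >= min_count}


def review_queue(filings):
    """Union of flagged filing ids with the reason(s), for a human examiner."""
    reasons = defaultdict(list)
    for ip, ids in shared_ip_indicator(filings).items():
        for fid in ids:
            reasons[fid].append(f"shared_ip:{ip}")
    for filer, ids in small_dollar_indicator(filings).items():
        for fid in ids:
            reasons[fid].append(f"multi_small_return:{filer}")
    return dict(sorted(reasons.items()))


if __name__ == "__main__":
    for fid, why in review_queue(FILINGS).items():
        print(fid, ", ".join(why))
```

Both rules are deliberately coarse: a shared IP also describes a legitimate tax preparer or a NAT gateway, which is why the output is a review queue rather than a verdict.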
The team tested the tool throughout last year and then put it to work in parallel with the existing system during this year's tax season. The SAS-based application stopped an additional $1 million in fraud in the early months of 2015 -- and Tudor says she expects that number to double by the end of this year.
Predictive analytics has definitely been cost-justified, she says. "The tools we had in place before were helpful but could not identify patterns and anomalies quickly across a huge number of returns," Tudor says. "We are now better able to assimilate a vast array of data and prevent improper payments from going out the door."
While Kentucky's DOR is sold on predictive analytics, some other organizations have been hard-pressed to discover its full potential, according to a survey by the SANS Institute. Only 29% of respondents were using these intelligence tools and services as of the 2014 survey, down from 38% in the 2013 survey.
"There are a lot of offerings out there and organizations realize they can be difficult to adopt," says Phil Hagen, a certified instructor with the SANS Institute. "They are taking time to figure out if they have the human bandwidth to evaluate and integrate intelligence tools and services."
Hagen adds, "You can't deploy a predictive analytics solution today and get value out of it tomorrow. It requires a lead-up and an establishment of a baseline of normalcy to then be able to see the threads, or deviations, to pull on."
Even the most sophisticated predictive analytics software requires human talent, though. For instance, once the Kentucky DOR tools (either the existing checklist or the SAS tool) suspect fraud, the tax return is forwarded to a human examiner for review. "Predictive analytics is only as good as the forethought you put into it and the questions you ask of it," Hagen warns.
Also, it's imperative that data scientists, not security teams, drive the predictive analytics project. "Security teams are the consumers of the data, not the creators," Hagen says.
At Arlington, Va.-based Surescripts, CISO Paul Calatayud manages a team of data scientists in-house and considers predictive analytics one of the best lines of defense his company has against fraud and data loss or theft. Surescripts is a health information network that routes and processes 7 billion transactions annually.
With 13 years of data on more than 230 million patients, Calatayud has to stay ahead of those who want to do harm. "All of our contracts are dependent on our ability to have trust between systems. If we have data loss at our company, we will cease to exist," he says.
Surescripts uses Splunk Enterprise to carry out independent risk calculations and detect deviations from the norm. Surescripts executives worry about both internal and external threats, including customer credential theft and/or misuse and employee misconduct. For instance, Splunk Enterprise alerts Surescripts if a pediatrician prescribes a 70-year-old patient medication based on a physician profile that doesn't include treating geriatric patients.
Splunk Enterprise also monitors and aggregates data from raw data points such as Active Directory, firewalls, identity and access management software, file and print servers, and cloud-based applications to understand user behavior.
If an employee starts accessing or transferring files at a higher rate than usual, is more active on social platforms such as LinkedIn and is updating a resume document repeatedly, Splunk Enterprise assumes the employee is preparing to leave the company and will alert Calatayud. Together, these actions might indicate an employee is about to quit and might be trying to download proprietary or protected health data. With the heads-up, Calatayud can heighten monitoring, contact human resources and the employee's manager, and cut off network access if needed.
The key, Calatayud says, is to have performed crisis management tabletop exercises with the necessary departments -- legal, HR, the privacy/compliance team, communications, external law enforcement and IT -- so that when suspicious activity occurs, there can be a swift response. If a threshold of alarms trips on a Surescripts employee, that person can be removed from the company within four hours, he says.
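The approach described in the last two paragraphs, and Hagen's point about first establishing a baseline of normalcy, combine into a small scoring loop: build a per-user baseline from history, flag the current day when it deviates, add the other behavioral signals, and escalate once enough alarms trip. The block below is an added illustration and not Surescripts' or Splunk's logic; the user names, history, thresholds and the z-score method are all assumptions made for the example.

```python
"""Baseline-and-deviation scoring for insider-risk signals (constructed example).

Per user: a baseline of daily file-transfer volume is computed from history,
today's count is compared to it, two further signals from the article
(increased social-platform activity, repeated resume edits) are added, and
the case escalates when the number of tripped alarms reaches a threshold.
All names, data and thresholds are assumptions for illustration only.
"""
from statistics import mean, pstdev

# Constructed per-user history of daily file transfers (last 14 days)
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12, 15, 14, 13, 12],
    "bob":   [20, 22, 19, 21, 23, 20, 22, 21, 20, 19, 22, 21, 20, 22],
}
# Constructed observations for today
TODAY = {
    "alice": {"file_transfers": 14,  "social_activity_up": False, "resume_edits": 0},
    "bob":   {"file_transfers": 140, "social_activity_up": True,  "resume_edits": 4},
}

Z_THRESHOLD = 3.0     # assumed: standard deviations above baseline that count as a spike
RESUME_EDIT_MIN = 3   # assumed: edits per day that count as "repeatedly"
ALARM_THRESHOLD = 2   # assumed: alarms needed before escalation


def transfer_zscore(history, today_count):
    """How many standard deviations today's count sits above the baseline."""
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:  # flat history: any change is maximally anomalous
        return 0.0 if today_count == mu else float("inf")
    return (today_count - mu) / sigma


def alarms_for(history, obs):
    """Names of the alarms that trip for one user's observations today."""
    alarms = []
    if transfer_zscore(history, obs["file_transfers"]) >= Z_THRESHOLD:
        alarms.append("file_transfer_spike")
    if obs["social_activity_up"]:
        alarms.append("social_activity_up")
    if obs["resume_edits"] >= RESUME_EDIT_MIN:
        alarms.append("resume_edits")
    return alarms


def escalate(history_by_user, today_by_user, threshold=ALARM_THRESHOLD):
    """Per user: tripped alarms and whether they reach the escalation threshold."""
    result = {}
    for user, obs in today_by_user.items():
        alarms = alarms_for(history_by_user[user], obs)
        result[user] = {"alarms": alarms, "escalate": len(alarms) >= threshold}
    return result


if __name__ == "__main__":
    for user, r in escalate(HISTORY, TODAY).items():
        print(user, r)
```

The escalation flag is the hand-off to the tabletop-rehearsed process (HR, legal, manager, access review); the analytics only decide that a human needs to look, which is the division of labour the article describes.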
Without a rapid response, though, predictive analytics can become a liability in an organization's security portfolio. "You can't continue to acquire security technology and not be able to react to it," Calatayud says.
Jason O'Connor, vice president of analysis and mission solutions at defense contractor Lockheed Martin, says the number of data sources that can be culled to detect threats can be overwhelming to many organizations -- especially as social media use grows.
"As the threats become near real-time, countering them needs to be faster than that; it needs to be predictive," he says. "With nearly every major geopolitical event that's happened in the past decade, there has been a tremendous amount of information present on the Internet."
Seven years ago, Lockheed Martin approached this challenge by using its own mathematicians and scientists to develop an analytics engine that now can predict a broad range of events such as social unrest and biological outbreaks. "We not only wanted to see what was going on tactically, but to find characteristics and signals in the data that could infer or assess an outcome," O'Connor says.
After succeeding internally, Lockheed Martin marketed the analytics engine commercially as LM Wisdom to its suppliers and other partners. The company is still using LM Wisdom internally for critical security issues such as supply chain analytics.
Lockheed Martin has thousands of suppliers that help make platforms or products -- all of them channels that introduce risk. The company monitors suppliers for counterfeit parts and materials, including their social media feeds, websites and Internet marketplaces. LM Wisdom's predictive model evaluates the likelihood that a seller is dealing in counterfeits.
"No supplier is going to say 'come buy counterfeit parts,' but LM Wisdom can study the linguistic features of content and marketing materials as well as the types of things a supplier sells," O'Connor says. Employees can then use a system-generated matrix to verify trusted suppliers and avoid counterfeits, reducing the risk associated with delivery of parts, integrity of parts and exposure to bad suppliers.
Predictive analytics also can be used to protect human assets, such as volunteers for international aid organizations or employees of global oil and gas companies. In certain regions, workers are kidnapped and held for millions of dollars in ransom. By monitoring local social media feeds of political groups, news outlets and the like, organizations can detect unrest near outposts and tell workers to stay inside a protected zone, according to Luca Scagliarini, CEO of intelligence software maker Expert System USA.
Insight into geopolitical unrest can reveal changing vulnerabilities of physical assets and mitigate risk of supply chains as well. By analyzing relevant social media streams and other data, for instance, an oil company can get early warning of a port strike and avoid having fully loaded ships stuck at those docks.
In the private sector, predictive analytics tends to operate best when provided a broader context of information from a combination of public, open-source services and private, pay-for-service feeds, according to David Monahan, security and risk management research director at Enterprise Management Associates.
"Multiple data providers are often part of the strategy as they have specialties that make them valuable," he says. The providers often focus on specific types of threats -- human, geographical, physical or information assets. He adds that government organizations have their own data-gathering methods beyond those available commercially.
"Every organization has a risk profile of things that are going to affect them and a risk tolerance of things that they are willing to let happen," Monahan says. "While nobody is truly 'money is no object,' certain companies with higher attack surfaces will obviously have higher budgets for predictive analytics." That said, as predictive analytics tools become more affordable and easier to use, they will no doubt have broader appeal.