A common theme during this week's SAS and FICO user conferences was how to use Big Data to make fraud decisions faster, more accurately and without impacting the customers in any negative way.
Big Data is basically about 3Vs: Volume, Velocity and Variety of data to gain veracity and value in fraud management. Volume and Velocity are nothing new: fraud management products have long been capable of analyzing terabytes of data in billions of transactions - in real time.
What's really new for Fraud Management about Big Data is Variety. Using all types of new information to make better decisions with lower false positive rates. The new data sources that are increasingly used in Fraud Management are:
Social network data. Has this user been writing about committing fraud on Facebook? After seeing how dumb some criminals can be, this data source is pretty important.
Geolocation of a mobile devices. The fraud management system should warn ahead of time if a user has been in the same location as the ATM when he/she used her ATM card to empty her bank account)
Identity and Access Management systems logs. The fraud management system should warn ahead of time if the authentication system in front of my customer facing system see any evidence of the user logging in from a risky geography or from a new device before the user emptied their bank online by making unauthorized transfers to a mule account)
Textual and unstructured data. The fraud management system should warn ahead of time if, for example, a medical provider or insurance adjustor is always using the same combination of terms of "suture removal" or "rear hit accident" in suspicious contexts or just in an excessively repeated way)
Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas Security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk. The problem is, when it comes to social media, these two facets of the organization need to come to terms with each other – and this was clearly on display Tuesday when the Dow Jones briefly plummeted over 100 points due to false Tweets from AP’s hacked Twitter accounts that indicated President Obama had been injured by explosions at the White House.
This recent breach signifies two things: 1) the potentially damaging impact of social media is real and growing, and 2) companies today aren’t doing enough to mitigate the risks.
As social media becomes a legitimate source of news and information, the implications for inaccurate or inappropriate behavior continue to grow. Damaging or disparaging comments on Twitter (whether intended or not), can have a real impact on your business and the way customers view your company and brand. Companies need to do more to protect their organization from social media risk because:
Well, we just saw Samsung launch its latest ubergizmo with tons of interesting features, like pause video playback at the blink of the eye. However, there is an important hardware feature of the Samsung Galaxy S4 to note here: finally a Near Field Communications (NFC) chip is embedded in the device (something that Apple left out of the iPhone 5), making it useful for mobile payments, building access control, and lots of other security uses. Issuers, payment services providers and trusted services managers have long been dreaming of mobile phones with NFC chips: not having to send plastic credit cards with EMV chips (or magstripes in the US) but being able to personalize the credit card right on the phone reduces card management costs, improves end user satisfaction. There is nothing new here. But here's where NFC finally in a mainstream mobile phone can revolutionize fraud management:
1) GPS verification. So if you use it to make a card present transaction by touching your phone NFC credit card to a PayPass or other proximity based credit card reader, the payment authorization platform can immediately know where you are, correlate it with the riskiness of the location (country) and use your location to build a risk score.
2) More factors and better capabilities for payment authentication. Instead or in addition to asking for a PIN code for transaction authentication, the payment processor can contact your registered phone and - based on risk - can ask for a PIN code signature, or secondary authentication like facial recognition or biometric retina vein recognition to authorize a higher value transaction.
3) Linking the NFC chip to an eWallet. This will be easier than ever before. If the NFC chip is initialized to be a credit card, the eWallet application can check for the presence of it and maybe even use it in a card present transaction.
“Enterprise rights management? What does that even mean?! You’re using security speak!” exclaimed my colleague TJ Keitt.
TJ sits on a research team serving CIOs, and covers collaboration software. We were having a discussion around collaboration software and data security considerations for collaboration. “Security speak” got in the way. It wasn’t the first time, and it will likely not be the last, but it is a good reminder to remember to communicate clearly using non security speak – and not just to fellow S&R pros, but to the rest of the business (in this case – the CIO) – to talk about what we really mean. That’s how collaboration starts.
Collaboration is also not just about S&R pros engaging the rest of the business to bring them into the security-minded fold, but to also listen and be aware of what’s bubbling up in other parts of the organization as it can have implications for security too. One of the more interesting examples that I see today come from the marketing side of the business, specifically those involved with strategies for customer experience and digital marketing. Mobile is huge (no surprise, right?), and is transforming how companies interact with customers. The future of mobile is all about context: 1) situation, 2) preferences, and 3) attitudes.
I was very excited to finally get a copy of the much-anticipated 2013 Verizon Data Breach Investigations Report (DBIR.) I have found the report to be valuable year after year. This is the 6th iteration and this year’s report includes 621 confirmed data breaches, as well as over 47,000 reported security incidents. 18 organizations from across the globe contributed to the report this year. The full report is 63 pages, and I have to say that Wade Baker and company did a great job making it an enjoyable read. I enjoyed the tone, and I found myself laughing several times as I read through it (Laughing and infosec aren't commonly said in the same breath.) There are tons of great references as well, ranging from NASCAR, to Biggie Smalls, the Violent Femmes and more. The mantra of this year’s report is “Understand Your Adversary’ is Critical to Effective Defense and Response.” Here are a few observations:
The focus on the adversary answers customer questions. Who is the adversary? This is a frequent question from Forrester clients. The Mandiant APT1 report stirred up much debate on state sponsored actors and Verizon's data and analysis gives us more perspective on this class of threat actor. The first table in the report profiles the threat actors that are targeting organizations. It provides a high level view that I suggest you include in any type of executive engagement activity you participate in. This 3rd party snapshot of the threat actors should resonate with a wide degree of audiences.
After RSA's acquisition of SilverTail, things are heating up in mobile application level behavioral detection.
We see fraud management vendors increasingly looking at mobile application behaviors (beyond web fraud management and device fingerprinting) to build out a normal and abnormal behavior profile for the network traffic signatures coming out of the application (similarly to how SilverTail/RSA looks at web traffic signatures). Note that this is clearly a grey area that falls between what device fingerprinting vendors (iovation, 41st Parameter, BlueCava, ThreatMetrix), or risk-based authentication (RBA) vendors (RSA, Entrust, CA/Arcot, etc.) or what traditional back-end, cross-channel transaction monitoring vendors (Actimize, ACI, Detica, SAS, etc.) have been doing. Although device fingerprinting and RBA vendors have long been providing SDKs and APIs for developers to include in their mobile applications, understanding mobile application network traffic and building good and bad behavioral models is becoming something people are increasingly interested in.
Mobile application behavior detection has the benefits of not having to open up application code, not having to define too many security policies or rules. Because of this, mobile application behavior detection and network traffic signature profiling is something we expect to see a lot of vendor interest in the next 9-12 months.
"My master made me this collar. He is a good and smart master and he made me this collar so that I may speak. Squirrel!"
In the Pixar film Up, squirrels frequently distract Dug the talking dog. In our space, we are frequently distracted by technology. "I am a good and smart security professional; I must protect my enterprise so that we are secure. APT defense in a box!"
The expo floors at industry events such as the RSA Conference and Blackhat contribute to this. Signage touts the next great piece of technology that will solve all of our security problems. We allow Big Data, security analytics, threat intelligence, and APT defense in a box to distract us. It is easy to do; there is no shortage of challenges for today’s security and risk professional. The threat landscape is overwhelming. We have problems recruiting and retaining the right staff. Day-to-day operational duties take up too much time. Our environments are complex, and we struggle to get the appropriate budget.
These “security technology du jour” solutions are very appetizing. They compel us much like IDS, IPS, and SIM did in the past. We want and need the “easy” button. Sadly, there is no “easy” button and we must understand that threat protection doesn't equal a product or service; there is no single solution. Technology alone isn't the answer we are looking for.
Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?
Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of survey results.
Here's what we offer for your participation:
If you complete the survey,
You will eligible to win a 128 GB iPad in a raffle organized by UBC.
Forrester will send you a courtesy PDF copy of the report.
Stephanie Balaouras and I published a report last week on the current state of crisis communications, and one thing is clear: most companies are not ready to invoke their crisis communications plan.
We analyzed data from our recent 2012 Forrester/Disaster Recovery Journal (DRJ) joint online study, which surveyed 115 business continuity decision-makers about their organizations’ crisis communications strategies. The results were disconcerting. Despite roughly half of organizations having invoked their business continuity plan in the past five years, only 15% said their crisis communication efforts were very effective.
Recent events such as Hurricane Sandy and the Sandy Hook school shooting illustrate the damaging, and often tragic, impact crises can have on organizations and the broader community. In fact, Hurricane Sandy was the second costliest in US history. Yet, most organizations are not prepared to manage an effective response to such a crisis. We found that crisis communication programs routinely underperform because:
When I talk to security (S&R) leaders, they always tell me that in an ideal world, they would have enough advanced warning of impending business and technology disruptions in order to understand the security, privacy and overall risk implications and then prepare and present their business executives with a balanced opinion about how best to proceed if and when the enterprise decides to move forward. Unfortunately, most often, business and IT colleagues move on these disruptions and technology shifts far in advance of the security team’s readiness, and we don’t have to look far for examples; just think of employee BYOD, mobile apps for customer engagement, cloud services, social technology for marketing and collaboration, massive big data projects for business intelligence, or virtual and converged infrastructures within the data center.