Why fighting fraud without analytics is no longer an option

09 October 2015
Knowledge Base

By Andy Scherpenberg

Still too few organisations realize just how much recent evolutions in the digital world have changed the spectrum, efficacy, depth and invisibility of fraud. The far-reaching automation and sophistication of cybercriminals' systems allow them to do a huge amount of damage with a very small team and very little effort. The results are terrifying: fraud in 2014 is estimated to have cost roughly 3 trillion euros (yes, that’s a 3 with 12 zeros after it).

And even then, it is not unusual to see allocated budgets rise and fall in a synchronous dance with the intensity of the attack, completely ignoring what is happening in the outside world. This is a very dangerous way of looking at things, and one that can have disastrous results.

So what has the increased automation and digitization of crime changed?

Just as e-commerce is booming due to greater efficiency and lower prices, there is now more online fraud than ever. Furthermore, it no longer limits itself to traditional targets like big banks, but migrates to a much broader spectrum of domains like smaller SMEs (who have more vulnerable defense structures than large organisations). But online fraud has also grown much more refined. Some cybercrime campaigns have very intricate schemes, and social engineering can be extremely subtle and well planned. Some polymorphic types of malware, for instance, keep adapting and can therefore not be tracked and erased by traditional anti-virus software, because the latter is programmed to detect malicious code that was identified before and that does not keep transforming.

In the face of such an evolved online fraud environment, we need to be aware that we have no actual digital equivalent for the “big iron door” in the physical world. That is why you need a holistic approach: management and staff awareness, an inventory of digital assets and their value, encryption, restoration processes and communication plans. And, of course, technological defenses. I find it frankly dangerous how so many companies rely solely on firewalls, anti-malware and anti-virus software – often badly configured – for their safety. And that the bigger ones still depend so heavily on manual work. Often, system defense is strictly managed with powerful detection engines which are configured by domain specialists who manually devise rules. When a threat or a situation changes, they adapt the configuration, counting mostly on their experience (which, granted, is often very impressive). However, the amount of data that needs to be crunched today, and the information that ought to be analysed in order to find the most efficient rules (not too strict, to avoid too many false positives, but certainly not too lenient either), is vast. So much so that it is impossible for human intelligence to grasp the entire situation and make the best decision. On top of that, humans are biased. They tend to respond with what they know. The problem is that the current fraud environment is so dynamic that mere experience will not cut it if you want to understand, find and combat it. The creativity of fraudsters is truly impressive (read about the recent Carbanak attack and you’ll surely agree) and as long as we rely on detecting previously seen behaviour, it will remain a game of cat-and-mouse.

The only way to fight the increasingly complex attack schemes and cyber scams of fraudsters is to use intelligent analytics that alert companies about anomalous behaviour. For instance, if a workstation that is attributed to the HR department is exhibiting behaviour which is normally associated with the financial or IT department (something you would typically see during the reconnaissance phase of an advanced persistent threat), this suspicious conduct will be reported. A classic anti-virus program would never see this. A manually configured detection engine might, but the likelihood that it will generate an unmanageable quantity of false positives is high. And once the attack enters its execution phase, a lot of damage can be done in a short time.
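To make the HR-workstation example concrete, here is an added illustration that is not part of the original article: each department gets a baseline of which internal services its workstations talk to, and each workstation is compared against every department's baseline (built without that workstation's own events, so it cannot vouch for itself). A workstation whose service mix is closer to another department than to its own is flagged. The access log, workstation names, department names and service names are all constructed for this example; the similarity measure (cosine similarity over service frequencies) is one simple choice among many.

```python
"""Added example, not from the original article: flag a workstation whose
service-access pattern resembles another department more than its own.
All log entries below are constructed for illustration."""
from collections import Counter, defaultdict
import math

# Constructed access log: (workstation, department, internal service contacted)
ACCESS_LOG = [
    ("ws-hr-01", "HR", "payroll-portal"), ("ws-hr-01", "HR", "hris"),
    ("ws-hr-01", "HR", "mail"), ("ws-hr-01", "HR", "hris"),
    ("ws-hr-02", "HR", "hris"), ("ws-hr-02", "HR", "mail"),
    ("ws-hr-02", "HR", "payroll-portal"),
    ("ws-fin-01", "Finance", "swift-gateway"), ("ws-fin-01", "Finance", "erp"),
    ("ws-fin-01", "Finance", "mail"), ("ws-fin-01", "Finance", "erp"),
    ("ws-fin-02", "Finance", "erp"), ("ws-fin-02", "Finance", "swift-gateway"),
    ("ws-it-01", "IT", "domain-controller"), ("ws-it-01", "IT", "ssh-jump"),
    ("ws-it-01", "IT", "mail"), ("ws-it-01", "IT", "ssh-jump"),
    ("ws-it-02", "IT", "domain-controller"), ("ws-it-02", "IT", "ssh-jump"),
    # Constructed anomaly: an HR workstation reaching IT and Finance services
    ("ws-hr-03", "HR", "domain-controller"), ("ws-hr-03", "HR", "ssh-jump"),
    ("ws-hr-03", "HR", "mail"), ("ws-hr-03", "HR", "erp"),
    ("ws-hr-03", "HR", "ssh-jump"),
]


def _normalize(counter):
    """Turn raw service counts into a frequency distribution."""
    total = sum(counter.values())
    return {service: n / total for service, n in counter.items()}


def cosine(p, q):
    """Cosine similarity between two sparse frequency distributions."""
    dot = sum(p.get(k, 0.0) * q.get(k, 0.0) for k in set(p) | set(q))
    norm_p = math.sqrt(sum(v * v for v in p.values()))
    norm_q = math.sqrt(sum(v * v for v in q.values()))
    return dot / (norm_p * norm_q) if norm_p and norm_q else 0.0


def score_workstation(ws, log):
    """Return (own department, closest department, similarity per department).

    Department baselines exclude the workstation under test, so an already
    compromised machine does not drag its own department's profile toward it.
    """
    own_dept = next(d for w, d, _ in log if w == ws)
    ws_profile = _normalize(Counter(s for w, _, s in log if w == ws))
    dept_counts = defaultdict(Counter)
    for w, d, s in log:
        if w != ws:
            dept_counts[d][s] += 1
    sims = {d: cosine(ws_profile, _normalize(c)) for d, c in dept_counts.items()}
    closest = max(sims, key=sims.get)
    return own_dept, closest, sims


def find_anomalous_workstations(log):
    """List (workstation, own department, look-alike department) for every
    workstation that resembles another department more than its own."""
    flagged = []
    for ws in sorted({w for w, _, _ in log}):
        own, closest, _ = score_workstation(ws, log)
        if closest != own:
            flagged.append((ws, own, closest))
    return flagged


if __name__ == "__main__":
    for ws, own, looks_like in find_anomalous_workstations(ACCESS_LOG):
        print(f"ALERT {ws}: assigned to {own}, behaves like {looks_like}")
```

On this constructed data only `ws-hr-03` is reported, because its traffic to the domain controller and the SSH jump host matches the IT baseline far better than the HR one; the ordinary HR, Finance and IT machines stay closest to their own department. In production the baselines would be built from a much longer window and the raw similarity turned into a score with a tunable threshold, which is exactly the false-positive lever the article discusses.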

So what do you need to fight fraud and cyber threats?

The answer lies in the combination of two concepts which are now taking hold as a key element in high-performing businesses: “big data” – a colossal volume of high-velocity data, in all kinds of structured and unstructured formats – and “analytics”. But why? Well, first of all, analytics are objective and never biased: they detect strange behaviour on the basis of a plethora of data, patterns and models, not on “gut feeling”. Unlike humans, they can crunch an enormous amount of big data in the blink of an eye, which means that their conclusions are based on a lot more information and are thus much more accurate. Also, all fraud knowledge is centralized in the system and no longer resides only in the heads of the domain specialists.

Still, the best combination is a winning mix of analytics and domain specialists. Solutions can make flawed interpretations too, obviously, even if they are less biased than humans. So what is the difference between mixing analytics and human intelligence on the one hand and detection engines programmed by specialists on the other? In the latter case it is the humans that steer the machines while, in this era of exploding data, it should be the other way around: the solutions should provide the insights to the specialists, who can then still change course based on their experience. It might be a subtle distinction, but it is a very big one. I believe that the role of the fraud domain specialist will become a lot more coordinating, going far beyond manually distilling rules out of data.

For many companies this change is already long overdue. But if they decide to switch, the results will be overwhelming. Just to give a radical example: the case of a bank where the detection engine was manually built on no fewer than 55 rules, resulting in a staggering 12,000 notifications per day. With the use of analytics, we built a brand-new model – recycling 5 of the original 55 rules and adding 9 new ones – which reduced the number of alarms to 110 per day and doubled the actual detection of fraud. Now, I do admit that this was an extreme situation, but it perfectly illustrates how human intelligence and intuition alone are no longer sufficient in the ever more complex fraud battle. You need big data analytics. It’s as simple as that.
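The bank case above, and the earlier remark that rules must be neither too strict nor too lenient, come down to measuring each rule against labelled outcomes instead of trusting intuition. The following is an added example, not code from the article or from the bank's engine: a small labelled transaction set, a hand-written rule set, per-rule precision, and a pruning step that keeps only rules whose alerts are mostly fraud. It shows how alert volume can fall without losing detections. The transactions, rule names and thresholds are all constructed for illustration; the numbers in the article (55 rules, 12,000 alerts, 110 alerts) are not reproduced here.

```python
"""Added example, not from the original article: measure a fraud rule set
against labelled transactions and prune the rules that mostly produce noise.
All transactions and rules below are constructed for illustration."""

# Constructed, labelled transactions: amount in euro, hour of day, beneficiary
# country, whether the beneficiary is new for this customer, and the outcome.
TRANSACTIONS = [
    dict(id=1, amount=120, hour=10, country="BE", new_beneficiary=False, fraud=False),
    dict(id=2, amount=2400, hour=14, country="BE", new_beneficiary=False, fraud=False),
    dict(id=3, amount=80, hour=22, country="BE", new_beneficiary=False, fraud=False),
    dict(id=4, amount=1500, hour=11, country="NL", new_beneficiary=False, fraud=False),
    dict(id=5, amount=6200, hour=3, country="RO", new_beneficiary=True, fraud=True),
    dict(id=6, amount=950, hour=2, country="BE", new_beneficiary=True, fraud=True),
    dict(id=7, amount=300, hour=9, country="DE", new_beneficiary=False, fraud=False),
    dict(id=8, amount=4100, hour=16, country="BE", new_beneficiary=False, fraud=False),
    dict(id=9, amount=700, hour=23, country="BE", new_beneficiary=True, fraud=True),
    dict(id=10, amount=50, hour=20, country="BE", new_beneficiary=False, fraud=False),
]


def off_hours(t):
    return t["hour"] < 7 or t["hour"] > 19


# Constructed rule set: name -> predicate over one transaction.
RULES = {
    "large_amount": lambda t: t["amount"] > 1000,
    "off_hours": off_hours,
    "foreign_beneficiary": lambda t: t["country"] != "BE",
    "new_beneficiary_off_hours": lambda t: t["new_beneficiary"] and off_hours(t),
    "new_beneficiary_large": lambda t: t["new_beneficiary"] and t["amount"] > 500,
}


def evaluate(rules, txns):
    """Alert volume, fraud caught, precision and recall for a whole rule set.
    A transaction is an alert when any rule in the set fires on it."""
    alerts = [t for t in txns if any(r(t) for r in rules.values())]
    caught = sum(1 for t in alerts if t["fraud"])
    total_fraud = sum(1 for t in txns if t["fraud"])
    return {
        "alerts": len(alerts),
        "caught": caught,
        "precision": caught / len(alerts) if alerts else 0.0,
        "recall": caught / total_fraud if total_fraud else 0.0,
    }


def per_rule_precision(rules, txns):
    """Share of each rule's own alerts that were actually fraud."""
    result = {}
    for name, rule in rules.items():
        hits = [t for t in txns if rule(t)]
        result[name] = (sum(1 for t in hits if t["fraud"]) / len(hits)) if hits else 0.0
    return result


def prune(rules, txns, min_precision):
    """Keep only the rules whose own precision reaches the threshold."""
    precision = per_rule_precision(rules, txns)
    return {name: rule for name, rule in rules.items() if precision[name] >= min_precision}


if __name__ == "__main__":
    print("all rules:   ", evaluate(RULES, TRANSACTIONS))
    for name, p in per_rule_precision(RULES, TRANSACTIONS).items():
        print(f"  {name:28s} precision {p:.2f}")
    kept = prune(RULES, TRANSACTIONS, min_precision=0.5)
    print("pruned rules:", sorted(kept), evaluate(kept, TRANSACTIONS))
```

On the constructed data the full rule set raises 9 alerts out of 10 transactions to catch 3 frauds (precision 0.33), while the pruned set raises 5 alerts for the same 3 frauds, so recall is unchanged and analyst workload nearly halves. Two things a practitioner would add before trusting such numbers: hold out a separate period for evaluation, because tuning and measuring on the same transactions overstates precision, and re-run the measurement continuously, since the fraud patterns the article describes do not stay still.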

The author, Andy Scherpenberg, is Solution Specialist – Fraud & Cyber Security at SAS.
