Haystax: Prioritized Risks, Actionable Intelligence

Financial Services Fraud Detection Case Study

The Challenge

Financial services institutions use various tools and techniques to prevent fraudulent activity and to quickly mitigate the impact of fraud when it does occur. Research and experience suggest, however, that financial fraud detection could be significantly improved.

As things stand, breaches have increased by 141% since 2011 (1) (2). Not only that, 50% of fraudulent events are first detected by customers – not by their banks’ Fraud teams. (3)

During a recent fraud detection project with a major international bank, Haystax Technology gained insight into key factors contributing to the relatively low prevention rate:

Detection tools were unable to infer from diverse data sources whether certain activity was likely to be fraudulent.

In isolation, many indicators (such as the type of user) are benign, but collectively they may reveal a fraudulent event taking place. For instance, a new user combined with unusual login activity might well be cause for investigation.

Detection tools could only search for known indicators of fraud.

Anomalous events that weren’t included in the list of known fraud indicators were either assessed individually or ignored altogether. This approach requires significant manpower, and is often not feasible due to limited resources.

A fraud domain model was not used to ensure data was mapped to the appropriate indicator categories.

Without such an organizing structure, data from a single fraudulent event was often thought to be from several different events. Redundancies like this can be a significant drain on resources.

The Solution

By interviewing subject matter experts across the bank, Haystax constructed a domain model of the bank’s specific fraud indicators. The model determines the likelihood that a given piece of evidence (user behavior, user type, user actions) is an indicator of fraud, just as a bank’s top analyst would. On their own these indicators may have weak, strong, positive or negative correlations with fraudulent activity, but taken together those correlations may change. For example, multiple log-ins in a day may not be a strong indicator by itself; when it is paired with an unusual HTML tag ID and an abnormal login device, however, the probability that the event has been compromised increases.

Now operational, the model is a component of the Haystax Constellation Analytics Platform. The platform runs the model, ingests data and prioritizes events according to the likelihood of fraudulent activity. Evidence with the highest probability is tackled first, improving the resource utilization and effectiveness of fraud teams. The solution also identifies anomalous activity that cannot readily be matched to a known fraud indicator. Such behavior can be investigated separately, and if it turns out to be fraudulent it can be added to the model.

Haystax deployed this solution at the international bank and was able not only to detect the same fraud/malware events the bank was already detecting, but also to discover fraud indicators that had not previously been detected.

Based on these discoveries, we believe financial institutions can save a lot of time and money by developing and deploying a solution that includes these three core elements:

  • A holistic fraud model that eliminates the need for multiple tools focusing on separate issue areas, and reduces the number of missed attacks.
  • Open and transparent cause-and-effect nodes that allow model users to drill down into results to discern root causes, and avoid focusing on redundant events.
  • Prioritization and ranking capabilities that help users respond to the highest priority events first.

Prevention

Root Cause Identification:

Drill down into the data to determine why it was marked “interesting,” therefore focusing on root causes and improving allocation of resources to investigate.

Remediation

Prioritize Events:

Look at the most “interesting” events first and therefore decrease time to respond to an attack.

Key Assumptions

A key assumption made in this case study is that the ROI figure is an average over the fraud events typically experienced by all financial institutions. It does not include banks that were targeted in larger attacks costing millions, if not billions, to remediate. Attacks of that scale happen to a smaller percentage of financial institutions but cost significantly more to remediate.

Implementing the Solution

Integrate Constellation

The model resides in the Constellation Analytics Platform and can be integrated into a company’s Security Information and Event Management (SIEM) tools (e.g., Splunk) or related devices. The Constellation Analytics Platform allows for real-time processing of structured or unstructured data.

Map Data to Model

Once integrated, the data is mapped to Haystax Technology’s Fraud Detection Model using Haystax Technology’s patented Fusion process of extracting and applying data to the custom model.

Prioritize Events

The model assesses the total data set and evaluates each event to determine the amount of evidence indicating that the event may be compromised. It then assigns the event a probability of compromise. The greater the likelihood the event is compromised, the higher the priority for investigation.

Analysts Investigate

A fraud risk score is generated and organized from high to low priority. The output is displayed in a dashboard, accessible to relevant personnel. Analysts are able to investigate based on qualitative reasoning and drill down into the score to determine where the source of risk exists.

Refine Model

The information and knowledge gained from the investigation is used to further refine the model. This allows the model to remain current with existing threats and expand its capabilities to detect other similar attacks.
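As an added example (not Haystax’s code and not the Constellation model itself), the following Python sketch shows one way the evidence combination described under The Solution and the Prioritize Events, Analysts Investigate and Refine Model steps could be expressed: each indicator carries a likelihood ratio that multiplies into a prior odds of fraud, an interaction table captures combinations whose weight differs from that of their parts, events are ranked by posterior probability, evidence the model does not recognise is flagged for separate review, and confirmed findings are folded back into the model. All indicator names, ratios and the base rate are constructed assumptions.

```python
from math import exp, log

# Constructed likelihood ratios (LR) for indicators named in the case study.
# LR > 1 raises the odds of fraud, LR < 1 lowers them. A real model would
# elicit these from the bank's own analysts.
INDICATORS = {
    "new_user": 1.5,                 # weak positive on its own
    "multiple_logins_day": 1.3,      # weak positive on its own
    "unusual_html_tag_id": 6.0,      # strong positive
    "abnormal_login_device": 4.0,    # strong positive
    "known_device_and_ip": 0.3,      # negative: looks like a legitimate session
}
# Extra weight applied when specific indicators co-occur ("taken together,
# these correlations may change").
INTERACTIONS = {
    frozenset({"multiple_logins_day", "abnormal_login_device"}): 2.0,
}
PRIOR_FRAUD_RATE = 0.002  # constructed base rate of fraud among all events

def score_event(evidence):
    """Return (posterior probability of fraud, indicators unknown to the model)."""
    log_odds = log(PRIOR_FRAUD_RATE / (1 - PRIOR_FRAUD_RATE))
    unmapped = [name for name in evidence if name not in INDICATORS]
    for name in evidence:
        if name in INDICATORS:
            log_odds += log(INDICATORS[name])
    for combo, lr in INTERACTIONS.items():
        if combo <= set(evidence):
            log_odds += log(lr)
    odds = exp(log_odds)
    return odds / (1 + odds), unmapped

def prioritize(events):
    """Rank events highest fraud probability first; each entry carries the
    unmapped evidence an analyst must review separately."""
    scored = [(eid, *score_event(ev)) for eid, ev in events.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)

def refine_model(name, likelihood_ratio):
    """Refine Model step: promote confirmed anomalous evidence to an indicator."""
    INDICATORS[name] = likelihood_ratio

EVENTS = {  # constructed sample events
    "ev-1": ["new_user"],
    "ev-2": ["multiple_logins_day", "unusual_html_tag_id", "abnormal_login_device"],
    "ev-3": ["multiple_logins_day", "known_device_and_ip"],
    "ev-4": ["new_user", "bulk_export_after_hours"],  # not yet in the model
}
```

Running `prioritize(EVENTS)` places ev-2 at the top and ev-3 at the bottom, while ev-4 surfaces `bulk_export_after_hours` as unmapped evidence for an analyst to examine.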