We value your opinion. Please contact Dan Schutzer, Dan@fsround.org, if you have comments about this edition of The Innovator.

The Innovator: Big Data and Security

In this issue:
- BITS & BYTES: Big Data and Security, Dan Schutzer, BITS
- The Role of Big Data in Security, Torsten George, Vice President, Agiliance
- Finance: The Value Challenge of Big Data and Actionable Analytics. Is it all Hype?, Lynn Price, Financial Sector Strategist, IBM Security Systems
- Big Data Evolution of Security Intelligence, Tony Spinelli, Equifax
- Identity Fraud: Who, What, Where, How, Stephen Coggeshall, CTO, ID Analytics

Disclaimer: The views and opinions expressed in the enclosed articles are those of the authors and do not necessarily reflect the official policy or position of The Financial Services Roundtable or BITS.

BITS and BYTES: Big Data and Security
By Dan Schutzer, Chief Technology Officer, BITS

This issue of the Innovator explores how the use of Big Data can help to combat fraud and improve security.[1] As Torsten George states in his article, "Given increasingly creative and aggressive hacking, the myriad of regulations, complex technologies (such as the cloud), and high profile data breaches, it's clear the financial services industry has to find new ways to improve security and stop fraud." He goes on to discuss how aggregating and normalizing data from a variety of sources, such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners, can improve situational awareness by exposing exploits and threats in a timely manner and by providing historic trend data to assist in predictive security. He talks about a risk-based remediation process that includes asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and tracking and measurement.

He points out, however, that the mere volume and velocity of this data makes it a challenge to analyze and derive the desired actionable insight, quoting Gartner as saying that "By 2016, 40% of enterprises will actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in [...]."

Lynn Price of IBM discusses a number of important applications of Big Data, including:
- Correlating large volumes of DNS network traffic to identify anomalous DNS behavior and suspicious domains;
- Analyzing the types and sentiment of communications to see behavior trends that may indicate an employee is upset with the company or his or her management;
- Analyzing large data volumes to more accurately derive a continuous risk score; and
- Corroborating a scenario with like events to avoid reaching incorrect judgments.

Lynn stresses that to succeed, it is important to:
1) Understand the data you have
2) Ensure the data is accurate
3) Evaluate your capabilities and technologies to perform the tasks described above
4) Demonstrate value by using conclusions to drive actions
5) Develop and distinguish data quality

In short, while the value proposition is clear, organizations must have the smarts and organizational structure to support big data. This means garnering the skills, constructing the right technology platforms, following through on actionable analytics, and measuring and promoting the business impact.

Tony Spinelli talks about how Equifax is applying intelligence and analytics on terabytes of data to predict behaviors. He notes that a 99% accuracy rate was achieved in blocking transactions which did not meet security requirements. He also discusses algorithms Equifax Security has developed to monitor deviations in web traffic patterns.

Stephen Coggeshall discusses how ID Analytics employs big data analytics on several terabytes of data (derived from collected applications, white pages, credit bureau header records, 3 million confirmed identity fraud events, SSA data, and OFAC lists) to enable better decisions through real-time scoring, and a deeper understanding of the nature and dynamics of identity fraud. The outputs of these analyses are also used to improve tools used to find and prevent occurrences of this continuing problem. He also provides some alarming statistics around identity fraud: more than 20 million people in the U.S. deliberately manipulate their PII in an attempt to improperly obtain products and services; at least one million children have been victims of identity theft; and about 800,000 applications each year use deceased people's identities.

We hope this issue will provide the reader a better appreciation and understanding of the potential benefits and challenges in applying Big Data to help improve cyber security and fight fraud.

[1] Big Data has also been the subject of two CTO Corner articles (It's all about Data, Hadoop and Big Data, [...]

The Role of Big Data in Security
By Torsten George, Agiliance

As the popularity of online and digital service channels in banking and finance has grown, so, too, have the risks of cyber-attacks. These industries are prime targets for advanced persistent threats (APTs) since, as the famous saying goes, "that's where the money is." Recently, several large financial institutions have been subject to cyber-attacks intended to disrupt the availability of their websites. At the same time, the industry has seen world-wide cases of sophisticated data theft and fraud. A recent report by McAfee and Guardian Analytics revealed a new-generation attack method that runs off hijacked servers, which can be changed frequently to avoid detection. The attacks are completely automated, so that hundreds of thousands of consumer accounts can be compromised without even raising the owners' suspicion. With technology outpacing regulatory mandates and the financial services industry's IT infrastructure constantly under attack, it's time for Wall Street to shore up its defenses and leverage big security data to mitigate the risks.

Practical Steps to Minimize Cyber Threats

Financial institutions spend millions of dollars each year to maintain their IT environment and implement some of the most sophisticated computer defenses available today. However, given increasingly creative and aggressive hacking, the myriad of regulations, complex technologies (such as the cloud), and high-profile data breaches, it's clear the financial services industry has to find new ways to improve security and stop fraud. So what practical steps can be taken to minimize cyber threats? Unfortunately, the majority of organizations are still using a check-box mentality as part of a compliance-driven approach to security. This method achieves point-in-time compliance certification rather than improving the company's security posture.

Emerging legislation (such as NIST SP [...], FISMA, FedRAMP, SEC Cyber Guidance, and the pending Cyber Security Act of 2012), stricter enforcement of existing regulations by the Office of the Comptroller of the Currency, and the FCC case against the Wyndham Hotel Group are all forcing organizations to rethink this check-box mentality. The rising tide of insider and advanced persistent threats, mounting regulatory pressure, and the impact of big security data on an organization's operational efficiency have led many progressive organizations to adopt a risk-based approach to security instead. This preventive, pro-active model is based on interconnecting otherwise silo-based security and IT tools and continuously monitoring and assessing the data they generate. In turn, the organization can achieve a closed-loop, automated remediation process that is based on risk.

Continuous security monitoring includes the reconciliation of assets and automation of data classification, alignment of technical controls, automation of compliance testing, deployment of assessment surveys, and automation of data consolidation. It can reduce overlap by leveraging a common control framework, increase accuracy in data collection and data analysis, and reduce redundant as well as manual, labor-intensive efforts by up to 75%.

This approach also implies an increased frequency of data assessments (e.g., on a weekly basis) and requires security data automation: aggregating and normalizing data from a variety of sources such as security information and event management (SIEM), asset management, threat feeds, and vulnerability scanners. The benefits are situational awareness, which can expose exploits and threats in a timely manner, and historic trend data to assist in predictive security.

Lastly, closed-loop, risk-based remediation leverages subject matter experts within business units to define a risk catalog and risk tolerances. This process also entails asset classification to define business criticality, continuous scoring to enable risk-based prioritization, and tracking and measurement. It also dramatically increases operational efficiency, improves collaboration between business, security, and IT operations, and enables organizations to measure security efforts and make them tangible.

The Big Security Data Conundrum

As mentioned earlier, the financial services industry has implemented some of the most advanced computer defense systems anywhere. To ensure proper coverage, many organizations are relying on multiple, best-of-breed, silo-based tools (e.g., fraud and data loss prevention, vulnerability management, or SIEM) to produce the necessary security data. This only adds to the volume, velocity, and complexity of data feeds that must be analyzed, normalized, and prioritized. Unlike adaptive authentication, which is being used to automate behavioral pattern analysis for fraud prevention in the payments industry, many commonly used security tools lack the capability to provide self-analysis. Instead, security operations staff are often required to piece together data from different sources, connect the dots, and detect suspicious patterns that would indicate a cyber-attack or data breach.

Unfortunately, relying on manual processes to comb through mountains of logs is one of the main reasons that critical issues are not being addressed in a timely fashion. According to the Verizon 2012 Data Breach Investigations Report, 92% of breaches were discovered by a third party and not through internal resources. At the end of the day, the ultimate goal is to shorten the window attackers have to exploit a software or network configuration flaw.

Big data sets can assist in putting specific behavior into context, but there are some real technological challenges to overcome. According to Gartner (see "Information Security Is Becoming a Big Data Analytics Problem," written by Neil MacDonald, March 2012), the amount of data required for information security to effectively detect advanced attacks and, at the same time, support new business initiatives will grow rapidly over the next five years. Gartner adds that the amount of data analyzed by enterprise information security organizations will double every year through [...]. By 2016, 40% of enterprises will actively analyze at least 10 terabytes of data for information security intelligence, up from less than 3% in [...]. Following a continuous monitoring approach as promoted by the National Institute of Standards and Technology (NIST) only adds to the big security data conundrum, as an increase in the frequency of scans and reporting exponentially increases the data volume. This raises the question: how can organizations take advantage of big security data without having to hire a legion of new employees?

Solving the Security Risk Management Puzzle

While security monitoring generates big data, in its raw form it remains only a means to an end. Ultimately, information security decision making should be based on prioritized, actionable insight derived from the data. To achieve this, big security data needs to be correlated with its business criticality or risk to the organization. Without a risk-based approach to security, organizations can waste valuable IT resources mitigating vulnerabilities that in reality pose little or no threat to the business. Furthermore, big security data needs to be filtered to just the information that is relevant to specific stakeholders' roles and responsibilities. Not everyone has the same needs and objectives when it comes to leveraging big data.

To deal with big security data and achieve continuous compliance and monitoring, progressive financial services organizations are leveraging Information Security Risk Management (ISRM) systems to automate many manual, labor-intensive tasks. This results in tremendous time and cost savings, increased accuracy, shortened remediation cycles, and overall improved operational efficiency. ISRM systems empower organizations to make threats and vulnerabilities visible and actionable, while enabling them to prioritize and address high-risk security exposures before breaches occur. Ultimately, they can protect against and minimize the consequences of cyber-attacks in the banking and financial services industry and solve the security risk management puzzle.

About the Author: Torsten George is vice president of worldwide marketing and products at integrated risk management vendor Agiliance.

Finance: The Value Challenge of Big Data and Actionable Analytics. Is it all Hype?
By Lynn Price, Financial Sector Strategist, IBM Security Systems

Financial firms are not alone in their quest to bring scientific thinking to big data and to making value assessments, especially as it applies to client-centric applications. They are finding assistance in many forms. For instance, IBM Watson, the computer, is in a pilot program with a leading global bank to help advance customer interactions and improve and simplify the banking experience. Watson's ability to consume vast amounts of information, recognize patterns and make informed hypotheses lends itself to assisting individuals with making informed decisions. In another application of big data, an online payments leader wrote and implemented programs to root out money laundering by identifying patterns of successive payments, all of which were close to the reporting limits. The effort was made as the result of a near business collapse from fraud crimes. Other firms have followed suit and adopted the technology. Leading financial firms are using similar technologies for a variety of purposes, from structuring equity derivatives to reducing loan loss. Use cases of big data can be categorized to help put it in perspective. Below are just a few.

Fraud and Money Laundering

A recent study by Carnegie Mellon [1] validates that the most impactful fraud techniques use low-and-slow tactics that often go unnoticed by traditional discovery and situational awareness processes and tools. Clearly the demand for alternative technology is beckoning. In today's world of continuously available web sites and mobile applications, fraud is eating up financial firms' resources and revenue. Certified examiners (AACFE) have found that crime costs an estimated five to six percent of a company's revenue each year [2].

As the sophistication and use of big data and analytics advance, the ability to convert a cornucopia of raw data into early and actionable responses makes this an appealing weapon against fraud crime. For example, big data analytics can analyze a combination of application data, user data, transaction details, and historical information about users, accounts and their relationships to one another. In the case of insider fraud, expanding data sources to understand intercompany communications and external social media can build linkages in people-to-people communication patterns. It also allows analytics of the types and sentiment of the communications, enabling technology to see behavior trends that may indicate an employee is upset with the company or his or her management.

Profiling Advanced Targeted Attacks

A second top-of-mind use case is the ability to defend against the rising occurrence of targeted attacks. The average time to respond to such attacks today is measured in weeks, well past the window where it is useful to apply protections. The subtle qualities of this kind of attack call for new means of intelligence gathering. There is a defined sequence of events that makes up the anatomy of this threat. The targeted attack is usually initiated with spear phishing attempts and ends with the exfiltration of data. Most technologies today lack the sophistication to sense the subtleties, reconstruct the anatomy and visualize the attack profile. New solutions can help in the reconstruction through the dissection of the attack. For instance, a machine or host can be compromised utilizing a series of DNS requests. Once a host is identified, it can be commandeered to serve as an active and malicious botnet member in the targeted attack. Big data analytics can correlate large volumes of DNS network traffic, identify anomalous DNS behavior and connect it to suspicious domains. Big data analytic solutions can profile the attack much earlier and trigger the response process in time.

Risk Management

A third use case category for big data is risk management and the notion of continuous risk scoring. This trend is currently in place for the Federal Government and is well documented by NIST standards. The financial industry looks to be pursuing a similar path. The platform has four basic levels: sensors, database, analysis/scoring and reporting. Continuous risk scoring requires the ability to take in large data volumes effectively, which are then manipulated and massaged to accurately derive a score. New technologies hold the promise of improving on traditional means, increasing the veracity of the risk score and reducing the overall calculation time.

From a very broad perspective, most business decisions have the potential to benefit from data crunching and analytics. Changes to the security program, from strategies and roadmaps to business operations, controls, and measurements, can be simulated utilizing big data analytics. The impact of these changes to the business can be scored for risk to make timely decisions. These are just a few examples of useful applications for financial firms. What is clear is the potential of big data and all that can be envisioned. However, there are three base elements that challenge the overall viability and value of its realization.

Volume, Velocity and Variety of Data

An organization must utilize and embrace the power of data today, with its soaring volume, velocity and variety, and not run from it. As big data warehouses are architected and constructed, they can be designed to break down business and technology silos, merging data across traditional boundaries that have limited the perspective of what is happening in an environment. The problem of sensing a dried pea under a mountain of mattresses threatens to grow substantially worse as the world becomes hyper-connected. There are two technologies that have actually been around for some time but now have much improved performance and computing capabilities, making it possible to simplify some of the variety (structured and unstructured) of data and its velocity (streams of data flowing over constantly running queries) [3]. Technologies that enable Big Data processing, such as Hadoop and stream computing, provide deep contextual meaning to data in a much improved and actionable time-frame. Hadoop is an open source data framework that allows applications to work with thousands of computation-independent computers and large amounts of data. Interestingly, Hadoop was originally developed by engineers working at Yahoo who were tasked with supporting Internet search engines. Hadoop provides flexibility, as it is schema-less and can store any type of data, structured or not. Data from multiple sources can be glued together in simple ways, thus allowing for greater interrogation.

In order to make use of this eclectic assortment of unstructured text data, technology must be able to extract and contextualize the data. It must be able to selectively pull out nouns and verbs, subjects and predicates, and determine meaningful conclusions (opinions and sentiment). For example: "Joe Sonders came into the bank three times this week. He deposited cash just below the regulated limit each time." These conclusions must then compound further into scenarios related to people, locations and businesses. Great, you say, but there is more. If a scenario is not corroborated by other scenarios with similar facts and figures, it runs the risk of leading to a false conclusion. As a specific scenario about a person evolves, it is important to corroborate it with like events to avoid reaching incorrect judgments about events, judgments that could range from credit worthiness to criminal activity. By comparing scenarios, the identification of similarities improves the veracity of the analytics. See Figure 1 below, where an individual deposit may not appear unusual, but in the context of multiple deposits it may well be an exception.

Figure 1
Name               Date        Type      Address                    Amount
Jo Sonders         1/25/2012   deposit   [...]th St, Oakland, CA    $47,231
Josie Sonders      3/5/2012    deposit   44 12th St, Oakland, CA    $48,222
Jo Sonders-Ryder   9/16/2012   deposit   Clamont, NE                $49,123

The next advancement is to merge relevant text data from Hadoop with video scene analysis. Running traditional statistical analyses such as decision trees and linear regressions on text, video and structured data is powerful stuff, especially when fused with scenario corroboration. Further, streaming analytic technologies provide the ability to perform trend analyses on structured and unstructured data in motion. Capturing data in motion greatly enhances the time to respond, as it sees the data coming into the environment.
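The corroboration step described above, as an added example that is not code from the article or from IBM: the three Figure 1 deposits are linked across name variants and the scenario is flagged only when several near-limit events corroborate each other. The $50,000 reporting limit, the $45,000 "just below" floor, the three-event threshold, the name-linking rule and the sample deposits are all constructed assumptions.

```python
"""Scenario corroboration for near-limit cash deposits (added example).

Mirrors the Figure 1 idea: three deposits by name variants of one person,
each just under a reporting limit. Limit, floor, event threshold, the
name-linking rule and the sample deposits are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

REPORTING_LIMIT = 50_000   # assumed limit; the Figure 1 amounts sit just below 50k
NEAR_LIMIT_FLOOR = 45_000  # "just below" = within 10% of the limit (assumption)
MIN_CORROBORATING = 3      # like events needed before a scenario is flagged (assumption)


@dataclass(frozen=True)
class Deposit:
    name: str
    date: str
    city: str
    amount: int


def entity_key(name: str) -> str:
    """Collapse name variants onto one key: the surname (first part of a
    hyphenated surname) plus the first two letters of the given name.
    A deliberately simple linking rule for illustration, not production use."""
    tokens = name.strip().split()
    given, surname = tokens[0], tokens[-1].split("-")[0]
    return f"{surname.lower()}:{given[:2].lower()}"


def is_near_limit(amount: int) -> bool:
    """True for a deposit that stays under the limit, but only just."""
    return NEAR_LIMIT_FLOOR <= amount < REPORTING_LIMIT


def corroborate(deposits):
    """Group near-limit deposits by linked entity and return only the groups
    with enough like events. A single near-limit deposit is not unusual on
    its own; the scenario emerges from the set."""
    groups = defaultdict(list)
    for d in deposits:
        if is_near_limit(d.amount):
            groups[entity_key(d.name)].append(d)
    flagged = {}
    for key, events in groups.items():
        if len(events) >= MIN_CORROBORATING:
            flagged[key] = {
                "events": len(events),
                "total": sum(e.amount for e in events),
                "names": sorted({e.name for e in events}),
                "locations": sorted({e.city for e in events}),
            }
    return flagged


# Constructed sample: the three Figure 1 deposits plus unrelated records.
SAMPLE = [
    Deposit("Jo Sonders", "1/25/2012", "Oakland, CA", 47_231),
    Deposit("Josie Sonders", "3/5/2012", "Oakland, CA", 48_222),
    Deposit("Jo Sonders-Ryder", "9/16/2012", "Clamont, NE", 49_123),
    Deposit("Pat Example", "2/2/2012", "Denver, CO", 48_500),  # one event only
    Deposit("Jo Sonders", "4/1/2012", "Oakland, CA", 12_000),  # not near the limit
]

if __name__ == "__main__":
    for key, info in corroborate(SAMPLE).items():
        print(key, info)
```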
In summary, there are four capabilities required to derive actionable value from big data and analytics:
- Effectively extract data at rest and in motion;
- Derive meaning and knowledge from the acquired data store;
- Construct opinions and patterns based on multiple scenarios, resulting in situational awareness; and
- Perform predictive modeling using scientific-method reasoning.

These use cases and technical capabilities can now be evaluated and applied, but firms must ensure that big data is not just bigger data.

If you are an influencer in your financial firm and you have the authority to propel your big data analytics program, here is where you need to start:
1) Understand the data you have
2) Ensure the data is accurate
3) Evaluate your capabilities and technologies to perform the tasks described above
4) Demonstrate value by using conclusions to drive actions
5) Develop and distinguish a data quality team [4]

While the value proposition is clear, FSS organizations must have the smarts to make sure they are strategically planning the desired outcomes and creating the organizational structure to support big data. This means garnering the skills, constructing the right technology platforms, following through on the actionable analytics, and then measuring and promoting the business impact.

Lynn Price has over 25 years' experience in the Information Technology arena, with broad expertise in the IT application, networking and security domains. She has held many leadership and management positions advising IT Strategic Outsourcing clients on their overall IT and security management strategies and programs. She has focused expertise and deep insights in the financial sector. She is currently a Security Strategist for the Financial Sector for IBM Security Systems. In that capacity she provides business collateral to external and internal clientele with leading trends, insights and best practices in a fast-changing IT security world.

[3] http://www.ibm.com/software/data/infosphere/hadoop
[4] [...]Management/informationweek-november[...]html

Big Data Evolution of Security Intelligence
By Tony Spinelli, Equifax

Equifax Security continually challenges itself to pioneer creative and innovative methods of leveraging data and security intelligence to protect the enterprise. As has been the case since it began as a company in 1900, Equifax specializes in data and analytics. This is no different in the area of security, where the data itself is a key element of protection, and data flows of all types are utilized to identify deviations from previously established patterns of behavior. The Equifax Cyber-Security Intelligence Center (CIC) has gained unprecedented visibility and leveraged data for protection in unique and meaningful ways through the use of what has recently been coined "big data analytics." This has been accomplished through the implementation of self-protecting credit data, automated analytics, and the application of security intelligence to monitoring practices.

Compliance requirements have historically been the primary motivator for SIEM (Security Information and Event Management) implementations. Initial implementations of the technology primarily focused on log collection and correlation and served to meet the requirements established by various compliance mandates and regulations. These early SIEMs produced output required by auditors in the form of reports based on logged activity and also served as a repository of activity when investigating events surrounding a past security incident. However, they provided little to no value in proactively identifying a possible or future security issue, generally only serving as a rear-view mirror after a security event had been identified. The past success of SIEM is unfortunately unimpressive, calling into question the investments into such platforms as a whole.

However, solutions are still needed not only to provide auditing and reporting for regulatory and compliance requirements, but, most importantly, to protect organizations from today's ever-changing, sophisticated and increasing threats. Due to the failing state of SIEM and the current attack landscape, organizations must innovate in order to improve their ability to quickly identify security issues and respond proactively and in near real time. Further, organizations must evolve from a reactive mode of operations into becoming predictive through intelligence-driven analytics and automation.

Equifax Security began to utilize information to protect that same information in [...]. This was accomplished by developing a process to leverage credit data, traditionally used by the business but now for security purposes, to identify itself with precision and block any undesirable or unauthorized transactions. To do so, terabytes of data were analyzed and reduced into a five-gigabyte hash file. That file was then fed into already deployed Data Loss Prevention systems in order to perform content matching. Through the implementation of this process a 99% accuracy rate was achieved, empowering the CIC to block any transactions which did not meet security requirements. This process is currently under patent (2009/0205,051) and has been expanded to incorporate additional important data elements unique to Equifax. This ability to ensure data storage and movement are within compliance of security policy has prevented the opportunities for data loss that many organizations have experienced over the years.

A second area of innovation has been applying intelligence and analytics to predict behaviors. To predict behaviors, massive log information is analyzed in order to ascertain new information for threat and fraud detection, as well as decision making. This was first established by deploying network-based sensors across the global network, with added focus on areas housing credit data. Utilizing an understanding of general business operations, rules have been developed in order to identify deviations from baseline activity. For example, an auto dealership that increases credit inquiries by 350% has either just started a magnificent sale or financing offer, or has a fraudulent associate. History tends to support the latter. Through the intelligence and analytics built into transaction monitoring, Equifax Security is able to quickly identify such outliers and work with our customers and law enforcement to take appropriate action when necessary.

Relative to malware and hacking, similar methodologies can be utilized. Though Equifax Security has taken extraordinary measures to prevent malware installation and execution, we have also prudently created checks and balances to ensure those controls are functioning as designed. These balances again come from analyzing logs for variances in typical behavior. As today's malware generally operates over protocols provisioned across enterprise environments, such as HTTP and HTTPS, Equifax Security has developed algorithms to monitor deviations in web traffic patterns. Traffic analysis has shown user behavior and business practices in the area of web connectivity to be fairly static. A user generally tends to visit a set number of web sites a day, and generally visits those same web sites daily. Similarly, business practices functioning over these protocols are also static. This being the case, the CIC has developed rules to identify deviations from normal behavior, such as a web site that an Equifax system or user has connected to for the first time, where no other user or system has ever connected before, and to flag them for additional investigation. Such behaviors drive rules that have proven useful in identifying systems that have become infected with unwanted or malicious software, after which incident response processes are followed. An additional layer of intelligence applied against the logs will highlight any connectivity to sites which have been identified as having nefarious intentions. Once again, these systems are investigated for either legitimate purposes or the presence of malicious software.

Finally, as security tool logs often generate millions of alerts daily for review, it's imperative that analysts have a tool which enables them to quickly identify and act on truly suspicious or malicious activity. Log analytics at Equifax drive efficiency and effective monitoring practices by automatically separating alerts and directing analysts to the highest-priority issues. This, again, is achieved through applying intelligence to the myriad of logs collected in order to identify the most severe and most utilized threats, enabling the identification of attackers who may be targeting your networks and systems in an inconspicuous manner.

Implementing these controls and processes is often complex and encounters resistance from business partners. Often a phased approach must be taken in order to achieve success in stages, rather than trying to implement multiple changes to existing standards and processes at once. Through our experience, the following lessons have been learned:

- Define required fields early in the project and ensure you are consistent across all similar log types. Standard logging formats for most webserver products do not provide key data elements required for advanced analysis. Evaluate whether elements like User Agent, Referrer URL, and Hostname are required and include them in a logging standard prior to implementation.

- Truncation of logs is an issue when working with legacy syslog implementations. The default syslog daemons on many UNIX systems (Solaris, AIX, BSD, etc.) are not able to send syslog via TCP. UDP syslog will truncate logs around 1500 bytes. Replacing the default syslog daemon with syslog-ng or rsyslog is the best option for ensuring TCP delivery is supported and truncation will not occur.

- Most webservers, including Apache, do not natively support syslog for log delivery. Logs from Apache can be piped to another application, allowing for real-time log delivery. Be cautious of the tool you choose and do proper testing. We standardized on logger (a CLI interface to syslog). logger has the advantage of writing to a UNIX socket locally on the system; syslog is then responsible for log delivery from that point. In testing, applications such as NetCat functioned, but would hold server threads open if a network socket was lost. Proper testing of a solution is imperative to ensure no impact on production traffic.

Identify logs that can provide the most value at the least cost (in EPS or device count). VPN authentication logs are an obvious choice to identify remote access anomalies; consider VPN concentrator logs instead. The VPN concentrator logs will typically provide Username and Authentication status (Accepted or Failed) in addition to IP address information that is not found in the authentication logs. Equifax Security utilizes the connecting IP from VPN logs and, through geolocation, we are able to identify travel anomalies such as impossible travel. For example, if a user connects via VPN from the USA and is then identified as connecting from Brazil a short time later, an alert is triggered for analyst review.

Perspective is important for developing analysis rules. Make sure to take time to define your networks. You will find that defining different rules for internal traffic and external traffic allows you to set the appropriate thresholds.

Real time is important for threat identification. Many log sources, like Windows, do not natively support a real-time logging format such as syslog. Ensure your solution has a way to enable real-time logging on these platforms. In order to do proper threat analysis, real-time data feeds are needed for proper trending and identification of threats in a timely manner.

Communicate. Ensure that any affected business partners within your organization are aware of and supportive of the initiative prior to launch. Some systems may require software updates, and perhaps hardware refreshes, in order to support logging requirements. Identifying such systems early will allow for appropriate budgeting in order to accomplish the objective.

Innovation is a primary objective of Equifax Security, in order to create, develop and deliver additional methods that utilize data analysis and intelligence to provide information protection. This evolution is required as the threat landscape and adversaries also continually change.
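The impossible-travel rule from the VPN lesson above, as an added example that is not Equifax's code: it parses a constructed VPN concentrator log format, looks up each connecting IP in a constructed table standing in for a GeoIP database, and alerts when the speed implied by two consecutive accepted logins from one user exceeds an assumed 900 km/h threshold.

```python
"""Impossible-travel detection over VPN concentrator logs.

Added example, not Equifax's code. The log format, the IP-to-location table
(standing in for a GeoIP database) and the 900 km/h threshold are assumptions.
"""
import math
import re
from datetime import datetime, timezone

# Constructed sample records: one "Accepted"/"Failed" line per VPN authentication.
SAMPLE_LOGS = """\
2013-04-02T08:15:00Z vpn user=alice status=Accepted src=198.51.100.23
2013-04-02T09:40:00Z vpn user=alice status=Accepted src=203.0.113.77
2013-04-02T10:05:00Z vpn user=bob status=Failed src=203.0.113.77
2013-04-02T11:30:00Z vpn user=bob status=Accepted src=198.51.100.23
2013-04-03T07:00:00Z vpn user=bob status=Accepted src=192.0.2.10
"""

# Constructed stand-in for GeoIP: IP -> (latitude, longitude, label), documentation ranges only.
GEO_TABLE = {
    "198.51.100.23": (33.75, -84.39, "Atlanta, US"),
    "203.0.113.77": (-23.55, -46.63, "Sao Paulo, BR"),
    "192.0.2.10": (41.88, -87.63, "Chicago, US"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) status=(?P<status>\S+) src=(?P<src>\S+)$")

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "status": m["status"], "src": m["src"]}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(log_text, geo=GEO_TABLE, max_kmh=MAX_PLAUSIBLE_KMH):
    """Alert when consecutive accepted logins by one user imply travel faster than max_kmh."""
    last = {}  # user -> last accepted login (time, source IP, location)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["status"] != "Accepted":
            continue  # failed attempts do not establish where the user is
        loc = geo.get(ev["src"])
        if loc is None:
            continue  # no geolocation available: the rule cannot judge this login
        prev = last.get(ev["user"])
        if prev is not None and prev["src"] != ev["src"]:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600.0
            dist = haversine_km(prev["loc"][0], prev["loc"][1], loc[0], loc[1])
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append({"user": ev["user"], "from": prev["loc"][2], "to": loc[2],
                               "km": round(dist), "hours": round(hours, 2), "kmh": round(speed)})
        last[ev["user"]] = {"ts": ev["ts"], "src": ev["src"], "loc": loc}
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGS):
        print(alert)
```

Known VPN exit points, corporate proxies and mobile carrier ranges geolocate poorly and should be allow-listed before this rule goes to analysts, or it will page on legitimate sessions.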
While they will continue to be an important foundation, signature-based alerts must no longer be the focus for security teams. Instead, security groups will need to mature into utilizing behavioral data analytics to identify nuances within the environment that may be important. Information security is no longer about collecting logs to review once an issue is known. This intelligence must be used to identify and disrupt adversary activity before significant damage can be achieved.

Tony Spinelli is Senior Vice President, Chief Security Officer for Equifax, Inc. In this role, Mr. Spinelli oversees five global organizations, including Security Compliance & Risk, Security Operations, Physical Security, Security Engineering, and Investigations and Fraud. Prior to joining Equifax, Mr. Spinelli was Vice President, Chief Information Security Officer for First Data Commercial Services. Previous to First Data, he was a National Director at Ernst & Young's Security and Risk practice, where he was also a founder of esecurityonline, an Ernst & Young Ventures Company. With deep industry expertise, Mr. Spinelli was honored to be appointed as a member of the Board of the US Department of Defense and National Security Agency. He also maintains an external presence on corporate advisory boards of leading information security companies and is a member of CredAbility's Board of Directors. Mr. Spinelli earned a BS in Finance from Saint Louis University, and received his MBA in the Executive Program at Washington University. He maintains CISSP accreditation.

Identity Fraud: Who, What, Where, How
By Stephen Coggeshall, CTO, ID Analytics

Who is committing identity fraud? How? And where does it occur? These are some of the questions we strive to answer by applying advanced analytics to very large, real-time data flows. These data flows include information from applications for credit, requests for change of address, new checking account openings and a variety of loan applications such as mortgage, auto and payday.

First, who are we and what do we see? In 2002, ID Analytics set out to help organizations combat identity fraud by delivering better visibility into identity use and misuse. We deliver scores that help organizations judge the potential risk of identity fraud associated with engaging with a consumer. Classic identity fraud usually occurs at account origination, so we initially scored account applications. We now also score other identity risk events such as change of address, new check orders and other transactions that may pose a risk of identity fraud. Today ID Analytics scores credit card applications for eight of the top 10 credit card issuers in the U.S., and cell phone service applications for four of the top five wireless providers. We also score many applications for retail store credit, payday loans, auto loans and other identity risk events. These events fuel our ID Network, a cross-industry compilation of data specifically built to detect identity fraud. ID Analytics has amassed the largest repository of reported identity fraud events in the world using client contributor data. In addition to protecting organizations, ID Analytics also powers a service that alerts consumers via email or text when their identity is being used, potentially without their permission. The service is made available to consumers by a number of leading consumer identity protection service providers, including our parent company LifeLock.
Advanced Analytics on Big Data

ID Analytics has collected several terabytes of data to be available to our products. Our ID Network data consists primarily of:

- Approximately two billion applications for credit products and cell phones
- Applications for other services, such as utilities
- U.S. white pages phone history
- Credit bureau header records (personal identifying information, PII)
- Approximately three million confirmed identity fraud events
- Hot addresses and the OFAC list
- Social Security number (SSN) area group tables and the Social Security Administration's Death Master File

Our solutions examine this data in real time for decisions, scores and recommendations. Following is an example of how our identity fraud solutions calculate a score:

1. Receive a score request, typically containing SSN, name, address, date of birth, phone, email and IP address.
2. Examine the PII listed on the event and extract from our ID Network all other events that may be related, using about a dozen linking keys (such as SSN, phone, address and email).
3. Construct the connectivity pattern of all related past events and how they connect to this current event.
4. Encode this connectivity pattern into hundreds of expert variables tuned for the particular business need of the score.
5. Pass these variables into the previously built machine learning algorithm.
6. Calculate the score and a handful of score reason codes.
7. Encrypt this result and pass it back to the customer, all in under 1 second turnaround time.

ID Analytics uses a variety of machine learning algorithms, including boosted random forests, Bayesian nets, neural networks, support vector machines and others. The company is continuously modifying modeling and learning algorithms, as well as building new classes of specialized variables. In order to solve fraud detection problems, our solutions must have visibility into real-time, continuously refreshed data. A fraudster may apply for multiple credit cards, loans or services across multiple industries. Our systems will identify such patterns in this real-time data flow. One of the most difficult and important requirements is for a score to be aware of previous, related events that occurred even seconds before. To do this, our constructed connectivity patterns must be both computed in real time and current as of real time, both of which are difficult to accomplish when working with these large data sets.

What is Identity Fraud?

Let's start with ID Analytics' definition of identity fraud, the problem we are specifically seeking to resolve. Identity fraud is the act of misrepresenting which person you are in order to improperly obtain products or services, or to avoid detection. We make the distinction between classic identity fraud and lost/stolen credit cards, which most consumers also consider to be identity fraud. One main distinction here is that lost/stolen fraud only affects that particular account, whereas in classic identity fraud a fraudster can cause greater harm through misuse of your personal identifying information (such as name, SSN and date of birth), because this allows him to open new accounts using a stolen identity.
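The score-calculation steps listed above, as an added example that is not ID Analytics' code or model: a constructed event history stands in for the ID Network, four assumed linking keys (SSN, phone, address, email) pull in related events, a handful of assumed expert variables encode the connectivity pattern, and a transparent weighted rule stands in for the trained machine learning model.

```python
"""Scoring an identity-risk event from its connectivity pattern.

Added example, not ID Analytics' code or model. A constructed event history
stands in for the ID Network; the linking keys, expert variables, weights and
the 1-999 score range are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime

LINK_KEYS = ("ssn", "phone", "address", "email")  # assumed subset of the "dozen linking keys"


def _ev(eid, ts, ssn, name, phone, address, email):
    return {"id": eid, "ts": ts, "ssn": ssn, "name": name, "phone": phone,
            "address": address, "email": email}


# Constructed, fictitious history. Events 3-5 are a burst of applications
# seconds apart that share a phone and address but assert different SSNs.
HISTORY = [
    _ev(1, "2013-03-01T10:00:00", "000-11-1111", "JANE ROE", "555-0100", "1 MAIN ST", "jane@example.com"),
    _ev(2, "2013-03-05T12:00:00", "000-11-1111", "JANE ROE", "555-0100", "1 MAIN ST", "jane@example.com"),
    _ev(3, "2013-04-02T09:59:30", "000-22-2222", "JOHN DOE", "555-0199", "9 ELM AVE", "jd1@example.net"),
    _ev(4, "2013-04-02T09:59:50", "000-33-3333", "JON DOE", "555-0199", "9 ELM AVE", "jd2@example.net"),
    _ev(5, "2013-04-02T09:59:55", "000-44-4444", "J DOE", "555-0199", "9 ELM AVE APT 2", "jd3@example.net"),
]

# Two constructed score requests arriving at 10:00:00.
BURST_REQUEST = _ev(None, "2013-04-02T10:00:00", "000-55-5555", "JOHN DOE", "555-0199", "9 ELM AVE", "jd4@example.net")
REPEAT_REQUEST = _ev(None, "2013-04-02T10:00:00", "000-11-1111", "JANE ROE", "555-0100", "1 MAIN ST", "jane@example.com")


def related_events(request, history, hops=2):
    """Step 2: pull every past event reachable from the request through shared linking keys."""
    index = defaultdict(set)  # (key name, key value) -> event ids asserting it
    by_id = {}
    for ev in history:
        by_id[ev["id"]] = ev
        for k in LINK_KEYS:
            if ev.get(k):
                index[(k, ev[k])].add(ev["id"])
    seen = set()
    frontier = {(k, request[k]) for k in LINK_KEYS if request.get(k)}
    for _ in range(hops):  # bounded expansion keeps this tractable on a large network
        new_ids = set()
        for key in frontier:
            new_ids |= index.get(key, set())
        new_ids -= seen
        if not new_ids:
            break
        seen |= new_ids
        frontier = {(k, by_id[i][k]) for i in new_ids for k in LINK_KEYS if by_id[i].get(k)}
    return [by_id[i] for i in sorted(seen)]


def expert_variables(request, related, window_s=60):
    """Step 4 (reduced): encode the connectivity pattern as a few assumed variables."""
    t0 = datetime.fromisoformat(request["ts"])
    ssns = {request["ssn"]} | {e["ssn"] for e in related}
    names = {request["name"]} | {e["name"] for e in related}
    # Events only seconds old must already be visible: the "real-time current" requirement.
    recent = [e for e in related
              if 0 <= (t0 - datetime.fromisoformat(e["ts"])).total_seconds() <= window_s]
    return {"n_related": len(related), "distinct_ssn": len(ssns),
            "distinct_names": len(names), "n_recent_60s": len(recent)}


# Assumed weights standing in for the trained model (step 5).
WEIGHTS = {"distinct_ssn": 150, "distinct_names": 100, "n_recent_60s": 200}


def score_request(request, history):
    """Steps 2-6: related events -> variables -> score plus reason codes."""
    related = related_events(request, history)
    v = expert_variables(request, related)
    contributions = {
        "distinct_ssn": WEIGHTS["distinct_ssn"] * (v["distinct_ssn"] - 1),
        "distinct_names": WEIGHTS["distinct_names"] * (v["distinct_names"] - 1),
        "n_recent_60s": WEIGHTS["n_recent_60s"] * v["n_recent_60s"],
    }
    score = max(1, min(999, 50 + sum(contributions.values())))
    reasons = [k for k, c in sorted(contributions.items(), key=lambda kv: -kv[1]) if c > 0][:3]
    return {"score": score, "variables": v, "reason_codes": reasons}


if __name__ == "__main__":
    for label, req in (("burst", BURST_REQUEST), ("repeat", REPEAT_REQUEST)):
        print(label, score_request(req, HISTORY))
```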
Types of Identity Fraud

Lost/Stolen Account. A fraudster becomes aware of enough information around a specific account to impersonate a victim for account-level activity. This manifests itself as unauthorized transactions such as credit card charges or possibly unauthorized money transfers. This type of fraud is limited to the account level and, as mentioned above, is not generally considered classic identity fraud.

Identity Theft. This is when a fraudster targets a specific real individual and assumes his persona. It typically manifests itself as unauthorized new account openings in the victim's name/identity. In this mode of fraud, the imposter is aware that he is improperly representing himself as a specific, real person.

Synthetic Identity Fraud. The fraudster fabricates a new and false identity that is not related to a real person and does not exist. The perpetrator will invent a unique set of PII, then attempt to establish the existence of this invented identity. This may be accomplished through the repeated presentation of this collection of fictitious PII through various product applications and channels, with the intention of establishing this synthetic identity in the many existing credit-related databases to be misused at a later time. There may be some unintended overlap with real PII, but the core identity is artificial.

Identity Manipulation. In this mode, a fraudster will make what may be slight and/or subtle variations to his true PII in the hope of confusing the system, to avoid having the application associated with his true identity. The fraudster may increment one digit of his SSN, or the month, day or year of his date of birth, or interchange SSN digits, or otherwise manipulate his real PII in an attempt to prevent the application process from linking the presented application to the fraudster. Identity manipulators may apply for products using slight variations of their true identity to attempt to avoid past delinquent history. Sex offenders and illegal immigrants commit identity manipulation to live under aliases to avoid detection, while other identity manipulators seek to gain improper access to health care or government services and benefits.

The following table summarizes the main types of identity fraud, along with descriptions of the victims, the nature of the improper misrepresentation and some methods to catch the fraud.

Table 1. Summary of the Different Modes of Identity Fraud

Who is the victim
- Identity Theft: The person whose identity is being misused. The company providing the product or service is also a victim.
- Identity Manipulation: The company providing the fraudulently obtained product or service is the victim.
- Synthetic Identity: The company providing the fraudulently obtained product or service is the victim.

Nature of the misrepresentation
- Identity Theft: Typically SSN, name and date of birth belong to the victim; address and phone number are associated with the fraudster.
- Identity Manipulation: SSN, date of birth and/or name vary slightly from what's correct.
- Synthetic Identity: SSN, name and date of birth are fabricated or chosen randomly.

Signals to find/catch the fraud
- Identity Theft: Unusual activity around the SSN, name, date of birth, address and phone.
- Identity Manipulation: Look for systematic variations around the PII to differentiate them from simple typos.
- Synthetic Identity: Closely examine the first instances of a PII assertion.

Summary
- Identity Theft: Victim's core identity
- Identity Manipulation: Fraudster's core identity
- Synthetic Identity: No core identity

ID Analytics Tools and Visibility into Identity Fraud

Previously we briefly described the data flow into the ID Network, from which we can build a number of special tools and services and perform specific analysis of the dynamics of identity fraud. In this section we describe some of the tools and processes we have built.

ID Score. Scores an event for the likelihood that it is an identity fraud attempt. The events scored include account applications, new check orders, changes of address or other PII, and online payments. ID Analytics examines the PII (SSN, name, address, phone, date of birth, email) for inconsistencies and anomalous associations that might indicate misuse.

My ID Score. Determines an individual's risk of being a victim of identity fraud. We examine the activity around that individual's PII in our data network and quantify anomalies potentially associated with identity fraud.

ID Resolution. Examines an asserted set of PII to determine the unique person behind the assertion and provides a confidence measure.

Identity Manipulation (IM). Examines the multitude of variations of asserted PII at the person level, and quantitatively assesses the amount of intentional manipulation around SSN, date of birth, name and address. For each of more than 300 million individuals in the U.S. we have calculated an Identity Manipulation Score that quantifies such intentional and improper manipulation.

Consumer Notification Service ("Not Me"). Alerts consumers enrolled in identity theft protection services when their identity is being used, potentially without their permission. When the system detects the use of an enrolled consumer's PII, it sends a near real-time alert that allows the consumer to respond "that's not me." If the consumer confirms his identity was used without his permission, the service notifies the organization to shut down the transaction (account application, change of address, online payment, etc.).

These solutions allow us to examine the flow of events and perform detailed analysis and research into the dynamics of identity fraud.

Discovering Identity Manipulation

ID Analytics has identified and defined a mode of identity fraud that we call identity manipulation. Here the fraudster makes slight variations to his own PII on applications for products or services with the intention of sufficiently confusing the system that the application will not be matched to the fraudster's true identity. This is done to avoid linking the submitted application to bad activity in either the past or the future. Using our ID Resolution capability, we assign to every one of the billions of events and identity occurrences in our ID Network a unique label that identifies the specific person behind that event or PII occurrence. We then sort by this unique person label into 317 million unique people that we have seen in the U.S.
We note that tens of millions of these unique identities are deceased, and some are likely illegal aliens. Most of our visibility is into the credit-active population (including cell phones), so our visibility is not deep for individuals under the age of 18. Once the process of assigning unique person labels is completed, we have the ability to examine the explicit variation of PII around each of these 317 million individuals. We see much variation that falls into several categories, in particular:

- Normal, expected variations: first name nickname variations (John, Johnny, Jon, Jack, etc.); multiple last names (very common in our society, where many women take their husband's last name); use of initials for first or middle names; first/middle/last name misparsing.
- Typos: single or infrequent instances of one or more misplaced characters in any PII, particularly the SSN, date of birth, address, phone or name fields.
- Improper deliberate variations: instances of frequent or systematic variations in SSN or date of birth; more than one first name, excluding nicknames; more than four or five last names; or frequent suspicious subtle address variations.
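The three categories of PII variation above, as an added example that is not ID Analytics' algorithm: constructed, fictitious assertions already resolved to one person are split into a canonical value, typos and deliberate variations, where repeated use of a variant or several one-off variants stepping the same digit count as deliberate and an isolated multi-digit slip counts as a typo. The nickname table, thresholds and weights are assumptions.

```python
"""Quantifying deliberate PII variation around one resolved person.

Added example, not ID Analytics' Identity Manipulation algorithm. It applies
the page's split (normal variation / typo / deliberate variation) to
constructed, fictitious assertions; nickname table, thresholds and weights
are assumptions.
"""
from collections import Counter

# Assumed nickname table: variant -> canonical first name (a "normal" variation).
NICKNAMES = {"JOHNNY": "JOHN", "JON": "JOHN", "JACK": "JOHN",
             "BILL": "WILLIAM", "WILL": "WILLIAM", "LIZ": "ELIZABETH", "BETH": "ELIZABETH"}


def canonical_first(name):
    name = name.upper()
    return NICKNAMES.get(name, name)


def diff_positions(a, b):
    """Indices where two equal-length digit strings differ (None if lengths differ)."""
    if len(a) != len(b):
        return None
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def classify_numeric(values):
    """Split observed SSN/DOB digit strings into canonical, typo and deliberate variants."""
    counts = Counter(values)
    canonical, _ = counts.most_common(1)[0]  # the value the person uses most
    deliberate, typo = [], []
    single_pos = {}  # digit position -> one-off variants differing from canonical only there
    for v, n in counts.items():
        if v == canonical:
            continue
        if n >= 2:
            deliberate.append(v)  # repeated use is not an accidental slip
            continue
        pos = diff_positions(canonical, v)
        if pos is not None and len(pos) == 1:
            single_pos.setdefault(pos[0], []).append(v)
        else:
            typo.append(v)  # isolated multi-digit slip
    # Two or more one-off variants stepping the same digit form a pattern, not a typo.
    for vs in single_pos.values():
        (deliberate if len(vs) >= 2 else typo).extend(vs)
    return {"canonical": canonical, "deliberate": sorted(deliberate), "typo": sorted(typo)}


def manipulation_score(assertions, max_last_names=5):
    """Assumed weighting of the deliberate-variation flags for one person."""
    ssn = classify_numeric([a["ssn"] for a in assertions])
    dob = classify_numeric([a["dob"] for a in assertions])
    firsts = {canonical_first(a["first"]) for a in assertions if len(a["first"]) > 1}  # initials ignored
    lasts = {a["last"].upper() for a in assertions}
    flags = {
        "ssn_deliberate": len(ssn["deliberate"]),
        "dob_deliberate": len(dob["deliberate"]),
        "extra_first_names": max(0, len(firsts) - 1),
        "excess_last_names": max(0, len(lasts) - max_last_names),
    }
    score = (10 * flags["ssn_deliberate"] + 10 * flags["dob_deliberate"]
             + 5 * flags["extra_first_names"] + 2 * flags["excess_last_names"])
    return {"score": score, "flags": flags, "ssn": ssn, "dob": dob}


def _assertions(rows):
    return [{"first": f, "last": l, "ssn": s, "dob": d} for f, l, s, d in rows]


# Constructed, fictitious assertions for one resolved person (SSNs use the invalid 000 area).
MANIPULATOR = _assertions([
    ("JOHN", "ALMONE", "000112222", "19690717"),
    ("JOHN", "ALMONE", "000112222", "19690717"),
    ("JOHN", "ALMONE", "000112222", "19690717"),
    ("JOHNNY", "ALMONE", "000112222", "19690717"),
    ("JON", "CALHONE", "000112223", "19690717"),      # SSN last digit stepped +1
    ("JACK", "CALHOON", "000112224", "19690717"),     # SSN last digit stepped +2
    ("RICHARD", "THOMPSON", "000112299", "19690718"),  # SSN slip; DOB day stepped +1
    ("RICHARD", "TOMSON", "000119222", "19690719"),   # SSN variant used twice; DOB day +2
    ("J", "TOMPSON", "000119222", "19700717"),        # initial only; DOB year slip
])
CLEAN = _assertions([("JANE", "ROE", "000334444", "19800101")] * 3)

if __name__ == "__main__":
    print(manipulation_score(MANIPULATOR))
    print(manipulation_score(CLEAN))
```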

We have constructed an algorithm to identify and quantify the extent of improper and deliberate PII variations while ignoring the many occurrences of these normal variations and typos. We have assigned a numerical score around these variations, called an Identity Manipulation Score, and have scored the entire 317 million people we see in the U.S. to determine the extent to which they deliberately and improperly manipulate their identity. We can examine this list from the worst offenders downward, and have found that about eight percent of the U.S. population (more than 20 million people) appears to have engaged in such improper manipulation.

Table 2 below shows the PII variation for a severe identity manipulator. We have modified the personal information in this example to protect the privacy of the individual; however, the important interrelationships in the variations have been preserved. In this table the data is presented in columns showing the different variations in each of the column fields. The data is not coincident across the rows, so the field interrelationships are not shown. In this example we see many variations of first and last names, first names of clearly different genders, 24 different SSNs used and 11 different dates of birth. We see systematic variation around both SSN and dates of birth. We also see some examples of likely address manipulation, specifically the variations around Falcon Dr, Leonard St and Dorman St. In these instances, the physical mail is likely delivered correctly by the local carrier, but address matching processes do not link the addresses.

Table 2. Example of an identity manipulator using repeated, systematic PII variations. The data is in column format, and the data across the rows are not coincident.
First Name: IRENE, LAQUINTA, LAQUITA, LAQUITE, LAQUTA, LEQUITA, QUITA, RENEE, RICHARD
Last Name: ALMONE, CALHONE, CALHOON, THOMPSON, TOMSON
SSNs: (24 values; the digits are not recoverable from the source)
DOBs: /7/, /21/, /27/, /7/, /16/, /17/1969, /20/, /27/, /27/, /27/, /27/ (11 values; only these fragments are recoverable from the source)
Address: ALGONQUIN AVE, SCRUB OAK CT, TERRACE TRL, PARK BLVD, FAIR PARK BLVD, PO BOX, KINGSDALE DR, MARYANN DR, KNOX ST, FALCON DR, FALCON DR, GLEN PARK CIR, LEONARD ST, LEONARD ST, DORMAN ST, DORMAN ST, PO BOX, GALEMEADOW DR, GLASGOW RD, BIRDSONG DR, MEADOWS DR, HILL DR TRLR, KEETER DR, FOREST GLN (street and box numbers are not recoverable from the source)

Where Does Identity Fraud Occur?

There are several ways in which we can answer this question using our various data visibility and algorithmic tools. Some of the specific questions we can answer are:

- Where is identity fraud being committed? (ID Score)
- Where are people who are at risk of being victims? (My ID Score)
- Where do identity manipulators live? (Identity Manipulation Score)
- Where are identity fraud rings operating? (Identity Fraud Rings research)

We note in parentheses the tool we use to answer each location-specific question. The Identity Fraud Ring research was recently published in a white paper. In the following pictures we used the same scaling for the colors, and we rank-ordered the ZIP codes by the particular risk measure. ZIP codes in the bottom 60 percent of risk (not risky) are shaded green. Those in the 60 percent to 90 percent risk band are shaded orange, and those in the top 10 percent (above 90 percent) are shaded red.

Figure 1. ID Score shows where ID Fraud events are occurring.

This map shows the use of our flagship product ID Score, which scores events for the likelihood that they are identity fraud attempts. Figure 1 shows the addresses being used on these events, mostly applications for credit and cell phones. We see fraud attempts across the Southern U.S., with emphasis in Southern CA, AZ, the Mississippi delta area and across the South East including FL.

Figure 2. My ID Score shows where individuals are at risk of becoming victims.

Figure 2 shows the use of our tool My ID Score, which measures the likelihood that a person is at risk of identity fraud. Here we have scored tens of millions of people to assess their risk of being victims of identity fraud. Again we see similar areas of the Southern U.S.: Southern CA, the Mississippi delta, FL and across the South East. Certain metropolitan areas have strong indications, including Chicago, Detroit, St Louis, Miami, DC and the general NY metropolitan area.

Figure 3. IM Score shows where people are deliberately manipulating their identities.

In Figure 3 we examine the locations of people who are deliberately and improperly manipulating their PII as they apply for commercial products and services in the U.S. By law, an individual is required to represent himself correctly on an application for credit, unlike on social media sites or other semi-anonymous web interactions. Here we see a great deal of identity manipulation, across a wider and more diverse area than in the previous figures. We certainly see identity manipulation occurring in the large urban regions but also across the rural U.S. The map indicates widespread identity manipulation in the Southeast U.S., continuing up to Michigan.

Figure 4. Locations of identity fraud ring activity.

In this final figure we examine the locations of identity fraud ring activity. We define fraud rings as groups of two or more people actively collaborating to commit identity fraud. In our research of this activity we found not only the expected professional rings (groups of unrelated people operating in a systematic manner), but also what we might call family and friends fraud rings. These are groups consisting of a handful of family members (spouses, siblings, multiple generations), sometimes collaborating with friends or other families. These family and friends rings look like, and indeed are, the people next door. We find identity fraud hotbeds in Southern CA, AZ, TX and a clear and somewhat disturbing belt of fraud rings across the Southern States of LA, AR, MI, AL, GE, FL, SC and NC.

Dead People Applying

The final topic we present in this paper is analysis around the use of identities of the deceased to apply for credit products and services. Again, we are examining the instances of applications for products and services where one is required to provide correct PII, and a signature is given for permission to pull a credit report. It is illegal to misrepresent your identity in these events.


More information

Stay ahead of insiderthreats with predictive,intelligent security

Stay ahead of insiderthreats with predictive,intelligent security Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent

More information

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored. It takes an average

More information

Fusing Vulnerability Data and Actionable User Intelligence

Fusing Vulnerability Data and Actionable User Intelligence Fusing Vulnerability Data and Actionable User Intelligence Table of Contents A New Threat Paradigm... 3 Vulnerabilities Outside, Privileges Inside... 3 BeyondTrust: Fusing Asset and User Intelligence...

More information

Metrics that Matter Security Risk Analytics

Metrics that Matter Security Risk Analytics Metrics that Matter Security Risk Analytics Rich Skinner, CISSP Director Security Risk Analytics & Big Data Brinqa rskinner@brinqa.com April 1 st, 2014. Agenda Challenges in Enterprise Security, Risk

More information

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division

More information

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com blog.coresecurity.com Preempting

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Breach Found. Did It Hurt?

Breach Found. Did It Hurt? ANALYST BRIEF Breach Found. Did It Hurt? INCIDENT RESPONSE PART 2: A PROCESS FOR ASSESSING LOSS Authors Christopher Morales, Jason Pappalexis Overview Malware infections impact every organization. Many

More information

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave

More information

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved. Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control

More information

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4

More information

EXECUTIVE SUMMARY THE STATE OF BEHAVIORAL ANALYSIS

EXECUTIVE SUMMARY THE STATE OF BEHAVIORAL ANALYSIS EXECUTIVE SUMMARY Behavioral Analysis is becoming a huge buzzword in the IT and Information Security industries. With the idea that you can automatically determine whether or not what s going on within

More information

Security strategies to stay off the Børsen front page

Security strategies to stay off the Børsen front page Security strategies to stay off the Børsen front page Steve Durkin, Channel Director for Europe, Q1 Labs, an IBM Company 1 2012 IBM Corporation Given the dynamic nature of the challenge, measuring the

More information

Extreme Networks Security Analytics G2 Vulnerability Manager

Extreme Networks Security Analytics G2 Vulnerability Manager DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering

More information

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments

More information

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME:

case study Core Security Technologies Summary Introductory Overview ORGANIZATION: PROJECT NAME: The Computerworld Honors Program Summary developed the first comprehensive penetration testing product for accurately identifying and exploiting specific network vulnerabilities. Until recently, organizations

More information

KEY STEPS FOLLOWING A DATA BREACH

KEY STEPS FOLLOWING A DATA BREACH KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,

More information

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A. Identification of Risks/Cybersecurity Governance Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

More information

Comprehensive Advanced Threat Defense

Comprehensive Advanced Threat Defense 1 Comprehensive Advanced Threat Defense June 2014 PAGE 1 PAGE 1 1 INTRODUCTION The hot topic in the information security industry these days is Advanced Threat Defense (ATD). There are many definitions,

More information

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta.

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation www.lumeta. Why Leaks Matter Leak Detection and Mitigation as a Critical Element of Network Assurance A publication of Lumeta Corporation www.lumeta.com Table of Contents Executive Summary Defining a Leak How Leaks

More information

Optimizing Network Vulnerability

Optimizing Network Vulnerability SOLUTION BRIEF Adding Real-World Exposure Awareness to Vulnerability and Risk Management Optimizing Network Vulnerability Management Using RedSeal november 2011 WHITE PAPER RedSeal Networks, Inc. 3965

More information

Attack Intelligence: Why It Matters

Attack Intelligence: Why It Matters Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,

More information

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation White Paper Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation Table of Contents Introduction... 3 Common DDoS Mitigation Measures...

More information

OCIE CYBERSECURITY INITIATIVE

OCIE CYBERSECURITY INITIATIVE Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered brokerdealers and registered investment advisers, focusing on areas related to cybersecurity.

More information

March 22, 2013. Tennessee State Employees Association 627 Woodland Street Nashville, TN 37206

March 22, 2013. Tennessee State Employees Association 627 Woodland Street Nashville, TN 37206 March 22, 2013 March 22, 2013 Tennessee State Employees Association 627 Woodland Street Nashville, TN 37206 InfoArmor is pleased to present the Tennessee State Employees Association (TSEA) with the following

More information

THE EVOLUTION OF SIEM

THE EVOLUTION OF SIEM THE EVOLUTION OF SIEM WHY IT IS CRITICAL TO MOVE BEYOND LOGS Despite increasing investments in security, breaches are still occurring at an alarming rate. 43% Traditional SIEMs have not evolved to meet

More information

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management INTRODUCTION Traditional perimeter defense solutions fail against sophisticated adversaries who target their

More information

1. Thwart attacks on your network.

1. Thwart attacks on your network. An IDPS can secure your enterprise, track regulatory compliance, enforce security policies and save money. 10 Reasons to Deploy an Intrusion Detection and Prevention System Intrusion Detection Systems

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

Cybersecurity and internal audit. August 15, 2014

Cybersecurity and internal audit. August 15, 2014 Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

Gaining the upper hand in today s cyber security battle

Gaining the upper hand in today s cyber security battle IBM Global Technology Services Managed Security Services Gaining the upper hand in today s cyber security battle How threat intelligence can help you stop attackers in their tracks 2 Gaining the upper

More information

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence

The Value of QRadar QFlow and QRadar VFlow for Security Intelligence BROCHURE The Value of QRadar QFlow and QRadar VFlow for Security Intelligence As the security threats facing organizations have grown exponentially, the need for greater visibility into network activity

More information

Process Intelligence: An Exciting New Frontier for Business Intelligence

Process Intelligence: An Exciting New Frontier for Business Intelligence February/2014 Process Intelligence: An Exciting New Frontier for Business Intelligence Claudia Imhoff, Ph.D. Sponsored by Altosoft, A Kofax Company Table of Contents Introduction... 1 Use Cases... 2 Business

More information

Analyzing HTTP/HTTPS Traffic Logs

Analyzing HTTP/HTTPS Traffic Logs Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that

More information

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture

Using LYNXeon with NetFlow to Complete Your Cyber Security Picture Using LYNXeon with NetFlow to Complete Your Cyber Security Picture 21CT.COM Combine NetFlow traffic with other data sources and see more of your network, over a longer period of time. Introduction Many

More information

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate

More information

QRadar SIEM and FireEye MPS Integration

QRadar SIEM and FireEye MPS Integration QRadar SIEM and FireEye MPS Integration March 2014 1 IBM QRadar Security Intelligence Platform Providing actionable intelligence INTELLIGENT Correlation, analysis and massive data reduction AUTOMATED Driving

More information

Introducing IBM s Advanced Threat Protection Platform

Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM

More information

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS CONTENTS PAGE RECONNAISSANCE STAGE 4 INCURSION STAGE 5 DISCOVERY STAGE 6 CAPTURE STAGE 7 EXFILTRATION STAGE

More information

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with

More information

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined

Niara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined Niara Security Intelligence Threat Discovery and Incident Investigation Reimagined Niara enables Compromised user discovery Malicious insider discovery Threat hunting Incident investigation Overview In

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

IBM QRadar Security Intelligence April 2013

IBM QRadar Security Intelligence April 2013 IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence

More information

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events

Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented

More information

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs IBM Global Technology Services Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs Achieving a secure government

More information

Beyond the Hype: Advanced Persistent Threats

Beyond the Hype: Advanced Persistent Threats Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government

More information

The New Reality of Synthetic ID Fraud How to Battle the Leading Identity Fraud Tactic in The Digital Age

The New Reality of Synthetic ID Fraud How to Battle the Leading Identity Fraud Tactic in The Digital Age How to Battle the Leading Identity Fraud Tactic in The Digital Age In the 15 years since synthetic identity fraud emerged as a significant threat, it has become the predominant tactic for fraudsters. The

More information

I D C A N A L Y S T C O N N E C T I O N

I D C A N A L Y S T C O N N E C T I O N I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM)

More information

Realize That Big Security Data Is Not Big Security Nor Big Intelligence

Realize That Big Security Data Is Not Big Security Nor Big Intelligence G00245789 Realize That Big Security Data Is Not Big Security Nor Big Intelligence Published: 19 April 2013 Analyst(s): Joseph Feiman Security intelligence's ultimate objective, enterprise protection, is

More information

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst

Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst ESG Solution Showcase Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst Abstract: Information security practices are in the midst

More information

Enabling Security Operations with RSA envision. August, 2009

Enabling Security Operations with RSA envision. August, 2009 Enabling Security Operations with RSA envision August, 2009 Agenda What is security operations? How does RSA envision help with security operations? How does RSA envision fit with other EMC products? If

More information

Bridging the gap between COTS tool alerting and raw data analysis

Bridging the gap between COTS tool alerting and raw data analysis Article Bridging the gap between COTS tool alerting and raw data analysis An article on how the use of metadata in cybersecurity solutions raises the situational awareness of network activity, leading

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

High End Information Security Services

High End Information Security Services High End Information Security Services Welcome Trion Logics Security Solutions was established after understanding the market's need for a high end - End to end security integration and consulting company.

More information

IBM Security Intelligence Strategy

IBM Security Intelligence Strategy IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational

More information

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004 A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:

More information

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula? Datasheet: Website Security End-to-End Application Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-ofbreed

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen 14th Annual Risk Management Convention New York, New York March 13, 2013 Today s Presentation 1)

More information

An Oracle White Paper November 2011. Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime

An Oracle White Paper November 2011. Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime An Oracle White Paper November 2011 Financial Crime and Compliance Management: Convergence of Compliance Risk and Financial Crime Disclaimer The following is intended to outline our general product direction.

More information

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information