Using pattern-based strategies to spot fraud and improve security
Mark Nicolett and Avivah Litan, vice presidents and analysts at Gartner, identify the three phases of Gartner's Pattern-Based Strategy to signal a potential threat.
The management of security and fraud involves protecting the organisation and its customers from external and internal attacks, including fraud, theft and unauthorised or inappropriate data access. To accomplish this task, the patterns of potential attack, fraud and inappropriate data movement must be discerned from normal or acceptable user activity, account activity and data access. This will enable scarce resources to be applied to critical issues for further investigation and resolution.
Gartner's Pattern-Based Strategy provides a framework for evaluating the capabilities of security and fraud management technologies. It identifies three distinct phases: Seek, Model and Adapt. These phases describe the process of identifying patterns that can have a positive or negative impact on an organisation's strategy or operations – in the case of information security, it signals a potential threat. The next step is to model the collected information to work out which patterns present the most risk to the organisation by qualifying and quantifying the impact. In many cases, intelligence about identity and access policies is needed for this risk assessment. Finally, the adaptation phase allows organisations to make changes that fit the pattern – either adapting to or overcoming it.
In information security, the seek phase is about the discovery of potentially malicious code, anomalous network activity or resource access and suspicious user, account or entity activity.
The act of discovery requires quite different tools and techniques that are sometimes specific to what they are trying to detect. Within information security, this discovery can be achieved using monitoring technologies, such as security information and event management, and database activity monitoring. At the data layer, data loss prevention technology provides the required functionality. At the application, user, defined entity and transaction layer, pattern recognition can be achieved using fraud-detection technology.
Network intrusion prevention system (IPS) technology operates in line with network traffic on network boundaries, inspecting network packets in real time. Endpoint protection (EPP) technology uses endpoint-resident code to inspect data and applications, while content-aware data loss prevention (DLP) discovers sensitive data at rest and monitors sensitive data both in motion and in use through seek functions on the network, email and web gateways, and endpoints. Finally, security information and event management (SIEM) collects security event data in real time from network and security devices, servers, database management systems and applications.
Fraud management technologies implement a variety of monitoring points that are focused primarily at the application layer. Many also include monitoring at the network and application access layers.
Each of these seek methods has key strengths and weaknesses. For example, network inspection can be implemented without changes to systems or applications, but the deployment of many monitoring points on a segmented network can be very complicated and costly, and may have negative network performance implications.
Model
During the model phase, data collected during the seek phase is analysed to determine if there is a threat and to assess the risk. For many security technologies, modelling includes a combination of embedded knowledge, business context, business-specific policy, intelligence derived externally and industry- or sector-specific policy.
Embedded knowledge can include identity and access policies, DLP patterns for personally identifiable information data, predefined correlation rules for SIEM and buffer overflow sensing within EPP. Business context encompasses vulnerability assessment scans, asset classification and IT service dependency maps, while business-specific policy involves customised SIEM correlation rules, user-defined fraud scenarios, IPS tuning and custom signatures, business-specific sensitive data patterns, and identity and access policies. Intelligence derived externally includes network and code signatures for malicious actors and malware. Finally, industry- or sector-specific policy covers fraud models that are specific to a particular market segment or type of business. In all of these cases, information about identity and access policies is needed to evaluate user activity and resource access in order to discover abnormal patterns that may indicate a problem or threat.
Adapt
The adapt phase is focused on action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases. The degree of integration between seek, model and adapt will vary by technology type.
Many security technologies are capable of blocking or exercising control in real time. This requires tight coupling of the seek, model and adapt process within a single vendor technology offering. However, this is not always required or present. Sometimes, more than one vendor solution can be integrated to achieve the same result. This 'loose integration' approach is common with both fraud detection and SIEM technologies. For example, a bank may integrate fraud detection from one vendor with a transaction verification and authentication solution from another, and they can work together in real time. SIEM loosely integrates with a wide variety of event data sources for seek and modelling functions.
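To make the three phases concrete, the following is an added example that is not part of the original article and not a Gartner or vendor product: a small SIEM-style pipeline in Python. Seek parses a handful of constructed event lines (the key=value log format is invented), model correlates them using the kinds of inputs the article lists (a predefined failed-logon correlation rule as embedded knowledge, an asset classification as business context, a row-count limit as business-specific policy, and an identity and access policy for table access), and adapt maps each scored finding to a block, alert or log action. All hosts, users, policies, thresholds and scores are assumptions chosen for illustration.

```python
"""Toy Seek / Model / Adapt pipeline over constructed SIEM-style events.

Added example: not Gartner's framework code or any vendor's product. Every log
line, asset classification, access policy, threshold and score below is
constructed for illustration only.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Seek input: constructed event lines, as a SIEM might collect from a
# --- database server and a web host (invented key=value syslog-like format)
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 auth host=hr-db user=alice result=fail src=10.0.5.7
2024-05-01T09:00:03 auth host=hr-db user=alice result=fail src=10.0.5.7
2024-05-01T09:00:05 auth host=hr-db user=alice result=fail src=10.0.5.7
2024-05-01T09:00:09 auth host=hr-db user=alice result=success src=10.0.5.7
2024-05-01T09:01:10 dbquery host=hr-db user=alice table=salaries rows=48000
2024-05-01T09:02:00 auth host=test-web user=bob result=fail src=10.0.9.2
2024-05-01T09:02:30 auth host=test-web user=bob result=success src=10.0.9.2
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")


def seek(text):
    """Seek phase: parse raw lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
        fields["ts"], fields["kind"] = m.group("ts"), m.group("kind")
        events.append(fields)
    return events


# --- Model inputs (all constructed) ---
ASSET_CLASS = {"hr-db": "critical", "test-web": "low"}     # business context
ASSET_WEIGHT = {"critical": 2.0, "medium": 1.5, "low": 1.0}
ACCESS_POLICY = {"alice": {"hr-db": {"employees"}}}        # identity and access policy
FAIL_THRESHOLD = 3                                         # embedded correlation rule
BULK_ROWS = 10_000                                         # business-specific policy
BASE_SCORE = {"brute_force_then_success": 5, "unauthorised_table": 6, "bulk_read": 4}


@dataclass
class Finding:
    pattern: str
    user: str
    host: str
    score: float


def model(events):
    """Model phase: correlate events against rules, policy and asset context."""
    findings, fails = [], defaultdict(int)

    def add(pattern, e):
        # Risk = pattern base score weighted by the classification of the asset hit
        weight = ASSET_WEIGHT[ASSET_CLASS.get(e.get("host"), "medium")]
        findings.append(Finding(pattern, e.get("user", "unknown"), e.get("host", "unknown"),
                                BASE_SCORE[pattern] * weight))

    for e in events:
        key = (e.get("user"), e.get("host"))
        if e["kind"] == "auth":
            if e.get("result") == "fail":
                fails[key] += 1
            else:
                # Predefined rule: N failures followed by a success on the same account/host
                if fails[key] >= FAIL_THRESHOLD:
                    add("brute_force_then_success", e)
                fails[key] = 0
        elif e["kind"] == "dbquery":
            allowed = ACCESS_POLICY.get(e.get("user"), {}).get(e.get("host"), set())
            if e.get("table") not in allowed:        # access outside the identity policy
                add("unauthorised_table", e)
            if int(e.get("rows", 0)) >= BULK_ROWS:   # business-specific bulk read policy
                add("bulk_read", e)
    return findings


def adapt(findings, block_at=10.0, alert_at=5.0):
    """Adapt phase: map each scored finding to an action (constructed thresholds)."""
    return [(f, "block" if f.score >= block_at else "alert" if f.score >= alert_at else "log")
            for f in findings]


def run_pipeline(text):
    findings = model(seek(text))
    return findings, adapt(findings)


if __name__ == "__main__":
    for f, action in run_pipeline(SAMPLE_EVENTS)[1]:
        print(f"{action:5} {f.pattern:26} user={f.user} host={f.host} score={f.score}")
```

The same three failed logons score 10.0 (block) against the critical HR database but only 5.0 (alert) against the low-value test host, which is the point of feeding asset classification and identity policy into the model phase: the raw events are identical, and only the context decides how scarce analyst time is applied.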
When adopting a Pattern-Based Strategy, the first step for IT leaders with responsibility for information security and identity access management (IAM) is to understand the activities, users and entities they need to monitor based on current risks and compliance requirements. They can then present the business case for more effective monitoring and pattern-based analytics that will discover and mitigate threats, define incident response processes and identify vendors that meet their requirements.