The financial world has become hugely complicated, with ever-faster trading and demands for more elaborate security, surveillance and reporting to meet stricter regulations.
The threats too are constantly changing. Financial organisations now face being defrauded by staff colluding with crooks at trading partners, or becoming unwitting vehicles for global money launderers. And all the while, cyber-criminals are incessantly trying to breach security measures to commit theft or extortion.
Combating these fast-developing threats demands that suspicious patterns and links be spotted immediately in a vast volume of data and changing variables. Unfortunately, this is not something that conventional databases do well.
Making the right connections and flagging suspicious anomalies quickly, without generating time-consuming false positives, requires graph analytics deployed on a supercomputing platform.
Graph analytics works because, in the real world, detection depends on establishing suspicious links and connections from all kinds of information in many different formats. Conventional analytics, relying on neat rows and tables, will not deliver. Graph, by contrast, has no rival at working out significant relationship patterns between varied data types. Queries that would cause conventional analytics to explode, graph analytics can accomplish in seconds.
An investment bank concerned about insider trading, for example, can use graph to find quickly all employees who have used instant messaging to contact a third party who is, in turn, a Facebook friend of someone with access to the back-office settlements system. For graph, this is a simple matter of three hops, whereas conventional methods would require three sets of data to be joined together.
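The three-hop traversal described above can be sketched in a few lines. This is a minimal, illustrative example, not a production graph engine: the people, systems and relationship types are invented, and a real deployment would query billions of edges rather than a hand-built dictionary.

```python
from collections import deque

# Hypothetical relationship graph: each edge carries the kind of link
# (instant message, Facebook friendship, system access). All names and
# relationships here are invented for illustration.
edges = [
    ("alice_trader", "bob_external", "instant_message"),
    ("bob_external", "carol_external", "facebook_friend"),
    ("carol_external", "settlements_system", "has_access"),
    ("alice_trader", "dave_trader", "instant_message"),
]

graph = {}
for src, dst, kind in edges:
    graph.setdefault(src, []).append((dst, kind))

def paths_within_hops(start, target, max_hops=3):
    """Breadth-first search returning every path from start to target
    that uses at most max_hops edges -- the 'three hops' in the text."""
    results = []
    queue = deque([(start, [start])])
    while queue:
        node, path = queue.popleft()
        if len(path) - 1 > max_hops:
            continue
        if node == target and len(path) > 1:
            results.append(path)
            continue
        for neighbour, _ in graph.get(node, []):
            if neighbour not in path:  # avoid revisiting nodes on this path
                queue.append((neighbour, path + [neighbour]))
    return results

print(paths_within_hops("alice_trader", "settlements_system"))
```

Where a relational approach would join a messaging table, a social-media table and an access-control table, the traversal simply follows edges outward from the starting node.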
Equally, a graph engine can draw on data from a dozen or more sources to establish that an unfamiliar pattern of activity indicates a cyber-attack in progress, requiring immediate countermeasures. An entire network infrastructure and all its links to third parties can be represented in graph, establishing connections with the patterns of previous cyber-security incidents and with technical information on government security databases.
This takes a lot of data and involves a level of complexity that only graph can handle: the data volumes required for cyber-detection can be huge, spanning weblogs, telemetry, emails, firewall and IP data. In a large organisation this can easily amount to 20 terabytes per day.
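One way to picture matching current activity against a previous incident is as a subsequence search over a merged, time-ordered event stream. The sketch below is a deliberate simplification under invented data: the event kinds, sources and "signature" are hypothetical, and a real graph engine would correlate far richer structure than an ordered list.

```python
# Events merged from several hypothetical sources (firewall, weblogs,
# telemetry, IP flows), already sorted by timestamp. Invented for illustration.
events = [
    ("09:01", "firewall", "port_scan"),
    ("09:05", "weblog", "login_failure"),
    ("09:06", "weblog", "login_failure"),
    ("09:12", "telemetry", "privilege_escalation"),
    ("09:30", "ip_flow", "bulk_outbound_transfer"),
]

# The shape of a previous incident, as an ordered sequence of event kinds.
known_incident = ["port_scan", "login_failure",
                  "privilege_escalation", "bulk_outbound_transfer"]

def matches_incident(stream, signature):
    """True if the signature's steps occur, in order, within the stream."""
    kinds = iter(kind for _, _, kind in stream)
    # 'step in kinds' consumes the iterator up to the first match,
    # so each signature step must appear after the previous one.
    return all(step in kinds for step in signature)

print(matches_incident(events, known_incident))
```

The point of the sketch is the cross-source correlation: no single feed contains the whole pattern, but the combined stream does.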
Using graph, new cyber-reconnaissance and analytics services can also build a high-resolution image of each organisation's cyber-landscape from the criminal's perspective, allowing countermeasures to be concentrated where they will have most effect. By joining together pieces of information at vast scale, these services provide security insights far more frequently than conventional signature-based security technologies. Without this protection, malicious content has the space to hide and operate undetected inside an IT system.
This capacity to determine links and connections from raw data also makes graph supreme at detecting new patterns of fraud, immediately flagging suspicious chains of events.
For example, the chain may be that a bank trader phones a colleague in IT; at the close of trading, door security technology shows the two walking out within a minute of each other; and another data source then shows the IT employee quickly purchasing shares: a sequence of events deserving immediate investigation. Graph will also throw light on overlooked areas of activity by drawing on data already in the public domain, such as an employee's or contractor's friendship on social media with a CFO.
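The chain just described can be sketched as a correlation across three separate event sources. Everything below is invented for illustration, and the one-minute and one-hour windows are assumptions chosen for the example, not thresholds from the text.

```python
from datetime import datetime, timedelta

# Hypothetical records from three separate sources: phone logs, door
# security and trade records. All names and times are invented.
phone_calls = [("trader_1", "it_2", datetime(2024, 3, 1, 16, 30))]
door_exits = [("trader_1", datetime(2024, 3, 1, 17, 0)),
              ("it_2", datetime(2024, 3, 1, 17, 0, 40))]
share_purchases = [("it_2", datetime(2024, 3, 1, 17, 25))]

def suspicious_chains(calls, exits, purchases,
                      exit_gap=timedelta(minutes=1),
                      purchase_window=timedelta(hours=1)):
    """Flag chains of: phone call, then both parties exiting within
    exit_gap of each other, then the callee buying shares soon after."""
    exit_times = dict(exits)
    flagged = []
    for caller, callee, call_time in calls:
        t1, t2 = exit_times.get(caller), exit_times.get(callee)
        if t1 is None or t2 is None or abs(t1 - t2) > exit_gap:
            continue
        for buyer, buy_time in purchases:
            if buyer == callee and timedelta(0) <= buy_time - t2 <= purchase_window:
                flagged.append((caller, callee, buy_time))
    return flagged

print(suspicious_chains(phone_calls, door_exits, share_purchases))
```

Each step of the chain lives in a different system; the value of the graph approach is that linking them is a traversal rather than a multi-table join.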
In insurance fraud, a graph engine has the power to expose collusion where real identities are being recycled or manipulated to create fake evidence. A single social connection from among thousands can unravel an entire plot, saving substantial amounts of money.
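A simple way to surface recycled identities is to link any claims that share an identifying attribute and then look at the connected components that emerge. This is a minimal union-find sketch over invented claim data; a real investigation would use many more attribute types and fuzzy matching.

```python
# Hypothetical claims: any two that share a phone number or address are
# linked, and components of linked claims suggest possible collusion.
claims = {
    "claim_A": {"phone": "555-0101", "address": "1 High St"},
    "claim_B": {"phone": "555-0202", "address": "1 High St"},
    "claim_C": {"phone": "555-0202", "address": "9 Low Rd"},
    "claim_D": {"phone": "555-0303", "address": "4 Oak Ave"},
}

parent = {c: c for c in claims}

def find(x):
    """Union-find root lookup with path compression."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def union(a, b):
    parent[find(a)] = find(b)

# Link claims sharing any (attribute, value) pair.
seen = {}
for claim, attrs in claims.items():
    for key, value in attrs.items():
        if (key, value) in seen:
            union(claim, seen[(key, value)])
        else:
            seen[(key, value)] = claim

# Group claims by their component root.
rings = {}
for claim in claims:
    rings.setdefault(find(claim), []).append(claim)

print([sorted(r) for r in rings.values() if len(r) > 1])
```

Claims A, B and C form one cluster through a shared address and a shared phone number, even though no single attribute connects all three directly: the single hidden link the text describes.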
Supercomputer-powered graph will also slash costs in anti-money-laundering (AML) operations, which can occupy many thousands of staff at a large multinational investment bank and often involve the expensive suspension of transactions while investigations are conducted. With graph, the time such investigations take can be cut from, typically, three to four hours to a mere 20 minutes.
Results on a big scale
The most scalable way of using graph analytics is through a graph engine powered by supercomputing. The engine can expand to meet evolving demands without partitioning data between nodes in a way that makes assumptions about the questions to be answered and the relationships involved. Nor is it necessary to “normalise” the data to achieve the desired outcome; a new data source is simply added as a new set of nodes (containing the data) and the relations between them.
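The schema-free growth described above can be illustrated with a toy graph structure: because the graph is just nodes and labelled relations, folding in a new data source means appending edges, with no table redesign. The class, sources and records below are invented for the sketch.

```python
# A minimal property-graph sketch: nodes plus (source, relation, target)
# triples. Adding a new data source requires no schema change.
class Graph:
    def __init__(self):
        self.nodes = set()
        self.edges = []  # (source, relation, target) triples

    def add_relation(self, src, relation, dst):
        self.nodes.update((src, dst))
        self.edges.append((src, relation, dst))

    def neighbours(self, node):
        return [(rel, dst) for src, rel, dst in self.edges if src == node]

g = Graph()
# First data source, e.g. hypothetical HR records:
g.add_relation("emp_42", "works_in", "trading_desk")
# Later, a brand-new source (say, badge logs) is folded in the same way,
# with no normalisation or table redesign:
g.add_relation("emp_42", "entered", "server_room")

print(g.neighbours("emp_42"))
```

The contrast with a relational store is that a new source there would typically mean a new table, foreign keys and rewritten joins; here it is only new triples.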
Indeed, whatever the field, the combination of graph analytics and supercomputing delivers a substantial return on investment with remarkable rapidity, saving time and costly man-hours and offering a shortcut to expertise that would otherwise be inaccessible. Without it, organisations such as banks that rely on conventional methods risk disasters that could have been prevented long before.
Contributed by Phil Filleul, financial services global lead, Cray Inc.