In his 1982 book Megatrends, John Naisbitt wrote: “We are drowning in information but starved for knowledge.” This is one of my favorite quotes, as I find that it so accurately captures the state of many things in modern life.
In particular, it succinctly describes the state of many enterprise fraud and risk management programs. Many of these programs, unfortunately, suffer from high levels of false positives and other ‘noise’ that reduce their effectiveness.
To understand why noise is such a problem in fraud and risk management, we must first understand its consequences for the enterprise. While not an exhaustive list, here are a few key ones:
- Wasted cycles: When fraud teams build a workflow around a centralized work queue, all events in the queue need to be prioritized and reviewed. Noise fills this queue with items that need to be reviewed but do not add value to the fraud and risk program. In other words, noise wastes the team’s precious and valuable cycles.
- Missed true positives: The phrase ‘finding a needle in a haystack’ is a good one to describe what it’s like to look for fraud among the large volume of data and events that the typical enterprise sees. In this analogy, the needle represents true positives (fraud incidents), while the haystack represents false positives that are not fraud. The more false positives there are, the more difficult it is to find the true positives.
- Increased infrastructure costs: Noise also comes with an infrastructure cost. Each log, alert, and event, regardless of whether it adds value to the fraud and risk program, must be retained. Thus, if the team is collecting a large amount of information that adds little to no value, they are merely using excess infrastructure. This comes with a cost that takes budget away from areas where it could add significantly more value.
- Skewed metrics: False positives have made a habit of skewing metrics. Certain metrics, particularly those that focus on percentage of time spent on true fraud incidents, ratios of true positives to false positives, volume of events, number of events handled, analyst time per event, and others will be highly affected by the volume of noise. The lower the rate of false positives can be, the more accurately and favorably these metrics will turn out.
Knowing a few of the reasons why false positives and noise negatively affect our fraud program helps us build a plan to address the problem. Here are a few suggestions that I’ve found helpful over the course of my career:
- Begin with risk: Not surprisingly, all successful paths begin with a firm understanding of and a commitment to risk. Assess the risks and threats to the enterprise, understand what they affect within the enterprise, and learn the potential cost/loss associated with each one.
- Set goals and priorities: Selecting what to address and when is one of the most important strategic decisions a fraud and risk team can make. Prioritize the risks and threats enumerated in the previous step and set goals and priorities that will be addressed both near-term and longer-term.
- Assess impact: Identifying critical assets, key resources, and important data stores, among other things, helps the team understand the potential impact of an incident. Knowing where the most sensitive and important assets, resources, and data are helps focus the team on where gaps in telemetry exist.
- Identify data and gaps: Understand the existing telemetry collection in place and evaluate whether each data source contributes to the fraud and risk program. If it doesn’t, then collecting it just adds infrastructure costs while not adding any value. Identify gaps in telemetry that leave the team blind to potential fraud, and develop a plan to address those gaps.
- Consider technology and gaps: Look closely at existing technology that is in place, examine where it is helpful, such as detecting fraud reliably with low false positive volumes, collecting valuable telemetry data, and/or making process and workflow more efficient. Keep a close eye on where technology is fighting, rather than helping, the fraud team, as well as where gaps exist in telemetry and detection.
- Throw out noisy rules and signatures: Rules, signatures, and other detection techniques that generate a large volume of noise do not add value to the fraud program. Instead, they bury the team in false positives and actively work against timely and accurate detection of fraud incidents. It may sound radical, but there are far more benefits to throwing away these noisy detection mechanisms than there are disadvantages.
- Implement tight detection: Truly embracing the ‘less is more’ philosophy includes understanding the need to incisively interrogate the data and produce high fidelity and high reliability alerts and events. While implementing more sophisticated approaches to detection requires a significant time investment up front, it pays big dividends. The better the alerting and eventing, the more signal and the less noise the work queue will have.
- Focus on process: The highest quality work queue in the world won’t help when there are broken or non-existent processes. A world-class fraud team has mature, efficient, and effective processes that guide and govern how they work.
- Continuously improve: No fraud team is perfect, and the best fraud teams are keenly aware of their weaknesses and their opportunities for improvement. Taking lessons learned from each of the above points and using them to continuously improve the fraud program is critical to the long-term success of the fraud team.
The conventional wisdom that more data, more events, and more alerts makes for better fraud detection is outdated and misinformed. Through a strategic focus on risk and a methodical approach to reducing noise, enterprises can improve both the state of their fraud detection and the maturity of their fraud programs. Improving the signal-to-noise ratio and embracing the ‘less is more’ philosophy for fraud detection can help enterprises detect more fraud while wasting significantly fewer resources on false positives.
Interested in learning more? Come and chat with Josh at Infosecurity Europe from 21-22 June (Stand P20).
About the Author
Related Blog Posts
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
F5 Silverline: Our Data Centers are your Data Centers
Customers count on F5 Silverline Managed Security Services to secure their digital assets, and in order for us to deliver a highly dependable service at global scale we host our infrastructure in the most reliable and well-connected locations in the world. And when F5 needs reliable and well-connected locations, we turn to Equinix, a leading provider of digital infrastructure.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.
The Internet of (Increasingly Scary) Things
There is a lot of FUD (Fear, Uncertainty, and Doubt) that gets attached to any emerging technology trend, particularly when it involves vast legions of consumers eager to participate. And while it’s easy enough to shrug off the paranoia that bots...