In his 1982 book Megatrends, John Naisbitt wrote: “We are drowning in information but starved for knowledge.” This is one of my favorite quotes, as I find that it so accurately captures the state of many things in modern life.
In particular, it succinctly describes the state of many enterprise fraud and risk management programs. Many of these programs, unfortunately, suffer from high levels of false positives and other ‘noise’ that reduce their effectiveness.
To understand why noise is such a problem in fraud and risk management, we must first understand its consequences for the enterprise. While not an exhaustive list, here are a few key ones:
- Wasted cycles: When fraud teams build a workflow around a centralized work queue, all events in the queue need to be prioritized and reviewed. Noise fills this queue with items that need to be reviewed but do not add value to the fraud and risk program. In other words, noise wastes the team’s precious and valuable cycles.
- Missed true positives: The phrase ‘finding a needle in a haystack’ is a good one to describe what it’s like to look for fraud among the large volume of data and events that the typical enterprise sees. In this analogy, the needle represents true positives (fraud incidents), while the haystack represents false positives that are not fraud. The more false positives there are, the more difficult it is to find the true positives.
- Increased infrastructure costs: Noise also comes with an infrastructure cost. Each log, alert, and event, regardless of whether it adds value to the fraud and risk program, must be retained. Thus, if the team is collecting a large amount of information that adds little to no value, they are merely using excess infrastructure. This comes with a cost that takes budget away from areas where it could add significantly more value.
- Skewed metrics: False positives have made a habit of skewing metrics. Certain metrics, particularly those that focus on percentage of time spent on true fraud incidents, ratios of true positives to false positives, volume of events, number of events handled, analyst time per event, and others will be highly affected by the volume of noise. The lower the rate of false positives can be, the more accurately and favorably these metrics will turn out.
Knowing a few of the reasons why false positives and noise negatively affect our fraud program helps us build a plan to address the problem. Here are a few suggestions that I’ve found helpful over the course of my career:
- Begin with risk: Not surprisingly, all successful paths begin with a firm understanding of and a commitment to risk. Assess the risks and threats to the enterprise, understand what they affect within the enterprise, and learn the potential cost/loss associated with each one.
- Set goals and priorities: Selecting what to address and when is one of the most important strategic decisions a fraud and risk team can make. Prioritize the risks and threats enumerated in the previous step and set goals and priorities that will be addressed both near-term and longer-term.
- Assess impact: Identifying critical assets, key resources, and important data stores, among other things, helps the team understand the potential impact of an incident. Knowing where the most sensitive and important assets, resources, and data are helps focus the team on where gaps in telemetry exist.
- Identify data and gaps: Understand the existing telemetry collection in place and evaluate whether each data source contributes to the fraud and risk program. If it doesn’t, then collecting it just adds infrastructure costs while not adding any value. Identify gaps in telemetry that leave the team blind to potential fraud, and develop a plan to address those gaps.
- Consider technology and gaps: Look closely at existing technology that is in place, examine where it is helpful, such as detecting fraud reliably with low false positive volumes, collecting valuable telemetry data, and/or making process and workflow more efficient. Keep a close eye on where technology is fighting, rather than helping, the fraud team, as well as where gaps exist in telemetry and detection.
- Throw out noisy rules and signatures: Rules, signatures, and other detection techniques that generate a large volume of noise do not add value to the fraud program. Instead, they bury the team in false positives and actively work against timely and accurate detection of fraud incidents. It may sound radical, but there are far more benefits to throwing away these noisy detection mechanisms than there are disadvantages.
- Implement tight detection: Truly embracing the ‘less is more’ philosophy includes understanding the need to incisively interrogate the data and produce high fidelity and high reliability alerts and events. While implementing more sophisticated approaches to detection requires a significant time investment up front, it pays big dividends. The better the alerting and eventing, the more signal and the less noise the work queue will have.
- Focus on process: The highest quality work queue in the world won’t help when there are broken or non-existent processes. A world-class fraud team has mature, efficient, and effective processes that guide and govern how they work.
- Continuously improve: No fraud team is perfect, and the best fraud teams are keenly aware of their weaknesses and their opportunities for improvement. Taking lessons learned from each of the above points and using them to continuously improve the fraud program is critical to the long-term success of the fraud team.
The conventional wisdom that more data, more events, and more alerts makes for better fraud detection is outdated and misinformed. Through a strategic focus on risk and a methodical approach to reducing noise, enterprises can improve both the state of their fraud detection and the maturity of their fraud programs. Improving the signal-to-noise ratio and embracing the ‘less is more’ philosophy for fraud detection can help enterprises detect more fraud while wasting significantly fewer resources on false positives.
Interested in learning more? Come and chat with Josh at Infosecurity Europe from 21-22 June (Stand P20).