The Truth About Anomaly Detection

What You Really Need to Know About Effective Solutions
The Truth About Anomaly Detection
The FFIEC Authentication Guidance has resulted in a cottage industry of anomaly detection solutions. But look carefully before you buy - separate myth from reality - says Terry Austin, CEO of Guardian Analytics.

"One of the myths is that it's really hard to get this information - it's hard to get the data and hard to integrate to a banking platform that a financial institution is using," Austin says. "That's just simply not true. The data is actually readily available, and it's very easy to deploy a solution like this."

Another myth is that it's easy to do the math and spot the anomalies. But, in fact, this process requires sophisticated mathematics, Austin says. "We have a team of mathematicians who have been working on this literally for six years," he says. "You need to have the skills, capabilities and experience, really, to do the math properly."

In an exclusive interview about anomaly detection, Austin discusses:

  • What's most misunderstood about the concept;
  • Shortcomings of current anomaly detection solutions in the marketplace;
  • What banking institutions must do to conform with the FFIEC guidance and deploy effective anomaly detection solutions.

Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.

TOM FIELD: The FFIEC and its authentication guidance says that proper anomaly detection can defend against incidences of account takeover. Can you explain how that is?

TERRY AUSTIN: It's really pretty straight forward, and it really starts with an understanding of each individual accountholder's or user's online banking behavior, then doing deep analytics of that behavior to detect normal behavior and distinguish from fraudulent, or risky, behavior.

It's very similar to the analytics that have been done on the marketing side, understanding online users' behavior to figure out what to market to them, but in this case we're using predictive analytics and behavioral analytics to understand if this is truly the legitimate person using online banking or if a fraudster has gotten access to and taken over the account. Something that's really important to note about anomaly detection is that it doesn't really matter how a fraudster might have gained access, what technique they used, what malware they used. It works on the simplest forms of attack and it works on the most sophisticated forms of attack, because it's really based on knowing what the normal user's behavior is like and then spotting anomalies from there.

FIELD: One of the things I've noticed since the release of the guidance this past summer is that there seems to be a lot of market confusion about exactly what anomaly detection is. What do you find is most misunderstood about the concept?

AUSTIN: There is a lot of confusion. Some of it is created by the vendor community itself, but there are some myths out there and we deal with this all the time as we're talking to financial institutions. One of the myths is that it's really hard to get this information, hard to get the data and hard to integrate to the banking platform that a financial institution is using. That's just simply not true. The data is actually readily available and it's very, very easy to deploy a solution like this. In fact, we've integrated to over 15 of the major banking platforms, so chances are we've integrated to one of the financial institution's platforms and it's very easy to get at the data. The great thing about online banking is there's a huge wealth of data about every customer, about every accountholder and what they do when they interact with the system.

While there's this myth that it's hard to get the data ... there's another myth that it's actually easy to do the math and figure out and spot the anomalies. There are a lot of people out there reporting to have anomaly detection all of a sudden because the FFIEC emphasized it, but really to detect anomalies from this behavioral data requires very sophisticated mathematics. It requires deep applied statistics and probability, and it needs to be developed over time. We have a team of mathematicians that have been working on this literally for six years and understanding how to decipher the information from the data. The myth is that it's hard to get to the data but easy to do the math, and the reality is the exact opposite. It's actually very easy to get the data, but you need to have the skills and capabilities and experience to do the math correctly.

FIELD: Why do you believe that the FFIEC choose anomaly detection as a minimum requirement vs. some of the layered security controls that they offer in the new guidance?

AUSTIN: The answer to that is simple. It's because anomaly detection works. It works kind of in all situations and all cases. The FFIEC stated pretty clearly that they reviewed a number of high-profile fraud cases and determined that the behavior was clearly unusual relative to normal behavior and that if anomaly detection had been in place, those fraud cases could have been stopped. I think the FFIEC correctly recognized that this approach can provide complete coverage from day one. It protects all accountholders. It protects against all threats. It does it at all times. It's not specific to understanding the type of threat. It's very resilient to changing threat landscapes. It really makes it the right starting point. It applies the risk to everyone and all threats, so it really is the right layer to start with. Then the other layers can really be added as the financial institution does their risk assessments and understands where those other solutions can have an impact.

FIELD: I want to pick up on a comment you made a few minutes ago about some of the confusion in the market place being caused by the vendor community. As we know, there are many supposed anomaly detection solutions in the marketplace. What do you see as some of the shortcomings of some of these solutions that could be causing some of the confusion?

AUSTIN: There are a few different things, and there are certainly a lot of solutions out there kind of being recast as anomaly detection in light of the guidance that really aren't anomaly detection. Often these things are focused on a narrower slice of the puzzle. Anomaly detection is by nature end-to-end and it's a complete behavioral view of an individual accountholder, but there are other solutions that focus on the end point. They focus on the device, the particular machine that is logging in, or they focus on the other end. They focus on the transactions, the money that is flowing out, but they don't really take that end-to-end view. We see a lot of that out there.

Then from the detection technique itself, there are a lot of old rules-based systems in the market that are trying to recast themselves as anomaly detection and rules-based systems just simply don't work. You can't write a rule to detect the next risk or threat or the fraud attempt because it changes too fast. Rule systems by their very nature throw up a huge number of false-positives so it makes it very unmanageable.

The third thing besides the narrow focus, the rules approach, is there are often solutions out there that provide alerts but they don't provide any context. They don't help the financial institution understand why this was risky behavior and put it in the context of the normal behavior for the accountholder. There may be too many alerts or the alerts may not be actionable because it doesn't have that context, so the financial institution doesn't really know what to do. They know there may be a risk, but they don't know what to do. There are a lot of financial institutions out there that may have solutions deployed from RSA. They may have an adaptive authentication solution, for example, from RSA, or they may have an enterprise fraud solution from Actimize looking at cross-channel enterprise fraud, and those are fine solutions and serve a good purpose. But I think what's really neat and the FFIEC is calling for is a deeper level of very specific behavioral risk and anomaly detection in electronic banking, and that's really what's missing from a lot of the solution platforms that are out there today.

FIELD: Let's turn this around now and talk about effective solutions. What do you believe that institutions should be looking for in a truly effective solution?

AUSTIN: It's kind of the reverse of some of the things I just said. First, it needs to be end-to-end and provide a complete view of individual behavior, not just the transaction, but the entire session to ensure that the banking can really detect the precursors, or the leading indicators, of fraud.

It needs to be based on deep and proven analytics. The analytics themselves and the risk engine itself need to be based on sophisticated probability and statistics, and it needs to be applied in an effective manner.

Third, it needs to be at an individual account level. This approach doesn't work if it's aggregated up. If you do it generically for the bank or do it generically for the credit union, it just doesn't work. It needs to be at a specific individual accountholder level, because that's where you can really discern the specific normal behavior.

It needs to be actionable, so it needs to provide context and actionable information. It needs to be proven on the banking platform that a financial institution uses for online banking, whether that's an in-house, home-grown solution or one of the major platform vendors that are in the market, like Fiserv or Intuit, Jack Henry or S1, one of the many others that are out in the market today.

FIELD: Let's talk for a minute about your customers. How have some of Guardian Analytics' customers tackled anomaly detection and been successful?

AUSTIN: We're really proud of what we've been able to contribute to our customers' success here. We are deployed at nearly 100 banks and credit unions now, and we interoperate on 15-plus the major online banking platforms. We've got a lot of track record now. We're completely staff-based so it's delivered as a service, so it's very, very easy for a bank or credit union to get started with the solution. Our financial institutions are very effective with using anomaly detection to stay ahead of the criminals. They're able to be proactive and spot fraud before it happens, and then they're able to use that detection of events as a chance to build customer trust. So even if they detect something that's unusual that doesn't turn out to be fraud, they're using that to effectively interact with their accountholders and interact with their customers and demonstrate tangibly that they're doing a lot to protect their accounts. It's really become a great trust building tool.

These banks have stopped fraud in the face of very, very simple attacks and very, very sophisticated attacks with the most recent man-in-the-browser type of attacks and attacks on commercial accounts that manipulate dual control. We see everyday fraud that's being stopped throughout and across the payments system, across ACH transactions, wire transactions, bill payment transactions and finally this has given our customers the confidence in their e-banking solution that they need to be able to enhance the service levels, provide more services, roll out new innovations, roll out mobile, roll out remote capture and some of these new innovations that are coming out. Now that they have this trust in the online channel and their ability to manage their risk, they're able to roll these things out with a lot more confidence.

FIELD: Every banking institution has got an examination coming up. What do the institutions need to do to ensure that they conform to the FFIEC guidance and, most importantly, deploy effective anomaly detection solutions?

AUSTIN: At the risk of sounding self-serving here, I would suggest strongly that they call us and they do it now. They need to get going, you're absolutely right - 2012. This is going to be a minimum expectation in their exam and they need to have an approach to anomaly detection in place and we're out there. We're proven. I think we're unique in our ability to be really end-to-end at an individual accountholder level. We've got close to 100 references from financial institutions using the solution today, stopping fraud, using it to great effect. Chances are, with our 15-plus banking platforms that we integrate to, we work on the platform that the financial institution is using. So call us. We hopefully are the right solution. If not, then there are other approaches, but we would love to engage in dialog and find out if we can be helpful.


About the Author

Information Security Media Group

Information Security Media Group (ISMG) is the world's largest media company devoted to information security and risk management. Each of its 28 media sites provides relevant education, research and news that is specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from the North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud. Its yearly global Summit series connects senior security professionals with industry thought leaders to find actionable solutions for pressing cybersecurity challenges.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.