The recent wave of successful high-profile cyberattacks and disastrous data leaks has added a new level of activity to the search for the perfect fraud detection and early-alerting solution.
With attackers changing their activity vectors, attack patterns and techniques on a daily basis, many legacy fraud detection tools lose their efficiency and become outdated very quickly.
In the never-ending quest to protect the enterprise against fraud losses, the idea of Automated Anomaly Detection is picking up steam.
The way it generally works: the anomaly detection system establishes a baseline for certain predefined dimensions and then monitors (often in real time) for deviations from that baseline. Once a sufficiently abnormal condition is detected, an alert is issued. Such a system can operate almost fully automatically and learn from historical and present data, constantly updating its baselines as well as its trigger thresholds.
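As an added illustration of the baseline-and-threshold mechanism just described (this is example code written for this page, not code from the original post or from any vendor product), here is a small rolling-window detector run over constructed failed-login counts. It also shows the limitation the rest of the post argues: a loud spike is caught immediately, while a patient ramp that grows by one unit per minute drags the baseline along with it and never crosses the trigger, even though it ends at the same volume as the spike. The window size, the 3-sigma threshold, the `learn_from_anomalies` switch and the sample series are all assumptions made for this example.

```python
from collections import deque
from statistics import mean, pstdev
from typing import Iterable, List, Tuple


class BaselineDetector:
    """Rolling-window baseline with a k-sigma trigger (constructed example).

    The baseline is the mean and standard deviation of the last `window`
    observations; a new observation is an anomaly when it sits more than
    `k` standard deviations away from that baseline.
    """

    def __init__(self, window: int = 10, k: float = 3.0,
                 learn_from_anomalies: bool = False) -> None:
        self.window = window
        self.k = k
        self.learn_from_anomalies = learn_from_anomalies
        self.history: deque = deque(maxlen=window)

    def observe(self, x: float) -> Tuple[bool, float]:
        """Score one observation against the current baseline, then update it.

        Returns (is_anomaly, z_score). No alert is raised until the window
        is full, so the first `window` observations only train the baseline.
        """
        if len(self.history) < self.window:
            self.history.append(x)
            return False, 0.0
        mu = mean(self.history)
        sigma = pstdev(self.history)
        if sigma > 0:
            z = (x - mu) / sigma
        else:
            # Flat baseline: any change at all is abnormal.
            z = 0.0 if x == mu else float("inf")
        is_anomaly = abs(z) > self.k
        if not is_anomaly or self.learn_from_anomalies:
            # The baseline follows only the data it has accepted as normal.
            self.history.append(x)
        return is_anomaly, z


def flagged_indices(series: Iterable[float], **kwargs) -> List[int]:
    """Run the detector over a series and return the positions that alerted."""
    det = BaselineDetector(**kwargs)
    return [i for i, x in enumerate(series) if det.observe(x)[0]]


# Constructed sample data (hypothetical): failed-login counts per minute.
NORMAL = [10, 12] * 5                   # quiet period: baseline mean 11, std 1
SPIKE = NORMAL + [30, 11, 10, 12]       # noisy automated attack: one loud minute
RAMP = NORMAL + list(range(13, 31))     # patient fraudster: +1 per minute, up to 30

if __name__ == "__main__":
    print("spike alerts at:", flagged_indices(SPIKE))   # [10]
    print("ramp alerts at: ", flagged_indices(RAMP))    # []
```

The design choice worth noticing is that flagged observations are not fed back into the baseline by default: if they were, a single spike would widen the tolerance band and mask the next one. Even with that guard in place, the ramp series stays just under two standard deviations at every step, which is exactly the "under the radar" behaviour the post warns about.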
I’ve observed a number of tools in this space and have to say they are pretty efficient at catching interesting anomalous events that indicate some sort of problem.
Having said that, the whole space of fraud detection is a somewhat different beast.
Successful fraudsters are more likely to be sophisticated humans than automated scripts. They try to stay under the radar and avoid detection as much as possible.
New solutions are being pitched pretty aggressively, selling automated anomaly detection concepts as a “new and better approach” against fraud and promising fully automated, never-need-to-be-updated, catch-it-all products.
Before you buy into disappointment, here are a few bullet points to be aware of when evaluating new security products and vendors covering the fraud space:
- Beware of “blackbox”-type, “closed” solutions with vendor-proprietary “IP” inside and a few knobs outside to configure it. When these types of solutions need to be customized for new fraud types, or integrated with or adjusted for new deployment architectures, this usually involves pricey mandatory “professional services” from the vendor. This cycle has a rinse-and-repeat tendency, and the whole thing can get very costly.
Gravitate toward full-stack security frameworks that allow deep customization of all layers and the ability to build vendor- and business-specific solutions on top of them.
- Beware of pure anomaly-detection-based solutions for fraud detection. These usually come with a pitch of requiring very little configuration and the ability to automatically adjust themselves to incoming data in real time and detect fraud “forever”: a sort of set-and-forget scenario that sounds like music to the ears of CISOs.
These types of tools are the ultimate utopia for vendors themselves to strive for, because it would mean that they would not have to care about business domain specifics and could just work on detecting anomalies, covering 100% of all industries. Anomalies, yes; fraud, not so fast.
In reality, successful fraud detection tasks are very vertical-specific, require deep knowledge of the business domain, and demand complex real-time evaluation of multiple activity points, correlation with external unstructured threat feeds, and complex references to past profile activities for each incoming user session in real time. If a solution is based only on