As the cost and ability to deploy machine learning (and in turn predictive analytics) have decreased, he said, expect to see many security companies add it to their solutions and apply it to the ransomware problem.
Often the “next-gen” moniker afforded to many new security products just means applying machine learning to existing problem sets, he said. The availability of platforms such as the Google Cloud Machine Learning Engine and Amazon Machine Learning has reduced the cost and complexity. In addition, the community has improved the state of best practice for those who choose to build it on their own.
“Less complex, expensive and faster [machine learning] allow companies to apply it to cybersecurity in more of a near real-time mode to predict/prevent, versus react. Of course, this presumes that companies are able to build [machine learning] models that can identify this activity while it is still nascent. And this is where you need strong data scientists to extract the relevant features to build the models,” Huber said.
TIBCO’s Michael O’Connell pointed out some examples of when predictive analytics and machine learning come in handy.
Issue: Too many false positives arise because organizations tend to set independent thresholds for the rules and KPIs they believe need to be kept under surveillance. This is a nice starting point but inevitably leads to large inefficiencies, as the number of rules grows and their intra-correlations are not understood.
Solution: Using machine learning for optimally combining existing or new rules into rich fraud indicators, based on tried and tested math, ensures you are way more likely to get relevant alerts in a much smaller sample of investigation efforts. TIBCO’s machine learning models have both a supervised and an unsupervised component. Supervised machine learning models focus on distinguishing, within historic data, known past fraud cases from the remainder. Financial crime detection also needs to be able to accommodate surprises through the use of unsupervised models. This type of model focuses on profiling typical past transactions and spotting odd ones. Not necessarily fraudulent, but odd, and therefore worthy of investigation.
Issue: Dangerous transactions will be investigated by humans, who must decide for each transaction whether it is criminal or not. This leads to long investigation times to come to accurate and precise conclusions.
Solution: Investigators’ decisions can be made maximally efficient with a TIBCO Spotfire investigative template that collects all information about the transaction’s history from any number of disparate sources. Investigators can complete their analyses on TIBCO Business Process Management (BPM), such that all decisions regarding each alert are auditable at any time. Furthermore, by placing Spotfire on top of BPM, we can identify bottlenecks in the investigation process and suggest how to address them. More importantly, as transactions get investigated and a conclusion is made regarding whether they were actually fraud or not, this information is used to monitor model health over time.
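The two points above (independent rule thresholds versus a learned combination of rules, plus an unsupervised profile of typical transactions and a model-health check from investigator verdicts) as an added, self-contained example. This is illustrative code written for this article, not TIBCO's models; the rule set, the investigation history and the transaction amounts are constructed, and the supervised part uses a naive-Bayes weight-of-evidence scheme as a stand-in for whatever "tried and tested math" a vendor would use.

```python
import math
from statistics import median

# Constructed investigation history (not real data). Each row is the rule-firing
# vector [large amount, night hour, new country, high velocity] plus the
# investigator's verdict (1 = confirmed fraud).
HISTORY = [
    ([1,0,0,0],0), ([0,1,0,0],0), ([0,0,1,0],0), ([0,0,0,1],0), ([1,0,0,0],0),
    ([0,1,0,0],0), ([0,0,1,0],0), ([0,0,0,1],0), ([1,0,0,0],0), ([0,0,1,0],0),
    ([1,0,0,0],0), ([0,0,1,0],0), ([0,0,0,0],0), ([0,0,0,0],0), ([0,1,0,1],0),
    ([1,0,1,0],1), ([1,0,0,1],1), ([0,1,1,1],1), ([1,1,1,0],1), ([1,0,1,1],1),
]

def independent_thresholds(rules):
    """Baseline: alert whenever any single rule fires on its own."""
    return any(rules)

def fit_rule_weights(history):
    """Supervised: weight of evidence per rule (naive-Bayes log-likelihood ratio, add-one smoothed)."""
    fraud = [r for r, y in history if y]
    legit = [r for r, y in history if not y]
    n = len(history[0][0])
    weights = [math.log((sum(r[i] for r in fraud) + 1) / (len(fraud) + 2))
               - math.log((sum(r[i] for r in legit) + 1) / (len(legit) + 2))
               for i in range(n)]
    prior = math.log(len(fraud) / len(legit))   # prior log-odds of fraud
    return prior, weights

def combined_indicator(rules, prior, weights):
    """Alert only when the combined evidence pushes the posterior odds past even."""
    return prior + sum(w for r, w in zip(rules, weights) if r) > 0

def alert_stats(history, decide):
    """Model-health view: (alerts raised, alerts later confirmed as fraud)."""
    alerts = [(r, y) for r, y in history if decide(r)]
    return len(alerts), sum(y for _, y in alerts)

def odd_amounts(amounts, cutoff=3.5):
    """Unsupervised: profile typical amounts with median/MAD and flag outliers.
    Median and MAD are robust, so one huge transaction does not distort the profile."""
    centre = median(amounts)
    mad = median(abs(a - centre) for a in amounts)
    if mad == 0:            # no spread at all: nothing can be called odd
        return []
    return [i for i, a in enumerate(amounts) if abs(a - centre) / mad > cutoff]

if __name__ == "__main__":
    prior, w = fit_rule_weights(HISTORY)
    print("independent thresholds (alerts, fraud):", alert_stats(HISTORY, independent_thresholds))
    print("combined indicator (alerts, fraud):   ", alert_stats(HISTORY, lambda r: combined_indicator(r, prior, w)))
    print("odd amounts at indexes:", odd_amounts([40, 55, 60, 35, 50, 45, 52, 48, 61, 38, 9000]))
```

On the constructed history the per-rule thresholds raise 18 alerts to catch 5 fraud cases, while the combined indicator raises 6 for the same 5; the precision returned by alert_stats is what you would track over time as investigator verdicts come in.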