"There are a lot of offerings out there and organizations realize they can be difficult to adopt," says Phil Hagen, a certified instructor with the SANS Institute. "They are taking time to figure out if they have the human bandwidth to evaluate and integrate intelligence tools and services. "
Hagen adds, "You can't deploy a predictive analytics solution today and get value out of it tomorrow. It requires a lead-up and an establishment of a baseline of normalcy to then be able to see the threads, or deviations, to pull on."
Even the most sophisticated predictive analytics software requires human talent, though. For instance, once the Kentucky DOR tools (either the existing checklist or the SAS tool) suspect fraud, the tax return is forwarded to a human examiner for review. "Predictive analytics is only as good as the forethought you put into it and the questions you ask of it," Hagen warns.
Also, it's imperative that data scientists, not security teams, drive the predictive analytics project. "Security teams are the consumers of the data, not the creators," Hagen says.
At Arlington, Va.-based Surescripts, CISO Paul Calatayud manages a team of data scientists in-house and considers predictive analytics one of the best lines of defense his company has against fraud and data loss or theft. Surescripts is a health information network that routes and processes 7 billion transactions annually.
With 13 years of data on more than 230 million patients, Calatayud has to stay ahead of those who want to do harm. "All of our contracts are dependent on our ability to have trust between systems. If we have data loss at our company, we will cease to exist," he says.
Surescripts uses Splunk Enterprise to carry out independent risk calculations and detect deviations from the norm. Surescripts executives worry about both internal and external threats, including customer credential theft and/or misuse and employee misconduct. For instance, Splunk Enterprise alerts Surescripts if a pediatrician prescribes a 70-year-old patient medication based on a physician profile that doesn't include treating geriatric patients.
Splunk Enterprise also monitors and aggregates data from raw data points such as Active Directory, firewalls, identity and access management software, file and print servers, and cloud-based applications to understand user behavior.
If an employee starts accessing or transferring files at a higher rate than usual, is more active on social platforms such as LinkedIn and is updating a resume document repeatedly, Splunk Enterprise assumes the employee is preparing to leave the company and will alert Calatayud. Together, these actions might indicate an employee is about to quit and might be trying to download proprietary or protected health data. With the heads-up, Calatayud can heighten monitoring, contact human resources and the employee's manager, and cut off network access if needed.
Sign up for Computerworld eNewsletters.