
Cyber Security: The Streaming Analytic Battlefield


For several years, I have been actively “fighting the good fight” in the area of cyber security. Beyond my anti-fraud work here at FICO, I also participate in various industry efforts focused on preventing cyber crime, most recently joining the board of directors for the Cyber Center for Excellence. Cyber security touches our lives daily, whether it's protecting our national infrastructure, securing payment systems, or installing virus protection for personal computers and devices.

The recent data breach at Target caused many to rally around the adoption of EMV payment cards. While that is a step in the right direction, it would not have prevented the loss of data estimated to affect more than 70 million customers. The Target breach does, however, point to the need to monitor computer networks for malware designed to steal PII (personally identifiable information). These are costly problems both for consumers, who need to stay vigilant against any misuse of their PII, and for financial institutions, where an estimated $200 million will be spent just to replace the compromised cards.

Fortunately, fraud protection solutions like FICO® Falcon® Fraud Manager continue to detect the subsequent fraudulent use of these payment cards. The larger question is whether other analytic solutions could have prevented the data from being compromised in the first place.

Ever since the early days when the Morris worm first spread via the internet, malware has been evolving and exploiting technical and human shortcomings. People and corporations are increasingly dependent on networked devices and are demanding more content. This enables the rapid sharing of information, but it also creates many points of compromise. Furthermore, in this connected world, organizations make more use of contractors and third parties, which adds to the risk of network intrusion.

In Target’s case, the intruders were quite sophisticated. They managed to penetrate the network via a contractor, implant point-of-sale machines with custom-tailored malware, scrape the machines' memory to extract credit card data, send the data to a local server with internet access, and from there, upload the sensitive information to an outside server. Entering the network and collecting the credit card data were the difficult parts. Moving the data outside Target’s network was relatively easy; it appears that the bad guys simply used FTP.

To help advance the detection of cyber threats and prevent loss of sensitive information, we recently developed a streaming analytic model (as opposed to common static rules) to detect malware communications. Our cyber security analytics not only detect some known patterns used by malware to connect to command-and-control structures, but also spot unusual computer activity. The analytics combine several features that are sensitive to such anomalies, and these components are ultimately fused into a single score indicating threat risk, based on the in-stream Multi-Layered Self-Calibrating analytics techniques that I’ve discussed previously. All this takes place in real time. These advances are made possible by leveraging a data set gathered from a consortium of lenders, as well as our two decades of analytic innovation in the fraud detection space.
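The following is an added example, not FICO's code and not the model the post describes: a simplified streaming, self-calibrating scorer run over constructed netflow-style flow summaries. It illustrates both the incident chain above (a register that begins bulk FTP uploads to an outside address) and the scoring idea in this paragraph: a few anomaly-sensitive features per host and time window, each scaled against running population quantiles instead of fixed thresholds, then fused into one risk score. The host names, the 10.0.0.0/8 internal range, the three features, the bounded-window quantile tracker and the noisy-OR fusion are all assumptions made for the example.

```python
"""Streaming self-calibrating anomaly scoring over constructed netflow records.

Added example (not FICO's code). Features, scaling and fusion are simplified
stand-ins for the multi-layered self-calibrating analytics the post describes.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress
import random

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the corporate address range
MIN_HISTORY = 90                                # calibration values needed before scoring


@dataclass(frozen=True)
class Flow:
    window: int      # time bucket index (e.g. one five-minute slot)
    src: str         # internal host name
    dst: str         # destination IPv4 address
    dst_port: int
    bytes_out: int


class RunningQuantile:
    """Most recent values of one feature across all hosts, with quantiles read
    from them, so the scale tracks the traffic actually being seen. A bounded
    window is used here as a stand-in for a true streaming quantile estimator."""

    def __init__(self, maxlen: int = 500):
        self.hist = deque(maxlen=maxlen)

    def add(self, value: float) -> None:
        self.hist.append(value)

    def ready(self) -> bool:
        return len(self.hist) >= MIN_HISTORY

    def q(self, p: float) -> float:
        s = sorted(self.hist)
        return s[int(p * (len(s) - 1))]

    def scale(self, value: float) -> float:
        """0 at or below the 99th percentile, rising to 1 over one q99-q90 unit
        above it; the unit is floored so a flat feature (all ones) still scales."""
        q90, q99 = self.q(0.90), self.q(0.99)
        unit = max(q99 - q90, 0.1 * q99, 1.0)
        return min(1.0, max(0.0, (value - q99) / unit))


FEATURES = ("ext_bytes", "ext_dsts", "novel_port_flows")


def host_features(flows, seen_ports):
    """Features for one host in one window; seen_ports is that host's port
    history as of the start of the window."""
    ext = [f for f in flows if ipaddress.ip_address(f.dst) not in INTERNAL]
    return {
        "ext_bytes": sum(f.bytes_out for f in ext),                 # outbound volume
        "ext_dsts": len({f.dst for f in ext}),                      # distinct external peers
        "novel_port_flows": sum(1 for f in flows if f.dst_port not in seen_ports),
    }


def fuse(scaled):
    """Noisy-OR fusion: one strongly anomalous feature is enough to alert."""
    p = 1.0
    for s in scaled.values():
        p *= 1.0 - s
    return 1.0 - p


def score_stream(flows):
    """Score each (host, window) in time order. Calibration and port history
    are updated only after a window is scored, so an outlier cannot calibrate
    itself into the baseline before it is judged."""
    calib = {name: RunningQuantile() for name in FEATURES}
    seen_ports = defaultdict(set)
    by_window = defaultdict(lambda: defaultdict(list))
    for f in flows:
        by_window[f.window][f.src].append(f)
    scores = {}
    for w in sorted(by_window):
        feats = {h: host_features(fl, seen_ports[h]) for h, fl in by_window[w].items()}
        for h, fv in feats.items():                      # score first ...
            if all(calib[n].ready() for n in FEATURES):
                scores[(h, w)] = fuse({n: calib[n].scale(fv[n]) for n in FEATURES})
        for h, fv in feats.items():                      # ... then learn
            for n in FEATURES:
                calib[n].add(fv[n])
            seen_ports[h].update(f.dst_port for f in by_window[w][h])
    return scores


def constructed_flows():
    """Constructed traffic: eight registers and a workstation talk to an internal
    gateway and one vendor cloud address; from window 35 one register starts
    bulk uploads on port 21 to an outside address (constructed incident)."""
    rng = random.Random(7)
    hosts = [f"pos-{i:02d}" for i in range(1, 9)] + ["ws-01"]
    flows = []
    for w in range(40):
        for h in hosts:
            flows.append(Flow(w, h, "10.0.0.5", 443, rng.randint(500, 1500)))
            flows.append(Flow(w, h, "10.0.0.5", 443, rng.randint(500, 1500)))
            flows.append(Flow(w, h, "203.0.113.10", 443, rng.randint(3000, 5000)))
        if w >= 35:
            for _ in range(5):
                flows.append(Flow(w, "pos-03", "198.51.100.23", 21,
                                  rng.randint(1_900_000, 2_100_000)))
    return flows


def alerts(threshold: float = 0.9):
    """(host, window, score) triples at or above the alert threshold."""
    return sorted((h, w, round(s, 3))
                  for (h, w), s in score_stream(constructed_flows()).items()
                  if s >= threshold)


if __name__ == "__main__":
    for h, w, s in alerts():
        print(f"window {w}: {h} score {s}")
```

The point of scoring before learning, and of scaling against recent population quantiles rather than fixed cut-offs, is that the model needs no labelled examples of the incident: the register is flagged in window 35 because its outbound volume, its new external peer and its never-before-seen destination port all sit far outside what the rest of the fleet has been doing. A production model would track quantiles with a proper streaming estimator and add features such as beaconing regularity for command-and-control detection.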

I am extremely excited about bringing FICO in-stream predictive analytics to the cyber security field. Stay tuned to our blog as I continue to provide updates.



Chris ule

Are you suggesting that the streaming analytic model you developed might have prevented the Target breach, or at least alerted Target earlier had FICO streaming analytic models been in use by Target? If so, I look forward to learning more about how that would have worked.

Scott Zoldi

Chris: Yes – our Streaming Cyber Security Analytics model is focused on real-time detection of command & control messaging and abnormal netflow activity. The real-time analytics we’ve used over the last 20 years for fraud detection will be quite impactful in Cyber Security, where the median time to detect breaches is estimated at 243 days!

Satya

ANY analytics are based on and after events happen, so how does this prevent currently running attacks unless you have a feedback loop? If I am not wrong, it may prevent the fallout from a breach rather than prevent the breach.

Scott Zoldi

Satya: Unsupervised analytics is looking for indicators of risk prior to the event or the specific threat vector. Supervised analytics indeed requires examples of past events to model off (training exemplars), but unsupervised and self-learning technologies will point to outliers and abnormalities in the network traffic that can point to potential new threats unseen by models.
