Every second counts: how data can help combat cybercrime
By David Peterson, Principal Solutions Engineer, APAC at Confluent
Wednesday, 20 September, 2023
With headlines of the latest cyber attack dominating the news and roughly one report made to the Australian Cyber Security Centre every seven minutes, it’s clear cybercriminals are more sophisticated and more dangerous than ever before. Fraud in particular is a major issue today, with even the most cyber-resilient organisations incurring huge financial losses and reputational damage.
When it comes to protecting an organisation from a cyberthreat, having the right security tools and processes on-hand is important. But another crucial factor — and one often overlooked — is the role that real-time data plays in cultivating strong defences.
With the threat landscape quickly evolving and adversaries employing new tools to get past network defences, the ability to detect and respond to anomalies in real time is crucial to preventing and minimising the impact of an attack. This article will look at a few data-centric insights technology leaders should consider when reviewing how best to strengthen their cyber defences.
Why current approaches fail to deliver
While organisations are now investing millions of dollars to fight cyberthreats and secure their networks, existing systems still often fail to detect and prevent fraudulent behaviour and attacks effectively, because they lack the timely information and contextual intelligence needed to determine whether an event is legitimate or malicious. This is largely because many organisations’ fraud teams operate independently from cybersecurity teams and have different views of, and access to, the data, which can leave gaps in threat detection.
Fraud teams, for example, tend to rely on sparse, structured data that provides limited contextual insight into transactions, and most lean on statistical models and rules to detect that a malicious event has taken place. But with attacks growing in volume and complexity, the number of indicators that can influence a fraud assessment has also grown.
On the other hand, cybersecurity teams typically invest heavily in analytics-oriented security information and event management (SIEM) tools that rely on the ingestion of log data and other unstructured sources for incident investigation. Although there is a rich pool of contextual data, by the time it’s collected, processed and analysed, precious seconds and minutes are wasted. Additionally, the cyber teams often have difficulty extracting insights from transactional systems like databases, mainframes and ecommerce platforms.
With an ever-widening threat attack surface and traditional distinctions between cyber breaches, fraud and financial crimes fading, such siloed approaches and incomplete data models are becoming increasingly untenable.
Time and context matter
Effective cybersecurity and fraud management requires data infrastructure that supports the timely prevention and detection of cyberthreats, as well as an intelligent response. This includes the ability to capture and send contextual and situational data to the right tools in real time, so potentially malevolent activities can be identified before an unauthorised transaction is invoked.
To explore this in practice, consider the scenario of payment fraud. To determine that an instance of payment fraud has happened, we need to quickly access information that shows the nature of the transaction, decide whether it was legitimate or fraudulent, and understand the context surrounding it. That context can be anything from failed login attempts, password changes and user geolocation to a new payment recipient, user and software device information, and more. This critical information arrives in different types, volumes and formats, and to proactively detect and prevent fraud, all of it must be aggregated and analysed to derive the right security context and develop an effective response.
It’s also important to gain this context in a timely fashion. The traditional forensic style of data analysis means that we are discovering attacks or breaches minutes, hours or days too late. Traditional tools only allow detailed analysis after collection, indexing and storage of data after the attack. Similarly, systems that only analyse historical data retrieved from data-at-rest sources such as databases or logs for after-the-fact analysis are unable to detect and prevent fraud from occurring. Rather, these types of attacks can only be averted if organisations shift from a transaction-centric, data-at-rest mindset to an event-driven, real-time processing approach.
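The following is an added illustration of the event-driven approach described above; it is not code from the article or from Confluent. It keeps a sliding window of context events per user (failed logins, a login from a previously unseen country, a password change, a newly added payee) and scores each payment the moment the payment event arrives, rather than after the fact. The window length, the signal weights, the hold threshold and the sample event stream are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed tuning values (not from the article): a 10-minute context window,
# the score at which a payment is held for step-up verification, and the
# amount treated as "large".
WINDOW_SECONDS = 600
HOLD_AT = 3
LARGE_AMOUNT = 1000


@dataclass
class Event:
    ts: int                 # epoch seconds
    user: str
    kind: str               # login_ok, login_failed, password_changed, new_payee, payment
    attrs: dict = field(default_factory=dict)


class FraudContextProcessor:
    """Keeps a sliding window of recent non-payment events per user and scores
    each payment against that context as soon as the payment event arrives."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.recent = defaultdict(deque)          # user -> events inside the window
        self.known_countries = defaultdict(set)   # user -> countries of past successful logins

    def _expire(self, user, now):
        # Drop context events that have fallen out of the window.
        q = self.recent[user]
        while q and now - q[0].ts > self.window:
            q.popleft()

    def process(self, ev):
        """Context events return None; a payment returns (decision, score, reasons)."""
        self._expire(ev.user, ev.ts)
        if ev.kind != "payment":
            if ev.kind == "login_ok":
                # Flag a successful login from a country this user has never used before.
                country = ev.attrs.get("country")
                seen = self.known_countries[ev.user]
                ev.attrs["new_country"] = bool(seen) and country not in seen
                seen.add(country)
            self.recent[ev.user].append(ev)
            return None
        return self._score_payment(ev)

    def _score_payment(self, pay):
        ctx = self.recent[pay.user]
        score, reasons = 0, []
        failed = sum(1 for e in ctx if e.kind == "login_failed")
        if failed >= 3:
            score += 2; reasons.append(f"{failed} failed logins in window")
        if any(e.kind == "login_ok" and e.attrs.get("new_country") for e in ctx):
            score += 2; reasons.append("login from previously unseen country")
        if any(e.kind == "password_changed" for e in ctx):
            score += 2; reasons.append("password changed in window")
        if any(e.kind == "new_payee" and e.attrs.get("payee") == pay.attrs.get("payee") for e in ctx):
            score += 1; reasons.append("payment to payee added in window")
        if pay.attrs.get("amount", 0) >= LARGE_AMOUNT:
            score += 1; reasons.append("large amount")
        decision = "hold" if score >= HOLD_AT else ("review" if score else "allow")
        return decision, score, reasons


# Constructed sample stream: alice is routine, carol is borderline, and bob shows
# an account-takeover pattern in the minutes before a large payment.
SAMPLE_STREAM = [
    Event(500, "bob", "login_ok", {"country": "AU"}),
    Event(1000, "alice", "login_ok", {"country": "AU"}),
    Event(1100, "alice", "payment", {"payee": "grocer", "amount": 40}),
    Event(1500, "carol", "login_ok", {"country": "AU"}),
    Event(1600, "carol", "new_payee", {"payee": "plumber"}),
    Event(1700, "carol", "payment", {"payee": "plumber", "amount": 1500}),
    Event(2000, "bob", "login_failed"),
    Event(2010, "bob", "login_failed"),
    Event(2020, "bob", "login_failed"),
    Event(2030, "bob", "login_ok", {"country": "RO"}),
    Event(2040, "bob", "password_changed"),
    Event(2050, "bob", "new_payee", {"payee": "mule-001"}),
    Event(2060, "bob", "payment", {"payee": "mule-001", "amount": 4900}),
]


def run(stream):
    """Feed events in arrival order; return {payment_ts: (decision, score, reasons)}."""
    proc = FraudContextProcessor()
    decisions = {}
    for ev in stream:
        result = proc.process(ev)
        if result is not None:
            decisions[ev.ts] = result
    return decisions


if __name__ == "__main__":
    for ts, (decision, score, reasons) in run(SAMPLE_STREAM).items():
        print(ts, decision, score, reasons)
```

The point of the structure is that the decision is made from events already in memory when the payment arrives, so no query against a database or SIEM index sits on the critical path. In a real deployment the same logic would run as a stream-processing job consuming login, account-change and payment topics, and the weights would be tuned against labelled historical fraud rather than chosen by hand.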
Strengthening the cybersecurity backbone
In today’s heightened threat landscape, real-time, event-driven data streaming and stream processing is emerging as a critical backbone of cybersecurity and fraud detection, helping teams manage risk by allowing for real-time continuous monitoring of network traffic, system logs and user behaviour. In fact, according to the Confluent 2023 Data Streaming report, data streaming is used by 54% of organisations to power five or more critical systems, with 61% of Australian leaders saying ‘improving cybersecurity and digital risk management’ presents the highest potential value of data streaming for their business.
But how does this type of data infrastructure work differently to enhance an organisation’s cybersecurity posture? Essentially, unlike traditional, after-the-fact, transaction-based threat detection systems, an event-driven architecture can act on any event as it occurs, whether it is part of the actual transaction or unstructured context enriched by stream processing that tells the whole story of that transaction. Data streaming enables new insights and analytics informed by telemetry generated from all threat touch points far faster than data indexed in a SIEM.
Today, organisations across a range of industries from financial services through to retail and ecommerce are using data streaming to power real-time data analytics and strengthen their cyber defences. Grocery delivery service Instacart, for example, implemented Confluent to improve fraud detection and enable faster execution during the height of the pandemic. Meanwhile, enterprises like Intel are using our real-time infrastructure to build a scalable cyber intelligence platform powered by high-throughput, low-latency event streaming.
Ultimately, data streaming doesn’t exist in isolation — it needs to work as part of a robust strategy that incorporates cyber readiness as a priority. But while real-time data infrastructure alone might not protect an organisation from a cyber attack, it is a crucial component to identifying and preventing malicious activity from occurring. As the arsenal of tools malicious actors employ becomes ever more sophisticated, every millisecond that an organisation has to detect and respond to a threat counts.