
© 2017 Fair Isaac Corporation. Confidential. This presentation is provided for the recipient only and cannot be reproduced or shared without Fair Isaac Corporation’s express consent.

Predicting likelihood of cyber breach by analyzing external security posture of enterprises

Scott M. Zoldi, Ph.D. Chief Analytics Officer FICO

@ScottZoldi


Scott Zoldi, PhD – Chief Analytics Officer

• 18 years at FICO

• Guide analytic development, across Fintech, Fraud, AML, Retail, Insurance, Healthcare, Cyber-security and IoT.

• Author of 79 patents (39 granted and 40 in process)

• New initiatives in Machine Learning and Streaming Analytics

• Recent focus on self learning analytics for real-time detection of Cyber attacks and mobile device analytics

[Chart: Patent Count* by year, 2012 to 2016 (axis 0 to 80), split into Fraud and Cyber and Other. *Includes published and filed]

Multilayer Self-Calibrating Analytics (Neural learning)

Unsupervised Archetype Profiling (Text Analytics)

Biometric Analytics (Streaming)

Auto-encoder Model-monitoring (Deep Learning)

Purchase Propensity (Context-aware)


Cyber security threats: Everyone is a target and every vulnerability is exploited!

ATM

POS

Mobile

Website

SWIFT

Employees

Partners

ISV / Telecom


Forrester 2017 Breach Predictions:

Significant “cyber-crisis”

A Fortune-1000 will fail due to cyber-breach

CISOs to allocate 25% to external services and automation tools

60% of small businesses fail in the first 6 months


A single, easily interpreted, commonly understood score of an organization’s potential breach risk – a reference metric used enterprise-wide: Board of Directors, CEO, CISO, and security professionals alike.

Quantifies how an organization appears to a cyber criminal

Inform breach insurance underwriting process

Ascertain security risk of partner organizations and the vendor supply chain

What is facilitated by Cyber Risk Score

[Graphic: score readouts 840 and 835]


Cyber Risk – Leveraging a Credit Risk Playbook

Top lenders using FICO® Scores when making lending decisions: 90%

FICO Scores purchased in US annually: 10B

Businesses that rely on the FICO Score: 70K

Countries where the FICO Score is deployed: 20

[Score scale: Low Risk to High Risk]


ESS Delivers a Passively Obtained Empirical Score

• Millions of data elements continually monitored at internet scale

• Historical depth to reflect security posture of breached networks prior to the incident

• Measurements that serve to assess policy effectiveness and management behaviors

• Data richness that supports empirical analysis, not judgment-based grades

Commercial Sources

Breach Events

Compiled Sources

Internet Presence

E.g., Spamhaus

Details of global breach incidents

Firm demographics

FICO Enterprise Security Score

Passive Scan Info

E.g., open ports, version / patches, expired certs

Exposure


Cyber Breach Risk: Building an Empirical Model

Performance Date (ex: 12-15-2016)

Data elements collected on observation date

Malware/Spam/Phishing

NTP/DNS/SNMP/SSDP

Certificates/configs

Demographic Data

[Chart: Bads and Goods on a 300 to 850 axis. FICO: 24X; others: 5X]

Observation Date (ex: 12-15-2015)

+ TAG

+ FEATURES

Breached??

Scorecard Model(s)
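An added illustration of the observation-date / performance-date setup on this slide (not FICO's code): features are frozen at the observation date and the tag comes only from breaches in the window that follows. The data, field names and the rule that drops organizations breached on or before the observation date are assumptions made for the example.

```python
from datetime import date

# Dates follow the examples on the slide; everything else is constructed.
OBSERVATION_DATE = date(2015, 12, 15)
PERFORMANCE_DATE = date(2016, 12, 15)

# Constructed snapshot of externally observed features per organization,
# as seen on the observation date.
SNAPSHOTS = {
    "org-a": {"expired_certs": 11, "spam_endpoints": 0, "open_resolvers": 4},
    "org-b": {"expired_certs": 0, "spam_endpoints": 0, "open_resolvers": 0},
    "org-c": {"expired_certs": 2, "spam_endpoints": 3, "open_resolvers": 0},
    "org-d": {"expired_certs": 1, "spam_endpoints": 0, "open_resolvers": 1},
    "org-e": {"expired_certs": 5, "spam_endpoints": 1, "open_resolvers": 0},
}
# Constructed breach events: (organization, breach date).
BREACHES = [
    ("org-a", date(2016, 3, 2)),    # inside the window -> tag 1
    ("org-c", date(2016, 11, 30)),  # inside the window -> tag 1
    ("org-d", date(2017, 2, 1)),    # after the performance date -> tag 0
    ("org-e", date(2015, 6, 9)),    # before the observation date -> dropped
]

def build_training_rows(snapshots, breaches, obs, perf):
    """Join features seen on `obs` with a breach tag from the window (obs, perf]."""
    rows = []
    for org, features in sorted(snapshots.items()):
        dates = [d for o, d in breaches if o == org]
        if any(d <= obs for d in dates):
            continue  # assumption: already-breached organizations are excluded
        tag = int(any(obs < d <= perf for d in dates))
        rows.append({"org": org, "tag": tag, **features})
    return rows

def bad_rate_by_flag(rows, feature):
    """Breach rate where `feature` is non-zero vs. where it is zero."""
    def rate(group):
        return sum(r["tag"] for r in group) / len(group) if group else None
    flagged = [r for r in rows if r[feature] > 0]
    clean = [r for r in rows if r[feature] == 0]
    return rate(flagged), rate(clean)

if __name__ == "__main__":
    rows = build_training_rows(SNAPSHOTS, BREACHES, OBSERVATION_DATE, PERFORMANCE_DATE)
    for row in rows:
        print(row)
    print(bad_rate_by_flag(rows, "expired_certs"))
```

Nothing observed after the observation date enters the feature columns, so a later breach cannot leak into the inputs used to predict it.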


Data Collected; Operationalized via Score and Reason Codes

Three categories of monitored issues with corresponding reason codes

Endpoint Security: Malware/Spam/Phishing

Infrastructure Security: NTP/DNS/SNMP/SSDP

Services & Software: Certificates/Configurations

Organization Score


Does Size Matter? Identification of Riskiest Network Assets

$$q(x_i \mid s) = \min\!\left(\max\!\left(\frac{x_i - s_P}{s_R - s_L},\, 0\right),\, C\right) \in [0, C]$$

[Figure: relative probability plotted against the variable, from Low Risk to High Risk, with markers $S_L$, $S_R$, $S_p$ and the current variable value $x_i$]

Security posture of the organization informed by its weakest link using patent-pending technology

US Patent 8,027,439; 8,041,597; 13/367,344; 15/463,420

[Diagram: Multi-Layer Self-Calibrating Score network with Input Layer, Hidden Layer and Output Layer; Weights Tuning]


Asset scoring and remediation: Where are my weakest links?

Weakest Link


Remediation and Oversight: Actionable Intelligence

Prefix 205.153.84.0/22 contains 11 endpoints with expired SSL certificates

Prefix 169.54.49.208/28 contains 3 endpoints engaging in spamming behavior

Prefix 205.167.52.0/23 contains 4 endpoints that resolve recursive DNS queries
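An added example, not part of the presentation or FICO's tooling, of how per-endpoint findings can be rolled up into per-prefix remediation lines like the three above. The addresses are constructed from documentation ranges and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed inputs (RFC 5737 documentation ranges, not the prefixes on the slide).
ORG_PREFIXES = ["192.0.2.0/25", "198.51.100.0/24", "203.0.113.0/28"]
FINDINGS = [  # (endpoint address, issue observed externally)
    ("192.0.2.10", "with expired SSL certificates"),
    ("192.0.2.44", "with expired SSL certificates"),
    ("192.0.2.200", "with expired SSL certificates"),        # outside 192.0.2.0/25
    ("198.51.100.7", "engaging in spamming behavior"),
    ("203.0.113.5", "that resolve recursive DNS queries"),
    ("203.0.113.9", "that resolve recursive DNS queries"),
    ("203.0.113.9", "that resolve recursive DNS queries"),   # duplicate observation
    ("not-an-ip", "engaging in spamming behavior"),          # malformed record
]

def rollup(prefixes, findings):
    """Count distinct endpoints per (prefix, issue); return (counts, unattributed)."""
    nets = sorted((ipaddress.ip_network(p) for p in prefixes),
                  key=lambda n: n.prefixlen, reverse=True)  # most specific first
    seen, counts, unattributed = set(), Counter(), []
    for addr, issue in findings:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            unattributed.append((addr, issue))  # keep bad records for review
            continue
        net = next((n for n in nets if ip in n), None)
        if net is None:
            unattributed.append((addr, issue))  # not in any known prefix
        elif (ip, issue) not in seen:
            seen.add((ip, issue))
            counts[(str(net), issue)] += 1
    return counts, unattributed

def remediation_lines(counts):
    """Highest endpoint counts first, in the wording used on the slide."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"Prefix {net} contains {n} endpoint{'' if n == 1 else 's'} {issue}"
            for (net, issue), n in ordered]

if __name__ == "__main__":
    counts, unattributed = rollup(ORG_PREFIXES, FINDINGS)
    print("\n".join(remediation_lines(counts)))
    print("unattributed:", unattributed)
```

Findings that fall outside every known prefix are returned separately rather than dropped, since they may point to assets missing from the inventory.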


1. A single risk metric: ESS continuously quantifies the likelihood of a future data breach

2. Utility: In addition to breach prediction, ESS can be used to inform the breach insurance underwriting process

3. Liability: Know your vendors’ and partners’ risk along the entire vendor supply chain prior to data exchange


Thank you!
