© 2007 IBM Corporation
Threat and Fraud IntelligenceIBM’s Entity Analytics Solutions
John McBride, IBM Solutions Executive
© 2007 IBM Corporation2
Threat & Fraud IntelligenceA High Impact Business Opportunity Is EmergingHeightened regulatory pressures and an intensifying threat environment demand a new level of Threat & Fraud Intelligence
AMLAML$590bn to $590bn to $1.5tr, PY $1.5tr, PY 2%–5% of 2%–5% of
GGDPGGDP
Patriot Act Patriot Act KYCKYC
$10.9 billion $10.9 billion
Health Health InsuranceInsurance
$100bn $100bn lost lost
annuallyannually
Telecom Telecom Fraud Fraud $55bn $55bn
lost lost annuallyannually
Identity Identity TheftTheft
$8.0 bn $8.0 bn lost lost
annuallyannually
OFAC Hits OFAC Hits Criminal Criminal NetworksNetworks
Risk & Risk & ComplianceCompliance
EntitlementEntitlementFraudFraud
Account Account VerificationVerification
Law Law EnforcemenEnforcemen
tt
Home Home Land Land
SecuritySecuritySafe Safe
BordersBorders
National National SecuritySecurity
BankAtlantic committed ‘serious and systemic’ BSA violations April 27, 2006 - Moneylaundering.com. BankAtlantic provided clients something better than 7-day service – one branch manager opened its doors to drug traffickers and professional money launderers and helped commit their crimes. BankAtlantic Bancorp signed a deferred prosecution agreement and forfeited $10 million to the U.S. Department of Justice for criminally violating the Bank Secrecy Act (BSA)..
© 2007 IBM Corporation3
Today’s intensifying challenges mandate a fresh approach to managing threat information
Current Approaches have become obsolete.
Why Now?Threat & Fraud Pressures Are Intensifying
Information is compartmentalized – lack of full integration is obscuring visibility
Query State limits ability to address complexity of threats
Untimely – threats identified ex-post facto.
Inaccurate – Broadscale false positives and false negatives
Out of context – lack of decision support/guidance once threat is
identified
Multiplication of threat types, and frequency
Threats are increasingly asymmetrical
Explosion in complexity of threat identification
Frequency of transaction/interactionsTransparency is clouding
Regulatory pressures are increasing
Intensifying profit and business pressures
Information Must Become a
Strategic Asset
© 2007 IBM Corporation4
Threat & Fraud Challenges Are IntensifyingMultiplying Threat Types with Increased Frequency
FEMA Lost $1Billion to Fraud, ErrorsReport lists problems with hurricane reliefUSA Today, June 14, 2006
Sloppy mistakes and con artists cost FEMA at least $1Billion in disaster relief claims in the six months after last year’s devastating Gulf Coast hurricanes, according to a report by government investigators due out today. The government sent checks to thousands of people who registered with FEMA using information belonging to prison inmates, or who provided only a post office box for the their damaged home.
The investigation found that FEMA lacked basic mechanisms to detect and discourage rampant fraud. One person received 26 FEMA payments totaling $139,000, using 13 different social security numbers, and 13 addresses.
U.S. Government Plans to Overhaul Disaster AidThe New York Times, July 23 2006The Department of Homeland Security, responding to months of criticism and ridicule, is revamping several of its core disaster relief programs…Most important, officials said, emergency cash assistance will be granted only after FEMA officials have used computer records to ensure applicants are not repeatedly signing up for aid, or using false Social Security numbers or fabricated addresses.
© 2007 IBM Corporation5
Fraud &Threat Pressures Are IntensifyingThreats Are Increasingly Asymmetrical
Two Elderly Women Jailed In Deadly Insurance ScamWashington Post, Tuesday, May 23, 2006; Page A03 LOS ANGELES, May 22 -- Two elderly women devised a complex plot in which they befriended homeless men, took out life insurance policies on them, and then killed the men in hit-and-run accidents in alleys around Los Angeles to collect $2.2 million in payments, police said Monday.
California law allows an insurance company to contest a new policy for two years, Vernon said. "Between the first and second incident, there's a six-year span," Vernon said. "It's very naive to think there haven't been any victims in those six years, especially when you consider they're using these men as certificates of deposit, with a maturity date of two years."
2 Arrested in Homeless Life Insurance ScamLA Times Staff Writers, May 19, 2006 Two women in their 70s were arrested Thursday after they allegedly befriended two homeless men, took out 19 life insurance policies on them and filed claims worth more than $2.2 million after the transients mysteriously died in hit-and-run pedestrian accidents in Los Angeles.
Detectives said they connected the two cases several months ago during a chance meeting between two investigators in the LAPD's West Traffic Bureau squad room. A detective handling the death of Kenneth McDavid, 50, was talking about the peculiarity of the case when another detective interrupted him to say he had worked on a similar-sounding, unsolved hit-and-run six years ago.
© 2007 IBM Corporation6
Threat & Fraud Challenges Are IntensifyingMultiplying Threat Types with Increased Frequency
Mackenzie created new customer identification numbersA bank manager carried out a £21m fraud on his employers as they named him business manager of the year.As a business manager at the Royal Bank of Scotland, Donald MacKenzie had the authority to open personal bridging loan accounts.His scam involved creating new customer identification numbers (CINs) using details of customers, sometimes by omitting just one letter from their name.
Last Updated: Tuesday, 6 June 2006, 17:01 GMT 18:01 UK
Mackenzie created new customer identification numbers
IBM’s Threat & Fraud Intelligence platform, utilizing the Name Recognition capability, would have detected the name variations, and helped prevent the fraud
© 2007 IBM Corporation7
Maiden Names, Deaths, Moves, New Accounts
Name / Address / DOB Deception
Intermediators, Introducers, Beneficiaries,
Pooled Accounts
NefariousUn-IdentifiedThird Parties
Data Islands/Silos/Transposition Errors
Online & Remote Clients
Data Degradation / Data Drift
Multiple Prefixes, Abdul, Fitz, O', De La,
Multiple Name Variants
Phonetic Transposition Errors, Lester - Leicester
Name Order, “Maria del Carmen Bustamante de la
Fuente”
Multiple Titles, Dr., Rev, Haj, Sri., Col
Nicknames, Hammed, Mogs
Ambiguous, Misrepresented, Blurry IdentityThe Challenges Go Beyond Date Silos
??
© 2007 IBM Corporation8
Full pattern & identity resolutionPattern linked to name, identity & relationship
Complete & Self ImprovingUtilizing all sources of information within the enterprise and beyond
Active & Dynamic Persistent & Autonomic Analysis
On-Line, On Demand & TimelyRespond to threats in real time
In ContextFull decision support and guidance
What’s Needed?Early adopters beginning to recognize requirements
The capability now exists.Integrated Software Platform Business Know
How
Current State Future State
Threat and FraudStatistics & Reporting
Limited Discovery& Analysis
Incomplete View
InformationOverload
Passive & Query Based
© 2007 IBM Corporation
Conquering Enterprise AmnesiaNext Generation Business Intelligence
© 2007 IBM Corporation10
Human Resources Department
CorporateSecurity
Department
ProspectDatabase
EmployeeDatabase
FraudDatabase
MarketingDepartment
Hiring employees who had previously been arrested for stealing from you!
Consequences of Enterprise Amnesia
© 2007 IBM Corporation11
ProspectDatabase
EmployeeDatabase
Human Resources Department
CorporateSecurity
Department
InvestigationsDatabase
Marketing department is mailing offers to a person currently in jail for stealing from you!
MarketingDepartment
Consequences of Enterprise Amnesia
© 2007 IBM Corporation12
Amnesia is Embarrassing
Amnesia is Expensive
© 2007 IBM Corporation13
Enterprise Intelligence
Requires Persistent Context
The Brain!
© 2007 IBM Corporation14
M. Randal SmithDOB: 06/07/74713 731 5577
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
Record #B-9103
Observations
FEATURES:Mark Randal Smith
123 Main Street713 731 5577DOB 06/07/74
IdentitiesEvents
JobApplication
Arrest
Employee Database
Fraud Database
Sensors
Problem: Non-Observables and Isolated Perceptions
Non-Observable
© 2007 IBM Corporation15
Marc R Smith123 Main St713 730 5769
M. Randal SmithDOB: 06/07/74713 731 5577
Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577 Employee
Database
Fraud Database
Record #A-701The Query
Record #B-9103
SensorsObservations
Consequence of Perception Isolation
© 2007 IBM Corporation16
Marc R Smith123 Main St713 730 5769
M. Randal SmithDOB: 06/07/74713 731 5577
The Query Record #A-701
Record #B-9103
Employee Database
Fraud Database
SensorsObservations
Some Observations … are Discoverable
Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577
© 2007 IBM Corporation17
Marc R Smith123 Main St713 730 5769
M. Randal SmithDOB: 06/07/74713 731 5577
The Query Record #A-701
Record #B-9103
Employee Database
Fraud Database
SensorsObservations
Some Observations … are Undiscoverable
Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577
© 2007 IBM Corporation18
M. Randal SmithDOB: 06/07/74713 731 5577FEATURES:
Mark Randy Smith, M. Randal Smith123 Main Street, 713 731 5577
DOB 06/07/74EVENTS:
Job ApplicationArrest
Constructed Context
SensorsObservations
Record #A-701
Record #B-9103
Employee Database
Fraud Database
First: Context is Pre-Constructed (Features and Events)
Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577
© 2007 IBM Corporation19
PersistentContext
Mark
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Context is Persisted
M. Randal SmithDOB: 06/07/74713 731 5577
SensorsObservations
Record #A-701
Record #B-9103
Employee Database
Fraud Database
Mark Randy Smith123 Main StreetDOB: 06/07/74713 731 5577
© 2007 IBM Corporation20
Marc R Smith123 Main St713 730 5769
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
M. Randal SmithDOB: 06/07/74713 731 5577
Record #B-9103
Queries
Now the Un-discoverable …
© 2007 IBM Corporation21
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
M. Randal SmithDOB: 06/07/74713 731 5577
Record #B-9103
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Persistent Context
Observations
Using Persistent Context
Marc R Smith123 Main St713 730 5769
Queries
© 2007 IBM Corporation22
Marc R Smith123 Main St713 730 5769
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
M. Randal SmithDOB: 06/07/74713 731 5577
Record #B-9103
Queries Persistent Context
Observations
Enterprise Discovery is Possible
© 2007 IBM Corporation23
Marc R Smith123 Main St713 730 5769
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
M. Randal SmithDOB: 06/07/74713 731 5577
Record #B-9103
Queries Persistent Context
Observations
Enterprise Discovery is Possible
© 2007 IBM Corporation24
Marc R Smith123 Main St713 730 5769
The query could be: - A user with a question
Or, also could be data: - An account opening - A new watch list entry - A background check - An address change - A vendor application - A customer inquiry
Queries
New Think: Treat Data as a Query!
© 2007 IBM Corporation25
1st principle
If you do not process every new piece of key data (perception) first like a
query … then you will not know if it matters … until
someone asks.
© 2007 IBM Corporation26
Emile SwelterToronto12/03/72
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
M. Randal SmithDOB: 06/07/74713 731 5577
Record #B-9103
?
Queries PersistentContext
Observations
New Think: Treat Queries as Data
© 2007 IBM Corporation27
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
Record #A-701
M. Randal SmithDOB: 06/07/74713 731 5577
Record #B-9103
PersistentContext
ObservationsQueries
Emile SwelterToronto12/03/72
In Which Case … Queries can Persist
© 2007 IBM Corporation28
PersistentContext
Notably, in the Same Data Space
© 2007 IBM Corporation29
Question answered when it becomes true!
Emilee Swelter321 Ovington PlaceToronto03/12/72
New ObservationPersistentContext
Emile SwelterToronto12/03/72
Queries
New Observations Answer Persistent Queries
© 2007 IBM Corporation30
2nd principle
Treat queries like data to avoid having to ask every
question every day.
© 2007 IBM Corporation31
New Think: Data and Query Equality
Queries find data
Data finds queries
Data finds data
TraditionalIntelligentSystems
Queries find queries!
© 2007 IBM Corporation32
M. Randal SmithDOB: 06/07/74713 731 5577
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577 Employee
Database
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
Mark
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Sensors
This is Context Construction (Identity Resolution)
© 2007 IBM Corporation33
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
FEATURES:Mark Randy Smith, M. Randal Smith, Randy Smith
123 Main Street, Flat 6 20 Lennox Gardens713 731 5577, 796 064 03 04
DOB 06/07/74, Passport: 001003429002
2 Observations 6 Observations
More Observations More
More Observations (data) = Better Context
© 2007 IBM Corporation34
M. Randal SmithDOB: 06/07/74713 731 5577
EmployeeDatabase
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
Mark
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Sensors
!
The Ideal Moment for Enterprise Awareness
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577
© 2007 IBM Corporation35
3rd principle
Enterprise awareness is computationally most
efficient when performed at the moment the
observation is perceived.
© 2007 IBM Corporation36
The “data finds the data” …
and “relevance finds the user.”
Towards Enterprise Intelligence
New Paradigm: Perpetual Analytics
© 2007 IBM Corporation37
Time
Grow
th o
f Com
putin
g Po
wer New
Information
Sensemaking Algorithms
Growing Amnesia Index?
Faster Computing is Producing Greater Amnesia!
© 2007 IBM Corporation38
Technical Overview
© 2007 IBM Corporation39
IBM Entity AnalyticsTechnologies
Basic Architecture
Data Sources
Queries
Analytics Engine
Persistent Context
Database
Discovery
SQL DBMS
C++ Code
XMLXML
© 2007 IBM Corporation40
Enterprise Service Bus
Entity Analyti
cs
Service Oriented Architecture (SOA)
Vendors
EmployeesAnd
Applicants
Arrests
Credit Applications
Investigations
Transactional
Activity
Customer Acquisition
© 2007 IBM Corporation41
Real World Enterprise Amnesia
© 2007 IBM Corporation42
Detected Relationships• 24 active players were known
cheaters• 23 players had relationships to
prior arrests/incidents• 12 employees were themselves
the player• 192 employees had possible
vendor relationships• 7 employees were the vendor
Data Sources
• 20,000 plus employees
• All vendors• All slot club & table
games-related players
• In-house arrests/incidents
• Known cheaters
Case Study: Las Vegas Casino
© 2007 IBM Corporation43
Detected Relationships• 2 out of every 1000 employees
had been arrested for shoplifting• 8 out of every 1000 employees
were related to known shoplifters
• 9 vendors on the internal security file
• 1 executive related to a vendor (a charity). Possible case of embezzlement.
Data Sources
• 40,000 plus employees
• 10,000 plus vendors• 26,000 international
security/arrest records (shoplifters, etc.)
Case Study: Retail
© 2007 IBM Corporation44
Case Study: US Federal Agency
Detected Relationships• 140 employee relationships to
vendors• 1451 potential vendor
relationships to security risks• 253 employee relationships to
security risk entities• 2 vendors were the security
risk• “n” employees were the
security risk/vendor
Data Sources
• 20,000 plus employees
• 75,000 plus vendors• 200,000 plus Type 1
security risk entities• 200,000 plus Type 2
security risk entities
© 2007 IBM Corporation45
Katrina Reunification Project Statistics
Total data sources 15
Usable identity records 1,570,000
Unique persons 36,815
Families Reunited >100
© 2007 IBM Corporation46
Responsible Innovation in Support of Privacy and Civil Liberties
Analytics in the Anonymized Data Space
© 2007 IBM Corporation47
M. Randal SmithDOB: 06/07/74713 731 5577
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577 Employee
Database
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Sensors
Observations Are Anonymized
© 2007 IBM Corporation48
EmployeeDatabase
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Sensors
Cd5dced41028cb …00c9782a552a2 …7f2b6e48ea7d0 ……
0d06b31faa7c…B5e341a4b0c…00c9782a552……
Observations Are Anonymized
© 2007 IBM Corporation49
EmployeeDatabase
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
FEATURES:Mark Randy Smith, M. Randal Smith
123 Main Street713 731 5577DOB 06/07/74
Sensors
Cd5dced41028cb …00c9782a552a2 …7f2b6e48ea7d0 ……
0d06b31faa7c…B5e341a4b0c…00c9782a552……
Observations Are Anonymized
© 2007 IBM Corporation50
EmployeeDatabase
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
FEATURES:Cd5dced41028cb7ea51…00c9782a552a2d09b1b…7f2b6e48ea7d042bbe8…
…
Sensors
Cd5dced41028cb …00c9782a552a2 …7f2b6e48ea7d0 ……
0d06b31faa7c…B5e341a4b0c…00c9782a552……
Risk of Unintended Disclosure Vastly Reduced
© 2007 IBM Corporation51
EmployeeDatabase
Fraud Database
Record #A-701
Record #B-9103
ObservationsPersistentContext
FEATURES:Cd5dced41028cb7ea51…00c9782a552a2d09b1b…7f2b6e48ea7d042bbe8…
…
Sensors
Cd5dced41028cb …00c9782a552a2 …7f2b6e48ea7d0 ……
0d06b31faa7c…B5e341a4b0c…00c9782a552……
!
Discovery Achieved Post Anonymization!
© 2007 IBM Corporation52
Record #A-701Matches
Record #B-9103
Discovery
M. Randal SmithDOB: 06/07/74713 731 5577
Mark Randy SmithDOB: 06/07/74123 Main Street713 731 5577 Employee
Database
Fraud Database
Record #A-701
Record #B-9103
Observations Sensors
Policy Controls
Policy Controls
Maximizing Discovery - Minimizing Disclosure!
© 2007 IBM Corporation53
Different Missions – Different Measures Information sharing with oneself
Information sharing with similar organizations (e.g., private-private or public-public)
Information sharing across organization types (e.g., private-public)
Information sharing across friendly governments
Information sharing across other entities with high levels of bilateral distrust
© 2007 IBM Corporation54
Technology Status
© 2007 IBM Corporation55
IBM
Info
. Ser
ver -
ETL
W
eb S
ervi
ces
MQ
Threat and Fraud Intelligence – Reference Architecture
Acquisition AggregationResolution Analysis Action
Employee
Data
Data
Data
Transactions
Data
Watchlist
Customer
Structured Data
Sources (Inside
Enterprise)
Data
Unstructured
EAS
Visu
aliz
erIn
vest
igat
ion
Port
al
Web
Ser
vice
sM
Q
IB
M -
Fed
erat
ion
Serv
er
Cas
e M
anag
emen
t
Unstructured Images, Text, Audio, etc
Data
Entity Repository
Data
Entit
y A
naly
ticSo
lutio
ns
GNR
ALERT!
ALERT!
ALERT!
© 2007 IBM Corporation56
Founded in 1984 as Language Analysis Solutions (LAS) a professional services firm– The Gold Standard in name recognition and matching– The domain experts in multi-cultural name recognition– Early penetration within federal govt, intelligence, border
control, and defense
Established name recognition suite validated by our customers– More than 40 successful implementations – Full name recognition/scoring suite – Blue chip installations in banking, transportation, travel,
homeland security
IBM acquires LAS, March 15 -LAS becomes “IBM Entity Analytic Solutions”– Strong penetration into Financial Services, Insurance,
Healthcare, Retail
Founded in 1983 as Systems Research & Development (SRD) a custom identity-based software consultancy
Technology developed in Las Vegas – Lab for finding bad guys –
First software products introduced in 2001– In-Q-Tel Funding
Strong heritage customer base in Federal Government, Gaming, Financial Services– Customers with extreme low tolerance for risk
IBM acquires SRD, January 2005 -SRD becomes “IBM Entity Analytic Solutions”– Strong penetration into Financial Services,
Insurance, Healthcare, Retail
EAS GNR
IBM EAS & GNRHistory – 47 Combined Years
© 2007 IBM Corporation57
Threat and Fraud Intelligence Core Capabilities
1. Automatic, non-obvious relationship detection (Social Networks/Syndicates)
2. Attribute-based Identity-resolution (Short Time to Value)
3. Perpetual, real-time analytics and alerting (Business Process Impact)
4. Proactive, insightful, enterprise search (Complete Enterprise View)
5. Multicultural Name Recognition“Ask Every Smart Question,Every Day - Automatically.”
© 2007 IBM Corporation58
Anonymization – Real (new) Technology
Productized in May 2005
Produces materially similar matching results
Example: Government Customers– To solve cross-compartment exploitation– To solve a complex identity-sharing mission
Example: Health Care Customers– University program in support of anonymous heritability
research (genealogy data correlated with adverse clinical outcome data)
– A life sciences group in support of Lupus research
© 2007 IBM Corporation59
Heritage Foundation and Center for Democracy and TechnologyTechnologies That Can Protect Privacy as Information Is Shared to Combat
Terrorismhttp://www.heritage.org/RESEARCH/homelanddefense/lm11.cfmhttp://www.cdt.org/security/usapatriot/20040526technologies.pdf
Research Report (Peter Swire)Application of IBM Anonymous Resolution to the Health Care Sector(Available upon request)
Steptoe & Johnson (Stewart Baker)Anonymization, Data-Matching and Privacy: A Case Studyhttp://www.steptoe.com/publications/279d.pdf
Emergent Information Technologies and Enabling Policies for Counter-Terrorism
Robert L. Popp (Editor), John Yen (Editor)June 2006, Wiley-IEEE Presshttp://www.wiley.com/WileyCDA/WileyTitle/productCd-0471776157.html
Markle Foundation – National Security in the Information Age Task ForceThird Report: Mobilizing Information to Prevent Terrorismhttp://www.markle.org/downloadable_assets/2006_nstf_report3.pdf
Reference Materials
© 2007 IBM Corporation60
Questions?