Over the last decade, we have seen a steady increase in cyber capabilities that executives can leverage to support board-level commitments and the individual Lines of Business (LoB). Furthermore, threat actors, such as organized crime and nation-states, are often buoyed by the myriad challenges modern organizations face (e.g., dispersed workforce, disruptive technology, siloed business verticals, complex legal and regulatory frameworks). Adversaries feed on this complexity, leading to losses in the areas of Fraud, Waste, and Abuse (FWA).
Managing FWA is not a new problem. In 2018, federal inspectors general (IGs) identified $36.2 billion in potential savings and reported $15.1 billion in investigative recoveries and 5,131 successful prosecutions and civil actions. Each industry is affected to different degrees; as such, organizations craft risk appetites, thresholds, and tolerances tailored to minimize exposure to threats. This exercise can be nuanced. For example, an organization may be willing to accept some level of risk for financial loss; however, there may be zero tolerance for reputational impact or regulatory inquiry. The level of risk an entity accepts, and the level of risk it can tolerate, is fundamentally an assessment of the desired future state of the risk environment within which the organization wishes to work.
Outside some of the more prominent examples shown in the media, FWA is often nuanced and persistent. It can manifest as fraudulent transactions, overpayments, duplicate payments, or processing errors, and it is more challenging to identify because it often falls within the standard deviation of what is considered “normal.” Because of this, governance, processes, standards, and technologies are all used to customize elements of loss prevention by monitoring and minimizing the attack surface. Zero Trust Architecture (ZTA) is one emerging framework to help with this.
ZTA, at its core, is a security framework based on an acknowledgment that threats exist both inside and outside the network boundary. ZTA’s purpose is to understand how users, processes, and data map together and to repeatedly question the premise of trust. For organizations that wish to leverage ZTA to support their FWA risk treatments and tolerance levels, the following principles should be considered:
1. Never trust: For processes tied to risk appetite, every step should be considered untrusted. Explicitly authorize each action to the least privilege using dynamic security policies. Decisions around ZTA require a clear understanding of the process maps around all transactions relevant to risk tolerance and targets.
2. Assume FWA is embedded in all transactions: Log, inspect, and continuously monitor all aspects of processes tied to risk tolerances for suspicious activity. Focus on applying ZTA concepts to critical process steps first -- then secure all paths with access to these process steps. Inspect and log all activity before closing the process or transaction to establish complete visibility of all activity across all control planes to enable analytics to detect suspicious activity.
3. Verify explicitly: Transactions should be evaluated using multiple attributes to derive confidence levels for access and step-up authorization for decisions over a certain threshold. Determine who/what needs access to each process step and create access control policies.
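The three principles can be combined in a single policy decision point for a payment process. The sketch below is an added example, not code from the original article; the role names, weights, thresholds and transaction fields are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed policy values; thresholds, weights and role names are assumptions.
STEP_ROLES = {"create_payment": {"ap_clerk"}, "approve_payment": {"ap_manager"}}
STEP_UP_AMOUNT = 10_000   # decisions over this amount always need step-up
ALLOW_AT = 75             # minimum confidence (0-100) for a direct allow
DENY_BELOW = 40           # below this confidence the request is refused

@dataclass(frozen=True)
class Txn:
    txn_id: str
    actor: str
    role: str
    step: str
    payee: str
    invoice: str
    amount: int
    device_managed: bool
    mfa_fresh: bool

def evaluate(txn, seen, audit):
    """Decide 'allow', 'step_up' or 'deny' for one process step and log it."""
    key = (txn.payee, txn.invoice, txn.amount)
    confidence, reasons = 100, []
    if txn.role not in STEP_ROLES.get(txn.step, set()):
        # Never trust: no explicit grant for this role and step means deny.
        confidence, reasons = 0, ["role not authorized for step"]
    else:
        # Verify explicitly: several attributes each adjust the confidence.
        if not txn.device_managed:
            confidence -= 30
            reasons.append("unmanaged device")
        if not txn.mfa_fresh:
            confidence -= 30
            reasons.append("stale MFA")
        if key in seen:
            confidence -= 50
            reasons.append("possible duplicate payment")
        seen.add(key)
    if confidence < DENY_BELOW:
        decision = "deny"
    elif confidence < ALLOW_AT or txn.amount > STEP_UP_AMOUNT:
        decision = "step_up"   # e.g. require a second approver
    else:
        decision = "allow"
    # Assume FWA is embedded: every decision is logged, including allows.
    audit.append({"txn": txn.txn_id, "actor": txn.actor, "step": txn.step,
                  "decision": decision, "confidence": confidence, "reasons": reasons})
    return decision
```

Because the allowed decisions are written to the same audit record as the denied ones, analytics can later review activity that individually looked "normal."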
In 2020, governments and industry reacted swiftly with programs to support economic recovery from the global pandemic (e.g., grants, loans, payment checks, and salary coverage). According to a recent Thomson Reuters survey, 40% believe that instances of FWA would increase through 2021, which is coupled with existing tight budgets and stretched resources. This highlights an expressed desire to shift more resources to the prevention of FWA. Integrating Zero Trust elements can help to address these challenges.
Transitioning to a mature Zero Trust Architecture all at once is not necessary; incorporating ZTA incrementally as part of a strategic plan can reduce risk at each step. The ZTA concepts mitigate many FWA risks, enhance visibility, and automate responses. This allows defenders to better keep pace with ever-evolving threats and to continually reduce losses.