Visa: Using AI To Separate The Good, Bad — Across Billions Of Daily Security Events

Three billion credit and debit cards. More than 100 billion transactions, worth more than $11 trillion.

That’s the payments volume running over Visa’s global network, a network whose vast global expanse is a tempting playground for cyberthieves.

Visa’s cybersecurity team, as Chief Information Security Officer Sunil Seshadri told Karen Webster, also logs as many as 8 billion security events every day — that’s billion with a “b.” Not all events are intrusions or even attempts, but also include routine security logs and regular everyday network activity. These logs provide deep insight into what is happening in Visa’s infrastructure and network on a real-time basis. But finding the signal in this noisy data is a challenge.

That’s where applied artificial intelligence (AI), such as machine learning, comes in. AI has become an essential tool for Visa in identifying the needle in the haystack: the attempted piece of malware or malicious code buried among the billions of normal events. This has become even more critical given the lightning-fast speed at which sophisticated hackers now operate.

At a high level, Seshadri told Webster, successful breaches show some common themes. Many hackers are taking advantage of poor identity management and access protocols — meaning hackers need only steal the credentials of a single employee to gain access to critical administrative functions. Malware has become more advanced and adept at evading traditional technologies. And tech infrastructure has grown increasingly complex, making it harder to keep up with the steady stream of vulnerability patches.

Moving Past the Way It’s Always Been Done

The modus operandi for most companies’ cybersecurity defense tactics is to rely on signature-heavy solutions, which scan for patterns of code associated with known threats, or to wait for new patches to be deployed. While these are table-stake activities, they are turning out to be reactive ways of protecting organizations.

“With applied AI techniques such as machine learning using neural networks, deep learning and anomaly detection capabilities, we can take a much more proactive approach in building self-defending systems that don’t only rely on vendors to supply patches or anti-malware to keep up with new threat signatures,” he said.

Intelligence-Driven Security 

Those 8 billion security events that Visa captures every day are analyzed in depth on a continuous basis to understand “what is good and what is bad” in day-to-day operations.

“The machines learn for themselves, using unsupervised learning models,” said Seshadri. “They ask ‘what does an attack look like?’ and ‘what does normal behavior look like?’ so we can take action against threats in an automated way.”

That automated aspect is crucial against a backdrop where there simply is not enough manpower to deal with every incident or log alert that may come their way. Rather than rely exclusively on manpower and manual review, the heavy lifting is done by AI- and machine learning-driven models.

Staying A Step Ahead

The difference between a major intrusion and successful containment of a threat is a function of speed, Seshadri said. By way of example, he said several organizations that have been breached or hacked have taken days or even months to discover the intrusion — and by then, the damage is done.

He cautioned that a company’s controls are never absolute in nature — because, after all, software comes with bugs. People make mistakes. The fraudsters gain access, because at some level, humans are vulnerable to phishing campaigns and other attacks.

If cybercriminals do gain access, though, said Seshadri, the strategy is to make data — whether it is in use, at rest or in motion — useless. When it comes to managing and securing the organization, its assets and data, he said an effective strategy is based on what Visa has termed “defense in-depth architecture.” The architecture dictates how Visa applies detection and prevention techniques across every layer of a firm’s operating environment. This includes how Visa looks at the perimeter and how controls can be applied at the network level. Efforts and examination drill down to the application level and then, eventually, down to the operating system level and ultimately data level. There are AI-driven solutions at different layers of this architecture stack.

In the case of a successful phishing attempt, where a victimized employee clicks on an email, the goal is to completely contain and isolate the malware so it does not affect the computing platform or network the users are operating from.

And in illustrating the ultimate lines of defense against hackers, Seshadri said, payment account information in a database can be rendered unusable to unauthorized parties. The devaluation comes through encrypted solutions or tokenization. Devaluing the data in its native environment is key, he said, because data is what has the most tangible value to fraudsters.

“We call this the ‘belt and suspenders approach’ to security,” he told Webster, “where we do not implicitly trust any single solution, but rather take a layered, complementary, AI-driven approach to cybersecurity ending with data devaluation.”