Guardian Analytics makes antifraud personal – really personal
Analyst: Nick Selby
Sector: Enterprise Software
Date: 9 Jul 2008
After the brouhaha raised in 2006 and 2007 over the Federal Financial Institutions Examination Council (FFIEC)'s 'more-than-single-factor-authentication' mandate, the world of antifraud marched on, but things got a bit quieter: acquisitions slowed (RSA bought Verid, and some extant firms raised more money), but essentially banks, retailers and credit unions cut bait, waiting to see what would shake out.
Meantime, Guardian Analytics emerged with interesting technology that is beginning to gain traction among organizations looking to add some more specific antifraud intel to their stronger authentication initiatives. GA produces products that create dynamic user models based on a number of core inputs, and seek weird things that may be indicative of account takeover or other fraudulent activity. It looks interesting.
The 451 Take
We like Guardian Analytics' technical approach, which is passive, smart and transparent to users; we like that it's not trying to be the overall solution to everything in the world of fraud, and that it leverages and builds upon competence and experience of the founders. Bayesian analysis tends to get a bad rap for any number of reasons, chief among them that it's often misapplied by marketers to products that have in the past disappointed – most people now associate it with debunked anti-spam attempts of the late 1990s. But done right, Bayesian analysis is probably just the ticket to have a look at a collection of data about how someone's behaving online in a strictly controlled setting. The Guardian Analytics approach looks as if it can scale to meet the needs of larger organizations, and generally we like what we see.
President and CEO Tom Miltonberger was VP of products at Quova, and cofounder and VP of marketing Craig Priess was part of the marketing team at Above All Software before starting Guardian Analytics. The two formed the company in 2005 and have since raised a total of $7.5m in two rounds from Foundation Capital. Series A closed in June 2006 with $1.5m; series B raised a total of $6m in two tranches: $4.5m in November 2007 and $1.5m during 2008. GA says it is not currently seeking funding.
The company has 15 employees, about half of whom are on the tech side of operations. Sales are currently 100% direct.
GA now claims at least five paying customers, and several additional unpaid or partly paid pilots, though it asks us not to name the customers; suffice it to say they are solid names in the banking and credit union worlds. A newly signed customer is a subsidiary of a much larger bank. GA says that nearly all its banking customers have, in addition to the GA deployment, some form of enhanced authentication, such as Oracle (Bharosa), RSA's PassMark or Cyota, TriCipher, etc. We assume that these were basically 'one-point-five-factor' authentication products bought to comply with FFIEC and not necessarily to battle fraud, per se. Some of the early customers are known to us to be committed early adopters, which speaks both well and not so well about the efficacy of the product – on the one hand, these customers buy things that promise to solve very complex problems; on the other, they're willing to tolerate setbacks a bit more than the average customer.
Two customer references it is willing to provide are Star One Credit Union and Digital Federal Credit Union (we've not spoken with either); GA says Star One has been using the product for more than a year, and has claimed publicly that GA has helped it avert more than half a million in fraud losses.
Guardian Analytics says that it is focusing initially on account takeover fraud at banks, brokerages and credit unions, and of course intends to build out from there to more mainstream applications such as social networking and similar applications. The company intends to leverage its ability to create models on a per-user basis of what looks 'normal,' and the experience of its executives at companies including Quova, to clue it in to weird people coming in from weird places to bring higher confidence to transactions that might seem, well, weird. However, it stresses that much of its antifraud chops are based around its rich models of individual transaction history as opposed to inferences made by things such as geo-location or other elements of a transaction. This ain't a geo-IP play, it's an analytics-based antifraud play.
If it all works, to us this seems eminently sensible. It also counts on agreements with Quova and others to provide some basic and not-so-basic IP information, and here is where a deep knowledge of the true power of Quova comes in handy; someone truly familiar with Quova's dataset will likely make more of it than, say, me, and GA has people like that who can make more nuanced decisions based on Quova's data than would some others. But we note that Guardian Analytics is using much more than just licensed Quova data – a distinction we heard was that it can use data it gets from Quova to disprove certain assumptions, but, we understand, it does not use third-party data to prove assumptions it makes in its modeling.
We've been asked not to say much about GA's technical approach. We can say that GA creates and maintains profiles based on its own analysis and information from the banking application it is monitoring. As information about sessions and applications is fed to GA through a series of inputs – from other products and its own assessment – the product, called FraudMAP, acts as risk engine and risk application. Inputs are added to each user's profile and enriched with GA's assessment of how reliable each piece of information it receives is.
The risk application is used by a fraud analyst team or incident response person, through a Web-based interface. In addition to the risk score, the risk engine is also adding the information to GA's data warehouse, where it is added to a detailed history of individual users. This, says GA, allows it to make probabilistic determinations about things it might see you – the user – do. For example, based on what GA knows of you and your behavior, how likely did Guardian Analytics think it was that you would do what you just did? Previously unseen behavior is run through the engine and calculations as to the likelihood of you doing something like that are made; when they come back 'tilt,' an alert is made on a color-coded scale for investigation by an analyst. GA also has models of known fraudulent activity against which individual transactions are run.
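The per-user likelihood idea described above can be sketched as follows. This is an added illustration, not Guardian Analytics' code or the FraudMAP algorithm (which the report does not disclose): the feature names, reliability weights, smoothing constant and colour thresholds are all assumptions, and the session history is constructed.

```python
import math
from collections import Counter, defaultdict

# Assumed features: number of possible values, and how much the input is trusted.
FEATURES = {
    "action": (4, 1.0),       # login / view / transfer / add_payee
    "hour_bucket": (4, 0.8),  # night / morning / afternoon / evening
    "ip_region": (50, 0.5),   # third-party data, weighted lower
}
ALPHA = 0.5  # smoothing: unseen behaviour gets a small, non-zero probability


class UserProfile:
    """Per-user history of categorical observations."""

    def __init__(self):
        self.counts = defaultdict(Counter)
        self.n = 0

    def update(self, event):
        for name in FEATURES:
            self.counts[name][event[name]] += 1
        self.n += 1

    def probability(self, name, value):
        k, _ = FEATURES[name]
        return (self.counts[name][value] + ALPHA) / (self.n + ALPHA * k)

    def surprise(self, event):
        """Reliability-weighted surprise, in bits, of this event for this user."""
        return sum(-FEATURES[name][1] * math.log2(self.probability(name, event[name]))
                   for name in FEATURES)


def alert_colour(bits, yellow=6.0, red=12.0):
    """Map a surprise score onto an assumed three-colour analyst scale."""
    return "red" if bits >= red else "yellow" if bits >= yellow else "green"


def demo():
    # Constructed history: 40 routine evening sessions from one region.
    usual = {"action": "view", "hour_bucket": "evening", "ip_region": "home-region"}
    profile = UserProfile()
    for _ in range(40):
        profile.update(usual)
    new_payee = dict(usual, action="add_payee")
    all_new = {"action": "add_payee", "hour_bucket": "night", "ip_region": "other-region"}
    return {label: alert_colour(profile.surprise(ev))
            for label, ev in [("usual", usual), ("new_payee", new_payee),
                              ("all_new", all_new)]}
```

A single unfamiliar action in an otherwise familiar session lands in the middle band, while a session that is unfamiliar on every feature crosses the top threshold; the low weight on the region feature keeps third-party IP data from driving an alert on its own.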
The biggest competition faced by GA is likely to come from the RSA crowd. However the folks at RSA did it – by strategic design or lucky breaks – it is generally agreed that RSA did an inspired job of rolling up FFIEC-related companies and authentication technologies with PassMark, Cyota and Verid in addition to Network Intelligence. Combined with its strong authentication, we have seen RSA do some powerful marketing, such as its E-Trade dongle boondoggle, whereby E-Trade Financial's marketing department turned a pain-in-the-neck SecurID token into a status symbol. Most accounts into which GA enters will have had some interaction with the folks from Bedford, and it is now GA's problem to explain how its approach differs from and in fact complements RSA's. Entrust, through its earlier acquisition of Business Signatures, also competes here, creating a data warehouse of transactions against which new transactions are measured. Oracle, through its acquisition of Bharosa as well as its majority ownership of anti-money-laundering giant i-flex Solutions, competes here, as do Iovation and Authentify (for out-of-band authentication). Radware (Covelight), with whom GA has a partnership, also seeks weird transactions in conjunction with its Web application firewall. For that matter, so do database transaction monitoring firms like Guardium, Imperva, Tizor Systems, Sentrigo, Application Security Inc and Secerno, though the latter group is looking for break-ins and theft of databases, not account fraud. Back in the straight antifraud world are firms including 3i Infotech, NICE Systems (Actimize), Cyveillance, Digital Resolve (Cydelity), Fair Isaac, Fortent, Green Armor Solutions, MarkMonitor, Quova, Retail Decisions and SAS Institute.
| Strengths | Weaknesses |
| --- | --- |
| Passive and scalable, Guardian Analytics' kit would seem to offer a nice back-end method of looking at individual users as well as trends without having to rely on fraud-nets, fraud signatures or other narrow approaches like geo-IP intel, without turning its back on any single approach. | RSA seriously has the authentication market rolled up, and it is difficult to penetrate even in the antifraud space, because of the level of noise RSA makes to blur the lines between authentication and antifraud. This doesn't speak to efficacy, just to marketing clout and market penetration. |
| **Opportunities** | **Threats** |
| Because of RSA's dominance in the FFIEC space and multiple acquisitions in the field, Guardian Analytics is in a fine position – if it can get in the door. Once in the door, GA's offering sounds sufficiently different and compelling to at least get a trial going, and that may be all it takes. And a new FFIEC-like compliance driver in the space – Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 – proffers GA and others in the space a new wave of 'compliance-based' marketing opportunities through the November 2008 compliance deadline. | RSA, Oracle, Entrust and several other better-funded, better-established companies in the antifraud space threaten. |