A Nucleus of Information-Sharing: Mastercard’s Fusion Center

Post-9/11, we found that we were winning our fights but we weren’t winning the war,” says Matt Nyman, Fusion Center Director for Mastercard. Nyman previously served with Delta Force and the Joint Special Operations Command, and he helped to stand up the first Fusion Centers within the U.S. government following 9/11.

With so many government agencies and departments involved in security operations abroad (such as eliminating key targets or searching for specific terrorists), the essential flow of information was so slow and clunky that only three operations could be coordinated each month.

“Globalization and technology had created an entirely new type of threat; before it was nation-states, and now it’s threat networks,” Nyman adds. “We needed to build a function that facilitated a shared consciousness and purpose.”

Working off of this concept, the U.S. established its first Fusion Center, building a network of intelligence and cooperation to defeat terrorist networks.

By bringing stakeholders from multiple intelligence sources and government agencies into one room, the government’s Fusion Center helped to facilitate faster and more effective information sharing and collaboration, and within 18 months, the U.S. was conducting 10 counterterrorism operations a night, instead of three a month, Nyman says.

Years later, Nyman was tasked with standing up a new Fusion Center – at Mastercard. While the private sector has its own unique challenges and goals, Nyman says that the philosophy of establishing a Mastercard Fusion Center remains the same: Find the business units that have a stake in threat mitigation and that can contribute to the greater good of the enterprise, and bring them to the table.

Mastercard’s Fusion Center is located in O’Fallon, Missouri, around 30 minutes outside of St. Louis, and it is connected by a sliding wall to the company’s Security Operations Center. The wall can be quickly removed to facilitate faster communication during a crisis. The Fusion Center has been in operation for around 10 months, and includes both corporate security functions and business or fraud prevention functions.

“The Fusion Center actually pulls together teams from across Mastercard, so it’s not just security, and when something happens, we have all the right people there at the same time,” says Ron Green, CSO for Mastercard. “We have a Security Operations Center, and they’re the ones watching the frauds and alerts, and they’re the first to notice if something bad is happening. They start to explore that, and as the problem gets bigger, the Fusion Center is right there, and we’re able to react to it much quicker and more efficiently.”

Stakeholders in the Fusion Center include Intelligence, Corporate Resilience (including crisis management, business continuity and technical recovery), Corporate Security (vulnerability management, corporate security and investigations), the Security Operations Center, Account Data Compromise (which leads investigations after a customer breach), Fraud Intelligence and more.

The key to selecting which teams operate in the Fusion Center involves determining which business units have active telemetry on events and factors that could affect Mastercard, which units – if something were awry – could detect it and respond quickly, says Green.

Supporting business units also have a liaison in the room, including customer service-facing personnel, compliance, legal and communications. In addition to detecting potential problems quickly, the units can quickly inform Mastercard customers, card-issuers, government agencies and other organizations.

For example, the Fusion Center intelligence team learns about a threat of malware in country X. Prior to the Fusion Center, it would have taken approximately a month for that information to disseminate to all relevant stakeholders to determine if Mastercard is at risk, if they’ve already been penetrated and how to proceed. Now, that process can happen in one business day.

“At the rate that threats are coming in – at Mastercard, last year we dealt with 105 million events that we had to process – and when you look at the magnitude and rate of those events, you’ve got to speed up how you respond to those. It creates a greater efficiency and effectiveness for the company,” says Nyman.

When Nyman was standing up the Mastercard Fusion Center, he had each participating business unit give a 30- to 60-minute presentation on their core competencies, missions and challenges. In every case, he says, the units were asking for help, and someone in the room had what they needed.

“Being in a room together really helps break down tribalism within the organization, so people begin to trust each other and rely on each other,” Nyman says. “The tribalism isn’t malicious; it’s the way businesses have been set up. Siloes were very efficient in the Industrial Revolution, but with the technology revolution and globalization, you’ve got to come up with a different model about communicating, not only about threats but within the environment.”

However, Nyman warns, it’s not just a matter of shuffling everyone into the same room and expecting instant collaboration; building trust and breaking down barriers between units, which often have historically competing interests, takes time. He also recommends that Fusion Centers include a broader range of stakeholders than just security.

“We would be missing out on a huge aspect if I limited this to corporate security; we wouldn’t have a way to quickly communicate with our customers and vice versa. In the financial sector, folks on the fraud side have nothing to do with corporate security, and yet there are a lot of interdependencies between them,” he says.

Blending the two sides of the house can result in surprising returns on investment. For the Account Data Compromise group, their core competency is conducting fraud attack investigations, but Corporate Security and Investigations’ specialty is investigating and dissecting malware. If the two teams work together, they could conduct an operation more efficiently and effectively, allowing each to use those core competencies to their fullest.

“I see a difference in how business units are coordinating efforts outside of the Fusion Center, because ultimately it starts to raise visibility of what the other business units are doing and provides an opportunity to collaborate and secure our network for our customers even more than we thought was previously possible,” Nyman says.

For example, the intelligence group recently identified an intelligence provider that they didn’t have a specific need for, but could be useful to the Account Data Compromise team. As a result of that connection, in Q1 of 2018, the team has prevented more than $15 billion worth of fraud.

“That all starts with the give-and-take concept behind a Fusion Center,” Nyman adds. “In this case, the Intel team identified an opportunity that could be useful to another business unit, seized it, and that has had a multi-billion-dollar impact.”

The Fusion Center also has a large role in communicating about fraud, cyber risks and trends with outside organizations.

“Fundamentally, as we look at problems, I’m constantly asking the team to look at them with a multi-layered approach: what’s the impact to Mastercard, what’s the impact to our customers, what’s the impact to the financial sector at large,” says Nyman. “As long as it’s information to disrupt illicit activities, I even have open communication with some of the other brands to share intelligence.”

Green adds: “As a sector, we have our act together around sharing intelligence information effectively, and we work collaboratively as an industry. There are industries where they aren’t congealed as well; they still see competitive advantages. This is not a space where we should compete against each other.”

While the Fusion Center is the nucleus of information-sharing at Mastercard, Nyman is also building out the network around the globe with Mastercard’s regional security officers, the customer fraud management team, the Financial Sector Information Sharing and Analysis Center (FS-ISAC) and the National Cyber-Forensics and Training Alliance (NCFTA) in the U.S., liaisons with the UK government, and key customers of various levels, among other partners. The essential point, Nyman says, is to ensure communication moves both ways; as the outside stakeholders send information into the Fusion Center, the Center can also push data on fraud trends or specific risks that have been detected back out.

Moving forward, Mastercard will implement a “follow the sun” model, with new Fusion Centers being added in Singapore and London to ensure there are staff prepared to address a crisis or detect emerging threats worldwide, 24/7.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.