Detecting Fraud with ArcSight ESM

HP ArcSight ESM has long been known to monitor for security incidents (DoS, SQL injection, malware) and to track high-risk users (insider threats, PII/IP protection). What you may not know is that ArcSight ESM also proves very useful in identifying fraud. Fraud can come from various sources, including online banking, compromised accounts, payments, internal fraud, and even daily debit card transactions.


When identifying and designing fraud use cases, the key is to understand the existing manual investigation process, and what data and applications you are using for those investigations. Once that is understood, you can outline the specific use cases and which Smart/Flex Connectors are needed, and automate that manual process. HP ESP Global Services has followed this methodology at several financial institutions over the years with great success.


Our approach includes:

  • Workflow: Suspicious activity reporting—creating a common body of knowledge
  • Business Logic: Advanced analytics applied with cross-line-of-business logic
  • Data Integration: Connector infrastructure to gather data from disparate business systems


The systems we’ve worked with include traditional security information sources such as firewalls, IDS, antivirus and proxies, in combination with internal application logs, customer transactions, DLP, email, databases, mainframes, web logs and CRM. Transactions in the financial industry can come from online banking applications, ATM/debit cards and data warehouses, to name a few.


Fraud is a data and anomaly detection problem


ArcSight ESM can be configured to monitor online activity, debits and credits, and automatic payments. This activity can also be cross-referenced with customer context to identify normal patterns of behavior and alert on anomalous behavior. Sample fraud detection alerts could be:

  • Customer travelling more than 500km/hour—based on IP addresses from current transaction and last transaction
  • Logging-in from known bad IP addresses and accessing multiple accounts
  • Customer using a new browser, new IP, new ISP or new OS
  • Large payments from a "typical" customer profile
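The impossible-travel and new-browser/IP/OS checks listed above, as an added example that is not part of the original post and not ArcSight rule syntax: a small Python detector run over a constructed set of customer transactions, with a hard-coded IP-to-coordinate table standing in for a GeoIP lookup.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

# Constructed sample: IP -> (lat, lon); in a SIEM this would be a GeoIP lookup.
GEO = {
    "203.0.113.10": (40.7128, -74.0060),   # New York
    "192.0.2.44": (40.7306, -73.9352),     # Brooklyn
    "198.51.100.7": (51.5074, -0.1278),    # London
}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def implied_speed_kmh(prev, cur):
    """Speed the customer must have travelled between two transactions."""
    dist = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
    return dist / hours if hours > 0 else float("inf")

def evaluate(transactions, max_speed_kmh=500):
    """Return (customer, alert_kind, detail) tuples in transaction order."""
    alerts, last, profile = [], {}, {}
    for tx in sorted(transactions, key=lambda t: t["ts"]):
        cust = tx["customer"]
        prev = last.get(cust)
        if prev is not None:                      # impossible-travel check
            speed = implied_speed_kmh(prev, tx)
            if speed > max_speed_kmh:
                alerts.append((cust, "impossible_travel", round(speed)))
        seen = profile.setdefault(cust, {})       # per-customer baseline
        for field in ("ip", "browser", "os"):
            known = seen.setdefault(field, set())
            if known and tx[field] not in known:  # first tx only seeds the baseline
                alerts.append((cust, f"new_{field}", tx[field]))
            known.add(tx[field])
        last[cust] = tx
    return alerts

# Constructed transactions: a local move, then a London login 30 minutes later.
SAMPLE = [
    {"customer": "c1", "ts": datetime(2013, 10, 21, 8, 0), "ip": "203.0.113.10", "browser": "Firefox", "os": "Windows"},
    {"customer": "c1", "ts": datetime(2013, 10, 21, 8, 30), "ip": "192.0.2.44", "browser": "Firefox", "os": "Windows"},
    {"customer": "c1", "ts": datetime(2013, 10, 21, 9, 0), "ip": "198.51.100.7", "browser": "Chrome", "os": "Windows"},
]
```

The second transaction only raises a new-IP alert (a few km in half an hour), while the third raises impossible travel plus new IP and new browser.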


Additionally, ArcSight ESM can be paired with the Threat Response Manager to automatically take action based on highly suspicious patterns. It can integrate with firewalls to add newly discovered bad IP addresses to the firewall deny list. It can also integrate with online banking systems to automatically suspend customer accounts that show signs of being compromised.


The HP ESP Global Services solution provides functional use cases, developed through collaborative sessions with enterprises, to enable system capabilities such as:


Statistical Profiling of Users and Computers

  • Profiling typical online activity and demonstrating how risk scores can be built against the baseline (e.g. page views, statement views, number of logins)
  • Profiling computer-related behavior (e.g. multiple IP accessing single account, geographic disparity of account access)
  • Alerting immediately on known risky behavior (e.g. mid-session changes to browser, OS, IP, accessing from known bad IP address)
  • Profiling account activity that adjusts risk scores based on risky behavior (e.g. new to bank, occupation = student)
  • Profiling account activity that adjusts risk scores based on typical money mule activity
  • Detecting anomalous customer account activity based on the trending of typical usage activity
  • Identifying insider threats based on real-world "headline news" attacks that have occurred, and could have been prevented
  • Monitoring of privileged accounts, unauthorized customer account modifications, and alerting of malicious activity
  • Detecting suspicious patterns of activities, based on fraudster attack patterns observed within the industry

Real-Time Risk Modeling

  • Real-time risk scoring, alerting, and dashboards for analyst interaction
  • Case management capability, including agent workflows, queue management and prioritization

Workflow and Analyst Interaction

  • Business users can create and test their own detection rules without affecting the production environment.
  • Rules can be real-time, based on profiles, and can alert or escalate a score. Scores are completely configurable by business users.
  • Full reporting suite that allows for custom reports (or online dashboards) to be created across transaction and workflow metrics.
  • Ability to provide recommendations and continued learning to constantly improve rules, scoring model and workflows.


To learn more about the HP ESP Global Services and available solutions visit: hp.com/go/espservices

Tags: HP| security
Comments
custom ATM machines(anon) | ‎10-21-2013 08:02 AM

Online banking and ATM frauds are the major problem for banking institutions and they should be able to detect it and prevent it from happening. These types of technologies should be given more and more importance in order to minimize these frauds and prevent this from happening again.

Lisa_Chow | ‎10-21-2013 03:20 PM

Indeed @custom ATM machines(anon), we are hearing from our banking customers that ATM and online banking fraud are major issues, especially given customers' growing preference for these distribution channels. We have also witnessed how SIEM technologies have proven valuable in keeping fraud at bay, at least as a first line of defense. Also exciting is the development of Big Data-supported security intelligence. Integrating that into SIEM technologies, banks will be able to handle detection and protection of fraud with greater sophistication, avoiding false positives etc., which are still major issues that hinder customer service.


If interested, check out my earlier blog http://h22154.www2.hp.com/blog/going-behind-the-scenes-on-how-a-bank-deals-with-fraud-detection/ that highlights how one of our bank customers has built their fraud detection system using ArcSight ESM.
