Luminet security attachement

Attachmate Luminet Sales Presentation

Published in: Business, Technology

  1. © Attachmate Corporation. All rights reserved. Stopping Insider Threats Before They Start: Using Leading Techniques and Predictive Analysis to Presage Your Environment
  2. Results show that it can take more than 87 days to discover insider fraud. Source: Ponemon Institute, February 2013
  3. of businesses polled report loss of confidential information or violation of confidentiality policy as a consequence of insecure mobile devices. http://www.websense.com/assets/reports/websense-mobility-risks-ponemon-report.pdf
  4. © Attachmate Corporation. All rights reserved.
  5. Agenda
     • The pitfalls of traditional fraud detection methods
     • The mobile device challenge
     • The benefits of continuous monitoring and risk-based alerting
     • New approaches to stop insiders
     • Understanding the insider threat
  6. Who are the insiders? How do they hide in plain sight?
  7. Trust, but… How do you know?
  8. Insider Facts
     • Insider threats are not hackers
     • Insider threat is not a technical or “cyber security” issue alone
     • A good insider threat program should focus on deterrence, not detection
     • Detection of insider threats has to use behavioral-based techniques
     • The science of insider threat detection and deterrence is in its infancy
     Source: FBI
  9. © 2011 The Attachmate Group, Inc. All rights reserved.
  10. What Can You Do? To Protect Data? Systems? Trust?
  11. Bringing New Rules and Methods to Your Efforts
  12. Traditional Fraud Prevention Best Practices
     • Determine who will investigate a reported incident and how
     • Use case management and technology tools
     • Emphasize cross-group collaboration
     • Put fraud prevention at the forefront of a successful business strategy
     • Institute a hotline
     • Develop a code of conduct and confirmation process
     • Institute continuous fraud awareness training designed to deter unethical conduct and influence an employee’s responsibility to report fraud
     • Create a positive workplace environment and a culture of honesty. Set a moral and ethical tone at the top
     • Establish realistic performance goals and reward systems
     • Hire and promote appropriate employees. Perform background checks and credit histories on new recruits or promotions to positions of trust
     • Exhibit fair and balanced discipline for fraudulent behavior
  13. Barriers to Taking a Proactive Approach to Fraud
     • Traditional Systems are Based on Existing Audit Trails
       - Originally designed for capturing logs for security infrastructure & administration; there is no log standard, and each app log is unique
       - Assumption that audit trails already exist
       - Difficult to tie the function performed in an app to the end user across multiple platforms / apps
       - Account profiling isn’t captured
     • Investigations are Resource Intensive & Costly
  14. Traditional Fraud Prevention Best Practices
     • Develop a code of conduct and confirmation process
     • Institute continuous fraud awareness training designed to deter unethical conduct and influence an employee’s responsibility to report fraud
     • Create a positive workplace environment and a culture of honesty. Set a moral and ethical tone at the top
     • Establish realistic performance goals and reward systems
     • Hire and promote appropriate employees. Perform background checks and credit histories on new recruits or promotions to positions of trust
     • Exhibit fair and balanced discipline for fraudulent behavior
     • Identify and measure fraud risks
     • Implement and monitor internal controls
     • Maintain a strong and independent audit committee
     • Hire effective internal auditors
     • Contract independent external auditors
     • Evaluate antifraud processes and controls, and develop an appropriate oversight process
     • Determine who will investigate a reported incident and how
     • Use case management and technology tools
     • Emphasize cross-group collaboration
     • Put fraud prevention at the forefront of a successful business strategy
     • Institute a hotline
     Source: Association of Certified Fraud Examiners
     Business Benefits of Addressing Insider Threats and Organizational Risk
  15. Understanding the Power of Fraud Detection Rules
  16. Implement Leading Fraud Detection Rules: What to Look For
     Real rules capturing anomalous behavior. Alerting in real time.
     • Abnormal after-working-hours activity
     • Several User-IDs logged in consecutively from the same IP
     • Same User-IDs logged in from different IPs consecutively
     • User logged in without scanning physical badge earlier
  17. Rules Based Detection Examples: Suspicious Address Related Activity
     The following rules are designed to look for suspicious employee activity related to address changes in customer accounts. Each rule is listed as Title, Scheme, Description.
     • Title: Account Address Change from/to a Banking Facility
       Scheme: To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondence to their own mailing address, the address of a collusive employee or the address of a bank facility.
       Description: An Incident is generated when an employee changes the account address from one of the bank’s facility addresses.
     • Title: Account Address Change to an Employee Self Address or to PO Box
       Scheme: To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondence to their own mailing address or the address of a collusive employee.
       Description: An Incident is generated when an employee changes the account address to the same address as an employee or to a PO Box.
     • Title: Redirect Account mail to any other employee address
       Scheme: To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondence to their own mailing address or the address of a collusive employee.
       Description: An Incident is generated when an employee changes the account address to the same address as any other employee’s.
     • Title: Account mail address is suppressed
       Scheme: To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondence to their own mailing address, the address of a collusive employee or the address of a bank facility.
       Description: An Incident is generated when an employee suppresses an account mail address.
     • Title: Change Customer Address Back to the Original Address
       Scheme: To avoid a customer detecting their fraud, internal fraudsters will redirect customer statements and correspondence to their own mailing address, the address of a collusive employee or the address of a bank facility.
       Description: An Incident is generated when an employee changes the customer address back to the original address.
  18. Rules Based Detection Examples: Suspicious Account Balance Activity
     The following rules are designed to look for suspicious employee activity related to account balances in customer accounts. Each rule is listed as Title, Scheme, Description.
     • Title: Excessive Adjustments to Cash Figures in the Settlement Field
       Scheme: In this fraud, a teller who is skimming from the till recounts the drawer to see how much extra cash has been taken in, makes the difference disappear and cashes in the money. An excessive number of recounts may indicate that the teller is trying to hide skimming activity.
       Description: An incident is generated when an employee performs excessive adjustments to cash figures in the settlement field on the same day.
     • Title: Cash settlement system shows increase of foreign currency without foreign currency transaction
       Scheme: Internal fraudsters may steal from foreign currency since it's infrequently used and less monitored than other cash.
       Description: An incident is generated when an employee reports on the balance of foreign currency but no foreign currency transaction exists on the same day.
     • Title: Unusual Fields Change in Teller Balancing Screen
       Scheme: Atypical changes in a teller balancing screen may indicate that a teller is improperly adjusting the till to hide suspicious cash activity. This behavior can be baselined against the activity of other tellers to spotlight unusual or abnormal activity.
       Description: An incident is generated when an employee performs adjustments in one of the unusual fields in the teller balancing screen on the same day. An incident or report can also be generated if teller activity is significantly different from peers.
  19. Rules Based Detection Examples: Suspicious Dormant Account Activity
     The following rules are designed to look for suspicious employee activity in dormant accounts. Each rule is listed as Title, Scheme, Description.
     • Title: Closing multiple dormant accounts
       Scheme: To avoid detection, internal fraudsters will close accounts that they have been using to commit fraud. These mule accounts can be recently created accounts, other dormant accounts, fake accounts created by a party in collusion, etc.
       Description: An Incident is generated when an employee closes multiple dormant accounts in a given time period.
     • Title: Dormant account withdrawal
       Scheme: Internal fraudsters know that dormant accounts are infrequently monitored. They take advantage of that limited visibility to remove funds.
       Description: An Incident is generated when an employee withdraws money from dormant account or accounts over a given time period.
     • Title: Inactive account withdrawal
       Scheme: Internal fraudsters know that inactive accounts are infrequently monitored. "Inactive" may be determined by either a flag on the system or lack of activity for a period of months.
       Description: An Incident is generated when an employee withdraws money from accounts with no recent activity in a given time period.
  20. Discover Hidden Linkages: Link Analysis Reveals Connections
  21. Rules Based Detection Examples: Privacy Violations (Name: Description)
     • Report of reports viewed: Shows a list of reports that an admin has viewed in the last period. It will show user name, date, and the report(s) run.
     • Inappropriate access of ePHI: Shows a list of instances of users accessing ePHI inappropriately (as defined by the rules).
     • Unauthorized permission sharing: Shows a list of users that inappropriately shared their permissions with other users (as defined by the rules).
     • Invalid login attempts: Shows login attempts that did not work or otherwise were flagged as possible issues (as defined by the rules).
     • Rules triggered: Shows a list of rule violations in a given period.
     • Application metrics: Provides a list of monitored applications used by a particular employee during a given period.
     • Improper user rights assignments: Shows a list of violations of the assignment of user rights (in a given period).
     • Suspicious login/password activity: Provides a complete listing of login activity rules violations in a given period.
     • Security incidents reviewed: Shows a list of security incidents that were reviewed in a given period.
     • Workstation use violations: Shows a list of incidents generated because of improper use of workstations.
     • Data integrity control violations: Shows a list of incidents generated because of the violation of data integrity controls.
     • ePHI access/use violations: Shows a list of incidents generated because of the violation of ePHI access or use.
     • Login metrics: Displays information about user login behavior such as average logins per day/week/month, per person/group/overall.
     • Patient records search metrics: Displays information about user search behavior on patient records.
     • High-risk user activity: Displays information showing what system resources high-risk users (as defined by the company) have accessed during a given period.
  22. Implementing Fraud Detection Systems: How They Work
  23. General Architecture (diagram)
     • Luminet Users
       - Auditors: Visual replay, Google-like search
       - Compliance Officers: Reports, Google-like search
       - Fraud Investigators: Alerts, Cases, Profiles
     • Monitored Environment: Database Server, Client Server, Web Server, AS 400, Mainframe, Network Switch
     • Existing Data Sources: Log files, Databases, Reference tables
     • External Users: eBusiness, Customers
     • Internal Users: Business user, Privileged IT user
  24. Luminet Architecture (diagram). Labels: Luminet Sensor; API; Queues; Channel Analyzers; Central Repository; Analytic Engine; User Event; Detected Business Events; Client/Server; MQ; Screen; VT; API; HTTP; SOA
  25. Distributed Deployment (diagram). Labels: Enterprise Operational Environment; Terminal Emulation Traffic; Client/Server Traffic; HTTP Traffic; MQ Traffic; Luminet Distributed Environment; Sensor (x4); Internal Web Server; Network Switch (x2); App Server (x3); Message Queue; API Data; Mainframe
  26. Rules Engine Process (diagram). Labels: User Events; Web Service Data; File Data; Data Base Data; Channels; XML; User Fact; Attributes; Business Entities; Measures; Rule; Alerts
  27. Concluding Thoughts
  28. 94%: Breached organizations found out through a third party. Source: 2012 Verizon Breach Report
  29. 82%: Breached organizations had evidence in their logs. Source: 2012 Verizon Breach Report
  30. Q: Why, given the variety of security technologies typically in place, do information assets remain at significant risk? A: Traditional methods fail to capture and alert on a complete trail of information. With fraud detection software, you can solve this problem.
  31. Current Trends in Insider Threat: What to Look for Now
     • The policy violator
     • The low and slow fraudster
     • The imposter
  32. 5 THINGS TO THINK ABOUT
     1. When funds are gone, it’s too late
     2. Logs never tell the complete story
     3. Focus on analysis, not just alerts.
     4. Outdated methods waste time and money.
     5. If you could find a way to “see” fraud before it starts, wouldn’t you want to?
  33. About Attachmate
  34. It’s a Complex Landscape Out There. You have to chart the course to business success
  35. It is a Tough Challenge: How do you balance productivity, security, and IT investments?
  36. Why Attachmate Works for You
     • Delivers solutions for your core challenges
     • Works with your existing IT assets
     • Provides global leadership you can rely on
  37. Questions?
  38. Resources:
     • Insider Threat Resources: http://www.attachmate.com/Products/efm/insider-threat-detection.htm
     • Additional Luminet Customer Examples: http://www.attachmate.com/solutions/managing-enterprise-fraud/industry/insider-threat-mitigation.htm
     • Business Benefits of Luminet: http://www.attachmate.com/Products/efm/luminet/anti-fraud-software.htm
     • For a free copy of our latest research, contact: Dan.Dunford@Attachmate.com
  39. Dan Dunford, Dan.Dunford@Attachmate.Com. Thank You! © Novell, Inc. All rights reserved.
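
The address-change rules from slide 17, expressed as detection logic over a chronological change log. This is an added example, not Luminet code or rule syntax; the event layout, the reference tables, the rule names and the convention that an empty new address means suppressed mail are assumptions.

```python
import re

# Constructed reference tables (assumed data, not from the slides).
EMPLOYEE_ADDR = {"e100": "12 Elm St, Springfield", "e200": "9 Oak Ave, Springfield"}
FACILITY_ADDR = ["1 Bank Plaza, Springfield"]
PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b")  # applied to normalised text

def norm(addr):
    """Lower-case and collapse whitespace so addresses compare reliably."""
    return " ".join(addr.lower().split())

def detect(events):
    """Return (rule, employee, account) incidents.

    events: chronological (employee, account, old_addr, new_addr) tuples;
    an empty new_addr is assumed to mean the mail address was suppressed.
    """
    owners = {norm(a): e for e, a in EMPLOYEE_ADDR.items()}
    facilities = {norm(a) for a in FACILITY_ADDR}
    original = {}  # account -> address before its first observed change
    incidents = []
    for emp, acct, old, new in events:
        old, new = norm(old), norm(new)
        if old in facilities or new in facilities:
            incidents.append(("facility_address", emp, acct))
        owner = owners.get(new)  # which employee, if any, lives at new
        if owner == emp:
            incidents.append(("employee_self_address", emp, acct))
        elif owner is not None:
            incidents.append(("other_employee_address", emp, acct))
        if PO_BOX.search(new):
            incidents.append(("po_box", emp, acct))
        if not new:
            incidents.append(("mail_suppressed", emp, acct))
        if acct in original and new == original[acct]:
            incidents.append(("changed_back_to_original", emp, acct))
        original.setdefault(acct, old)
    return incidents

# Constructed sample events, oldest first.
SAMPLE = [
    ("e100", "A1", "77 Pine Rd, Shelbyville", "12 Elm St, Springfield"),
    ("e100", "A1", "12 Elm St, Springfield", "77 Pine Rd, Shelbyville"),
    ("e200", "A2", "5 Lake Dr, Shelbyville", "P.O. Box 442, Springfield"),
    ("e200", "A3", "3 Hill St, Shelbyville", "12 elm st,  springfield"),
    ("e300", "A4", "1 Bank Plaza, Springfield", "8 Main St, Shelbyville"),
    ("e300", "A5", "4 River Rd, Shelbyville", ""),
    ("e300", "A6", "4 River Rd, Shelbyville", "6 River Rd, Shelbyville"),
]
```

Calling `detect(SAMPLE)` yields one incident for each of the first six events and none for the last, which is an ordinary move between two customer addresses.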
