Idea to Insight: How Western Union Built a Security Analytics Program from the Ground Up Using Alteryx: Western Union, Inspire 2016

In 2015, Western Union set out to gain visibility into the information security measures implemented at each Agent Location around the world. Erik Miller was tasked with building out a program designed to analyze each location, utilizing fraud data, terminal/computer information, and transactional information. With over 500,000 locations, the task was not simple. Totaling well over 4 million records from 5 different systems, the process initially took over 100 hours per month, making it unsustainable. Using Alteryx, Erik was able to take a 100 hour process and turn it into a 5 ½ minute workflow, with only a 2 ½ hour development timeframe. Now leading a team of analysts, Erik is taking the project forward to develop a strategic security analytics program designed to assess the risks posed to Western Union by malicious insiders, hackers, and uninformed users. In this session, Erik will cover how, with Alteryx at the core, the Security Analytics team is building out an extensive risk analytics program covering multiple threat vectors across Western Union's environment. He will also share why Alteryx has become the must-have tool at the center of this team's success.

To watch a recording of this session from Inspire 2016, visit alteryx.com/inspire-2016-tracks.

Published in: Data & Analytics

  1. Idea to Insight: How Western Union Built a Security Analytics Program from the Ground Up Using Alteryx
  2. #inspire16 Session Speaker
  3. Agenda
     • Introduction
     • Company / Team
     • Where we started
     • Enter Alteryx
     • Where we are
     • What’s next
     • Takeaways & ROI
     • Q&A
  4. To watch a recording of this session from Inspire 2016, visit alteryx.com/inspire-2016-tracks
  5. Who is Erik? Sr. Systems Engineer – Cyber Security Analytics
     • Building program to measure risk across Western Union
     • Growing operational & big data analytic concepts in the information security world
     • Run Western Union’s Governance, Risk & Compliance system
     • Manage three person cyber security analytics team
     • Manage Alteryx Server for WU
     • Work with multiple groups to get their Alteryx processes off the ground
     • i.am.data
  6. A little about Western Union
     • Financial Services company
     • Founded in 1851
     • 200+ countries
     • 20,000+ employees and contractors
     • 500,000+ global Agent Locations
     • $150 billion moved globally in 2015
     • Online & mobile presence
     • 31 transactions per second
     • Bonus fact: First company to launch commercial satellite, Westar 1, in 1974
  7. About the Cyber Security Analytics Team
     • Small team of three
     • Kim Hickman – Currently focused on Agent Location analytics
     • XinYuan Liu – Currently focused on employee behavioral analytics
     • Erik Miller – Currently focused on Identity & Access Management analytics
     • Analytics for most people in Information Security doesn’t mean what you think it does…
     Erik Miller, Kim Hickman, XinYuan Liu
  8. In the beginning…
  9. Our humble beginnings
     • Our team started out as an army of one
     • Approached to run a POC on Agent analytics
     • Painful process with Excel, Access, MySQL, and 36 input files from six different sources (Netezza, Business Objects, fraud analytics system, credit & risk reporting, transaction pattern system, and global Agent listing)
     • 100 hours per month spent on producing a risk profile of our 500,000+ Agent Locations, 200+ countries, over 2 million POS Terminals, 13 security measures, and all fraud in the past 365 days
     • 4,000,000+ records each month
     • COMPLETELY UNSUSTAINABLE!
  10. Along came Alteryx and hours became minutes
     • Met Alteryx & fell in love!!!
     • Initial focus was on building Agent analytics POC into a program
     • Downloaded demo and spent 30 minutes learning the software
     • Workflow (picture to the right) took a total of 2.5 hours to build – decided to purchase well before 14-day trial was over
     • Built hooks into data services rather than downloading files
     • Process shrunk from 100 hours to just 5.5 minutes
  11. Alteryx made analytics easy! And analytics became insanely flexible!
     • Everything broken down into bite-sized modules
     • Modules easily moved in, out, and around just by changing one or two connections
     • It feeds into our interactive Tableau visualizations seamlessly
  12. That was then, this is now…
  13. Our current use cases – Data Parsing and Structuring
     • Our data is becoming increasingly complex
       • Users & Contractors: log files (~1,000 events per second), malware / infection data, Identity & access management entitlements, installed applications
       • Customers: full clickstream data for digital assets
       • Infrastructure: servers, data centers, information, and applications
     • Alteryx helps us structure the unstructured

     This is just two log example entries:

     Dec 1, 2015, 4:37:19 AM WindowsAuthServer @ QA2012IIS08A <13>Nov 30 23:37:19 QA2012IIS08A AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=QAWEB238A.corp.com User= Domain= EventID=5152 EventIDCode=5152 EventType=16 EventCategory=12809 RecordNumber=19915703 TimeGenerated=1448944636 TimeWritten=1448944636 Message=The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0 Application Name: - Network Information: Direction: %%14592 Source Address: 127.0.0.1 Source Port: 35903 Destination Address: 127.0.0.1 Destination Port: 3000 Protocol: 6 Filter Information: Filter Run-Time ID: 67138 Layer Name: %%14597 Layer Run-Time ID: 13

     Dec 1, 2015, 4:37:19 AM WindowsAuthServer @ BS9DBSQLB02N1 <13>Nov 30 20:37:19 BS9DBSQLB02N1 AgentDevice=WindowsLog AgentLogFile=Security Source=Microsoft-Windows-Security-Auditing Computer=WORKSTATION.BIZ User= Domain= EventID=4634 EventIDCode=4634 EventType=8 EventCategory=12545 RecordNumber=1405697363 TimeGenerated=1448944638 TimeWritten=1448944638 Message=An account was logged off. Subject: Security ID: CHGFEsqldmsvc Account Name: sqldmsvc Account Domain: CHGFE Logon ID: 0x21cfe950b Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.

     A network-activity record, as columns:

     Username: EMILLER
     Source Workstation: null
     Windows - Workstation: null
     Source IP: 10.0.0.1
     Destination IP: 10.0.0.1
     Destination Network: Other
     Geographic Country/Region: UnitedStates
     Source Network: Other
     WW-URL: N/A
     WW-Category: N/A

     Identity attributes as an XML blob:

     <Attributes><Map>
       <entry key="LOCAL GUID" value="baad2a67c7c9bf419762ab2bc595a5c9"/>
       <entry key="LOCAL sAMAccountName" value="EMILLER"/>
       <entry key="companycode" value="311"/>
       <entry key="companynumber" value="Western Union, LLC 312"/>
       <entry key="costcentercode" value="9999999999999"/>
       <entry key="customfield4" value="Information Security"/>
       <entry key="displayName" value="Erik Miller"/>
       <entry key="email" value="Erik.Miller@westernunion.com"/>
       <entry key="employeeid" value="123456"/>
       <entry key="firstname" value="Erik"/>
       <entry key="jobcode" value="4422"/>
       <entry key="lastname" value="Miller"/>
       <entry key="middlename" value="R"/>
       <entry key="status" value="Active"/>
       <entry key="usersource" value="Workday"/>
       <entry key="usertype" value="EMPLOYEE"/>
       <entry key="workphone" value="+1 720 332-4242"/>
     </Map></Attributes>

     …Or one of 28 other possibilities:

     Name,HQINTL1,EmployeeID,Company,JobTitle,Status,Source,Type
     "Erik Miller","EMILLER","123456","Western Union, LLC 312","Information Security","Active","HR System","EMPLOYEE"
  14. Our current use cases – Data Blending
     • All of our seemingly disparate data needs to come together to tell a story
     • Combine network identities and activity with employee HR identities? Yes please!
     • Look for terminated user credentials still being used in our systems? Absolutely!
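As an added example (not code from the deck, Western Union or Alteryx), this Python script does in code what slides 13 and 14 describe doing in Alteryx: it parses Windows Security events in the key=value layout shown on slide 13, blends them with an HR extract in the CSV layout shown there, and flags session events for accounts that are terminated in HR or have no HR identity at all. The log lines, the HR rows and the SCONTRACT identity are constructed sample data.

```python
import csv, io, re

# Constructed sample events in the key=value layout shown on slide 13 (not Western Union's real feed).
LOG_LINES = [
    "Nov 30 20:37:19 BS9DBSQLB02N1 Computer=WORKSTATION.BIZ User= Domain= EventID=4634 "
    "Message=An account was logged off. Subject: Account Name: sqldmsvc Account Domain: CHGFE Logon Type: 3",
    "Nov 30 20:41:02 BS9DBSQLB02N1 Computer=WEB01.BIZ User= Domain= EventID=4634 "
    "Message=An account was logged off. Subject: Account Name: EMILLER Account Domain: CHGFE Logon Type: 3",
    "Nov 30 20:45:55 BS9DBSQLB02N1 Computer=FS02.BIZ User= Domain= EventID=4634 "
    "Message=An account was logged off. Subject: Account Name: SCONTRACT Account Domain: CHGFE Logon Type: 10",
    "Nov 30 23:37:19 QA2012IIS08A Computer=QAWEB238A.corp.com User= Domain= EventID=5152 "
    "Message=The Windows Filtering Platform has blocked a packet. Application Information: Process ID: 0",
]

# Constructed HR extract in the CSV layout from slide 13; SCONTRACT is a made-up terminated contractor.
HR_CSV = """Name,HQINTL1,EmployeeID,Company,JobTitle,Status,Source,Type
"Erik Miller","EMILLER","123456","Western Union, LLC 312","Information Security","Active","HR System","EMPLOYEE"
"Sample Contractor","SCONTRACT","000000","Western Union, LLC 312","Customer Care","Terminated","HR System","CONTRACTOR"
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # header tokens; empty values such as "User= Domain=" are kept
MSG_RE = re.compile(r"(Account Name|Account Domain|Logon ID|Logon Type):\s+(\S+)")

def parse_event(line):
    # Split the key=value header from the free-text Message, then lift the account fields out of
    # the Message. The last "Account Name" wins, so a 4624 record (Subject + New Logon) resolves
    # to the account that actually logged on.
    head, _, message = line.partition("Message=")
    event = dict(KV_RE.findall(head))
    event["Message"] = message.strip()
    event.update(MSG_RE.findall(message))
    return event

def load_hr(csv_text):
    # Index HR rows by network ID (HQINTL1), upper-cased so the join is case-insensitive.
    return {row["HQINTL1"].upper(): row for row in csv.DictReader(io.StringIO(csv_text))}

def find_suspect_sessions(log_lines, hr_by_netid):
    # Blend step: any session event whose account is not an Active HR identity is a finding;
    # accounts with no HR row (service or orphan accounts) are reported as NO_HR_RECORD.
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        netid = ev.get("Account Name", "").upper()
        if netid in ("", "-"):  # e.g. EventID 5152 carries no account, so there is nothing to join
            continue
        hr = hr_by_netid.get(netid)
        status = hr["Status"] if hr else "NO_HR_RECORD"
        if status != "Active":
            findings.append((netid, status, ev.get("Computer"), ev.get("EventID")))
    return findings
```

With the constructed data the EMILLER session is dropped as an Active employee, while sqldmsvc (no HR row) and SCONTRACT (Terminated) are returned for review.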
  15. Our current use cases – Behavioral Analytics
  16. Our current use cases – Why we do what we do
     • What’s the point of what we do?
     • We want to be able to identify, quantify, rank, and prioritize risks (and risk profiles) within our organization through data
     • We’re looking for the bad (or questionable) in a sea of good
     • We want to tell the story of what’s normal so the abnormal is apparent
     • People in similar roles are typically, well, similar
     • Behavior and patterns are key!
     • Once our data is together, we scour it to find the hackers, malicious insiders, negligent users, and most importantly, opportunities to mitigate risk at WU
     • Malicious insiders (and hackers) eventually give themselves away…if you listen
  17. So why Alteryx?
  18. Why Alteryx?
     Alteryx allows us to be analytical, pull and manipulate massive amounts of data, and produce actionable information quickly…more importantly, it allows us to be creative with big data – something which other tools promise, but do not deliver.
     “Science is analytical, descriptive, informative. Man does not live by bread alone, but by science he attempts to do so. Hence the deadliness of all that is purely scientific.” – Eric Gill
  19. Before and After
     Before Alteryx
     • Unsustainable POC – 100 hours
     • No country level details
     • 1 team member
     • 6 data sources
     • One Tableau dashboard
     • Frustrated trying to get data out
     • Focused on stabilizing what we had
     • Corporate Information Security Manager
     After Alteryx
     • Full cyber security analytics program
     • 200+ countries covered
     • 3 team members
     • ~25-30 data sources
     • Five Tableau dashboards + more
     • Spinning data every which way
     • Branching out and helping other teams
     • Sr. Manager – Cyber Security Analytics
  20. And then there was Alteryx Server…
     • Remember all the workflows I mentioned earlier? Now imagine being able to automate processes even further. Example: our first workflow: 100 hours to 5 ½ minutes to 1 minute, thanks to Scheduler
     • We can move persistent data through our workflows and output the information into our databases – parsed, blended, and calculated – without ever touching Alteryx
     • We allow users to generate their own reports for data management in the Gallery. Example: we allow BCM users to look up names, departments, teams, and management chains based off of lists of Network IDs
     • Our Customer Care Analytics group has automated several Netezza-based (read: manual) reports to be automatically produced & distributed
     • Most importantly, Alteryx Server is simple to deploy and manage – it’s not needy & you don’t need another resource to manage it.
  21. Key Takeaways, Our Future, & The Best ROI EVER
  22. Key Takeaways
     • Alteryx is fast – save time & headaches with simplistic, yet powerful interface
     • No coding necessary – even if you can, don’t!
     • Structuring, parsing, blending, and analyzing data works beautifully
     • Visualizing? Seamless integration with Tableau. No more Elapsed Time notifications
     • Server takes everything to 11 – much less repetitive work: automation & self service is beautiful!
     • Alteryx & You – together can do the unimaginable
  23. Our future initiatives - 2016
     • Additional employee / contractor behavior analytics
     • Expanded Identity & Access Management Analytics program
     • Employee job, geographic, title end point usage analytics
     • Server & asset cataloging and anomaly detection
     • Machine Learning on massive data sets
     (Diagram labels: Alteryx; Privileged Access Management; Entitlement/Micro Reauthorization; User Behavior Analytics; Employee Access Management; Reporting & Risk Rankings)
  24. ROI
     • Saved 100 hours per month initially – now at nearly 250 hours with new processes
     • Alteryx paid for itself before 14-day demo was completed
     • Able to keep lean team – rather than having to hire several analysts, we’re able to build processes with just three people
     • Freed up nights & weekends to spend more time with my family!!!
  25. Questions? Erik Miller 720.332.4242 | erik.miller@westernunion.com | twitter: @ermiller | LinkedIn: ermiller
  26. alteryx.com/trial You can also achieve the incredible benefits described in this slide deck. Download a FREE Trial of Alteryx and experience self-service data analytics on your next data project