SplunkLive! Splunk for Insider Threats and Fraud Detection

  1. Copyright © 2013 Splunk Inc. Splunk for Insider Threats and Fraud Detection
  2. Company (NASDAQ: SPLK). Founded 2004, first software release in 2006. HQ: San Francisco / Regional HQ: London, Hong Kong. Over 850 employees, based in 12 countries. Annual revenue: $198M (YoY +60%). $5+ billion market valuation. Business model / products: free download to massive scale; on-premise, in the cloud and SaaS. 6,000+ customers; 2,500 with security use cases. Customers in over 90 countries. 60 of the Fortune 100. Fast Company 2013: named Splunk #4 Most Innovative Company in the World and #1 Big Data Innovator. Largest license: 100 terabytes per day. Leader: Gartner SIEM Magic Quadrant, 2013.
  3. Make machine data accessible, usable and valuable to everyone.
  4. The Accelerating Pace of Data: Volume | Velocity | Variety | Variability. Sources: GPS, RFID, hypervisor, web servers, email, messaging, clickstreams, mobile, telephony, IVR, databases, sensors, telematics, storage, servers, security devices, desktops. Machine data is the fastest growing, most complex, most valuable area of big data.
  5. Machine-generated data is a definitive record of human-to-machine and machine-to-machine interaction.
  6. Insider Threats – Employee Attitudes (Ponemon Institute Survey 2012)
      • 52 percent of employees don't believe it's a crime to use a competitor's confidential information
      • 44 percent believe a software developer who develops source code for a company has some ownership of work and inventions beyond their current employer
      • 42 percent don't think it is a crime to reuse source code, without permission from a former employer, in projects for other companies
      • 60 percent say a co-worker hired from a competing company has offered documents from that company for their use
  7. Employee insider threats are: authorized users; doing authorized things; with malicious intent; a "people centric" behavioral problem. They are not: hackers using specialized tools; a technical or "cybersecurity" issue alone; people escalating their privileges for purposes of espionage.
  8. Context for Insider Threats • Who are your privileged internal people? • Who might be a likely enemy? • What data would be at risk? Contextual, cyber and psychological insider threat risk.
  9. Two Strategies for Combating: Primary – Prevention/Deterrence; Secondary – Detection • Pattern based • Specific indicators or alerts • Multiple factors • Definitive evidence • Uses heuristics and statistical models • Physical detection (stolen documents) • Requires baselining / watching for outlier behaviors. "Rather than getting wrapped up in prediction or detection, organizations should start first with deterrence." Patrick Reidy, CISO, FBI
  10. Splunk and the broken window theory. Some employees test the limits of their access. Employee feedback is required for all unauthorized attempts (accidental or not): Splunk monitors access in real time and sends an email (via script) to the employee indicating awareness of the attempt.
  11. Examples: Correlations / Detections / Context (Detection – Indicator – Analysis)
      • Printer usage – Number of print jobs over a given period of time – Outlier
      • Printer usage – Increase in size of print jobs – Outlier
      • Printer usage – Unusual times of day – Outlier
      • Printer usage – Rare network printer use (the one not closest to the employee) – Outlier
      • Logins to AD or use of SSO – Local vs. remote – Outlier
      • Logins to AD or use of SSO – Time of day – Outlier
      • Logins to AD or use of SSO – During vacation times – Outlier
      • Monitor employee behavior and attitude changes (proxy data) – Abrupt change in the ratio of website categories visited – Outlier/Context
  12. Examples: Correlations / Detections / Context (Detection – Indicator – Analysis)
      • Unused vacation, 18 months or longer – Employee remains in control; work not turned over to others for review – Context / Lookup
      • Always first in / first out of the office – Badge data and/or AD; desire to control the situation – Context / Lookup
      • Personal life change (marital status change, stress trigger) – Can jeopardize emotional stability; HR system data – Context / Lookup
      • Lay-off notification – Monitor for file transfers by individuals that occur immediately after lay-offs are announced – Context / Lookup
      • Attempted changes to document classifications – Document metadata – Direct indicator
      • Attempts to use USB or CD-ROM – Log data events – Direct indicator
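
The printer-usage indicators on slide 11 (job count over a period, job size, time of day, a printer the employee rarely uses) are each an outlier test against a per-user baseline. The Python below is an added example, not code from the Splunk deck; it runs those tests over a constructed print-server log. In Splunk this would be a scheduled search, but here the log format, the 07:00-19:59 working-hours window, the z-score threshold and the "rare printer" share are all assumptions of the example.

```python
"""Printer-usage outlier checks over constructed print-server log lines.

Baseline each user's daily page volume, then flag days well above that
baseline, jobs outside working hours, and use of a printer the user
rarely touches. The log format and thresholds are assumptions for this
example, not a Splunk data model.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> user=<id> printer=<name> pages=<n>"
PRINT_LOG = """\
2013-03-04T09:12:00 user=alice printer=PRN-3F pages=4
2013-03-04T14:40:00 user=alice printer=PRN-3F pages=6
2013-03-05T10:05:00 user=alice printer=PRN-3F pages=5
2013-03-05T15:00:00 user=alice printer=PRN-3F pages=2
2013-03-06T11:30:00 user=alice printer=PRN-3F pages=3
2013-03-06T14:00:00 user=alice printer=PRN-3F pages=4
2013-03-07T09:50:00 user=alice printer=PRN-3F pages=7
2013-03-08T22:15:00 user=alice printer=PRN-LOBBY pages=180
2013-03-08T22:40:00 user=alice printer=PRN-LOBBY pages=220
2013-03-04T10:00:00 user=bob printer=PRN-2B pages=10
2013-03-05T10:00:00 user=bob printer=PRN-2B pages=12
2013-03-06T10:00:00 user=bob printer=PRN-2B pages=11
2013-03-07T10:00:00 user=bob printer=PRN-2B pages=9
"""

WORK_HOURS = range(7, 20)     # assumed normal printing window, 07:00-19:59
RARE_PRINTER_SHARE = 0.25     # a printer used for <25% of a user's jobs is "rare"
Z_THRESHOLD = 2.0             # daily pages more than 2 sd above the user's mean


def parse_print_log(text):
    """Parse one job per line into dicts with ts, user, printer, pages."""
    jobs = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        jobs.append({"ts": datetime.fromisoformat(ts), "user": kv["user"],
                     "printer": kv["printer"], "pages": int(kv["pages"])})
    return jobs


def daily_pages(jobs):
    """Per-user map of date -> total pages printed that day."""
    totals = defaultdict(Counter)
    for j in jobs:
        totals[j["user"]][j["ts"].date()] += j["pages"]
    return totals


def volume_outliers(jobs, z=Z_THRESHOLD):
    """Days where a user's page count exceeds mean + z*sd of their OTHER days.

    Leaving the candidate day out of its own baseline stops one huge day
    from inflating the standard deviation enough to hide itself.
    """
    flagged = []
    for user, per_day in daily_pages(jobs).items():
        if len(per_day) < 3:
            continue  # too little history to baseline this user
        for day, pages in sorted(per_day.items()):
            others = [p for d, p in per_day.items() if d != day]
            mu, sd = mean(others), pstdev(others)
            if pages > mu + z * max(sd, 1.0):  # floor sd so flat baselines still work
                flagged.append((user, day.isoformat(), pages))
    return flagged


def off_hours_jobs(jobs, hours=WORK_HOURS):
    """Jobs submitted outside the assumed working-hours window."""
    return [(j["user"], j["ts"].isoformat()) for j in jobs if j["ts"].hour not in hours]


def rare_printer_jobs(jobs, share=RARE_PRINTER_SHARE):
    """Jobs sent to a printer that accounts for a small share of that user's jobs."""
    by_user = defaultdict(Counter)
    for j in jobs:
        by_user[j["user"]][j["printer"]] += 1
    out = []
    for j in jobs:
        used = by_user[j["user"]]
        if used[j["printer"]] / sum(used.values()) < share:
            out.append((j["user"], j["ts"].isoformat(), j["printer"]))
    return out


if __name__ == "__main__":
    jobs = parse_print_log(PRINT_LOG)
    print("volume outliers:", volume_outliers(jobs))
    print("off-hours jobs:", off_hours_jobs(jobs))
    print("rare printer use:", rare_printer_jobs(jobs))
```

The three checks deliberately stay separate so an analyst can weight them: a single off-hours job is noise, but an off-hours job on an unfamiliar printer on a day that is also a volume outlier is the slide's "multiple factors" case.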
  13. Insider Threat Use Case: Disgruntled Employee. Splunk at a Large Aerospace and Defense Contractor. Goal: protect intellectual property from a disgruntled employee. Use case scenario: in an environment where employees are sometimes mistreated, fired or reprimanded, you never know when an employee has become disgruntled. Think of an employee who receives a "pink slip" and decides, before his last day, to take company proprietary data from SharePoint servers. Below explains how Splunk could be used to detect/mitigate that type of behavior. Data sources: host-based FW logs, Single Sign-on (SSO) logs, SharePoint connection logs. Content logic steps: 1. Upload the login IDs of all employees who received pink slips to a Splunk lookup table 2. Run trending reports on those IDs for the past 6 months 3. Correlate data sources with the trend reports 4. Report on suspicious user IDs that have increased downloads from SharePoint servers. Splunk capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules
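
The four logic steps on slide 13 (lookup of notified users, six-month trend, correlation, report on increased downloads) as an added Python example that is not part of the Splunk deck. The SharePoint log format, the lookup layout, the 180-day baseline and the "3x the baseline daily rate" threshold are assumptions of the example; the point it adds is that the baseline must be computed per user from the period before the notice date, not from a global average.

```python
"""Correlate a lookup of employees who received notice with SharePoint
download activity: per-user baseline rate before the notice versus the
rate after it. Log format, lookup layout and thresholds are assumptions
for this example.
"""
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed lookup table: login ids that received notice, and when.
PINK_SLIP_CSV = """\
login_id,notice_date
dsmith,2013-05-20
jdoe,2013-05-20
"""

# Constructed SharePoint connection log: "<date> user=<id> action=<download|view> doc=<path>"
SHAREPOINT_LOG = """\
2013-05-06 user=dsmith action=download doc=/sites/eng/spec1.docx
2013-05-13 user=dsmith action=view doc=/sites/eng/spec1.docx
2013-05-21 user=dsmith action=download doc=/sites/eng/spec2.docx
2013-05-21 user=dsmith action=download doc=/sites/eng/spec3.docx
2013-05-21 user=dsmith action=download doc=/sites/eng/bom.xlsx
2013-05-22 user=dsmith action=download doc=/sites/eng/drawings.zip
2013-05-22 user=dsmith action=download doc=/sites/eng/test-plan.docx
2013-05-06 user=jdoe action=download doc=/sites/hr/handbook.pdf
2013-05-21 user=jdoe action=view doc=/sites/hr/handbook.pdf
2013-05-06 user=mlee action=download doc=/sites/eng/spec1.docx
2013-05-21 user=mlee action=download doc=/sites/eng/spec2.docx
2013-05-22 user=mlee action=download doc=/sites/eng/spec3.docx
"""

BASELINE_DAYS = 180      # slide: trend the past 6 months
RATIO_THRESHOLD = 3.0    # post-notice daily rate must exceed 3x the baseline daily rate
MIN_POST_DOWNLOADS = 3   # ignore tiny absolute counts


def load_lookup(text):
    """Step 1: the lookup table, login_id -> notice_date."""
    return {r["login_id"]: date.fromisoformat(r["notice_date"])
            for r in csv.DictReader(io.StringIO(text))}


def parse_sharepoint_log(text):
    """One (date, user, action, doc) tuple per log line."""
    events = []
    for line in text.splitlines():
        day, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((date.fromisoformat(day), kv["user"], kv["action"], kv["doc"]))
    return events


def download_trend(events, lookup, as_of, baseline_days=BASELINE_DAYS):
    """Steps 2-3: for each user in the lookup, downloads per day before and
    after their notice date. Returns user -> (before_rate, after_rate, after_total)."""
    as_of = date.fromisoformat(as_of)
    counts = defaultdict(lambda: {"before": 0, "after": 0})
    for day, user, action, _doc in events:
        if action != "download" or user not in lookup:
            continue  # only downloads, and only users in the lookup (the correlation)
        notice = lookup[user]
        if notice - timedelta(days=baseline_days) <= day < notice:
            counts[user]["before"] += 1
        elif notice <= day <= as_of:
            counts[user]["after"] += 1
    trend = {}
    for user, c in counts.items():
        after_days = (as_of - lookup[user]).days + 1
        trend[user] = (c["before"] / baseline_days, c["after"] / after_days, c["after"])
    return trend


def suspicious_users(events, lookup, as_of, ratio=RATIO_THRESHOLD, min_after=MIN_POST_DOWNLOADS):
    """Step 4: users whose post-notice download rate jumped versus their own baseline."""
    report = []
    for user, (before_rate, after_rate, after_total) in download_trend(events, lookup, as_of).items():
        floor = 1 / BASELINE_DAYS  # a user with zero baseline downloads still gets a reference rate
        if after_total >= min_after and after_rate > ratio * max(before_rate, floor):
            report.append((user, round(before_rate, 4), round(after_rate, 2), after_total))
    return sorted(report)


if __name__ == "__main__":
    lookup = load_lookup(PINK_SLIP_CSV)
    events = parse_sharepoint_log(SHAREPOINT_LOG)
    print(suspicious_users(events, lookup, "2013-05-22"))
```

Note that `mlee` downloads the same engineering documents but is never reported: the lookup restricts the report to the notified population, which is exactly what keeps the false-positive rate manageable, and also why the lookup must be kept current.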
  14. Insider Threat Use Case: Data Leakage/Spill. Splunk at a Large Aerospace and Defense Contractor. Goal: detect/monitor potential leakage/spill of very sensitive intellectual property. Use case scenario: in an environment where employees are government contractors who have access to sensitive R&D projects and/or supporting government programs, data leakage is highly likely. An employee can intentionally or unintentionally download any text docs associated with that program/project to a personal laptop, personal email, etc. Below explains. Data sources: Data Loss Prevention (DLP) logs, keywords, email logs, anti-virus logs (USB). Content logic steps: 1. Upload "program keywords" and "user IDs" into a Splunk lookup table 2. Correlate data sources against the lookup table 3. Develop/report on alerts (rule hits) 4. Develop alert visualization and monitor. Splunk capabilities: lookup, search processing language, real-time alerts, reports, visualization, advanced correlation, real-time rules
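
The correlation on slide 14 joins two lookups (program keywords, program members) against three differently shaped sources (DLP, email, AV/USB). The Python below is an added example, not code from the Splunk deck: it normalises constructed lines from each source into one event shape, matches the keyword lookup against the filename or subject, and emits two kinds of rule hit, a non-member touching program data and a member moving program data outside the perimeter. The log formats, the lookup layout, the domain `corp.example` and the two rules are assumptions of the example.

```python
"""Keyword/user lookup correlation across DLP, email and AV (USB) logs.
Log formats, lookup layout, domain and rules are assumptions for this example."""
import csv
import io
import shlex
from collections import Counter

# Constructed lookups: program keyword -> program, and user -> program membership.
KEYWORD_CSV = """\
keyword,program
skyhawk,SKYHAWK
blue-tide,BLUETIDE
"""
USER_CSV = """\
user,program
alee,SKYHAWK
rgarcia,BLUETIDE
tnguyen,SKYHAWK
"""

# Constructed log lines, one format per source.
DLP_LOG = """\
2013-06-03T10:02:11 dlp user=alee channel=web dest=personal-mail.example file=skyhawk_test_matrix.xlsx
2013-06-03T11:15:40 dlp user=rgarcia channel=web dest=intranet.corp.example file=blue-tide_status.pptx
"""
EMAIL_LOG = """\
2013-06-03T12:30:05 email from=tnguyen@corp.example to=tnguyen@webmail.example subject="skyhawk antenna drawings"
2013-06-03T12:41:00 email from=alee@corp.example to=rgarcia@corp.example subject="lunch"
"""
AV_USB_LOG = """\
2013-06-03T13:05:22 av user=rgarcia event=usb_write file=skyhawk_bom.csv
2013-06-03T13:06:00 av user=alee event=usb_write file=photos.zip
"""

INTERNAL_DOMAIN = "corp.example"  # assumed corporate mail/web domain


def load_lookup(text, key, value):
    """Step 1: a CSV lookup as a dict of key column -> value column."""
    return {r[key]: r[value] for r in csv.DictReader(io.StringIO(text))}


def normalise(*logs):
    """Flatten the three formats into (ts, source, user, text, external) tuples.
    `text` is the field keywords are matched against; `external` is True when the
    data is heading off the corporate domain (web upload, outside mailbox, USB)."""
    events = []
    for log in logs:
        for line in log.splitlines():
            ts, source, rest = line.split(" ", 2)
            kv = dict(f.split("=", 1) for f in shlex.split(rest))  # shlex keeps quoted subjects intact
            if source == "dlp":
                events.append((ts, source, kv["user"], kv["file"],
                               not kv["dest"].endswith(INTERNAL_DOMAIN)))
            elif source == "email":
                user = kv["from"].split("@")[0]
                events.append((ts, source, user, kv["subject"],
                               not kv["to"].endswith("@" + INTERNAL_DOMAIN)))
            elif source == "av":
                events.append((ts, source, kv["user"], kv["file"], kv["event"] == "usb_write"))
    return events


def rule_hits(events, keywords, members):
    """Step 2-3: correlate every event with both lookups; return rule hits as
    (rule, ts, source, user, program) tuples."""
    hits = []
    for ts, source, user, text, external in events:
        lowered = text.lower()
        for kw, program in keywords.items():
            if kw not in lowered:
                continue
            if members.get(user) != program:
                hits.append(("non-member-touched-program-data", ts, source, user, program))
            elif external:
                hits.append(("program-data-left-perimeter", ts, source, user, program))
    return hits


def hits_by_rule(hits):
    """Step 4 input: counts per rule for a dashboard or alert threshold."""
    return Counter(h[0] for h in hits)


if __name__ == "__main__":
    kw = load_lookup(KEYWORD_CSV, "keyword", "program")
    mb = load_lookup(USER_CSV, "user", "program")
    hits = rule_hits(normalise(DLP_LOG, EMAIL_LOG, AV_USB_LOG), kw, mb)
    for h in hits:
        print(h)
    print(hits_by_rule(hits))
```

Normalising first is the design choice worth copying: the rules are written once against a common event shape, so adding a fourth source (the slide's host firewall logs, say) means one more branch in `normalise`, not a fourth copy of the rules.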
  15. "Fraud is the daughter of greed." ― Jonathan Gash, The Great California Game
  16. Splunk for Fraud Detection Across Verticals: Financial Services, eCommerce, Mobile / Wireless, Online Education
  17. Online Education Company – Fraud Background (Use Case – Before Splunk – After Splunk)
      • Classroom activity / fraud (affects accreditation) – Difficult to identify fraudulent student loan and attendance activity accurately – Complete visibility into classroom activity and increased confidence that financial aid fraud is being detected thoroughly; seats not taken from legitimate students
      • Internet browsing history – Bluecoat Reporter had so much data it stopped working, making them unable to report on this for HR – Faster and lower-cost response to internal production requests and data costs
  18. Online Education Company – Detections Benefits. Use cases: classroom activity / fraud (affects accreditation); Internet browsing history. After Splunk:
      • $10s of millions of fraudulent funds have been stopped from being distributed
      • Saves 75-90% of the Corporate Forensics team's efforts (can offer more services)
      • Reputation and Dept. of Education accreditation maintained seamlessly
      • Saves $45,000/year in external production services (external Legal)
      • Saves $1.5M/year in data processing costs (process, collect, cull, review, etc.)
  19. Cash Wire Transfer Company, Subsidiary of Major Financial Institution. With targeted and ever-evolving fraud techniques, the number of fraud attempts and the amounts rose rapidly; Splunk was introduced to fill a detection gap in June 2012 • Splunk's agility to react to emerging fraud patterns saved millions for the bank • The broader view Splunk introduced enabled us to quickly identify fraud techniques and to discover and fix design flaws in applications – 11 detection rules deployed – 2 application flaws were discovered and fixed
  20. Cash Wire Transfer Company - Fraud Detection, 12/2012 – 4/15/2013. [Chart: payment amounts attempted, stopped, released, recovered and net loss, broken out by detection method (Splunk alone, Splunk & other methods, other detection methods); labelled figures: Stopped 81.97%, Recovered 14.41%, Loss 3.62%.] • Attempted: payments created or released • Stopped: payments didn't leave the bank • Released: payments were out of the bank • Recovered: payments were recalled back • Net loss: payments were cashed out
  21. Intuit Financial Services - Fraud Background • We noticed a similar fraud pattern across 15 banks • Then we mapped them to see they were within 15 miles of one another • Fraud was coming from one data processing vendor who they all shared
  22. Intuit Financial Services Organization -- Wire Transfers. Watching the fraudster in real time: seeing $5M, $7M, $8M wire attempts • Splunk exposed every element of our infrastructure that he touched • Next we could correlate activities based on time to understand his pattern of activity
  23. Detecting Fraud at Etsy – Sample patterns of possible fraud:
      • User traffic coming from "rent a VM", cloud-based services
      • Brute force password guessing
      • Single IP excessively selecting the "I forgot my password" option for several accounts
      • Abnormally large payments, or very high velocity of payments, from a single account
      • Customer info that should be stable changing often: email/physical address, payment card, etc.
      – Automatically lock accounts that appear to be compromised
      – Weave Splunk data into customer service tools so CSRs also see fraud indicators
      – Use Splunk for fraud, security, compliance, IT Ops, and app mgmt
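
Three of the Etsy patterns on slide 23 (one IP hitting "I forgot my password" for many accounts, abnormally large or high-velocity payments from one account, and "stable" customer fields changing often) share one mechanism: a sliding time window per IP or per account. The Python below is an added example, not code from the deck or from Etsy; it implements that window once and applies it three times over constructed application events. The event format, window lengths and thresholds are assumptions of the example, and the "rent a VM" pattern is left out because it needs an external hosting-provider address list.

```python
"""Sliding-window fraud checks over constructed application events.
Event format, windows and thresholds are assumptions for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: "<ISO ts> <event> ip=<addr> acct=<id> [amount=<n>] [field=<name>]"
EVENTS = """\
2013-02-10T08:00:00 forgot_password ip=203.0.113.9 acct=u100
2013-02-10T08:00:05 forgot_password ip=203.0.113.9 acct=u101
2013-02-10T08:00:09 forgot_password ip=203.0.113.9 acct=u102
2013-02-10T08:00:14 forgot_password ip=203.0.113.9 acct=u103
2013-02-10T08:00:20 forgot_password ip=203.0.113.9 acct=u104
2013-02-10T08:00:26 forgot_password ip=203.0.113.9 acct=u105
2013-02-10T09:30:00 forgot_password ip=198.51.100.4 acct=u200
2013-02-10T10:00:00 payment ip=198.51.100.4 acct=u200 amount=40.00
2013-02-10T10:00:30 payment ip=198.51.100.7 acct=u300 amount=900.00
2013-02-10T10:01:00 payment ip=198.51.100.7 acct=u300 amount=950.00
2013-02-10T10:01:40 payment ip=198.51.100.7 acct=u300 amount=975.00
2013-02-10T10:02:10 payment ip=198.51.100.7 acct=u300 amount=990.00
2013-02-10T10:05:00 payment ip=198.51.100.8 acct=u400 amount=5200.00
2013-02-10T11:00:00 profile_change ip=198.51.100.7 acct=u300 field=email
2013-02-10T11:02:00 profile_change ip=198.51.100.7 acct=u300 field=payment_card
2013-02-10T11:05:00 profile_change ip=198.51.100.7 acct=u300 field=address
2013-02-11T11:05:00 profile_change ip=198.51.100.4 acct=u200 field=address
"""


def parse_events(text):
    """One dict per line: ts, event, plus the key=value fields present."""
    out = []
    for line in text.splitlines():
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        out.append({"ts": datetime.fromisoformat(ts), "event": event, **kv})
    return out


def trailing_windows(events, group_field, window):
    """Yield (group, events_in_window) for every event: the same group's events
    in the trailing `window` ending at that event (a sliding window per IP/account)."""
    by_group = defaultdict(list)
    for e in events:
        by_group[e[group_field]].append(e)
    for group, evs in by_group.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for i, e in enumerate(evs):
            while evs[start]["ts"] < e["ts"] - window:
                start += 1  # drop events that fell out of the window
            yield group, evs[start:i + 1]


def forgot_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """A single IP requesting password resets for many distinct accounts."""
    resets = [e for e in events if e["event"] == "forgot_password"]
    flagged = set()
    for ip, win in trailing_windows(resets, "ip", window):
        if len({e["acct"] for e in win}) >= min_accounts:
            flagged.add(ip)
    return sorted(flagged)


def payment_anomalies(events, window=timedelta(minutes=5), max_count=3, max_amount=2000.0):
    """Abnormally large payments, or too many payments, from one account."""
    payments = [e for e in events if e["event"] == "payment"]
    flagged = set()
    for acct, win in trailing_windows(payments, "acct", window):
        if len(win) > max_count:
            flagged.add(("high-velocity", acct))
        if float(win[-1]["amount"]) > max_amount:  # win[-1] is the current event
            flagged.add(("large-payment", acct))
    return sorted(flagged)


def profile_churn(events, window=timedelta(days=1), max_changes=2):
    """Customer fields that should be stable (email, address, card) changing often."""
    changes = [e for e in events if e["event"] == "profile_change"]
    flagged = set()
    for acct, win in trailing_windows(changes, "acct", window):
        if len(win) > max_changes:
            flagged.add(acct)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(EVENTS)
    print("reset spray from:", forgot_password_spray(evs))
    print("payment anomalies:", payment_anomalies(evs))
    print("profile churn:", profile_churn(evs))
```

Account `u300` trips two independent checks within an hour (payment velocity, then email, card and address all changed), which is the kind of converging evidence the slide's "automatically lock accounts that appear to be compromised" action should require before it fires.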
  24. East Coast Financial Services: Use of Splunk for Fraud Investigations
      • Phish detection – 500+ customers protected and ~$5M saved – Used to be done 100% by customers; log files weren't available for searching for 1 day – Use Splunk to detect the patterns with referrers who are testing their phish to see if it works
      • Malware detection – 14 detections stopped $140K – This use case used data already indexed in Splunk…no incremental cost – Using Splunk to research and detect anomalies within logs specific to malware/web injects – Alert and block the PIN within 10 minutes of identification and before account access
      • Trading on uncollected funds – ~500 customers protected, stopping over $4.5M – This takes place when a customer places a trade before money transfers in clear – Without Splunk they had to wait a day to get access to this data for analysis – Fastest detection and PIN block was 37 seconds
      • Online bank wire fraud – blocked 60+ incidents saving over $240k – Transaction completion involves a code sent to a mobile phone, detecting now every 5 minutes – Actually detected an occurrence of this before the capability went live with customers
  25. Other Companies • Using Splunk to track unauthorized cell phone activations at franchiser locations. Online Ticket Reseller • Using web log patterns to determine fraudulent buyers and sellers. On-Line
  26. Other Companies • Monitoring for anomalous usage patterns based on plans; an open international call connection lasting multiple hours uncovered a fraud ring selling international calling. On-line Educational Institution • Using Splunk to track academic and financial aid fraud using weblogs and session IDs; students that are flagged come up on a list for investigation
  27. Thank You