The traditional Loss Prevention systems in any industry are undergoing a profound transformations: from manual controls to automated, from periodical to continuous monitoring, from controls’ monitoring to transaction data monitoring.

1.
The data breach at JPMorgan Bank (December, 2014)
Last October, JP Morgan revealed that names, addresses, phone numbers and email
addresses of about 83 million customers were exposed when the bank’s computer
systems were compromised by hackers, making it one of the biggest data breaches in
history.
How would Transaction Watchdog™ stop this data theft?
Transaction Watchdog™ (TW) monitors each “data copy” event with controlling the
process aware context. For this purpose the TW engine uses data-centric process
model (virtual value chain) built across systems and channels.
Once a “data copy” event is identified, TW exposes process instant for this event and
detects data integrity breaches, like discrepancy, process bypass, missing data and
duplicates. Any of such alerts should stop the data theft.
JPMorgan applies a lot of security tools and spends in this area 250M dollars a year.
But if security guy, for example, didn’t put two-factor authentication for
compromised by hacker server or system, or this function for whatever reason doesn’t
work, no system today can alert about it in real time.
That’s exactly what happened at JPMorgan and this problem TW solves, alerting: 2nd
Factor Authentication Breach.
But it’s not the only alert that could prevent the data theft.
Once hacker accesses the data and starts to copy file, TW will alert: Ghost file export
or Copy Directory discrepancy.
If hacker uses credentials stolen from company’s employee or contractor or partner,
then TW fires alert: User geo-location discrepancy.
So, the TW underlying magic is based on:
• Predefined data-centric process model built for industry, not for specific
customer
• Incorporation of application data, like Termination Note, Attendance Time
and HR Record, with data provided by security systems, like SIEM and Active
directory.
• Data-to-process correlation
• Analyzing just data correlated to the same process-instance which replace any
need in fraud and behavior patterns
Source: http://www.reuters.com/article/2014/12/23/us-jpmorgan-cybersecurity-
idUSKBN0K105R20141223

2.
Cybercrime ring steals up to $1 billion from as many
as 100 financial institutions around the world in
about two years (February 2015)
The gang, which Kaspersky dubbed Carbanak, takes the unusual approach of stealing
directly from banks, rather than posing as customers to withdraw money from
companies’ or individuals’ accounts.
Carbanak used carefully crafted emails to trick pre-selected employees into opening
malicious software files, a common technique known as spear phishing…
In this way, Kaspersky said, the criminals learned how the bank clerks worked and
could mimic their activity when transferring the money.
In some cases, Carbanak inflated account balances before pocketing the extra funds
through a fraudulent transaction. Because the legitimate funds were still there, the
account holder would not suspect a problem.
How would Transaction Watchdog™ stop this money theft?
First of all, this cybercrime use case teaches us that financial institutions check theirs
accounts through a total balance. They unable monitor each individual deal,
comprising in account’s total amount, across their systems. For example, if bank pays
to one payee $1,000 more and to other $1,000 less, nothing is warning because the
total amount of account doesn’t change.
The fraud schema doesn’t matter for TW, while TW monitors the long-live
transactions (takes hours or more to be completed). Examples of such transactions are
security trade and wire transfer, which involve the compromised payment system.
The mentioned security trade transaction is started from Sale/Purchase Order, passes
Share delivery Note provided by Stock Exchange and ends with Payment.
TW is continuously looking for multiple data integrity breach in connection to
individual Order or Customer Request.
As many systems are involved in this process and just one of them is compromised,
once the hacker inserts a fraudulent transaction in this system or changes its
application data, his activity causes to somewhat data inconsistency. TW detects it
and fires alert.
From TW perspective, the difference between this use case and previous case of data
theft is in the used process model. The process model applied in TW defines the
models of data (business objects, metadata) that TW collect and analyze in real time
(at once the data is sent to TW by a customer’s application).
If data from one of application is not received by TW or is sent with unacceptable
delay, then TW alerts that something wrong is going in operations.
Source: http://www.reuters.com/article/2015/02/15/us-cybersecurity-banks-
idUSKBN0LJ02E20150215