How to Use Splunk To Detect and Defeat Fraud, TheK And Abuse

Transcription

1 Copyright 2015 Splunk Inc. How to Use Splunk To Detect and Defeat Fraud, TheK And Abuse Joe Goldberg Product Splunk Young Cho Technical Product Splunk

2 Disclaimer During the course of this we may make forward looking statements regarding future events or the expected performance of the company. We you that such statements reflect our current and based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward- looking statements, please review our filings with the SEC. The forward- looking statements made in the this are being made as of and date of its live If reviewed aker its live this may not contain current or accurate We do not assume any to update any forward looking statements we may make. In any about our roadmap outlines our general product and is subject to change at without It is for purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no either to develop the features or described or to include any such feature or in a future release. 2

3 Personal Joe Goldberg 3.5 years at Splunk Product for fraud/thek/abuse. Also security and compliance Previously Symantec Data Loss (Vontu) Young Cho 2 years at Splunk Technical Product Marke@ng for an@- fraud/thek/abuse. Also security and compliance. Formerly Solu@ons Architect in APAC for 1.5 years Previously Splunk Partner in APAC, MOS 3

4 Agenda Splunk for Fraud, TheK, & Abuse Detailed bank fraud use case Demo permi`ng) 4

5 Splunk for Fraud, TheK, Abuse ( Fraud )

6 Why You Should Care: Fraud is Costly - Associa'on of Cer'fied Fraud Examiners High annual costs & growing: Merchants $ billion; banks and financial ins@tu@ons $12-15 billion 1 Reputa@on/brand damage Labor costs from manual inves@ga@ons and review 1. Forrester Feb

7 Business Moving Online Has Increased Fraud Data breaches Lead to downstream thek and credit card fraud No boundaries Fraudsters are able to act from away with impunity Creden2al the4 Account takeovers are easier due to phishing and malware More sophis2ca2on Fraudsters use new and change behavior to evade 7

8 Machine Data Contains Fraud Insights Sources Card Payment System [ ] proc_source="b24a", tmst_target=" ", serv_id="iss", proc_input="mast", proc_target="b24h", Card interface_acq="bnet_1", ID Amount interface_iss="02008", cod_msg="1110", oper_rrn=" ", card_id="526430vs350y2992", oper_amount=" ", oper_ currency="978", Merchant oper_country="380", ID term_id=" ", circuito="", seu_merc="4722", bin_acq="002111", id_merc=" ", prcode="003000", approval_code ="H8H766", oper_ mod_input="1", channel="o", flag_dupl="y", flag_onus="n", Client ID auth_rout_dst="intfhi93", auth_ rout_id="hiso_auth", msg_subst="", ndg=" ", BNET- MI1", acceptor = TRAWEL SPA\\MILANO\ 380", tmst_ins=" ", lpar="b" Web Proxy :21: TCP_HIT OBSERVED GET HTTP/1.1 0 "Mozilla/4.0 (compa@ble; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR ; InfoPath.1; MS- Source IP RTC LM 8;.NET CLR ;.NET CLR ; ) User John Doe," Referring URL Authen2ca2on Cap@on=ACME- 2975EB\JohnDoe Descrip@on=User account Built- in account for administering the computer/domaindo\n=acme- 2975EB InstallDate=NULLLocalAccount = IP: TrueName=Administrator SID =S User Name 500SIDType=1 Source IP Status=Degradedwmi_ type=useraccounts 8

9 Example Pauerns of Fraud in Machine Data There are Hundreds of Pa9erns of Internal/External Fraud! Industry Financial Services Healthcare E- tailing Telecoms Online Type of Fraud Account takeover Physician billing Account takeover Roaming abuse Student loan fraud 9 PaAern of fraud High velocity of transac@ons under $10k Physician billing for drugs outside their exper@se area Many accounts accessed from one IP or user agent string Unlimited use customers doing excessive roaming on partner networks Student IP in high- risk country and student absent from classes & assignments

10 Splunk: Machine Data Plaworm for Fraud Use Cases Machine Data: Any Loca2on, Type, Volume Answer Any Ques2on On- Premises Private Cloud Public Cloud Mobile Servers Storage Online Shopping Cart Online Services Smartphones and Devices Malware Desktops Badge records GPS Web server Networks Call Detail Records Fraud tools Packaged Messaging Databases/ Payment Systems Custom Ad hoc search Monitor and alert Asset Info Report and analyze External Lookups Employee Info Threat feeds Custom dashboards Data stores Developer PlaJorm 10

11 Supports Many Needs of Fraud Teams Fraud Monitoring and Fraud Fraud and Enhance Fraud Tools

12 Why Splunk for Fraud Exis,ng Fraud Tools Splunk for Fraud RIGID AND INFLEXIBLE FLEXIBLE NARROW VIEW OF FRAUD BROAD VIEW SCALE AND SPEED ISSUES DIFFICULT TO DEPLOY; LIMITED ROI SCALE & SPEED FAST VALUE; COMPELLING ROI 1

13 Splunk For Fraud Across Financial Services Mobile/Telecom ecommerce Health Care Online Educa2on Government 1 3

14 Leading Online Retailer Challenge: Fraud were too slow with no unified logging took 12 hours using 10 resources 90 minutes from alert to Enter Splunk: Big data, flexible plaworm to accelerate Sample pauerns of fraud Splunk looks for: ê One referrer string or IP logging into user accounts ê One referrer string or IP many new accounts to get account opening OR opening new account to fast to be human ê Single IP excessively the I forgot my password op@on for several accounts ê User traffic coming from rent a VM, cloud- based services ê Brute force password guessing ê Customer info that should be stable changing oken: /physical address, payment card, etc Splunk unites all context around possible fraud on single dashboard Splunk adds together point fraud tool scores to give a consolidated transac@on score Many fraud visualiza@ons, including geo- IP mapping Inves@ga@on takes 0.2 hours using 2 resources Under 10 minutes from alert to inves@ga@on Use Splunk for fraud, security, compliance, IT Ops, and App Mgmt 14

15 Top 5 Online University Challenge: Needed solu@on to detect fraudulent student loans Difficult to iden@fy fraudulent loans and auendance ac@vity Enter Splunk: Significant cost savings in reduced loan fraud Cross- check students with loans against classroom ac@vity to iden@fy fraudsters Stopped $10s of millions of fraudulent funds from distribu@on Reputa@on and Dept of Educa@on accredita@on maintained Single tool for fraud, compliance, cybersecurity, IT Opera@ons, and Classroom Ops 15

16 Bank Fraud Use Case

17 Successful Tier 1 Bank Real- Time Wire Blocking Reference Based a Korean financial news in 2014 : (Money Today ) On the 16 th of December 2014, financial community revealed that Hana Bank 1 bank in Korea) overall bank s fraud detec2on rate has risen to 71.7%. It means that Hana Bank were able to block 70% above all bank s fraudulent transac@ons. Hana Bank has deployed next genera@on fraud detec@on last October AKer they deployed the next genera@on fraud detec@on plaworm, there were significant increase of fraud detec@on rate, originally from 24.8% in January of AKer Hana Bank started deploying the FDS, their fraud detec@on rate immediately increase to 66.8, star@ng from last September.

18 Sorted by the size of asset Top Korean Tier 1 Banks, Splunk Based FDS Adop@on Splunk Based Real-time Fraud Adoption Status 1 W Finance Holdings Splunk based FDS 2 S Financial Group Not Decided 3 H Financial Group Splunk based FDS 4 K Financial Group Local Compe@tor 5 I Bank Splunk based FDS 6 K Bank Local Compe@tor 7 E Bank Splunk based FDS 8 S Bank Splunk based FDS Out of eight tier 1 banks, five banks (63%) have selected Splunk as real-time fraud detection platform, including the largest bank in Korea.

19 High Impact Customer Values Created Various Major Financial Institutions Rate of 1 Bank Asset Blocked Amount Incident Financial Credibility Long term Biz Impact 71% 24% $X0,000 Daily Fast Effec@ve J Sa@sfac@on Rapid Increase Turning all financial transac@ons to cri@cal Intelligence

20 Finance Service Industry Needs > What are some of the technical challenges in managing data? Ability to process transactions in " real-time for detection of fraud Ability to process large volumes of transactional data for long period of time. Ability to analyze complex patterns " of transactions and be able to profile user objects

21 MISSION : Advanced fraud detection platform that COLLECT / PROCESS / ANALYZE Financial transactions in real-time Sensitive Data High Entrance Barrier Mission Critical Real-time Impact

22 The Jargon Channels Tier 1 banks offer many different channels to access their services: BANKING SERVICE CHANNELS ATMs Tellers Online Banking Core Service Plaworm BUS Banking Plaworm Service Telephone Banking Mobile Banking Highest Value Servers / OS Applica@on / Database Network Security

23 Splunk For Core Financial ATMs Tellers Online Banking Telephone Banking Mobile Banking Core Service Platform BUS (Message Queue) IBM MQ / Oracle Weblogic / Core Database Each transac@ons as separate files in AIX server file system 200 G Daily Volume Real- 2me collec2on of core banking transac@ons 32,000+ Types of different transac@on formats

24 Why Is This Such A Big Deal? Reason 1 Tradi@onal 6~12 Hour Batch Collec@on Limited Amount Data Processed Core Banking System Batch Data Collec@on System Processing RDBMS Data Analysis System Splunk Core Banking System Real@me Data Collec@on Data Collec@on Ability Process big data (200G + per day) Big Data Plaworm High Performance Complying customer s 30 seconds fraud detec@on and blocking requirement

25 Why Is This Such A Big Deal? Reason 2 Ability to process 32,000 types of different transac@on types 32,000 Types of different transac@ons RDBMS RDMBS Can t model 32,000 types of different formats Because of that, can t " query/ search 32,000 Types of different transac@ons As a No-SQL database process all 32,000 types Able to search all data based on value-pairs matching

26 How Do Look Like? Format example Bank Code Branch Code Service Code Ac@on Code Account Code Validate Code Format example 2 Change Position New Bank Code Service Code Sub Ac@on Code Branch Code Ac@on Code Account Code v 32,000 types of these formats

27 New Breed Of Bank Robbers Today s bank robbers know you more than you know yourself. Your Human Network Your Bank Info Your Personal Info Your Card Info Your Bank Login Your Financials Your Computer

28 Banking Fraud Example : Phase 1 Internet Bank Network Internet Banking Customer Channels Mul@ Channel Applica@on Customer Account Transac@on Flows Internet Banking Normal Transfer 1 Hacking / Phishing / Pharming Customer PC Teller ATM Normal Transfer 2 Issue a new Cer@ficate Acquire accounts info Phone Banking Mobile Banking With in 60 Sec Fraudulent Transfer 1 Fraudulent Transfer 2 Hacker

29 Of Financial Fraud And Abuse Fast Knows what to do, fast transfers to a temporary accounts Intelligent Highly technical, access the target accounts with proper creden@als and cer@ficates Structured Works as in teams for different roles

30 Banking Fraud Example : Phase 2 Exposed Customer Bank Accounts Bank Network Hacker Target Intermediate Account ATM Hacker ATM Account Cancella@on

31 How Can Fraud Be Stopped? Internet Banking Customer Channel Multi Channel Application Commit Bank Service Plaworm Customer Account Transaction Status Access Terminal ALLOW TRANSFER ATM Customer Allow STOP TRANSFER ATM Suspicious Transaction FRAUD DETECTION PLATFORM Risk Management (Automated / Manual )

32 Success Factor : Real-time MCA Server Forwarder Splunk Cluster Pre Processing Server Uncooked Data Profile DB Internet Banking Service Plaworm Results Forwarder Search Head LBF Real-time collec@on of raw data send for pre processing Splunk Inc. Turning banking format data into Key Value format (Cust Mod) Processing Structure Splunk Cluster Processing of ingests Key marts and Value format applying data into complex Fraud Indexers Rules Results of Fraud detec@on results send over to Internet banking server The fraudsters are warned with warning and aborts wire transfer

33 How Does Splunk Make It Possible? Online Banking Customer Account Normal Transfer 1 > Fraudulent PaAerns / Condi2ons Combo Normal Transfer Issue a new Cer@ficate Acquire accounts info Fraudulent Transfer 1 Hacker Fraudulent Transfer 2 Different Channel Different MAC Address with no prior history Issue a new cer@ficate Target wire account with no prior history Create new cert and wire transfer happens in 5 minutes Index=mul@_access check_hist_mac mac check_hist_wire target_account FRAUD DETECTION PLATFORM Splunk Inc. Transac@ons Account history Summary MAC history Summary Wire history Summary

34 Concept of Profiling Extrapolation of information about something, based on known qualities. Request Committed Wire Request / Ac@on Good Customer Laura Compare the transactions with previous trending Update the transactions so the profile is updated to reflect as new behavior Profiling Database Splunk Inc.

35 Concept of Entity Profiling Purpose Profiling Database Baseline customer behaviors Design analysis model CUST_ID : Laura DEVICE : xx:xx:xx:01 xx:xx:xx:03 IP ADDR : TARGET ACCT : HB HB Other user specific profiling info. Normal Transfer 1 : Target ACCT HB Good Customer Laura Splunk Inc. Normal Transfer 2 : Target ACCT HB The target account exists already in profiling DB

36 Concept of Entity Profiling Purpose Profiling Database Baseline customer behaviors Design analysis model CUST_ID : Laura DEVICE : xx:xx:xx:01 xx:xx:xx:03 IP ADDR : TARGET ACCT : HB HB Other user specific profiling info. Normal Transfer 1 : Target ACCT HB Fraudster Splunk Inc. Normal Transfer 2 : Target ACCT HB Fraudulent Transfer 3 : Target ACCT AB239242? Since this is a unknown account, is this legi@mate?

37 Detecting Based on Profiled Info: Profiling Search Profiling Database Search Data CUST_ID(:(Laura( DEVICE(:(xx:xx:xx:01(xx:xx:xx:3( IP(ADDR(:( (( ( TARGET(ACCT(:((HB092831((HB726383(..(More(user(specific(profiling(info(.( Insert / Update new profiling attributes Search 1 : Profiling Search!!!CUST_ID(:(Laura(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!xx:xx:xx:03! DEVICE(:(xx:xx:xx:01( IP(ADDR(:( (!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ! TARGET(ACCT(:(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!HB726383!!!..(Other(user(specific(profiling(info(.( CUST_ID(:(Laura( DEVICE(:(xx:xx:xx:01( IP(ADDR(:( ( TARGET(ACCT(:(..(Other(user(specific(profiling(info(.( Create New Customer Profile (Scheduled -2m@m ~ -1m@m) Create new customer profiles Update atributes of profiles based on analysis criteria Splunk Inc.

38 Detecting Based on Profiled Info: Detecting Search Profiling Database Realtime Data CUST_ID(:(Laura( DEVICE(:(xx:xx:xx:01(xx:xx:xx:3( IP(ADDR(:( (( ( TARGET(ACCT(:((HB092831((HB726383(..(More(user(specific(profiling(info(.( Lookup / Join Profiled Data CUST_ID(:(Laura( DEVICE(:(xx:xx:xx:01(xx:xx:xx:3( IP(ADDR(:( (( ( TARGET(ACCT(:((HB092831((HB726383(..(More(user(specific(profiling(info(.( Match rule alerts With profile DB CUST_ID(:(Laura( DEVICE(:(xx:xx:xx:01(xx:xx:xx:3( IP(ADDR(:( (( ( TARGET(ACCT(:((HB092831((HB726383(..(More(user(specific(profiling(info(.( Kick off an event / send signal to banking system Wire Fraud Alert Search 2 : Pattern Detection Search (Real-time RT) Real-time searching, Joining lookups and other verification Match the status in profile DB for condition verification Splunk Inc.

39 Processing Logic Machine Learning (Anomaly Fraudulent Pauern Normal Pauern Fraudulent Pauern

40 Importance Of Being Data Store Enterprise Big Data, Intelligence Fraud Money Laundry Internal/ External Compliance FSI Big Data

41 Why is This So Significant? These transaction data is at the heart of all financial service analysis FDS Fraud Detection System Government Regulations Big Data Target Marketing IT OPS Business Analytics Security Expects various financial service Future Data Projects

42 Synergy Factors of Splunk (To Joe) Near Realtime CEP Real-time Collection > Storage > Query Big Data Platform Storing and Summarization of BIG DATA Analysis / Integrations Analyze, Visualize and extend to Service Integrated Real-time Fraud Detection/ Prevention Platform

43 Demo

44 Take- Aways Pauerns of fraud are in machine data Splunk can harness machine data to detect, and report on a wide range of fraud Splunk can address the more demanding and technical fraud use cases (financial services, etc) 44

45 What Now? Go the Compliance & Fraud booth at the App Showcase Other sessions: Exposing Fraud and Risk for Health Agencies, Tues, 3-3:45 Orrstown Bank, Tues, 5-5:45 From Zero to Preuy Robust Fraud Tool, Wed, 10-10:45 Bank Account Takeover and Fraud Auacks with Splunk, Wed, 2-2:45 Info, case study at: Ø Splunk.com > > Security & Fraud > Fraud Contact sales team at Splunk.com > Contact Us 45

46 46

47 THANK YOU