SplunkLive! Splunk for Insider Threats and Fraud Detection
20 likes6,235 views
Splunk can be used to detect insider threats and fraud through monitoring and correlating machine data from various sources. It summarizes use cases where Splunk helped detect disgruntled employees stealing intellectual property, data leakage, and classroom fraud at an education company. It also discusses how Splunk detected millions of dollars in payment fraud at a cash wire transfer company by identifying emerging patterns. Finally, it provides examples of fraud patterns that could be detected at Etsy such as traffic from cloud services or brute force password attempts.
SplunkLive! Splunk for Insider Threats and Fraud Detection
- 1. Copyright © 2013 Splunk Inc. Splunk for Insider Threats and Fraud Detection
- 2. Company Company (NASDAQ: SPLK) Founded 2004, first software release in 2006 HQ: San Francisco / Regional HQ: London, Hong Kong Over 850 employees, based in 12 countries Annual Revenue: $198M (YoY +60%) $5+ billion market valuation Business Model / Products Free download to massive scale On-premise, in the cloud and SaaS 6,000+ Customers; 2500 w/Security Use Cases Customers in over 90 countries 60 of the Fortune 100 Fast Company 2013: Named Splunk #4 Most Innovative Company in the World and #1 Big Data Innovator Largest license: 100 Terabytes per day Leader: Gartner SIEM Magic Quadrant, 2013 2
- 3. Make machine data accessible, usable and valuable to everyone. 3
- 4. The Accelerating Pace of Data Volume | Velocity | Variety | Variability GPS, RFID, Hypervisor, data Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops Machine data is fastest growing, most complex, most valuable area of big 4
- 5. Machine Generated Data is a Definitive Record of Human-to-Machine and Machineto-Machine Interaction 5
- 6. Insider Threats – Employee Attitudes 52 • Percent of employees don’t believe it’s a crime to use competitor’s confidential information 44 • Percent believe a software developer who develops source code for a company has some ownership of work and inventions beyond their current employer 42 • Percent don’t think it is a crime to reuse source code with out permission from a former employer, in projects for other companies 60 • Percent say a co-worker hired from a competing company has offered documents from that company for their use Ponemon Institute Survey 2012 6
- 7. Employee Insider threats Are Authorized users Doing authorized things Have malicious intent A ‘people centric’ behavioral problem Are not Hackers using specialized tools A technical or "cybersecurity" issue alone Escalating their privileges for purposes of espionage
- 8. Context for Insider Threats • Who are your privileged internal people? • Who might be a likely enemy? • What data that would be at risk? Contextual Cyber Psychological Insider Threat Risk 8
- 9. Two Strategies for Combating Secondary Detection Primary Prevention/Deterrence • Pattern based • Specific indicators or alerts • Multiple factors • Definitive evidence • Uses heuristics and statistical models • Physical detection (stolen documents) • Requires base lining / watching for outlier behaviors “Rather than getting wrapped up in prediction or detection organizations should start first with deterrence.” Patrick Reidy CISO FBI 9
- 10. Splunk and the broken window theory Some employees test the limits of their access Employee feedback required for all unauthorized attempts (accidental or not). Splunk monitors access in realtime Splunk sends email (via script) to employee indicating awareness of attempt 10
- 11. Examples: Correlations / Detections / Context Detection Indicator Analysis Printer usage Number of print jobs over a given period of time Outlier Increase in size of print jobs Outlier Unusual times of day Outlier Rare network printer use (the one not closest employee Outlier Local vs. remote Outlier Time of day Outlier During vacation times Outlier Monitor’s employee behavior and attitude changes (proxy data) Outlier/Context Logins to AD or use of SSO Abrupt change in the ratio of website categories visited 11
- 12. Examples: Correlations / Detections / Context Detection Indicator Unused Vacation - 18 months or longer Employee remains in control -- work not turned over to others for review Context / Lookup Always first in / first out of the office Badge data and/or AD. Desire to control situation Context / Lookup Personal life change – marital status change stress trigger Can jeopardize emotional stability – HR system data Context / Lookup Lay-off notification Monitor for file transfers by individuals that occur immediately after lay-offs are announced Context / Lookup Attempted changes to document classifications Document metadata Direct indicator Attempts to use USB or CD Rom Log data events Direct indicator 12
- 13. Insider Threat Use Case: Disgruntled Employee Splunk at a Large Aerospace and Defense Contractor Goal: Protect intellectual property at the hands of disgruntled employee Use Case Scenario: In an environment where employees are sometimes mis-treated, fired, reprimanded you never know when an employee has become disgruntle. Think of an employee receiving a "pink slip" and decides before his last day he wants to take company proprietary data…from SharePoint servers…Below explains how Splunk could be use to detect/mitigate that type of behavior: Data Sources: Host based FW logs, Single Sign-on(SSO) logs, SharePoint connection logs, Content Logic Steps: 1. Upload all employees who received pink slips "login id's" to Splunk' s look-up table 2. Run trending reports on "id's" for the past 6 months 3. Correlate data sources with trend reports 4. Report on suspicious user id's who has increase downloads from SharePoint servers Splunk Capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules 13
- 14. Insider Threat Use Case: Data Leakage/Spill Splunk at a Large Aerospace and Defense Contractor Goal: To detect/monitor potential data leakage/spill of very sensitive intellectual property Use Case Scenario: In an environment where employees are Govt contractors who has access to sensitive R&D projects and/or supporting Govt programs, data leakage is highly likable. An employee can intentional/unintentional download any text docs associated to that program/project to personal laptop, personal email, etc. Below explains Data Sources: Data Loss prevention (DLP) logs, key words, email logs, Anti-virus logs(USB) Content Logic Steps: 1.Upload "program keywords" and "user ids" in Splunk's lookup table 2. correlate data sources/lookup table 3. Develop/Report on alerts (rule hits) 4. Developed alert visualization & monitor Data Sources: Data Loss prevention (DLP) logs, key words, email logs, AV, Splunk Capabilities: lookup, search processing language, real-time alerts, reports, visualization, advance correlation, real-time rules 14
- 15. “Fraud is the daughter of greed.” ― Jonathan Gash, The Great California Game 15
- 16. Splunk for Fraud Detection Across Verticals Financial Services eCommerce Mobile / Wireless Fraud Detections 16 Online Education “Fraud is the daughter of greed.” ― Jonathan Gash, The Great California Game
- 17. Online Education Company – Fraud Background Use Case Before Splunk After Splunk Classroom activity / fraud Affects accreditation Difficult to identify fraudulent student loan and attendance activity accurately Complete visibility to classroom activity and increased confidence that financial aid fraud is being detected thoroughly Seats not taken from legit students Internet browsing history Bluecoat Reporter had so Faster and lower cost response to much data it stopped internal production requests and working making them unable data costs to report on this for HR 17
- 18. Online Education Company– Detections Benefits Use Case After Splunk Classroom activity / fraud Affects accreditation $10s of Millions of fraudulent funds have been stopped from being distributed Internet browsing history Saves 75-90% of the Corporate Forensics team’s efforts (can offer more services) Reputation and Dept. of Education accreditation maintained seamlessly Saves $45,000/year in external production services (external Legal) Saves $1.5M/year in data processing costs (process, collect, cull, review, etc.) 18
- 19. Cash Wire Transfer Company Subsidiary of Major Financial Institution With targeted and ever evolving fraud techniques, number of fraud attempts and amounts rise rapidly, Splunk was introduced to fill a detection gap in June 2012 • Splunk agility to react to emerging fraud patterns saved millions for the bank • Broader view Splunk introduced is able us to quickly identify fraud techniques, discover and fix design flaws in applications • – 11 detection rules deployed – 2 application flaws were discovered and fixed
- 20. Cash Wire Transfer Company - Fraud Detection 12/2012 – 4/15/2013 Payment Amount Total Splunk Detected Attempted Stopped Splunk & Other methods Splunk Alone Total Recovered Net Loss $33.5 MM $27.5 MM $ 6 MM $5 MM $ 15 MM $13 MM $ 2 MM $ 1.7 MM Recovered 14.41% Loss 3.62% $1 MM $ 0.2 MM Actual Loss Attempted Other Detection methods Released Net Loss $18,5 MM $ 1 MM Stopped $14 MM 52% Stopped Recovered Recovered $ 3 MM $5 MM $0.2 MM $ 3.4 MM 12% $10 MM $0.00 $ 9.8 MM 36% $ 0.2 MM $33.5 MM $1 MM $27.5 MM $ 5 MM Stopped 81.97% $ 1.3 MM • Attempted: payments created or released Stopped: payments didn’t leave the bank • Released: payments were out of the bank • Recovered: payments were recalled back • Net loss: payments were cashed out $35,000,000.00 $30,000,000.00 $25,000,000.00 $20,000,000.00 $15,000,000.00 $10,000,000.00 $5,000,000.00 $0.00 Splunk Alone Splunk & Other methods Other Detection methods
- 21. Intuit Financial Services - Fraud Background • We noticed a similar fraud pattern across 15 banks • Then we mapped them to see they were within 15 miles of one another • Fraud was coming from one data processing vendor who they all shared 21
- 22. Intuit Financial Services Organization -- Wire Transfers Watching fraudster in real-time—seeing $5M, $7M, $8M wire attempts • Splunk exposed every element of our infrastructure that he touched • Next we could correlate activities based on time to understand his pattern of activity • 22
- 23. Detecting Fraud at Etsy – Sample patterns of possible fraud: User traffic coming from “rent a VM”, cloud-based services Brute force password guessing Single IP excessively selecting the “I forgot my password” option for several accounts Abnormally large payments, or very high velocity of payments, from a single account Customer info that should be stable changing often: email/physical address, payment card, etc – Automatically lock accounts that appear to be compromised – Weave Splunk data into customer service tools so CSRs also see fraud indicators – Use Splunk for fraud, security, compliance, IT Ops, and app mgmt 2 3
- 24. East Coast Financial Services: Use of Splunk for Fraud Investigations Phish detection – 500+ customers protected and ~$5M saved – – Used to be done 100% by customers; log files weren’t available for searching for 1 day Use Splunk to detect the patterns with referrers who are testing their phish to see if it works Malware detection – 14 detections stopped $140K – – This use case used data already indexed in Splunk…no incremental cost Using Splunk to research and detect anomalies within logs specific to malware/web injects Alert and block the PIN within 10 minutes of identification and before account access Trading on uncollected funds - ~500 customers protected, stopping over $4.5M – – – This takes place when a customer places a trade before money transfers in clear Without Splunk they had to wait a day to get access to this data for analysis Fastest detection and PIN block was 37 seconds Online Bank Wire fraud – blocked 60+ incidents saving over $240k – – Transaction completion involves a code sent to a mobile phone, detecting now every 5 minutes Actually detected an occurrence of this before the capability went live with customers 24
- 25. Other Companies • Using Splunk to track unauthorized cell phone activations at franchiser locations Online Ticket Reseller • Using web log patterns to determine fraudulent buyer and sellers On-Line 25
- 26. Other Companies • Monitoring for anomalous usage patterns based on plans. An open international call connection for multiple hours, discovered a fraud ring selling intl. calling. On-line Educational Institution • Using Splunk to track academic and financial aid fraud use weblogs and session IDs. Students that are flagged come up on a list for investigation 26
- 27. Thank You
Editor's Notes
- #3: Splunk now has more than 850 employees worldwide, with headquarters in San Francisco and 14 offices around the world.Since first shipping its software in 2006, Splunk now has over 6,000 customers in 90+ countries. These organizations are using Splunk software to improve service levels, reduce operations costs, mitigate security risks, enable compliance, enhance DevOps collaboration and create new product and service offerings. Please always refer to latest company data found here: http://www.splunk.com/company.
- #4: At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. Andthis overarching mission is what drives our company and product priorities.
- #5: Data is growing and embodies new characteristics not found in traditional structured data:Volume, Velocity, Variety, Variability/Veracity.Machine data is one of the fastest, growing, most complex and most valuable segments of big data.All the webservers, applications, network devices – all of the technology infrastructure running an enterprise or organization – generates massive streams of data, in an array of unpredictable formats that are difficult to process and analyze by traditional methods or in a timely manner. Why is this “machine data” valuable? Because it contains a trace - a categorical record - of user behavior, cyber-security risks, application behavior, service levels, fraudulent activity and customer experience.
- #7: Ponemon Institute 2012.
- #8: Patrick Reidy CISO FBI
- #11: The broken window theory says that if someone breaks a window and they don’t see an indication of notice or any repercussion they determine that no one cares and they’ll likely do it again. It’s the same with access to systems or documents.
- #20: Bank of America
- #21: Bank of America
- #22: Intuit
- #23: Intuit
- #24: Etsy, the online marketplace, has spoken at numerous Splunk events around how they use Splunk for fraud detection, security, compliance, and IT operations. Public info is at:http://www.splunk.com/view/SP-CAAAGH3http://codeascraft.com/2013/06/04/leveraging-big-data-to-create-more-secure-web-applications/
- #25: Fidelity Investments
- #26: CricketStubhub
- #27: MetroPCS