Copyright © 2014 Splunk Inc.
Joe Goldberg, Product Marketing, Splunk
Splunk for Anti-Fraud, Theft, Abuse
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Fraud is Pervasive and Costly
• High annual costs: Merchants $200-250 billion; banks and financial institutions $12-15 billion [1]
• Growing: Online fraud revenue loss grew 85% from 2003-12 [2]
• Reputation/brand damage
• External & internal
• Types: Account takeover, credit card, wire transfer, anti-money laundering, education loans, insurance, healthcare, and more
• No industry or region is immune
• Business moving online has made it worse
1. Forrester, Feb 2013
2. CyberSource/Visa, 2013
Existing Fraud Tools Are Limiting
NARROW VIEW OF FRAUD
SCALE AND SPEED ISSUES
DIFFICULT TO DEPLOY; LIMITED ROI
RIGID AND INFLEXIBLE
Machine Generated Data is a Definitive Record of Human-to-Machine and Machine-to-Machine Interaction
Example events shown on the slide (a web proxy log line, then a card payment system log line):
2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; www.neverbeenseenbefore.com InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"
[2013-09-04-14.45.54.608000] proc_source="B24A", tmst_target="2013-09-04-14.45.54.724000", serv_id="ISS", proc_input="MAST", proc_target="B24H", interface_acq="BNET_1", interface_iss="02008", cod_msg="1110", oper_rrn="090448764439", card_id="526430VS350Y2992", oper_amount="000000008000", oper_currency="978", oper_country="380", term_id="00599307", circuito="", ser_merc="4722", bin_acq="002111", id_merc="329017246168", prcode="003000", action_code="000", approval_code="H8H766", oper_mod_input="1", channel="O", flag_dupl="Y", flag_onus="N", auth_rout_dst="INTFHI93", auth_rout_id="HISO_AUTH", msg_subst="", ndg="0000000078507391", station_acq="STA-BNET-MI1", acceptor="TRAWEL SPA\\MILANO\ 380", tmst_ins="2013-09-04-14.48.56.277466", lpar="B"
Machine Data Contains Critical Fraud Insights
Sources shown: Authentication, Web Proxy, Card Payment System, Referring URL
Sample authentication (Windows WMI user account) event, shown with an IP callout of 10.11.36.20:
20130806041221.000000 Caption=ACME-2975EB\JohnDoe Description=User account Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts
Fields called out on the slide: Source IP, User Name, Card ID, Amount, Client ID, Merchant ID
Example Patterns of Fraud in Machine Data
Type of Fraud | Pattern of Fraud | Industry
Account takeover | Many transactions between $9-10k | Financial Services
Account takeover | Many accounts accessed from one IP | E-tailing
Physician billing | Physician billing for drugs outside their expertise area | Healthcare
Roaming abuse | Excessive roaming on partner network by unlimited-use customers | Telecoms
Student loan fraud | Student IP in "high-risk" country and student absent from classes & assignments | Online education
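As an added example (not code from the deck), detection logic for the two account-takeover patterns in the table, run over constructed sample events; the field names src_ip, user and amount and the thresholds are assumptions:

```python
"""Added example, not from the Splunk deck: detection logic for two patterns in
the table above, run over constructed sample events. Field names are assumed."""
from collections import defaultdict

# Constructed sample events (one dict per log line). "203.0.113.5" touches
# four different accounts; "alice" makes three transactions in the $9-10k band.
AUTH_EVENTS = [
    {"src_ip": "203.0.113.5", "user": "alice"},
    {"src_ip": "203.0.113.5", "user": "bob"},
    {"src_ip": "203.0.113.5", "user": "carol"},
    {"src_ip": "203.0.113.5", "user": "dave"},
    {"src_ip": "198.51.100.9", "user": "alice"},
    {"src_ip": "198.51.100.9", "user": "erin"},
]
TXN_EVENTS = [
    {"user": "alice", "amount": 9500.00},
    {"user": "alice", "amount": 9900.00},
    {"user": "alice", "amount": 9750.00},
    {"user": "bob", "amount": 120.00},
    {"user": "bob", "amount": 9800.00},
]


def ips_with_many_accounts(events, min_accounts=3):
    """Pattern 'many accounts accessed from one IP': count distinct users per
    source IP and keep IPs at or above the threshold -> {ip: [users]}."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


def users_with_banded_transactions(events, low=9000.0, high=10000.0, min_count=3):
    """Pattern 'many transactions between $9-10k': count each user's transactions
    inside [low, high) and keep users at or above the threshold -> {user: n}."""
    counts = defaultdict(int)
    for e in events:
        if low <= e["amount"] < high:
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    print("suspicious IPs:", ips_with_many_accounts(AUTH_EVENTS))
    print("suspicious users:", users_with_banded_transactions(TXN_EVENTS))
```

Both functions return only the entities that crossed the threshold, so their output can feed the alerting or account-lock step described later in the deck.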
Splunk: Machine Data Platform For Fraud Use Cases
Machine Data: Any Location, Type, Volume
• Data sources shown: Online Services, Web server, Servers, Malware, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Badge records, Online Shopping Cart, Fraud tools, Databases/transactions, Call Detail Records, Smartphones and Devices, Authentications
• Deployment locations: On-Premises, Private Cloud, Public Cloud, Mobile
Answer Any Question
• Report and analyze
• Custom dashboards
• Monitor and alert
• Ad hoc search
• Developer Platform
External Lookups: Threat feeds, Asset Info, Employee Info, Data stores, Payment Systems
Platform properties:
• Any amount, any location, any source
• Schema-on-the-fly
• Universal indexing
• No back-end RDBMS
• No need to filter data
Why Splunk for Fraud Detection?
FLEXIBLE
SCALE & SPEED
BROAD VIEW
FAST VALUE; COMPELLING ROI
Supports Needs of Anti-fraud Teams
Fraud Investigations
Fraud Analytics and Reporting
Enhance Existing Fraud Tools
Fraud Monitoring and Detection
Fraud Monitoring and Detection
• Advanced correlations to spot patterns of fraud
• Baseline and then detect anomalies that might be fraud
• Real-time searches & alerts
• Initiate automated remediation
Chart captions: "Referrer strings can indicate phishing victims"; "Spot outliers"
Fraud Investigations
• Quickly pivot through current or historical data
– Who, what, where, when, why
– Need all the original data in one place
• If fraud found:
– See if pattern exists elsewhere in the data
– Turn pattern into a real-time search/alert
• May be a "cold case" investigation going back months
Timeline diagram (January to April) linking Suspect A, Suspect B, Suspect C, Accomplice A and Accomplice B through events such as:
SrcIP=41.67.128.1, user john doe, atm withdrawal, $4,500
SrcIP=41.77.333.1, user john doe, $20k loan application
ClientIP=41.65.222.1, user john doe, wire transfer, $9,999
Fraud Analytics and Reporting
• Many types of visualizations to measure and manage fraud risk
• Easy to create in Splunk
– List of new possible fraud events
– Information for order reviewer
– Historical reports
– Fraud trends
– Executive/auditor dashboards
– GeoIP maps
– Splunk is architected for ad hoc analytics
Chart captions: "Fraud Events by Time and Domain"; "Suspicious physician transactions"
Enhance Existing Fraud Tools: A single pane of glass for fraud
Chart "Events by Fraud Tool", with categories: Web fraud, Credit card fraud, Visits to fraud IPs, Internal teller fraud, POS fraud, Trading fraud
• Collect data from existing point fraud tools:
– Provide a single transaction/event with an aggregate risk score
– Enable consolidated risk reporting to see overall risk posture and trends
Sample Splunk Summary Index:
Session ID | Web fraud risk score | Credit card risk score | Threat Intel risk score | Splunk Total
1234567 | 0 | 2 | 0 | 2
7654321 | 6 | 9 | 15 | 30
1231789 | 1 | 2 | 0 | 3
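As an added example (not code from the deck), the consolidation step behind the summary index above: per-tool scores for one session are merged into one row and a total, with a session that only one tool ever scored still kept in the output. The tool names, field layout and review threshold are assumptions:

```python
"""Added example, not from the Splunk deck: consolidate per-tool risk scores into
the per-session summary shown above. Tool and field names are assumptions."""

TOOLS = ("web_fraud", "credit_card", "threat_intel")

# Constructed events as (tool, session_id, risk_score). The first nine reproduce
# the slide's table; session "9999999" was scored by only one tool.
TOOL_EVENTS = [
    ("web_fraud", "1234567", 0), ("credit_card", "1234567", 2), ("threat_intel", "1234567", 0),
    ("web_fraud", "7654321", 6), ("credit_card", "7654321", 9), ("threat_intel", "7654321", 15),
    ("web_fraud", "1231789", 1), ("credit_card", "1231789", 2), ("threat_intel", "1231789", 0),
    ("threat_intel", "9999999", 12),
]


def aggregate_risk(events, tools=TOOLS):
    """Return {session_id: {tool: score, ..., "total": sum of tool scores}}.
    Every session gets a slot for every tool, defaulting to 0, so a session
    seen by only one tool is still reported rather than silently dropped.
    If a tool reports the same session twice, its highest score is kept."""
    table = {}
    for tool, sid, score in events:
        if tool not in tools:
            raise ValueError(f"unknown fraud tool: {tool!r}")
        row = table.setdefault(sid, {t: 0 for t in tools})
        row[tool] = max(row[tool], score)
    for row in table.values():
        row["total"] = sum(row[t] for t in tools)
    return table


def sessions_over(table, threshold):
    """Session IDs whose consolidated total meets the review threshold,
    highest total first (ties broken by session ID for stable output)."""
    hits = [sid for sid, row in table.items() if row["total"] >= threshold]
    return sorted(hits, key=lambda sid: (-table[sid]["total"], sid))


if __name__ == "__main__":
    summary = aggregate_risk(TOOL_EVENTS)
    for sid, row in summary.items():
        print(sid, row)
    print("for review:", sessions_over(summary, 10))
```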
Splunk for Fraud Detection Across Verticals
Financial Services, Mobile / Wireless, eCommerce, Online Education
"Fraud is the daughter of greed." ― Jonathan Gash, The Great California Game
Customer Examples
Cash Wire Transfer Company
Pie chart of attempted payment amount: Stopped 81.97%, Recovered 14.41%, Loss 3.62%
Bar chart (axis $0 to $35,000,000) of Actual Loss, Stopped and Recovered amounts by detection source: Splunk Alone, Splunk & Other methods, Other Detection methods
| Payment Amount Attempted | Stopped | Released | Recovered | Net Loss
Total | $33.5 MM | $27.5 MM | $6 MM | $5 MM | $1 MM
Splunk Detected | $15 MM | $13 MM | $2 MM | $1.7 MM | $0.2 MM
• Attempted: payments created or released
• Stopped: payments didn't leave the bank
• Released: payments were out of the bank
• Recovered: payments were recalled back
• Net loss: payments were cashed out
Online Marketplace
• Etsy needed a faster way to identify fraud and account takeovers
• With Splunk, fast, automated fraud detection and prevention
– Use Splunk to identify indicators of account takeovers in real-time
– Automatically lock accounts that appear to be compromised
– Weave Splunk data into customer service tools so CSRs can also see indicators of fraud
– Use Splunk for fraud, security, compliance, IT Ops, and app mgmt.
"We use data and Splunk to help make Etsy a safer place to conduct business. And we are barely scratching the surface of Splunk!"
Nick Galbreath, Director of Engineering
Top 5 Online University
• Challenge: Needed solution to detect fraudulent student loans
– Difficult to identify fraudulent loans and attendance activity
• Enter Splunk: Significant cost savings in reduced loan fraud
– Cross-check students with loans against classroom activity to identify fraudsters
– Stopped $10s of millions of fraudulent funds from distribution
– Reputation and Dept of Education accreditation maintained
– Single tool for fraud, compliance, cybersecurity, IT Operations, and Classroom Ops
Loss Prevention at Retail Chain
Q&A
THANK YOU