Copyright © 2013 Splunk Inc.

Splunk for Insider Threats and Fraud Detection
Company

• Company (NASDAQ: SPLK)
• Founded 2004, first software release in 2006
• HQ: San Francisco / Regional HQ: London, Hong Kong
• Over 850 employees, based in 12 countries
• Annual Revenue: $198M (YoY +60%)
• $5+ billion market valuation

Business Model / Products

• Free download to massive scale
• On-premise, in the cloud and SaaS
• 6,000+ customers; 2,500 with security use cases
• Customers in over 90 countries
• 60 of the Fortune 100
• Fast Company 2013: Named Splunk #4 Most Innovative Company in the World and #1 Big Data Innovator
• Largest license: 100 Terabytes per day
• Leader: Gartner SIEM Magic Quadrant, 2013
Make machine data accessible, usable and valuable to everyone.
The Accelerating Pace of Data
Volume | Velocity | Variety | Variability

GPS, RFID, Hypervisor, Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops

Machine data is the fastest growing, most complex, most valuable area of big data.
Machine Generated Data is a Definitive Record of Human-to-Machine and Machine-to-Machine Interaction
Insider Threats – Employee Attitudes

• 52 percent of employees don’t believe it’s a crime to use a competitor’s confidential information
• 44 percent believe a software developer who develops source code for a company has some ownership of work and inventions beyond their current employer
• 42 percent don’t think it is a crime to reuse source code, without permission from a former employer, in projects for other companies
• 60 percent say a co-worker hired from a competing company has offered documents from that company for their use

Ponemon Institute Survey 2012
Employee Insider Threats

Are:
• Authorized users
• Doing authorized things
• Have malicious intent
• A ‘people centric’ behavioral problem

Are not:
• Hackers using specialized tools
• A technical or "cybersecurity" issue alone
• Escalating their privileges for purposes of espionage
Context for Insider Threats

• Who are your privileged internal people?
• Who might be a likely enemy?
• What data would be at risk?

Diagram: Insider Threat Risk at the overlap of three factors: Contextual, Cyber, Psychological
Two Strategies for Combating

Primary: Prevention/Deterrence
Secondary: Detection

• Pattern based
• Specific indicators or alerts
• Multiple factors
• Definitive evidence
• Uses heuristics and statistical models
• Physical detection (stolen documents)
• Requires baselining / watching for outlier behaviors

“Rather than getting wrapped up in prediction or detection, organizations should start first with deterrence.” Patrick Reidy, CISO, FBI
Splunk and the broken window theory

• Some employees test the limits of their access
• Employee feedback is required for all unauthorized attempts (accidental or not)
• Splunk monitors access in real time
• Splunk sends an email (via script) to the employee indicating awareness of the attempt
Examples: Correlations / Detections / Context

Detection | Indicator | Analysis
Printer usage | Number of print jobs over a given period of time | Outlier
Printer usage | Increase in size of print jobs | Outlier
Printer usage | Unusual times of day | Outlier
Printer usage | Rare network printer use (the one not closest to the employee) | Outlier
Logins to AD or use of SSO | Local vs. remote | Outlier
Logins to AD or use of SSO | Time of day | Outlier
Logins to AD or use of SSO | During vacation times | Outlier
Employee behavior and attitude changes (proxy data) | Abrupt change in the ratio of website categories visited | Outlier/Context
Examples: Correlations / Detections / Context

Detection | Indicator | Analysis
Unused vacation – 18 months or longer | Employee remains in control; work not turned over to others for review | Context / Lookup
Always first in / first out of the office | Badge data and/or AD; desire to control the situation | Context / Lookup
Personal life change – marital status change as a stress trigger | Can jeopardize emotional stability; HR system data | Context / Lookup
Lay-off notification | Monitor for file transfers by individuals that occur immediately after lay-offs are announced | Context / Lookup
Attempted changes to document classifications | Document metadata | Direct indicator
Attempts to use USB or CD-ROM | Log data events | Direct indicator
Insider Threat Use Case: Disgruntled Employee
Splunk at a Large Aerospace and Defense Contractor

Goal: Protect intellectual property from a disgruntled employee.

Use Case Scenario: In an environment where employees are sometimes mistreated, fired or reprimanded, you never know when an employee has become disgruntled. Think of an employee who receives a "pink slip" and decides, before his last day, to take company proprietary data…from SharePoint servers…Below explains how Splunk could be used to detect and mitigate that type of behavior:

Data Sources: Host-based firewall logs, Single Sign-On (SSO) logs, SharePoint connection logs

Content Logic Steps:
1. Upload the login IDs of all employees who received pink slips to a Splunk lookup table
2. Run trending reports on those IDs for the past 6 months
3. Correlate the data sources with the trend reports
4. Report on suspicious user IDs that have increased downloads from SharePoint servers

Splunk Capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules
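The four content logic steps above, and the baseline/outlier analysis the earlier "Examples" table calls for, as an added example that is not part of the deck: it keeps a lookup of notified login IDs, builds each user's own 6-month daily-download baseline, and reports the IDs whose recent rate is an outlier. The log line format, user IDs and counts are constructed assumptions, not Splunk's or the contractor's.

```python
"""Added example (not from the Splunk deck): slide-13 content logic steps 1-4
run over constructed SharePoint connection logs. The log format, user IDs and
download volumes below are assumptions made for this example."""
import random
import re
import statistics
from collections import defaultdict
from datetime import date, timedelta

# Step 1: lookup table of login IDs that received a pink slip (constructed values).
NOTIFIED_USERS = {"jdoe", "asmith"}
AS_OF = date(2013, 4, 15)  # report date; baseline runs back 180 days from here

# Assumed log format: "YYYY-MM-DD user=<id> action=<verb> file=<name>"
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) user=(?P<user>\S+) action=(?P<action>\S+)")


def build_sample_logs(as_of, days=180):
    """Construct `days` days of log lines ending on `as_of` (fixed seed, reproducible).
    jdoe (on the lookup) and bkim (not on it) both spike in the last 3 days."""
    rng = random.Random(7)
    lines = []
    for offset in range(days - 1, -1, -1):
        day = as_of - timedelta(days=offset)
        per_user = {"jdoe": rng.randint(1, 4), "asmith": rng.randint(2, 5), "bkim": rng.randint(1, 3)}
        if offset < 3:  # constructed spike: bulk download right before departure
            per_user["jdoe"] += 60
            per_user["bkim"] += 60
        for user, n in per_user.items():
            lines.append(f"{day.isoformat()} user={user} action=view file=index.aspx")
            for k in range(n):
                lines.append(f"{day.isoformat()} user={user} action=download file=doc{k}.docx")
    return lines


def daily_downloads(lines):
    """Input to step 2: per-user, per-day download counts (views are ignored)."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["action"] == "download":
            counts[m["user"]][date.fromisoformat(m["day"])] += 1
    return counts


def flag_notified_outliers(lines, lookup, as_of, baseline_days=180, recent_days=3, z_threshold=3.0):
    """Steps 2-4: for each ID on the lookup, compare the recent daily download rate
    with that user's own baseline (days with no downloads count as 0) and return
    the outliers with the figures behind the decision."""
    counts = daily_downloads(lines)
    base_start = as_of - timedelta(days=baseline_days - 1)
    recent_start = as_of - timedelta(days=recent_days - 1)
    flagged = {}
    for user in sorted(lookup):
        per_day = counts.get(user, {})
        base = [per_day.get(base_start + timedelta(days=i), 0)
                for i in range((recent_start - base_start).days)]
        recent = [per_day.get(recent_start + timedelta(days=i), 0) for i in range(recent_days)]
        if len(base) < 2:
            continue  # not enough history to baseline this user
        mean, sd = statistics.mean(base), statistics.pstdev(base)
        recent_mean = statistics.mean(recent)
        if sd == 0:  # flat history: any increase at all is an outlier
            z = float("inf") if recent_mean > mean else 0.0
        else:
            z = (recent_mean - mean) / sd
        if z >= z_threshold:
            flagged[user] = {"baseline_mean": round(mean, 2),
                             "recent_mean": round(recent_mean, 2), "z": round(z, 1)}
    return flagged


SAMPLE_LOGS = build_sample_logs(AS_OF)

if __name__ == "__main__":
    for user, info in flag_notified_outliers(SAMPLE_LOGS, NOTIFIED_USERS, AS_OF).items():
        print(user, info)
```

Because step 1 scopes the report to the lookup, bkim's identical spike is not reported; running the same function with bkim added to the lookup flags him too.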
Insider Threat Use Case: Data Leakage/Spill
Splunk at a Large Aerospace and Defense Contractor

Goal: Detect and monitor potential leakage/spill of very sensitive intellectual property.

Use Case Scenario: In an environment where employees are government contractors with access to sensitive R&D projects and/or supporting government programs, data leakage is highly likely. An employee can intentionally or unintentionally download any text documents associated with that program/project to a personal laptop, personal email, etc. Below explains

Data Sources: Data Loss Prevention (DLP) logs, keywords, email logs, anti-virus logs (USB)

Content Logic Steps:
1. Upload "program keywords" and "user IDs" to a Splunk lookup table
2. Correlate the data sources with the lookup table
3. Develop and report on alerts (rule hits)
4. Develop alert visualizations and monitor

Splunk Capabilities: lookup, search processing language, real-time alerts, reports, visualization, advanced correlation, real-time rules
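Steps 1 to 3 of this use case as rule logic, added here as an example and not code from the deck or the contractor: two lookups (program users, program keywords) are correlated against a mixed stream of email, DLP and anti-virus (USB) events, and each rule hit records which lookup entries matched. The log format, program names, keywords, domains and user IDs are constructed assumptions.

```python
"""Added example (not from the Splunk deck): slide-14 content logic steps 1-3
over constructed DLP, email and anti-virus (USB) log lines. The log format,
program names, keywords, domains and user IDs are assumptions made here."""
import re

# Step 1: the two lookups (constructed values).
PROGRAM_USERS = {"jdoe": "PROGRAM-X", "asmith": "PROGRAM-X", "rlee": "PROGRAM-Y"}
PROGRAM_KEYWORDS = {
    "PROGRAM-X": {"program-x", "vane actuator", "px-7"},
    "PROGRAM-Y": {"program-y", "thermal shroud"},
}
INTERNAL_DOMAINS = {"contractor.example"}  # mail staying here is not a leak

# Assumed log format: '<timestamp> source=<email|dlp|av> key=value ...';
# values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample stream, as the three sources would sit side by side in one index.
SAMPLE_LOG = [
    '2013-04-10T09:12:03 source=email from=jdoe@contractor.example to=jdoe.home@mail.example '
    'subject="PX-7 vane actuator notes" attachment=px7_notes.pdf',
    '2013-04-10T09:20:41 source=email from=jdoe@contractor.example to=vendor@supplier.example '
    'subject="lunch on thursday" attachment=none',
    '2013-04-10T10:02:17 source=email from=asmith@contractor.example to=rlee@contractor.example '
    'subject="program-x status" attachment=status.xlsx',
    '2013-04-10T11:45:09 source=dlp user=asmith policy=Program-Docs action=blocked file=px7_drawing.dwg',
    '2013-04-10T13:30:55 source=av user=bkim event=usb_mount device=removable-disk',
    '2013-04-10T14:05:12 source=email from=bkim@contractor.example to=friend@mail.example '
    'subject="program-x rumours" attachment=none',
]


def parse_kv(line):
    """Turn 'k=v k2="v with spaces"' into a dict; the leading timestamp has no '=' and is skipped."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def user_of(address):
    return address.split("@", 1)[0]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def keyword_hits(program, *texts):
    """Case-insensitive substring match of the program's keywords against subject/attachment."""
    blob = " ".join(texts).lower()
    return sorted(k for k in PROGRAM_KEYWORDS[program] if k in blob)


def rule_hits(lines):
    """Steps 2-3: correlate each event with the lookups and emit rule hits.
    Email rule: program user -> external domain with a program keyword.
    DLP/AV rule: any DLP or USB event for a program user is a direct indicator."""
    hits = []
    for line in lines:
        f = parse_kv(line)
        src = f.get("source")
        if src == "email":
            user = user_of(f["from"])
            program = PROGRAM_USERS.get(user)
            if not program or domain_of(f["to"]) in INTERNAL_DOMAINS:
                continue  # sender not on the user lookup, or mail stayed internal
            kws = keyword_hits(program, f.get("subject", ""), f.get("attachment", ""))
            if kws:
                hits.append({"user": user, "program": program,
                             "rule": "program_keyword_to_external", "detail": ",".join(kws)})
        elif src in ("dlp", "av"):
            user = f.get("user")
            program = PROGRAM_USERS.get(user)
            if program:
                hits.append({"user": user, "program": program,
                             "rule": f"{src}_event_program_user",
                             "detail": f.get("policy") or f.get("event")})
    return hits


if __name__ == "__main__":
    for hit in rule_hits(SAMPLE_LOG):
        print(hit)
```

Note that bkim's external mail about "program-x" is not reported because bkim is not on the user lookup; widening step 1 to all staff is the way to catch that case, at the cost of more rule hits to review.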
“Fraud is the daughter of greed.”
― Jonathan Gash, The Great California Game
Splunk for Fraud Detection Across Verticals

Financial Services | eCommerce | Mobile / Wireless | Online Education
Online Education Company – Fraud Background

Use Case: Classroom activity / fraud (affects accreditation)
  Before Splunk: Difficult to identify fraudulent student loan and attendance activity accurately
  After Splunk: Complete visibility to classroom activity and increased confidence that financial aid fraud is being detected thoroughly; seats not taken from legitimate students

Use Case: Internet browsing history
  Before Splunk: Bluecoat Reporter had so much data it stopped working, making them unable to report on this for HR
  After Splunk: Faster and lower cost response to internal production requests and data costs
Online Education Company – Detection Benefits

Use Case: Classroom activity / fraud (affects accreditation)
  After Splunk: $10s of millions of fraudulent funds have been stopped from being distributed; reputation and Dept. of Education accreditation maintained seamlessly

Use Case: Internet browsing history
  After Splunk: Saves 75-90% of the Corporate Forensics team’s efforts (can offer more services); saves $45,000/year in external production services (external Legal); saves $1.5M/year in data processing costs (process, collect, cull, review, etc.)
Cash Wire Transfer Company
Subsidiary of Major Financial Institution

With targeted and ever-evolving fraud techniques, the number of fraud attempts and the amounts involved rose rapidly; Splunk was introduced to fill a detection gap in June 2012.
• Splunk's agility in reacting to emerging fraud patterns saved millions for the bank
• The broader view Splunk introduced enabled us to quickly identify fraud techniques and to discover and fix design flaws in applications
  – 11 detection rules deployed
  – 2 application flaws were discovered and fixed
Cash Wire Transfer Company - Fraud Detection
12/2012 – 4/15/2013

Payment Amount | Attempted | Stopped | Released | Recovered | Net Loss
Total | $33.5 MM | $27.5 MM (81.97%) | $6 MM | $5 MM (14.41%) | $1 MM (3.62%)
Splunk Detected | $15 MM | $13 MM | $2 MM | $1.7 MM | $0.2 MM

Attempted and stopped by detection method (share of the total stopped):
• Splunk alone: $18.5 MM attempted, $14 MM stopped (52%)
• Splunk & other methods: $5 MM attempted, $3.4 MM stopped (12%)
• Other detection methods: $10 MM attempted, $9.8 MM stopped (36%)

• Attempted: payments created or released
• Stopped: payments didn’t leave the bank
• Released: payments were out of the bank
• Recovered: payments were recalled back
• Net loss: payments were cashed out

Chart: payment amounts ($0 to $35 MM) by detection method: Splunk Alone, Splunk & Other methods, Other Detection methods
Intuit Financial Services - Fraud Background

• We noticed a similar fraud pattern across 15 banks
• Then we mapped them to see they were within 15 miles of one another
• Fraud was coming from one data processing vendor who they all shared
Intuit Financial Services Organization -- Wire Transfers

Watching a fraudster in real time, seeing $5M, $7M, $8M wire attempts
• Splunk exposed every element of our infrastructure that he touched
• Next we could correlate activities based on time to understand his pattern of activity
Detecting Fraud at Etsy

– Sample patterns of possible fraud:
  • User traffic coming from “rent a VM”, cloud-based services
  • Brute force password guessing
  • Single IP excessively selecting the “I forgot my password” option for several accounts
  • Abnormally large payments, or very high velocity of payments, from a single account
  • Customer info that should be stable changing often: email/physical address, payment card, etc.
– Automatically lock accounts that appear to be compromised
– Weave Splunk data into customer service tools so CSRs also see fraud indicators
– Use Splunk for fraud, security, compliance, IT Ops, and app mgmt
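Three of the patterns listed above (one IP hitting "I forgot my password" for many accounts, payment velocity from a single account, and "stable" customer details changing often) as sliding-window detectors, added here as an example and not Etsy's code or the deck's: one generic burst finder is parameterised per pattern and run over a constructed event stream. Event fields, thresholds, IP addresses and account names are assumptions.

```python
"""Added example (not from the Etsy slide or Etsy's code): sliding-window
detectors for three of the listed fraud patterns over constructed events.
Event fields, thresholds, IPs (RFC 5737 documentation ranges) and account
names are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2013, 4, 15, 12, 0, 0)


def ev(minutes, kind, **fields):
    """Constructed event `minutes` after T0."""
    return {"ts": T0 + timedelta(minutes=minutes), "type": kind, **fields}


SAMPLE_EVENTS = [
    # One IP requesting password resets for six different accounts within 4 minutes.
    *[ev(i * 0.8, "password_reset", ip="203.0.113.7", account=f"user{i}") for i in range(6)],
    ev(3, "password_reset", ip="198.51.100.2", account="user42"),  # a single, normal request
    # Payment velocity: three large payments from one account in under 20 minutes.
    ev(10, "payment", account="buyer7", amount=2400.0),
    ev(18, "payment", account="buyer7", amount=2600.0),
    ev(29, "payment", account="buyer7", amount=2100.0),
    ev(31, "payment", account="buyer8", amount=45.0),
    # Profile churn: details that should be stable changed four times in one day.
    ev(40, "profile_change", account="shop9", field="email"),
    ev(300, "profile_change", account="shop9", field="payment_card"),
    ev(700, "profile_change", account="shop9", field="address"),
    ev(1200, "profile_change", account="shop9", field="email"),
    ev(1300, "profile_change", account="shop1", field="email"),
]


def find_bursts(events, key, window, threshold, distinct=None, weight=None):
    """Group `events` by `key` and return {key: peak score} for every key where
    some window of length `window` scores >= threshold. The score is the event
    count, the number of distinct `distinct` values, or the sum of `weight`."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e[key]].append(e)
    flagged = {}
    for k, evs in grouped.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, first in enumerate(evs):
            inside = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if distinct:
                score = len({e[distinct] for e in inside})
            elif weight:
                score = sum(e[weight] for e in inside)
            else:
                score = len(inside)
            peak = max(peak, score)
        if peak >= threshold:
            flagged[k] = peak
    return flagged


def password_reset_abuse(events, window=timedelta(minutes=10), max_accounts=5):
    """Single IP selecting "I forgot my password" for several accounts."""
    resets = [e for e in events if e["type"] == "password_reset"]
    return find_bursts(resets, "ip", window, max_accounts, distinct="account")


def payment_velocity(events, window=timedelta(hours=1), max_amount=5000.0):
    """Abnormally large total paid by one account within the window."""
    payments = [e for e in events if e["type"] == "payment"]
    return find_bursts(payments, "account", window, max_amount, weight="amount")


def profile_churn(events, window=timedelta(days=1), max_changes=3):
    """Customer info that should be stable changing too often."""
    changes = [e for e in events if e["type"] == "profile_change"]
    return find_bursts(changes, "account", window, max_changes)


if __name__ == "__main__":
    print("reset abuse:", password_reset_abuse(SAMPLE_EVENTS))
    print("payment velocity:", payment_velocity(SAMPLE_EVENTS))
    print("profile churn:", profile_churn(SAMPLE_EVENTS))
```

The flagged keys are what would feed the account-lock and customer-service indicators listed on the slide; the peak score is kept so a reviewer can see how far over the threshold each one went.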
East Coast Financial Services: Use of Splunk for Fraud Investigations

Phish detection – 500+ customers protected and ~$5M saved
  – Used to be done 100% by customers; log files weren’t available for searching for 1 day
  – Use Splunk to detect the patterns with referrers who are testing their phish to see if it works

Malware detection – 14 detections stopped $140K
  – Using Splunk to research and detect anomalies within logs specific to malware/web injects
  – Alert and block the PIN within 10 minutes of identification and before account access

Trading on uncollected funds – ~500 customers protected, stopping over $4.5M
  – This takes place when a customer places a trade before money transfers in clear
  – Without Splunk they had to wait a day to get access to this data for analysis
  – Fastest detection and PIN block was 37 seconds

Online Bank Wire fraud – blocked 60+ incidents saving over $240k
  – Transaction completion involves a code sent to a mobile phone, detecting now every 5 minutes
  – Actually detected an occurrence of this before the capability went live with customers

This use case used data already indexed in Splunk…no incremental cost
Other Companies

• Using Splunk to track unauthorized cell phone activations at franchiser locations

Online Ticket Reseller
• Using web log patterns to determine fraudulent buyers and sellers

On-Line

• Monitoring for anomalous usage patterns based on plans. An open international call connection for multiple hours discovered a fraud ring selling intl. calling.

On-line Educational Institution
• Using Splunk to track academic and financial aid fraud using weblogs and session IDs. Students that are flagged come up on a list for investigation
Thank You

More Related Content

What's hot (20)

PDF
Announcing Databricks Cloud (Spark Summit 2014)
Databricks
 
PPTX
Splunk Tutorial for Beginners - What is Splunk | Edureka
Edureka!
 
PDF
How Graph Algorithms Answer your Business Questions in Banking and Beyond
Neo4j
 
PDF
A Brief Introduction to Knowledge Graphs
Heather Hedden
 
PPTX
Splunk Overview
Splunk
 
PDF
Optimizing XaaS
Cognizant
 
PDF
Big Data Analytics : Understanding for Research Activity
Andry Alamsyah
 
ODP
Splunk
Knoldus Inc.
 
PDF
Neo4j Bloom: Data Visualization for Everyone
Neo4j
 
PPTX
Introduction to Cognitive Automation
Priyab Satoshi
 
PDF
Cost Efficiency Strategies for Managed Apache Spark Service
Databricks
 
PPTX
Taking Splunk to the Next Level - Architecture
Splunk
 
PPTX
Snowflake Data Access.pptx
Anup Mukhopadhyay
 
PPTX
Cloud Migration, Application Modernization, and Security
Tom Laszewski
 
PPTX
Cloud Computing and Microsoft Azure
Suhail Jamaldeen
 
PPTX
Azure Cloud Adoption Framework + Governance - Sana Khan and Jay Kumar
Timothy McAliley
 
PDF
Azure Data Factory V2; The Data Flows
Thomas Sykes
 
PPT
OpenSearch
hchen1
 
PDF
The Acord Framework - An Insurance Enterprise Architecture (2011).pdf
havoc2003
 
PDF
re:cap Generative AI journey with Bedrock
PhilipBasford
 
Announcing Databricks Cloud (Spark Summit 2014)
Databricks
 
Splunk Tutorial for Beginners - What is Splunk | Edureka
Edureka!
 
How Graph Algorithms Answer your Business Questions in Banking and Beyond
Neo4j
 
A Brief Introduction to Knowledge Graphs
Heather Hedden
 
Splunk Overview
Splunk
 
Optimizing XaaS
Cognizant
 
Big Data Analytics : Understanding for Research Activity
Andry Alamsyah
 
Splunk
Knoldus Inc.
 
Neo4j Bloom: Data Visualization for Everyone
Neo4j
 
Introduction to Cognitive Automation
Priyab Satoshi
 
Cost Efficiency Strategies for Managed Apache Spark Service
Databricks
 
Taking Splunk to the Next Level - Architecture
Splunk
 
Snowflake Data Access.pptx
Anup Mukhopadhyay
 
Cloud Migration, Application Modernization, and Security
Tom Laszewski
 
Cloud Computing and Microsoft Azure
Suhail Jamaldeen
 
Azure Cloud Adoption Framework + Governance - Sana Khan and Jay Kumar
Timothy McAliley
 
Azure Data Factory V2; The Data Flows
Thomas Sykes
 
OpenSearch
hchen1
 
The Acord Framework - An Insurance Enterprise Architecture (2011).pdf
havoc2003
 
re:cap Generative AI journey with Bedrock
PhilipBasford
 

Viewers also liked (20)

PDF
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk
 
PDF
Splunk .conf2011: Splunk for Fraud and Forensics at Intuit
Erin Sweeney
 
PPTX
Data Mining with Splunk
David Carasso
 
PDF
SplunkSummit 2015 - Splunk User Behavioral Analytics
Splunk
 
PDF
Molina Healthcare Customer Presentation
Splunk
 
PPTX
Building an Analytics - Enabled SOC Breakout Session
Splunk
 
PPTX
Insider threat event presentation
IISPEastMids
 
PDF
Virtual SplunkLive! for Higher Education Overview/Customers
Splunk
 
PPT
.conf2011: Web Analytics Throwdown: with NPR and Intuit
Erin Sweeney
 
PPTX
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
Zivaro Inc
 
PDF
Splunk | Reporting Use Cases
Beth Goldman
 
POTX
Using the Splunk Java SDK
Damien Dallimore
 
PPTX
Best Practices for a CoE
Splunk
 
PPTX
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Harry McLaren
 
PPT
Splunk .conf2011: Real Time Alerting and Monitoring
Erin Sweeney
 
PDF
Splunk conf2014 - Splunk for Data Science
Splunk
 
PPT
Making Pretty Charts in Splunk
Splunk
 
PPTX
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Phil Legg
 
PDF
Splunk Enterprise for InfoSec Hands-On
Splunk
 
PDF
Threat Hunting
Tripwire
 
Splunk conf2014 - Detecting Fraud and Suspicious Events Using Risk Scoring
Splunk
 
Splunk .conf2011: Splunk for Fraud and Forensics at Intuit
Erin Sweeney
 
Data Mining with Splunk
David Carasso
 
SplunkSummit 2015 - Splunk User Behavioral Analytics
Splunk
 
Molina Healthcare Customer Presentation
Splunk
 
Building an Analytics - Enabled SOC Breakout Session
Splunk
 
Insider threat event presentation
IISPEastMids
 
Virtual SplunkLive! for Higher Education Overview/Customers
Splunk
 
.conf2011: Web Analytics Throwdown: with NPR and Intuit
Erin Sweeney
 
Splunk Fundamentals: Investigations with Core Splunk - Splunk Tech Day
Zivaro Inc
 
Splunk | Reporting Use Cases
Beth Goldman
 
Using the Splunk Java SDK
Damien Dallimore
 
Best Practices for a CoE
Splunk
 
Splunk Dashboarding & Universal Vs. Heavy Forwarders
Harry McLaren
 
Splunk .conf2011: Real Time Alerting and Monitoring
Erin Sweeney
 
Splunk conf2014 - Splunk for Data Science
Splunk
 
Making Pretty Charts in Splunk
Splunk
 
Visualizing the Insider Threat: Challenges and tools for identifying maliciou...
Phil Legg
 
Splunk Enterprise for InfoSec Hands-On
Splunk
 
Threat Hunting
Tripwire
 
Ad

Similar to SplunkLive! Splunk for Insider Threats and Fraud Detection (20)

PPTX
Splunk for Security Breakout Session
Splunk
 
PDF
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
Splunk EMEA
 
PPTX
SplunkLive! Splunk for Security
Splunk
 
PPTX
SplunkLive! Munich 2018: Intro to Security Analytics Methods
Splunk
 
PPTX
Virtual Gov Day - Security Breakout - Deloitte
Splunk
 
PPTX
SplunkLive! - Splunk for Security
Splunk
 
PDF
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk
 
PPTX
SplunkLive! Paris 2018: Intro to Security Analytics Methods
Splunk
 
PPTX
Security crawl walk run presentation mckay v1 2017
Adam Tice
 
PDF
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
PDF
Splunk for security
Greg Hanchin
 
PPTX
Build a Security Portfolio That Strengthens Your Security Posture
Splunk
 
PDF
Splunk for Security
Gabrielle Knowles
 
PDF
SplunkLive Wellington 2015 - Splunk for Security
Splunk
 
PDF
SplunkLive Auckland 2015 - Splunk for Security
Splunk
 
PDF
Analytics Driven SIEM Workshop
Splunk
 
PDF
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
PDF
Webinar: Neues zur Splunk App for Enterprise Security
Georg Knon
 
PPTX
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Andrew Gerber
 
PPTX
Splunk Webinar: Webinar: Die Effizienz Ihres SOC verbessern mit neuen Funktio...
Splunk
 
Splunk for Security Breakout Session
Splunk
 
Power the SOC of the Future with scale, speed and choice - Splunk Public Sect...
Splunk EMEA
 
SplunkLive! Splunk for Security
Splunk
 
SplunkLive! Munich 2018: Intro to Security Analytics Methods
Splunk
 
Virtual Gov Day - Security Breakout - Deloitte
Splunk
 
SplunkLive! - Splunk for Security
Splunk
 
Splunk Discovery: Warsaw 2018 - Intro to Security Analytics Methods
Splunk
 
SplunkLive! Paris 2018: Intro to Security Analytics Methods
Splunk
 
Security crawl walk run presentation mckay v1 2017
Adam Tice
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
Splunk for security
Greg Hanchin
 
Build a Security Portfolio That Strengthens Your Security Posture
Splunk
 
Splunk for Security
Gabrielle Knowles
 
SplunkLive Wellington 2015 - Splunk for Security
Splunk
 
SplunkLive Auckland 2015 - Splunk for Security
Splunk
 
Analytics Driven SIEM Workshop
Splunk
 
SplunkLive! Amsterdam 2015 - Analytics based security breakout
Splunk
 
Webinar: Neues zur Splunk App for Enterprise Security
Georg Knon
 
Mapping the Enterprise Threat, Risk, and Security Control Landscape with Splunk
Andrew Gerber
 
Splunk Webinar: Webinar: Die Effizienz Ihres SOC verbessern mit neuen Funktio...
Splunk
 
Ad

More from Splunk (20)

PDF
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
PDF
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
PDF
Building Resilience with Energy Management for the Public Sector
Splunk
 
PDF
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
PDF
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
PDF
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
PDF
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
PDF
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
PDF
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
PDF
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
PDF
.conf Go 2023 - Data analysis as a routine
Splunk
 
PDF
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
PDF
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
PDF
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
PDF
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
PDF
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
PDF
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
PDF
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
PDF
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
PDF
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 
Splunk Leadership Forum Wien - 20.05.2025
Splunk
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Building Resilience with Energy Management for the Public Sector
Splunk
 
IT-Lagebild: Observability for Resilience (SVA)
Splunk
 
Nach dem SOC-Aufbau ist vor der Automatisierung (OFD Baden-Württemberg)
Splunk
 
Monitoring einer Sicheren Inter-Netzwerk Architektur (SINA)
Splunk
 
Praktische Erfahrungen mit dem Attack Analyser (gematik)
Splunk
 
Cisco XDR & Splunk SIEM - stronger together (DATAGROUP Cyber Security)
Splunk
 
Security - Mit Sicherheit zum Erfolg (Telekom)
Splunk
 
One Cisco - Splunk Public Sector Summit Germany April 2025
Splunk
 
.conf Go 2023 - Data analysis as a routine
Splunk
 
.conf Go 2023 - How KPN drives Customer Satisfaction on IPTV
Splunk
 
.conf Go 2023 - Navegando la normativa SOX (Telefónica)
Splunk
 
.conf Go 2023 - Raiffeisen Bank International
Splunk
 
.conf Go 2023 - På liv og død Om sikkerhetsarbeid i Norsk helsenett
Splunk
 
.conf Go 2023 - Many roads lead to Rome - this was our journey (Julius Bär)
Splunk
 
.conf Go 2023 - Das passende Rezept für die digitale (Security) Revolution zu...
Splunk
 
.conf go 2023 - Cyber Resilienz – Herausforderungen und Ansatz für Energiever...
Splunk
 
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk
 
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk
 

Recently uploaded (20)

PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
PDF
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
PDF
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
PDF
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
PPT
Interview paper part 3, It is based on Interview Prep
SoumyadeepGhosh39
 
PDF
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
PDF
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
PDF
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PPTX
Top iOS App Development Company in the USA for Innovative Apps
SynapseIndia
 
PDF
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
PDF
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
PDF
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
PDF
Smart Air Quality Monitoring with Serrax AQM190 LITE
SERRAX TECHNOLOGIES LLP
 
PDF
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
PPTX
Q2 Leading a Tableau User Group - Onboarding
lward7
 
PDF
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
PPTX
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
HCIP-Data Center Facility Deployment V2.0 Training Material (Without Remarks ...
mcastillo49
 
Timothy Rottach - Ramp up on AI Use Cases, from Vector Search to AI Agents wi...
AWS Chicago
 
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
Interview paper part 3, It is based on Interview Prep
SoumyadeepGhosh39
 
Smart Trailers 2025 Update with History and Overview
Paul Menig
 
NewMind AI - Journal 100 Insights After The 100th Issue
NewMind AI
 
Reverse Engineering of Security Products: Developing an Advanced Microsoft De...
nwbxhhcyjv
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
Top iOS App Development Company in the USA for Innovative Apps
SynapseIndia
 
Log-Based Anomaly Detection: Enhancing System Reliability with Machine Learning
Mohammed BEKKOUCHE
 
Fl Studio 24.2.2 Build 4597 Crack for Windows Free Download 2025
faizk77g
 
New from BookNet Canada for 2025: BNC BiblioShare - Tech Forum 2025
BookNet Canada
 
Smart Air Quality Monitoring with Serrax AQM190 LITE
SERRAX TECHNOLOGIES LLP
 
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
Q2 Leading a Tableau User Group - Onboarding
lward7
 
CIFDAQ Market Insights for July 7th 2025
CIFDAQ
 
✨Unleashing Collaboration: Salesforce Channels & Community Power in Patna!✨
SanjeetMishra29
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 

SplunkLive! Splunk for Insider Threats and Fraud Detection

  • 1. Copyright © 2013 Splunk Inc. Splunk for Insider Threats and Fraud Detection
  • 2. Company Company (NASDAQ: SPLK) Founded 2004, first software release in 2006 HQ: San Francisco / Regional HQ: London, Hong Kong Over 850 employees, based in 12 countries Annual Revenue: $198M (YoY +60%) $5+ billion market valuation Business Model / Products Free download to massive scale On-premise, in the cloud and SaaS 6,000+ Customers; 2500 w/Security Use Cases Customers in over 90 countries 60 of the Fortune 100 Fast Company 2013: Named Splunk #4 Most Innovative Company in the World and #1 Big Data Innovator Largest license: 100 Terabytes per day Leader: Gartner SIEM Magic Quadrant, 2013 2
  • 3. Make machine data accessible, usable and valuable to everyone. 3
  • 4. The Accelerating Pace of Data Volume | Velocity | Variety | Variability GPS, RFID, Hypervisor, data Web Servers, Email, Messaging, Clickstreams, Mobile, Telephony, IVR, Databases, Sensors, Telematics, Storage, Servers, Security Devices, Desktops Machine data is fastest growing, most complex, most valuable area of big 4
  • 5. Machine Generated Data is a Definitive Record of Human-to-Machine and Machineto-Machine Interaction 5
  • 6. Insider Threats – Employee Attitudes 52 • Percent of employees don’t believe it’s a crime to use competitor’s confidential information 44 • Percent believe a software developer who develops source code for a company has some ownership of work and inventions beyond their current employer 42 • Percent don’t think it is a crime to reuse source code with out permission from a former employer, in projects for other companies 60 • Percent say a co-worker hired from a competing company has offered documents from that company for their use Ponemon Institute Survey 2012 6
  • 7. Employee Insider threats Are Authorized users Doing authorized things Have malicious intent A ‘people centric’ behavioral problem Are not Hackers using specialized tools A technical or "cybersecurity" issue alone Escalating their privileges for purposes of espionage
  • 8. Context for Insider Threats • Who are your privileged internal people? • Who might be a likely enemy? • What data that would be at risk? Contextual Cyber Psychological Insider Threat Risk 8
  • 9. Two Strategies for Combating Secondary Detection Primary Prevention/Deterrence • Pattern based • Specific indicators or alerts • Multiple factors • Definitive evidence • Uses heuristics and statistical models • Physical detection (stolen documents) • Requires base lining / watching for outlier behaviors “Rather than getting wrapped up in prediction or detection organizations should start first with deterrence.” Patrick Reidy CISO FBI 9
  • 10. Splunk and the broken window theory Some employees test the limits of their access Employee feedback required for all unauthorized attempts (accidental or not). Splunk monitors access in realtime Splunk sends email (via script) to employee indicating awareness of attempt 10
  • 11. Examples: Correlations / Detections / Context Detection Indicator Analysis Printer usage Number of print jobs over a given period of time Outlier Increase in size of print jobs Outlier Unusual times of day Outlier Rare network printer use (the one not closest employee Outlier Local vs. remote Outlier Time of day Outlier During vacation times Outlier Monitor’s employee behavior and attitude changes (proxy data) Outlier/Context Logins to AD or use of SSO Abrupt change in the ratio of website categories visited 11
  • 12. Examples: Correlations / Detections / Context Detection Indicator Unused Vacation - 18 months or longer Employee remains in control -- work not turned over to others for review Context / Lookup Always first in / first out of the office Badge data and/or AD. Desire to control situation Context / Lookup Personal life change – marital status change stress trigger Can jeopardize emotional stability – HR system data Context / Lookup Lay-off notification Monitor for file transfers by individuals that occur immediately after lay-offs are announced Context / Lookup Attempted changes to document classifications Document metadata Direct indicator Attempts to use USB or CD Rom Log data events Direct indicator 12
  • 13. Insider Threat Use Case: Disgruntled Employee Splunk at a Large Aerospace and Defense Contractor Goal: Protect intellectual property at the hands of disgruntled employee Use Case Scenario: In an environment where employees are sometimes mis-treated, fired, reprimanded you never know when an employee has become disgruntle. Think of an employee receiving a "pink slip" and decides before his last day he wants to take company proprietary data…from SharePoint servers…Below explains how Splunk could be use to detect/mitigate that type of behavior: Data Sources: Host based FW logs, Single Sign-on(SSO) logs, SharePoint connection logs, Content Logic Steps: 1. Upload all employees who received pink slips "login id's" to Splunk' s look-up table 2. Run trending reports on "id's" for the past 6 months 3. Correlate data sources with trend reports 4. Report on suspicious user id's who has increase downloads from SharePoint servers Splunk Capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules 13
  • 14. Insider Threat Use Case: Data Leakage/Spill Splunk at a Large Aerospace and Defense Contractor Goal: To detect/monitor potential data leakage/spill of very sensitive intellectual property Use Case Scenario: In an environment where employees are Govt contractors who has access to sensitive R&D projects and/or supporting Govt programs, data leakage is highly likable. An employee can intentional/unintentional download any text docs associated to that program/project to personal laptop, personal email, etc. Below explains Data Sources: Data Loss prevention (DLP) logs, key words, email logs, Anti-virus logs(USB) Content Logic Steps: 1.Upload "program keywords" and "user ids" in Splunk's lookup table 2. correlate data sources/lookup table 3. Develop/Report on alerts (rule hits) 4. Developed alert visualization & monitor Data Sources: Data Loss prevention (DLP) logs, key words, email logs, AV, Splunk Capabilities: lookup, search processing language, real-time alerts, reports, visualization, advance correlation, real-time rules 14
  • 15. “Fraud is the daughter of greed.” ― Jonathan Gash, The Great California Game
  • 16. Splunk for Fraud Detection Across Verticals: Financial Services, eCommerce, Mobile / Wireless, Online Education
  • 17. Online Education Company – Fraud Background
    Use Case: Classroom activity / fraud (affects accreditation)
      Before Splunk: Difficult to identify fraudulent student loan and attendance activity accurately
      After Splunk: Complete visibility into classroom activity and increased confidence that financial aid fraud is being detected thoroughly; seats not taken from legitimate students
    Use Case: Internet browsing history
      Before Splunk: Bluecoat Reporter had so much data it stopped working, making them unable to report on this for HR
      After Splunk: Faster and lower-cost response to internal production requests, and lower data costs
  • 18. Online Education Company – Detections and Benefits
    Use Case: Classroom activity / fraud (affects accreditation)
      After Splunk: $10s of millions of fraudulent funds have been stopped from being distributed; reputation and Dept. of Education accreditation maintained seamlessly
    Use Case: Internet browsing history
      After Splunk: Saves 75-90% of the Corporate Forensics team’s efforts (can offer more services); saves $45,000/year in external production services (external Legal); saves $1.5M/year in data processing costs (process, collect, cull, review, etc.)
  • 19. Cash Wire Transfer Company (Subsidiary of Major Financial Institution)
    With targeted and ever-evolving fraud techniques, the number of fraud attempts and the amounts involved rise rapidly; Splunk was introduced to fill a detection gap in June 2012.
    • Splunk's agility in reacting to emerging fraud patterns saved millions for the bank
    • The broader view Splunk introduced enabled us to quickly identify fraud techniques and to discover and fix design flaws in applications
      – 11 detection rules deployed
      – 2 application flaws were discovered and fixed
  • 20. Cash Wire Transfer Company – Fraud Detection, 12/2012 – 4/15/2013
    Payment amounts, total across all detection methods:
      Attempted: $33.5 MM
      Stopped: $27.5 MM (81.97%)
      Released: $6 MM
      Recovered: $5 MM (14.41%)
      Net Loss: $1 MM (3.62%)
    [Chart: attempted, stopped, released, recovered and net-loss amounts broken down by Splunk Alone, Splunk & Other methods, and Other Detection methods]
    Definitions:
      • Attempted: payments created or released
      • Stopped: payments that didn’t leave the bank
      • Released: payments that were out of the bank
      • Recovered: payments that were recalled back
      • Net loss: payments that were cashed out
  • 21. Intuit Financial Services – Fraud Background
    • We noticed a similar fraud pattern across 15 banks
    • Then we mapped them to see that they were within 15 miles of one another
    • Fraud was coming from one data processing vendor that they all shared
  • 22. Intuit Financial Services Organization – Wire Transfers
    Watching a fraudster in real time: seeing $5M, $7M, $8M wire attempts
    • Splunk exposed every element of our infrastructure that he touched
    • Next we could correlate activities based on time to understand his pattern of activity
  • 23. Detecting Fraud at Etsy
    Sample patterns of possible fraud:
      – User traffic coming from “rent a VM”, cloud-based services
      – Brute-force password guessing
      – A single IP excessively selecting the “I forgot my password” option for several accounts
      – Abnormally large payments, or a very high velocity of payments, from a single account
      – Customer info that should be stable changing often: email/physical address, payment card, etc.
    – Automatically lock accounts that appear to be compromised
    – Weave Splunk data into customer service tools so CSRs also see fraud indicators
    – Use Splunk for fraud, security, compliance, IT Ops, and app management
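Two of the patterns listed above (one IP selecting “I forgot my password” for several accounts, and a high velocity of payments from a single account) as detection rules over constructed web log lines, added here as an example that is not Etsy's or Splunk's code. The log format, the account names, the 3-account and 3-payment thresholds and the 10- and 5-minute windows are assumptions; the IPs come from the documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web log lines (key=value), deliberately containing one repeated account per IP.
WEB_LOGS = [
    "2013-06-04T10:00:01 ip=203.0.113.7 user=alice path=/forgot-password",
    "2013-06-04T10:00:03 ip=203.0.113.7 user=bob path=/forgot-password",
    "2013-06-04T10:00:05 ip=203.0.113.7 user=carol path=/forgot-password",
    "2013-06-04T10:00:07 ip=203.0.113.7 user=alice path=/forgot-password",
    "2013-06-04T10:01:00 ip=198.51.100.2 user=dave path=/forgot-password",
    "2013-06-04T11:00:00 ip=198.51.100.9 user=frank path=/checkout amount=40.00",
    "2013-06-04T11:00:20 ip=198.51.100.9 user=frank path=/checkout amount=45.00",
    "2013-06-04T11:00:40 ip=198.51.100.9 user=frank path=/checkout amount=50.00",
]

def parse(line):
    ts, *fields = line.split()  # leading ISO timestamp, then key=value fields
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def sliding_window_hits(records, key, distinct, window, threshold):
    """Group by `key`; in a sliding time window count distinct `distinct` values (raw events
    when distinct is None) and return {key: peak count} for groups reaching the threshold."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r)
    flagged = {}
    for k, evs in groups.items():
        evs.sort(key=lambda r: r["ts"])  # log lines may arrive out of order
        start = 0
        for end, r in enumerate(evs):
            while r["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            n = len({e[distinct] for e in span}) if distinct else len(span)
            if n >= threshold:
                flagged[k] = max(n, flagged.get(k, 0))
    return flagged

def detect(lines, min_accounts=3, max_payments=3):
    recs = [parse(l) for l in lines]
    resets = [r for r in recs if r["path"] == "/forgot-password"]
    pays = [r for r in recs if r["path"] == "/checkout"]
    return {
        # one IP selecting "I forgot my password" for several different accounts
        "reset_abuse": sliding_window_hits(resets, "ip", "user", timedelta(minutes=10), min_accounts),
        # very high velocity of payments from a single account
        "payment_velocity": sliding_window_hits(pays, "user", None, timedelta(minutes=5), max_payments),
    }
```

Counting distinct accounts rather than raw requests matters: the same user retrying a reset twice from one IP is not the pattern the slide describes, and the repeated alice line is excluded from the count for that reason.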
  • 24. East Coast Financial Services: Use of Splunk for Fraud Investigations
    Phish detection – 500+ customers protected and ~$5M saved
      – Used to be done 100% by customers; log files weren’t available for searching for 1 day
      – Use Splunk to detect the patterns of referrers who are testing their phish to see if it works
    Malware detection – 14 detections stopped $140K
      – This use case used data already indexed in Splunk…no incremental cost
      – Using Splunk to research and detect anomalies within logs specific to malware/web injects
      – Alert and block the PIN within 10 minutes of identification and before account access
    Trading on uncollected funds – ~500 customers protected, stopping over $4.5M
      – This takes place when a customer places a trade before the transferred money clears
      – Without Splunk they had to wait a day to get access to this data for analysis
      – Fastest detection and PIN block was 37 seconds
    Online bank wire fraud – blocked 60+ incidents saving over $240k
      – Transaction completion involves a code sent to a mobile phone; detection now runs every 5 minutes
      – Actually detected an occurrence of this before the capability went live with customers
  • 25. Other Companies
    • Using Splunk to track unauthorized cell phone activations at franchiser locations
    Online Ticket Reseller
    • Using web log patterns to determine fraudulent buyers and sellers
  • 26. Other Companies
    • Monitoring for anomalous usage patterns based on plans; an open international call connection lasting multiple hours uncovered a fraud ring selling international calling
    On-line Educational Institution
    • Using Splunk to track academic and financial aid fraud using web logs and session IDs; students that are flagged come up on a list for investigation

Editor's Notes

  • #3: Splunk now has more than 850 employees worldwide, with headquarters in San Francisco and 14 offices around the world. Since first shipping its software in 2006, Splunk now has over 6,000 customers in 90+ countries. These organizations are using Splunk software to improve service levels, reduce operations costs, mitigate security risks, enable compliance, enhance DevOps collaboration and create new product and service offerings. Please always refer to latest company data found here: http://www.splunk.com/company.
  • #4: At Splunk, our mission is to make machine data accessible, usable and valuable to everyone. And this overarching mission is what drives our company and product priorities.
  • #5: Data is growing and embodies new characteristics not found in traditional structured data: Volume, Velocity, Variety, Variability/Veracity. Machine data is one of the fastest growing, most complex and most valuable segments of big data. All the webservers, applications, network devices – all of the technology infrastructure running an enterprise or organization – generate massive streams of data, in an array of unpredictable formats that are difficult to process and analyze by traditional methods or in a timely manner. Why is this “machine data” valuable? Because it contains a trace - a categorical record - of user behavior, cyber-security risks, application behavior, service levels, fraudulent activity and customer experience.
  • #7: Ponemon Institute 2012.
  • #8: Patrick Reidy CISO FBI
  • #11: The broken window theory says that if someone breaks a window and they don’t see an indication of notice or any repercussion they determine that no one cares and they’ll likely do it again. It’s the same with access to systems or documents.
  • #20: Bank of America
  • #21: Bank of America
  • #22: Intuit
  • #23: Intuit
  • #24: Etsy, the online marketplace, has spoken at numerous Splunk events around how they use Splunk for fraud detection, security, compliance, and IT operations. Public info is at: http://www.splunk.com/view/SP-CAAAGH3 and http://codeascraft.com/2013/06/04/leveraging-big-data-to-create-more-secure-web-applications/
  • #25: Fidelity Investments
  • #26: Cricket, Stubhub
  • #27: MetroPCS