How to Address the Insider Threats

By Rick Caccia Wed, Oct 21, 2009

Rick Caccia is the Vice President of product marketing at ArcSight.

It is true that cases of fraud are increasing, and we read about them on an almost daily basis. This is a consequence of the rise in the amount of sensitive information that is now online, the increased number of online applications that access this information, and the growing number of users who rely on the internet for financial services. The result is more opportunity for fraud, so it’s no surprise that criminals have moved their activities online and that insider-led fraud is on the rise. Let’s look at insider-led fraud first. Insider-led incidents involve a malicious employee or contractor who uses company systems to commit some form of fraud against the company.

Everyone seems to use the example of an accounting clerk adding her brother-in-law as a new payee, then cutting a payment to him and splitting the proceeds. This is the textbook example of the kind of fraud a separation-of-duties control is meant to prevent, but there are plenty of others. Consider, for example, quote fraud in the insurance industry, where someone inside the insurance company provides details to a rival firm so the rival can outbid it and win a contract.

There are many variations of insider-led fraud, and they continue to grow as new applications and business processes come online. Monitoring separation-of-duties controls and monitoring privileged users’ access to data are the two common methods of detecting this kind of fraud.

The other type of fraud is led by external criminals against an organization’s customers. This usually includes some form of account takeover to enter fraudulent transactions and drain the customer’s account. Account takeover techniques might include phishing, smishing (phishing via SMS) and vishing (phishing using VoIP). These fraudulent techniques can be detected by analyzing items such as geographic location (e.g. the customer is located in London but the wire transfer is being requested from Russia), trends (e.g. the customer never requests transfers over $1,000, but this transfer is for $25,000), or devices (e.g. this PC has requested wire transfers from three different accounts today).

Even more insidious is the “Man in the Browser” fraud technique, where malware is installed in a customer’s browser, and during a banking transaction, the malware sends transfer requests or creates bill-payees and payment requests without the customer knowing. The customer doesn’t discover the problem until her monthly statement arrives containing a batch of unauthorized payments, but the money is long gone. This technique is harder to detect, but analysis of Web page requests can be an effective prevention method for this type of fraud.

The best approach to fraud detection is what I call “collect and connect”: gather all the relevant information, connect the dots to see where the risk lies, and then take action to prevent the loss. Sounds easy, but it isn’t always so. Fortunately, tools exist, and the correlation capabilities of a SIEM engine make it one of the best of them.

SIEM technologies help detect fraud in two ways. First, they assist in both data collection and rules-based analysis of that data. Second, many financial and insurance organizations already deploy specialized fraud detection tools, such as IP blacklists, account profiling solutions, and risk-based authentication tools. SIEM can also collect and connect across these other fraud technologies, producing composite fraud scores that integrate the output of all of these other products.
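The three account-takeover checks described above (geographic location, trend analysis, device analysis) and the composite scoring this paragraph attributes to a SIEM can be sketched as a small correlation rule set. This is an added illustration, not ArcSight’s or the author’s code; the weights, the shared-device threshold, the customer profiles and the transfer records are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

WEIGHTS = {"geo": 40, "trend": 30, "device": 30}  # assumed weights per signal
SHARED_DEVICE_ACCOUNTS = 3  # a PC touching this many accounts in one day is suspect

@dataclass
class Transfer:
    account: str
    amount: float
    country: str    # where the request originated
    device_id: str  # fingerprint of the requesting PC

# Constructed sample data: per-customer profiles and one day's wire-transfer requests.
PROFILES = {
    "acct-1": {"home_country": "GB", "typical_max": 1000.0},
    "acct-2": {"home_country": "US", "typical_max": 5000.0},
    "acct-3": {"home_country": "US", "typical_max": 2000.0},
}
TRANSFERS = [
    Transfer("acct-1", 25000.0, "RU", "dev-A"),  # London customer, request from Russia
    Transfer("acct-2", 200.0, "US", "dev-A"),
    Transfer("acct-3", 300.0, "US", "dev-A"),    # dev-A now seen on three accounts
    Transfer("acct-2", 150.0, "US", "dev-B"),    # nothing unusual
]

def score_transfers(transfers, profiles):
    """Apply the geographic, trend and device rules; sum the hits into one composite score."""
    accounts_per_device = defaultdict(set)  # device rule needs the whole day's view
    for t in transfers:
        accounts_per_device[t.device_id].add(t.account)
    results = []
    for t in transfers:
        profile = profiles[t.account]
        reasons = []
        if t.country != profile["home_country"]:  # geographic location
            reasons.append("geo")
        if t.amount > profile["typical_max"]:  # trend analysis
            reasons.append("trend")
        if len(accounts_per_device[t.device_id]) >= SHARED_DEVICE_ACCOUNTS:  # device analysis
            reasons.append("device")
        score = sum(WEIGHTS[r] for r in reasons)
        results.append({"account": t.account, "amount": t.amount, "reasons": reasons, "score": score})
    return results

def flagged(results, threshold=50):
    """Requests whose composite score warrants analyst review before the money moves."""
    return [r for r in results if r["score"] >= threshold]
```

On the sample data only the first request trips all three rules and is flagged; the two low-value transfers from the shared PC score on the device rule alone, which is the kind of weak signal that correlation surfaces but a single-rule check would not act on.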

Earlier this year, Gartner estimated that 7.5 percent of all adults in the US lost money to financial fraud in 2008. This year will likely be even worse. Given the increasing frequency of fraud and the amount of money at risk, this situation is not acceptable. Organizations have powerful tools available; hopefully they will use them.

Channelworld.in Opinion