Using the McAfee SIEM to Augment Successful Detection of Financial Fraud

By on Oct 17, 2013

Financial fraud has a wide range of impact across a society: Providers of financial services may incur the largest losses, but the users of financial services who become victims may be hit much harder. Fraud victims range across the income scale, and even a small fraud can be catastrophic to a vulnerable member of a society. For example, the United Kingdom’s Annual Fraud Indicator 2012 report estimated losses to the financial services sector at 3.5 billion. This does not include identity fraud, which adds more than a billion to the number.

While analytics-based fraud detection has helped to stem the rapid growth of these losses, the attractiveness of the industry to fraudsters remains strong. Two criminal endeavors targeting the financial services sector, Operation High Roller and Project Blitzkrieg have been identified and researched by McAfee in 2012. The analysis of these attacks show that their sophistication has grown significantly.

The McAfee SIEM aids fraud analysts in two ways: both by enabling the combination of transaction analysis with analysis of network events, and also by bringing the products of McAfee research to identify known bad actors around the world.

Combining Fraud Analysis with Network Analysis

Current research has shown that a successful way to improve the efficiency of fraud detection, seen as unusual activity in a system, is to combine it with other measures of unusual activity, such as on a network. A useful example is combining the output of a Benford test and then some of the built-in correlation rules that identify unusual activity on a network.

Benford’s Law, informally stated, says that in certain sets of numbers, the digits 1 through 9 are not equally likely to occur. The dollar amounts of checking account transactions are an example of such a set. Fraud analysts use Benford’s law and some related formulas to identify transactions that cause the set to break the law, often indicating some form of financial fraud. Below is an example of how a Benford test is used.

While the Benford Test is a powerful tool for fraud detection, it can be limited in the insight it provides. If multiple spikes come out of a test, the fraud analyst may struggle to eliminate the ones that have a reasonable explanation, or may need additional context that the transaction amounts alone cannot provide.

The McAfee SIEM can provide correlation rules that identify unusual activity on a network by combining events from several sources such as OS logs, firewalls, databases, and even applications. Built-in rules, shipped with the product, that are valuable for fraud analysis include:

  • Same User Logon from Different Geolocation
  • Same User Logon from Different Host
  • Same User Logon from Different IP
  • Successful database logons after repeated failed logons
  • Successful login after suspicious activity

These rules match up well to the records of recent attacks against financial institutions.

If the output of a Benford test is setup as a custom data source, and the transaction IDs are set up as a custom datatype, then spikes in the Benford test can be correlated with the network events raised by the McAfee SIEM. This helps to both focus the response effort from security and fraud teams, and to add some needed context to the numerical data provided by fraud detection algorithms.

Combining Fraud Analysis with Threat Intelligence

McAfee lives and breathes security. In addition to teams providing tools that reduce risk for a company, other teams focus on content that makes the tools more effective. For detection of fraud, two important sources are the correlation rules created to combat specific pervasive threats, and the Global Threat Intelligence feed that identifies suspicious and malicious IP traffic based on a continuous big data analysis of worldwide traffic.

While a financial services company may have its own mature fraud detection program, any program can benefit from solid external intelligence. It may fill in missing gaps, or it may supplement existing work and allow the group to better focus its efforts. Companies using the McAfee SIEM can avail themselves of content teams who identify global threats and create correlation rules on the SIEM to detect them. One example is a recently published rule, “Project Blitzkrieg – Communication with Known Command and Control Server” to aid detection of a threat directed at the financial services sector.

In addition to correlation rules, the McAfee SIEM has a component called the Advanced Correlation Engine (ACE), which is both unique and invaluable to enhancing fraud detection. The ACE allow risk-based correlation, which goes beyond the power of real-time rule based correlation (tells you quickly what you want to know), and gives you a dynamic picture of the evolving risk at your company (tells what you didn’t know). When the GTI feed is used as an input for a risk correlation manager, your organization can gauge how much traffic from malicious sources like bot-nets or other known bad actors is directed at your organization and filter traffic so that only traffic with a malicious reputation is in the risk calculation.

You can configure the risk correlation manager to reflect business rules at your company.

Combining fraud analysis with network analysis and incorporating external intelligence are two important enhancements to detecting fraud. Each alone is a worthwhile effort for a fraud detection program; a company could choose to adopt both to gain even more benefits in its efforts to stem fraud losses. Both leverage the unique capabilities and advantages of the McAfee SIEM.

Keep up with the latest in security and fraud detection by following @McAfee_Business on Twitter

About the Author


We're here to make life online safe and enjoyable for everyone.

Read more posts from McAfee

Subscribe to McAfee Securing Tomorrow Blogs