ABCs of UEBA: F is for Fraud

Enterprise fraud management platforms have been around for years, but many legacy platforms lack the capabilities to make critical data associations and identify anomalous behaviors of user accounts. However, recent advancements in a range of technologies from Big Data to machine learning have coalesced to help build a new kind of advanced fraud analytics platform born from UEBA technologies.

Cybersecurity Breaches Lead to Fraud

Banks have suffered losses tied to abuses of the SWIFT system due to their own cybersecurity breaches that allowed account takeovers. Attackers obtained and used the credentials of bank employees who had legitimate authority to initiate and approve payment transfer transactions. To SWIFT, the instructions appeared to be normal because, for all intents and purposes, they came from authorized user accounts.

The common theme among these attacks is the absence or failure of controls that could have detected the account takeovers before the payment transfers went out. In each of these cases of SWIFT system abuse, an advanced fraud analytics platform with user and entity behavior analytics (UEBA) capabilities could have flagged the anomalous activity and held the transfers for investigation.

UEBA Can Help Prevent Fraud

Machine learning can analyze millions of data points from siloed, cross-channel sources such as a core banking system (CBS) and the SWIFT messaging interface. Linking data from these disparate systems in a Big Data platform lets anomalous behavior surface quickly. For example, a payment debited in the CBS with no corresponding SWIFT message, or a SWIFT transfer instruction with no matching core banking entry, is not normal procedure. Such a mismatch would raise a high-priority alert and prompt immediate investigation.
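The cross-channel check described above, as an added example rather than Gurucul's own code: it reconciles constructed CBS debit records against constructed SWIFT message records and raises one high-priority alert for every record that has no counterpart in the other channel. The record layouts, field names and the 15-minute matching window are assumptions for illustration.

```python
"""Reconcile core-banking (CBS) payment records against SWIFT message logs.

Record layouts and field names are assumptions for illustration; a real
deployment would map them from the bank's actual CBS and SWIFT exports.
"""
from datetime import datetime, timedelta

# Constructed sample data. CBS-1003 has no SWIFT counterpart (a ledger debit
# that never became a wire) and MT103-5003 has no CBS counterpart (a wire
# instruction sent outside the normal core-banking workflow).
CBS_PAYMENTS = [
    {"txn_id": "CBS-1001", "account": "ACC-77", "currency": "USD", "amount": 250000.00,
     "ts": "2024-03-04T09:12:00", "user": "jdoe"},
    {"txn_id": "CBS-1002", "account": "ACC-12", "currency": "USD", "amount": 18400.00,
     "ts": "2024-03-04T09:40:00", "user": "asmith"},
    {"txn_id": "CBS-1003", "account": "ACC-77", "currency": "USD", "amount": 950000.00,
     "ts": "2024-03-04T22:05:00", "user": "jdoe"},
]
SWIFT_MESSAGES = [
    {"ref": "MT103-5001", "account": "ACC-77", "currency": "USD", "amount": 250000.00,
     "ts": "2024-03-04T09:13:30", "user": "jdoe"},
    {"ref": "MT103-5002", "account": "ACC-12", "currency": "USD", "amount": 18400.00,
     "ts": "2024-03-04T09:41:10", "user": "asmith"},
    {"ref": "MT103-5003", "account": "ACC-31", "currency": "USD", "amount": 4000000.00,
     "ts": "2024-03-04T02:17:00", "user": "jdoe"},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def _same_payment(cbs, swift, window):
    """A CBS debit and a SWIFT message describe the same payment when account,
    currency and amount agree and the timestamps fall within `window`."""
    return (
        cbs["account"] == swift["account"]
        and cbs["currency"] == swift["currency"]
        and abs(cbs["amount"] - swift["amount"]) < 0.005
        and abs(_ts(cbs) - _ts(swift)) <= window
    )


def reconcile(cbs_payments, swift_messages, window=timedelta(minutes=15)):
    """Return one high-priority alert per record with no counterpart in the
    other channel. Each SWIFT message may satisfy at most one CBS debit."""
    unmatched_swift = list(swift_messages)
    alerts = []
    for payment in cbs_payments:
        match = next((m for m in unmatched_swift if _same_payment(payment, m, window)), None)
        if match is None:
            alerts.append({"kind": "cbs_without_swift", "priority": "high",
                           "txn_id": payment["txn_id"], "user": payment["user"],
                           "amount": payment["amount"], "currency": payment["currency"]})
        else:
            unmatched_swift.remove(match)
    for message in unmatched_swift:
        alerts.append({"kind": "swift_without_cbs", "priority": "high",
                       "ref": message["ref"], "user": message["user"],
                       "amount": message["amount"], "currency": message["currency"]})
    return alerts


if __name__ == "__main__":
    for alert in reconcile(CBS_PAYMENTS, SWIFT_MESSAGES):
        print(alert)
```

On the sample data the function returns two alerts: the CBS debit CBS-1003 with no wire behind it, and the SWIFT instruction MT103-5003 with no ledger entry behind it. The second pattern is the one that matters most for account takeover, because it means a transfer instruction reached SWIFT without passing through the core banking workflow the bank's controls are built around.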

Now consider the case where a malicious actor holds legitimate credentials. It might seem impossible to detect that the payment instructions are not coming from the authorized employee, but this is where UEBA comes into play. Behavioral analytics build a profile of each user identity: network and application permissions, when and where the user typically works, which device they normally use, and so on. An attacker who obtains a worker's login credentials inherits that worker's permissions and privileges, but reproducing everything else about the worker's behavior is far harder. A remote attacker typically does not use the worker's computer and IP address, keep the worker's schedule, or connect from the same location. Those deviations raise an alert, and the bank can trigger an immediate mitigation such as suspending that account's access to the payment transfer system. One caveat: an attacker who has compromised the worker's own workstation will match the device and network, so timing, transaction size and the sequence of actions must carry weight in the profile as well.

The fraud detection measures are completely unobtrusive to workers performing their legitimate duties. Yet the speed and accuracy of identifying, prioritizing and alerting on high-risk activity can drive corrective or response actions in other systems based on the value of the risk score. Such actions can be automated to take place in real time or near real time; for example, to put a hold on the SWIFT funds transfer until the alert details can be investigated.
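Baseline-deviation scoring with a risk-score-driven automated response, covering the two preceding paragraphs, as an added example rather than Gurucul's product logic. Every attribute of a payment-initiation event that deviates from the user's profile adds weighted points; the capped total is mapped to an action (allow, route to review, or hold the transfer). The baseline, weights, thresholds and the three constructed events are assumptions for illustration; the third event shows the caveat above, a payment from the user's own workstation that still scores on timing and amount.

```python
"""Score a payment-initiation event against a per-user behavioral baseline.

Baselines, weights, thresholds and sample events are constructed for
illustration; a real UEBA deployment would learn baselines from history.
"""
import ipaddress
import statistics
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Baseline:
    devices: set        # hostnames the user normally works from
    networks: list      # ipaddress networks the user normally connects from
    countries: set      # geolocation countries seen for this user
    work_hours: tuple   # (start_hour, end_hour), end exclusive, local time
    amounts: list       # recent payment amounts initiated by this user


# Assumed weights: each deviation adds points; the total is capped at 100.
WEIGHTS = {"device": 30, "network": 25, "country": 25, "hour": 15, "amount": 20}
HOLD_THRESHOLD = 60     # automated hold on the transfer pending investigation
REVIEW_THRESHOLD = 30   # route to an analyst; the transfer proceeds

BASELINES = {
    "jdoe": Baseline(
        devices={"LAPTOP-JD01"},
        networks=[ipaddress.ip_network("10.20.30.0/24")],
        countries={"SG"},
        work_hours=(8, 18),
        amounts=[12000, 15500, 9800, 14200, 11000],
    ),
}

# Constructed events: a normal working-hours payment, a remote account takeover,
# and a payment from the user's own (possibly malware-infected) workstation
# that matches device and network but not timing or amount.
EVENTS = [
    {"user": "jdoe", "device": "LAPTOP-JD01", "src_ip": "10.20.30.15", "country": "SG",
     "ts": "2024-03-04T10:00:00", "amount": 13000},
    {"user": "jdoe", "device": "WS-UNKNOWN", "src_ip": "203.0.113.9", "country": "RO",
     "ts": "2024-03-04T02:30:00", "amount": 950000},
    {"user": "jdoe", "device": "LAPTOP-JD01", "src_ip": "10.20.30.15", "country": "SG",
     "ts": "2024-03-04T23:10:00", "amount": 950000},
]


def score_event(event, baseline):
    """Return (score, reasons); reasons maps each deviating attribute to its weight."""
    reasons = {}
    if event["device"] not in baseline.devices:
        reasons["device"] = WEIGHTS["device"]
    ip = ipaddress.ip_address(event["src_ip"])
    if not any(ip in net for net in baseline.networks):
        reasons["network"] = WEIGHTS["network"]
    if event["country"] not in baseline.countries:
        reasons["country"] = WEIGHTS["country"]
    start, end = baseline.work_hours
    if not start <= datetime.fromisoformat(event["ts"]).hour < end:
        reasons["hour"] = WEIGHTS["hour"]
    # Amount check: flag anything over three times the user's median payment.
    if event["amount"] > 3 * statistics.median(baseline.amounts):
        reasons["amount"] = WEIGHTS["amount"]
    return min(100, sum(reasons.values())), reasons


def decide(score):
    """Map a risk score to the automated response on the payment system."""
    if score >= HOLD_THRESHOLD:
        return "hold_transfer"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "allow"


def triage(events, baselines):
    """Score every event against its user's baseline; users with no baseline are held."""
    results = []
    for event in events:
        baseline = baselines.get(event["user"])
        if baseline is None:
            results.append((event["user"], 100, {"no_baseline": 100}, "hold_transfer"))
            continue
        score, reasons = score_event(event, baseline)
        results.append((event["user"], score, reasons, decide(score)))
    return results


if __name__ == "__main__":
    for user, score, reasons, action in triage(EVENTS, BASELINES):
        print(f"{user}: score={score} action={action} reasons={sorted(reasons)}")
```

The remote takeover trips every attribute and is held outright; the payment from the compromised workstation scores only on hour and amount, which lands it in review rather than being waved through. Tuning the weights so that timing and amount alone can reach the hold threshold is a deployment decision, and it is the decision that determines whether the endpoint-compromise case is blocked or merely queued.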

Fraud Use Cases

While there are many different fraud use cases, the theme that is common among them is that organizations want the ability to do cross-channel fraud detection, to aggregate and link more data coming from many different systems. It is this cross-channel capability that shines a brighter light on not just transactions but also subtle behavioral activities and peer group analysis that would otherwise go undetected.

Here are just a few examples.

Insider Fraud

Insiders, especially those with privileged access to sensitive systems and data, pose a serious risk to financial organizations. UEBA creates and analyzes user baselines from data elements such as identity profile data, system entitlements and the activities users perform.

It looks at activities from disparate data sources including:

  • HR events
  • Physical badge access
  • Security alerts from Endpoint Protection Platforms and Data Loss Prevention solutions
  • Document repositories
  • Sensitive data access
  • Internet activities
  • Core banking systems transactions

Any deviation from the normal baseline behavior, such as suspicious loan application submissions or approvals, transaction overrides, emails to competitor domains or to personal email accounts, or unusual physical access to sensitive areas, generates an alert with an appropriate risk score. Based on the risk score, data criticality, and resource and transaction risk levels, the system drives an automated response workflow to ensure rapid action and risk mitigation.

Transaction Fraud

One challenge of managing transaction fraud is gaining visibility into all stages and elements of a given transaction across disparate and disconnected systems. UEBA can flag process-related control failures revealed by inconsistent or abnormal transactions across disconnected processes or systems such as core banking and SWIFT. This enables banks to detect and potentially block significant financial fraud.

Gurucul Miner™, a natural language-based search engine, gives analysts and auditors a simple but powerful tool for 360° identity-centric visibility across all systems. It also pivots on any data element, such as account number, transaction type or amount, for further investigation or periodic risk assessment.

Customer Service Representative (CSR) Fraud

A form of insider fraud, Customer Service Representative fraud occurs when insiders in customer service, who have privileged access to a wide range of customer accounts, perform fraudulent activities that damage an organization's brand reputation or cause financial loss.

A mature UEBA solution ingests data from a wide range of sources, including ticketing systems, VoIP phone data, badge access data, workstation events and network events, all linked to the user identity. This allows detection of CSR fraud scenarios such as abnormal data transfers and unusual patterns of activity: customer profile changes without a corresponding ticket or service request, malicious inbound or outbound phone activity, anomalous session times, and so on.

Gurucul Fraud Analytics

Building on our industry-leading UEBA product, Gurucul has spun off a new product tailored to predict, detect and prevent fraud and other financial crimes. Gurucul Fraud Analytics provides a holistic risk-based approach for fraud detection of both internal and external users, using award-winning machine learning algorithms and an open big data architecture. Its data science architecture creates a unique risk score for each internal user, customer or provider entity, using context-driven sensors from public and private data and transactions. It ingests both structured and unstructured data and aggregates risk context for intelligent predictive fraud detection.

Gurucul Fraud Analytics can link data from a multitude of sources to provide a contextual view and to highlight anomalous transactions based on historic user and community profiles. It analyzes online and offline activity, including public records, contact center interactions, point of sale transactions, ATM transactions, and so on. Gurucul Fraud Analytics mines and normalizes data and then creates a risk score for fraud and abuse. It’s used for real-time decision making or batch scoring of an event. It also can provide scores and risk factors for other systems to use in a decision.

The post ABCs of UEBA: F is for Fraud appeared first on Gurucul.

*** This is a Security Bloggers Network syndicated blog from Blog – Gurucul authored by Jane Grafton. Read the original post at:
