c:\fakepath-6 09 10 financial fraud webinar


Posted on 19-Oct-2014


DESCRIPTION

Webinar run by the company ArcSight on financial fraud

TRANSCRIPT

Page 1: C:\Fakepath-6 09 10 Financial Fraud Webinar

Detect Advanced Crime in the

Financial Sector

Ryan Kalember

Director, Product Marketing

Fraud Detection is More Challenging Than Ever

You Need to See…

… Networked Systems

… Zero-day Threats

… Critical Data Stores

… Privileged Users

… Network Connections

… Fraud Techniques

… Application Activity

www.arcsight.com © 2010 ArcSight Confidential 2

Page 2: C:\Fakepath-6 09 10 Financial Fraud Webinar

Cybercrime Keeps Growing

100 Million Credit Cards: $130 Million Cost

45 Million Credit Cards: $250 Million Cost

1.5 Million Debit Cards: Processing License Revoked

$73 Billion Risked by Rogue Trader: $7 Billion Lost


Modern Breaches Share a Pattern

Acquire target, sneak in, hop around (Perimeter doesn’t help)

Get privileged access to critical assets (Impact takes time)

Conduct the crime for an extended time (Early detection matters)


Page 3: C:\Fakepath-6 09 10 Financial Fraud Webinar

Today’s Cybercrime Is Different

Smart Humans

High Value Targets

Signatures Ineffective

No Choke Point

Key Systems Unwatched

Key Users Unwatched

Attacks

Defenses

Vulnerabilities


Business faces more risk than ever.

Traditional defenses won’t work.

A different approach is required.


Modern Threats


1. Spear-Phishing

2. Hackers and Coordinated Attacks

3. Malware/Bot Infiltration

4. Man in the Browser Attacks (MITB)

5. Insider Attacks

6. Insider Theft

Page 4: C:\Fakepath-6 09 10 Financial Fraud Webinar

Spear-Phishing Threat Vectors


MyFriend This is hilarious: bit.ly/p0wn3d

Myfriend2010

RT @myotherfriend best thing I’ve read all day bit.ly/p0wn3d about 39 minutes ago from web

From: [email protected]@mycompany.com

To: [email protected]@mycompany.com

Attachment: Report.pdf 210 KB (PDF)

Thought you’d find this report interesting.

Hackers and Coordinated Attacks


Page 5: C:\Fakepath-6 09 10 Financial Fraud Webinar

Detection Techniques


RBS WorldPay Breach


Page 6: C:\Fakepath-6 09 10 Financial Fraud Webinar

RBS WorldPay Breach

Breach: Hack Perimeter Security

Privilege Escalation: Access Debit Card System

Monetize: ATM Network Fraud


Malware Beaconing


BOT


Page 7: C:\Fakepath-6 09 10 Financial Fraud Webinar

Man in the Browser: Zeus Bot


Bot Detection Event Sequencing

Normal Transaction:

Fraudulent Transaction:


Page 8: C:\Fakepath-6 09 10 Financial Fraud Webinar

Insider Attacks

ID: JOHN

PWD: ******

ID: JOHN

PWD: ******

Login Successful

Welcome User: JOHN

Alert: Unauthorized use

of account JOHN

JOHN

Windows user SAM 9-08-09 12:38

SAP user JOHN 9-08-09 12:39

SAM


Insider Theft


ID: Admin PWD: Pa$$wd

Admin/Pa$$wd (the same shared credential, used four times)

Who extracted the confidential files?

Page 9: C:\Fakepath-6 09 10 Financial Fraud Webinar

Detecting Hackers and Coordinated Attacks


Convert Transactions into Events

Mainframe Transaction:

5000000 4857382225004272 4857382225000247 20081201 20081201 651227 999999998 74857388336478441246882083360000002199 5411 000000000000000 ATM TXN REV MARLOW BE 74857388336478441246882 34800000000000001411113480000000000000141111 000000000000000000 000000001.00001NN 000000000000000000 0000000000000000001 D0000005 0000000000000000001 000070053 4857382225000247 3822250042727485738833647844124688283369500000069


Page 10: C:\Fakepath-6 09 10 Financial Fraud Webinar

Analyze Transactions for Patterns


Pattern Investigation: Accounts vs. Amounts vs. Types


Two accounts are making very similar sets of transactions through the retail channel

Page 11: C:\Fakepath-6 09 10 Financial Fraud Webinar

Cross-Channel Attack

Uses Harvested Web Credentials

Get Personal Data from Autoforms

Authenticate using Personal Details

Request Transfer

Card Application

Account Balance

My Accounts

Call Center

Account ID 12345678

Passcodes rover12

2-Factor Auth ?

Address 12 Acacia Ave.

D.O.B. 1/12/1966

Products Current, Card

Mother’s Name Smith

Cross-Channel Attack

Card Application

Account Balance

My Accounts

Call Center

Sources:

CRM/VOIP, Fraud Mobile List, Application Servers

Web Servers

Detect Strange Browsing Pattern

Put Account on Watch List

Detect Xfer by Phone Banking

Elevated Risk = Txn Blocked

Account ID 12345678

Passcodes rover12

2-Factor Auth ?

Address 12 Acacia Ave.

D.O.B. 1/12/1966

Products Current, Card

Page 12: C:\Fakepath-6 09 10 Financial Fraud Webinar

Detecting Bot Malware Beaconing


Malware Beacon Detection – Behavioral Analysis


Page 13: C:\Fakepath-6 09 10 Financial Fraud Webinar

Detecting MITB Attacks


Identity Correlation

• Correlate common identifiers such as email address, badge ID, phone extension

• Events occurring across devices that identify users by different attributes

• Attribute the event to a unique “identity” allowing correlation across any type of device


Identifiers

RobertJackson

Identity

rjackson

348924323

[email protected]

robertj

rjackson_dba

510-555-1212

Page 14: C:\Fakepath-6 09 10 Financial Fraud Webinar

Detecting Role Violation Attacks


Role Violations by Department and Employee Type

Detecting Attacks in Shared Admin Accounts

Application Access: Source: 10.10.10.10

[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin

Application Access: Source: 192.168.10.6

[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin

?

?


Page 15: C:\Fakepath-6 09 10 Financial Fraud Webinar

IP Address Identity

10.12.23.7 haroldr

10.12.23.23 czfb12

10.12.22.35 bobc

192.168.10.6 katie

10.10.10.10 jimmyj

Detecting Attacks in Shared Admin Accounts

Application Access: Source: 10.10.10.10

[02.5.2009 10:33:46] Login Success 10.10.10.10 fmadmin

Application Access: Source: 192.168.10.6

[02.5.2009 11:21:51] Login Success 192.168.10.6 fmadmin

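The two correlations shown on the Insider Attacks slide (Windows user SAM, then SAP user JOHN from the same host a minute later) and on the Detecting Attacks in Shared Admin Accounts slides (fmadmin logins attributed to jimmyj and katie via the IP-to-identity table) can be expressed as one small rule set. The following is an added example, not ArcSight code: the identifier-to-identity map reuses the slide's IP table, while the user entries, the workstation name WS-0417, the ISO timestamps and the event list are constructed.

```python
from dataclasses import dataclass

# Identifier -> identity. IP rows are the slide's own table; user rows are constructed.
IDENTITY_MAP = {
    "ip:10.10.10.10": "jimmyj", "ip:192.168.10.6": "katie",
    "ip:10.12.23.7": "haroldr", "ip:10.12.23.23": "czfb12", "ip:10.12.22.35": "bobc",
    "user:sam": "sam", "user:john": "john", "user:haroldr": "haroldr",
}
SHARED_ACCOUNTS = {"fmadmin", "admin"}   # generic accounts that identify no one

@dataclass
class Event:
    ts: str       # ISO timestamp (constructed; the slides use other formats)
    source: str   # "os" for a Windows logon, "app" for an application login
    host: str     # workstation name or source IP of the login
    account: str  # account named in the event

def resolve(identifier):
    """Map an identifier such as 'ip:10.10.10.10' or 'user:SAM' to an identity."""
    return IDENTITY_MAP.get(identifier.lower())

def correlate(events):
    """Attribute each app login to a person; flag shared-account use and mismatches."""
    findings, os_session = [], {}       # os_session: host -> identity logged on at the OS
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source == "os":
            os_session[ev.host] = resolve(f"user:{ev.account}") or ev.account.lower()
            continue
        # Prefer the OS session on that host; otherwise fall back to the IP's owner.
        actor = os_session.get(ev.host) or resolve(f"ip:{ev.host}")
        expected = resolve(f"user:{ev.account}")
        if ev.account.lower() in SHARED_ACCOUNTS:
            findings.append((ev.ts, ev.account, actor or "unknown", "shared-account-use"))
        elif actor and expected and actor != expected:
            findings.append((ev.ts, ev.account, actor, "identity-mismatch"))
    return findings

def sample_events():
    """Constructed events modelled on the two slides (timestamps and WS-0417 are made up)."""
    return [
        Event("2009-02-05T10:33:46", "app", "10.10.10.10", "fmadmin"),
        Event("2009-02-05T11:21:51", "app", "192.168.10.6", "fmadmin"),
        Event("2009-09-08T12:38:00", "os", "WS-0417", "SAM"),    # Windows user SAM
        Event("2009-09-08T12:39:00", "app", "WS-0417", "JOHN"),  # SAP user JOHN, same host
        Event("2009-09-08T12:40:00", "app", "10.12.23.7", "haroldr"),  # benign control
    ]

if __name__ == "__main__":
    for finding in correlate(sample_events()):
        print(finding)
```

The two fmadmin logins come out attributed to jimmyj and katie, and the SAP login as JOHN is flagged because the OS session on the same workstation belongs to sam; haroldr's own login produces nothing.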

Detecting Terminated User Attacks


Why is he accessing the finance file server?

Terminated

HR

Finance

Page 16: C:\Fakepath-6 09 10 Financial Fraud Webinar

Conclusion


ArcSight

Company Background

• Founded May 2000

• 2000+ Clients

• 500+ employees, offices worldwide

• NASDAQ: ARST

#1 In-use for both SIEM and Log Management

#1 in Market Share: Last three reports

SIEM Leader’s Quadrant: SEVEN years running

Industry Recognition


Page 17: C:\Fakepath-6 09 10 Financial Fraud Webinar

Enterprise Threat and Risk Management:

Comprehensive View of Business Risk

FW, IDS, AV, Proxy, VA Internal Apps, DLP, Email, Web, Badge

Customer Transactions, Web Logs, Mainframe, CRM

Global Reporting by Lines of Business

Security Incidents

High Risk Users

High Risk Transactions

Security

- DoS

- SQL Injection

- Malware

- External Threats

Identity

- Insider Threat

- PII/IP Protection

- Privileged Users

- Internal Fraud

Transactions

- 1st and 3rd Party

- Online Banking

- AML

- Trading


Thank You for Attending