When it comes to fraud is it critical to monitor in a cross-channel model. That is, monitor all points where users interact with data such as Web portals, telephony systems, applications, data stores, and even physical controls. This needs to be augmented by the supporting information gleaned from network infrastructure such as the firewalls, switches and VPNS. By collecting data in a cross-channel model:
- Events can be correlated in real-time - thus detecting the fraudulent activity early;
- Patterns can be generated to form baselines;
- Anomalies and statistical deviations can be highlighted;
- Profiling can be conducted against applications and users to separate normal from suspicious activity.
These advanced analytics, part of a robust SIEM platform, provide the necessary foundation for discovering the "devil inside."
So let's revisit the incident with Sam played out in a scenario where cross-channel network and data security monitoring are in place.
-- To lessen his chances of being caught Sam comes in unusually early or stays unusually late; this information is captured through physical access control monitoring;
-- Sam is logged into the payee application much longer than his peers; this information is captured through application and or database monitoring;
-- Sam has created a large number of payees that all have the same PO Box; again, this information is captured through application and or database monitoring;
-- Opting to work remotely to further reduce his risk of being discovered: Sam begins using a VPN connection to access the payee application; this information is captured by the VPN appliance; Sam's credentials over the VPN and credentials on the application while different are correlated with the identity solution to derive at a single person - Sam;
-- While the multiple instances by themselves may not warrant investigation, taken as an aggregate, and evaluated in a cross-channel model - physical access, remote access, application, database, and identity, the combination of activities seems potentially malicious and does warrant investigation.
Detection of insiders committing fraud requires broad event collection, robust analytics, and mechanisms that remove false positives and guide investigators down the most relevant paths first (all of which are delivered by a comprehensive SIEM platform). Most organizations agree that fraud will never be 100 percent removed; however, the mitigation of fraudulent activity remains a chief concern and anti-fraud strategies can be enriched using these techniques.