1. Copyright © 2013 Splunk Inc.
Splunk for Insider Threats
and Fraud Detection

2. Company
Company (NASDAQ: SPLK)
Founded 2004, first software release in 2006
HQ: San Francisco / Regional HQ: London, Hong Kong
Over 850 employees, based in 12 countries
Annual Revenue: $198M (YoY +60%)
$5+ billion market valuation
Business Model / Products
Free download to massive scale
On-premise, in the cloud and SaaS
6,000+ Customers; 2500 w/Security Use Cases
Customers in over 90 countries
60 of the Fortune 100
Fast Company 2013: Named Splunk #4 Most Innovative
Company in the World and #1 Big Data Innovator
Largest license: 100 Terabytes per day
Leader: Gartner SIEM Magic Quadrant, 2013
2

3. Make machine data accessible, usable
and valuable to everyone.
3

4. The Accelerating Pace of Data
Volume | Velocity | Variety | Variability
GPS,
RFID,
Hypervisor,
data
Web Servers,
Email, Messaging,
Clickstreams, Mobile,
Telephony, IVR, Databases,
Sensors, Telematics, Storage,
Servers, Security Devices, Desktops
Machine data is fastest growing, most
complex, most valuable area of big
4

5. Machine Generated Data is a Definitive
Record of Human-to-Machine and Machineto-Machine Interaction
5

6. Insider Threats – Employee Attitudes
52
• Percent of employees don’t believe it’s a crime to use competitor’s
confidential information
44
• Percent believe a software developer who develops source code
for a company has some ownership of work and inventions beyond
their current employer
42
• Percent don’t think it is a crime to reuse source code with out
permission from a former employer, in projects for other
companies
60
• Percent say a co-worker hired from a competing company has
offered documents from that company for their use
Ponemon Institute Survey 2012
6

7. Employee Insider threats
Are
Authorized users
Doing authorized things
Have malicious intent
A ‘people centric’
behavioral problem
Are not
Hackers using specialized
tools
A technical or
"cybersecurity" issue alone
Escalating their privileges for
purposes of espionage

8. Context for Insider Threats
• Who are your
privileged internal
people?
• Who might be a likely
enemy?
• What data that would
be at risk?
Contextual
Cyber
Psychological
Insider
Threat Risk
8

9. Two Strategies for Combating
Secondary
Detection
Primary
Prevention/Deterrence
•
Pattern based
•
Specific indicators or alerts
•
Multiple factors
•
Definitive evidence
•
Uses heuristics and statistical
models
•
Physical detection (stolen
documents)
•
Requires base lining / watching
for outlier behaviors
“Rather than getting wrapped up in prediction or detection organizations
should start first with deterrence.” Patrick Reidy CISO FBI
9

10. Splunk and the broken window theory
Some employees test the limits of
their access
Employee feedback required for
all unauthorized attempts
(accidental or not).
Splunk monitors access in realtime
Splunk sends email (via script) to
employee indicating awareness of
attempt
10

11. Examples: Correlations / Detections / Context
Detection
Indicator
Analysis
Printer usage
Number of print jobs over a given period of time
Outlier
Increase in size of print jobs
Outlier
Unusual times of day
Outlier
Rare network printer use (the one not closest
employee
Outlier
Local vs. remote
Outlier
Time of day
Outlier
During vacation times
Outlier
Monitor’s employee behavior and attitude changes
(proxy data)
Outlier/Context
Logins to AD or use of SSO
Abrupt change in the ratio
of website categories
visited
11

12. Examples: Correlations / Detections / Context
Detection
Indicator
Unused Vacation - 18 months
or longer
Employee remains in control -- work not turned
over to others for review
Context / Lookup
Always first in / first out of the
office
Badge data and/or AD. Desire to control
situation
Context / Lookup
Personal life change – marital
status change stress trigger
Can jeopardize emotional stability – HR system
data
Context / Lookup
Lay-off notification
Monitor for file transfers by individuals that
occur immediately after lay-offs are announced
Context / Lookup
Attempted changes to
document classifications
Document metadata
Direct indicator
Attempts to use USB or CD
Rom
Log data events
Direct indicator
12

13. Insider Threat Use Case: Disgruntled Employee
Splunk at a Large Aerospace and Defense Contractor
Goal: Protect intellectual property at the hands of disgruntled employee
Use Case Scenario: In an environment where employees are sometimes mis-treated, fired, reprimanded you never know
when an employee has become disgruntle. Think of an employee receiving a "pink slip" and decides before his last day
he wants to take company proprietary data…from SharePoint servers…Below explains how Splunk could be use to
detect/mitigate that type of behavior:
Data Sources: Host based FW logs, Single Sign-on(SSO) logs, SharePoint connection logs,
Content Logic Steps:
1. Upload all employees who received pink slips "login id's" to Splunk' s look-up table
2. Run trending reports on "id's" for the past 6 months
3. Correlate data sources with trend reports
4. Report on suspicious user id's who has increase downloads from SharePoint servers
Splunk Capabilities: lookup, trends, reports, real-time alerts, index, correlation analytics, real-time rules
13

14. Insider Threat Use Case: Data Leakage/Spill
Splunk at a Large Aerospace and Defense Contractor
Goal: To detect/monitor potential data leakage/spill of very sensitive intellectual property
Use Case Scenario: In an environment where employees are Govt contractors who has access to sensitive R&D projects
and/or supporting Govt programs, data leakage is highly likable. An employee can intentional/unintentional download
any text docs associated to that program/project to personal laptop, personal email, etc. Below explains
Data Sources: Data Loss prevention (DLP) logs, key words, email logs, Anti-virus logs(USB)
Content Logic Steps:
1.Upload "program keywords" and "user ids" in Splunk's lookup table
2. correlate data sources/lookup table
3. Develop/Report on alerts (rule hits)
4. Developed alert visualization & monitor
Data Sources: Data Loss prevention (DLP) logs, key words, email logs, AV,
Splunk Capabilities: lookup, search processing language, real-time alerts, reports, visualization, advance correlation,
real-time rules
14

15. “Fraud is the daughter of greed.”
― Jonathan Gash, The Great California Game
15

16. Splunk for Fraud Detection Across Verticals
Financial Services
eCommerce
Mobile / Wireless
Fraud Detections
16
Online Education
“Fraud is the daughter
of greed.”
― Jonathan Gash, The Great
California Game

17. Online Education Company – Fraud Background
Use Case
Before Splunk
After Splunk
Classroom
activity / fraud
Affects
accreditation
Difficult to identify
fraudulent student loan and
attendance activity
accurately
Complete visibility to classroom
activity and increased confidence
that financial aid fraud is being
detected thoroughly
Seats not taken from legit students
Internet
browsing
history
Bluecoat Reporter had so
Faster and lower cost response to
much data it stopped
internal production requests and
working making them unable data costs
to report on this for HR
17

18. Online Education Company– Detections Benefits
Use Case
After Splunk
Classroom
activity / fraud
Affects
accreditation
$10s of Millions of fraudulent funds have been stopped from being
distributed
Internet
browsing
history
Saves 75-90% of the Corporate Forensics team’s efforts (can offer more
services)
Reputation and Dept. of Education accreditation maintained seamlessly
Saves $45,000/year in external production services (external Legal)
Saves $1.5M/year in data processing costs (process, collect, cull, review,
etc.)
18

19. Cash Wire Transfer Company
Subsidiary of Major Financial Institution
With targeted and ever evolving fraud techniques, number of fraud
attempts and amounts rise rapidly, Splunk was introduced to fill a
detection gap in June 2012
• Splunk agility to react to emerging fraud patterns saved millions for
the bank
• Broader view Splunk introduced is able us to quickly identify fraud
techniques, discover and fix design flaws in applications
•
– 11 detection rules deployed
– 2 application flaws were discovered and fixed

20. Cash Wire Transfer Company - Fraud Detection
12/2012 – 4/15/2013
Payment Amount
Total
Splunk Detected
Attempted
Stopped
Splunk & Other
methods
Splunk Alone
Total
Recovered
Net Loss
$33.5 MM
$27.5 MM
$ 6 MM
$5 MM
$ 15 MM
$13 MM
$ 2 MM
$ 1.7 MM
Recovered
14.41%
Loss
3.62%
$1 MM
$ 0.2 MM
Actual Loss
Attempted
Other Detection
methods
Released
Net Loss
$18,5 MM
$ 1 MM
Stopped
$14 MM
52%
Stopped
Recovered
Recovered
$ 3 MM
$5 MM
$0.2 MM
$ 3.4 MM
12%
$10 MM
$0.00
$ 9.8 MM
36%
$ 0.2 MM
$33.5 MM
$1 MM
$27.5 MM
$ 5 MM
Stopped
81.97%
$ 1.3 MM
• Attempted: payments created or released Stopped: payments didn’t leave the
bank
• Released: payments were out of the bank
• Recovered: payments were recalled back
• Net loss: payments were cashed out
$35,000,000.00
$30,000,000.00
$25,000,000.00
$20,000,000.00
$15,000,000.00
$10,000,000.00
$5,000,000.00
$0.00
Splunk Alone
Splunk & Other
methods
Other Detection
methods

21. Intuit Financial Services - Fraud Background
•
We noticed a similar fraud
pattern across 15 banks
•
Then we mapped them to see
they were within 15 miles of one
another
•
Fraud was coming from one data
processing vendor who they all
shared
21

22. Intuit Financial Services Organization -- Wire
Transfers
Watching fraudster in real-time—seeing
$5M, $7M, $8M wire attempts
• Splunk exposed every element of our infrastructure
that he touched
• Next we could correlate activities based on time to
understand his pattern of activity
•
22

23. Detecting Fraud at Etsy
– Sample patterns of possible fraud:





User traffic coming from “rent a VM”, cloud-based services
Brute force password guessing
Single IP excessively selecting the “I forgot my password” option for several accounts
Abnormally large payments, or very high velocity of payments, from a single account
Customer info that should be stable changing often: email/physical address, payment
card, etc
– Automatically lock accounts that appear to be compromised
– Weave Splunk data into customer service tools so CSRs also see fraud indicators
– Use Splunk for fraud, security, compliance, IT Ops, and app mgmt
2
3

24. East Coast Financial Services: Use of Splunk for
Fraud Investigations
Phish detection – 500+ customers protected and ~$5M saved
–
–
Used to be done 100% by customers; log files weren’t available for searching for 1 day
Use Splunk to detect the patterns with referrers who are testing their phish to see if it works
Malware detection – 14 detections stopped $140K
–
–
This use case used
data already
indexed in
Splunk…no
incremental cost
Using Splunk to research and detect anomalies within logs specific to malware/web injects
Alert and block the PIN within 10 minutes of identification and before account access
Trading on uncollected funds - ~500 customers protected, stopping over $4.5M
–
–
–
This takes place when a customer places a trade before money transfers in clear
Without Splunk they had to wait a day to get access to this data for analysis
Fastest detection and PIN block was 37 seconds
Online Bank Wire fraud – blocked 60+ incidents saving over $240k
–
–
Transaction completion involves a code sent to a mobile phone, detecting now every 5 minutes
Actually detected an occurrence of this before the capability went live with customers
24

25. Other Companies
• Using Splunk to track unauthorized cell
phone activations at franchiser locations
Online Ticket
Reseller
• Using web log patterns to determine
fraudulent buyer and sellers
On-Line
25

26. Other Companies
• Monitoring for anomalous usage patterns
based on plans. An open international call
connection for multiple hours, discovered a
fraud ring selling intl. calling.
On-line
Educational
Institution
• Using Splunk to track academic and financial
aid fraud use weblogs and session IDs.
Students that are flagged come up on a list for
investigation
26

27. Thank You