Post 302278988 by Linux Bot on Wednesday 21st of January 2009 04:20:02 PM (Cybersecurity / IT Security forum)
Using SIEM tools for Fraud Detection

Some time ago I was assigned to a project at a telecom in South America to design, build and deploy a SOC infrastructure.

The customer's objective was to monitor the network against attacks (vulnerable devices, brute-force attacks, etc.) and to correlate events in order to identify hidden threats (DDoS, scanning, worms) and to identify business and operational frauds.

I met the audit team and was then able to understand where their main frauds happened; some examples were:

  • ADSL and dial-up users sharing username/password;
  • ADSL subscribers connecting at higher speeds than they had contracted;
  • Operators accessing the system outside of their working hours.
We decided to use the same SIEM tool acquired for the network security event correlation instead of a dedicated fraud detection system, for several reasons:

  • Saves investment;
  • Improves ROI;
  • More freedom to create behavioral rules than with a statistical fraud system.
All the logs needed to make these correlations were available but were scattered among several existing systems (electronic turnstiles, access control systems, RADIUS and LDAP databases, provisioning system, CRM, etc.), so the first task was to create the proper collectors and appropriate parsers.

After that, we started developing the correlation rules to identify the "suspicious fraud events" and restricted the event views, reports and alarms to the audit team only.

This task took several months, but in the end the audit team obtained a powerful tool that allowed them to easily identify hundreds of violations (operational and business) and also to easily change or add new rules.

For companies that have problems justifying the acquisition of a SIEM tool, I believe this is a strong argument to convince upper management. Just be careful when studying the available SIEM tools, because not all of them can be adapted in such a way.

Best Regards and a Happy New Year
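The three rule types the post lists (shared credentials across ADSL and dial-up, subscribers above their contracted speed, operators logging in outside their shift), written out as an added example that is not part of the original post and not the author's SIEM configuration. The record layouts, field names, rate values and every log record below are constructed for the illustration; the point is the join across the sources the post mentions (RADIUS accounting, provisioning/CRM, access control plus an HR shift table), which is exactly what a SIEM correlation rule expresses. The night-shift window that crosses midnight is handled explicitly, since that is the case a naive start <= t <= end comparison gets wrong.

```python
"""Constructed fraud-correlation rules over hand-made telecom records.

Not the post author's rules: fields, values and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed RADIUS accounting-style sessions (assumed fields).
RADIUS_SESSIONS = [
    {"user": "jsilva", "nas": "ADSL", "start": "2009-01-20 20:00", "stop": "2009-01-20 23:30", "rate_kbps": 1024},
    {"user": "jsilva", "nas": "DIAL", "start": "2009-01-20 21:15", "stop": "2009-01-20 22:00", "rate_kbps": 56},
    {"user": "mperez", "nas": "ADSL", "start": "2009-01-20 19:00", "stop": "2009-01-20 21:00", "rate_kbps": 2048},
    {"user": "mperez", "nas": "ADSL", "start": "2009-01-20 21:05", "stop": "2009-01-20 22:00", "rate_kbps": 2048},
    {"user": "acosta", "nas": "ADSL", "start": "2009-01-20 08:00", "stop": "2009-01-20 09:00", "rate_kbps": 512},
]

# Constructed provisioning/CRM extract: contracted downstream rate per subscriber.
CONTRACTED_KBPS = {"jsilva": 1024, "mperez": 1024, "acosta": 512}

# Constructed operator login events from the access-control / LDAP side.
OPERATOR_LOGINS = [
    {"operator": "op01", "at": "2009-01-20 10:30"},
    {"operator": "op01", "at": "2009-01-20 23:45"},
    {"operator": "op02", "at": "2009-01-21 03:10"},
]

# Constructed HR shift table: (shift start, shift end); op02 works nights.
WORKING_HOURS = {"op01": (time(8, 0), time(18, 0)), "op02": (time(22, 0), time(6, 0))}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def overlapping(a, b):
    """True when two accounting sessions are open at the same moment."""
    return parse(a["start"]) < parse(b["stop"]) and parse(b["start"]) < parse(a["stop"])


def shared_credentials(sessions):
    """Rule 1: one username with two sessions open at once (e.g. ADSL and DIAL)."""
    alerts = []
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s)
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                if overlapping(a, b):
                    alerts.append(("SHARED_CREDENTIALS", user, f'{a["nas"]} and {b["nas"]} overlap'))
    return alerts


def speed_violations(sessions, contracted):
    """Rule 2: negotiated rate above what provisioning says was contracted."""
    alerts = []
    for s in sessions:
        limit = contracted.get(s["user"])
        if limit is None:
            # A session for a subscriber provisioning does not know is itself suspicious.
            alerts.append(("NO_CONTRACT", s["user"], "no provisioning record"))
        elif s["rate_kbps"] > limit:
            alerts.append(("SPEED_ABOVE_CONTRACT", s["user"], f'{s["rate_kbps"]} > {limit}'))
    return alerts


def in_window(t, window):
    """Half-open shift window; a window with start > end crosses midnight."""
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def off_hours_logins(logins, hours):
    """Rule 3: operator login outside the operator's shift (or with no shift on file)."""
    alerts = []
    for e in logins:
        window = hours.get(e["operator"])
        if window is None or not in_window(parse(e["at"]).time(), window):
            alerts.append(("OFF_HOURS_ACCESS", e["operator"], e["at"]))
    return alerts


def run_rules():
    """Run all three correlation rules over the constructed sources."""
    return (shared_credentials(RADIUS_SESSIONS)
            + speed_violations(RADIUS_SESSIONS, CONTRACTED_KBPS)
            + off_hours_logins(OPERATOR_LOGINS, WORKING_HOURS))


if __name__ == "__main__":
    for rule, subject, detail in run_rules():
        print(f"{rule:22} {subject:8} {detail}")
```

On the sample data this raises one shared-credentials alert (jsilva on ADSL and DIAL at the same time), two speed alerts (both mperez sessions at 2048 kbit/s against a 1024 kbit/s contract) and one off-hours alert (op01 at 23:45); op02's 03:10 login is inside the 22:00 to 06:00 night shift and is correctly left alone. In a real SIEM each function would be one rule with the sources joined on the username, and the alerts would be routed only to the audit team's views, as the post describes.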
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.