Using SIEM tools for Fraud Detection
Forum: Special Forums > Cybersecurity > IT Security RSS
Post 302278988 by Linux Bot on Wednesday 21st of January 2009 04:20:02 PM

Some time ago I was assigned to a project at a telecom in South America to design, build and deploy a SOC infrastructure.

The customer's objective was to monitor the network against attacks (vulnerable devices, brute-force attacks, etc.), to correlate events in order to identify hidden threats (DDoS, scanning, worms), and to identify business and operational frauds.

I met the audit team and was then able to understand where their main frauds happen; some examples were:

  • ADSL and dial-up users sharing username/password;
  • ADSL subscribers connecting at higher speeds than they had contracted for;
  • Operators accessing the system outside of their working hours;
We decided to use the same SIEM tool, acquired to do the network security event correlation, instead of a dedicated fraud detection system, for several reasons:

  • Saves investment;
  • Improves ROI;
  • More freedom to create behavioral rules than using a statistic Fraud system;
All the logs needed to make these correlations were available but were scattered among several existing systems (electronic turnstile, access control systems, RADIUS and LDAP databases, provisioning system, CRM, etc.), so the first task was to create the proper collectors and appropriate parsers.

After that, we started developing the correlation rules to identify the "suspicious fraud events" and restricting the event views, reports and alarms to the audit team only.

This task took several months, but in the end the audit team obtained a powerful tool that allowed them to easily identify hundreds of violations (operational and business) and also to easily change or add new rules.

For companies that have problems justifying the acquisition of a SIEM tool, I believe this is a strong argument to convince upper management. Just be careful when studying the available SIEM tools, because not all of them can be adapted in such a way.

Best Regards and a Happy New Year
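The post names three fraud patterns (shared ADSL/dial-up credentials, subscribers exceeding their contracted speed, operators logging in outside their shifts) and the sources they were correlated from (RADIUS, provisioning, turnstile/access control). The script below is an added example, not code from the post or from any SIEM product, showing what those correlation rules look like once the collectors have parsed the feeds into records. All record layouts, usernames, NAS addresses and shift tables are constructed for the example; a real deployment would read them from the collectors and the provisioning/HR systems.

```python
"""Added example: SIEM-style correlation rules for the three fraud patterns
described in the post, run over constructed sample records (hypothetical
schemas; not real telecom data)."""
from collections import defaultdict
from datetime import datetime, time

# Provisioning system: what each subscriber contracted for (constructed).
PROVISIONING = {
    "alice": {"service": "adsl", "max_kbps": 1024},
    "bob":   {"service": "dial", "max_kbps": 56},
    "carol": {"service": "adsl", "max_kbps": 2048},
}

# RADIUS accounting as emitted by the collector (constructed):
# (timestamp, Acct-Status-Type, User-Name, service, NAS-IP-Address, Acct-Session-Id, negotiated kbps)
RADIUS_ACCT = [
    ("2009-01-20T08:00:00", "Start", "alice", "adsl", "10.0.0.1", "s1", 1024),
    ("2009-01-20T08:05:00", "Start", "alice", "dial", "10.0.0.9", "s2", 56),
    ("2009-01-20T09:00:00", "Start", "carol", "adsl", "10.0.0.1", "s3", 8192),
    ("2009-01-20T09:10:00", "Start", "bob",   "dial", "10.0.0.9", "s4", 56),
    ("2009-01-20T10:00:00", "Stop",  "alice", "adsl", "10.0.0.1", "s1", 1024),
]

# Operator shifts from the HR/access-control system: operator -> (start, end) local time.
SHIFTS = {"op1": (time(8, 0), time(18, 0)), "op2": (time(8, 0), time(18, 0))}

# Turnstile (badge) entries and application logins, as (timestamp, operator).
TURNSTILE = [("2009-01-20T07:55:00", "op1")]
APP_LOGINS = [
    ("2009-01-20T08:10:00", "op1"),   # in shift, badged in: normal
    ("2009-01-20T22:30:00", "op1"),   # outside shift
    ("2009-01-20T09:00:00", "op2"),   # in shift, but never badged in that day
]


def _ts(s):
    return datetime.fromisoformat(s)


def shared_credential_alerts(acct, provisioning):
    """Rule 1: one username holding two concurrent sessions on different NAS
    devices, or a session on a service type the subscriber is not provisioned for.
    Stateful: needs the set of open sessions per user, not just the current event."""
    alerts = []
    active = defaultdict(dict)          # user -> {session_id: (nas, service)}
    for ts, status, user, service, nas, sid, _ in sorted(acct):
        if status == "Stop":
            active[user].pop(sid, None)
            continue
        prov = provisioning.get(user)
        if prov and prov["service"] != service:
            alerts.append((ts, user, f"{prov['service']} subscriber logged in via {service}"))
        for other_sid, (other_nas, _) in active[user].items():
            if other_nas != nas:
                alerts.append((ts, user, f"concurrent sessions {other_sid}@{other_nas} and {sid}@{nas}"))
        active[user][sid] = (nas, service)
    return alerts


def speed_violation_alerts(acct, provisioning):
    """Rule 2: negotiated rate on a session Start above the contracted maximum."""
    return [(ts, user, f"{kbps} kbps > contracted {provisioning[user]['max_kbps']} kbps")
            for ts, status, user, _, _, _, kbps in acct
            if status == "Start" and user in provisioning
            and kbps > provisioning[user]["max_kbps"]]


def operator_access_alerts(logins, turnstile, shifts):
    """Rule 3: application login outside the operator's shift, or on a day with
    no turnstile entry for that operator (login without physical presence)."""
    alerts = []
    badged_days = {(op, _ts(ts).date()) for ts, op in turnstile}
    for ts, op in logins:
        when = _ts(ts)
        start, end = shifts.get(op, (time(0, 0), time(23, 59, 59)))
        if not (start <= when.time() <= end):
            alerts.append((ts, op, "login outside shift"))
        if (op, when.date()) not in badged_days:
            alerts.append((ts, op, "login with no turnstile entry that day"))
    return alerts


def run_all():
    """Evaluate every rule over the constructed feeds; keyed by rule name."""
    return {
        "shared_credentials": shared_credential_alerts(RADIUS_ACCT, PROVISIONING),
        "speed_violation": speed_violation_alerts(RADIUS_ACCT, PROVISIONING),
        "operator_access": operator_access_alerts(APP_LOGINS, TURNSTILE, SHIFTS),
    }


if __name__ == "__main__":
    for rule, alerts in run_all().items():
        for ts, who, why in alerts:
            print(f"[{rule}] {ts} {who}: {why}")
```

The first rule is the one that separates a usable SIEM from one that cannot be adapted this way: it has to keep per-user session state across events from different collectors (a dial-up NAS and an ADSL NAS) and compare against a provisioning lookup, rather than threshold a single event stream. The third rule only works if the turnstile and application clocks are synchronised and both feeds carry the same operator identifier, so the collector/parser stage should normalise that before any rule is written.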
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.