Using SIEM tools for Fraud Detection
Post 302278988 by Linux Bot on Wednesday 21st of January 2009 04:20:02 PM

Some time ago I was assigned for a project in a Telecom in South America to design, build and deploy a SOC Infrastructure.

The customer objective was to monitor the network against attacks (vulnerable devices, brute force attacks, etc.) and correlate events in order to identify hidden threats (DDoS, scanning, worms) and to identify business and operational frauds.

I met the audit team and was then able to understand where their main frauds happen; some examples were:

  • ADSL and Dial users sharing username/password;
  • ADSL Subscribers connecting with higher speeds than they had hired;
  • Operators accessing the system outside of their working hours.

We decided to use the same SIEM tool acquired to do the network security event correlation instead of using a dedicated Fraud Detection System, for several reasons:

  • Saves investment;
  • Improves ROI;
  • More freedom to create behavioral rules than using a statistical fraud system.

All logs needed to make these correlations were available but were scattered among several existing systems (electronic turnstile, access control systems, RADIUS and LDAP databases, provisioning system, CRM, etc.), so the first task was to create the proper collectors and appropriate parsers.

After that, we started developing the correlation rules to identify the "suspicious fraud events" and restricting the event views, reports and alarms to only the audit team.

This task took several months, but in the end the audit team obtained a powerful tool that allowed them to easily identify hundreds of violations (operational and business) and also to easily change or add new rules.

For some companies that have problems justifying the acquisition of a SIEM tool, I believe this is a strong argument to convince upper management. Just be careful when studying the available SIEM tools, because not all of them can be adapted in such a way.

Best Regards and a Happy New Year
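The post describes three behavioral rules (shared subscriber credentials, sessions faster than the contracted plan, operator access outside working hours) fed by RADIUS, provisioning and access-control logs. The following is an added example, not the poster's rules or any SIEM product's rule language, showing how those three correlations can be expressed over constructed sample records; the field layouts, usernames, NAS addresses, plan speeds and shift table are all hypothetical.

```python
"""Toy SIEM-style correlation rules for the three fraud cases described in the post.
All data below is constructed for illustration (hypothetical, not from the original)."""
from datetime import datetime, time

# Provisioning system: subscriber -> contracted downstream rate in kbit/s (constructed).
PROVISIONED_KBPS = {"alice": 1024, "bob": 2048, "carol": 512}

# RADIUS accounting sessions: (user, nas_ip, start, stop, peak_rate_kbps) (constructed).
SESSIONS = [
    ("alice", "10.0.0.1", "2009-01-21 08:00", "2009-01-21 09:00", 1000),
    ("alice", "10.0.0.2", "2009-01-21 08:30", "2009-01-21 10:00", 1010),  # overlaps, second NAS
    ("bob",   "10.0.0.1", "2009-01-21 08:00", "2009-01-21 09:00", 2040),
    ("bob",   "10.0.0.1", "2009-01-21 09:30", "2009-01-21 10:00", 2000),  # sequential, same NAS
    ("carol", "10.0.0.3", "2009-01-21 11:00", "2009-01-21 12:00", 1900),  # far above 512 plan
]

# Operator access-control log: (operator, timestamp) (constructed).
OPERATOR_LOGINS = [
    ("op1", "2009-01-21 09:15"),
    ("op1", "2009-01-21 22:40"),  # outside op1's day shift
    ("op2", "2009-01-21 02:05"),  # inside op2's overnight shift
]

# HR shift table: operator -> (shift start, shift end); end < start means overnight (constructed).
SHIFTS = {"op1": (time(8, 0), time(18, 0)), "op2": (time(22, 0), time(6, 0))}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def shared_credentials(sessions):
    """Rule 1: one username active at the same time from two different NAS devices."""
    by_user = {}
    for user, nas, start, stop, _ in sessions:
        by_user.setdefault(user, []).append((nas, _ts(start), _ts(stop)))
    hits = set()
    for user, recs in by_user.items():
        for i in range(len(recs)):
            for j in range(i + 1, len(recs)):
                (nas_a, s_a, e_a), (nas_b, s_b, e_b) = recs[i], recs[j]
                # Two intervals overlap when each starts before the other ends.
                if nas_a != nas_b and s_a < e_b and s_b < e_a:
                    hits.add(user)
    return sorted(hits)


def over_speed(sessions, provisioned, tolerance=0.10):
    """Rule 2: observed peak rate exceeds the contracted rate by more than `tolerance`."""
    return sorted({user for user, _, _, _, rate in sessions
                   if rate > provisioned.get(user, 0) * (1 + tolerance)})


def in_shift(t, shift):
    """True if clock time `t` falls inside the shift window, handling overnight shifts."""
    start, end = shift
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def off_hours_access(logins, shifts):
    """Rule 3: operator login outside scheduled hours (or with no shift record at all)."""
    return [(op, ts) for op, ts in logins
            if op not in shifts or not in_shift(_ts(ts).time(), shifts[op])]


def run_all():
    """Evaluate all three rules; the SIEM would route these to the audit team's views."""
    return {
        "shared_credentials": shared_credentials(SESSIONS),
        "over_speed": over_speed(SESSIONS, PROVISIONED_KBPS),
        "off_hours_access": off_hours_access(OPERATOR_LOGINS, SHIFTS),
    }


if __name__ == "__main__":
    for rule, findings in run_all().items():
        print(f"{rule}: {findings}")
```

The tolerance in rule 2 and the "no shift record counts as a violation" choice in rule 3 are the kind of thresholds the post says the audit team wanted to tune themselves; keeping them as function parameters or lookup tables rather than hard-coded constants is what makes the rules cheap to change later.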