Combating Constantly Evolving Advanced Threats – Solution Architecture
•Download as PPT, PDF•
2 likes•1,590 views
IBM Security. Trusteer Web Fraud. Combating Constantly Evolving Advanced Threats – Solution Architecture.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Combating Constantly Evolving Advanced Threats – Solution Architecture
Similar to Combating Constantly Evolving Advanced Threats – Solution Architecture (20)
More from IBM Sverige
More from IBM Sverige (20)
Recently uploaded
Recently uploaded (20)
Combating Constantly Evolving Advanced Threats – Solution Architecture
- 1. 10.45-11.15 Combating Constantly Evolving Advanced Threats – Solution Architecture Mats Aronsson, Nordic Technical Leader Trusteer, IBM Security
- 2. © 2014 IBM Corporation IBM Security 2 IBM Trusteer Pinpoint Services Making advanced research work for you Online/Mobile Banking Trusteer Cloud Snippets forwards data to IBM cloud 3 IBM Cloud returns actionable information via: -API -Email -Other 5 User connects to Online Banking Application 1 Application returns page, with IBM snippets 2 INTERNET IBM Fraud ExpertsIBM Fraud Experts IBM Fraud Experts Analyze Access 4
- 3. © 2014 IBM Corporation IBM Security 3 IBM Counter Fraud Management Detect Respond Investigate Discover GeoSpatial Analytics Context Analytics Content Analytics Entity Analytics Predictive Analytics Behavioral Analytics Content Management Business Intelligence Forensic Analysis Social Network Analysis Decision Management Case Management GeoSpatial Analytics GeoSpatial Analytics Context AnalyticsContext Analytics Content AnalyticsContent Analytics Entity Analytics Predictive Analytics Predictive Analytics Behavioral Analytics Behavioral Analytics Content Management Business Intelligence Business Intelligence Forensic AnalysisForensic AnalysisForensic Analysis Social Network Analysis Social Network Analysis Decision Management Decision Management Case Management Case Management Adapt with Agility - Integrated platform capabilities in one product line - Different fraud typologies need different analytical techniques - Ingest more data to find threats (cyber, aml, fraud, identiity) - Best-in-class capabilities blended together for strong defense - Supported with Integrated Implementation Services IBM Counter Fraud Management An unparalleled arsenal of capabilities to combat today’s fraud and compliance threats … and anticipate tomorrow’s schemes
- 4. © 2014 IBM Corporation IBM Security 4 WWW Phishing and Malware Fraud Advanced Threats (Employees) Online Banking Enterprise Apps Account Takeover, New Account Fraud Mobile Fraud Risk Trusteer Rapport Trusteer Rapport Trusteer Pinpoint Malware Detection Trusteer Pinpoint Malware Detection Counter Fraud Management Counter Fraud Management Transactional Fraud Fraud Risk Indicators • Compromised Device (Malware) • Compromised Account/Credentials (Phishing) • Criminal Account Takeover • Device Risk (Fingerprint/Location/Reputation) • Compromise History (Malware + Phishing) Confirmed Fraud Trusteer Mobile SDK/APP Trusteer Mobile SDK/APP Trusteer Mobile Risk Engine Trusteer Mobile Risk Engine IBM Trusteer and CFM: Combine Cyber Fraud Risk with Cross-Channel Customer and Payments Txn Risk
- 5. © 2014 IBM Corporation IBM Security 5 IBM Trusteer and CFM: Combine Cyber Fraud Risk with Cross-Channel Customer and Payments Txn Risk Online Banking Counter Fraud Management Trx Review Counter Fraud Management Trx Review 21 43+ + + Together: High risk! OR Cyber Risk Moderate risk Device Risk New Device ID Remote Access Tool Proxy Device New Location/Time Mobile Risk factors Cyber Fraud Indicators Phished Credentials Malware Infection 1 2 Cross Channel Txn Anomalies ATM Wire Check ACH Customer Lifecycle Anomalies Profile changes New Payees New Beneficiaries New Account 3 4 Cross Channel, Trx Anomalies Moderate risk Card Online IVR etc
- 6. © 2014 IBM Corporation IBM Security 6 Use Case: Fraud via Mobile Banking App (with SDK) New device and/or unusual device location + new acct + mobile deposit Online Banking Counter Fraud Management Trx Review Counter Fraud Management Trx Review 21 43+ + + Together: High risk! OR Cyber Risk Moderate risk Device Risk New Device ID Remote Access Tool Proxy Device Location/Time Jailbroken Cyber Fraud Indicators Phished Credentials Malware Infection 1 2 Cross Channel Txn Anomalies ATM Wire Check Customer Lifecycle Anomalies Profile Changes New Payees New Beneficiaries New Account 3 4 Cross Channel, Trx Anomalies Low risk Card Online IVR etc
- 7. © 2014 IBM Corporation IBM Security 7 Use Case: Malware Indicator Used to Limit Activity Credential Theft (malware), New Payees Online Banking Counter Fraud Management Txn Review Counter Fraud Management Txn Review 21 43+ + + Together: Monitor txns (esp higher risk customers) OR Cyber Risk High risk Device Risk New Device ID Remote Access Tool Proxy Device Location/Time Jailbroken Cyber Fraud Indicators Phished Credentials Malware Infection 1 2 Cross Channel Txn Anomalies ATM Wire Check ACH Customer Lifecycle Anomalies Profile Changes New Payees New Beneficiaries New Account 3 4 Cross Channel, Trx Anomalies Low risk Card Online IVR etc
- 8. © 2014 IBM Corporation IBM Security 8 Use Case: Account Takeover (Phishing) Credential Theft via phishing, possible ATO, password change Online Banking Counter Fraud Management Txn Review Counter Fraud Management Txn Review 21 43+ + + Together: Monitor high risk activities OR Cyber Risk High risk Device Risk New Device ID Remote Access Tool Proxy Device Location/Time Jailbroken Cyber Fraud Indicators Phished Credentials Malware Infection 1 2 Cross Channel Txn Anomalies ATM Wire Check ACH Customer Lifecycle Anomalies Profile Changes New Payees New Beneficiaries New Account 3 4 Cross Channel, Trx Anomalies Low risk Card Online IVR etc
- 9. © 2014 IBM Corporation IBM Security 9 Use Case: New Account Fraud Credentials purchased in underground (no malware/phishing), new account setup Online Banking Counter Fraud Management Txn Review Counter Fraud Management Txn Review 21 43+ + + Together: Moderate Risk. Double check. OR Cyber Risk High risk Device Risk New Device ID Known Fraud Device Proxy Device Location/Time Jailbroken Cyber Fraud Indicators Phished Credentials Malware Infection 1 2 Cross Channel Txn Anomalies ATM Wire Check ACH Customer Lifecycle Anomalies Profile Changes New Payees New Beneficiaries New Account 3 4 Cross Channel, Trx Anomalies Low risk Card Online IVR etc
- 10. © 2014 IBM Corporation IBM Security 9 Use Case: New Account Fraud Credentials purchased in underground (no malware/phishing), new account setup Online Banking Counter Fraud Management Txn Review Counter Fraud Management Txn Review 21 43+ + + Together: Moderate Risk. Double check. OR Cyber Risk High risk Device Risk New Device ID Known Fraud Device Proxy Device Location/Time Jailbroken Cyber Fraud Indicators Phished Credentials Malware Infection 1 2 Cross Channel Txn Anomalies ATM Wire Check ACH Customer Lifecycle Anomalies Profile Changes New Payees New Beneficiaries New Account 3 4 Cross Channel, Trx Anomalies Low risk Card Online IVR etc
Editor's Notes
- Counter Fraud Management provides a tightly integrated package of the advanced analytics and investigative capabilities needed for optimal fraud management. It’s an unprecedented richness of capabilities, all packaged in a single, integrated solution. We believe that modern fraud and compliance challenges require the flexibility to apply the right blend of capabilities to each problem, and to adapt easily, without being constrained to a specific use case, payment type, or analytical technique. With Counter Fraud Management, you get an vast array of analytical and investigative tools [ shown in slide ], working together in a common framework and data model, and can mix-and-match them to apply to any fraud or compliance (financial crime) use case. Start with one use case or fraud typology (AML, wire, ach, check, debit, internal, claims, etc) and expand to others. Extend across multiple use cases, users, transactions, data, or servers. Reduce implementation risk by deploying operational benchmarks, use cases and templates harvested from across the vast IBM ecosystem. Leverage our professional services fraud practice as a partner to evolve your roadmap, align with your strategies, and apply their expertise to implement and tailor solutions to your business. Notably: -- Single SKU for the entire counter fraud offering, priced based on the size of the business they are protecting from fraud . It will be unique to each industry. So for each industry, you get all you need in terms of capacity, to implement the protection you want to put in place for that industry; all of the analytics, all of the case management, all of the analysis tools in one offering. Let me emphasize, this is not a loose collection of capabilities and offerings. This is a single INTEGRATED solution, with a single price point. Currently we have Four value priced, industry-specific offerings for Banking/Financial Crimes, Insurance, Healthcare and Government (*) Prevent/Cyber components are sold separately, but designed to work together with CFM. Some Big Data exploratory tools are also sold separately, but work together with CFM when required to handle very large volumes or varieties of data.
- We talked about the different layers of defense provided by Trusteer to prevent cyber-attacks and credential theft. Trusteer is extremely effective in preventing malware attacks, spotting phishing attempts, and proactively eliminating sources of fraudulent activity. [ CLICK to get green box] And the next line of defense is to counter any threats that get through the front door by looking at multiple types of payment transactions and customer behavior. [ CLICK to connect them ] When we connect the two, we make both of them more effective. Trusteer sends accurate fraud risk indicators to Counter Fraud Management to further strengthen accuracy of detection and investigation. [ CLICK to show feedback loop] CFM can then send confirmed fraud indicators back to Trusteer to inform future decisions about that customer or device. Summary: Both solutions are effective on their own, but IBM believes that a smarter approach is to connect the cyber and transactional fraud dimensions.
- Lets discuss some examples where combining cyber and fraud tools helps increase effectiveness and lower false positives When looking at the full range of data and capabilities, each solution contributes insight and data towards a better decision. Trusteer can flag fraud risk (which may or may not result in actual fraud, but does increase the likelihood), and CFM can look at the actual transactions and highlight anomalous transactions as truly higher risk. Smarter Counter fraud combines Account compromise history (malware/phishing) Device risk (device ID, locations, proxy usage, remote access tools, mobile fraud risk like Jailbreak) All from Trusteer With: 3. user/account activity information (e.g. change of password, address, or beneficiary) 4. Anomalous transactions across all channels. To create a higher quality risk assessment that flags truly high risk transactions. Layering in security intelligence from QRadar, Guardium, ISAM…as well as web session information from Tealeaf can provided added benefit.
- Another mobile scenario: Credentials stolen or purchased in underground Fraudster goes to mobile app (where Trusteer SDK may be embedded) Fraudster logs in with stolen credentials using phone (if SDK in place, we have a unique device ID for this phone), Trusteer can see its a new device and/or unusual location, including mobile intelligence like if the device is jailbroken Fraudster accesses check images via phone and submits new large deposit a check via mobile banking app with cash out We know there’s a risk, so can trigger a check fraud alert and investigate appropriately. Solution Trusteer Mobile Risk Engine is really powerful as a way to see at the device level if someone has taken over the device, but it is a *probability* not a certainty, which means there are false positives. Combining the information from Trusteer (e.g. jailbroken or rooted device, rogue app, new device ID, geo-location, etc) with the payments and user/account information in CounterFraud allows us to make smarter decisions.
- A Basic Scenario: Trusteer PinPoint Malware Detection Sees Malware on the Device Trusteer detects malware on the device. Credentials may or may not have been compromised, but… This is a definitive risk, so client can choose to block immediate high risk transactions (e.g. large int’l wire on business acct) This information can also be passed to Counter Fraud so that other activity on the account can be seen in context For instance, several days or weeks later, unusual activity for that account may receive a higher risk score/scrutiny The cyber information helps inform risk models It also helps inform investigations into fraud that is triggered/suspected from other channels. Seeing the potential nexus of fraud and cyber intelligence gives investigators additional insight into what happened, and allows them to identify patterns that can be built into rules and models for future. Set SLAs to manage account activity and/or trigger alerts accordingly Solution Trusteer Pinpoint monitors for malware. But how should we treat transactions that happen downstream? Combining the information from Trusteer with the payments and user/account information in CounterFraud allows us to make smarter decisions.
- Another ATO scenario (Phishing): Credentials phished (not stolen via malware) Fraudster goes to online banking website Fraudster logs in with stolen credentials and looks like good customer…but… Trusteer knows credentials were phished, some some risk, Fraudster transacts (e.g. change password) Depending how much time has passed since the phishing attack, its not clear yet if we should block the transaction based on the device data or transaction data alone But when we look at the cyber and payment data together, it’s clear there is a risk Set SLAs to manage account activity and/or trigger alerts accordingly Solution Trusteer Rapport monitors for phishing. But how should we treat transactions that happen downstream? Combining the information from Trusteer with the payments and user/account information in CounterFraud allows us to make smarter decisions.
- How Cyber Data + Counter Fraud Together Help Stop New Account Fraud: Credentials purchased in underground Fraudster goes to online banking website Fraudster uses stolen credentials to set up a new account Trusteer Pinpoint ATO knows the device is new, proxy has some risk, location/time is unusual By itself this information isn’t definitive, so its passed to Counter Fraud Fraudster transacts (e.g. set up new account) Look at anomalous patterns of activity directly after setting up the new account (e.g. ACH, line of credit immediately after) Helps in investigation too (and in discovering new patterns) because in i2 you can see relationships/patterns. Counter Fraud can use the information from Trusteer in evaluating the risk Cyber + other information together = better visibility into risk