Large US Bank Boosts Insider Threat Detection by 5X with StreamAnalytix

Insider threats are one of the biggest cybersecurity risks to banks today. These threats are becoming more frequent, more difficult to detect, and more complicated to prevent. Information security breaches originating within a bank can include employees mishandling user credentials and account data, lack of system controls, responding to phishing emails, or regulatory violations. Ignoring these internal security breaches poses as much risk as an external threat such as hacking, especially in a highly regulated industry like banking. Identifying and fighting insider threats requires the capability to detect anomalous user behavior immediately and accurately. This detection presents its own set of challenges, such as appropriately defining what is normal or malicious behavior, and setting automated preventive controls to curb predicted threats.
About the Customer
A large US-based financial services corporation known for its extensive credit card business.

This large bank chose StreamAnalytix to identify and prevent insider information security threats across sensitive applications in its retail banking and wealth management divisions. StreamAnalytix enabled the use of predictive analytics and machine learning on a large data set from highly sensitive applications to automatically and effectively detect previously unknown threat scenarios and patterns, and to raise appropriate alerts and actions to prevent predicted breaches.

Challenge
- Simple rule-based alerts proved inadequate for accurate and timely threat detection
- An expensive and inflexible technology stack limited threat detection to only a few applications, exposing the bank to vulnerabilities
- The existing solution was taking too long to develop and move use cases into production

The bank's traditional threat detection relied on setting static rule-based alerts on users' activities to define and identify indicators of compromise. But when applied to thousands of users, this model generated a high number of irrelevant flags, which resulted in untimely action on real threats, lost among the false positives. The bank was struggling to deploy timely threat detection use cases with its existing solution. It took almost 2 years for the solution to move a single use case to production, making it difficult for the bank to scale out. The bank wanted to expand detection of anomalous behavior across all sensitive applications. However, the bank's current relational technology stack was proving too expensive and inflexible, limiting the bank to processing data from only 15-20% of hundreds of sensitive customer-facing and operational applications. Also, savvy attackers went unnoticed by keeping their malicious activities within the defined set of rules.
www.streamanalytix.com
The StreamAnalytix Advantage

Solution
Ingestion and data processing from 5x more applications, at a fraction of the cost
The new threat detection application enabled by StreamAnalytix could now ingest data from 80-90% of customer-facing and operational applications. StreamAnalytix used network attached storage systems and Apache Kafka, a fast message queue, to ingest data at a ten times lower infrastructure cost and at a speed of 98,000 events per second, four times the speed of the older technology stack.

Data transformation in real-time
In-memory data transformation allows faster data quality scoring, data cleansing, and data enrichment. The platform enables:
- Real-time data quality scoring and auto-cleansing
- Data deduplication over seven days of history. This helped curb a high number of false positives, narrowing the flags to relevant suspicious behavior and activity
- Enriching event records with employee and application data, such as:
  - First name, last name, employee ID
  - Employee details such as department, role, access permissions, and online activity
  - Details of applications each employee has permission to access
- Executing data transformations such as:
  - Lookup cache and set record type as first name and populate "standard ID"
  - Lookup on first name / full name / person ID caches to set the user ID
  - Lookup on cache to set user ID
  - Generate unique sequence numbers
  - Move all the non-schema fields into the EXTRA field

Use of machine learning models on log and complex event data for automated, continuous, and accurate anomaly detection
StreamAnalytix enables the use of machine learning to move away from static rule-based alerts to dynamic models. These models periodically learn normal baseline behavior and detect anomalies based on both dynamic and static factors such as identities, roles, and excess access permissions, correlated with log and event data. Models developed using built-in machine learning operators in StreamAnalytix include self-learning and training behavioral profile algorithms. This helps in processing each new transaction in real-time to build risk scores and dynamic thresholds for various risk factors, which leads to automated, accurate, and timely identification of suspicious behavior.
For instance, the algorithm groups users based on roles and access permissions and identifies anomalous activity levels for individual users in relation to what is usual behavior for the whole group. This enables identification of specific people, as opposed to only identifying anomalous events. This approach proved highly effective in reducing false positives and highlighting behavior that truly accounted for malicious activities; positives were reduced to tens per day as opposed to hundreds or thousands per day.

Custom alerts to curb fraud in real-time
StreamAnalytix enabled appropriate real-time alerts and actions to prevent predicted breaches. These included routine rule-based alerts such as off-hours activity, multiple failed logins and multi-station logins, and custom alerts for "suspicious" activity (based on a complex mix of factors deduced by the machine learning algorithms) which could be manually validated by security experts.

Results
- 5X expansion in scope: the bank went from processing data from 15-20% of applications to 80-90% of critical applications, processing 85M records per day
- 4x boost in performance: data throughput went up to 98,000 events per second, four times the speed enabled by the previous technology stack
- 10x cost reduction: realized a dramatic cost reduction compared to their traditional RDBMS stack
- Enhanced threat detection accuracy and timeliness: use of machine learning proved highly effective in reducing false positives and highlighting behavior that truly accounted for malicious activities
- 10x faster application development and production: the threat detection application was re-developed in three weeks and moved into production in eight weeks, compared to nearly 12 months taken by the earlier solution
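The peer-group scoring and the routine rule-based alerts described above, as an added Python example that is not StreamAnalytix's own code; the employee roles, the event records and the thresholds (working hours 07:00-19:00, three failed logins, z-score above 1.5) are constructed assumptions:

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Hypothetical example, not StreamAnalytix code. Constructed employee cache: employee ID -> role.
ROLES = {"e1": "teller", "e2": "teller", "e3": "teller", "e4": "teller", "e5": "advisor", "e6": "advisor"}
# Constructed access-log events: (employee ID, hour of day, workstation, login outcome, records read).
EVENTS = [
    ("e1", 9, "ws-01", "ok", 40), ("e1", 9, "ws-01", "ok", 40),     # duplicate delivery
    ("e2", 10, "ws-02", "ok", 45), ("e3", 11, "ws-03", "ok", 38),
    ("e4", 14, "ws-04", "ok", 42), ("e4", 15, "ws-09", "ok", 400),  # second station, bulk reads
    ("e5", 10, "ws-05", "ok", 120),
    ("e6", 1, "ws-06", "fail", 0), ("e6", 2, "ws-06", "fail", 0),
    ("e6", 3, "ws-06", "fail", 0), ("e6", 3, "ws-06", "ok", 130),   # off-hours, after 3 failures
]

def dedupe(events):
    """Drop exact duplicate deliveries, keeping the first (the bank deduped over seven days)."""
    return list(dict.fromkeys(events))

def rule_alerts(events, start=7, end=19, max_fail=3):
    """Routine alerts: off-hours activity, repeated failed logins, logins from several stations."""
    alerts, fails, stations = set(), Counter(), defaultdict(set)
    for emp, hour, ws, outcome, _ in events:
        if not start <= hour < end:
            alerts.add(("off_hours", emp))
        if outcome == "fail":
            fails[emp] += 1
        stations[emp].add(ws)
    alerts |= {("failed_logins", e) for e, n in fails.items() if n >= max_fail}
    alerts |= {("multi_station", e) for e, s in stations.items() if len(s) > 1}
    return alerts

def peer_group_scores(events, roles):
    """z-score of each user's record volume against the peers who share their role."""
    volume = Counter()
    for emp, _, _, _, n in events:
        volume[emp] += n
    by_role = defaultdict(list)
    for emp, n in volume.items():
        by_role[roles[emp]].append(n)
    scores = {}
    for emp, n in volume.items():
        peers = by_role[roles[emp]]
        sd = pstdev(peers)
        scores[emp] = (n - mean(peers)) / sd if sd else 0.0  # a group of identical peers scores 0
    return scores

def detect(events, roles, z=1.5):
    events = dedupe(events)  # dedupe first so repeated deliveries do not inflate anyone's volume
    flagged = {e for e, s in peer_group_scores(events, roles).items() if s > z}
    return flagged, rule_alerts(events)
```

Running `detect(EVENTS, ROLES)` flags the teller whose read volume stands out against the other tellers, while the off-hours failures and the second-workstation login surface through the rule-based alerts; the z threshold and working hours would be tuned per role in practice.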
[Figure: Insider Threat Detection Solution with StreamAnalytix. Banking applications (credit cards, debit cards, personal loans, transactional account, other) feed data ingestion via Apache Kafka into a pipeline of de-dup, data quality and data validation rules, data enricher, machine learning for log analysis and CEP, and alerts; data sinks: SQL Server, HDFS, email. Technology stack shown below the pipeline.]

© 2018 Impetus Technologies, Inc. All rights reserved. Product and company names mentioned herein may be trademarks of their respective companies.

StreamAnalytix is an enterprise grade, visual, big data analytics platform for unified streaming and batch data processing based on best-of-breed open source technologies. It supports the end-to-end functionality of data ingestion, enrichment, machine learning, action triggers, and visualization. StreamAnalytix offers an intuitive drag-and-drop visual interface to build and operationalize big data applications five to ten times faster, across industries, data formats, and use cases.

Visit www.streamanalytix.com or write to us at inquiry@streamanalytix.com