New Splunk for Anti-Fraud, Theft, Abuse · 2017. 10. 13.

Page 1

Copyright © 2014 Splunk Inc.

Joe Goldberg, Product Marketing, Splunk

Splunk for Anti-Fraud, Theft, Abuse

Page 2

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Page 3

Fraud is Pervasive and Costly

• High annual costs: Merchants $200-250 billion; banks and financial institutions $12-15 billion¹
• Growing: Online fraud revenue loss grew 85% from 2003-12²
• Reputation/brand damage
• External & internal
• Types: Account takeover, credit card, wire transfer, anti-money laundering, education loans, insurance, healthcare, and more
• No industry or region is immune
• Business moving online has made it worse

1. Forrester Feb 2013
2. CyberSource/Visa 2013

Page 4

Existing Fraud Tools Are Limiting

NARROW VIEW OF FRAUD

SCALE AND SPEED ISSUES

DIFFICULT TO DEPLOY; LIMITED ROI

RIGID AND INFLEXIBLE

Page 5

Machine Generated Data is a Definitive Record of Human-to-Machine and Machine-to-Machine Interaction

Page 6

Machine Data Contains Critical Fraud Insights

Sources: Authentication, Web Proxy, Card Payment System

Web Proxy (highlighted fields: Source IP, User Name, Referring URL):

2013-08-09 16:21:38 10.11.36.29 98483 148 TCP_HIT 200 200 0 622 - - OBSERVED GET HTTP/1.1 0 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; www.neverbeenseenbefore.com InfoPath.1; MS-RTC LM 8; .NET CLR 1.1.4322; .NET CLR 3.0.4506.2152; ) User John Doe,"

Card Payment System (highlighted fields: Card ID, Amount, Merchant ID):

[2013-09-04-14.45.54.608000] proc_source="B24A", tmst_target="2013-09-04-14.45.54.724000", serv_id="ISS", proc_input="MAST", proc_target="B24H", interface_acq="BNET_1", interface_iss="02008", cod_msg="1110", oper_rrn="090448764439", card_id="526430VS350Y2992", oper_amount="000000008000", oper_currency="978", oper_country="380", term_id="00599307", circuito="", ser_merc="4722", bin_acq="002111", id_merc="329017246168", prcode="003000", action_code="000", approval_code="H8H766", oper_mod_input="1", channel="O", flag_dupl="Y", flag_onus="N", auth_rout_dst="INTFHI93", auth_rout_id="HISO_AUTH", msg_subst="", ndg="0000000078507391", station_acq="STA-BNET-MI1", acceptor="TRAWEL SPA\\MILANO\ 380", tmst_ins="2013-09-04-14.48.56.277466", lpar="B"

Authentication (highlighted fields: Source IP 10.11.36.20, Client ID):

20130806041221.000000 Caption=ACME-2975EB\JohnDoe Description=User account Built-in account for administering the computer/domain Domain=ACME-2975EB InstallDate=NULL LocalAccount=True Name=Administrator SID=S-1-5-21-1715567821-926492609-725345543-500 SIDType=1 Status=Degraded wmi_type=UserAccounts

Page 7

Example Patterns of Fraud in Machine Data

Industry | Type of Fraud | Pattern of fraud
Financial Services | Account takeover | Many transactions between $9-10k
E-tailing | Account takeover | Many accounts accessed from one IP
Healthcare | Physician billing | Physician billing for drugs outside their expertise area
Telecoms | Roaming abuse | Excessive roaming on partner network by unlimited use customers
Online education | Student loan fraud | Student IP in "high-risk" country and student absent from classes & assignments
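The two account-takeover patterns in the table (many transactions just under $10k for one account; many accounts reached from one source IP) are simple aggregations once the source IP, user and amount fields have been extracted from the machine data. The script below is an added example and is not code from the deck or from Splunk; the events, IP addresses, user names and the thresholds (three transactions in the $9k-$10k band, three distinct accounts per IP) are constructed assumptions chosen to make the patterns visible.

```python
"""Detect two of the slide's fraud patterns over constructed sample events.

Added example, not from the Splunk deck; every event below is constructed.
Pattern 1 (Financial Services): many transactions between $9k and $10k for
  one account, i.e. amounts kept just under a $10k reporting threshold.
Pattern 2 (E-tailing): many distinct accounts accessed from one source IP.
"""
from collections import defaultdict

# Constructed transaction events shaped like the fields the slide extracts
# (source IP, user, amount). Addresses are from documentation ranges.
TRANSACTIONS = [
    {"user": "jdoe",   "amount": 9500.00,  "src_ip": "203.0.113.10"},
    {"user": "jdoe",   "amount": 9900.00,  "src_ip": "203.0.113.10"},
    {"user": "jdoe",   "amount": 9250.00,  "src_ip": "203.0.113.11"},
    {"user": "jdoe",   "amount": 9800.00,  "src_ip": "203.0.113.12"},
    {"user": "asmith", "amount": 9600.00,  "src_ip": "198.51.100.7"},
    {"user": "asmith", "amount": 120.00,   "src_ip": "198.51.100.7"},
    {"user": "bchan",  "amount": 15000.00, "src_ip": "198.51.100.8"},
]

# Constructed login events for the shared-IP pattern.
LOGINS = [
    {"user": "u1", "src_ip": "192.0.2.50"},
    {"user": "u2", "src_ip": "192.0.2.50"},
    {"user": "u3", "src_ip": "192.0.2.50"},
    {"user": "u4", "src_ip": "192.0.2.50"},
    {"user": "u1", "src_ip": "192.0.2.50"},  # repeat login, same account
    {"user": "u5", "src_ip": "192.0.2.51"},
    {"user": "u6", "src_ip": "192.0.2.51"},
]


def structuring_suspects(events, low=9000.0, high=10000.0, min_count=3):
    """Return {user: count} for users with at least min_count transactions
    whose amount falls inside [low, high] (assumed thresholds)."""
    counts = defaultdict(int)
    for e in events:
        if low <= e["amount"] <= high:
            counts[e["user"]] += 1
    return {u: c for u, c in counts.items() if c >= min_count}


def shared_ip_suspects(events, min_accounts=3):
    """Return {src_ip: sorted distinct users} for source IPs that touched
    at least min_accounts distinct accounts; repeat logins count once."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_accounts}


if __name__ == "__main__":
    print("structuring suspects:", structuring_suspects(TRANSACTIONS))
    print("shared-IP suspects:", shared_ip_suspects(LOGINS))
```

In Splunk the same two checks are a count by user over the amount range and a distinct count of users by source IP (`stats dc(user) by src_ip`); the Python version makes the grouping explicit so the thresholds can be tuned against a baseline before being turned into a real-time alert.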

Page 8

Splunk: Machine Data Platform For Fraud Use Cases

Machine Data: Any Location, Type, Volume
• Online Services, Web server, Servers, Malware, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Badge records, Online Shopping Cart, Fraud tools, Databases/transactions, Call Detail Records, Smartphones and Devices, Authentications, Mobile
• On-Premises, Private Cloud, Public Cloud

Answer Any Question
• Developer Platform
• Report and analyze
• Custom dashboards
• Monitor and alert
• Ad hoc search

External Lookups
• Threat feeds, Asset Info, Employee Info, Data stores, Payment Systems

Any amount, any location, any source
• Schema-on-the-fly
• Universal indexing
• No back-end RDBMS
• No need to filter data

Page 9

Why Splunk for Fraud Detection?

FLEXIBLE

SCALE & SPEED

BROAD VIEW

FAST VALUE; COMPELLING ROI

Page 10

Supports Needs of Anti-fraud Teams

Fraud Investigations

Fraud Analytics and Reporting

Enhance Existing Fraud Tools

Fraud Monitoring and Detection

Page 11

Fraud Monitoring and Detection

• Advanced correlations to spot patterns of fraud
• Baseline and then detect anomalies that might be fraud
• Real-time searches & alerts
• Initiate automated remediation

Screenshot captions: Referrer strings can indicate phishing victims; Spot outliers

Page 12

Fraud Investigations

• Quickly pivot through current or historical data
  – Who, what, where, when, why
  – Need all the original data in one place
• If fraud found:
  – See if pattern exists elsewhere in the data
  – Turn pattern into a real-time search/alert
• May be a "cold case" investigation going back months

Timeline diagram (January, February, March, April) linking Suspect A, Suspect B, Suspect C, Accomplice A and Accomplice B through events such as:

SrcIP=41.67.128.1, user john doe, atm withdrawal, $4,500
SrcIP=41.77.333.1, user john doe, $20k loan application
ClientIP=41.65.222.1, user john doe, wire transfer, $9,999

Page 13

Fraud Analytics and Reporting

• Many types of visualizations to measure and manage fraud risk
• Easy to create in Splunk
  – List of new possible fraud events
  – Information for order reviewer
  – Historical reports
  – Fraud trends
  – Executive/auditor dashboards
  – GeoIP maps
  – Splunk is architected for ad hoc analytics

Sample dashboards: Fraud Events by Time and Domain; Suspicious physician transactions

Page 14

Enhance Existing Fraud Tools: A single pane of glass for fraud

Chart: Events by Fraud Tool (Web fraud, Credit card fraud, Visits to fraud IPs, Internal teller fraud, POS fraud, Trading fraud)

• Collect data from existing point fraud tools:
  – Provide a single transaction/event an aggregate risk score
  – Enable consolidated risk reporting to see overall risk posture and trends

Sample Splunk Summary Index

Session ID | Web fraud risk score | Credit card risk score | Threat Intel risk score | Splunk Total
1234567 | 0 | 2 | 0 | 2
7654321 | 6 | 9 | 15 | 30
1231789 | 1 | 2 | 0 | 3
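The summary index on this slide is the output of a roll-up: each point fraud tool scores a session on its own scale, and the aggregate is the per-session sum, with a session a tool never saw contributing zero for that column. The script below is an added example, not code from the deck or from Splunk; the three tool names, the event shape and the alert threshold of 20 are assumptions, while the scores are the slide's own sample rows so the totals can be checked against it.

```python
"""Roll point-tool risk scores up to one aggregate score per session.

Added example, not from the Splunk deck. Tool names, event shape and the
alert threshold are assumptions; the scores reproduce the slide's sample
summary index (sessions 1234567, 7654321 and 1231789).
"""
from collections import defaultdict

# Assumed names for the three point tools feeding the summary index.
TOOLS = ("web_fraud", "credit_card", "threat_intel")

# Constructed per-tool events. A tool that never scored a session simply
# emits no event for it, e.g. session 1234567 was only seen by credit_card.
TOOL_EVENTS = [
    {"session_id": "1234567", "tool": "credit_card",  "score": 2},
    {"session_id": "7654321", "tool": "web_fraud",    "score": 6},
    {"session_id": "7654321", "tool": "credit_card",  "score": 9},
    {"session_id": "7654321", "tool": "threat_intel", "score": 15},
    {"session_id": "1231789", "tool": "web_fraud",    "score": 1},
    {"session_id": "1231789", "tool": "credit_card",  "score": 2},
]


def summarize(events, tools=TOOLS):
    """Build summary-index rows: {session_id: {tool: score, ..., "total": sum}}.

    Missing tool scores default to 0; several events from the same tool for
    one session are added together; an unknown tool name is rejected rather
    than silently creating a new column."""
    rows = defaultdict(lambda: {t: 0 for t in tools})
    for e in events:
        if e["tool"] not in tools:
            raise ValueError(f"unknown fraud tool {e['tool']!r}")
        rows[e["session_id"]][e["tool"]] += e["score"]
    for r in rows.values():
        r["total"] = sum(r[t] for t in tools)
    return dict(rows)


def high_risk_sessions(rows, threshold=20):
    """Session IDs whose aggregate score meets the (assumed) alert threshold."""
    return sorted(s for s, r in rows.items() if r["total"] >= threshold)


def render(rows, tools=TOOLS):
    """Render the rows as the slide's table, one text line per row."""
    header = ["Session ID"] + [f"{t} risk score" for t in tools] + ["Splunk Total"]
    lines = [" | ".join(header)]
    for sid in sorted(rows):
        r = rows[sid]
        lines.append(" | ".join([sid] + [str(r[t]) for t in tools] + [str(r["total"])]))
    return lines


if __name__ == "__main__":
    rows = summarize(TOOL_EVENTS)
    print("\n".join(render(rows)))
    print("high risk:", high_risk_sessions(rows))
```

Summing unscaled scores from different tools is what the slide shows, so that is what the example does; in practice each tool's column would be normalised to a common range first, otherwise a tool with a wide scale (threat intel at 15 here) dominates the total.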

Page 15

Splunk for Fraud Detection Across Verticals

Financial Services · Mobile / Wireless · eCommerce · Online Education

"Fraud is the daughter of greed." ― Jonathan Gash, The Great California Game

Page 16

Customer Examples

Page 17

Cash Wire Transfer Company

Pie chart, share of attempted payments: Stopped 81.97%; Recovered 14.41%; Loss 3.62%

Bar chart ($0 to $35,000,000): Actual Loss, Stopped and Recovered for Splunk Alone, Splunk & Other methods, and Other Detection methods

Payment Amount | Attempted | Stopped | Released | Recovered | Net Loss
Total | $33.5 MM | $27.5 MM | $6 MM | $5 MM | $1 MM
Splunk Detected | $15 MM | $13 MM | $2 MM | $1.7 MM | $0.2 MM

• Attempted: payments created or released
• Stopped: payments didn't leave the bank
• Released: payments were out of the bank
• Recovered: payments were recalled back
• Net loss: payments were cashed out

Page 18

Online Marketplace

• Etsy needed a faster way to identify fraud and account takeovers
• With Splunk, fast, automated fraud detection and prevention
  – Use Splunk to identify indicators of account takeovers in real-time
  – Automatically lock accounts that appear to be compromised
  – Weave Splunk data into customer service tools so CSRs can also see indicators of fraud
  – Use Splunk for fraud, security, compliance, IT Ops, and app mgmt.

"We use data and Splunk to help make Etsy a safer place to conduct business. And we are barely scratching the surface of Splunk!"

Nick Galbreath, Director of Engineering

Page 19

Top 5 Online University

• Challenge: Needed solution to detect fraudulent student loans
  – Difficult to identify fraudulent loans and attendance activity
• Enter Splunk: Significant cost savings in reduced loan fraud
  – Cross-check students with loans against classroom activity to identify fraudsters
  – Stopped $10s of millions of fraudulent funds from distribution
  – Reputation and Dept of Education accreditation maintained
  – Single tool for fraud, compliance, cybersecurity, IT Operations, and Classroom Ops

Page 20

Loss Prevention at Retail Chain

Page 21

Loss Prevention at Retail Chain

Page 22

Q&A

Page 23

THANK YOU