Slide 8 (28-Apr-15): Detection Methods
- Peer group anomalies (homogeneous peer groups)
- Historic behavior pattern anomalies: profiling of user, account, customer or other entities
- Excessive links between a user and certain accounts/customers (in a call center, links between agents and customers are normally random)
- Specific suspicious scenarios, e.g. an address change followed by re-issuing a credit card
- Correlate HR information with user activity, e.g. a customer address similar to an employee's address
- Correlate user activity with known external fraud cases, e.g. excessive access by a user to credit cards that later suffered external fraud, before the fraud occurred
- Application honey pots: open higher permissions to suspicious users and monitor their activity closely
Slide 12: Intellinx – General Architecture (diagram; only the labels survived extraction)
- Monitored environment: Mainframe, AS/400, Web Server, Client/Server, Database Server, Network Switch
- Existing data sources: Databases, Reference tables, Log Files
- Users of the monitored applications: External Users (eBusiness customers); Internal Users (Business User, Privileged IT User)
- Intellinx functions: Data Collector & Consolidator, Analytic Engine, Analyzed Data, Search Engine, Visual Audit Trail, Investigation Center & Case Manager
- Intellinx users (Auditors, Compliance Officers, Fraud Investigators) work with: Visual replay, Google-like search, Reports, Alerts, Cases, Profiles
Slide 13: Scalability (diagram; only the labels survived extraction)
- Enterprise operational environment: Internal Web Server, Network Switch, Message Queue, Application Servers, Mainframe
- Traffic captured: HTTP Traffic, Client/Server Traffic, Terminal Emulation Traffic, MQ Traffic, API Data
- Intellinx distributed environment: Intellinx Sensor, Intellinx Analyzer, Intellinx Backlog Database, deployed across sites (USA, UK, Hong Kong)
Slide 58: Internal Fraud Examples – Credit Card Back Office Detection Rules
Customer Management
- Address change and card re-issue within x days (e.g. 5 days)
- Change in customer's mailing status (mailing stopped or redirected)
- More than x blocked accounts unblocked in one day
Data Theft
- VIP account browsing
- Other employee account browsing
- More than x accounts viewed in 1 day, with a total credit limit of more than $Y
- User following the same customer for a period of time
Credit Management
- Credit limit change after working hours
- Credit limit increase by X% or more
- Credit limit increase of more than $X
- More than one credit limit increase in one month for the same account
- New credit card that will not be sent to the customer (but collected from the company)
- Change of the credit card's bank account to an employee's bank account
- Postponing of the credit card billing date
- Card re-issue requested within 10 days of an address change
Employee's Accounts
- Merchant bank account similar to an employee's bank account
- New loan to an employee's credit card or bank account
- Change in an employee's account made by the employee
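As an added illustration of the customer-management rules above (this is not Intellinx code and not from the deck), the following Python implements the generic "action A followed by action B on the same customer within x days" rule and runs it over constructed back-office events; the window is a parameter, so both the 5-day and the 10-day variants on the slide can be tried. The Event fields, employee ids and action names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str       # employee who performed the back-office action
    customer: str   # customer / account the action touched
    action: str     # e.g. ADDRESS_CHANGE, CARD_REISSUE (assumed names)

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample back-office events, not real data.
EVENTS = [
    Event(_t("2015-04-16 10:05"), "emp17", "C1001", "ADDRESS_CHANGE"),
    Event(_t("2015-04-18 15:40"), "emp17", "C1001", "CARD_REISSUE"),    # 2 days later, same employee
    Event(_t("2015-04-01 09:00"), "emp42", "C2002", "ADDRESS_CHANGE"),
    Event(_t("2015-04-20 11:00"), "emp08", "C2002", "CARD_REISSUE"),    # 19 days later
    Event(_t("2015-04-10 09:00"), "emp42", "C3003", "CARD_REISSUE"),
    Event(_t("2015-04-11 09:00"), "emp42", "C3003", "ADDRESS_CHANGE"),  # reverse order: no match
]

def sequence_rule(events, first, second, window_days):
    """Alert when `second` follows `first` on the same customer within `window_days`.

    `same_user` is the strongest signal: one employee changing the address and
    then requesting the replacement card is the pattern the slide describes.
    """
    by_customer = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_customer[e.customer].append(e)
    alerts = []
    for customer, evs in by_customer.items():
        for i, a in enumerate(evs):
            if a.action != first:
                continue
            for b in evs[i + 1:]:
                if b.ts - a.ts > timedelta(days=window_days):
                    break  # evs is time-ordered, so nothing later can be in the window
                if b.action == second:
                    alerts.append({"customer": customer, "first_by": a.user,
                                   "second_by": b.user, "days": (b.ts - a.ts).days,
                                   "same_user": a.user == b.user})
    return alerts
```

Widening the window to 30 days also surfaces C2002, where two different employees performed the two steps; in practice that pair deserves a lower score than the same-user case.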
Slide 60: Proactive Detection – Intellinx Rules for Detecting "Borrowing" of Co-Workers' Credentials
- Same user-id logged in twice from different IPs at the same time
- Several user-ids logged in consecutively from the same IP
- User logged in without having scanned his badge earlier through the physical entry system
- Abnormal after-working-hours activity
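Added example, not Intellinx code and not from the deck: the first three rules above written as detection logic over constructed session records and physical badge-in records. The session tuple layout, the user ids, IPs, the 90-minute window and the three-user threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample data, not real logs: application sessions as
# (user_id, ip, login, logout) plus the day's physical badge-in records.
SESSIONS = [
    ("jsmith", "10.1.1.20", _t("2015-04-16 08:55"), _t("2015-04-16 12:10")),
    ("jsmith", "10.1.7.44", _t("2015-04-16 10:30"), _t("2015-04-16 11:00")),  # overlaps, other IP
    ("mlee",   "10.1.7.44", _t("2015-04-16 11:02"), _t("2015-04-16 11:40")),
    ("rkhan",  "10.1.7.44", _t("2015-04-16 11:41"), _t("2015-04-16 12:00")),
    ("aortiz", "10.1.2.5",  _t("2015-04-16 09:00"), _t("2015-04-16 17:00")),
]
BADGE_INS = {("jsmith", "2015-04-16"), ("mlee", "2015-04-16"), ("rkhan", "2015-04-16")}

def concurrent_sessions(sessions):
    """Rule 1: the same user-id is active at the same time from two different IPs."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s[0]].append(s)
    hits = []
    for user, ss in by_user.items():
        for a, b in combinations(ss, 2):
            if a[1] != b[1] and a[2] < b[3] and b[2] < a[3]:  # time intervals overlap
                hits.append((user, a[1], b[1]))
    return hits

def shared_workstation(sessions, min_users=3, window=timedelta(minutes=90)):
    """Rule 2: several distinct user-ids log in consecutively from the same IP."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s[1]].append(s)
    hits = []
    for ip, ss in by_ip.items():
        ss.sort(key=lambda s: s[2])
        for i in range(len(ss)):
            users = {s[0] for s in ss[i:] if s[2] - ss[i][2] <= window}
            if len(users) >= min_users:
                hits.append((ip, sorted(users)))
                break  # one alert per IP is enough
    return hits

def login_without_badge(sessions, badge_ins):
    """Rule 3: the user logged in but never badged into the building that day."""
    return sorted({s[0] for s in sessions
                   if (s[0], s[2].strftime("%Y-%m-%d")) not in badge_ins})
```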
Slide 61: Information Leakage Demo – Who Accessed the Sensitive Information?
Sensitive information pertaining to an account number has been leaked to an external source sometime between April 16th and 23rd of
Slide 63: Profiling of Call Center Agents (diagram; only the labels survived extraction): Call-Center, Call Center Representatives, Sensitive Web Application, Mainframe, Customer Information
Slide 65: Internal Sabotage – What's Wrong with this Program?
There has been an indication that mainframe program TRAN023 has been performing strange database activity which cannot be explained by reviewing its source code.
Slide 67: External Fraud Examples
Slide 68: ATM Rules
- Two ATM/credit card transactions at physical POS locations that are geographically distant, within a short period of time
- Two failed-PIN events at geographically distant ATMs, within a short period of time
- ATM/credit card transaction out of profile, based on amount, day of month, day of week, time of day or geography
- Many consecutive transactions on a specific ATM at an out-of-profile time of day or frequency
- Small-amount ATM transaction that is out of profile
- Many "cancelled" ATM transactions on the same ATM within a short period of time
- ATM transaction type that is out of profile (an irregular "balance check", for example)
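Added example (not Intellinx code and not from the deck) of the first two ATM rules above as one impossible-travel check over constructed events; the function is generalized so the same logic runs over purchase transactions and over failed-PIN events. The event tuple layout, card tokens, terminal coordinates and the 900 km/h ceiling are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed ATM/POS events, not real data: (card_token, kind, ts, terminal, lat, lon).
EVENTS = [
    ("CARD-A", "PURCHASE", _t("2015-04-16 09:05"), "ATM-NYC-01", 40.7128, -74.0060),
    ("CARD-A", "PURCHASE", _t("2015-04-16 09:50"), "ATM-CHI-07", 41.8781, -87.6298),  # ~1145 km in 45 min
    ("CARD-B", "PIN_FAIL", _t("2015-04-16 13:00"), "ATM-LON-02", 51.5074, -0.1278),
    ("CARD-B", "PIN_FAIL", _t("2015-04-16 13:20"), "ATM-LON-09", 51.5155, -0.0922),  # a few km: plausible
    ("CARD-B", "PIN_FAIL", _t("2015-04-16 13:35"), "ATM-PAR-03", 48.8566, 2.3522),   # ~343 km in 15 min
]

def impossible_travel(events, kind, max_gap=timedelta(hours=2), max_speed_kmh=900.0):
    """Flag consecutive events of `kind` on one card whose implied travel speed is unachievable.

    Returns one (card, from_terminal, to_terminal, km, minutes) tuple per hit.
    """
    by_card = defaultdict(list)
    for e in events:
        if e[1] == kind:
            by_card[e[0]].append(e)
    hits = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e[2])
        for a, b in zip(evs, evs[1:]):
            gap = b[2] - a[2]
            if gap > max_gap:
                continue  # far apart in time: distance alone tells us nothing
            km = haversine_km(a[4], a[5], b[4], b[5])
            hours = max(gap.total_seconds() / 3600, 1 / 60)  # floor at one minute to avoid /0
            if km / hours > max_speed_kmh:
                hits.append((card, a[3], b[3], round(km), round(gap.total_seconds() / 60)))
    return hits
```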
Slide 69: Regulatory Compliance
Slide 70: Intellinx for Regulatory Compliance
PCI Requirement 10: automated audit trails for reconstructing
- All individual user accesses to cardholder data
- All actions taken by any individual with root or administrative privileges
Privacy regulations (HIPAA, GLBA, EU Directive 95/46): detailed logging
- Who? Did what? To which data? When? Where from? How?
- Read access included in the audit trail
Sarbanes-Oxley / Basel II
- Add effective controls to sensitive processes that affect the financial reports
- Add compensating controls for: tracking privileged users' activity, ensuring segregation of duties, monitoring change management
FACTA Identity Theft Red Flags
- Real-time alerts on identity theft indicators
Slide 71: Intellinx for Compliance with AML and KYC
- Capture account and customer activity across multiple channels:
  - Online activity of employees in the corporate applications
  - Back office processes
  - Customer activity in Internet Banking applications
  - ATM activity transmitted in the ISO 8583 protocol
  - Inter-bank activity transmitted in FIX, SWIFT and other protocols
- Comprehensive profiling at the account, customer and branch level
- Real-time and off-line alerts
- Investigation workbench and case management
- Flexible reporting
Slide 72: AML Rules
Slide 88: Protecting Employees' and Customers' Privacy
- Intellinx does not record any activity that runs on the employee's workstation, only access to the business applications.
- Only authorized users are allowed to access the Intellinx system.
- The system can be configured to monitor specific applications or users only, while other information is filtered out and dropped.
- Specific fields and screens which contain highly sensitive data can be masked so that the auditor using Intellinx cannot view them.
- Every access to the Intellinx system and every action performed within the system is logged, allowing a detailed audit of which user performed which action.
- Fields identifying a user's identity (e.g. user-id or terminal-id) can be hidden by the system when a visual replay is performed.
Slide 89: What Customers Say about Intellinx
Equifax, Tony Spinelli, Chief Security and Compliance Officer:
"Information security is a cornerstone of our business and, as a company, we are committed to placing the highest standards on data protection."
"Intellinx enables us to enhance our security monitoring capability by providing a reporting platform that allows our fraud investigators to visually replay screen data of both current and historical transactions and receive real-time alerts on suspicious events."
State of Delaware, Ms. Peggy Bell, Executive Director, Delaware Criminal Justice Information System (DELJIS):
"The Intellinx results have been bigger than even we expected:
- Overwhelmingly jaw-dropping successful
- The logging system performed fantastically better than expected
- Turn-around time with the Intellinx system was fabulous
- Breach investigation time decreased by more than 90%
- Potential threats to officer and public safety are reduced."
Slide 90: Summary – The Intellinx Unique Business Value
- Keep end-users accountable by: a visual forensic audit trail including user queries
- Become proactive in enterprise fraud by: user profiling based on true user behavior analysis; real-time alerts
- Conduct after-the-fact investigations by: applying new rules to pre-recorded data
- Comply with key requirements of government regulations
- Exceptional out-of-the-box value: full recording and cross-platform search
► No Agents ► No Overhead ► No Risk