ArcSight Repurposes Application to Fight Financial Fraud

Security company ArcSight has retooled one of its event-monitoring products and created an appliance designed to detect fraudulent bank and brokerage transactions.

ArcSight found that its Enterprise Security Manager (ESM) product -- which has a correlation engine that is used to spot anomalous activity on networks, such as a worm -- was being used by brokerages to detect stock scams, said Rick Caccia, vice president of product marketing.

The correlation engine takes data and then checks to see if it violates certain rules. Brokerages found the correlation engine also worked well when it was fed other data, such as application logs, trading positions and historical stock data.

The brokers were using the product to detect so-called pump-and-dump scams, Caccia said. That's when fraudsters use various methods to artificially cause a stock price to rise and then sell off the shares before it falls.

It worked, and that caused ArcSight to look into how the correlation engine could be used for spotting other kinds of financial fraud. The result is a new product, FraudView.

FraudView, which is an appliance that banks and brokerages install alongside their back-end systems, looks at payment and transaction data and assigns it a risk score.

The bank or brokerage sets its own rules for what transactions will be allowed or rejected. FraudView does ship with a basic set of rules and triggers that would commonly be used, such as the U.S. government's requirement to report transfers of more than US$10,000, Caccia said. It is also capable of automatically creating new rules based on suspicious patterns.

The correlation engine in ESM was modified. Instead of looking at data such as IP (Internet Protocol) and MAC (Media Access Control) addresses, it looks at other data appropriate for financial transactions, Caccia said.

FraudView also has a pattern recognition engine, which can spy fraud trends within large sets of transactions. The appliance can also analyze data from other fraud detection systems.

In order to generate a risk score, FraudView looks at frequency of transactions, withdrawal limits and locations where cash is withdrawn in addition to other data, Caccia said. The analysis takes a second or two, he said.

Caccia said FraudView has been tested by some brokerages and banks. One U.S. bank deployed FraudView and soon after detected an attempted $1 million fraudulent wire transfer. Caccia said he can't reveal the bank's name, however.

FraudView will be priced on a per-account basis, Caccia said.
