Monthly Archives: November 2014

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 2: Exporting data from TeaLeaf

Let’s get our hands dirty. First step in building fraud investigation and security analytics platform with TeaLeaf is making TeaLeaf’s data available for Splunk. Then Splunk will take care of all the deep security queries and specialized investigative dashboarding.

Disclaimer: all data you see on this site was autogenerated for demonstration purposes. It demonstrates concepts and ideas but does not shows any real names, IP addresses and any other information that matches real world events.

TeaLeaf comes with cxConnect for Data Analysis component.

TeaLeaf cxConnect

“Tealeaf cxConnect for Data Analysis is an application that enables the transfer of data from your Tealeaf CX datastore to external reporting environments. Tealeaf cxConnect for Data Analysis can deliver data in real-time to external systems such as event processing systems or enable that data to be retrieved in a batch mode. Extraction of customer interaction data into log files, SAS, Microsoft SQL Server or Oracle databases are supported. Data extraction jobs can be run on a scheduled or ad-hoc basis. Flexible filters and controls can be used to include or exclude any sessions or parts of sessions, according to your business reporting needs”.
Source: IBM TeaLeaf.

IBM TeaLeaf cxConnect hourly log extraction task

Although from my experience “real-time” claim is a long shot (at least I didn’t find a way to accomplish above in real-time), but I managed to do pretty successful regular, hourly, detailed TeaLeaf log exports.

cxConnect Daily extraction task

If you’d try to use cxConnect right off the bat for log exports and select all default options – you’ll end up with humongous set of files that will contain mountain data you don’t really need wasting your disk space. It took me quite a while to configure cxConnect to export data that i need and to make it not include data that i don’t need.

Within cxConnect “Configured Tasks” menu – you may create any scheduled task. For our purpose I’ve created two tasks – one is hourly and second is daily. […]

By |Enterprise Security, Splunk, TeaLeaf|Comments Off on IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 2: Exporting data from TeaLeaf

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 1: Introduction

IBM Tealeaf plus Splunk

IBM TeaLeaf is one of the leading customer experience management platforms from IBM.

IBM TeaLeaf is set of tools allowing enterprises to record all customer interactions with their Web Application portals with further capabilities of visual session replays. IBM TeaLeaf also offers a set of interfaces to design custom events, alerts, dashboards and visual reports.

TeaLeaf allows to define custom reporting dimensions that could be very specific to the given business needs.
Tracking clicks, conversions, customer struggles, optimizing sales funnels, analyzing mobile experiences, presenting any kind of data in a visually appealing way are only few of many available benefits that TeaLeaf offers.

As a consultant helping large brokerage and financial firm to manage firm-wide TeaLeaf deployment – I see another fast growing application for IBM TeaLeaf – financial fraud investigations, security analytics, forensic analysis and investigation of suspicious activities.

When corporate security departments receive suspicious activity reports and requests to investigate possible ATO (Account TakeOver – case where fraudsters buy on a black market set of valid customer credentials obtained by targeted phishing attacks for example) – they come to TeaLeaf to dig into raw data and do forensics investigations.

After finding necessary visitor hits or customer sessions data within TeaLeaf database, security investigators launch TeaLeaf RTV viewer to visually preview actual sessions that potentially involve fraudulent activity.

TeaLeaf allows searching for pieces of data by predefined metrics – IP address, browser OS, browser version, User Agent, text in request, text in response as well as via raw text data fragments possibly found within hit or session data.

TeaLeaf generally offers two ways to search for pieces of information – via it’s browser interface (“Search” menu option) or using RealiTea Viewer (RTV) – separate desktop application allowing to run raw searches via direct connections to TeaLeaf data repository (data canisters).
The main advantage of RTV is that it allows to run searches on currently active sessions (in other words with almost no delay in obtaining fresh traffic data) as well as it is quite fast. […]

By |Enterprise Security, Splunk, TeaLeaf|0
  • square_peg

When Machine Learning and Anomaly Detection Cannot Detect Fraud: Be careful what you invest into

As part of being professional consultant building client-specific fraud detection solutions I often witness product pitches by different vendors in a security / fraud detection space.

The recent wave of successful high profile cyberattacks and disastrous data leaks added new level of activity into search for the perfect fraud detection and early alerting solution.

With attackers changing their activity vectors, attack patterns and techniques on a daily basis this makes many legacy fraud detection tools to lose their efficiency and get outdated very quickly.

In the never ending quest to protect enterprise against fraud losses the ideas of Automated Anomaly Detection are picking up steam.

The way it generally works – anomaly detection system would establish baseline for certain predefined dimensions and system would then monitor (often in real time) for deviations from established baseline. Once sufficiently abnormal condition is detected – the alert is issued. Such system could operate pretty automatically and learn from historical and present data constantly updating it’s baselines as well as trigger thresholds. […]

By |Enterprise Security, Fraud, Splunk|0