News

Joining Splunk as Senior Product Manager

This summer has been full of great news in my personal career development.

I’ve been accepted as a speaker on Fraud/Security subjects at the Splunk 2015 yearly users conference, to talk about using Splunk in the financial/banking industry to detect, alert on and investigate advanced account takeover cyberattacks.

My Splunk 2015 conference session talk slides are here.

The session attracted plenty of interest from multiple financial organizations and banks, and based on their detailed use cases and feedback, Splunk is on target to become a powerful security solution for detecting complicated fraud events.

In addition to that, right before the conference I was made, and accepted, an offer from Splunk to join their team in a Senior Product Manager role within the security organization, overseeing development of anti-fraud products.

I am really excited to be able to utilize all my past experience in security research and practical skills in building anti-fraud products.

This of course involved me moving from cold Canada to the warm San Francisco Bay Area.

With my new office located in San Francisco this is quite a change – yet I am seriously excited to be involved in making the world’s greatest data analytics software even better!

Connect with me on LinkedIn
Gleb Esman is currently working as Senior Product Manager for Security/Anti-fraud solutions at Splunk, leading efforts to build next-generation security products covering advanced fraud cases across multiple industry verticals.
Contact Gleb Esman.

Predicting Unknown Threats: Detecting Human Emotions Through Machine Data Analytics

Wouldn’t it be nice if your SIEM sent a “possible insider threat!” alert when it detects that an employee is in a fearful, paranoid or even panicky emotional state while trying to access a secure, confidential corporate document repository?

Or if you received a real-time “possible account takeover!” alert when it detects that the currently logged-in user is in deep anxiety or experiencing a severely agitated emotional state while trying to initiate a money transfer to an outside bank account?

This approach is used very successfully to detect potential threats by the world’s most secure airlines.
Trained security officers are able to see whether a passenger feels nervous or agitated or otherwise exhibits emotionally unusual behavior, and then follow up with further checks and investigation. On one occasion, by interrogating a nervous passenger, an actual bomb was found inside his luggage, while the passenger mistakenly thought he had been hired to smuggle diamonds.

The Step Up from User Behavior Analytics

With some creativity, knowledge of human psychology and an analytics approach, we can apply the same methods to today’s machine data generated by users, clients and employees of financial institutions, banks, government facilities and corporations to prevent known and unknown attacks from outside as well as from inside the enterprise.

A while ago, while analyzing an account takeover cyberattack, I isolated a complete data set belonging to an attacker who had accessed another user’s account with legitimate credentials.

The attacker’s session activity was almost identical to the legitimate user’s activity across all metrics:
pages accessed, session duration, session hit length, browser user agent used, geographical region of the originating IP address, order in which pages were accessed, approximately the same time of day the legitimate user would log in, etc.


User Behavior Analysis with Splunk: Detecting Threats and Fraudulent Activity in the Ocean of Behaviors: Part 1 – Setting Alerts on User Session Risk Factors

Back in my days at the IBM T.J. Watson Research Center, where we were working on techniques to detect known and unknown malware, the fast-growing challenge was the rising threat of malware’s ability to become polymorphic.

Malicious snippets of code encrypted themselves, making it very difficult to apply conventional signature-based detection techniques.

We developed a tiny virtual machine in C that was able to load malware code in real time and analyze its behavior without needing to figure out how to decrypt it. Score metrics were assigned to key points and function calls, and logic was put in place to trigger an alert if the “risk” score exceeded a certain heuristic threshold.

That technique allowed us to deliver a top-quality enterprise security solution (later purchased by Symantec) that was capable of detecting previously unknown threats. That was more than 15 years ago.

While working with financial clients and technology companies today, I can see that the old behavior pattern analysis stays as strong as ever, helping enterprises discover new types of suspicious behaviors and investigate malicious activities with previously unknown patterns from previously unknown sources.

Industry leaders seem to agree that some of the recent high-profile breaches could have been thwarted with a properly configured behavior analysis SIEM system in place.

Traffic Ray: New Splunk App to visualize your HTTP web traffic for security and analytics needs

Update: Splunk has approved and published Traffic Ray in the official Splunk app repository here.

Traffic Ray is a real-time web traffic analytics Splunk app I built for web server administrators and web hosting service providers.

Traffic Ray leverages raw Apache log files to visualize incoming web server traffic, allowing you to discover incoming IP activity patterns, detect malicious activity, view bandwidth consumption trends and gain insights into web visitors’ origins and behaviors on a single dashboard. Ok, on two :).

Being a webmaster as well as a web hosting server administrator myself, I often wanted an unobstructed, quick, visual, real-time view into incoming web traffic stats and patterns. While working with many different reporting and analytics solutions, I found most of them to be either too convoluted, overly generic, suspiciously intrusive or unacceptably restrictive. I needed an easy way to gain comprehensive server-wide web traffic insights as well as to do quick drilldowns into a specific IP address’s behavior patterns or a specific website’s bandwidth consumption trends.
Also, quite often an ill-behaving or outright malicious incoming web traffic source causes the server to send automated, generic, non-descriptive system alerts about excessive server load, suspicious running processes and the like, which then require further root cause analysis.

Before, I had to rely on multiple tools to put together the big picture of events, as well as log in to the system shell and manually search and grep through raw logs to discover the culprits of suspicious activity – a time-consuming and unpleasant process.

Now with Traffic Ray it is essentially a one-click step to grasp all the necessary and specific information about the root causes and origins of suspicious activity in a single screen view.
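The kind of per-IP drilldown described above, as an added example that is not Traffic Ray's own code: it parses Apache combined-format log lines, aggregates hits, bytes and error responses per client IP, and flags sources that look like probing (high 4xx/5xx ratio) or that dominate bandwidth. The log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed); named groups are our own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Sep/2015:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2015:12:00:02 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2015:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "python-requests/2.7"
198.51.100.9 - - [10/Sep/2015:12:00:03 +0000] "GET /admin/ HTTP/1.1" 403 256 "-" "python-requests/2.7"
198.51.100.9 - - [10/Sep/2015:12:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "python-requests/2.7"
198.51.100.9 - - [10/Sep/2015:12:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "python-requests/2.7"
192.0.2.44 - - [10/Sep/2015:12:00:05 +0000] "GET /big.iso HTTP/1.1" 200 104857600 "-" "curl/7.43"
"""

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["status"] = int(rec["status"])
    return rec

def per_ip_stats(lines):
    """Aggregate hits, bytes sent and 4xx/5xx responses per client IP."""
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "errors": 0})
    for rec in filter(None, map(parse_line, lines)):
        s = stats[rec["ip"]]
        s["hits"] += 1
        s["bytes"] += rec["bytes"]
        if rec["status"] >= 400:
            s["errors"] += 1
    return stats

def flag_suspicious(stats, error_ratio=0.5, min_hits=3, byte_share=0.5):
    """Flag IPs that mostly hit error pages (probing) or eat most bandwidth."""
    total_bytes = sum(s["bytes"] for s in stats.values()) or 1
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["hits"] >= min_hits and s["errors"] / s["hits"] >= error_ratio:
            reasons.append("high error ratio: likely path probing")
        if s["bytes"] / total_bytes >= byte_share:
            reasons.append("dominant bandwidth consumer")
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, why in flag_suspicious(per_ip_stats(SAMPLE_LOG.splitlines())).items():
        print(ip, "->", "; ".join(why))
```

Pointed at a real access log (`open("/var/log/apache2/access.log")`), the same two functions give the per-IP root-cause view that the post describes having to assemble by hand with grep.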
