TeaLeaf

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 3: Visualizing Trends and Patterns of Cyberattacks

Once you have all the beautiful and rich traffic data exported from Tealeaf and imported into Splunk, the possibilities are virtually endless for creating a very powerful search, cross-referencing analytics and security investigation tool.

As part of my consulting work for a major financial services firm, I’ve built a specialized Splunk App that uses a single dashboard to execute multiple searches and visualize results and trends by leveraging Tealeaf data.

In addition, a number of custom searches and alerts were created to build summary indexes, automatically detect and alert on possible malware infections, and notify about suspicious activity patterns and out-of-bounds activities.

Before sharing more details about visualizing trends and malicious traffic patterns, here are a few tips on the general design of custom Splunk security analytics apps and dashboards.

While I cannot offer image snapshots of the actual dashboard visuals used within the financial firm, due to the client’s obvious security concerns, I can describe the general approach we took to overcome Tealeaf’s limitations with Splunk, as well as a number of important points on how to take full advantage of Splunk as a security research tool. (more…)

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 2: Exporting data from TeaLeaf

Let’s get our hands dirty. The first step in building a fraud investigation and security analytics platform with TeaLeaf is making TeaLeaf’s data available to Splunk. Splunk will then take care of all the deep security queries and specialized investigative dashboarding.

Disclaimer: all data you see on this site was autogenerated for demonstration purposes. It demonstrates concepts and ideas but does not show any real names, IP addresses or any other information that matches real-world events.

TeaLeaf comes with the cxConnect for Data Analysis component.

TeaLeaf cxConnect

“Tealeaf cxConnect for Data Analysis is an application that enables the transfer of data from your Tealeaf CX datastore to external reporting environments. Tealeaf cxConnect for Data Analysis can deliver data in real-time to external systems such as event processing systems or enable that data to be retrieved in a batch mode. Extraction of customer interaction data into log files, SAS, Microsoft SQL Server or Oracle databases are supported. Data extraction jobs can be run on a scheduled or ad-hoc basis. Flexible filters and controls can be used to include or exclude any sessions or parts of sessions, according to your business reporting needs.”
Source: IBM TeaLeaf.

IBM TeaLeaf cxConnect hourly log extraction task

Although in my experience the “real-time” claim is a long shot (at least I didn’t find a way to accomplish the above in real time), I managed to do pretty successful regular, hourly, detailed TeaLeaf log exports.

cxConnect Daily extraction task

If you try to use cxConnect right off the bat for log exports and select all the default options, you’ll end up with a humongous set of files containing a mountain of data you don’t really need, wasting your disk space. It took me quite a while to configure cxConnect to export the data that I need and to exclude the data that I don’t need.

Within the cxConnect “Configured Tasks” menu you can create any scheduled task. For our purposes I’ve created two tasks: one hourly and one daily. (more…)

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 1: Introduction

IBM Tealeaf plus Splunk

IBM TeaLeaf is one of the leading customer experience management platforms from IBM.

IBM TeaLeaf is a set of tools that lets enterprises record all customer interactions with their web application portals and then visually replay those sessions. IBM TeaLeaf also offers a set of interfaces to design custom events, alerts, dashboards and visual reports.

TeaLeaf lets you define custom reporting dimensions that can be very specific to the given business needs.
Tracking clicks, conversions and customer struggles, optimizing sales funnels, analyzing mobile experiences and presenting any kind of data in a visually appealing way are only a few of the many benefits that TeaLeaf offers.

As a consultant helping a large brokerage and financial firm manage a firm-wide TeaLeaf deployment, I see another fast-growing application for IBM TeaLeaf: financial fraud investigations, security analytics, forensic analysis and investigation of suspicious activities.

When corporate security departments receive suspicious activity reports and requests to investigate a possible ATO (Account TakeOver: a case where fraudsters buy, on a black market, a set of valid customer credentials obtained, for example, by targeted phishing attacks), they come to TeaLeaf to dig into the raw data and do forensic investigations.

After finding the necessary visitor hits or customer session data within the TeaLeaf database, security investigators launch the TeaLeaf RTV viewer to visually preview the actual sessions that potentially involve fraudulent activity.

TeaLeaf allows searching for pieces of data by predefined metrics – IP address, browser OS, browser version, User Agent, text in request, text in response as well as via raw text data fragments possibly found within hit or session data.

TeaLeaf generally offers two ways to search for pieces of information: via its browser interface (the “Search” menu option) or using RealiTea Viewer (RTV), a separate desktop application that runs raw searches via direct connections to the TeaLeaf data repository (data canisters).
The main advantages of RTV are that it can run searches on currently active sessions (in other words, with almost no delay in obtaining fresh traffic data) and that it is quite fast. (more…)
