Splunk

Connecting the Dots: Tracking Identity of DDOS-for-Bitcoins criminal service operator with Maltego, Splunk and Domaintools

Tracking Identity of DDOS-for-Bitcoins criminal service operator-900xThis post will demonstrate the ways to investigate and track real identity of an anonymous website operator promoting and selling DDOS attacking services for Bitcoins.

I built a system consisting of Maltego visual link analysis tool powered by DomainTools and third party bitcoin intelligence database as data providers. Maltego was connected to bitcoin intelligence data to combine it with domaintools data for powerful, interactive visual link anlysis. (more…)

Joining Splunk as Senior Product Manager

gleb_esman_splunk-500xThis summer been full of great news in my personal career development.

I’ve been accepted as a speaker on Fraud/Security subjects at Splunk 2015 yearly users conference to talk about using Splunk in financial/banking industry to detect, alert and investigate advanced accounts takeover cyberattacks.

My Splunk 2015 conference session talk slides are here.

The session attracted plenty of interest from multiple financial organizations and banks and based on their detailed use cases and feedback Splunk is on a target to become powerful security solution to detect complicated fraud events.

In addition to that right before the conference I been made and accepted an offer from Splunk directly to join their team in a Senior Product Manager role within security organization overseeing development of anti-fraud products.

I really excited to be able to utilize all my past experience in security research and practical skills in building anti-fraud products.

This of course involved me moving from cold Canada to warm San Francisco Bay area.

With my new office to be located in San Francisco this is quite a change – yet I am seriously excited to be involved into making world’s greatest data analytics software even better!

Connect with me on LinkedIn
Gleb Esman is currently working as Senior Product Manager for Security/Anti-fraud solutions at Splunk leading efforts to build next generation security products covering advanced fraud cases across multiple industry verticals.
Contact Gleb Esman.

Predicting Unknown Threats: Detecting Human Emotions Through Machine Data Analytics

Detecting Human Emotions In DataWouldn’t it be nice if your SIEM would send a “possible insider threat!” alert when it detects that employee is in fearful, paranoid or even panicky emotional state while trying to access secure, confidential corporate documents repository?

Or receive real time “possible account takeover!” alert when it detects that currently logged in user is in deep anxiety or experiencing severely agitated emotional conditions while trying to initiate money transfer to an outside bank account?

This approach is used very successfully to detect potential threats by the world’s most secure airlines.
Trained security officers are able to see if passenger feels nervous or agitated or otherwise exhibits emotionally unusual behaviors and then follow up with further checks and investigation. On one occasion by interrogating the nervous passenger the actual bomb was found inside his luggage while the passenger mistakenly thought he had been hired to smuggle diamonds.detecting-threats-in-airport

The Step Up from User Behavior Analytics

With some creativity, knowledge of human psychology and analytics approach we can apply the same methods to today’s machine data generated by users, clients and employees of financial institutions, banks, governments facilities and corporations to prevent known and unknown attacks from outside as well as from inside of enterprise.

A while ago analyzing an account takeover cyber attack I’ve isolated a complete data set belonging to the attacker who’ve accessed another user account with legitimate credentials.

Attacker’s session activity was almost identical to legitimate user’s activity across all metrics:
Pages accessed, session duration, session hit length, browser user agent used, geographical region of originated IP address, order in which pages were accessed, approximately the same time of the date as legitimate user would use, etc…

(more…)

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 2: Exporting data from TeaLeaf

TeaLeaf LogsLet’s get our hands dirty. First step in building fraud investigation and security analytics platform with TeaLeaf is making TeaLeaf’s data available for Splunk. Then Splunk will take care of all the deep security queries and specialized investigative dashboarding.

Disclaimer: all data you see on this site was autogenerated for demonstration purposes. It demonstrates concepts and ideas but does not shows any real names, IP addresses and any other information that matches real world events.

TeaLeaf comes with cxConnect for Data Analysis component.

ibm_tealeaf_with_splunk_for_security_and_fraud_01

TeaLeaf cxConnect

Tealeaf cxConnect for Data Analysis is an application that enables the transfer of data from your Tealeaf CX datastore to external reporting environments. Tealeaf cxConnect for Data Analysis can deliver data in real-time to external systems such as event processing systems or enable that data to be retrieved in a batch mode. Extraction of customer interaction data into log files, SAS, Microsoft SQL Server or Oracle databases are supported. Data extraction jobs can be run on a scheduled or ad-hoc basis. Flexible filters and controls can be used to include or exclude any sessions or parts of sessions, according to your business reporting needs“.
Source: IBM TeaLeaf.

ibm_tealeaf_with_splunk_for_security_and_fraud_02_hourly_task

IBM TeaLeaf cxConnect hourly log extraction task

Although from my experience “real-time” claim is a long shot (at least I didn’t find a way to accomplish above in real-time), but I managed to do pretty successful regular, hourly, detailed TeaLeaf log exports.

ibm_tealeaf_with_splunk_for_security_and_fraud_03_daily_task

cxConnect Daily extraction task

If you’d try to use cxConnect right off the bat for log exports and select all default options – you’ll end up with humongous set of files that will contain mountain data you don’t really need wasting your disk space. It took me quite a while to configure cxConnect to export data that i need and to make it not include data that i don’t need.

Within cxConnect “Configured Tasks” menu – you may create any scheduled task. For our purpose I’ve created two tasks – one is hourly and second is daily. (more…)

IBM TeaLeaf + Splunk = Powerful fraud investigation and security analytics platform for financial firms. Part 1: Introduction

IBM Tealeaf plus Splunk

IBM Tealeaf plus Splunk

IBM TeaLeaf is one of the leading customer experience management platforms from IBM.

IBM TeaLeaf is set of tools allowing enterprises to record all customer interactions with their Web Application portals with further capabilities of visual session replays. IBM TeaLeaf also offers a set of interfaces to design custom events, alerts, dashboards and visual reports.

TeaLeaf allows to define custom reporting dimensions that could be very specific to the given business needs.
Tracking clicks, conversions, customer struggles, optimizing sales funnels, analyzing mobile experiences, presenting any kind of data in a visually appealing way are only few of many available benefits that TeaLeaf offers.

As a consultant helping large brokerage and financial firm to manage firm-wide TeaLeaf deployment – I see another fast growing application for IBM TeaLeaf – financial fraud investigations, security analytics, forensic analysis and investigation of suspicious activities.

When corporate security departments receive suspicious activity reports and requests to investigate possible ATO (Account TakeOver – case where fraudsters buy on a black market set of valid customer credentials obtained by targeted phishing attacks for example) – they come to TeaLeaf to dig into raw data and do forensics investigations.

After finding necessary visitor hits or customer sessions data within TeaLeaf database, security investigators launch TeaLeaf RTV viewer to visually preview actual sessions that potentially involve fraudulent activity.

TeaLeaf allows searching for pieces of data by predefined metrics – IP address, browser OS, browser version, User Agent, text in request, text in response as well as via raw text data fragments possibly found within hit or session data.

TeaLeaf generally offers two ways to search for pieces of information – via it’s browser interface (“Search” menu option) or using RealiTea Viewer (RTV) – separate desktop application allowing to run raw searches via direct connections to TeaLeaf data repository (data canisters).
The main advantage of RTV is that it allows to run searches on currently active sessions (in other words with almost no delay in obtaining fresh traffic data) as well as it is quite fast. (more…)

Go to Top