New data suggests several large U.S. banks are grappling with call center wire fraud, but security information and event management (SIEM) vendors are trying to make the case that their products can help ward off such incidents.
The compliance-driven SIEM deployment is very useful from a security perspective and eventually users will go back to their [SIEM] vendor as they expand the use of it
Mark Nicolett, chief of security, privacy and risk research, Gartner Inc.
Call center wire fraud is a growing trend, vendors say, in which a cybercriminal steals account credentials, gains access to the victim’s personal information and then makes a physical call to a bank’s call center to drain the account.
The call center operator typically asks a few personal questions to verify the victim’s identity against information it has on file, but it doesn’t matter: An experienced cybercriminal can gain most of the victim’s personal information, including his or her Social Security number, by viewing the personal data in the victim’s online account portal.
The trend is being tracked by SIEM vendor ArcSight LLC, recently acquired by Hewlett-Packard Co. ArcSight said SIEM products can be extended to weed out that kind of savvy fraud. For now, most SIEM deployments focus on a few systems and a limited policy set, but Ryan Kalember, ArcSight’s director of marketing, said many SIEM systems can do more sophisticated correlation to detect anomalies and send out alerts.
“You can bring in events from other systems like Active Directory or identity management systems to enrich SIM events and look at things more from a people perspective,” Kalember said. “Watching for issues at the system and infrastructure layer doesn’t give the complete story anymore. If you’re not monitoring at the user layer and application layer, then you basically stand no chance.”
However, experts say extending the reach of SIEM systems in this way can sometimes add complexity and ultimately result in a wave of unwanted and unnecessary alerts. Some financial firms are taking a “walk before you run type approach,” while other firms are driven to deploy SIEM systems simply for compliance reasons, said Mark Nicolett, chief of security, privacy and risk research at Gartner Inc.
“The compliance-driven SIEM deployment is very useful from a security perspective and eventually users will go back to their [SIEM] vendor as they expand the use of it,” Nicolett said.
PCI DSS has been the biggest driver of SIEM deployments in the U.S., but many firms have already deployed technologies and processes to meet PCI DSS. With the standard not changing for three years, Nicolett said he’s starting to see a “shift toward more of a balanced focus on security and compliance.”
The market for SIEM products remains crowded, Nicolett said, with many vendors seeking to differentiate themselves by packaging certain capabilities that are suitable for a certain market. ArcSight’s product packages capabilities used at large banks and financial institutions with cash to spend, while smaller SIEM vendors, like Trigeo Network Security Inc., are successful catering their out-of-the-box SIEM capabilities to smaller banks and credit unions.
“The average Trigeo customer has over 200 correlations and the correlations are what give you the visibility in the appropriate context,” said Michelle Dickman, president and CEO of Post Falls, Idaho-based Trigeo. “It isn’t helpful to be alerted to stuff that isn’t meaningful. We’ve seen a lot of these SIEM implementations where they’re using 10% of what the product can do and a lot of it was that it was so burdensome to get the product up and running. ”
Dickman believes other rules and regulations will drive further adoption of SIEM systems: the North Electric Reliability Corp. (NERC) is fueling interest from energy firms, while the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act is driving interest from health care firms. In addition, smaller organizations are more willing to share information, she said. Trigeo recently launched an initiative to get its credit union customers to share correlation rules, expanding the rule sets for the SIEM appliance as well as communicate potential fraud activity.
Mike McDanell, IT supervisor and information security officer at Pasadena Federal Credit Union in Pasadena, Calif., said log aggregation has been able to help him mitigate threats before they become an issue. He has shared rules with other Trigeo users and recently applied a rule to mitigate an attack targeting a Microsoft vulnerability.
McDanell said he likes that the SIEM provides visibility down to the workstation level. He has set rules limiting the kinds of files the 40 employees can open, helping weed out common PDF and Microsoft Office file attacks.
“You can quickly tell who has too much time on their hands and are trying to access things they shouldn’t,” McDanell said. “It’s great to resolve issues before they become bigger problems.”