Protect Your Assets

Detecting Fraud with ArcSight ESM

Kerry_Matre ‎10-17-2013 02:06 PM - edited ‎06-09-2015 01:25 PM

HP ArcSight ESM has long been known as a tool for monitoring security incidents (DoS, SQL injection, malware) and for tracking high-risk users (insider threats, PII/IP protection). What you may not know is that ArcSight ESM also proves very useful in identifying fraud. Fraud can come from various sources, including online banking, compromised accounts, payments, internal fraud, and even daily debit card transactions.


When identifying and designing fraud use cases, the key is to understand the existing manual investigation process, and which data sources and applications you are using for those investigations. Once that is understood, you can outline the specific use cases, identify which SmartConnectors or FlexConnectors are needed to collect that data, and automate the manual process. HP ESP Global Services has followed this methodology at several financial institutions over the years with great success.


Our approach includes:


  • Workflow: suspicious activity reporting, creating a common body of knowledge
  • Business Logic: advanced analytics applied with cross-line-of-business logic
  • Data Integration: connector infrastructure to gather data from disparate business systems


The systems we have worked with include traditional security information sources such as firewalls, IDS, antivirus and proxies, in combination with internal application logs, customer transactions, DLP, email, databases, mainframes, web logs and CRM systems. Transactions in the financial industry can come from online banking applications, ATM/debit cards and data warehouses, to name a few.


Fraud is a data and anomaly detection problem


ArcSight ESM can be configured to monitor online activity, debits, credits and automatic payments. That activity can also be cross-referenced with customer context to establish each customer's normal pattern of behavior and to alert on deviations from it. Sample fraud detection alerts could be:

  • Customer "travelling" faster than 500 km/h, based on the geolocated IP addresses of the current transaction and the previous one and the time elapsed between them
  • Logins from known bad IP addresses, especially when one such address accesses multiple accounts
  • Customer using a new browser, new IP address, new ISP or new OS compared with their established profile
  • Payments that are large relative to the customer's own typical payment history


Additionally, ArcSight ESM can be paired with Threat Response Manager to automatically take action when a highly suspicious pattern is detected. It can integrate with firewalls to add newly discovered bad IP addresses to the deny list, and it can integrate with online banking systems to automatically suspend customer accounts that show signs of being compromised.


The HP ESP Global Services solution delivers functional use cases, developed in collaborative sessions with each enterprise, that enable system capabilities such as:


Statistical Profiling of Users and Computers

  • Profiling typical online activity and demonstrating how risk scores can be built against the baseline (e.g. page views, statement views, number of logins)
  • Profiling computer-related behavior (e.g. multiple IP accessing single account, geographic disparity of account access)
  • Alerting immediately on known risky behavior (e.g. mid-session changes to browser, OS, IP, accessing from known bad IP address)
  • Profiling account activity that adjusts risk scores based on risky behavior (e.g. new to bank, occupation = student)
  • Profiling account activity that adjusts risk scores based on typical money mule activity
  • Detecting anomalous customer account activity based on the trending of typical usage activity
  • Identifying insider threats based on real-world "headline news" attacks that have occurred, and could have been prevented
  • Monitoring of privileged accounts, unauthorized customer account modifications, and alerting of malicious activity
  • Detecting suspicious patterns of activities, based on fraudster attack patterns observed within the industry
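The two lists above (the sample alerts under "Fraud is a data and anomaly detection problem" and the statistical profiling capabilities here) describe the same mechanism: build a per-customer baseline, score each new event against it, and alert when the accumulated risk score crosses a threshold. The following is an added example, not code from the original post and not an ArcSight rule; it implements those checks in plain Python over constructed session and transaction events so that they can be run offline. The IP-to-location table, the threat-list entry, the score weights and the alert threshold are all assumptions made for the example.

```python
"""Per-customer profiling and risk scoring for the fraud checks the post lists.

Added example: not part of the original post or of ArcSight ESM. The
geolocation table (standing in for a GeoIP lookup), the known-bad IP list,
the score weights and the 50-point alert threshold are assumptions.
"""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from statistics import mean, pstdev

# Constructed stand-in for a GeoIP lookup: IP -> (latitude, longitude).
GEO = {
    "203.0.113.10": (51.51, -0.13),    # London
    "192.0.2.44": (51.50, -0.12),      # London, different ISP
    "198.51.100.7": (40.71, -74.01),   # New York
    "198.51.100.99": (55.75, 37.62),   # Moscow
}
KNOWN_BAD_IPS = {"198.51.100.99"}      # constructed threat-list entry
MAX_SPEED_KMH = 500.0                  # threshold named in the post
ALERT_THRESHOLD = 50                   # assumed alert threshold


@dataclass
class Event:
    customer: str
    ts: float          # epoch seconds
    ip: str
    browser: str
    os: str
    amount: float = 0.0   # payment amount; 0 for a plain login


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class Profile:
    """Baseline learned from a customer's prior, non-alerted activity."""

    def __init__(self):
        self.ips, self.browsers, self.oses = set(), set(), set()
        self.amounts = []
        self.last = None

    def learn(self, e):
        self.ips.add(e.ip); self.browsers.add(e.browser); self.oses.add(e.os)
        if e.amount > 0:
            self.amounts.append(e.amount)
        self.last = e


def score_event(profile, e, accounts_seen_from_ip):
    """Return (score, reasons) for one event against the customer's profile."""
    score, reasons = 0, []
    # 1. Impossible travel: distance between last and current IP over elapsed time.
    if profile.last is not None and e.ip != profile.last.ip:
        here, there = GEO.get(e.ip), GEO.get(profile.last.ip)
        if here and there:
            hours = max((e.ts - profile.last.ts) / 3600.0, 1e-6)
            speed = haversine_km(there, here) / hours
            if speed > MAX_SPEED_KMH:
                score += 50; reasons.append(f"impossible travel {speed:.0f} km/h")
    # 2. Known bad IP, weighted higher once it has touched more than one account.
    if e.ip in KNOWN_BAD_IPS:
        score += 40; reasons.append("known bad ip")
        if len(accounts_seen_from_ip.get(e.ip, ())) > 1:
            score += 30; reasons.append("bad ip touching multiple accounts")
    # 3. New device attributes relative to what the profile has seen before.
    for label, value, known in (("ip", e.ip, profile.ips),
                                ("browser", e.browser, profile.browsers),
                                ("os", e.os, profile.oses)):
        if known and value not in known:
            score += 10; reasons.append(f"new {label}")
    # 4. Large payment relative to this customer's own history (z-score).
    if e.amount > 0 and len(profile.amounts) >= 3:
        mu, sd = mean(profile.amounts), pstdev(profile.amounts) or 1.0
        z = (e.amount - mu) / sd
        if z > 3:
            score += 40; reasons.append(f"payment z={z:.1f}")
    return score, reasons


def run(events):
    """Stream events in time order; return [(customer, ts, score, reasons)] alerts."""
    profiles, seen_from_ip, alerts = {}, {}, []
    for e in events:
        p = profiles.setdefault(e.customer, Profile())
        seen_from_ip.setdefault(e.ip, set()).add(e.customer)
        score, reasons = score_event(p, e, seen_from_ip)
        if score >= ALERT_THRESHOLD:
            alerts.append((e.customer, e.ts, score, reasons))
        else:
            p.learn(e)   # only non-alerted events feed the baseline
    return alerts


# Constructed sample data: four normal London sessions for alice, then a
# New York login 30 minutes later with a new browser/OS and a large payment;
# bob and carol both log in from the same known-bad IP; dave changes ISP
# within London, which is a new IP but plausible travel.
SAMPLE = [
    Event("alice", 0,     "203.0.113.10",  "Firefox", "Windows", 100),
    Event("alice", 3600,  "203.0.113.10",  "Firefox", "Windows", 110),
    Event("alice", 7200,  "203.0.113.10",  "Firefox", "Windows", 95),
    Event("alice", 10800, "203.0.113.10",  "Firefox", "Windows", 105),
    Event("alice", 12600, "198.51.100.7",  "Chrome",  "Linux",   5000),
    Event("bob",   20000, "198.51.100.99", "Safari",  "macOS"),
    Event("carol", 20100, "198.51.100.99", "Safari",  "macOS"),
    Event("dave",  30000, "203.0.113.10",  "Firefox", "Windows", 50),
    Event("dave",  33600, "192.0.2.44",    "Firefox", "Windows", 55),
]

if __name__ == "__main__":
    for customer, ts, score, reasons in run(SAMPLE):
        print(f"{customer} @ {ts}: score {score} ({', '.join(reasons)})")
```

Only alice's New York session and carol's login alert: alice accumulates impossible travel, three new device attributes and an out-of-profile payment, and carol is the second account touched by the bad IP. bob's login from the same IP scores 40 and is deliberately below the threshold, matching the post's wording that a bad IP becomes an alert when it is "accessing multiple accounts"; dave's ISP change adds only 10 points. Not learning from alerted events keeps a fraudster's session from becoming part of the victim's baseline.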

Real-Time Risk Modeling

  • Real-time risk scoring, alerting, and dashboards for analyst interaction
  • Case management capability, including agent workflows, queue management and prioritization

Workflow and Analyst Interaction

  • Business users can create and test their own detection rules without affecting the production environment.
  • Rules can be real-time, based on profiles, and can alert or escalate a score.  Scores are completely configurable by business users.
  • Full reporting suite that allows for custom reports (or online dashboards) to be created across transaction and workflow metrics.
  • Ability to provide recommendations and continued learning to constantly improve rules, scoring model and workflows.


To learn more about the HP ESP Global Services and available solutions visit:



custom ATM machines on ‎10-21-2013 08:02 AM

Online banking and ATM frauds are the major problem for banking institutions, and they should be able to detect it and prevent it from happening. These types of technologies should be given more and more importance in order to minimize these frauds and prevent this from happening again.

Lisa_Chow on ‎10-21-2013 03:20 PM

Indeed @custom ATM machines(anon), we are hearing from our banking customers that ATM and online banking fraud are major issues, especially given customers' growing preference for these distribution channels. We have also witnessed how SIEM technologies have proven valuable in keeping fraud at bay, at least as a first line of defense. Also exciting is the development of Big Data-supported security intelligence. Integrating that into SIEM technologies, banks will be able to handle detection and prevention of fraud with greater sophistication, avoiding false positives etc., which are still major issues that hinder customer service.


If interested, check out my earlier blog that highlights how one of our bank customers has built their fraud detection system using ArcSight ESM.

Arun Shah on ‎06-23-2015 03:27 AM

Can an ArcSight agent be installed on a Bank ATM / cash dispensing machine and have it push certain logs to the ArcSight server?

Kerry_Matre on ‎06-23-2015 09:20 AM

Arun -
An ArcSight SmartConnector (or Agent) can be installed on an operating system such as Windows 7/2008, Red Hat, CentOS, SuSE, Solaris, or AIX.


The answer is Yes, technically, if the Bank’s ATM is running on one of the operating systems listed above and there’s enough hardware to support the ArcSight SmartConnector.


I'd recommend installing an ArcSight SmartConnector in each region and configuring the regional ATMs to send logs to the appropriate regional SmartConnector (or the SmartConnector "pulls" logs from each ATM; it just depends on the ATM's logging capabilities).
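The reply above describes the common case where the ATM does not run a connector itself but pushes its logs to a regional SmartConnector. The usual way to do that with ArcSight is to emit events in CEF (Common Event Format, ArcSight's own text format) over syslog. The following is an added example, not code from the original thread or from any ArcSight product: a small CEF encoder and syslog framer in Python. The bank name, product fields, extension keys and the sample withdrawal event are constructed for the example; only the CEF header layout and its escaping rules (backslash and pipe in the header, backslash and equals sign in the extension) follow the published format.

```python
"""Encode an ATM event as CEF and frame it as RFC 3164 syslog for a regional
SmartConnector. Added example, not ArcSight code; vendor/product names,
extension keys and the sample transaction are constructed."""
import datetime
import socket


def cef_escape_header(value):
    """Header fields escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    """Extension values escape backslash and '='; newlines become literal \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, event_class_id, name, severity, extension):
    """Build 'CEF:0|Vendor|Product|Version|ClassID|Name|Severity|key=value ...'."""
    header = "|".join(cef_escape_header(v) for v in
                      (vendor, product, version, event_class_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_ext(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def syslog_frame(message, hostname, facility=4, severity=6, when=None):
    """RFC 3164 frame: <PRI>TIMESTAMP HOSTNAME MSG, PRI = facility*8 + severity.
    facility 4 (auth) and severity 6 (informational) are assumed defaults."""
    when = when or datetime.datetime.now()
    # RFC 3164 pads the day with a space rather than a zero.
    stamp = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    return f"<{facility * 8 + severity}>{stamp} {hostname} {message}"


def send_udp(frame, host, port=514):
    """Ship one frame to the regional connector's syslog listener (UDP/514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(frame.encode("utf-8"), (host, port))


# Constructed sample: a cash withdrawal logged by one ATM. "suser" and the
# custom-number fields cn1/cn1Label are standard CEF extension keys; the
# values are made up.
SAMPLE_EVENT = to_cef(
    "ExampleBank", "ATM", "1.0", "100", "Cash withdrawal", 3,
    {"suser": "cust-42", "cn1": 200, "cn1Label": "amountGBP",
     "msg": "pin retries=2"},
)

if __name__ == "__main__":
    frame = syslog_frame(SAMPLE_EVENT, "atm-london-01")
    print(frame)
    # send_udp(frame, "regional-connector.example")  # uncomment on a real network
```

The extension value "pin retries=2" comes out as "pin retries\=2", which is what a CEF-aware connector needs to parse the key/value pairs correctly; without that escaping a field containing an equals sign would be split into a bogus extra key. The syslog frame is UDP here for brevity; for ATM traffic across a WAN a practitioner would prefer the connector's TCP or TLS syslog listener so events are not silently dropped.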
