Protect Your Assets

Detecting Fraud with ArcSight ESM

Kerry_Matre ‎10-17-2013 02:06 PM - edited ‎06-09-2015 01:25 PM

HP ArcSight ESM has long been known to monitor for security incidents (DoS, SQL injection, malware) and to track high-risk users (insider threats, PII/IP protection). What you may not know is that ArcSight ESM also proves very useful in identifying fraud. Fraud can come from various sources, including online banking, compromised accounts, payments, internal fraud, and even daily debit card transactions.


When identifying and designing fraud use cases, the key is to understand the existing manual investigation process and what data and applications you are using for those investigations. Once that is understood, you can outline the specific use cases, identify which SmartConnectors/FlexConnectors are needed, and automate that manual process. HP ESP Global Services has followed this methodology at several financial institutions over the years with great success.


Our approach includes:

  • Workflow: Suspicious activity reporting—creating a common body of knowledge
  • Business Logic: Advanced analytics applied with cross-line-of-business logic
  • Data Integration: Connector infrastructure to gather data from disparate business systems


The systems we’ve worked with include traditional security information sources such as firewalls, IDS, antivirus and proxies, in combination with internal application logs, customer transactions, DLP, email, databases, mainframes, web logs and CRM. Transactions in the financial industry can come from online banking applications, ATM/debit cards and data warehouses, to name a few.


Fraud is a data and anomaly detection problem


ArcSight ESM can be configured to monitor online activity, debits and credits, and automatic payments. This activity can also be cross-referenced with customer context to identify normal patterns of behavior and alert on anomalous behavior. Sample fraud detection alerts could be:

  • Customer travelling more than 500km/hour—based on IP addresses from current transaction and last transaction
  • Logging-in from known bad IP addresses and accessing multiple accounts
  • Customer using a new browser, new IP, new ISP or new OS
  • Large payments from a "typical" customer profile
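The first alert above, the impossible-travel check, as an added example that is not ArcSight content or code from this post: it geolocates the IP of a customer's previous and current transaction, computes the implied travel speed, and flags anything over 500 km/h. The IP-to-coordinate table and the transactions are constructed stand-ins for a GeoIP feed and the ESM event stream.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed IP-to-coordinate table standing in for a GeoIP lookup (assumption).
GEO = {
    "198.51.100.7": (51.5074, -0.1278),   # London
    "203.0.113.9": (40.7128, -74.0060),   # New York
    "192.0.2.44": (51.4545, -2.5879),     # Bristol
}

@dataclass
class Txn:
    customer: str
    ip: str
    ts: datetime

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def travel_speed_kmh(prev, cur):
    """Speed the customer would have needed to move between the two transaction IPs."""
    dist = haversine_km(GEO[prev.ip], GEO[cur.ip])
    if dist == 0:
        return 0.0                      # different IPs, same location: no travel
    hours = (cur.ts - prev.ts).total_seconds() / 3600
    return float("inf") if hours <= 0 else dist / hours   # out-of-order or simultaneous

def impossible_travel_alerts(txns, max_kmh=500.0):
    """Return (customer, prev_ip, cur_ip, speed) for each transaction exceeding max_kmh."""
    last, alerts = {}, []
    for t in sorted(txns, key=lambda x: x.ts):
        prev = last.get(t.customer)
        if prev and prev.ip != t.ip:
            speed = travel_speed_kmh(prev, t)
            if speed > max_kmh:
                alerts.append((t.customer, prev.ip, t.ip, round(speed)))
        last[t.customer] = t
    return alerts

def run_sample():
    # Constructed transactions: cust-1 "moves" London -> New York in 90 minutes,
    # cust-2 moves London -> Bristol in two hours (plausible).
    txns = [
        Txn("cust-1", "198.51.100.7", datetime(2013, 10, 17, 10, 0)),
        Txn("cust-1", "203.0.113.9", datetime(2013, 10, 17, 11, 30)),
        Txn("cust-2", "198.51.100.7", datetime(2013, 10, 17, 10, 0)),
        Txn("cust-2", "192.0.2.44", datetime(2013, 10, 17, 12, 0)),
    ]
    return impossible_travel_alerts(txns)
```

In ESM the same logic is expressed as a correlation rule over the login/transaction events with a session list holding each customer's last source IP and timestamp.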


Additionally, ArcSight ESM can be paired with the Threat Response Manager to automatically take action based on highly suspicious patterns. It can integrate with firewalls to add newly discovered bad IP addresses to the firewall deny list. It can also integrate with online banking systems to automatically suspend customer accounts that show signs of being compromised.


The HP ESP Global Services solution delivers functional use cases, developed in collaborative sessions with enterprises, to enable system capabilities such as:


Statistical Profiling of Users and Computers

  • Profiling typical online activity and demonstrating how risk scores can be built against the baseline (e.g. page views, statement views, number of logins)
  • Profiling computer-related behavior (e.g. multiple IP accessing single account, geographic disparity of account access)
  • Alerting immediately on known risky behavior (e.g. mid-session changes to browser, OS, IP, accessing from known bad IP address)
  • Profiling account activity that adjusts risk scores based on risky behavior (e.g. new to bank, occupation = student)
  • Profiling account activity that adjusts risk scores based on typical money mule activity
  • Detecting anomalous customer account activity based on the trending of typical usage activity
  • Identifying insider threats based on real-world "headline news" attacks that have occurred, and could have been prevented
  • Monitoring of privileged accounts and unauthorized customer account modifications, and alerting on malicious activity
  • Detecting suspicious patterns of activities, based on fraudster attack patterns observed within the industry

Real-Time Risk Modeling

  • Real-time risk scoring, alerting, and dashboards for analyst interaction
  • Case management capability, including agent workflows, queue management and prioritization

Workflow and Analyst Interaction

  • Business users can create and test their own detection rules without affecting the production environment.
  • Rules can be real-time, based on profiles, and can alert or escalate a score.  Scores are completely configurable by business users.
  • Full reporting suite that allows for custom reports (or online dashboards) to be created across transaction and workflow metrics.
  • Ability to provide recommendations and continued learning to constantly improve rules, scoring model and workflows.


To learn more about the HP ESP Global Services and available solutions visit:

custom ATM machines
on ‎10-21-2013 08:02 AM

Online banking and ATM frauds are the major problem for banking institutions, and they should be able to detect it and prevent it from happening. These types of technologies should be given more and more importance in order to minimize these frauds and prevent this from happening again.

on ‎10-21-2013 03:20 PM

Indeed @custom ATM machines(anon), we are hearing from our banking customers that ATM and online banking fraud are major issues, especially given customers' growing preference for these distribution channels. We have also witnessed how SIEM technologies have proven valuable in keeping fraud at bay, at least as a first line of defense. Also exciting is the development of Big Data-supported security intelligence. Integrating that into SIEM technologies, banks will be able to handle detection and protection of fraud with greater sophistication, avoiding false positives etc., which are still major issues that hinder customer service.


If interested, check out my earlier blog that highlights how one of our bank customers has built their fraud detection system using ArcSight ESM.

Arun Shah
on ‎06-23-2015 03:27 AM

Can an ArcSight agent be installed on a Bank ATM / cash dispensing machine and have it push certain logs to the ArcSight server?

on ‎06-23-2015 09:20 AM

Arun -
An ArcSight SmartConnector (or Agent) can be installed on an operating system such as Windows 7/2008, Red Hat, CentOS, SuSE, Solaris, or AIX.


The answer is Yes, technically, if the Bank’s ATM is running on one of the operating systems listed above and there’s enough hardware to support the ArcSight SmartConnector.


I’d recommend installing an ArcSight SmartConnector in each region and configuring the regional ATMs to send logs to the appropriate regional SmartConnector (or the SmartConnector “pulls” logs from each ATM…it just depends on the ATM’s logging capabilities).
