SEATTLE – What's in a name? A lot, actually, when you're trying to make sense of the thousands of entries compiled each day by the software keeping track of who's coming and going on your Internet site.

That was the biggest challenge faced by Ken Kinloch and his colleagues at BECU in recent days as they implemented the new Corillian Fraud Detection System at the $5.2 billion credit union. BECU is one of about 25 credit unions and banks signed up to use the system, which centers on Web log analysis designed to identify potential phishing behaviors and similar activities before an attack is launched, as well as to detect and investigate them after they occur.

"The significant challenge for us was getting the logs from our Web server farm to a central location with a naming convention that makes sense and then transporting that data to Corillian to run their logic against it," says Kinloch, a network and security analyst at BECU.

They ended up going with a script "that Corillian was kind enough to help direct us to," Kinloch says, adding that BECU decided to go with the system in the first place in part because of its relationship with Corillian, which provides Internet banking services to the big credit union.

"It's also a very unique solution. I haven't seen anything like it anywhere else," Kinloch says.

Client institutions can submit their Web logs daily to the Corillian Fraud Detection System, which can then automatically analyze a multi-million line log in minutes using rules that identify a broad range of Web site attacks and other suspicious behaviors, the Oregon-based company says.

Those would include successful and unsuccessful attempts by hackers attacking the Web site, trying to exploit vulnerabilities in the Web server and Web applications, and those using tools commonly deployed by phishers, says Jim Maloney, chief security executive at Corillian.

It also looks for activity from countries listed by the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) and access from known illegitimate network and geographic locations.

"What happens is that we can see activities that could be leading to a phishing attack. That could be a phisher visiting a legitimate site to see how it's laid out, what the graphics are, the flow. We can see the initial reconnaissance in our Web logs, as well as the rest of the life cycle, the building and testing and then the launching of the e-mails and the responses and the return visits," Maloney says.

When such activity is noted, the ISP that's hosting the site is informed, Maloney says, "and they're usually very happy to take it down. They usually don't even know it's happening."

The fraud detection system, which is available to Corillian and non-Corillian Internet banking clients alike, was built over the past three years using knowledge the company has accumulated from building Internet banking sites for more than 50 clients, Maloney says, ranging from 20,000-member credit unions to top-10 banks.

"We've been looking at this traffic for some time now, and it's given us a sense of what's legitimate behavior and what isn't," Maloney says, adding that the new system already shut down phishing attacks at one top-10 bank within 30 days after it was deployed.

The system also continues to develop from the original 100 to 110 different kinds of cyber attacks it was designed to deal with, Maloney says, and "we're being very careful to write more-generalized rules to deal with behaviors rather than specific signatures, so we don't have to send out updates weekly focusing on very specific attacks."

Maloney also warns that the industry is now seeing smaller institutions becoming more of a focus for such nefarious activities, which he says take place for two reasons.

"The first is the obvious. Because that's where the money is," the Corillian security chief says. "The other is that financial institutions of all sizes hold within their systems one of the most complete descriptions of identity you can find.

"Our research shows that they're not going just for money, but for identity theft reasons as well. They can leverage this information in some fashion, like selling it to someone else for fake passports, to make large purchases or take out large loans, long after the initial attack occurs."

Kinloch says he hasn't seen any evidence yet of pre-phishing behavior in the BECU logs and he hopes it stays that way.

"I like this system because it's proactive rather than reactive," the BECU network and security analyst says, "and it fits in with our whole concept of using industry best practices for defense. We use other logging utilities, too, but they're mostly from the system level, such as our Web service and operating system logs. This new fraud detection system fits in very nicely with that and gives us a more complete picture."

So who looks at all those reports?

"That would be me," Kinloch says. "I do a lot of reading. The nice thing is that with this system I'm able to get through the reports rather quickly and find trends and other things that are of interest to us."
