Triage fraudulent transactions with Cloud SOAR

As financial institutions get more digitized, so does the potential risk of sensitive data and system breaches in the shape of cyber frauds. Basically, the more digitized services financial institutions offer, the more vulnerable they become to cyber threats. And the reality is, financial institutions and banks remain a lucrative target for fraudsters; thus their risk for data breaches and cyber fraud is as high as ever.

Facing constant intrusion attempts, financial institutions are in dire need of adding cybersecurity technologies that can proactively face the risk of cyber attacks and stop cyber incidents in their tracks. But with so many cybersecurity technologies rising in the past couple of years, how can financial organizations determine which technology is suitable for their cybersecurity program?

What are the main security challenges financial institutions are facing?

Hackers and fraudsters have now gone past rudimentary means of attacking companies in the financial sector. They’ve devised targeting strategies with no recognizable patterns, which makes the containment costs all the more complex, and in the end, more expensive. In fact, one research project shows that in the past five years alone, the containment costs of security incidents have grown by 9.6%.

SOCs (Security Operations Centers) established by financial institutions are struggling with sophisticated cyber attacks mainly because of these reasons:

• Lack of skilled analysts

• Third-party risks

• The emergence of advanced threats

• Poor organization and connection between security tools

• Lack of automation implied in the security operations

Third-party risks, in particular, have created many vulnerabilities. Open banking allows developers to have access to the company’s network to create applications, which in return, create risks for the entire establishment.

Furthermore, the fact that financial institutions don’t have a connective tissue amongst security tools and SecOps teams means that their resources are poorly distributed. Analysts are wasting their time on false positives while the real risks are slipping by undetected. This increases the frustrations of the entire organization and prevents SOC and CSIRT from properly tackling cyber attacks.

How can financial institutions prevent fraud?

Financial institutions are already investing 40% more in breach containment and detection than they did five years ago. This means that financial institutions are well aware of just how fast the cyber threat landscape is evolving.

With reaction time and speed in mitigating cyber attacks becoming key differentiating factors in successfully tackling cyber frauds, SOCs are on the lookout for technologies with a capability to anticipate threats and act as connective tissue among all the security and anti-fraud tools - SOAR:

• Reducing incident-response and fraud-investigation time: One struggle that financial institutions face is that they can’t hire enough SOC operators and fraud analysts to meet the high number of cyber threats. By acting as connective tissue amongst security tools via orchestration and automation, SOAR allows SOCs to drastically reduce their response time to cyber threats and increases their chances of catching cyber fraud alerts before they become incidents. With SOAR, Financial Institutions can speed up convergent incidents, increasing their productivity tenfold.

• Automating workflow processes: SOAR automates a high number of repetitive SOC tasks, thus allowing analysts to free up much of their time to focus on higher-end tasks. This largely increases SOCs efficiency in operating workflow processes.

• Machine learning threat-hunting: Cloud SOAR has a machine-learning engine with the capacity of learning patterns from repeatable processes and recommending appropriate actions to terminate possible threats. This makes life for analysts much easier, as they have a much-needed helping hand, both in Cyber and Non-Cyber Use cases.

• Detecting false positives: Not every alert turns out to be an actual threat. In fact, most of the alerts generated in the SOCs turn out to be false positives and having to properly assess every one of them is a tedious, tiresome job.

With all kinds of different cyber fraud techniques present today, financial institutions must be equipped with a solution that is capable of responding to every sophisticated threat in real-time. Whether fraudsters are using key-loggers to steal sensitive credentials, inject code to corrupt sites, or devise malware schemes to drain accounts out of money and steal sensitive data, financial institutions simply can’t afford to drop the ball.

How Cloud SOAR helps fight anti-fraud

To show just how Cloud SOAR helps with the battle against cyber fraud, we will take the example of one of the oldest banks in Europe. The bank relies on Cloud SOAR’s monitoring software to detect and intervene when possible fraudulent transactions from external systems arise. Such transactions include:

• National Wire Transfers

• International Wire Transfers

• Prepaid Phone Card

• Prepaid Credit Cards

• Credit Cards

Once such possibly fraudulent transactions occur, anti-fraud analysts perform a preliminary pre-validation to test the validity of those transactions in order to identify possible false positives. The analysts then confirm the state of the transaction and forward any suspicious transactions to the Cloud SOAR platform through Cloud SOAR’s APIs. These transactions can also be sent via Syslog messages and emails.

Then, once Cloud SOAR receives these transactions, it stores them into its TRIAGE capability. Cloud SOAR then receives multiple important data regarding the transaction, both from transactional, risks, and operational perspectives. Cloud SOAR receives this information automatically from the Fraud Management System’s API and uses this information to perform enrichment of these transactions by using its playbooks. This is done with the goal of preventing these transactions to be converted into incidents.

Analysts then read this information, and upon analyzing all this data, they decide whether or not a transaction is fraudulent and should be converted into an incident. Cloud SOAR is operated by internal users during regular working hours and during non-business hours. It is also used by external outsourced users and third-party outsourcing contractors, thus allowing the bank to conduct this process 24/7/365.

The bank utilizes Cloud SOAR’s role-based access to assign different privileges to internal and external users according to the activities they are able to perform within this tool. By using the flexibility of Cloud SOAR to customize the flow, the bank color-coded different types of transactions. This allowed the bank to create a visual representation that helped the team coordinate better.

Cloud SOAR’s unique features for preventing cyber fraud

In the use case detailed above, we gave an in-depth explanation of how one bank relies on Cloud SOAR to prevent fraudulent transactions and improve its cybersecurity as a whole. Now, it’s important to underline the two most relevant capabilities that Cloud SOAR offers, which are unique to Cloud SOAR alone:

• Open Integration Framework: We believe in an interconnected world. Our competitors are closed to the outside world, limiting the ability to integrate, both for customers and partners. We have a different approach - with the Open Integration Framework (OIF), we want all vendors to integrate bi-directionally with us and everyone to be independent in creating integrations. Sumo Logic even integrates Mainframes for this particular type of use case.

• Triage: Triage is a key differentiator between Sumo Logic and the other competitors. It is a capability that allows users to handle suspicious events that require deeper analysis outside the context of an incident. Triage also helps analysts to reduce the number of false positives and other red flags raised by an elevated number of suspicious events that have to be inspected and can be achieved with different techniques of pre-processing based on automation, machine learning, correlation, and aggregation of events.

Bottom line is, financial institutions are dealing with an increasing amount of cyber threats, and by implementing a SOAR solution and integrating it with other security tools, they will have much better chances of intercepting cyber threats even before they become full-blown incidents.

What are the most common types of financial fraud?

Fraudsters resort to sophisticated techniques to target mainly banks, insurance companies, credit card vendors, offshore financial companies, stockbrokers, etc. Basically, any company in the financial industry that manages money is at risk of cyber attacks and financial fraud, and the most common types of financial fraud include:

• Spear-phishing

• Ransomware

• Insider threat

• DDoS

• Social Engineering

• ATM Malware

• Card fraud

• Bank domain hijacking

• Transactional frauds

Cyber attack authors turn to social engineering to inject financial malware to effectively empty out bank accounts and apply other data-breaching techniques that easily fly under the radar of SOCs, operating undetected until it’s already too late.

All of this means that financial institutions must deploy effective cybersecurity defenses, and unfortunately, applying mediocre security strategies without investing in proper cybersecurity technologies won’t cut it.