User journey analysis: The case of the missing dollar
Imagine that the head of security for one of the largest financial institutions in the country receives a call from their team that $500,000 is missing. After many hours of analyzing transactions, the team traces the missing money to an employee who also stole $1 six months earlier.
The employee in question made several $1 transactions to his own account on the company’s claims handling portal. Once the employee realized that no one was closely monitoring these transactions, they became increasingly brazen and began to embezzle larger sums. Eventually, greed got the better of them as they attempted to send $500,000, after which the security team discovered the incident and sprang into action.
This is a realistic scenario for an insurance company.
Insider Threat: What you can’t detect makes you vulnerable
Many of today’s threats to financial institutions around the world come not only from external attackers but from within, or from external actors using the stolen credentials of legitimate, authenticated users. As a result, financial institutions are tightening their security to watch for potential misuse or abuse of their SaaS and custom applications by employees and contractors.
Cybersecurity technology solutions enable the detection of malicious activity on networks, operating systems and devices. Malicious activity and fraud are mainly detected in two ways:
- Rule-based and signature-based detection that identifies potentially malicious behavior through rules and known bad indicators.
- Statistical volumetric frequency methods, also known as User Entity Behavior Analytics (UEBA).
These solutions have been effective at the network, endpoint, and access layers. But when it comes to the application layer, these methods of detection and response fall short. Assessing abnormal user behavior against average daily activities does not yield accurate results, as there is no such thing as “average” behavior.
For example, take Dawn, a manager at an insurance company: some of her days are spent handling claims and transferring money to customers’ accounts. On other days she prepares reports, and towards the end of the quarter she spends a few days preparing a presentation of her department’s activities. Dawn has no “average” day-to-day behavior; she does different things all the time.
So, how can we detect intentional abuse from within? We need to construct user journeys in business applications and learn the typical usage patterns of internal and external users.
User journey analysis for internal threat detection
User journey analysis does not look at a single activity from a single user. Instead, it analyzes sequences of activities by a particular user and forms a set of journey profiles describing the paths that user takes through an application. Since users perform multiple actions in different sequences and at different time intervals, the method learns what counts as a “typical” user journey for each user. When an employee performs a sequence of actions that falls outside these normative journeys, the method identifies the changed journey as an ‘outlier’.
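The following is an added example, not RevealSecurity’s product code or anything from the original article, of the idea just described applied to the $1 scenario from the opening. It learns per-user journey profiles (transitions between consecutive application actions) from a constructed baseline of audit events, then scores new sessions and flags any session containing a transition the user has never taken before. For contrast it also runs a volumetric check (payout amount above mean plus three standard deviations), which is the kind of frequency-based UEBA test described above, and shows that a $1 payout never trips it. The users “dawn” and “mallory”, the action names and the amounts are all constructed for the example.

```python
"""User journey analysis vs. a volumetric check on constructed application
audit events (added example, not RevealSecurity's product code)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit events: (user, session_id, action, amount).
# amount is the payout for transfer actions and 0 for everything else.
BASELINE = [
    # Dawn: claims-handling days
    ("dawn", "d1", "login", 0), ("dawn", "d1", "open_claim", 0),
    ("dawn", "d1", "verify_documents", 0), ("dawn", "d1", "approve_claim", 0),
    ("dawn", "d1", "transfer_to_claimant", 2400), ("dawn", "d1", "logout", 0),
    ("dawn", "d2", "login", 0), ("dawn", "d2", "open_claim", 0),
    ("dawn", "d2", "verify_documents", 0), ("dawn", "d2", "approve_claim", 0),
    ("dawn", "d2", "transfer_to_claimant", 980), ("dawn", "d2", "logout", 0),
    # Dawn: reporting day (different from claims days, but still typical for her)
    ("dawn", "d3", "login", 0), ("dawn", "d3", "generate_report", 0),
    ("dawn", "d3", "export_report", 0), ("dawn", "d3", "logout", 0),
    # Mallory (constructed insider): ordinary claims handling so far
    ("mallory", "m1", "login", 0), ("mallory", "m1", "open_claim", 0),
    ("mallory", "m1", "verify_documents", 0), ("mallory", "m1", "approve_claim", 0),
    ("mallory", "m1", "transfer_to_claimant", 1500), ("mallory", "m1", "logout", 0),
    ("mallory", "m2", "login", 0), ("mallory", "m2", "open_claim", 0),
    ("mallory", "m2", "verify_documents", 0), ("mallory", "m2", "approve_claim", 0),
    ("mallory", "m2", "transfer_to_claimant", 3100), ("mallory", "m2", "logout", 0),
]

# New activity to score. Mallory skips document verification, edits the
# payee before approving and pays out $1 (the opening scenario); Dawn does
# a normal reporting session.
NEW = [
    ("mallory", "m3", "login", 0), ("mallory", "m3", "open_claim", 0),
    ("mallory", "m3", "edit_payee", 0), ("mallory", "m3", "approve_claim", 0),
    ("mallory", "m3", "transfer_to_claimant", 1), ("mallory", "m3", "logout", 0),
    ("dawn", "d4", "login", 0), ("dawn", "d4", "generate_report", 0),
    ("dawn", "d4", "export_report", 0), ("dawn", "d4", "logout", 0),
]

START, END = "<start>", "<end>"


def sessionize(events):
    """Group events into ordered action sequences keyed by (user, session)."""
    sessions = defaultdict(list)
    for user, session, action, _amount in events:
        sessions[(user, session)].append(action)
    return sessions


def transitions(actions):
    """Bigrams of consecutive actions, padded with start/end markers so that
    where a journey begins and ends is part of the profile too."""
    padded = [START] + list(actions) + [END]
    return list(zip(padded, padded[1:]))


def learn_profiles(events):
    """Per-user counts of every action transition seen in the baseline period."""
    profiles = defaultdict(Counter)
    for (user, _session), actions in sessionize(events).items():
        profiles[user].update(transitions(actions))
    return profiles


def novel_transitions(profile, actions):
    """Transitions in this session that the user's baseline never contained."""
    return [t for t in transitions(actions) if profile[t] == 0]


def journey_outliers(profiles, events):
    """Sessions with at least one transition outside the user's known journeys.
    A user absent from the baseline has an empty profile, so every step is novel."""
    flagged = []
    for (user, session), actions in sessionize(events).items():
        novel = novel_transitions(profiles[user], actions)
        if novel:
            flagged.append((user, session, novel))
    return flagged


def volumetric_outliers(baseline, events, k=3.0):
    """Frequency/volume check for contrast: flag transfers above
    mean + k * stdev of the user's baseline payouts. A $1 payout never trips it."""
    per_user = defaultdict(list)
    for user, _s, action, amount in baseline:
        if action.startswith("transfer"):
            per_user[user].append(amount)
    flagged = []
    for user, session, action, amount in events:
        if not action.startswith("transfer"):
            continue
        hist = per_user[user]
        limit = mean(hist) + k * pstdev(hist) if len(hist) > 1 else float("inf")
        if amount > limit:
            flagged.append((user, session, amount))
    return flagged


if __name__ == "__main__":
    learned = learn_profiles(BASELINE)
    print("journey outliers:", journey_outliers(learned, NEW))
    print("volumetric outliers:", volumetric_outliers(BASELINE, NEW))
```

Running it flags only Mallory’s session m3, with the never-before-seen transitions open_claim → edit_payee and edit_payee → approve_claim, while Dawn’s reporting session passes because it matches a journey she has taken before; the volumetric check returns nothing, since $1 sits far below her colleague’s usual payouts. In a real deployment the baseline would be learned continuously and a novel transition would be scored against how rare it is across the population rather than treated as a hard zero, but the contrast between the two detection methods is the point of the example.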
Learn user journeys at scale to prevent threats
Let’s go back to the example we started with. By deploying user journey analytics, the insurance company would have seen instances of abnormal behavior when the employee credited $1 to their own account. This anomaly would have flagged potential malicious activity, narrowing the focus to the employee in question and enabling timely intervention.
Doron Hendler is co-founder and CEO of RevealSecurity.