Financial fraud has a wide range of impact across a society.  Providers of financial services may incur the largest losses, but the users of financial services who become victims may be hit much harder.  Fraud victims range across the income scale, and even a small fraud can be catastrophic to a vulnerable member of a society.  The United Kingdom’s Annual Fraud Indicator 2012 report [1] estimated losses to the financial services sector at 3.5 billion.  This does not include identity fraud, which adds more than a billion to the number.


While analytics-based fraud detection has helped to stem the rapid growth of these losses, the attractiveness of the industry to fraudsters remains strong. Two criminal endeavors targeting the financial services sector, Operation High Roller and Project Blitzkrieg, were identified and researched by McAfee in 2012.  The analysis of these attacks shows that their sophistication has grown significantly.


The McAfee SIEM aids the fraud analyst in two ways: by enabling the combination of transaction analysis with analysis of network events, and by bringing the products of McAfee research to bear in identifying known bad actors around the world.


Combining Fraud Analysis with Network Analysis


Current research has shown that a successful way to improve the efficiency of fraud detection, seen as unusual activity in a system, is to combine it with other measures of unusual activity, such as on a network [2].  A useful example is combining the output of a Benford test with some of the built-in correlation rules that identify unusual activity on a network.


Benford’s Law, informally stated, says that in certain sets of numbers, the leading digits 1 through 9 are not equally likely to occur.  The dollar amounts of checking account transactions are an example of such a set.  Fraud analysts use Benford’s law and some related formulas to identify transactions that cause the set to break the law, often indicating some form of financial fraud.  Below is an example of how a Benford test is used.

[Figure: example of a Benford test applied to transaction amounts]

Source: Benford's Law: Applications for Forensic Accounting, Auditing, and Fraud Detection [3]


While the Benford Test is a powerful tool for fraud detection, it can be limited in the insight it provides.  If multiple spikes come out of a test, the fraud analyst may struggle to eliminate the ones that have a reasonable explanation, or may need additional context that the transaction amounts alone cannot provide.


The McAfee SIEM provides correlation rules that identify unusual activity on a network by combining events from several sources, such as OS logs, firewalls, databases, and even applications.  Built-in rules, shipped with the product, that are valuable for fraud analysis include:


  • Same User Logon from Different Geolocation
  • Same User Logon from Different Host
  • Same User Logon from Different IP
  • Successful database logons after repeated failed logons
  • Successful login after suspicious activity


These rules match up well to the records of recent attacks against financial institutions.


If the output of a Benford test is set up as a custom data source, and the transaction IDs are set up as a custom data type, then spikes in the Benford test can be correlated with the network events raised by the McAfee SIEM.  This both focuses the response effort of the security and fraud teams and adds needed context to the numerical data produced by fraud detection algorithms.
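The following is an added example, not code from the original post or from the McAfee SIEM, showing the two steps described above: a first-digit Benford test that flags digits occurring more often than the law predicts, and a correlation of the transactions behind each spike with network alerts for the same user. The transactions, user names and alerts are constructed sample data; the rule names are the built-in rules listed above.

```python
import math
from collections import Counter

# Benford's law: expected share of each leading digit d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading significant digit of a positive transaction amount."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    while amount < 1:
        amount *= 10
    while amount >= 10:
        amount /= 10
    return int(amount)


def benford_spikes(transactions, z_threshold=3.0):
    """Return {digit: z} for leading digits occurring significantly MORE often
    than Benford predicts. transactions is a list of (txn_id, user, amount)."""
    n = len(transactions)
    counts = Counter(first_digit(amount) for _, _, amount in transactions)
    spikes = {}
    for d, p in BENFORD.items():
        z = (counts[d] / n - p) / math.sqrt(p * (1 - p) / n)  # one-proportion z-test
        if z > z_threshold:
            spikes[d] = round(z, 2)
    return spikes


def correlate(transactions, spikes, network_alerts):
    """Keep only transactions in a spiking digit whose user also tripped a
    network correlation rule; this is the context the Benford output lacks."""
    alerted = {a["user"]: a["rule"] for a in network_alerts}
    return [(txn_id, user, amount, alerted[user])
            for txn_id, user, amount in transactions
            if first_digit(amount) in spikes and user in alerted]


# Constructed sample data: 970 legitimate amounts spread log-uniformly over three
# decades (such data follows Benford's law closely; left unrounded on purpose),
# plus 60 fraudulent transfers by "mallory" that all start with the digit 4.
TRANSACTIONS = [(f"T{k:04d}", "alice" if k % 2 else "bob", 10 ** (3 * k / 970))
                for k in range(970)]
TRANSACTIONS += [(f"F{i:03d}", "mallory", 4900.0 + i) for i in range(60)]

# Constructed network alerts, named after the built-in rules listed above.
NETWORK_ALERTS = [
    {"user": "mallory", "rule": "Same User Logon from Different Geolocation"},
    {"user": "carol", "rule": "Successful login after suspicious activity"},
]

if __name__ == "__main__":
    spikes = benford_spikes(TRANSACTIONS)
    print("spiking digits:", spikes)
    for hit in correlate(TRANSACTIONS, spikes, NETWORK_ALERTS)[:3]:
        print(hit)
```

Run on the sample data, only digit 4 spikes, and the correlation narrows the 155 transactions behind that spike to the 60 whose user also raised a logon alert.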


Combining Fraud Analysis with Threat Intelligence


McAfee is a company that lives and breathes security.  In addition to teams providing tools that reduce risk for a company, other teams focus on content that makes the tools more effective.  For detection of fraud, two important sources are the correlation rules created to combat specific pervasive threats, and the Global Threat Intelligence feed that identifies suspicious and malicious IP traffic based on a continuous big data analysis of worldwide traffic.


While a financial services company may have its own mature fraud detection program, any program can benefit from solid external intelligence.  It may fill in gaps, or it may supplement existing work and allow the group to better focus its efforts.  Companies that use the McAfee SIEM can avail themselves of content teams who identify global threats and create correlation rules on the SIEM to detect them.  One example is a recently published rule, “Project Blitzkrieg - Communication with Known Command and Control Server”, to aid detection of a threat directed at the financial services sector.

In addition to correlation rules, the McAfee SIEM has a component called the Advanced Correlation Engine (ACE), which is both unique and invaluable in enhancing fraud detection.  The ACE allows risk-based correlation, which goes beyond real-time rule-based correlation (which tells you quickly what you want to know) and gives you a dynamic picture of the evolving risk at your company (which tells you what you didn’t know).  When the GTI feed is used as an input for a risk correlation manager, your organization can gauge how much traffic from malicious sources such as botnets or other known bad actors is directed at your organization.


[Figure: GTI risk filter]

Filter traffic so that only traffic with a malicious reputation is included in the risk calculation.

[Figure: GTI risk fields]

Is inbound malicious traffic more important than outbound?  You can configure the risk correlation manager to reflect the business rules at your company.





Two important enhancements to fraud detection were outlined above: combining fraud analysis with network analysis and incorporating external intelligence. Each alone is a worthwhile effort for a fraud detection program; a company could choose to adopt both to gain even more benefits in its efforts to stem fraud losses.  Both leverage the unique capabilities and advantages of the McAfee SIEM.


Grant Babb

SIEM Product Manager




[1] National Fraud Authority, “Annual Fraud Report 2012”


[2] Stefan Hoyer, Halyna Zakhariya, Thorben Sandner, Michael H. Breitner, "Fraud Prediction and the Human Factor: An Approach to Include Human Behavior in an Automated Fraud Audit," HICSS, pp. 2382-2391, 2012 45th Hawaii International Conference on System Sciences, 2012


[3] Mark Nigrini, "Benford's Law: Applications for Forensic Accounting, Auditing, and Fraud Detection," John Wiley & Sons, 2012