Fraud Detection with Risk Scoring in HP ArcSight ESM

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

The document outlines methods for fraud detection using risk scoring in HP ArcSight ESM. It involves developing a FlexConnector to parse fixed-width text data from various sources like legacy systems or SAP databases, which are then analyzed for specific patterns such as high personal card transactions above $80 and low freight card transactions below $30. The process prioritizes accounts based on these findings into Alert, Suspicious, or Watched categories through active lists and correlation thresholds. Two methods for escalating account priorities are discussed: Method 1 uses simple rule filters, while Method 2 employs an active list reference. Additionally, the document explores cumulative scoring by summing scores from correlated financial application events, triggering actions based on predefined risk score thresholds. The article concludes with a call to further enhance these models through daily/weekly trend actions and leveraging software features like handling currencies, values, and custom fields for more sophisticated analysis.

Details:

This document discusses methods for fraud detection using risk scoring in HP ArcSight ESM. The process involves collecting financial data from various sources, such as legacy systems or SAP databases, which can be complex and require detailed documentation. To overcome this, a FlexConnector is developed to parse fixed-width text data programmatically. The article then discusses simple correlation thresholds for identifying fraudulent activities, such as high personal card transactions above $80 and low freight card transactions below $30. It addresses the challenge of investigating everything by prioritizing accounts that consistently violate limits, separating them into Alert, Suspicious, or Watched categories based on a methodology that uses active lists to compare events. The article introduces two methods for escalating accounts between priority levels: Method 1 uses simple rule filters, which can be hard to maintain, and Method 2 employs an active list reference for easier updates and tidier rules. Lastly, the document explores cumulative scoring by adding up scores from correlated financial application events. This is achieved through a methodology where each event's score is looked up and added cumulatively to the account's total risk score, triggering actions based on predefined thresholds.

The source appears to be a presentation on risk modeling and security analysis, possibly from a financial or technology context such as enterprise web services. Its main points are:

1. **Introduction**: The document discusses methods for building simple correlation rules that identify potential risks by looking for specific violations. These rules are used to populate an active list with scores, which is then compared and analyzed to flag the accounts with the highest risk scores.
2. **Simple Risk Modeling**: This section explains how to use variables to calculate a revised risk score by adding the additional score from a lookup table (the correlated event) to the old risk score held in the cumulative active list. The process involves categorization and applies to simple correlation rules.
3. **Final Output**: The final step in this model is generating an output that highlights or alerts on accounts with high risk scores. It also covers the handling of null/zero values, which can affect analysis accuracy.
4. **Cumulative Risk Scores**: This part introduces the concept of cumulative risk, where historical data and current evaluations are combined to create a more comprehensive view of risk across multiple accounts.
5. **Escalating Accounts**: The document moves on to discuss how to identify "escalating accounts", those whose risk scores rise over time. Strategies include creating active lists, adding scores, and flagging alerts on the highest-scoring accounts.
6. **Taking It Further**: This section suggests expanding upon basic risk modeling by incorporating daily/weekly trend actions to refresh statistics, analyzing per-account behavior against trends, and using native features of the software such as handling currencies, values, and custom fields. The goal is to build more sophisticated risk models that adapt to changes in data or circumstances.
7. **Questions**: At the end of the summary, a question-and-answer session is implied where attendees can ask about the presented material or share feedback related to security for enterprise web services.

Overall, the document provides a structured approach to risk management in complex environments using simple yet effective techniques that can be enhanced over time with more advanced analytics and automated tools.
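To make the cumulative scoring and escalation mechanism concrete, here is a small stand-alone model of the pipeline the post describes: parse fixed-width records (the FlexConnector step), apply the two correlation thresholds from the post ($80 personal, $30 freight), look up each correlated event's score in a table, add it to the account's running total in an active-list-style store, and derive the Watched/Suspicious/Alert tier from a reference list rather than from hard-coded rule filters (the post's Method 2). This is an added illustration written for this page, not ArcSight ESM rule content or the author's code; the sample records, the column layout, the per-rule scores and the tier thresholds are all constructed assumptions, and null amounts are dropped rather than scored, as the post's note on null/zero values suggests.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of fixed-width records (not from the original page).
# Layout assumed for the illustration: account (8 chars), card type (8 chars),
# amount in dollars (8 chars, right-aligned, blank when the source had no value).
SAMPLE_RECORDS = [
    "ACC00001PERSONAL  120.00",
    "ACC00001PERSONAL   95.50",
    "ACC00002FREIGHT    25.00",
    "ACC00001PERSONAL   12.00",
    "ACC00003FREIGHT         ",  # null amount: must not contribute a score
    "ACC00002FREIGHT    15.00",
    "ACC00002PERSONAL   81.00",
    "ACC00001FREIGHT    20.00",
]

# Thresholds stated in the post.
HIGH_PERSONAL_LIMIT = 80.0
LOW_FREIGHT_LIMIT = 30.0

# Hypothetical lookup table: correlated event (rule name) -> score it adds.
SCORE_LOOKUP: Dict[str, int] = {"HighPersonalCard": 5, "LowFreightCard": 3}

# Hypothetical escalation reference list, highest tier first, so a rule can
# consult one list instead of carrying a separate filter per tier.
TIER_REFERENCE: List[Tuple[str, int]] = [("Alert", 12), ("Suspicious", 8), ("Watched", 4)]


@dataclass
class Txn:
    account: str
    card_type: str
    amount: Optional[float]  # None when the fixed-width field was blank


def parse_fixed_width(line: str) -> Txn:
    """FlexConnector-style parse of one record into a typed transaction."""
    account = line[0:8].strip()
    card_type = line[8:16].strip()
    raw_amount = line[16:24].strip()
    amount = float(raw_amount) if raw_amount else None
    return Txn(account, card_type, amount)


def correlate(txn: Txn) -> Optional[str]:
    """Simple correlation rule: name of the limit the transaction violates, or None."""
    if txn.amount is None or txn.amount == 0:
        return None  # null/zero values would distort the totals; skip them
    if txn.card_type == "PERSONAL" and txn.amount > HIGH_PERSONAL_LIMIT:
        return "HighPersonalCard"
    if txn.card_type == "FREIGHT" and txn.amount < LOW_FREIGHT_LIMIT:
        return "LowFreightCard"
    return None


class RiskActiveList:
    """Models the cumulative active list: one running score per account."""

    def __init__(self) -> None:
        self.scores: Dict[str, int] = {}

    def add(self, account: str, rule: str) -> int:
        # revised score = old score from the active list + lookup score for the event
        added = SCORE_LOOKUP.get(rule, 0)  # unknown rule adds 0, never a null
        self.scores[account] = self.scores.get(account, 0) + added
        return self.scores[account]

    def tier(self, account: str) -> str:
        """Escalation level derived from the reference list; 'None' if unlisted."""
        score = self.scores.get(account, 0)
        for name, threshold in TIER_REFERENCE:
            if score >= threshold:
                return name
        return "None"

    def ranked(self) -> List[Tuple[str, int, str]]:
        """Final output: accounts ordered by risk score, highest first."""
        return sorted(
            ((acct, score, self.tier(acct)) for acct, score in self.scores.items()),
            key=lambda row: row[1],
            reverse=True,
        )


def process(lines: List[str]) -> RiskActiveList:
    """Run every record through parse -> correlate -> cumulative scoring."""
    active_list = RiskActiveList()
    for line in lines:
        txn = parse_fixed_width(line)
        rule = correlate(txn)
        if rule is not None:
            active_list.add(txn.account, rule)
    return active_list


if __name__ == "__main__":
    for account, score, tier in process(SAMPLE_RECORDS).ranked():
        print(f"{account}: score={score} tier={tier}")
```

Running it over the constructed records leaves ACC00001 at 13 (Alert) and ACC00002 at 11 (Suspicious), while ACC00003 never enters the list because its only record carried a null amount. Changing a tier boundary means editing `TIER_REFERENCE`, not every rule that consults it, which is the maintenance benefit the post attributes to Method 2.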

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
