In late July, the Scottish Daily Record reported that bank teller Janie Cameron stole £150,000 from the Royal Bank of Scotland over a two-year period, concealing the theft by generating fake transactions. With insider fraud like this on the rise, a growing number of solutions are now available from providers such as Actimize, Memento and Norkom Technologies to identify and prevent activity like Cameron’s.

The newest entrant in the market is Attachmate Luminet, an enterprise fraud management solution designed specifically to target insider fraud. “The insider fraud market opportunity is fairly new,” says Michael Miller, Attachmate’s director of business development and strategy. “There’s a large number of customers that haven’t yet gotten their hands around that challenge and are still struggling with it.”

And insider fraud, Miller says, is uniquely difficult to detect. “It’s mostly perpetrated by people who have legitimate access to the systems,” he says. “So unlike an outsider who’s trying to hack in, we’ve seen cases of trusted employees using their own credentials and their own access to business systems… for fraudulent purposes – and it’s really tricky to distinguish between the legitimate work and the illegitimate work.”

What’s more, Miller says, cases like Cameron’s are far from rare. “One example that we use quite often is a bank manager several years ago at Chase Bank who… slowly transferred small balances from hundreds of dormant accounts to a large number of accounts that he’d created – he was able to do this with his own access to the system: he didn’t have to hack in, he didn’t have to steal anybody else’s login – and systematically, over a year or two, he was able to siphon off a million dollars before it was detected.”

Miller says there’s a strong demand for solutions to the problem. “There seem to be pretty clear indicators globally that insider fraud is increasing, and it’s starting to cost firms more money,” he says. “So the pain is going up, and firms under [tough] economic conditions over the last couple of years are more and more sensitive to financial loss, loss of credibility in the market – any kind of negative business impact.”

What makes Luminet unique, Miller says, is that rather than analyzing log files after the fact, it records all user activity in real-time directly from the network. “We can apply real-time rules and analysis to that data, looking for patterns, looking for keywords, and we can fire off alerts immediately if we see things to flag,” he says.

And those alerts can be tied to comparatively complex, multi-factor rules. “You can say, ‘Give me an alert any time one of my call center employees is accessing dormant accounts after hours and twice as often as the average for everybody on that team,’” Miller says. “Something like that really narrows it down to where the alerts you’re getting really are anomalies – they’re not just standard behavior.”

Gartner Research distinguished analyst Avivah Litan says Luminet’s ability to monitor at the application level is a key strength. “Through a product called Intellinx that they’re OEMing, they can monitor native IBM traffic without having to have a log file send the traffic to the monitoring system… They can read and interpret IBM protocols, mainframe protocols, which none of the other vendors can do,” she says.

The next step for fraud management solutions like these, Litan says, will be to move beyond rule-based systems. “No one has built predictive models for employee fraud,” she says. “You can only catch what you know to look for – that’s the state of the art today – so no one’s going to be able to find the next SocGen trading scam if they haven’t thought of it yet… Hindsight is easy – it’s foresight that’s hard.”

And the range of threats will only increase over time. “As more information becomes electronic, more damage can be done electronically,” Litan says. “And the systems are getting much more complicated – there’s more information, more complexity, and it’s impossible for human beings to sort through all of that activity. You’ve really got to have the right radar systems knowing where to look and what to look for.”

Still, Litan says the simple act of deploying a fraud management solution can itself help to deter fraud. “As soon as the first guy is caught, somehow the word gets around the organization really quickly,” she says. “What I’ve heard from my clients is that as soon as the employees find out there are surveillance systems, it acts as a very big deterrent.”

Ultimately, Litan says, it’s surprisingly easy for most companies to justify the expense of deploying solutions like these. “Companies that put them in are shocked at what they find… Usually, they find enough fraud to pay for the whole system in six months,” she says.

Jeff Goldman is a frequent contributor to eSecurityPlanet. He lives and works in Southern California.
 
Follow eSecurityPlanet on Twitter @eSecurityP.