Marketplace Providers

Belleron

CAPTURE® – When all else fails


Combatting Financial Crime at Scale

The CAPTURE® Platform is an unprecedented organized financial crime, terrorism and innovation executive-decision support and response system. The system is used in War Rooms and Boardrooms as the last line of defense when all else fails. The system provides trend intelligence about previously unknown, real-time massive attacks that operate beyond traditional system silos, peer groups, and accounts. The dashboard provides insights for executives, allowing them to pinpoint the exact impact of an attack without having to close the entire bank – instead, they can close only parts that are affected, before the attack becomes serious.

Overview

[ANALYTICS] Triggers

Different triggers need to be monitored inside and outside the bank. Triggers come out of all the existing data sources of the bank: the core banking systems, the compliance systems, the cyber-security systems, the anti-fraud systems, the locked vaults, session monitoring, firewalls, logging tools and logs of third parties. All data available within the bank is used to create analytics, without any thresholds or manipulation of the data, so that unnecessary alerts are avoided. Sample triggers are:

  • unusual devices
  • unusual web sessions
  • unusual merchant category code
  • unusual country of initiation

CAPTURE® uses advanced technology to connect all integrated data sources in a supercharged modular way, so that all basic information is fed into one central system.

[RESPONSE] Adaptive Thresholds

Adaptive thresholds define expected anomalies at any given moment. The millions of time-stamped cubes compare what’s normal and what’s abnormal behavior at a certain point in time. The CAPTURE® Platform needs to be able to do that properly with, for example, the comparison that one must make between December 24 and January 5. The CAPTURE® Platform uses adaptive thresholds to compare. The platform can compare all cubes in conjunction with day-to-day business reality. So, on December 24, the platform can easily track tens of millions of big transactions. However, on January 5, the platform tracks only a few million big transactions. So, the platform compares what’s unfolding with what’s happening on the benchmark day. Adaptive thresholds look at what is a real anomaly, or what is an anomaly given the moment in which it takes place.

[ANALYTICS] Segments

All triggers contain very valuable characteristics, categorized in segments. All triggers need to be segmented: there are thousands of triggers available within the bank, and they need to be monitored and put into “static and dynamic segments”. With these segments, the bank’s complete ecosystem can be analyzed in real time. The fingerprint of these triggers encompasses a multitude of dynamic segments. In addition, CAPTURE® is able to mine static client data, which we call “static segments”. Examples of those segments are:

  • mobile device/Samsung S6 (dynamic segment)
  • Chrome web browser/Chrome 54.0.2840.98 (dynamic segment)
  • MCC/Florists (dynamic segment)
  • B-country/Russia (dynamic segment)
  • mortgage customer (static segment)
  • occupation (static segment)
  • last IP address range (static segment)

The system is fed directly in real time, or whenever the data is available, into the segmented data framework. Segments can include thousands of different areas, such as the browser type, login type, bank products, etc.

[RESPONSE] Preventive Analytics

Then, the CAPTURE® Platform goes into the next process step. It knows which anomalies are unfolding because of the adaptive thresholds, with all the cubes’ information, and provides a full comparison. It needs to operate with autonomous artificial intelligence, like a self-driving car, with the ability to leverage or turn off very specific parts of the bank’s ecosystem when attacks are unfolding. That is what we mean by “Preventive Analytics”.

[ANALYTICS] Cubes

Cubes bring a time dimension to the triggers and segments. Each time-stamped cube is created from one or more triggers related to individual segments, and serves to aggregate both frequency and financial value over time to detect emerging trends. Every combination of triggers and segment contains multiple cubes representing activity over various periods: from the last minute and the last five minutes, all of the way up to the last 24 hours. Millions of these cubes are combined to provide powerful insights, enabling us to visualise specific vulnerabilities as events unfold. At their most granular they inform a rapid but appropriate response when a suspected attack begins to accelerate; the larger time periods and wider aggregations allow us to avoid missing the slow build-up that is often indicative of the early phases of an attack, reveal transient or isolated anomalies, and give a concise, accurate view of any developing threat as it escalates. Example cubes CAPTURE® keeps track of:

  • in the last 2 hours, more than 5.000 transactions via unusual web sessions through Chrome 54.0.2840.98 were executed
  • in the last 15 minutes, more than 4.500.000 EUR was transferred towards an unusual B-country, Russia
  • over the last 4 hours, more than 20.000 online transactions were performed via an unusual device, Samsung S6

[RESPONSE] Fuses

Fuses are circuit breakers used to close only the parts of the bank’s system that are compromised, but never the entire bank. With these analytics, the platform can make the right decisions to stop certain isolated corrupted processes. We all know the fuses in our houses that are used as electricity circuit breakers. We have the main and specific groups. Basically, what traditional old-fashioned homes used to have were two fuses: one for the ground floor and another for the second floor. That’s basically what’s still happening with most banks, quite amazingly. If something happens, banks turn off the entire online banking website ecosystem or the entire mobile banking ecosystem. In our vision, banks want to isolate that to just one room, or one machine in a room. So, each item has its own very specific fuse. For example, it means that if banks see anomalies of people with a Hungarian nationality using one browser X, then they must be able to turn off only browser X for Hungarians using those bank products. Banks should be able to turn off very specific fuses.
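As an added illustration of the cubes, adaptive thresholds and fuses described above (this is not Belleron’s code; the sample events, the benchmark-day cubes and the “three times the benchmark” rule are constructed assumptions), the Python sketch below aggregates count and value per trigger and segment over sliding windows, compares each cube with the same cube on the benchmark day, and trips only the fuse of the affected segment:

```python
from collections import defaultdict
from dataclasses import dataclass

WINDOWS = {"1m": 60, "5m": 300, "24h": 86400}  # cube time dimensions, in seconds

@dataclass(frozen=True)
class Event:
    ts: int        # unix seconds
    trigger: str   # e.g. "unusual_web_session"
    segment: str   # e.g. "browser/Chrome 54.0.2840.98" (a dynamic segment)
    amount: float  # transaction value in EUR

def build_cubes(events, now):
    """Aggregate (count, value) per (trigger, segment, window) ending at `now`."""
    cells = defaultdict(lambda: [0, 0.0])
    for e in events:
        age = now - e.ts
        for name, secs in WINDOWS.items():
            if 0 <= age < secs:
                cell = cells[(e.trigger, e.segment, name)]
                cell[0] += 1
                cell[1] += e.amount
    return {k: (c, v) for k, (c, v) in cells.items()}

def is_anomalous(count, benchmark_count, factor=3.0, min_count=5):
    """Adaptive threshold: judge a cube only against the same cube on the
    benchmark day (Dec 24 vs Jan 5), never against one fixed global limit."""
    return count > max(benchmark_count * factor, min_count)

class FuseBox:
    """Segment-specific circuit breakers: trip one (trigger, segment), not the bank."""
    def __init__(self):
        self.tripped = set()
    def evaluate(self, cubes, benchmark, window="5m"):
        for (trig, seg, win), (count, _value) in cubes.items():
            if win == window:
                base = benchmark.get((trig, seg, win), (0, 0.0))[0]
                if is_anomalous(count, base):
                    self.tripped.add((trig, seg))
        return self.tripped
    def allows(self, trigger, segment):
        return (trigger, segment) not in self.tripped

# Constructed sample data: a burst on one browser segment, normal load on another.
NOW = 1_700_000_000
T, CHROME, FIREFOX = "unusual_web_session", "browser/Chrome 54.0.2840.98", "browser/Firefox 50"
EVENTS = [Event(NOW - 10 * i, T, CHROME, 100.0) for i in range(12)]  # 12 hits in 2 minutes
EVENTS += [Event(NOW - 30, T, FIREFOX, 50.0), Event(NOW - 200, T, FIREFOX, 50.0)]  # normal
BENCHMARK = {(T, CHROME, "5m"): (3, 300.0), (T, FIREFOX, "5m"): (2, 100.0)}  # constructed benchmark day
```

Running `FuseBox().evaluate(build_cubes(EVENTS, NOW), BENCHMARK)` trips only the Chrome 54 segment, while Firefox sessions keep flowing, which is the page’s point that the fuse isolates one room rather than the whole floor.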

Features

Belleron builds upon its established position as an Advanced Persisting Threats (APT) company. We have been successfully fighting APT for years, by installing defense systems such as cyber-security systems, anti-fraud systems and compliance systems. As threats get more sophisticated and better funded, attackers take more time and they attack in more advanced, massive and difficult-to-detect ways. Most banks make a tremendous effort to prevent security breaches, identity theft, financial fraud, money laundering, terrorist financing, and other risk-sensitive customer activities.

The main vulnerability of their protection systems is that they:

  • Operate based on preventing “outside evil” from getting inside
  • Are organized in stovepipes
  • Do not cover scenarios in which they are internally compromised

The only conclusion to be made is that banks must start to anticipate threats that are unknown to them. Innovative banking requires more intelligent defense, providing the last line of defense when all else fails.

The bank defense systems are all concentrated on capital gain. Criminals attack a bank to win money. However, in our experience terrorists do not have capital gain as their main objective; instead they strive for disruption. What they want to create is disbelief, fear and panic. They want to kill your bank… not by stealing money, but by making sure that the public will stop using the services of your bank. So, it’s disruption and loss of credibility that the terrorists are trying to create; however, all the existing defense systems are related to financial crime for capital gain, not financial terrorism.

By installing all these APT defense systems, at Belleron we have seen all the available information and analyzed every threat for many years. We saw that, in every case, only the tip of the information iceberg was used in these systems. That’s perfect for individual fraud, regardless of the size; however, for massive attacks, these systems can’t prevent chaos.

Preventive real-time analytics are the Holy Grail when it comes to massive and difficult-to-detect terrorist attacks on banks and managing intelligent responses during the time of an attack unfolding. Today’s bank defense systems come with many limitations. Bank executives do not know how to respond when the attacks unfold.

They lack the executive decision support systems needed to turn unknown threats into measured responses. Below are four simple examples of fundamental issues that cause protection challenges.

  • Most banks don’t track fraud cases under $100, because investigating them will cost a lot more than the $100 itself. However, if these frauds are unfolding and there are 10,000 of these $100 fraud cases, then these systems won’t spot this, because they do not look at them nor see them as a main threat.
  • Most banks don’t even monitor the information combined in a central environment on a very generic level, and, therefore, the “triggers” revealing the massive attack can’t be identified!
  • Even if a central real-time combined information system is in place, banks are not able to work with such a system. They should be able to create “anomalies” with “adaptive thresholds” and “preventive analytics”, so that they can contain or block potentially unfolding attacks before they become a massive attack.
  • But, that’s just the beginning, banks must make sure that the combined information system continues learning from what it’s monitoring. They must create smaller and smaller “fuse boxes”, so that, whenever a massive and difficult-to-detect attack unfolds, the impact on the bank is brought to a bare minimum, with very specific appropriate and effective responses to stop the attack.
