Inspiration
The SOAR market is expected to grow from USD 868 million in 2019 to USD 1,791 million in 2024, at a CAGR of 15.6%. Per a detailed study by Microsoft's Enterprise Strategy Group (ESG), 76% of organizations report an increase, and that figure continues to grow. Cloud-based cybersecurity solutions are trending towards decoupling software from infrastructure, with cloud investments projected to grow from $257 billion to $305 billion in 2022. In isolation, these products may have high false positive rates and poor response prioritization, resulting in deafening alert noise; as a result, organizations report that 44% of alerts are never investigated. Part of the reason these alerts fall through the cracks is a massive shortage of security professionals. Market drivers include increasing cyber attacks, a lack of available staff, stringent regulations and compliance requirements, no centralized view of threats, and a high number of false positives.
- Google Drive: 1 billion users in 2018
- Microsoft OneDrive: 415 million users in 2015
- Apple iCloud: 800 million users in 2018
- Dropbox: 500 million users in 2016 and 14.3 million paid users in 2019
What it does
A.I.R.S.O.M.E. Soaring above the rest, to secure business success. It is an end-to-end (E2E) domain solution for the finance industry covering fraud detection, AML, and compliance, with the ability to ingest multiple data sources such as IP addresses, delivering enterprise value to companies all around the world.
The name combines the letters of SOAR and SIEM to form AIRSOME (Automated Information Response Security Orchestration Managing Events).
SIEM: Security Information and Event Management. SOAR: Security Orchestration, Automation, and Response.
AIRSOME
A - Automated, I - Information, R - Response, S - Security, O - Orchestration, M - Managing, E - Events
AUTOMATION
AirSome ingests raw data from hardware and software sources such as IoT network devices, VM servers, domain controllers, firewalls, routers, switches, servers, mainframes, and IDS/IPS. Azure Sentinel is deployed side by side with the existing SIEM, with controlled migration of existing SIEM and third-party data sources. AirSome automates low-level manual processes in SIEM configuration to analyze network traffic in real time. Basic security monitoring uses Microsoft Azure Sentinel log collection to gather event log data from devices end to end, covering the Security Information Management (SIM) and Log Management System (LMS) functions. Data is collected at scale with built-in data connectors, custom use cases, detection rules, and a built-in reporting dashboard that uses machine learning to automatically remove suspected fraud accounts and flag likely ones for review.
INFORMATION
Streamlines processes and operations for monitoring information. Multi-homing is configured for data sources, with normalization, parsing, and aggregation of collected data via Sentinel workbooks. Geographic visualizations in a unified interface support continuous monitoring with real-time data tracking, event highlights, and threat lookups, configured by user logins and the longitude/latitude IP address locations of financial transactions. Historical evidence builds a complete threat story, with advanced profiling from contextual log data such as vulnerability scans, behavior analytics, identity information, user peer analytics, and user access analytics.
RESPONSE TO THREATS
AirSome offers a single-view dashboard to plan, manage, monitor, and report incident response, with endpoint detection to build risk resilience. After analyzing the data for anomalies and deviations it sends notifications and alerts, and updates watchlists and the threat database with new information. Event correlation combines security event management, SOC training, and logic rules. Statistical correlation and graph data analysis identify relationships such as mule accounts, multiple fraudulent transactions, or money laundering. Response bots built with Logic Apps alleviate alert fatigue while improving operational effectiveness using Artificial Intelligence (AI) and automation.
SECURITY
Finding the unknown security threat with machine learning, log forensics, and threat chain analytics. Microsoft Azure's Gold Security software handles the triage, containment, and eradication of threats after security alerts are validated by a 24/7 Security Operations Center response team with live-incident sync. Threat chain analytics provide contextual intelligence for the complete threat story, with context switching between SIEM and SOAR. IT compliance meets the privacy and security requirements of particular governments, markets, and customers, including financial security laws and regulations.
ORCHESTRATION
For AirSome to function as an end-to-end cybersecurity infrastructure solution, compatible financial products on premises, in the cloud, and in virtual environments must be organized together. This is done by connecting and integrating multiple Microsoft Azure Sentinel tools such as hunting queries, notebooks, and watchlists with financial intel. Security strategy and culture are strengthened by human analysis of contextual data such as vulnerability scans, user information, asset information, threat intelligence, endpoint detection and response with malware analysis, digital forensics, incident management, and in-person support. Forensic investigation leads to alerting the appropriate authorities. Security breaches are pinpointed, and organizations can investigate alerts with attack simulations to evaluate SOC readiness.
MANAGING
Silos are broken down with end-to-end, platform-wide incident management that facilitates team collaboration and visibility across the entire organization, reducing staff time requirements and time to respond on a cloud-based identity and access management service. It does this by collecting data, managing security, and detecting, hunting, investigating, and responding to cybersecurity threats!
EVENTS
AirSome employs cybersecurity case management based on incident response, with custom reports and the opening and closing of tickets, improving financial efficiency. Responses are automated with integrated SOAR analysis reports and automated playbooks connected to Microsoft 365 Defender data and to email through Office 365 and Microsoft Cloud App Security. Specific identities are monitored, with forensics and incident response on Azure 365 Defender, Azure AD, Microsoft CoFinder for identity, and Microsoft Cloud App Security. AirSome produces a post-incident forensic report with threat intelligence sharing, threat detection, incident response, and compliance support leading to remediation. Compliance covers security controls on how data confidentiality is ensured by stakeholders, decision making, managing access to critical assets, and establishing financial laws and policies.
How we built it
- DATA CONNECTORS, PARSERS
- WORKBOOKS
- ANALYTIC RULES
- HUNTING QUERIES, NOTEBOOKS, WATCHLISTS
- PLAYBOOKS, LOGIC APP CONNECTORS
The honeypot and honeypot2 deployments, using an IP geolocation API, are a computer security mechanism set up to detect, deflect, or in some manner counteract attempts at unauthorized use. We had to configure them for the data centre they would exist in (any image size is fine), along with a Log Analytics workspace and virtual machines. Setting them up with an external IP address API, the goal was to enable ICMP, write a custom log with the geo data into our Log Analytics workspace, and designate the destination host, which is just our target VM with Remote Desktop being targeted. It was interesting to see countries like China and Russia start attacking the machine's IP address; we got the geodata from it and sent it to Azure mapping while reading the RDP logs and security events.
Financial Transactions (Payments)
AirSome reduces manual inspection of suspicious accounts detected by rules, where fraudulent transactions are highlighted for bank review. Examples: credit card chargeback fraud, collusion to fix export bill purchase fees, and finance company credit charges. Suspicious high-risk companies show a pattern in high-dimensional data. We can use the Azure Machine Learning connector for unsupervised learning such as DBSCAN clustering, kernelized PCA, or Louvain communities.
Features include:
- Active account neighbor info
- Total chargeback ($)
- Total unsettled ($)
- Total settled ($)
- # of transactions
- # of settled transactions
- # of unsettled transactions
- # of banned credit cards
- # of active credit cards
- # of banned devices
- # of normal devices
Analyze the complex network of payment transactions, devices/phones, and linked accounts to find accounts that are connected to fraudulent transactions and/or devices. If the connection is strong enough, AirSome shuts down those accounts to prevent further loss.
Good phone features include high call back phone, stable group, long term phone, many in-group connections, and a 3+ friend relation. Bad phone features include short call duration, empty stable groups, no call back phones, many rejected calls, and an average distance greater than 3 relations.
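As an added example, not part of the AirSome code, the following Python computes the per-account features listed above from raw payment records, links accounts that share a device, and applies the "strong enough connection" rule: an account sharing a device with a confirmed-fraud account and carrying its own chargeback or banned card is shut down, one signal alone goes to review. The transactions, banned lists and the one-shared-device threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed payment records; statuses are settled / unsettled / chargeback.
TRANSACTIONS = [
    {"id": 1, "account": "A1", "device": "D1", "card": "C1", "amount": 120.0, "status": "settled"},
    {"id": 2, "account": "A1", "device": "D1", "card": "C1", "amount": 80.0, "status": "unsettled"},
    {"id": 3, "account": "A1", "device": "D2", "card": "C2", "amount": 300.0, "status": "chargeback"},
    {"id": 4, "account": "A2", "device": "D2", "card": "C3", "amount": 50.0, "status": "settled"},
    {"id": 5, "account": "A3", "device": "D3", "card": "C4", "amount": 75.0, "status": "settled"},
    {"id": 6, "account": "A3", "device": "D3", "card": "C4", "amount": 60.0, "status": "settled"},
    {"id": 7, "account": "A4", "device": "D2", "card": "C5", "amount": 20.0, "status": "settled"},
]
BANNED_CARDS = {"C2"}      # constructed entity-match lists
BANNED_DEVICES = set()
CONFIRMED_FRAUD = {"A2"}   # accounts the bank has already confirmed as fraudulent


def account_features(transactions, banned_cards, banned_devices):
    """Aggregate the per-account features (totals, counts, card/device tallies)."""
    cards, devices = defaultdict(set), defaultdict(set)
    feats = defaultdict(lambda: {
        "total_chargeback": 0.0, "total_unsettled": 0.0, "total_settled": 0.0,
        "n_tx": 0, "n_settled": 0, "n_unsettled": 0, "n_chargeback": 0,
    })
    for t in transactions:
        f = feats[t["account"]]
        f["n_tx"] += 1
        f["total_" + t["status"]] += t["amount"]
        f["n_" + t["status"]] += 1
        cards[t["account"]].add(t["card"])
        devices[t["account"]].add(t["device"])
    for acct, f in feats.items():
        f["n_banned_card"] = len(cards[acct] & banned_cards)
        f["n_active_card"] = len(cards[acct] - banned_cards)
        f["n_banned_device"] = len(devices[acct] & banned_devices)
        f["n_normal_device"] = len(devices[acct] - banned_devices)
        f["devices"] = devices[acct]
    return dict(feats)


def neighbor_info(feats):
    """Accounts sharing at least one device: acct -> {neighbor: shared device count}."""
    nbrs = defaultdict(dict)
    accts = list(feats)
    for i, a in enumerate(accts):
        for b in accts[i + 1:]:
            shared = len(feats[a]["devices"] & feats[b]["devices"])
            if shared:
                nbrs[a][b] = shared
                nbrs[b][a] = shared
    return dict(nbrs)


def decide(acct, feats, nbrs, confirmed_fraud, strong_link=1):
    """shutdown: >= strong_link devices shared with confirmed fraud AND an own
    chargeback/banned card; review: only one of the two signals; ok: neither."""
    if acct in confirmed_fraud:
        return "shutdown"
    link = sum(n for other, n in nbrs.get(acct, {}).items() if other in confirmed_fraud)
    f = feats[acct]
    own_signal = f["n_chargeback"] > 0 or f["n_banned_card"] > 0
    if link >= strong_link and own_signal:
        return "shutdown"
    if link >= strong_link or own_signal:
        return "review"
    return "ok"


def review_queue(transactions, banned_cards, banned_devices, confirmed_fraud):
    """Decision per account, ready for the bank review dashboard."""
    feats = account_features(transactions, banned_cards, banned_devices)
    nbrs = neighbor_info(feats)
    return {a: decide(a, feats, nbrs, confirmed_fraud) for a in sorted(feats)}


if __name__ == "__main__":
    for acct, verdict in review_queue(TRANSACTIONS, BANNED_CARDS, BANNED_DEVICES, CONFIRMED_FRAUD).items():
        print(acct, verdict)
```

Keeping the neighbor link and the account's own signal as separate inputs to the decision is what prevents a single shared device (a family tablet, a branch kiosk) from shutting down an otherwise clean account.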
Cloud Telemetry Connecting Data Connectors
Geolocation analysis visualization
Map data to a graph to account for high-risk geography alerts, with centrality measures such as highly influential nodes. The global structure can provide valuable customer insights. The graph visualization component can show the original graph data in web browsers. This is useful for manual inspection of "suspicious" accounts (which are often detected by rules or machine learning models). Users can expand KQL queries by clicking particular nodes to see related information such as the risk score for each person, phone, transaction, email, company employment, and investigation, to find "hiding in plain sight" fraud and attribution. Entity matching against known good/bad lists blocks users based on customer risk activity, attribution, and fraud potential. Relational commonality discovery and computation, such as common customers. Information propagation from neighbours or a group of similar dealers to a focal node (a dealer of high importance). Customers connected to lenders by loans, merchants connected via credit card transactions, or wire transfers. Examples include violating the anti-monopoly act by price fixing leading to unfair competition, collusion or illegal fixing of the specific credit premium rate, and market share and price fixing to form a cartel indicted on charges of fraud, embezzlement, and breach of fiduciary duty.
GEOLocation Based Customer Profiles
IP geolocation APIs give access to dashboards visualizing employee location and access attempts with logs:
- Identify a request's country of origin, and block IPs coming from countries with high fraud activity
- Identify proxies and web scrapers
- Display the currency of the user's location
- Offer content based on the user's location (or block content)
- Movement, speed, and direction
- Identify fraudulent activity
- City, country, and regional location
- Long/lat coordinates
- Timezone details, with everything timestamped
- Currency (USD for US Dollar, as an example)
- Internet service provider name
- Security data including VPN, TOR, and proxy
Geolocation feature checks for credit card fraud purchases: the IP can tell the physical location that IP is connected from. If your card is registered in one country and the purchase is made on the other side of the world, it could be identity theft based on IP geolocation data, a common financial phishing scam against businesses. A DDoS attack is an attempt to overwhelm a hosting server to prevent it from serving website visitors; cybercriminals do this with a flood of bots. IP geolocation APIs backed by a CDN (Content Delivery Network) can identify where bad traffic is coming from during an ongoing DDoS attack, visualized in user-friendly graphic form for privileged AirSome users.
Implement IP-Level Blacklisting
AirSome uses the ipgeolocation.io API, which offers up-to-date databases of malicious IP addresses reported to be involved in fraudulent activity and allows you to filter them out with traffic filtering. Organizations can stop suspicious IP addresses (web crawlers, high-risk geographies, or unauthorized access) from repeatedly attacking by adding them to their blacklists.
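As an added example (not AirSome's code and not the ipgeolocation.io client), this Python shows the two geolocation checks described above working together: a purchase is scored on card-country mismatch, high-fraud geography and anonymizer flags, a CIDR blocklist is consulted first, and sources that were blocked or sent to review are added back to the blocklist as /32 entries so repeat offenders are filtered before the lookup. The GEO table stands in for the API response and its field names (country, proxy, vpn, tor) are assumptions; the addresses are documentation ranges, "ZZ" is a placeholder country code, and the purchases are constructed.

```python
from ipaddress import ip_address, ip_network

# Hypothetical geolocation lookup standing in for the API response per address.
# Field names are assumptions; "ZZ" is a placeholder code, not a real risk list.
GEO = {
    "198.51.100.23": {"country": "ZZ", "proxy": False, "vpn": False, "tor": False},
    "203.0.113.77": {"country": "US", "proxy": True, "vpn": False, "tor": False},
    "192.0.2.200": {"country": "US", "proxy": False, "vpn": False, "tor": True},
    "192.0.2.10": {"country": "US", "proxy": False, "vpn": False, "tor": False},
}
HIGH_FRAUD_COUNTRIES = {"ZZ"}                 # constructed policy input
BLOCKLIST = [ip_network("203.0.113.0/24")]    # constructed; CIDR entries keep lookups simple

# Constructed purchase attempts: where the card is registered vs where the request came from.
PURCHASES = [
    {"id": 1, "ip": "192.0.2.10", "card_country": "US", "amount": 40.0},
    {"id": 2, "ip": "198.51.100.23", "card_country": "US", "amount": 1200.0},
    {"id": 3, "ip": "203.0.113.77", "card_country": "US", "amount": 15.0},
    {"id": 4, "ip": "192.0.2.200", "card_country": "US", "amount": 300.0},
]


def is_blocklisted(ip, blocklist):
    """True if the address falls inside any network on the blocklist."""
    addr = ip_address(ip)
    return any(addr in net for net in blocklist)


def assess(purchase, geo, blocklist, high_risk):
    """Return the reasons for concern and a decision: allow / review / block."""
    reasons = []
    ip = purchase["ip"]
    if is_blocklisted(ip, blocklist):
        reasons.append("blocklisted")
    info = geo.get(ip)
    if info is None:
        reasons.append("no_geolocation")          # cannot verify location: send to review
    else:
        if info["country"] in high_risk:
            reasons.append("high_fraud_country")
        if info["country"] != purchase["card_country"]:
            reasons.append("card_country_mismatch")
        if info["tor"]:
            reasons.append("tor_exit")
        elif info["proxy"] or info["vpn"]:
            reasons.append("anonymizer")
    if "blocklisted" in reasons or "tor_exit" in reasons:
        decision = "block"
    elif reasons:
        decision = "review"
    else:
        decision = "allow"
    return {"id": purchase["id"], "ip": ip, "decision": decision, "reasons": reasons}


def grow_blocklist(blocklist, assessments, min_hits=1):
    """Add /32 entries for sources blocked or reviewed at least min_hits times,
    so repeat offenders are stopped before the geolocation call is even made."""
    hits = {}
    for a in assessments:
        if a["decision"] != "allow":
            hits[a["ip"]] = hits.get(a["ip"], 0) + 1
    new_list = list(blocklist)
    for ip, n in hits.items():
        if n >= min_hits and not is_blocklisted(ip, new_list):
            new_list.append(ip_network(ip + "/32"))
    return new_list


if __name__ == "__main__":
    results = [assess(p, GEO, BLOCKLIST, HIGH_FRAUD_COUNTRIES) for p in PURCHASES]
    for r in results:
        print(r)
    print([str(n) for n in grow_blocklist(BLOCKLIST, results)])
```

A country mismatch alone only sends the purchase to review rather than blocking it, since travellers and corporate VPN users trigger it constantly; the hard blocks are reserved for the list the organization maintains itself and for Tor exits.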
Account Detection
Suspicious mule accounts, stolen accounts that transfer money illegally, are flagged. AirSome can predict fraud risk from objective variables even though the bank accounts themselves carry limited information (explanatory variables). Features include relationships between accounts (transaction patterns, family relationships).
Advertising/ Recommendation Frauds
Advertising/recommendation fraud looks like a bank has many users, but in actuality they are controlled by one fraudster. AirSome can be used to tell the difference between organic reviews/follows and fake ones. Features: # common products/brands followed/purchased, # products/brands not followed/purchased together, # hops between accounts, # timing between events, # devices shared, or # payment instruments shared.
AIRSOME office 356 workspace
Anti Money Laundering
A money laundering ring forms when money is transferred in a circle with layering: the criminals split the "dirty money" into smaller amounts, transfer it from account to account, and eventually merge it again, which AirSome traces.
FIBO (Financial Industry Business Ontology) is used for extraction in AML detection and prevention, cutting through layers of synthetic identities to find money laundering source accounts, arger accounts, participating accounts, or normal accounts. This can be automated with AirSome and unsupervised learning (clustering, anomalies) or supervised learning (rule/pattern extraction), using subgraph or relationship discovery combined with graph computation to find the diamonds of money laundering.
KQL Queries
AirSome's KQL representation of the transaction data makes queries intuitive and performant. It detects hidden relationships, as in the Paradise Papers, to score suspicious fraud accounts with a short response time. Traversal KQL queries make it possible for users to detect hidden relationships between accounts and their owners. KQL queries help businesses examine existing rules as well as try out and create new rules. These complex rules that score suspicious accounts (e.g. closeness to known fraud accounts) can also be expressed as graph queries and executed with a very short response time. Anti-money-laundering KQL queries that find circular money transfers over multiple intermediate steps can be easily written and executed.
AI-Powered Financial Fraud Detection
AirSome's Approach to Fraud Prevention & AML Compliance includes detecting fraud in large financial institutions with the following machine learning algorithms:
- PageRank to measure influence and transaction volumes
- Louvain to identify communities that frequently interact
- Jaccard to measure account similarity based on relationships
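As an added example that is not part of the AirSome project, the Python below runs the graph computations named in this section and in the KQL section above over a small transaction graph: circular transfers over several intermediate steps (a bounded depth-first search for cycles through an account), PageRank by power iteration, Jaccard similarity of two accounts' counterparties, and closeness to known fraud accounts as a hop count. Louvain community detection is left out. The transfer records and the known-fraud list are constructed; the four-step ring A -> B -> C -> D -> A is the laundering pattern the text describes.

```python
from collections import defaultdict, deque

# Constructed transfer records (sender, receiver, amount); not real bank data.
# A -> B -> C -> D -> A is a layered ring that returns to its origin.
TRANSFERS = [
    ("A", "B", 900), ("B", "C", 850), ("C", "D", 800), ("D", "A", 780),
    ("A", "E", 50), ("E", "F", 40), ("B", "E", 30), ("G", "A", 20),
]
KNOWN_FRAUD = {"D"}   # constructed entity-match list of confirmed bad accounts


def build_graph(transfers):
    """Directed graph as adjacency sets: out[u] = receivers of u, inc[v] = senders to v."""
    out, inc, nodes = defaultdict(set), defaultdict(set), set()
    for sender, receiver, _amount in transfers:
        out[sender].add(receiver)
        inc[receiver].add(sender)
        nodes.update((sender, receiver))
    return nodes, out, inc


def find_cycles(out, start, max_len=5):
    """Simple cycles through `start` of at most `max_len` hops, found by DFS over
    outgoing edges: money left `start` and came back via intermediaries."""
    cycles = []

    def dfs(node, path):
        for nxt in out.get(node, ()):
            if nxt == start:
                cycles.append(path + [start])
            elif nxt not in path and len(path) < max_len:
                dfs(nxt, path + [nxt])

    dfs(start, [start])
    return cycles


def pagerank(nodes, out, inc, damping=0.85, iterations=50):
    """Power-iteration PageRank; accounts fed by many well-connected senders score
    highest. Dangling nodes (no outgoing transfers) spread their mass uniformly."""
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not out[v])
        new_rank = {}
        for v in nodes:
            inflow = sum(rank[u] / len(out[u]) for u in inc[v])
            new_rank[v] = (1 - damping) / n + damping * (inflow + dangling / n)
        rank = new_rank
    return rank


def neighbours(out, inc, v):
    """Counterparties in either direction."""
    return out[v] | inc[v]


def jaccard(out, inc, a, b):
    """Similarity of two accounts' counterparty sets (shared / all)."""
    na, nb = neighbours(out, inc, a), neighbours(out, inc, b)
    union = na | nb
    return len(na & nb) / len(union) if union else 0.0


def hops_to_fraud(out, inc, start, fraud):
    """Undirected shortest hop count from `start` to any known-fraud account,
    None if unreachable; fewer hops means closer to confirmed fraud."""
    if start in fraud:
        return 0
    seen, queue = {start}, deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in neighbours(out, inc, node):
            if nxt in seen:
                continue
            if nxt in fraud:
                return dist + 1
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return None


def score_accounts(transfers, fraud, max_cycle=5):
    """Per-account signals an analyst would rank on."""
    nodes, out, inc = build_graph(transfers)
    rank = pagerank(nodes, out, inc)
    return {
        v: {
            "in_cycle": bool(find_cycles(out, v, max_cycle)),
            "pagerank": round(rank[v], 4),
            "hops_to_fraud": hops_to_fraud(out, inc, v, fraud),
        }
        for v in sorted(nodes)
    }


if __name__ == "__main__":
    nodes, out, inc = build_graph(TRANSFERS)
    print(find_cycles(out, "A"))
    print(round(jaccard(out, inc, "A", "B"), 3))
    for acct, sig in score_accounts(TRANSFERS, KNOWN_FRAUD).items():
        print(acct, sig)
```

The cycle search is bounded by hop count on purpose: on a real transaction graph an unbounded search explodes, and laundering rings of interest are short, so the maximum depth is the tunable that trades recall for query time.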
Built With
- azure
- microsoft
- powershell
- vm