Continuous Transaction Monitoring (CTM) protects financial integrity, even when network security inevitably fails

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Everyone's seen the headlines. TJX. RSA. PlayStation Network. Symantec. Major corporations with massive investments in network security reduced to public ridicule and expensive liability by hackers. Even governments aren't immune, as proven by online vigilantes like WikiLeaks and Anonymous.


It's no longer a question of if network security is going to be circumvented. It's a question of how often - and how much it's going to cost to clean up the mess. When that happens, how does a company ensure that its financial transactions - arguably its most essential digital resource - maintain their accuracy and integrity?

Ironically, financial transactions themselves carry the essential information that can make them impervious to attack, even when security measures fail. The solution comes from a relatively little-known but rapidly growing technology called Continuous Transaction Monitoring (CTM).

What Your Transactions Can Tell You

CTM automatically extracts key transaction information from ERP systems across the enterprise. This data is kept in a secure, independent data warehouse so consistent analyses can take place across disparate systems. These systems are often managed by an outside party to minimize the risk that a compromised user account can tamper with the CTM data.

CTM applies multiple forensic techniques to each transaction as it is executed. These ongoing, real-time analytics give line managers and senior executives plain-language insight into improper or fraudulent transactions, which in turn enables immediate response to complex, rapidly changing attack scenarios. Business process owners can connect high-level trends to the root cause underlying unexpected results without having to wait for reconciliations or audits.

The technology is used for a wide variety of financial needs, such as monitoring purchase cards or travel and expense programs for fraud or misuse, eliminating duplicate or improper payments, or tracking regulatory and corporate compliance.

However, CTM's advanced analytics also enable more sophisticated uses. In one example, a CFO wanted to connect the identification of high-risk vendors and suspicious transactions with the ability to recognize potential Foreign Corrupt Practices Act (FCPA) liability situations.

CTM's analytics recognized patterns that only occur at the transaction level so that seemingly unrelated events could be identified and rectified before they became crises. One manager rather than four now handles initial review and escalation for high-risk situations, and the company overall responds daily to FCPA risks that previously couldn't be identified until months after the fact - if ever.

Another company uses a nearly identical CTM platform for a very different purpose. This organization suspected that the same items were being purchased in similar quantities at significantly different prices. However, every purchasing manager was operating within corporate controls and policy. The company knew it was overspending, but it couldn't tell where or by how much.

Using CTM, this company now finds better deals before orders are executed. Every line item on a purchase order is automatically analyzed against similar SKUs - even ones originating in nominally incompatible systems. Opportunities to secure better prices get directed to purchasing managers automatically - before the purchase order is issued to the vendor. Equally important, the CFO receives ongoing reports into vendor contract compliance and areas where the company can negotiate better deals.

While CTM is not a network security technology, it provides an essential security function. Data is always at risk, whether accessed at the network, database or application level. However, the patterns behind improper transactions are consistent. Vendor numbers don't match. Multiple purchases at just under the allowed limit show intentional attempts to circumvent spending limits. The list of patterns that can be recognized once CTM analytics have been applied is almost limitless.

As a result, CTM protects transactions themselves, rather than the hardware, software or networks used to store and transport them. Data extraction and analysis take place on separate systems away from core ERP applications, which makes it very difficult for any criminal to access or alter the process. It doesn't matter if a hacker is using a fake identity, if a legitimate user's system has been compromised by spear phishing or social engineering, or if an intruder has gained access to sensitive systems. The improper transactions will be found and fixed before cash leaves the premises.
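The three patterns named above (a payment repeated against the same invoice, purchases kept just under the approval limit, and a vendor number that does not match the vendor master) written out as simple transaction-level rules. This is an added Python example, not code from the article or from any CTM product; the approval limit, the vendor master and the five transactions are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data (not a real ERP export): vendor master plus five payments.
VENDOR_MASTER = {"V100": "Acme Supplies", "V200": "Globex Parts"}
APPROVAL_LIMIT = 5000.00  # assumed single-transaction approval threshold
FIELDS = ("id", "user", "vendor_no", "vendor_name", "invoice", "amount", "date")
TRANSACTIONS = [dict(zip(FIELDS, r)) for r in [
    ("T1", "alice", "V100", "Acme Supplies", "INV-1", 1200.00, date(2012, 1, 3)),
    ("T2", "alice", "V100", "Acme Supplies", "INV-1", 1200.00, date(2012, 1, 4)),  # repeats T1
    ("T3", "bob",   "V200", "Globex Parts",  "INV-7", 4900.00, date(2012, 1, 5)),
    ("T4", "bob",   "V200", "Globex Parts",  "INV-8", 4950.00, date(2012, 1, 6)),  # split with T3
    ("T5", "carol", "V300", "Acme Supplies", "INV-9",  800.00, date(2012, 1, 6)),  # V300 unknown
]]

def find_duplicate_payments(txns):
    """Flag a payment whose vendor, invoice and amount repeat an earlier payment."""
    seen, flags = {}, []
    for t in txns:
        key = (t["vendor_no"], t["invoice"], round(t["amount"], 2))
        if key in seen:
            flags.append((t["id"], "duplicate of " + seen[key]))
        else:
            seen[key] = t["id"]
    return flags

def find_split_purchases(txns, limit=APPROVAL_LIMIT, window_days=3, band=0.90):
    """Flag two purchases in the top 10% below the limit by the same user within
    a few days of each other: the limit-circumvention pattern from the text."""
    near = defaultdict(list)
    for t in txns:
        if band * limit <= t["amount"] < limit:
            near[t["user"]].append(t)
    flags = []
    for user, txs in near.items():
        txs.sort(key=lambda t: t["date"])
        for prev, cur in zip(txs, txs[1:]):
            if cur["date"] - prev["date"] <= timedelta(days=window_days):
                flags.append((cur["id"], f"split purchase with {prev['id']} by {user}"))
    return flags

def find_vendor_mismatches(txns, master=VENDOR_MASTER):
    """Flag a payment whose vendor number is unknown or names a different vendor."""
    return [(t["id"], f"vendor number {t['vendor_no']} does not match master")
            for t in txns if master.get(t["vendor_no"]) != t["vendor_name"]]

def review(txns):
    """Run every rule; returns (transaction id, reason) pairs for the review queue."""
    return find_duplicate_payments(txns) + find_split_purchases(txns) + find_vendor_mismatches(txns)
```

Each rule works only on the fields in the transaction itself, which is the point the text makes: the checks hold whether the transaction came from a legitimate user or from someone using that user's account.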

CTM vs. IDS and SIEM

Given that CTM acts much like an online burglar alarm, correlating suspicious events and activities and drawing attention to anomalies and unexpected results, it's inevitable that it gets compared to intrusion detection system (IDS) and security incident and event management (SIEM) applications. Any similarities, however, are superficial.

For example, IDS and SIEM measure traffic as it travels across the wire, typically with some degree of packet content inspection. All network traffic is monitored - up to 10,000,000 packets per second on a 10 Gigabit Ethernet network. As a result, IDS/SIEM applications focus on event-handling capacity.

By comparison, financial transaction rates number in the tens of millions per month. However, these transactions are significantly more multi-dimensional than network traffic - purchase orders have line items, journal entries roll up to sub-ledgers. The tradeoff between rates and data complexity dictates a different type of analytics. Concepts such as unusual amounts, similar addresses, character and word statistics and recurrence analysis are critical for financial transaction analyses.

IDS/SIEM applications are truly horizontal in nature. It's the same basic technology for financial service firms, government agencies or consumer goods manufacturers. In short, IDS/SIEM is an IT tool. It does what it's designed to do - recognize and stop a hack or attack in mid-stream. There's no mechanism to identify fraudulent transactions from authorized users accessing authorized servers and applications for malicious ends.

CTM looks specifically for authorized users - or intruders masquerading as authorized users - executing improper or unauthorized transactions. The goal is very different from stopping an attack in progress. Rather, the objective is to save the organization both time and money by stopping a suspicious business activity before it is completed.

CTM comes with significant out-of-the-box functionality for industry, regulatory and accounting best-practices. These core analytics do more than just baseline "normal" activity and identify that something might be wrong. CTM details why individual transactions and patterns of transactions don't make sense, from both an accounting and regulatory point of view.

However essential it might be, no network security program will ever be 100% effective, 100% of the time. Given this inevitability, CTM's real-time focus on financial transactions makes it a flexible, cost-effective means to protect against financial fraud, error and misuse. Its value is especially apparent when compared to building ever-higher online fences and more stringent network security requirements. CTM is something different - a powerful financial platform that also represents the final layer in the security puzzle.

Oversight Systems' software continuously analyzes transaction data to deliver real-time insights that drive smarter, faster decisions across the enterprise.
