Continuous Transaction Monitoring (CTM) protects financial integrity, even when network security inevitably fails

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Everyone's seen the headlines. TJX. RSA. Playstation Network. Symantec. Major corporations with massive investments in network security reduced to public ridicule and expensive liability by hackers. Even governments aren't immune, as proven by online vigilantes like Wikileaks and Anonymous.


It's no longer a question of if network security is going to be circumvented. It's a question of how often - and how much it's going to cost to clean up the mess. When that happens, how does a company ensure that its financial transactions - arguably its most essential digital resource - maintain their accuracy and integrity?

Ironically, financial transactions themselves carry the essential information that can make them impervious to attack, even when security measures fail. The solution comes from a relatively little-known but rapidly growing technology called Continuous Transaction Monitoring (CTM).

What Your Transactions Can Tell You

CTM automatically extracts key transaction information from ERP systems across the enterprise. This data is kept in a secure, independent data warehouse so consistent analyses can take place across disparate systems. These systems are often managed by an outside party to minimize the risk that a compromised user account can tamper with the CTM data.

CTM applies multiple forensic techniques to each transaction as it is executed. These ongoing, real-time analytics give line managers and senior executives plain-language insight into improper or fraudulent transactions, which in turn enables immediate response to complex, rapidly changing attack scenarios. Business process owners can connect high-level trends to the root cause underlying unexpected results without having to wait for reconciliations or audits.

The technology is used for a wide variety of financial needs, such as monitoring purchase cards or travel and expense programs for fraud or misuse, eliminating duplicate or improper payments, or tracking regulatory and corporate compliance.

However, CTM's advanced analytics also enable more sophisticated uses. In one example, a CFO wanted to connect the identification of high-risk vendors and suspicious transactions with the ability to recognize potential Foreign Corrupt Practices Act (FCPA) liability situations.

CTM's analytics recognized patterns that only occur at the transaction level so that seemingly unrelated events could be identified and rectified before they became crises. One manager rather than four now handles initial review and escalation for high-risk situations, and the company overall responds daily to FCPA risks that previously couldn't be identified until months after the fact - if ever.

Another company uses a nearly identical CTM platform for a very different purpose. This organization suspected that the same items were being purchased in similar quantities at significantly different prices. However, every purchasing manager was operating within corporate controls and policy. The company knew it was overspending, but it couldn't tell where or by how much.

Using CTM, this company now finds better deals before orders are executed. Every line item on a purchase order is automatically analyzed against similar SKUs - even ones originating in nominally incompatible systems. Opportunities to secure better prices get directed to purchasing managers automatically - before the purchase order is issued to the vendor. Equally important, the CFO receives ongoing reports into vendor contract compliance and areas where the company can negotiate better deals.

While CTM is not a network security technology, it provides an essential security function. Data is always at risk, whether accessed at the network, database or application level. However, the patterns behind improper transactions are consistent. Vendor numbers don't match. Multiple purchases at just under the allowed limit show intentional attempts to circumvent spending limits. The list of patterns that can be recognized once CTM analytics have been applied is almost limitless.

As a result, CTM protects transactions themselves, rather than the hardware, software or networks used to store and transport them. Data extraction and analysis take place on separate systems away from core ERP applications, which makes it very difficult for any criminal to access or alter the process. It doesn't matter if a hacker is using a fake identity, if a legitimate user's system has been compromised by spearphishing or social engineering, or if an intruder has gained access to sensitive systems. The improper transactions will be found and fixed before cash leaves the premises.

CTM vs. IDS and SIEM

Given that CTM acts much like an online burglar alarm, correlating suspicious events and activities and drawing attention to anomalies and unexpected results, it's inevitable that it gets compared to intrusion detection system (IDS) and security information and event management (SIEM) applications. Any similarities, however, are superficial.

For example, IDS and SIEM measure traffic as it travels across the wire, typically with some degree of packet content inspection. All network traffic is monitored - up to 10,000,000 packets per second on a 10 Gigabit Ethernet network. As a result, IDS/SIEM applications focus on event-handling capacity.

By comparison, financial transaction rates number in the tens of millions per month. However, these transactions are significantly more multi-dimensional than network traffic: purchase orders have line items, and journal entries roll up to sub-ledgers. The tradeoff between rates and data complexity dictates a different type of analytics. Concepts such as unusual amounts, similar addresses, character and word statistics and recurrence analysis are critical for financial transaction analyses.
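To make the transaction-level patterns concrete, here is an added example (not code from the article or from any CTM vendor) that applies three of the checks described above to a constructed set of payment records: the vendor-number mismatch and the near-limit split purchases from the "While CTM is not a network security technology" paragraph, and the recurrence analysis (duplicate payments) named in this one. The approval limit, window and thresholds are assumed values for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample payments (not real data), one row per payment.
# "vendor" is the vendor master id; "invoice_vendor" is the id on the invoice.
TRANSACTIONS = [
    {"id": "T1", "vendor": "V100", "invoice_vendor": "V100", "amount": 4950.00, "date": date(2012, 3, 1), "user": "alice"},
    {"id": "T2", "vendor": "V100", "invoice_vendor": "V100", "amount": 4975.00, "date": date(2012, 3, 2), "user": "alice"},
    {"id": "T3", "vendor": "V100", "invoice_vendor": "V100", "amount": 4990.00, "date": date(2012, 3, 3), "user": "alice"},
    {"id": "T4", "vendor": "V200", "invoice_vendor": "V201", "amount": 1200.00, "date": date(2012, 3, 3), "user": "bob"},
    {"id": "T5", "vendor": "V300", "invoice_vendor": "V300", "amount": 830.50, "date": date(2012, 3, 4), "user": "carol"},
    {"id": "T6", "vendor": "V300", "invoice_vendor": "V300", "amount": 830.50, "date": date(2012, 3, 4), "user": "carol"},
    {"id": "T7", "vendor": "V400", "invoice_vendor": "V400", "amount": 250.00, "date": date(2012, 3, 5), "user": "dave"},
]

APPROVAL_LIMIT = 5000.00      # assumed single-approver spending limit
NEAR_LIMIT_FRACTION = 0.95    # "just under the limit" means >= 95% of it
SPLIT_WINDOW_DAYS = 7         # assumed window for split-purchase detection
SPLIT_MIN_COUNT = 3           # how many near-limit payments trigger a flag

def vendor_mismatches(txns):
    """Flag payments whose invoice vendor differs from the vendor master."""
    return [t["id"] for t in txns if t["vendor"] != t["invoice_vendor"]]

def duplicate_payments(txns):
    """Recurrence check: the same vendor paid the same amount more than once."""
    seen = defaultdict(list)
    for t in txns:
        seen[(t["vendor"], t["amount"])].append(t["id"])
    return [ids for ids in seen.values() if len(ids) > 1]

def split_purchases(txns, limit=APPROVAL_LIMIT):
    """Flag a user paying one vendor several times just under the approval
    limit within a short window, the classic limit-circumvention pattern."""
    groups = defaultdict(list)
    for t in txns:
        if limit * NEAR_LIMIT_FRACTION <= t["amount"] < limit:
            groups[(t["user"], t["vendor"])].append(t)
    flagged = []
    for (user, vendor), ts in groups.items():
        ts.sort(key=lambda t: t["date"])
        span_days = (ts[-1]["date"] - ts[0]["date"]).days
        if len(ts) >= SPLIT_MIN_COUNT and span_days <= SPLIT_WINDOW_DAYS:
            flagged.append((user, vendor, [t["id"] for t in ts]))
    return flagged
```

Each function returns the transaction ids it flagged so a review queue can be built from them; in a real deployment the thresholds would come from policy rather than constants.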

IDS/SIEM applications are truly horizontal in nature. It's the same basic technology for financial service firms, government agencies or consumer goods manufacturers. In short, IDS/SIEM is an IT tool. It does what it's designed to do - recognize and stop a hack or attack in mid-stream. There's no mechanism to identify fraudulent transactions from authorized users accessing authorized servers and applications for malicious ends.

CTM looks specifically for authorized users - or intruders masquerading as authorized users - executing improper or unauthorized transactions. The goal is very different from stopping an attack in progress. Rather, the objective is to save the organization both time and money by stopping a suspicious business activity before it is completed.

CTM comes with significant out-of-the-box functionality for industry, regulatory and accounting best-practices. These core analytics do more than just baseline "normal" activity and identify that something might be wrong. CTM details why individual transactions and patterns of transactions don't make sense, from both an accounting and regulatory point of view.

However essential it might be, no network security program will ever be 100% effective, 100% of the time. Given this inevitability, CTM's real-time focus on financial transactions makes it a flexible, cost-effective means to protect against financial fraud, error and misuse. Its value is especially apparent when compared to building ever-higher online fences and more stringent network security requirements. CTM is something different - a powerful financial platform that also represents the final layer in the security puzzle.

Oversight Systems' software continuously analyzes transaction data to deliver real-time insights that drive smarter, faster decisions across the enterprise.

By Patrick Taylor, CEO of Oversight Systems