Nordic bank fights money launderers with log analytics

The IT team at Lunar created an interface into its log analytics system for the bank's fraud investigators, which helped uncover specific data about questionable accounts.

A Danish bank's IT platform team gave business users a direct view into log analytics data, and helped stop suspected criminals from using accounts at the bank for illegal purposes.

Lunar, a digital financial services company based in Denmark, was founded in 2015. It has 200,000 customers in Nordic countries, including Sweden and Norway. In 2019, it was granted a digital banking license, allowing it to offer more services but also raising the cybersecurity stakes for its business.

Meanwhile, the IT team at Lunar had built a set of Kubernetes clusters on AWS to run the bank's approximately 150 microservices applications. As it designed and tested that infrastructure in 2017, the team used ElasticSearch and Kibana for monitoring but struggled with the complexity of the Elasticsearch query language. By the time it rolled out Kubernetes in production in 2018, the Lunar IT team had replaced the Elasticsearch system with log analytics tools from Humio.

"Doing things the way we were used to in a terminal was very appealing from a developer perspective," said Kasper Nissen, lead platform architect at Lunar. "We were shifting left, scaling microservices and trying to create an autonomous [developer] organization -- but that required tools developers actually wanted to use."

Kasper Nissen, LunarKasper Nissen

Humio also differed from Elasticsearch because it didn't require a data schema, or organization system, to sort logs as they were ingested. Instead, Humio operates without a predetermined schema, and uses streaming analytics to assess log data from various sources as it comes in, which makes searching for logs later flexible and easy to do, Nissen said.

"Without knowing [database] fields upfront, you can create [a search] and shape the logs as you need them," he said. "You can push logs into different repositories within Humio, but then create a unified view and alerts on top for specific target groups, like auditors."

Log analytics data helps police bust criminals

In 2020, groups using Humio expanded to include Lunar's fraud investigators, including the anti-money laundering team. The collaboration between that team and IT began mid-year, when senior anti-money laundering specialist Cathrin Zimakoff ran into one of the company's software engineers at their office coffee machine.

Zimakoff joined the company in June 2020, with a background in law enforcement. She knew IP addresses, among other data, would be helpful for police investigators in tracking down digital financial fraud. She asked the IT team if they could help her find that information.

"Every time a customer logs in to our app, we log the data around the specific [device] used, and also the IP address," Zimakoff said. "But from that thought ... to actually implementing it in daily work with a whole other department was a little journey we had to make."

The IT team found Humio's query language easy to use but knew inexperienced business users would need guidance. Nissen's team created a set of safe queries for Zimakoff's team, so they could track down suspicious behavior and forward that information to Danish police.

You can push logs into different repositories within Humio, but then create a unified view and alerts on top for specific target groups, like auditors.
Kasper NissenLead platform architect, Lunar

In late 2020, Humio engineers also stepped in to help Lunar create a graphical dashboard to display data for the fraud investigation teams. A series of widgets allowed them to add parameters to their queries and dynamically filter results.

When data from other financial security systems flags financial fraud, Zimakoff's team uses this dashboard to seek out specific information about the suspicious account's activities, such as which IP addresses it used for what transactions and when.

"With this, we speed up the investigation, by giving the police this data, which we can get more quickly than they can going through the legal process with warrants," Zimakoff said. "We can do that in two minutes."

At least one fraud ring was identified and its funds seized in January as the result of this work, but Zimakoff declined to disclose any further details about how the log analytics collaboration has contributed to specific investigations. The Humio system has been used in 50% to 70% of all fraud investigations since its inception, she said, but declined to specify how many investigations that represents.

Greenfield apps ease business collaboration

Lunar's IT team could theoretically have built a similar system using another log analytics product, but Humio's flexible query language has made it relatively easy to create a data visualization system a nontechnical user can interpret, Nissen said.

"[Our fraud investigators] come from different established banks and say they've never seen anything like it," he said.

Another key factor in the success of the project is that Lunar is a digital-native company without legacy apps to worry about as it investigates potential fraud, Zimakoff said.

"It's only possible because Lunar is a new digital bank, with a culture that embraces new ways of doing things and no old systems to modernize," she said.

Officials at Humio, which was acquired by IT security vendor CrowdStrike in February, stopped short of saying they will make this dashboard into a product offered to other customers. They did say it's under consideration.

"I'm not sure we'd create something this specific in relation to money laundering, but everything we build, we'd like to make generic," Humio chief revenue officer Morten Gram said.

Next Steps

FBI used encrypted Anom app in international crime bust

Dig Deeper on IT systems management and monitoring

Software Quality
App Architecture
Cloud Computing
Data Center