Review of WEB ANTIFRAUD v.3, a new version of the anti-fraud system

Mutt

For the IT sector, given the prevalence of online financial systems, the fight against fraudulent schemes is a priority. Many companies that take orders through an online store or other web services end up with losses rather than income as a result of fraudsters' actions. Anti-fraud systems are used to solve such problems, and WEB ANTIFRAUD v.3 is a prime example of a product in this category.

Contents
  • Introduction
  • WEB ANTIFRAUD functionality
  • WEB ANTIFRAUD architecture
  • WEB ANTIFRAUD system requirements
  • Conclusions

Introduction
As is often the case, the development of anti-fraud systems as a class was helped along by an initial impetus in the form of regulatory requirements. In 2003, the Visa payment system issued a standard for monitoring bank card transactions, which described the obligations of system participants to check cases of loss, theft or unauthorized use of information on accounts and data of individual clients. In 2007-2008, the Visa and MasterCard payment systems introduced a rule shifting liability for fraudulent transactions with chip cards to issuing and acquiring banks, which imposes certain obligations on money transfer operators in terms of identifying fraudulent transactions.

The second driving force behind the development and adoption of anti-fraud systems was attacks by cyber fraudsters on remote banking systems, as a result of which many individuals and legal entities lost their funds. Anti-fraud systems therefore help not only to preserve client funds, but also to reduce reputational risks.

The third reason for the growth of the anti-fraud market was the spread of bonus programs, in which new participants were entitled to certain preferences in the form of discounts on goods, services, etc. By registering many bogus accounts, attackers could take advantage of the discounts and bonuses on offer many times over; as a result, the company running the promotion not only failed to earn anything, but incurred losses.

Thus, anti-fraud systems, which started as components for monitoring the processing center, have become full-fledged solutions aimed at combating fraud in its various forms. The well-known anti-fraud system WEB ANTIFRAUD is also evolving, and the next, third, version of this product has recently been released. Reviews of the first and second versions were published earlier. Let's consider what new functionality has appeared in this system.

WEB ANTIFRAUD functionality
Previous versions of WEB ANTIFRAUD implemented the following modules: analysis of the device and browser from which the company's client connects, looking for anomalies; a subsystem that analyzes client behavior for atypical actions; and an anti-Trojan subsystem that protects the target resource from malicious components. The new version of WEB ANTIFRAUD adds information about events registered by the system. Unlike incidents, which are unambiguous attempts at deception, events provide additional information that clarifies the overall picture and helps understand the current level of fraud risk. Examples of events are described below.

Risks of the environment from which the user comes
The standard set of devices for accessing an account is a computer and a smartphone. Additional devices may be present, but they are used much less often. Logging in from a new device carries the risk of account hijacking, so information about the new device is added to the events for further analysis.

Event in the WEB ANTIFRAUD v.3 system: login from a new device
WEB ANTIFRAUD "highlights" not only the use of a new device, but also related parameters such as the user's location, connection characteristics, etc.

Overview of the user in the WEB ANTIFRAUD v.3 system
Clearing cookies after a session can also be attributed to environmental risks: users rarely clear storage contents themselves. If the cleanup was done manually, that too is an event that deserves attention.

Event in the WEB ANTIFRAUD v.3 system: clearing cookies

Identification of anomalies in language, time and location
One method of deception is "antidetect": the use of browser emulators that imitate different hardware platforms, device types, etc. WEB ANTIFRAUD detects potential signs of such emulators, for example a language mismatch, where different browser parameters report different languages as the primary one. This can happen if a change of language in the browser was not applied in every place.

Event in the WEB ANTIFRAUD v.3 system: using the browser emulator
Much attention is paid to time zone consistency. The time zone of the IP address is compared with that of the browser (a mismatch can reveal the use of a proxy); the time zone names reported by the browser and derived from the IP address must be identical (for example, "UTC+03:00, Moscow, St. Petersburg"); and the daylight saving time settings of the browser and of the IP address's zone are compared (they may differ when a proxy is used).

Event in the WEB ANTIFRAUD v.3 system: time zone mismatch
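The language and time zone checks described above, as an added example that is not WEB ANTIFRAUD's code: a page script is assumed to have collected the browser's Intl time zone name, its winter and summer UTC offsets, navigator.language, the Accept-Language header and the Intl locale, and the backend is assumed to have resolved the IP address to a time zone; all sample values are constructed.

```javascript
// Added example, not WEB ANTIFRAUD code: raise events when the browser's time zone,
// DST behaviour or language disagree with what the connection's IP address implies.
// `browserReport` stands for values a page script would collect; `ipGeo` stands for
// the backend's IP geolocation result. Both are constructed sample data here.

// UTC offset, in minutes east of UTC, of IANA zone `tz` at instant `date`, via Intl.
function zoneOffsetMinutes(tz, date) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone: tz, hourCycle: 'h23', year: 'numeric', month: '2-digit',
    day: '2-digit', hour: '2-digit', minute: '2-digit', second: '2-digit',
  }).formatToParts(date);
  const p = Object.fromEntries(parts.map(x => [x.type, x.value]));
  const wallClockAsUtc = Date.UTC(+p.year, +p.month - 1, +p.day, +p.hour, +p.minute, +p.second);
  return Math.round((wallClockAsUtc - date.getTime()) / 60000);
}

const WINTER = new Date(Date.UTC(2024, 0, 15, 12));
const SUMMER = new Date(Date.UTC(2024, 6, 15, 12));

function environmentEvents(browserReport, ipGeo) {
  const events = [];
  const ipWinter = zoneOffsetMinutes(ipGeo.timeZone, WINTER);
  const ipSummer = zoneOffsetMinutes(ipGeo.timeZone, SUMMER);
  // 1. Zone names must be identical (the "UTC+03:00, Moscow, St. Petersburg" rule).
  if (browserReport.timeZone !== ipGeo.timeZone) {
    events.push({ type: 'tz_name_mismatch', browser: browserReport.timeZone, ip: ipGeo.timeZone });
  }
  // 2. Browser offset vs. IP offset: a disagreement points at a proxy between user and site.
  if (browserReport.offsetWinter !== ipWinter) {
    events.push({ type: 'tz_offset_mismatch', browser: browserReport.offsetWinter, ip: ipWinter });
  }
  // 3. DST behaviour: a zone that shifts in summer vs. one that does not.
  const browserDst = browserReport.offsetWinter !== browserReport.offsetSummer;
  const ipDst = ipWinter !== ipSummer;
  if (browserDst !== ipDst) events.push({ type: 'dst_mismatch', browser: browserDst, ip: ipDst });
  // 4. Language: navigator.language, Accept-Language and Intl locale should share a base language.
  const base = s => String(s || '').split(/[-,;]/)[0].toLowerCase();
  const langs = new Set([browserReport.navigatorLanguage, browserReport.acceptLanguage,
                         browserReport.intlLocale].map(base));
  if (langs.size > 1) events.push({ type: 'language_mismatch', languages: [...langs] });
  return events;
}

// Constructed: a browser that says Moscow while the IP resolves to Berlin, and whose
// Accept-Language was left in English after the browser UI was switched to Russian.
const SUSPECT = environmentEvents(
  { timeZone: 'Europe/Moscow', offsetWinter: 180, offsetSummer: 180,
    navigatorLanguage: 'ru-RU', acceptLanguage: 'en-US,en;q=0.9', intlLocale: 'ru-RU' },
  { timeZone: 'Europe/Berlin' });
```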
The WEB ANTIFRAUD user can also designate the countries its clients may come from. If a user from another country tries to access the system, this fact is recorded as an event.

Event in the WEB ANTIFRAUD v.3 system: access from a "different" country
To simplify analysis, the user sessions section aggregates all visits for a given account together with the set of pages, actions, incidents and events for each session.

Information about user sessions displayed in the WEB ANTIFRAUD v.3 system
For the visited pages, a visualization of user actions is available, including all cursor movements or touch-screen interactions, as well as form filling (with the entered data masked as "*").

Visualization of user actions in the WEB ANTIFRAUD v.3 system

Other signs designated as events
WEB ANTIFRAUD detects the use of browsers in incognito mode through deep technical analysis. Enabling this mode does not by itself prove an intention to evade tracking, but it is an indirect indicator.

Event in the WEB ANTIFRAUD v.3 system: using the browser in incognito mode
The anti-fraud system determines whether a user's IP address belongs to the TOR network, whose classic use is proxying traffic.

Event in the WEB ANTIFRAUD v.3 system: the use of TOR networks
WEB ANTIFRAUD also detects an open developer console in the browser. This tool is often used to find out how a client's site works, and it can be used, among other things, to prepare attacks on the site (automating requests, intercepting data). The updated version of WEB ANTIFRAUD also analyzes connections, including taking their fingerprints, which makes it possible to detect the use of VPN tunnels or similar tools. A VPN can serve not only to organize employee access, but also to hide the real address of the computer from which the user visits the site.

Analysis of connections carried out by the WEB ANTIFRAUD v.3 system
Sometimes the connection is made from an operating system different from the one indicated by the browser. This often happens when a proxy server is used, which is an indirect sign of a fraud attempt.

Event in the WEB ANTIFRAUD v.3 system: operating system differs from the one reported by the browser
Another potential sign of a proxy server being used to access a resource is a device uptime that changes implausibly. Most devices have an internal timer that starts at power-up and is used when establishing each connection to a site. If it changes in a way that no sequence of events can explain, that is a sign of a proxy. For example, yesterday the uptime since power-on was 1 day, and the next day it is already 10 days.

Event in the WEB ANTIFRAUD v.3 system: implausible device uptime
In addition to the browser and connection fingerprints, an operating system fingerprint has been added, which allows activity in different browsers on the same system to be combined. This addition also makes it possible to detect anomalies in device behavior and prevent fraudulent activity.
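The uptime consistency check described above, as an added example that is not WEB ANTIFRAUD's code: it assumes the per-visit uptime value (seconds since power-on) has already been extracted from the connection, and the observations it is run on are constructed.

```javascript
// Added example, not WEB ANTIFRAUD code: decide whether a device's reported uptime
// between two visits is physically possible. It assumes the per-visit uptime (seconds
// since power-on) has already been extracted from the connection. Units: seconds.
const SLACK_S = 600; // allowance for sampling jitter and clock drift (constructed value)

// prev/curr: { seenAt: unix seconds of the visit, uptime: device uptime at that visit }
// Returns null when the pair is consistent, otherwise an event object.
function uptimeEvent(prev, curr) {
  const elapsed = curr.seenAt - prev.seenAt;
  if (elapsed < 0) throw new RangeError('observations must be in chronological order');
  // Work with the implied boot instant: visit time minus uptime.
  const prevBoot = prev.seenAt - prev.uptime;
  const currBoot = curr.seenAt - curr.uptime;
  // Case A: same power-on, so the uptime grew by exactly the elapsed wall-clock time.
  if (Math.abs(currBoot - prevBoot) <= SLACK_S) return null;
  // Case B: the device rebooted after the previous visit, so the new boot instant lies after it.
  if (currBoot >= prev.seenAt - SLACK_S) return null;
  // Anything else cannot happen on one physical device: either the uptime grew faster than
  // time itself (the "1 day yesterday, 10 days the next day" case) or it dropped to a value
  // that still implies a boot before the previous visit.
  return {
    type: 'uptime_inconsistent',
    reason: curr.uptime > prev.uptime + elapsed + SLACK_S
      ? 'uptime grew faster than wall clock' : 'uptime fell but implies boot before last visit',
    elapsed, prevUptime: prev.uptime, currUptime: curr.uptime,
  };
}

// Constructed observations one day apart (86400 s).
const YESTERDAY = { seenAt: 1700000000, uptime: 86400 };   // up for 1 day
const JUMP      = { seenAt: 1700086400, uptime: 864000 };  // claims 10 days: impossible
const NORMAL    = { seenAt: 1700086400, uptime: 172800 };  // 2 days: consistent
const REBOOTED  = { seenAt: 1700086400, uptime: 3600 };    // rebooted an hour ago: consistent
```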

Operating system fingerprint determined by the WEB ANTIFRAUD v.3 system when searching for linked accounts
The updated version of WEB ANTIFRAUD also includes session control, which protects a session from being intercepted and transferred to another device. An attacker could copy data from the user's browser storage into their own browser to appear as the real user; for example, this could be the session identifier stored in cookies. Sites often trust this data and do not ask for additional checks. WEB ANTIFRAUD reports such cases of data transfer between different devices.

Event in the WEB ANTIFRAUD v.3 system: data transfer between different devices
Another new feature of WEB ANTIFRAUD is protection against replay attacks, in which old requests are sent again. Some sites, and even anti-fraud systems, can be deceived by repeating previously made requests whose data the site now considers trusted, thereby bypassing protection. WEB ANTIFRAUD uses proven and reliable measures against replay attacks: timestamps (the data has a short lifetime, so by the time an attacker repeats the request it has expired) and nonces ("number used once"), so that a request carrying a given nonce can be accepted only once. When the same request is sent again, an event is generated.

Event in the WEB ANTIFRAUD v.3 system: resending a request
In the third version of the WEB ANTIFRAUD system, attention was also paid to users who have JavaScript disabled in their browser or who actively resist analysis of their activity. They now appear in statistics, together with the limited set of data that can still be obtained about them, given that the system does not run in such users' browsers.

Event in the WEB ANTIFRAUD v.3 system: a user with disabled JavaScript
The system pays special attention to so-called "antidetects". As mentioned above, these are emulators or modified browsers used to commit fraud. WEB ANTIFRAUD differs from comparable products in that it thoroughly analyzes the technical properties of the browser and checks them against standard values. Even a small change in these properties lets the system recognize such a browser modification.

Incident in the WEB ANTIFRAUD v.3 system: antidetect detection
In the new version of the system, device fingerprinting has been significantly improved, becoming both more accurate and more flexible. The more parameters a fingerprint contains, the more likely it is that one of them will change and, because of that, the entire fingerprint will change. The anti-fraud system detects minor changes in these parameters (they can occur, for example, when the browser is updated) and merges the new fingerprint with the previously obtained one.

Event in the WEB ANTIFRAUD v.3 system: changing the device fingerprint
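The fingerprint merging logic described above, as an added example that is not WEB ANTIFRAUD's code: a weighted comparison of fingerprint components that merges a fresh fingerprint into the stored one when only routinely changing components differ or when enough weight still matches. Component names, weights, the threshold and the sample fingerprints are constructed.

```javascript
// Added example, not WEB ANTIFRAUD code: decide whether a freshly computed device
// fingerprint is a minor variation of a stored one (merge and raise a
// "fingerprint changed" event) or belongs to a different device. Component names,
// weights, threshold and sample fingerprints are constructed for illustration.
const WEIGHTS = { screen: 3, platform: 3, hardwareConcurrency: 2, deviceMemory: 2,
                  timeZone: 2, languages: 2, fonts: 3, canvas: 3, uaVersion: 1, plugins: 1 };
// Components that routinely change on a browser update; drift confined to these is merged.
const VOLATILE = new Set(['uaVersion', 'plugins']);
const MERGE_THRESHOLD = 0.85;  // weighted share of components that must still match

function compareFingerprints(stored, fresh) {
  let total = 0, matched = 0;
  const changed = [];
  for (const [key, weight] of Object.entries(WEIGHTS)) {
    total += weight;
    if (stored[key] === fresh[key]) matched += weight; else changed.push(key);
  }
  const similarity = matched / total;
  // Identical fingerprints pass the first test trivially (nothing changed).
  const merge = changed.every(k => VOLATILE.has(k)) || similarity >= MERGE_THRESHOLD;
  let event = null;
  if (!merge) event = 'new_device';
  else if (changed.length > 0) event = 'fingerprint_changed';
  return { merge, similarity, changed, event };
}

// Apply the decision: a merge keeps the stored identity but records the new component values.
function reconcile(store, deviceId, fresh) {
  const verdict = compareFingerprints(store[deviceId], fresh);
  if (verdict.merge) store[deviceId] = { ...store[deviceId], ...fresh };
  return verdict;
}

// Constructed sample fingerprints (component values are opaque hashes or strings).
const STORED = { screen: '1920x1080x24', platform: 'Win32', hardwareConcurrency: '8',
  deviceMemory: '8', timeZone: 'Europe/Moscow', languages: 'ru-RU,ru,en-US',
  fonts: 'f1a2b3', canvas: 'c4d5e6', uaVersion: '122.0', plugins: 'p7f8' };
const AFTER_UPDATE = { ...STORED, uaVersion: '123.0', plugins: 'p9a1' };   // merge + event
const OTHER_DEVICE = { ...STORED, screen: '390x844x32', platform: 'iPhone',
  fonts: 'z9y8', canvas: 'x7w6', uaVersion: '17.4' };                      // new device
```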
Detecting robots (bots) is another labor-intensive task performed by WEB ANTIFRAUD. Robots are identified by their technical characteristics and by their behavior. Not only off-the-shelf robots are detected, but also ones modified to evade anti-fraud systems. Behavioral detection becomes relevant when all such technical differences from a regular browser are hidden, yet the program's logic still differs greatly from the actions of an ordinary person. The algorithms built into WEB ANTIFRAUD find these differences and successfully identify robots.

Incident in the WEB ANTIFRAUD v.3 system: detection of a robot program
The dashboard has seen big changes. It has gained the following features: search, comments on accounts, detailed information about a user and their sessions, reports, data for integration, and convenient switching between a client's campaigns.

General view of the dashboard

Reporting system in WEB ANTIFRAUD v.3
The system's capabilities for finding linked accounts have been updated. Individual campaigns (sites) are now linked into a common network, and a search for linked accounts now covers all accounts across the sites belonging to the same client.

Definition of linked accounts by the WEB ANTIFRAUD v.3 system
Finding linked accounts is useful against multiple account registrations by one person (for example, to collect bonuses on a site or prizes in a promotion) and against one person managing several accounts (for example, to move funds between accounts held by nominee owners). Identifying such links therefore helps combat money laundering as well as bonus hunting on promotional sites and bonus services. Accounts can be linked in different situations by setting a unique label in the browser, by fingerprints of the browser, operating system and connection, and by searching for links by IP address, network address, and the local and global IP addresses obtained via WebRTC.

One example is the connection between clearing storage and using incognito mode in the browser: in incognito mode, a browser instance is launched with clean storage (cookies, local storage, cache and others). There are many other ways in which linked accounts are identified: a change of IP address (deliberate use of a proxy on the device, or an involuntary change after rebooting the router or reconnecting to the Internet); different devices connecting to the Internet through one router; clearing storage together with a change of IP address; using a different browser on the same device; changing browser properties (for example, the User-Agent value).

The last of these additionally triggers an "emulator" incident. The label deserves separate mention, as it serves as a reliable link between different accounts. It is easy to delete by clearing browser storage, but first, if storage is cleared manually, the system will notice and create a corresponding event, and second, after clearing, the label is automatically restored from indirect signs of the environment collected by the system.

WEB ANTIFRAUD architecture
The WEB ANTIFRAUD system consists of the following blocks, which together make it effective:
  • Device analysis unit. Through in-depth analysis of the devices from which users connect, various anonymization and fraud tools are identified: proxy servers, the TOR browser, robots, antidetects and others.
  • Behavior analysis unit. With this block the system detects non-standard user behavior and compares it with the behavior of fraudsters. The behavior analysis unit does not require access to the information entered, which keeps the transmitted data confidential; it uses only metadata (for example, whether a letter or a digit was pressed, the speed of mouse clicks, etc.).
  • Trojan detection unit, responsible for checking connected devices for injected malicious code and for remote control of an infected device for the purpose of fraud.
  • A block for finding linked accounts that may be used for fraud and even money laundering.

WEB ANTIFRAUD system requirements
WEB ANTIFRAUD is provided by the vendor under a SaaS (software as a service) model, so customers do not need to purchase or rent computing power. All that is required of a company using the system is to connect the protected resource to WEB ANTIFRAUD and assign an employee to analyze the information that arrives in the analytics panel. Connecting the system is very simple: JavaScript code is added to the significant pages of the site, and the site's backend is connected to the system's API. WEB ANTIFRAUD does not require access to the resource's internal infrastructure or databases, which matters given many companies' distrust of external services.

Conclusions
The updated version of WEB ANTIFRAUD has become much more effective at detecting fraud attempts. Deep technical analysis of the properties of users' devices, regardless of platform, allows fraudsters to be detected at the early stages of their operations and the resource owner's financial losses from deception to be minimized. An important point is that WEB ANTIFRAUD requires neither deployment in the customer's infrastructure nor analysis of the entered data; thus, the potential for information leakage through this system is eliminated. The development of the architectural modules shows that the maker of WEB ANTIFRAUD follows the main trends and adapts the product to them, making it possible to identify potential threats proactively.

Advantages:
+ The new category of "events" gives a clearer picture of what is happening and helps assess the risk of fraud.
+ Deep technical analysis of connected devices.
+ Detailing of user actions for each session.
+ Intuitive dashboard.
+ Search for related accounts.

Disadvantages:
- Lack of round-the-clock technical support.
- Inability to integrate with the customer's SIEM system.