
Caught Red Handed…. Using Splunk to Catch Retail Theft Rings

According to the National Retail Federation, retail theft costs U.S. companies $30 billion a year, with “professional/habitual shoplifters” responsible for 10% (about $3 billion) of all retail theft. And the problem is only getting worse, with losses increasing at 7% year over year.

How can you defend yourself against these losses?

In this blog post, we discuss how you can use Splunk to monitor your DHCP data and determine whether people connected to your public Wi-Fi are increasing your risk.

Theft words heatmap

Splunk makes it easy to turn something as simple as a MAC address and/or hostname into a valuable fingerprint so you can identify a perpetrator in your midst.

Working in conjunction with our customer’s Loss Prevention team, we created a dashboard that can track in near real time whether an active shoplifting ring is operating within certain stores. We did this by tracking when the same MAC address was discovered in multiple stores during periods of known thefts.

Step 1: Who is in the Store?

First, we need to isolate DHCP ACKs and requests from the guest Wi-Fi range. The point here is to discard as much data as you can up front so the search runs faster.

Then, if we capture a device as the src, we simply relabel it as the dest. It doesn’t matter which side initiated the exchange; we only need to know that contact was made. This also makes things easier going forward, as we carry one less column in our results.

Wrapping up, we do all our lookup correlation: CIDR range to store number, store number to city and state (or province), and then, for lat/long data, location to a geocoordinate.

To make the data look clean, we table it so that only the fields we want are summary indexed.
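As an added illustration (not code from the original post or from SP6), the following Python reproduces the Step 1 pipeline outside Splunk: keep only DHCP ACKs and REQUESTs, put the client’s MAC in a single field whether it appeared as sender or receiver, map the leased IP to a store via a CIDR lookup, join the store’s location, and emit the columns a summary index would hold. The log layout (modeled on ISC dhcpd-style lines), the guest CIDR blocks, store numbers and coordinates are all constructed assumptions; the real field names depend on the DHCP server feeding Splunk.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample, modeled on ISC dhcpd-style log lines (assumption).
# One ACK/REQUEST pair for a guest device, a guest ACK with no hostname,
# a corporate-range lease that must be dropped, and a DISCOVER to ignore.
SAMPLE_DHCP_LOG = """\
2023-05-01T10:02:11Z dhcpd: DHCPACK on 10.50.1.23 to aa:bb:cc:dd:ee:01 (android-phone) via eth0
2023-05-01T10:02:12Z dhcpd: DHCPREQUEST for 10.50.1.23 from aa:bb:cc:dd:ee:01 (android-phone) via eth0
2023-05-01T10:03:40Z dhcpd: DHCPACK on 10.50.2.40 to aa:bb:cc:dd:ee:02 via eth0
2023-05-01T10:04:00Z dhcpd: DHCPACK on 10.10.0.5 to aa:bb:cc:dd:ee:99 (pos-terminal) via eth0
2023-05-01T10:05:00Z dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:03 via eth0
"""

# Stand-ins for the Splunk lookups the post describes (CIDR -> store number,
# store number -> location). All values are constructed.
GUEST_CIDR_TO_STORE = {
    ipaddress.ip_network("10.50.1.0/24"): "0101",
    ipaddress.ip_network("10.50.2.0/24"): "0102",
}
STORE_TO_LOCATION = {
    "0101": {"city": "Tampa", "state": "FL", "lat": 27.95, "lon": -82.46},
    "0102": {"city": "Orlando", "state": "FL", "lat": 28.54, "lon": -81.38},
}

# Only ACKs and REQUESTs are kept. In an ACK the client is the "to" side,
# in a REQUEST it is the "from" side; both land in the same named group.
DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: (?P<msg>DHCPACK|DHCPREQUEST) (?:on|for) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcp_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of an ACK/REQUEST line, or None for any other message."""
    m = DHCP_RE.match(line)
    if not m:
        return None
    return {
        "time": m["ts"],
        "msg": m["msg"],
        "ip": m["ip"],
        # Whichever side the device was on (src or dest), it ends up in one field.
        "client_mac": m["mac"].lower(),
        "hostname": m["host"] or "",
    }


def store_for_ip(ip: str) -> Optional[str]:
    """CIDR lookup: leased address -> store number, or None if not guest Wi-Fi."""
    addr = ipaddress.ip_address(ip)
    for net, store in GUEST_CIDR_TO_STORE.items():
        if addr in net:
            return store
    return None


def enrich(lines: List[str]) -> List[Dict[str, object]]:
    """Step 1 end to end: filter, normalise the MAC field, correlate the
    lookups, and shape exactly the columns that would be summary indexed."""
    rows = []
    for line in lines:
        rec = parse_dhcp_line(line)
        if rec is None:
            continue
        store = store_for_ip(rec["ip"])
        if store is None:  # not in the guest range: weed it out early
            continue
        loc = STORE_TO_LOCATION[store]
        rows.append({
            "time": rec["time"],
            "client_mac": rec["client_mac"],
            "hostname": rec["hostname"],
            "store": store,
            "city": loc["city"],
            "state": loc["state"],
            "lat": loc["lat"],
            "lon": loc["lon"],
        })
    return rows


if __name__ == "__main__":
    for row in enrich(SAMPLE_DHCP_LOG.splitlines()):
        print(row)
```

Running it yields three rows: two for the guest phone (its ACK and its REQUEST both attributed to the same client_mac) and one for the second guest device; the POS terminal on the corporate range and the DISCOVER never reach the output, which is the data reduction Step 1 is after.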

Step 2:  Correlating known Thefts to Individuals

The dashboard we designed for the loss prevention team lets an investigator enter the dates of known thefts they believe to be related. Commonalities they might look for include the description of the suspects, the items stolen, or the method used to remove items from the store. The goal is to find a device common to the cases.

Once the investigator finds a potential culprit, they can refine the search by correlating the time the items were stolen with the time the device was active and pinging a store access point. The goal is to isolate a MAC address that was present during multiple events.

Step 3:  You’re on the List!

Once a device has been found present at an unusually high number of known thefts, it is identified as a probable bad actor: it goes on a list, and an alert is created for that specific MAC address.

Step 4: Getting the Results to the Right People

With the alert running every 5 minutes, we compare the suspicious MAC list to the MACs currently active in the stores.

If a suspicious MAC address is active within a given store, a notification is sent to the on-site loss prevention team, alerting them to watch for suspicious activity.
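Steps 2 through 4 together, as an added example that is not part of the original post or SP6’s dashboard: given summary rows of the shape Step 1 produces (time seen, client MAC, store), count for each MAC how many distinct investigator-entered incidents it was present at, put devices over a threshold on the watchlist, and then run the 5-minute comparison of the watchlist against recently active MACs. The rows, incident windows, threshold and 10-minute padding around each incident (DHCP leases are renewed periodically, not continuously, so a device seen just before or after the window was very likely on site) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed summary-index rows: (time seen, client MAC, store number).
SUMMARY_ROWS = [
    ("2023-05-01T14:05:00", "aa:bb:cc:dd:ee:01", "0101"),
    ("2023-05-01T14:06:00", "aa:bb:cc:dd:ee:07", "0101"),
    ("2023-05-01T14:20:00", "aa:bb:cc:dd:ee:02", "0101"),
    ("2023-05-03T11:02:00", "aa:bb:cc:dd:ee:01", "0102"),
    ("2023-05-03T11:10:00", "aa:bb:cc:dd:ee:07", "0102"),
    ("2023-05-03T18:00:00", "aa:bb:cc:dd:ee:02", "0102"),  # right store, hours later
    ("2023-05-05T16:03:00", "aa:bb:cc:dd:ee:01", "0101"),
    ("2023-05-05T16:04:00", "aa:bb:cc:dd:ee:05", "0103"),  # right time, wrong store
    # rows that only matter for the "live" alert check below
    ("2023-05-09T09:58:00", "aa:bb:cc:dd:ee:01", "0102"),
    ("2023-05-09T09:30:00", "aa:bb:cc:dd:ee:07", "0101"),
]

# Constructed incidents as the investigator would enter them: (store, start, end).
INCIDENTS = [
    ("0101", "2023-05-01T14:00:00", "2023-05-01T14:30:00"),
    ("0102", "2023-05-03T11:00:00", "2023-05-03T11:20:00"),
    ("0101", "2023-05-05T16:00:00", "2023-05-05T16:15:00"),
]

Row = Tuple[str, str, str]


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def devices_present(rows: List[Row], store: str, start: str, end: str,
                    pad: timedelta = timedelta(minutes=10)) -> Set[str]:
    """MACs seen at `store` during the incident window, widened by `pad` on
    both sides because a lease renewal is only a periodic sign of presence."""
    lo, hi = _t(start) - pad, _t(end) + pad
    return {mac for ts, mac, st in rows if st == store and lo <= _t(ts) <= hi}


def correlate(rows: List[Row], incidents) -> Dict[str, int]:
    """Step 2: per MAC, the number of distinct incidents it was present at."""
    hits = defaultdict(set)
    for idx, (store, start, end) in enumerate(incidents):
        for mac in devices_present(rows, store, start, end):
            hits[mac].add(idx)
    return {mac: len(ids) for mac, ids in hits.items()}


def build_watchlist(counts: Dict[str, int], min_incidents: int) -> Set[str]:
    """Step 3: devices present at `min_incidents` or more known thefts."""
    return {mac for mac, n in counts.items() if n >= min_incidents}


def active_watchlist_devices(rows: List[Row], watchlist: Set[str], now: str,
                             window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str]]:
    """Step 4: the scheduled alert. Compare the watchlist against MACs seen in
    any store within the last `window`; each (mac, store) pair is a notification."""
    cutoff = _t(now) - window
    return sorted({(mac, st) for ts, mac, st in rows
                   if mac in watchlist and cutoff <= _t(ts) <= _t(now)})


if __name__ == "__main__":
    counts = correlate(SUMMARY_ROWS, INCIDENTS)
    watch = build_watchlist(counts, min_incidents=3)
    print("incident counts:", counts)
    print("watchlist:", watch)
    print("alerts:", active_watchlist_devices(SUMMARY_ROWS, watch, now="2023-05-09T10:00:00"))
```

With these inputs, ee:01 is present at all three incidents and ee:07 at two, so a threshold of three puts only ee:01 on the list, and the 10:00 run of the alert reports it active in store 0102. Two caveats worth building into a real deployment: employee and regular-customer devices will also recur across incidents, so subtract a known-device list before alerting; and phones that randomize their Wi-Fi MAC per network (the default on current iOS and Android) will look like a different device in each store, so a hostname captured in the DHCP request can help, and absence of a match is not evidence of absence.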

In summary:

Although it may be impossible to prevent all retail theft, by leveraging Splunk and working in conjunction with the Loss Prevention team, you can take proactive measures to prevent “professional/habitual shoplifters” from taking advantage of your organization, potentially saving your organization millions in lost revenue.

About SP6

SP6 is a Splunk consulting firm focused on Splunk professional services including Splunk deployment, ongoing Splunk administration, and Splunk development. SP6 has a separate division that also offers Splunk recruitment and the placement of Splunk professionals into direct-hire (FTE) roles for those companies that may require assistance with acquiring their own full-time staff, given the challenge that currently exists in the market today.