Intellinx introduces a new dimension in combating internal fraud. By providing unparalleled visibility to end user activity on the application level (rather than on the network/system level), Intellinx enables internal auditors and fraud investigators to visually replay user actions screen by screen, keystroke by keystroke, as if looking over the user’s shoulder. Configurable business rules track user behavior patterns and generate alerts on exceptions in real-time, allowing the internal auditor to immediately zoom in on specific suspects and replay their actions. The alerts may also be used proactively to take action in the operational systems, for example automatically suspending a suspicious user in real-time. This is achieved by integrating Intellinx with the operational system, where an alert generated by Intellinx initiates a “suspend user” action in the operational system.
Intellinx continuously records user activity across multiple applications and platforms across the enterprise, generating a very detailed forensic audit trail. Using the Intellinx online query, the auditor can search, for example, for all the users who accessed a specific account number in a specific time frame across the enterprise. Specific cases can also be investigated by applying new rules to historic recorded data after the fact.
Intellinx tracks user behavior patterns on the application level, triggering alerts on suspicious events in real-time. For example, a bank clerk who searches for high-profile customer information by customer name far more often than other clerks can be detected in real-time by Intellinx business rules. In another example, a user who displayed 500 customer accounts on a specific day, spending only a few seconds on each account, while on average he accesses only 100 customer accounts per day, can be detected in real-time as well. The Intellinx alerts may also be used proactively to take action in the operational systems. For example, an Intellinx alert may initiate a process in the operational system that automatically suspends a suspicious user in real-time.
Intellinx provides full visibility to user activity, generating a detailed audit trail of all user actions including queries and other read-only transactions that typically do not leave any traces in the corporate database or logs. This Intellinx audit trail can be used for online search. If, for example, it becomes known that sensitive information of a specific customer was leaked outside the organization, the investigator can search for all the users who accessed this customer’s information in a specific timeframe across multiple applications and platforms across the enterprise. For each one of the listed users the investigator can visually replay the screens that were used for accessing the customer information, displaying the context in which the customer information was accessed.
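The two capabilities described above, behavioral rules over a field-level audit trail and an after-the-fact search for everyone who touched a given account, are illustrated by the following added example. It is not Intellinx code; the audit trail, the user names, the account numbers and the rule thresholds (a day with more than three times the user’s historical average number of distinct accounts, with a mean dwell time under 10 seconds) are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean


def build_sample_trail():
    """Constructed field-level audit trail (not real captured data).

    Each event records which user displayed which customer account, when, and
    how long the screen stayed up. clerk_a behaves normally for three days
    (100 accounts/day, ~40 s each) and then displays 500 accounts for a few
    seconds each on day four, the pattern described in the text. clerk_b is
    steady throughout.
    """
    events = []
    base = datetime(2024, 3, 4, 8, 0, 0)  # constructed start date
    for day in range(4):
        for user, per_day, dwell in (("clerk_a", 100, 40), ("clerk_b", 100, 40)):
            if user == "clerk_a" and day == 3:
                per_day, dwell = 500, 3
            for i in range(per_day):
                events.append({
                    "user": user,
                    "ts": base + timedelta(days=day, seconds=i * (dwell + 5)),
                    # constructed account ids, distinct within a day
                    "account": f"ACC{(day * 1000 + i) % 2500:05d}",
                    "dwell_s": dwell,
                })
    return events


def daily_distinct_accounts(events):
    """Map user -> {date: number of distinct accounts displayed that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        seen[e["user"]][e["ts"].date()].add(e["account"])
    return {u: {d: len(a) for d, a in days.items()} for u, days in seen.items()}


def flag_excessive_access(events, day_iso, ratio=3.0, max_mean_dwell_s=10):
    """Alert on users whose distinct-account count on `day_iso` exceeds `ratio`
    times their average on earlier days AND whose mean time per account that
    day is below `max_mean_dwell_s`. Thresholds are assumptions for the
    example, not product defaults. Returns a list of alert dicts."""
    day = date.fromisoformat(day_iso)
    counts = daily_distinct_accounts(events)
    dwell = defaultdict(list)
    for e in events:
        if e["ts"].date() == day:
            dwell[e["user"]].append(e["dwell_s"])
    alerts = []
    for user, per_day in counts.items():
        today = per_day.get(day)
        history = [n for d, n in per_day.items() if d < day]
        if today is None or not history:
            continue  # no activity that day, or no baseline to compare against
        baseline = mean(history)
        mean_dwell = mean(dwell[user])
        if today > ratio * baseline and mean_dwell < max_mean_dwell_s:
            alerts.append({"user": user, "day": day_iso, "accounts": today,
                           "baseline": baseline, "mean_dwell_s": mean_dwell})
    return alerts


def who_accessed(events, account, start_iso, end_iso):
    """Every (user, ISO timestamp) that displayed `account` inside the window,
    the search an investigator runs once a leak of that account is known."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sorted((e["user"], e["ts"].isoformat()) for e in events
                  if e["account"] == account and start <= e["ts"] <= end)


if __name__ == "__main__":
    trail = build_sample_trail()
    for alert in flag_excessive_access(trail, "2024-03-07"):
        print("ALERT", alert)
    print(who_accessed(trail, "ACC00042", "2024-03-04T00:00:00", "2024-03-04T23:59:59"))
```

The rule deliberately requires both conditions (volume spike and short dwell) so that a clerk who legitimately works through a long queue of accounts, spending normal time on each, is not flagged; the baseline is per user, so a rule tuned to one clerk’s workload does not misfire on a busier team.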
The US FFIEC’s “Information Security Handbook”, a GLBA supplement, requires that “Financial institutions should take reasonable steps to ensure that sufficient data is collected from secure log files to identify and respond to security incidents and to monitor and enforce policy compliance.” This requirement poses a significant challenge for financial organizations, since most of them do not maintain detailed logs of user access to sensitive data. Most organizations have only transaction-level logs, recording which user accessed which transaction or screen and when. However, this level of information is insufficient, since the really meaningful information is missing, namely which specific customer records and fields the user accessed. Even organizations that have detailed logs usually miss the part that matters for GLBA compliance: the detailed logs are typically maintained only for update transactions and not for queries and other read-only transactions, due to the high overhead that such logs normally cause. Developing a mechanism for generating a detailed log that would track all transactions, including read-only transactions, involves tremendous effort, since thousands of the organization’s programs would need to be changed.
Intellinx solves this problem out-of-the-box without changing any application code and with no overhead on the existing systems or network. By recording user activity on the application level, Intellinx generates a very detailed audit trail of user access to the corporate applications and data, enabling the organization to immediately comply with the GLBA requirement for a detailed audit trail.
The US HIPAA Security Rule requires healthcare organizations to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” (Section 164.312). This rule poses a significant challenge for healthcare organizations, since most of them do not maintain detailed logs of user access to sensitive data. Most organizations have only transaction-level logs, recording which user accessed which transaction or screen and when. However, this level of information is insufficient, since the really meaningful information is missing, namely which specific customer records and fields the user accessed. Even organizations that have detailed logs usually miss the part that matters for HIPAA compliance: the detailed logs are typically maintained only for update transactions and not for queries and other read-only transactions, due to the high overhead that such logs normally cause. Developing a mechanism for generating a detailed log that would track all transactions, including read-only transactions, involves tremendous effort, since thousands of the organization’s programs would need to be changed.
Intellinx solves this problem out-of-the-box without changing any application code and with no overhead on the existing systems or network. By recording user activity on the application level, Intellinx generates a very detailed audit trail of user access to the corporate applications and data, enabling the organization to immediately comply with the HIPAA requirement for a detailed audit trail.
The Sarbanes-Oxley Act (SOX) requires executives and auditors of publicly traded companies in the US to validate the accuracy and integrity of their financial reporting. Section 404 of the act requires that companies create and maintain effective internal controls to track financial processes. Using Intellinx business rules, organizations can add controls for critical SOX compliance issues, including:
Section 404 of the act also requires companies to “provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant’s assets that could have a material effect on the financial statements”. In many corporations, protecting digital assets such as customer information, trade secrets, M&A information or patient records is critical. The unauthorized disclosure of this information may have a negative impact on the company’s stock price and its financial performance. Thus, organizations are required to closely monitor the usage of those assets and be able to detect such events in real-time or near real-time. Intellinx tracks user behavior patterns, triggering alerts on exceptions in real time, and generates a very detailed audit trail of user access to corporate data, enabling organizations to comply with this requirement of section 404.
The Basel 2 Accord requires financial institutions to calculate credit, market and operational risks, in order to ensure that they have enough capital reserves to cover risk exposures. As internal fraud is defined in the accord as one of the operational risks, Intellinx can help mitigate operational risk by addressing the threat of internal fraud, as described in the answer to the first question above.
There are various solutions for detecting and preventing information leakage. Some solutions on the network level focus on detecting and blocking sensitive information leakage through emails or instant messages. Other solutions on the desktop level focus on detecting and blocking sensitive information leakage by printing it or saving it to a CD or disk-on-key. All these solutions address the threat after the fraudulent user has already gained access to the sensitive information and is now trying to transfer it outside the organization in various ways. One of the limitations of these approaches is that once the sensitive data is displayed on the user’s screen, there are ways of transferring this data which cannot be detected by these solutions. For example, the fraudulent user can simply write the information on paper or take pictures of the screen using a cell phone camera.
Intellinx, on the other hand, addresses this threat before it even occurs – when the user gains access to the sensitive information using applications on any platform. Intellinx allows the auditor to detect fraudulent users in action, regardless of the way they choose to transfer the data. The system’s business rules analyze the user behavior on the application level (rather than on the network/system level), generating instant alerts on suspicious events in real-time. These alerts may either be sent to the internal auditors or trigger automatic action, for example, by initiating a “suspend user” process in the operational system. In addition, Intellinx generates a very detailed audit trail of user access to the applications and data including read-access actions, enabling after-the-fact investigations. This granular forensic audit trail is highly valuable in case the leakage has already occurred, when the challenge is to find the fraudulent user.
Intellinx provides totally different capabilities from RACF and other mainframe security tools. While RACF and other mainframe security tools manage identities, roles and access levels to various system resources, they do not record user activity and do not track user behavior patterns for detecting fraudulent activities. These tools may collect logs of user access to system resources.
There are tools that analyze the RACF or SMF logs (such as Consul or Vanguard). These tools provide an audit trail on the transaction level, i.e. which user accessed which transaction and when. However, this audit trail is not detailed enough for investigating fraud and information leakage and for complying with various government regulations, since it does not include the customer records and field values accessed by the user, which is what really matters.
No, Intellinx does not record any activity that runs on the employee’s workstation such as email or instant messages that may contain private information. It only records interaction between the employee workstation and the business applications running on the corporate servers, such as accounting, inventory, purchasing, etc. These applications typically do not contain employees’ personal information. Access to the Intellinx data is usually granted only to internal auditors so the employee’s manager normally does not have any access to this data.
In several countries in Europe with higher awareness of employee privacy, it is recommended to coordinate the Intellinx implementation with the works council, jointly defining the procedures for using Intellinx to ensure that no data relevant to employee performance will be exposed.
Intellinx does not store the actual bitmap of the user screens but rather stores the intercepted raw network transmission, from which it reconstructs the user screens when needed; hence it is very efficient regarding disk space. The data is condensed at a ratio of 1:10. Based on the experience of Intellinx customers using 3270 based applications, the recorded data of one end-user for a whole day typically requires about 50KB – 60KB. So if, for example, your organization has 10,000 end-users, then the required disk space is approximately 500MB – 600MB for recording one day of activity of the whole organization. If you store the data for 6 months (180 days), you need only about 90GB. This estimate covers the recorded screens. In addition to the recorded data, the Intellinx database stores formatted data, including the field values that were identified in the user screens. Depending on the number of fields identified in the screens, the disk space required for this formatted data may be similar to that of the recorded data, so the total disk space required in this example may be approximately 180 GB.
In the case of client-server messages, the amount of disk space required depends on the volume of traffic. As with screen recording (3270, 5250, HTML), in which the screen bitmap is not stored, in client-server monitoring Intellinx does not store the screen bitmap but rather the raw network transmissions in a condensed format.
There may be several scenarios:
Intellinx is installed on a separate Linux, UNIX or Windows server which is connected to a standard mirror port of the switch. Therefore there is no intervention whatsoever in the host or client software or hardware. The installation process is very short, typically just a few hours, and is totally risk-free. Once the system is installed, it immediately starts recording all the screen communication and collecting user activity data, allowing the internal auditors to perform a search; for example, the auditors can search for all the users who accessed a specific account number in a specific timeframe. Business events and business rules may be defined at a later stage and applied to the recorded data after the fact.
Intellinx is installed on a separate server (running Linux, UNIX or Windows) which is connected to a standard mirror port of the switch or a tap device. Therefore there is no need to install or change anything in the host or client software or hardware. Hence, there is no impact on the system or network performance.
The way in which Intellinx is connected to the network, through a mirror port or a tap device, is passive. With this type of passive connection there is no way that Intellinx can interfere with the network traffic, since the connection is one-way: Intellinx can only receive data and cannot send any data to the network through this connection.
Since Intellinx runs on a separate server and does not require any installation or changes in the organization’s infrastructure, it is very easy to install and test Intellinx. The installation process normally takes just a few hours, after which the system starts to record user activity across the enterprise. The recording and analysis of user activity provides visual replay capabilities as well as an online query enabling the auditor to search, for example, for all the users who accessed a specific account number in a specific time frame.
An on-site proof-of-concept typically takes about 3 days, in which the system is installed and connected to the network and several business events are defined. These business events are configured according to the organization’s specific requirements, tracking user behavior patterns in the organization’s business applications and generating instant alerts on exceptions.
The Intellinx architecture is very flexible and scalable providing a cost effective solution to organizations with 500 employees as well as corporations with 100,000 employees. Intellinx can be deployed in a wide range of configurations according to the organization structure and needs. Intellinx may be configured to support a central auditing and investigation group that audits all end users as well as decentralized groups of auditors and investigators, each monitoring a subset of the users.
The Intellinx sensors (sniffers) can be deployed in several data centers connected to one or more network switches in each data center. Each sensor server may listen to one or more protocols in one or more network switches.
The sensors may be configured to send data to one or more analyzer servers. Analyzers may be deployed in one or more data centers, analyzing data on the departmental/regional level and/or at the corporate level. The analyzers may store the captured and analyzed data in databases deployed in a variety of configurations. A local database may be deployed in each data center, allowing for searches on local activity. A central database may be deployed for storing user activity across all data centers. A combination of local databases and a central database may be used in order to allow both local searches and cross-data-center searches.
Recorded data from different platforms can be handled differently according to the auditing needs of the organization. For example, AS/400 recorded data can be stored only in local databases, while mainframe recorded data can be stored both in local and central databases.
Since the sniffing is performed on the switches located close to the host, Intellinx records all user access to these host computers regardless of the user’s location, inside or outside the firewall.
Intellinx monitors the following platforms:
Intellinx servers run on the following platforms:
The Intellinx client runs on Windows 7 and 2008.
Intellinx monitors thin-client applications and fat-client applications in different ways. For thin-client applications (3270, 5250, HTML) Intellinx reconstructs user screens from the captured network transmissions and provides visual screen replay. In fat-client applications the screen displayed to the user is normally painted by the client application, so it is impossible to reconstruct it from the network transmissions alone.
Intellinx monitors user activity in client-server applications by recording the messages sent from the client to the server and from the server to the client. In order to analyze the content of the messages, Intellinx allows you to import the layout structure of these messages from the application program (in Cobol, C, VB, etc.) into the Intellinx repository. You need to import the layouts only for the messages for which analysis is required. You can defer the decision on which messages will be analyzed: let the system record everything and then decide after the fact which messages’ layouts you choose to import. In conjunction with the layout you need to specify how the message is identified (e.g. by a message-type and/or transaction-type field). Intellinx provides very powerful tools for editing the imported message layout, enabling you to define messages with dynamic structures and complex redefinitions, but this obviously requires more technical skill than screen-based applications do.
Intellinx provides search and display capabilities for the content of the messages, enabling the security officer to search on any field value that was indexed and to display the messages and their fields’ content in the original sequence in which they occurred: client-to-server message, then server-to-client reply message, and so on. Based on this display you are able to track end-user activity, not as it was displayed on the screen but as the data that was sent to and from the user’s machine. Intellinx business rules can analyze user activity and behavior patterns based on the fields in these messages, just as they do for the fields in screens.
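The layout-import and message-search workflow in the two paragraphs above, as an added illustration that is not Intellinx code: a fixed-position layout table stands in for an imported copybook, the first five bytes of each message identify its type, only messages whose layout has been imported are decoded (the rest stay recorded but unparsed), and an index over decoded field values lets an investigator pull a request and its reply in their original order. The message types ACCTQ and ACCTR, their field positions, the PIC-style field kinds and the captured byte strings are all constructed for the example.

```python
# Stand-in for imported message layouts: message type -> list of
# (field name, byte offset, length, kind). Kind "X" is text, "9V2" is an
# unsigned number with two implied decimals (COBOL PIC 9(n)V99 style).
# Both layouts and the type-field position are constructed for the example.
LAYOUTS = {
    "ACCTQ": [("msg_type", 0, 5, "X"), ("user_id", 5, 8, "X"), ("account", 13, 10, "X")],
    "ACCTR": [("msg_type", 0, 5, "X"), ("account", 5, 10, "X"),
              ("cust_name", 15, 20, "X"), ("balance", 35, 12, "9V2")],
}
TYPE_FIELD = (0, 5)  # how a message is identified: bytes 0..4 hold the type

# Constructed capture: (direction, raw bytes) in the order seen on the wire.
SAMPLE_STREAM = [
    ("c2s", b"ACCTQ" + b"JSMITH".ljust(8) + b"0001234567"),
    ("s2c", b"ACCTR" + b"0001234567" + b"ALICE EXAMPLE".ljust(20) + b"000012345678"),
    ("c2s", b"PINGQ" + b"\x00\x01"),          # no layout imported: recorded only
    ("c2s", b"ACCTQ" + b"JSMITH".ljust(8) + b"0007654321"),
    ("s2c", b"ACCTR" + b"0007654321" + b"BOB EXAMPLE".ljust(20) + b"000000005000"),
    ("s2c", b"ACCTR" + b"0009999999"),        # truncated reply, must not crash decoding
]


def identify(raw):
    """Return the message type read from the agreed type-field position."""
    off, length = TYPE_FIELD
    return raw[off:off + length].decode("ascii", errors="replace")


def convert(value, kind):
    """Apply the field kind: text is stripped, 9V2 gets its decimal point."""
    text = value.decode("ascii", errors="replace")
    if kind == "9V2":
        if not text.isdigit():
            raise ValueError(f"non-numeric 9V2 field: {text!r}")
        return f"{int(text[:-2])}.{text[-2:]}"
    return text.strip()


def decode_message(raw):
    """Decode one message against its imported layout.

    Returns (type, fields) where fields is None when no layout is imported
    for the type, or {"_error": ...} when the bytes are too short for it."""
    msg_type = identify(raw)
    layout = LAYOUTS.get(msg_type)
    if layout is None:
        return msg_type, None
    needed = max(off + length for _, off, length, _ in layout)
    if len(raw) < needed:
        return msg_type, {"_error": f"truncated: {len(raw)} of {needed} bytes"}
    return msg_type, {name: convert(raw[off:off + length], kind)
                      for name, off, length, kind in layout}


def decode_stream(stream):
    """Decode a capture in wire order, keeping the position of each message."""
    out = []
    for pos, (direction, raw) in enumerate(stream):
        msg_type, fields = decode_message(raw)
        out.append({"pos": pos, "dir": direction, "type": msg_type, "fields": fields})
    return out


def build_index(decoded):
    """(field name, value) -> positions of every decoded message carrying it."""
    index = {}
    for msg in decoded:
        if not msg["fields"] or "_error" in msg["fields"]:
            continue
        for name, value in msg["fields"].items():
            index.setdefault((name, value), []).append(msg["pos"])
    return index


def search(decoded, index, field, value):
    """Messages that carry field == value, in their original wire sequence,
    so a request and its reply come back together."""
    return [decoded[p] for p in index.get((field, value), [])]


if __name__ == "__main__":
    msgs = decode_stream(SAMPLE_STREAM)
    idx = build_index(msgs)
    for m in search(msgs, idx, "account", "0001234567"):
        print(m["pos"], m["dir"], m["type"], m["fields"])
```

The truncated-reply row shows the edge case worth handling when a layout is applied after the fact: a captured message shorter than its layout is kept in the sequence and marked, rather than silently decoded into garbage or dropped from the trail.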
Intellinx supports HTML based applications in a similar way to 3270 based applications:
Intellinx supports Applets in a similar way to client-server applications. In this case the screen displayed to the user cannot be reconstructed from the network traffic alone, since the Applet running in the client browser generates the displayed content. Intellinx records the messages sent from the client Applet to the server and from the server to the client Applet. In order to analyze the content of the messages and identify the fields, the message layout can be imported from the server or client application code.