User Monitoring and Forensics

The Challenge of Generating a Forensic Audit Trail

A detailed audit trail of user access to sensitive corporate data has become a necessity for protecting the corporate brand and information assets. It is also required by government regulations, especially privacy regulations. While many organizations maintain access logs, most are insufficient due to the following limitations:

  • There is no logging of read-only actions. Most existing logs record only update activities and leave out read-only activities. That information is very important for detecting fraudsters preparing to commit fraud, for protecting privacy and for preventing information leakage.
  • Many logs provide information only at the transaction level, e.g. which user accessed which transaction and when. They are missing the more important information: which specific customer records and fields the user accessed, and what the user did with those records and fields.
  • The logs represent an incomplete view of activities. Many logs are maintained in disparate systems or applications, which makes it difficult to find and correlate the relevant information.

Legacy systems developed a decade or two ago, and many newer systems as well, were not designed for collecting detailed data access logs. Retrofitting a logging mechanism into them can translate into hundreds of programmer-months, not counting the added load on the servers and the ongoing maintenance.

Intellinx Solution for User Monitoring

Intellinx provides an out-of-the-box solution for internal and external user monitoring without changing any application code and with no overhead on the existing systems or network. Utilizing patented network sniffing technology, the Intellinx system records and analyzes user activity at the application level. The system reconstructs all user screens and keystrokes and generates a very detailed audit trail of user access to the corporate applications and data. This audit trail is invaluable for both real-time and post-event investigations.

The system provides a Google-like search over the recorded user screens. Investigators can search for all users who accessed a specific piece of information (a name, a number or any other text that appeared on any screen) and visually replay their actions screen by screen. It allows, for example, searching for all users who accessed a specific customer account in a specific timeframe. The search can be performed on data recorded from a single platform (e.g. Web) or from several platforms (e.g. Mainframe, Client/Server, Web, AS/400, etc.), giving the investigator a consolidated view of user activity across multiple applications from a single query screen. The auditor can zoom in on any user session retrieved by the query and replay the user’s screen flows and keystrokes.

In addition to network sniffing, the system can collect information from databases, data warehouses, log files and other sources, in real time or in batch. The data captured from the various sources is stored in one centralized repository and analyzed by the Intellinx business rule engine.
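As an added illustration, and not Intellinx code, of what the logging limitations listed above and the account search described earlier mean in practice: a consolidated, record/field-level audit trail fed with constructed sample events from three platforms, queried for everyone who touched one customer account on a given day, beside the update-only, transaction-level view a legacy log would keep of the same activity. The event schema, user names and account ids are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class AuditEvent:
    """One captured user action from any monitored platform (constructed schema)."""
    ts: datetime
    platform: str     # e.g. "Mainframe", "Web", "AS/400"
    user: str
    transaction: str  # screen or transaction name the user was in
    action: str       # "read" or "update"
    record: str       # business record touched, e.g. a customer account id
    fields: tuple     # fields displayed or changed on that record

class ConsolidatedAuditTrail:
    """Central repository holding read and update events at record/field level."""
    def __init__(self):
        self.events = []
    def record(self, event):
        self.events.append(event)
    def who_accessed(self, record, start, end):
        """Every (user, platform, action, fields) that touched a record in a time window."""
        return [(e.user, e.platform, e.action, e.fields)
                for e in sorted(self.events, key=lambda e: e.ts)
                if e.record == record and start <= e.ts <= end]

def legacy_update_log(events):
    """What an update-only, transaction-level log retains from the same activity."""
    return [(e.user, e.transaction, e.ts) for e in events if e.action == "update"]

# Constructed sample activity across three platforms on two days.
SAMPLE = [
    AuditEvent(datetime(2024, 3, 4, 9, 1), "Mainframe", "jdoe", "CUST_INQ",
               "read", "ACC-1001", ("name", "balance", "ssn")),
    AuditEvent(datetime(2024, 3, 4, 9, 2), "Web", "jdoe", "AccountView",
               "read", "ACC-1002", ("name", "balance")),
    AuditEvent(datetime(2024, 3, 4, 9, 5), "AS/400", "asmith", "ADDRCHG",
               "update", "ACC-1001", ("address",)),
    AuditEvent(datetime(2024, 3, 5, 14, 0), "Web", "bjones", "AccountView",
               "read", "ACC-1001", ("name",)),
]

def investigate(record="ACC-1001", day=datetime(2024, 3, 4)):
    """Who touched a given customer account during one calendar day, across platforms?"""
    trail = ConsolidatedAuditTrail()
    for e in SAMPLE:
        trail.record(e)
    return trail.who_accessed(record, day, day.replace(hour=23, minute=59, second=59))
```

Running `investigate()` returns jdoe's read of name, balance and ssn on the mainframe followed by asmith's address update on the AS/400, whereas `legacy_update_log(SAMPLE)` keeps only asmith's update and never shows that the ssn was viewed.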

The recorded user behavior is analyzed by the Intellinx analytics engine, which builds behavior profiles for various entities (customers, employees, accounts, etc.). The profiles are used to detect anomalies in user behavior in near real time.

The system provides a highly flexible, user-friendly, web-based user interface that presents the results of the analysis in dashboards, reports and charts.

The Intellinx Business Value

  • Holding all users accountable for all their activity.
  • Providing the information required for behavior analysis, which serves as the basis for analytic investigations that detect and prevent various types of fraud and information leakage.
  • Compliance with regulations that require a complete audit trail and privacy protection.
  • Deterring potential fraudulent users through the awareness that their actions are recorded and analyzed in real time.