Attachmate Roots Out Insider Fraud with New Software
July 13, 2010 Alex Woodie
Attachmate this month shipped Luminet, a powerful fraud-detection program that gives corporations Big Brother-like monitoring capability over their workers. The enterprise-strength product, which starts at around $100,000, captures every screen and records every keystroke made by users as they traverse applications running on midrange and mainframe IBM systems and open X64 systems alike, thereby picking up the trail of malicious users where traditional log-based security and auditing products leave off.
Hackers get all the glory and the headlines, but insider fraud is where the real money resides. Time and time again, reports by security experts find that malicious employees or other insiders are responsible for more than half–and sometimes up to 90 percent–of the cases where data or money has gone missing. In these situations, beefing up perimeter security by adding more intelligence devices on the network–such as intrusion prevention systems (IPS) and even security information and event management (SIEM) products–will provide little added protection, because the real threat is already inside–and has a valid user ID and password, to boot.
This is the gap that Attachmate hopes to fill with its Luminet product. The new product, which is an OEM version of the user monitoring product developed by the Israeli security software company Intellinx (which we covered in a February 2006 issue of this newsletter), effectively tracks every move that users make on an organization’s computer system.
Attempts to track user activity through traditional means–such as by sifting through transaction and server log files with an auditing tool–do help, but they don’t provide the level of detail that companies and regulations like HIPAA, PCI, and Sarbanes-Oxley demand today, says Mike Miller, director of business development for Attachmate.
“There’s a ‘last mile’ that’s really hard to get, which is exactly who’s doing what and when and in what sequence, and you can’t really get that from traditional means of looking at log files and transaction records,” Miller says. “It doesn’t give you that complete, holistic view of activity. So we saw the Intellinx technology as a way to address the additional need.”
‘Tivo’ for the mainframe
What makes the Intellinx and Luminet products particularly useful to large enterprises is the deep visibility into applications that run on “legacy” systems, like System i, System z, and DEC minis, as well as the capability to centralize and correlate user activity on these systems with newer applications. By tapping into the 5250, 3270, or VT100 data streams, the Luminet product is able to record every screen users visit and every keystroke they make, providing a valuable forensic tool. “It’s like Tivo for the mainframe,” Miller says.
Companies that run more modern applications that have tighter controls and auditing built into them may not need an additional product like Luminet. “But the legacy systems that were built a decade or two decades ago, just don’t align with all these modern auditing requirements,” Miller says.
Luminet’s cross-platform capability also maps well with the disparate systems and complex business processes that are in place at many organizations. Employees typically need to work with several applications to complete a given piece of work, particularly at larger companies that have grown through acquisitions, or have been around long enough to invest in several generations of IT equipment. (One hopes that nobody is investing in DEC minis anymore.)
This flipping back and forth between applications is a fact of life in big corporate environments, but it’s a nightmare to track. This, in turn, provides cover for ne’er-do-wells, Miller says.
“The malicious insider abuse–those folks who are trying to generate financial gain, either from data leakage or financial fraud–takes advantage of the fact that it’s a hodgepodge of applications, that it’s a disparate, complex business system,” he says. “They are often aware of what controls are in place and what controls are not in place, and they are able to get around those controls by jumping around and manipulating that business process.”
Luminet also detects the activities of non-malicious users who might be taking short-cuts to get their jobs done faster. These users might not be aware that they are breaking their company’s security policy, but the company may suffer from their activities nonetheless, through a bad audit.
Another area where Luminet can illuminate: read-only activity. “If you’re in a financial services environment, and you have somebody who’s systematically looking for dormant accounts–just looking at them, not modifying them–you’re not going to catch that with a traditional log file-based approach,” Miller says. This precursor to fraud can be detected with Luminet by using its heuristics engine to highlight user activity that deviates significantly from the norm. In this case, the software would send the administrator or fraud analyst an alert, immediately after the event occurs.
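To make the read-only detection point concrete, here is an added illustration (not Luminet or Intellinx code) of why a transaction log misses systematic browsing of dormant accounts while a per-user baseline over screen-level records catches it. The event records are constructed, and the z-score threshold is an assumed stand-in for whatever heuristics the product actually uses.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed screen-level records of the kind a terminal-stream recorder
# could produce: (user, account, account_is_dormant, record_was_modified).
EVENTS = [
    ("alice", "1001", False, False), ("alice", "2001", True, False),
    ("bob", "1002", False, True),
    ("carol", "2002", True, False), ("carol", "1003", False, False),
    ("dave", "1004", False, True),
    ("erin", "2003", True, False),
]
# One user pages through nine dormant accounts without changing anything.
EVENTS += [("mallory", f"2{n:03d}", True, False) for n in range(10, 19)]


def modified_accounts(events):
    """What a transaction/log-file approach sees: only writes, per user."""
    changed = {}
    for user, account, _dormant, modified in events:
        if modified:
            changed.setdefault(user, []).append(account)
    return changed


def dormant_readonly_counts(events):
    """Per-user count of dormant accounts viewed but not modified."""
    counts = Counter()
    for user, _account, dormant, modified in events:
        if dormant and not modified:
            counts[user] += 1
    return counts


def flag_outliers(events, threshold=2.0):
    """Users whose dormant read-only viewing exceeds the peer baseline by
    more than `threshold` population standard deviations (assumed rule)."""
    users = {e[0] for e in events}
    counts = dormant_readonly_counts(events)
    values = [counts[u] for u in users]
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # everyone behaves alike: nothing deviates from the norm
        return {}
    return {u: round((counts[u] - mu) / sigma, 2)
            for u in users if (counts[u] - mu) / sigma > threshold}
```

The write-only view never mentions the user who browsed the dormant accounts, while the baseline comparison flags that user alone.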
Evidence gathered by Intellinx has been used in court. Because the data housed in the software is encrypted and digitally signed, it can be introduced in court as valid evidence. That’s a big advantage over log files, Miller says. “So often with log files, they know what happened. But it’s not actionable as legal evidence. If it’s a log file, how many administrators theoretically could have accessed and modified it?” he asks.
Attachmate elected to enter into an OEM agreement with Intellinx, as opposed to becoming another reseller, because it hopes to further develop the product. For example, Attachmate may add support for more terminal emulation types, such as some of the obscure but important emulations used by airlines. Other ideas include bolstering its encryption and getting the product FIPS certified, which will enable Attachmate to sell it to government agencies and contractors.
Intellinx was originally developed by Sabratec, an Israeli developer of software for IBM platforms and other servers. When Sabratec was acquired by Software AG in January 2005, the company kept its ApplinX offering, but sold its Intellinx product to former Sabratec executives Orna Mintz-Dov and Boaz Krelbaum, who co-founded Intellinx. Mintz-Dov is the CEO, while Krelbaum is CTO.
Luminet is available now from Attachmate. The software runs on Windows, Unix, and Linux servers. Pricing varies widely, and ranges from about $100,000 to half a million dollars or more. For more information, visit www.attachmate.com.