
Luminet and Your SIEM Solution
Working Together to Defeat Insider Threats

Luminet Defeats the Insider Threat

We all know that the key to preventing data breaches and policy violations is being able to identify and assess the right information. But that’s not always an easy task. Many organizations use a traditional data collection tool called SIEM (Security Information and Event Management) to get the job done.

What Is SIEM?

SIEM is a powerful engine that correlates and consolidates a broad range of security activity occurring across a network. It is powered by aggregating log data and correlating events. By pooling log information, the SIEM engine can help pinpoint security hotspots, consolidate security events into common-cause hierarchies, and perform root-cause analysis.

What SIEM Can and Cannot Do

While powerful, SIEM solutions are primarily focused on networks and systems, rather than the single most important source of internal fraud—people accessing sensitive application data. With SIEM, you can monitor only data that is available through log entries. But most logs track only update actions—not user queries and other read-only actions—so they are not equipped to address modern security requirements.

The Added Value of Luminet


Attachmate Luminet enterprise fraud management software can augment your SIEM product—adding the layer of detail and context to keystrokes you need to respond to data or policy breaches in high-volume, high-demand environments. Luminet is designed from the ground up to monitor people and how they interact with applications, providing an added dimension and depth to the view you get from your SIEM product.

By introducing Luminet into your SIEM environment, you can:

  • Expand your view of user behavior across enterprise applications
    The data captured with Luminet is processed using a behavioral-analytics engine and becomes a consumable event that is further processed by the traditional SIEM engine. For example, take one of your core business applications that is used daily by a variety of users. Some parts of the application reveal personal customer information, such as social security numbers. How can you tell if a user is surreptitiously copying those numbers down? In a traditional SIEM environment, that activity may not even be logged since no change took place. If it is logged, it may not necessarily be flagged as suspicious.

    Luminet tracks your users’ application activity, even passive reading of screens, regardless of what may or may not be logged. All user behavior, across all parts of the application, is modeled into application usage patterns and deviations from that model are flagged by Luminet. When suspicious or deceptive behavior is flagged, it can be propagated to your SIEM environment for alerting, or perhaps correlation with other events. Deep-dive analysis can then be performed in the Luminet Investigation Center to cast the event into the context of the entire sequence of screens the user was moving through when the suspicious activity occurred, providing you with the intelligence you need to defeat insider threats.
  • Enforce policies and facilitate compliance
    When Luminet is integrated with your SIEM or other security tools (e.g., IDM or your trouble ticketing system), these systems become more than reporting tools. Depending on your policies and the capabilities of your SIEM product, you can configure Luminet to respond to incidents as they occur. For example, you can define robust rules and alerts that respond to suspicious activity in real time. What’s more, Luminet’s interactive tools help you clearly distinguish between legitimate and illegitimate activity by detecting the cross-channel patterns and trends of users across diverse departments and applications.

    Luminet data can then be provided to your existing SIEM and consumed via your established central console to augment your real-time monitoring, event correlation, incident management, and reporting of user activity across multiple applications and multiple data channels. These functions can also help you demonstrate compliance with internal policies and controls as well as government regulations, such as SOX, HIPAA, GLBA, FISMA, and others.
  • Analyze user behavior quickly and thoroughly
    Navigating through a sea of disassociated, system-generated data can be as frustrating as having no data at all. Log files and alerts may be able to tell you what’s occurred at a high level, but without the ability to analyze those occurrences, you are missing the ground-level details needed to take meaningful action.

    Luminet makes it possible for you to drill into the security event logged by your SIEM engine and understand the details of the event and accompanying user activity. Together, the systems can perform high-level event consolidation and triage as well as highly sophisticated behavioral analysis that recognizes new trends, attacks, or violations. You can also manipulate and interact with real-time graphical information and drill down into historical details ranging from seconds to hours in the past. Sophisticated visualization tools like Luminet’s link analysis engine enable you to quickly identify patterns of behavior and activity that were previously invisible to your SIEM solution.

Comparing Luminet and SIEM

| | Luminet | SIEM |
|---|---|---|
| Monitoring Focus | User Behavior — Application | System & Security — Infrastructure |
| Capture Process | Network, Log | Log, Collector |
| Application Visibility | 100% | Limited to Log/Collector |
| Correlation/Alerting/Reporting | Yes | Yes |
| Visual Session Replay | Yes | No |
| Application Impact | None | Log/Collector Agent |
| Alert Response | Case Manager | Incident Management |
| Mainframe (3270 Protocol) | Yes | Only System and Log Data |
| Value | Fraud/Privacy/Misuse | Vulnerability, Threat Prioritization |

 

Take Informed Action

By augmenting your SIEM solution with Luminet, you can:

  • Supercharge your SIEM reporting.
  • Improve the information you use to address IT controls across multiple regulations.
  • Demonstrate your ability to better monitor, document, and report on security controls.
  • Enhance the way you continually assess your compliance and security efforts.
  • Help close the knowledge gap between what should be happening in your environment and what actually occurs.

The Luminet Investigation Center

Once new threats and security events are identified, you can use the powerful Luminet Investigation Center to collect facts and activities associated with a given investigation. You can also create reports and collate all the information into forensic cases. Luminet crystallizes the massive amounts of data you've captured into actionable intelligence.

Working together, Luminet and your SIEM solution can give you a complete and accurate picture of who did what, and when—providing the intelligence you need to take informed action and defeat insider threats.

 
