Attachmate Luminet enterprise fraud management software sees, records, and analyzes user activity across all applications—giving you a complete and accurate picture of who did what, and when. This FAQ provides clear answers to the most commonly asked questions about Luminet.
Can Luminet help me fight internal fraud?
Luminet can help you fight internal fraud in several ways:
- Luminet provides unparalleled visibility into user activity on the application level, rather than on the network or system level. This capability allows internal auditors and fraud investigators to visually replay user actions screen by screen, keystroke by keystroke, as if looking over the user's shoulder.
- Configurable business rules track user behavior patterns, generating real-time alerts on exceptions. Once alerted, internal auditors can immediately zoom in on specific suspects and replay their actions. When Luminet is integrated with an operational system, an alert can even initiate a "suspend user" action in that system.
- Luminet continuously records user activity across multiple applications and platforms, generating a detailed forensic audit trail. Using Luminet online query capabilities, auditors can search for all the users who accessed a specific account number in a specific timeframe across the enterprise. Auditors can also investigate specific cases by applying new rules to historic recorded data, after the fact.
How does Luminet detect and prevent information leaks?
Luminet detects and prevents information leaks by tracking user behavior patterns on the application level and then triggering real-time alerts on suspicious events. In addition to alerts, Luminet generates a detailed audit trail of all user actions, including queries and other read-only transactions that typically do not leave any traces in corporate databases or logs. This audit trail can be used for online search.
Here are some examples of what Luminet can do:
- Identify a bank clerk who searches for high-profile customer information by customer name far more often than other clerks.
- Spot a customer service rep who displays 500 customer accounts on a specific day, spending just a few seconds with each account, when he typically accesses only 100 customer accounts per day.
- Generate a real-time alert that initiates the automatic suspension of a suspicious user.
- Enable an investigator to search multiple applications and platforms for all of the users who accessed leaked information in a given timeframe. For each one of the listed users, the investigator can visually replay the screens that were used for accessing the customer information—and view the context in which the customer information was accessed.
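The volume-and-dwell-time pattern and the cross-application search from the examples above, sketched as an added example. This is not Luminet's rule engine or API: the record layout, thresholds and function names are assumptions, and every event is constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean


def build_events():
    """Constructed audit trail (sample data only).
    Record: (timestamp, user, application, action, account, dwell_seconds)."""
    events = []
    day0 = datetime(2024, 3, 4, 9, 0)
    for d in range(5):  # five working days
        start = day0 + timedelta(days=d)
        for user, app in (("rep_a", "crm"), ("rep_b", "mainframe")):
            # rep_a normally views 100 accounts a day; on the last day
            # the same user views 500, spending about 4 seconds on each.
            burst = user == "rep_a" and d == 4
            n, dwell = (500, 4) if burst else (100, 90)
            for i in range(n):
                ts = start + timedelta(seconds=i * dwell)
                events.append((ts, user, app, "READ", f"ACCT-{i:04d}", dwell))
    return events


def daily_profile(events):
    """Per (user, day): distinct accounts viewed and mean dwell time."""
    accounts, dwell = defaultdict(set), defaultdict(list)
    for ts, user, _app, _action, account, seconds in events:
        key = (user, ts.date())
        accounts[key].add(account)
        dwell[key].append(seconds)
    return {k: (len(accounts[k]), mean(dwell[k])) for k in accounts}


def volume_alerts(events, ratio=3.0, max_dwell=10.0, min_history=3):
    """Flag a day when a user views at least `ratio` times their own
    prior daily average AND spends only seconds on each account."""
    profile = daily_profile(events)
    alerts = []
    for user in sorted({u for u, _ in profile}):
        days = sorted(d for u, d in profile if u == user)
        for i, day in enumerate(days):
            history = [profile[(user, d)][0] for d in days[:i]]
            if len(history) < min_history:
                continue  # too little baseline to judge this day
            count, avg_dwell = profile[(user, day)]
            baseline = mean(history)
            if count >= ratio * baseline and avg_dwell <= max_dwell:
                alerts.append((user, day.isoformat(), count, baseline))
    return alerts


def who_accessed(events, account, start, end):
    """Every (user, application) that touched an account in a window.
    Read-only views count: they are the events ordinary logs miss."""
    return sorted({(user, app)
                   for ts, user, app, _action, acct, _s in events
                   if acct == account and start <= ts < end})


if __name__ == "__main__":
    trail = build_events()
    print(volume_alerts(trail))
    print(who_accessed(trail, "ACCT-0300",
                       datetime(2024, 3, 4), datetime(2024, 3, 9)))
```

Requiring both conditions (volume well above the user's own baseline and very short dwell time) is what keeps a legitimately busy day from raising the same alert.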
How is Luminet different from other enterprise fraud management solutions?
Luminet is different from other enterprise fraud management solutions in one key way: It addresses threats before they occur. Other solutions act after a fraudulent user has gained access to the target information and is trying to transfer it out of the organization; e.g., via email, instant message, hardcopy, CD, or disk-on-key.
By contrast, Luminet catches threats before they occur—detecting fraudulent users in action as they gain access to information. Luminet business rules analyze user behavior on the application level (rather than on the network/system level), generating instant, real-time alerts on suspicious events. These alerts can be sent to internal auditors or trigger automatic actions; e.g., initiating a "suspend user" process in the operational system.
Compliance Questions
How can Luminet help with PCI DSS compliance?
PCI DSS (Payment Card Industry Data Security Standard) is a U.S. industry standard maintained by the PCI Security Standards Council that dictates rules for handling sensitive cardholder data—both in-transit and in-storage. Because PCI DSS is an industry standard, there are no government penalties for violations. But businesses (credit card companies, merchants, and service providers) that fail to comply may be restricted in their use of credit card services.
PCI DSS Challenges
One of the toughest fraud prevention challenges of PCI DSS comes from section 10.2.1, which requires organizations to "implement automated audit trails for all system components to reconstruct all individual user accesses to cardholder data." In addition, section 10.2.2 requires that "all actions taken by any individual with root or administrative privileges" must be included in the audit trail.
Complying with this requirement poses a significant challenge for organizations that rely on both legacy and modern applications. Most of these applications do not include a logging mechanism that provides a complete history of user access to cardholder data. In many cases, logs include only update actions and not user queries and other read-only actions. An audit of all individual user access must include read-only activity in order to be complete.
Another common solution is log aggregation. Log aggregation relies on data provided by existing application logs, and if this information is insufficient then log aggregation will not help comply with section 10.2.
Luminet enterprise fraud management software is built to capture user activity across multiple applications. It records activity in real time—screen by screen, keystroke by keystroke—creating an audit trail directly from the network. This audit trail includes both update and read-only actions for both regular and privileged users.
Luminet stores this information in a secure repository, from which you can conduct powerful full-text searches through current or recorded activity. These searches allow you to visually play back every screen and keystroke relevant to your audit.
Customizable dashboards, graphs, and reports enable your internal auditors to see the big picture at a glance and zero in on activity that puts PCI DSS compliance at risk.
How can Luminet help with GLBA compliance?
GLBA (Gramm-Leach-Bliley Act) is a U.S. law enacted in 1999 to protect the personal financial information of consumers that is held by financial institutions. Under GLBA, financial institutions are required to implement safeguards that provide information security, privacy, and data integrity.
GLBA Challenges
Enacted more than a decade ago, GLBA continues to vex the financial services industry. The act was originally intended to provide greater protection for an individual's nonpublic PII (personally identifiable information) and to govern the manner in which that information is gathered, stored, and disclosed. The problem is that the information required to demonstrate compliance with GLBA is difficult to retrieve, correlate, and audit.
Luminet enterprise fraud management software is built to capture user activity across multiple applications. It records user activity in real time—screen by screen, keystroke by keystroke—creating an audit trail (with both update and read-only actions) directly from the network. By providing 100 percent visibility into all user activity, Luminet helps you identify inappropriate access of PII. You can also use risk-based scoring capabilities to identify suspicious or nefarious behavior, and eliminate false positives.
Luminet stores all recorded information in a secure repository, from which you can conduct powerful full-text searches through current or recorded activity. These searches allow you to visually play back every screen and keystroke relevant to your audit.
Customizable dashboards, graphs, and reports enable your internal auditors to see the big picture at a glance and zero in on activity that puts GLBA compliance at risk.
How can Luminet help with HIPAA compliance?
HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law enacted in 1996 that preserves the privacy and security of personal health records. HIPAA requires that organizations in the healthcare industry adhere to specific physical, administrative, and technical safeguards in order to prevent unauthorized access to and manipulation of electronically stored and transmitted health information.
HIPAA Challenges
Two HIPAA requirements are particularly challenging for healthcare providers:
- Section 164.302-318, which requires strict controls around the use and disclosure of electronic protected health information (PHI).
- Section 164.306 a1, which requires that providers "ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits."
These requirements are challenging for one key reason: Most applications, both legacy and modern, do not include a logging mechanism that provides a complete history of user access to cardholder data. In many cases, logs include only update actions and not user queries and other read-only actions. An audit of all individual user access must include read-only activity in order to be complete.
Luminet enterprise fraud management software is built to capture user activity across multiple applications. It records activity in real time—screen by screen, keystroke by keystroke—creating an audit trail directly from the network. This audit trail includes both update and read-only actions for both regular and privileged users.
Luminet stores this information in a secure repository, from which you can conduct powerful full-text searches through current or recorded activity. These searches allow you to visually play back every screen and keystroke relevant to your audit.
Customizable dashboards, graphs, and reports enable your internal auditors to see the big picture at a glance and zero in on activity that puts HIPAA compliance at risk.
How can Luminet help with SOX compliance?
SOX (Sarbanes-Oxley Act) is a U.S. law enacted to protect the financial information of public companies. SOX requires that companies ensure the integrity of data used in public financial statements. It holds CEOs and CFOs accountable for the accuracy of financial statements. And it specifies financial reporting responsibilities, including adherence to internal controls and procedures designed to ensure the validity of financial records. The Securities and Exchange Commission oversees SOX compliance.
SOX Challenges
One section, Section 404, is of particular interest to IT professionals. This section stipulates that certain controls be in place to validate the accuracy and integrity of financial data. But adding these controls can be challenging, particularly when the data is stored in multiple applications and legacy systems. What's more, traditional application logging, built into these systems, is unable to capture the information required to demonstrate compliance. For example, application logs fail to capture the activity around a given action (such as screens accessed by the user). Without this essential context, tracing fraudulent activities to a particular user or session is often impossible.
Luminet enterprise fraud management software captures privileged- and nonprivileged-user activity across multiple applications. It records the activity in real time—screen by screen, keystroke by keystroke—creating an audit trail directly from the network. There is no need to add any controls or change a single line of code.
By providing 100 percent visibility into all user activity, Luminet helps you identify inappropriate access of financial data. You can also use Luminet's risk-based scoring capabilities to identify suspicious or nefarious behavior, and eliminate false positives.
Customizable dashboards, graphs, and reports enable your internal auditors to see the big picture at a glance and zero in on activity that puts SOX compliance at risk.
How can Luminet help with Basel II and Basel III compliance?
What Are Basel II and Basel III?
Basel II: An international standard developed by the Basel Committee on Banking Supervision that requires financial institutions to maintain enough cash reserves to cover their operational risks.
Basel III: An international standard developed by the Basel Committee on Banking Supervision that builds on Basel I and II to strengthen the banking sector's ability to deal with financial stress. Basel III effectively triples the size of the capital reserves that the world's banks must hold against losses. The new rules will be phased in from January 2013 through January 2019.
Basel II and Basel III Challenges
Under Basel II and Basel III, organizations are required to monitor, assess, and constrain risk. Compliant banks must be able to ascertain risk within their internal systems, establish controls, and monitor systems on a day-to-day basis. These activities, which must be transparent and repeatable, are subject to scrutiny by auditors.
The challenge lies in obtaining an appropriate level of visibility across financial activity occurring at the application layer, and then tying that back to risk. All too often, the required data is overwhelmingly difficult to correlate or simply isn't captured by traditional logging systems. Beyond that, traditional logs have no way to link disparate actions to establish a risk profile for user behavior. Suspicious activity may occur over a period of time and across multiple systems, further obscuring linkages between fraudulent activities.
Luminet enterprise fraud management software monitors all user activity across multiple systems in real time—24/7/365—giving financial institutions a unique way to assess and reduce operational risk as defined by Basel II, including internal fraud, business disruptions, and systems failures.
Luminet's powerful analytical engine can pinpoint suspicious behavior—based on business rules that you've defined—and generate real-time alerts related to questionable activity patterns. These alerts allow you to immediately zero in on anomalies, including disruptions to systems or performance levels.
Post-event analysis includes the ability to apply new rules to recorded information, which auditors can review in a screen-by-screen replay. In this way, they can gain critical contextual information and understand what actually occurred.
How can Luminet help with FISMA compliance?
FISMA (Federal Information Security Management Act) is a U.S. law enacted in 2002 to protect the integrity, security, and availability of government systems from natural or manmade threats. The National Institute of Standards and Technology (NIST) regularly issues guidance on security best practices, develops information security standards (Federal Information Processing Standards), and provides guidelines (Special Publications in the 800-series) for non-national security federal information systems in support of FISMA. Noncompliance with FISMA is published publicly by Congress in the form of agency scorecards. Poor FISMA compliance may result in a requirement to report before Congress, and significant budget-related penalties may be applied.
FISMA Challenges
Several of FISMA's key provisions provide significant challenges for federal agencies and their affiliates, including mandates to:
- Continuously monitor systems.
- Document access controls and data access across all systems.
- Ensure the confidentiality, integrity, and availability of government data.
- Audit and report on their systems.
Here's the underlying problem: The data requiring protection is often housed in multiple legacy applications with inadequate logging information to support the security audit requirements of FISMA.
Luminet enterprise fraud management software provides a number of capabilities that are key to supporting FISMA compliance. These capabilities include:
- 100% visibility into user activity
Luminet captures user activity—screen by screen, keystroke by keystroke—across all applications. It also provides the ability to replay that activity to gain an "over the shoulder view" of what the user was doing. By providing this unique view into user actions, Luminet adds context to keystrokes—which enables you to take informed action.
- Complete audit trail
Luminet can capture all user activity, including read-only/query access. This information is stored in a secure database, where it is available in the event that legal action is required.
- Searches across platforms and legacy systems
Luminet supports monitoring across multiple application types, including mainframe, iSeries, web, and client/server. No desktop agents or host-side components are required.
- User-behavior analysis
Luminet monitors, correlates, and profiles user behavior across multiple applications to detect suspicious patterns and pinpoint anomalies. These capabilities, in conjunction with activity alerts and risk-based scoring, provide actionable intelligence in near real time.
Technical Questions
Does Luminet invade employee privacy?
Luminet enterprise fraud management software does not invade employee privacy because it does not record any activity that runs on the employee's workstation, including emails or instant messages that may contain private information. It records only interactions between the employee workstation and the business applications running on corporate servers, such as accounting, inventory, and purchasing. These applications do not typically contain personal employee information. Access to the Luminet data is usually granted only to internal auditors, so the employee's manager does not have access to this data.
We recommend that organizations in European countries with strict employee privacy rules coordinate the Luminet implementation with the works council. Together, the organization and the council can define the procedures for using Luminet to ensure that no data related to employee performance is exposed.
Do I need Luminet if I have RACF or other security tools on my mainframe?
The capabilities of Luminet enterprise fraud management software are different from those provided by RACF and other mainframe security tools, which manage identities, roles, and access levels to various system resources. Those tools might also collect logs of user access to system resources. They do not record user activity or track user behavior patterns for detecting fraudulent activities the way that Luminet does.
Tools do exist for analyzing RACF or SMF logs (such as Consul or Vanguard). These tools provide an audit trail on the transaction level—for example, which user accessed which transaction and when. But this audit trail is not detailed enough for investigating fraud and information leakage or for complying with various government regulations. It does not include the data that really matters, such as the customer records and field values accessed by the user.
How much data storage is required to use Luminet?
Luminet enterprise fraud management software does not store the actual bitmap of the user screens. Instead, it stores the intercepted raw network transmission from which it reconstructs the user screens when needed—resulting in an efficient use of disk space.
The data is condensed at a ratio of 1:10. Based on the experience of Luminet customers using 3270 applications, the recorded data of one end-user in a day typically requires about 50KB–60KB. So if your organization has 10,000 end-users, then the required disk space is approximately 500MB–600MB for one day of activity. If you store the data, including the recorded screens, for 6 months (180 days), you need only about 90GB. In addition to the recorded data, the Luminet database stores formatted data, including field values that were identified in the user screens. Depending on the number of fields identified in the screens, the disk space required for this formatted data may be similar to the recorded data. So the total of required disk space for this example may be approximately 180GB.
In the case of client-server messages, the amount of disk space required depends on the volume of traffic. Like screen recording (3270, 5250, HTML), in client-server monitoring Luminet does not store the screen bit map. It stores the raw network transmissions in a condensed format.
Can Luminet monitor encrypted application activity?
Luminet enterprise fraud management software can monitor two common encryption configurations:
- The encryption/decryption is performed on a gateway server and not on the host. In this case, Luminet can listen to the network transmissions between this gateway and the host, since it is not encrypted.
- The encryption/decryption is performed on the host using SSL. In this case, Luminet must be supplied with the private key of the host in order to decrypt the encrypted traffic. It should be noted that the recorded data is encrypted and digitally signed by Luminet, so the data is protected once it is decrypted by Luminet.
How does Luminet affect application and network performance?
Luminet enterprise fraud management software does not affect application or network performance. It is installed on a separate server (running Linux, UNIX, or Windows) that is connected to a standard mirror port of the switch or a tap device. There is no need to install or change anything on the host or client software or hardware.
The way in which Luminet is connected to the network through a mirror port or a tap device is passive. This passive connection is one-way only—meaning Luminet can receive data but is unable to send any data to the network through this connection. Consequently, Luminet will not interfere with network traffic.
How does Luminet scale across my enterprise?
Built to be flexible and scalable, Luminet enterprise fraud management software provides a cost-effective solution to organizations with 500 employees as well as those with 100,000. It can be deployed in a wide range of configurations depending on organizational structure and needs. For example, it can be configured to support a central auditing and investigation group that audits all end-users. Or it can be configured to support decentralized groups of auditors and investigators, each monitoring a subset of users.
Luminet sensors (sniffers) can be deployed in several data centers and connected to one or more network switches in each data center. Each sensor server can listen to one or more protocols in one or more network switches.
The sensors can be configured to send data to one or more analyzer servers, which can be deployed in one or more data centers to assess data at the departmental/regional level or at the corporate level. The analyzers can store the captured and analyzed data in databases deployed in a variety of configurations. A local database can be deployed in each data center allowing for searches on local activity. A central database can be deployed for storing user activity across all data centers. A combination of local and central databases can be used in order to allow both local searches and cross data center searches.
Recorded data from different platforms can be handled according to the auditing needs of the organization. For example, AS/400 recorded data can be stored only in local databases, while mainframe recorded data can be stored both in local and central databases.
What applications and protocols can Luminet monitor?
Luminet enterprise fraud management software can monitor the following applications and protocols:
Monitored Applications
- IBM mainframe: 3270, MQ, LU0, and LU6.2
- IBM AS/400: 5250 and MPTN
- Unisys mainframe: T27
- Fujitsu mainframe: 6680
- Web: HTTP/HTTPS
- Client/Server: TCP/IP, MQ Series, MSMQ, and SMB
- UNIX: VT
- SWIFT, FIX, and ISO8583 (ATM)
- Database: Microsoft SQL Server
- FTP
- Other application-to-application protocols can be configured
- Oracle Forms 6.5 (client-server)
- Oracle Forms 10 (web-based)
Security Protocols
- SSL/TLS
- SSH
- AES encryption and digital certificates