Collecting Forensic Audit Trail of Authorized User Activities

A detailed audit trail of user access to sensitive corporate data has become a necessity for protecting the corporate brand and information assets. It is also required by government regulations, especially privacy regulations. While many organizations maintain access logs, most are insufficient due to the following three limitations:

  1. The logs are missing record- and field-level data
    Most existing logs only contain information at the transaction level, such as: which users accessed which transaction at what time?
    Critical information is still missing, such as:
    - Which specific records and fields did the user access?
    - What did the user do with the data?

  2. There is no logging of read-only actions
    Most existing logs only record update activities. There is no record of the times information is accessed without being changed. This information is very important for preventing and investigating information leakage and for privacy protection.

  3. The logs represent an incomplete view of activities
    Many logs are maintained in disparate systems or applications, which makes it difficult to find and correlate relevant information.

Legacy systems developed a decade or two ago, and many newer systems as well, were not designed for collecting detailed data-access logs. Introducing a log mechanism to these applications typically requires adding a small logging component to each online program. In large enterprises with up to tens of thousands of online programs, this can translate into hundreds of programmer-months, not including the overhead on the servers and the additional maintenance required. The time, money and effort required to generate the detailed audit trail become exorbitant.

Intellinx solves this problem out-of-the-box without changing any application code and with no overhead on the existing systems or network. By recording and analyzing user activity on the application level, Intellinx generates a very detailed audit trail of user access to the corporate applications and data. This audit trail is invaluable for both real-time and post-event investigations. It enables the internal auditor to search, for example, for all the users who accessed a specific account number in a specific timeframe across any application across any platform in the enterprise. The auditor can zoom in on any user session retrieved by the query and replay the user's actions screen by screen, keystroke by keystroke.

The Intellinx business rules can be utilized for identifying specific business events and generating configurable logs of those events. For example, a business rule can be configured to identify the process of updating a credit limit and generate a table in the Intellinx relational database with selected attributes of every credit-limit update that exceeds a specific threshold.
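As an added illustration of what the three requirements above amount to in practice, the following Python module models an audit trail that records read-only as well as update actions at record and field level, correlates events captured from several applications, answers the auditor's question "who accessed this account number in this timeframe?", and applies a threshold business rule like the credit-limit example. This is example code written for this page, not Intellinx's product code; the application names, transaction names, account numbers, users and values are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """One captured user action, kept at record and field level.

    Unlike a transaction-only log, it names the record touched, the fields
    seen or changed, and it is written for reads as well as updates."""
    ts: datetime
    user: str
    application: str                      # system the event was captured from
    transaction: str                      # screen or program the user ran
    action: str                           # "read" or "update"
    record_id: str                        # e.g. the account number involved
    fields: Dict[str, str] = field(default_factory=dict)      # values shown or entered
    old_values: Dict[str, str] = field(default_factory=dict)  # prior values (updates only)


def at(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample trail spanning three hypothetical applications.
EVENTS: List[AuditEvent] = [
    AuditEvent(at("2024-03-01T09:02:00"), "alice", "CoreBanking", "ACCT-INQ", "read",
               "ACC-1001", {"balance": "5200.00", "credit_limit": "8000"}),
    AuditEvent(at("2024-03-01T09:05:30"), "alice", "CoreBanking", "LIMIT-UPD", "update",
               "ACC-1001", {"credit_limit": "25000"}, {"credit_limit": "8000"}),
    AuditEvent(at("2024-03-01T10:40:00"), "carol", "CRM", "CustomerView", "read",
               "ACC-1001", {"phone": "555-0100"}),
    AuditEvent(at("2024-03-01T11:15:00"), "bob", "WebPortal", "LimitChange", "update",
               "ACC-2002", {"credit_limit": "6000"}, {"credit_limit": "5000"}),
    AuditEvent(at("2024-03-02T08:00:00"), "dave", "CoreBanking", "ACCT-INQ", "read",
               "ACC-1001", {"balance": "5200.00"}),
]


def who_accessed(events: List[AuditEvent], record_id: str,
                 start: datetime, end: datetime) -> List[Tuple[str, str, str]]:
    """Every (user, application, action) that touched `record_id` in [start, end].

    Read-only views count, and events from all applications are correlated
    by the record identifier, so one query covers the whole enterprise."""
    return sorted({
        (e.user, e.application, e.action)
        for e in events
        if e.record_id == record_id and start <= e.ts <= end
    })


def credit_limit_raises_over(events: List[AuditEvent], threshold: int) -> List[dict]:
    """Business rule: capture every credit-limit update whose new limit exceeds
    `threshold`, as rows with selected attributes ready for a reporting table."""
    rows = []
    for e in events:
        if e.action != "update" or "credit_limit" not in e.fields:
            continue
        new_limit = int(e.fields["credit_limit"])
        if new_limit > threshold:
            rows.append({
                "ts": e.ts.isoformat(),
                "user": e.user,
                "application": e.application,
                "account": e.record_id,
                "old_limit": int(e.old_values.get("credit_limit", "0")),
                "new_limit": new_limit,
            })
    return rows


def session_replay(events: List[AuditEvent], user: str,
                   day: datetime) -> List[Tuple[str, str, str]]:
    """Chronological (transaction, action, record) sequence of one user's
    actions on a given day, the basis for a screen-by-screen replay."""
    return [
        (e.transaction, e.action, e.record_id)
        for e in sorted(events, key=lambda ev: ev.ts)
        if e.user == user and e.ts.date() == day.date()
    ]


if __name__ == "__main__":
    day0, day1 = at("2024-03-01T00:00:00"), at("2024-03-01T23:59:59")
    print(who_accessed(EVENTS, "ACC-1001", day0, day1))
    print(credit_limit_raises_over(EVENTS, 10000))
    print(session_replay(EVENTS, "alice", day0))
```

Running the module shows Carol's read-only CRM view of ACC-1001 beside Alice's core-banking update, which a transaction-level, update-only log would never surface, and the rule flags only Alice's raise to 25000 because Bob's change stays under the threshold.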