The Fraud Examiner

Monitoring Authorized User Activities: The Importance of a Sound Forensic Audit Trail

July 2012 

Sponsored by Attachmate Luminet®

According to a recent study on insider threat conducted by the Ponemon Institute, organizations suffer an average of more than 52 incidents of insider fraud annually. Traditional security controls, such as application logging, are often powerless in these situations. When malicious insiders with legitimate reasons for accessing applications, querying databases, and changing system configurations alter, destroy or obfuscate records, institutions are often left unable to determine what actually happened. As a result, a detailed audit trail of user access to sensitive corporate data has become a necessity for protecting your corporate brand and information assets. It is also required by an increasing number of government regulations, and especially by privacy regulations.

While many organizations maintain access logs, most are insufficient due to the following three limitations:

  1. The logs lack record- and field-level data, and focus solely on a given transaction.

    The reality is that most existing logs only contain information at the transaction level, such as: Which users accessed which transaction at what time? In these cases, critical information is still missing. Vital questions such as “Which specific records and fields did the user access?” and “What did the user do with the data?” go unanswered.


  2. Many existing systems fail to log read-only actions, leaving gaps in the records.

    Most existing logs only record update activities. This leaves critical information about what was viewed, queried or simply accessed out of the audit trail entirely. In these cases, there is often no record of the times information was accessed without being changed. This information is extremely important for preventing and investigating information leakage and data theft. Another area where this absence of information reveals significant gaps is in demonstrating who has accessed private or privileged information.

  3. Where logs are available, they represent an incomplete view of activity that is often “hidden” across multiple systems and difficult to correlate.

    The reality is that many logs are maintained in disparate systems or applications that don’t “talk” to each other. This makes it difficult to find and correlate relevant information—or respond quickly to an audit request. This reality often aids the malicious insider in obscuring their activity.
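The three gaps above can be made concrete with a small model of what a forensic-quality audit event needs to carry. The following Python is an added example, not code from the article or from the sponsor's product: it defines an event format that records the specific record and fields touched (gap 1), treats read-only access as a first-class event (gap 2), and merges events from separate systems into one per-user timeline (gap 3). The event attributes, gap names, sample users and record identifiers are all constructed for illustration.

```python
"""Field-level audit events, a gap checker, and a cross-system correlator.

Added example. The schema below is an assumption about what a sound audit
trail should contain, not any vendor's format.
"""
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class AuditEvent:
    ts: str                       # ISO-8601 UTC timestamp
    system: str                   # application or database that emitted the event
    user: str                     # authenticated identity performing the action
    action: str                   # "read", "update", "delete", "export", ...
    transaction: str              # screen, transaction code or API name
    record_id: Optional[str] = None              # the specific record touched (gap 1)
    fields: List[str] = field(default_factory=list)   # columns viewed or changed (gap 1)
    changes: Dict[str, Dict[str, str]] = field(default_factory=dict)  # field -> {"old", "new"}

    def to_json(self) -> str:
        """Serialize for shipping to a central, append-only store."""
        return json.dumps(asdict(self), sort_keys=True)


def log_event(events: List[AuditEvent], system: str, user: str, action: str,
              transaction: str, record_id: Optional[str] = None,
              fields: Optional[List[str]] = None,
              changes: Optional[Dict[str, Dict[str, str]]] = None,
              ts: Optional[str] = None) -> AuditEvent:
    """Append one event; read-only access is logged exactly like an update (gap 2)."""
    ev = AuditEvent(ts or datetime.now(timezone.utc).isoformat(), system, user,
                    action, transaction, record_id, list(fields or []), dict(changes or {}))
    events.append(ev)
    return ev


def audit_gaps(events: List[AuditEvent]) -> set:
    """Report which of the article's limitations a given log exhibits."""
    gaps = set()
    if any(ev.record_id is None or not ev.fields for ev in events):
        gaps.add("missing_record_or_field_data")   # limitation 1
    if not any(ev.action == "read" for ev in events):
        gaps.add("no_read_only_actions")           # limitation 2
    return gaps


def correlate(*logs: List[AuditEvent]) -> Dict[str, List[AuditEvent]]:
    """Merge logs from disparate systems into one time-ordered timeline per user (gap 3)."""
    timeline: Dict[str, List[AuditEvent]] = {}
    for log in logs:
        for ev in log:
            timeline.setdefault(ev.user, []).append(ev)
    for evs in timeline.values():
        evs.sort(key=lambda e: e.ts)   # ISO-8601 with a fixed offset sorts lexicographically
    return timeline


def records_touched(timeline: Dict[str, List[AuditEvent]], user: str):
    """Answer 'which records and fields did this user access, and what did they do?'"""
    return [(e.system, e.action, e.record_id, e.fields) for e in timeline.get(user, [])]


# Constructed sample data (not real users, systems or records).
# A legacy log: transaction-level only, and updates only -- both gaps present.
LEGACY_LOG: List[AuditEvent] = [
    AuditEvent("2012-07-02T09:14:00+00:00", "erp", "jsmith", "update", "AR_ADJUST"),
    AuditEvent("2012-07-02T09:20:00+00:00", "erp", "jsmith", "update", "AR_POST"),
]

# Field-level logs from two separate systems, including a read-only view.
CRM_LOG: List[AuditEvent] = []
log_event(CRM_LOG, "crm", "jsmith", "read", "CUST_VIEW", "C-1001",
          ["ssn", "dob"], ts="2012-07-02T09:10:00+00:00")
log_event(CRM_LOG, "crm", "jsmith", "export", "CUST_EXPORT", "C-1001",
          ["ssn", "dob", "address"], ts="2012-07-02T09:12:00+00:00")

DB_LOG: List[AuditEvent] = []
log_event(DB_LOG, "db", "jsmith", "update", "UPDATE customers", "C-1001",
          ["address"], {"address": {"old": "1 Main St", "new": "9 Elm St"}},
          ts="2012-07-02T09:11:00+00:00")

if __name__ == "__main__":
    print("legacy log gaps:", sorted(audit_gaps(LEGACY_LOG)))
    print("field-level log gaps:", sorted(audit_gaps(CRM_LOG + DB_LOG)))
    for entry in records_touched(correlate(CRM_LOG, DB_LOG), "jsmith"):
        print(entry)
```

Run stand-alone, the script reports both gaps for the legacy log, none for the field-level logs, and prints the merged timeline showing the read of `ssn` and `dob`, the address change, and the export, in order, even though the events came from two different systems. The point of the correlator is that each system's log on its own would tell an investigator only part of that story.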
