© Intellinx Ltd. All Rights Reserved.
Boaz Krelbaum, Intellinx Ltd. Founder, CTO
Agenda
- Introduction
- The Paradigm Shift
- Solution Demonstration
- System Architecture
- The Compliance Angle
- Employee Privacy
- Summary
About Intellinx
- Intellinx was a part of Sabratec, which had 2 product lines:
  - Legacy integration solutions for enterprises worldwide since 1997
  - Intellinx - Fraud detection and Compliance since 2003
- Software AG acquired Sabratec’s Legacy Integration business in January 2005 and Intellinx became an independent entity - Intellinx Ltd.
- R&D in Israel, US headquarters in NYC, a worldwide chain of partners
- IBM US is a reseller of Intellinx
- Selected by Gartner as a “Cool Vendor”, Security and Privacy, 2006
Types of Insider Threat
Insider: current or former employee or contractor
- Insider Fraud: the insider uses IT to modify information for financial gain or for other personal purpose
- Information Leakage: the insider uses IT to steal information for business advantage or for other purpose
- IT sabotage: the insider uses IT in a way that is intended to cause harm to the organization or an individual.
Top 10 Threats to Enterprise Security (chart)
Source: IDC's 2007 Annual Security Survey of IT and security professionals
Insider Threat – A Critical Problem for Enterprises
The ACFE (Association of Certified Fraud Examiners) 2008 survey:
- Average cost of fraud - 7% of annual revenues
- 60% of all fraud involves employees
- 65% of fraud is detected by tipping or by accident
- The average scheme goes on for 24 months prior to detection
- Total estimated impact on the US economy: over $900 billion in fraud losses
Intellinx – Record, Analyze, Respond!
Record and Replay
- Record all end user interaction with the host
- Visual replay of full user sessions
Analyze Screen Content
- Automatic recognition of screens and fields
- “Google like” search on screen content, e.g. who accessed a specific customer account in a specific timeframe?
Identify User Activity Events
- Continuous analysis of user activity
- Identify user transactions which may be comprised of several screens
Analytic Engine
- Customizable rules track user behavior patterns, triggering alerts in real-time
- New rules may be applied after-the-fact
- Case Management workbench supports alert evaluation and case investigation
Intellinx Architecture – Integrated Security & Fraud Solutions (diagram)
Diagram labels: Switch; 3270 / 5250; Intellinx Sensor Analyzer; Intellinx Session Analyzer (Screen/Message Recording, Session Reconstruction); Event Analyzer; Business Event; Intellinx Reports; MQSeries; Files; Host 1 (z/OS); Queue; REPLAY; Actions; Backlog; Events Repository
z/OS solution:
- SW only install
- 98% zAAP eligible
- Doesn’t add to existing SW charges
- Sysplex aware
- High volume, low CPU %
- Can handle non-z/OS traffic
- Operates across VPN
- No other solution does
- Eliminates network distribution of SSL private keys for z/OS workloads
- Reduces risk
- Reduced complexity of deployment/ordering
- Reduced overhead & latency for real time analytics
- Leverages Mainframe security and audit of DB’s
Intellinx Technology
- Patent-pending agent-less network traffic sniffing
- No impact on performance
- Highly scalable architecture
- Very short installation process (several hours), with no risk to normal IT operations
- Recordings stored in extremely condensed format
- Recording files are encrypted and digitally signed – potentially admissible in court when needed
Monitored Platforms:
- IBM Mainframe: 3270, MQ, LU0, LU6.2
- IBM System i: 5250, MPTN
- Web: HTTP/HTTPS
- Client/Server: TCP/IP, MQ Series, MSMQ, SMB
- VT100, SSH
- SQLNET (Oracle), DRDA (DB/2), TDS (MS SQL)
Why monitor the Criminal Justice Systems?
Scenario #1 – Information Leakage
- Warrant information was disseminated to an unauthorized person. How do you find out who accessed it?
- A State Police employee leaks information on planned arrests in a homicide case investigation to one of the suspects. How can you stop it in time?
Scenario #2 – Providing Evidence to Court
- A request is received from a court to verify that a user did or did not use the system to perform his job duties. How can you provide the evidence?
Scenario #3 – Investigation needs
- A vehicle with a certain tag may have been used in a homicide and law enforcement is searching to locate where the vehicle was last seen. How do you find out?
Scenario #4 – Privileged User planting a Logic Bomb
- A disgruntled programmer plants malicious code which sporadically deletes customer accounts. How do you reveal what he did?
Intellinx Rule Engine (diagram)
Diagram labels: User Events; External Sources (Web Service, Data File, Data Base); Fact Attributes; Business Entities; Rule Measures; Alerts
Rule Examples
What?
- Access of a specific account
How?
- Access an account included in a white list / black list
- Access any account more than x times in an hour/day
- Search for accounts according to customer name more than x times in an hour/day
When?
- All the above – after hours
Where from?
- All the above – from which department
Time correlation
- Same user-id login from different terminals at the same time
- Access customer sensitive data without a customer call in the call center at the same time
Data correlation
- Add the same address / beneficiary to different accounts by the same user
Aggregation
- Sum of transfers of an account/user exceeds x
Process
- Add beneficiary, then transfer/withdraw money, then delete beneficiary – all in 48 hours
- Change address, then transfer/withdraw money, then delete address – all in 48 hours
- Increase credit limit, then transfer/withdraw money, then decrease credit limit – all in 48 hours
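The rule families on this slide (threshold, time correlation, aggregation and multi-step process) are simple enough to show as working detection logic. The following is an added example written for this page, not Intellinx code: it runs four such rules over a constructed set of user-activity events. The event columns (time, user-id, terminal, action, account, amount), the thresholds (x = 5 accesses per hour, 10,000 total transfers, a 10-minute window for "same time" logins) and the action names are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the deck): one row per captured screen/transaction.
# Columns: time, user-id, terminal, action, account, amount.
EVENTS = [
    ("2010-03-01 09:00", "u17", "T01", "login", None, 0),
    ("2010-03-01 09:02", "u17", "T09", "login", None, 0),   # same user-id, second terminal
    ("2010-03-01 09:05", "u17", "T01", "add_beneficiary", "ACC-1", 0),
    ("2010-03-01 10:10", "u17", "T01", "transfer", "ACC-1", 9000),
    ("2010-03-02 08:30", "u17", "T01", "transfer", "ACC-1", 6000),
    ("2010-03-02 16:00", "u17", "T01", "delete_beneficiary", "ACC-1", 0),
    ("2010-03-01 11:00", "u23", "T04", "login", None, 0),
] + [("2010-03-01 11:%02d" % m, "u23", "T04", "query", "ACC-7", 0) for m in range(1, 8)]


def parse(events):
    """Turn the raw tuples into dicts sorted by time (rules below rely on time order)."""
    rows = [{"t": datetime.strptime(e[0], "%Y-%m-%d %H:%M"), "user": e[1], "term": e[2],
             "action": e[3], "acct": e[4], "amt": e[5]} for e in events]
    return sorted(rows, key=lambda r: r["t"])


def rule_access_threshold(rows, limit=5, window=timedelta(hours=1)):
    """'Access any account more than x times in an hour': sliding window per (user, account)."""
    by_key, alerts = defaultdict(list), set()
    for r in rows:
        if r["acct"]:
            by_key[(r["user"], r["acct"])].append(r["t"])
    for key, times in by_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop accesses older than the window
                start += 1
            if end - start + 1 > limit:
                alerts.add(key)
    return sorted(alerts)


def rule_concurrent_terminals(rows, window=timedelta(minutes=10)):
    """'Same user-id login from different terminals at the same time' (time correlation).
    Assumes two logins within `window` from different terminals count as concurrent."""
    logins, alerts = defaultdict(list), set()
    for r in rows:
        if r["action"] == "login":
            logins[r["user"]].append((r["t"], r["term"]))
    for user, ls in logins.items():
        for i, (t1, term1) in enumerate(ls):
            for t2, term2 in ls[i + 1:]:
                if term1 != term2 and t2 - t1 <= window:
                    alerts.add(user)
    return sorted(alerts)


def rule_transfer_sum(rows, limit=10000):
    """'Sum of transfers of a user exceeds x' (aggregation)."""
    totals = defaultdict(int)
    for r in rows:
        if r["action"] == "transfer":
            totals[r["user"]] += r["amt"]
    return sorted(u for u, s in totals.items() if s > limit)


def rule_sequence(rows, steps=("add_beneficiary", "transfer", "delete_beneficiary"),
                  window=timedelta(hours=48)):
    """'Add beneficiary, then transfer, then delete beneficiary - all in 48 hours' (process).
    Matches the steps in order, per (user, account), starting from each occurrence of step 0."""
    per_key, alerts = defaultdict(list), set()
    for r in rows:
        per_key[(r["user"], r["acct"])].append(r)
    for key, seq in per_key.items():
        for i, first in enumerate(seq):
            if first["action"] != steps[0]:
                continue
            pos = 1
            for r in seq[i + 1:]:
                if r["t"] - first["t"] > window:
                    break                      # the chain did not complete inside the window
                if r["action"] == steps[pos]:
                    pos += 1
                    if pos == len(steps):
                        alerts.add(key)
                        break
    return sorted(alerts)


def run_all(events=EVENTS):
    rows = parse(events)
    return {"access_threshold": rule_access_threshold(rows),
            "concurrent_terminals": rule_concurrent_terminals(rows),
            "transfer_sum": rule_transfer_sum(rows),
            "beneficiary_cycle": rule_sequence(rows)}


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, hits)
```

Each rule is a function over the same time-ordered rows, so a new rule can be applied to already-recorded sessions after the fact, which is the "new rules may be applied after-the-fact" property the deck describes; the process rule deliberately anchors the 48-hour window on the first step so an unrelated later transfer cannot restart the clock.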
Dynamic Profiling
Dynamic definition of profiles for any entity: End-Users, Accounts, Customers, any other entity
Time dimension: Hour, Day, Week, Month
Sample behavior attributes:
- Working hours
- Number of transactions per day
- Total amounts of transfers per day
- Total amounts of deposits per day
- Number of dormant accounts accessed per day
- Number of changes to dormant accounts per day
- Number of account address changes per day
- Number of beneficiary changes per day
- Number of VIP queries per day
- Number of changes to account statement mailing frequency per week
- Number of credit limit changes per day
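To make the profiling idea concrete, here is an added example (written for this page, not Intellinx code) that builds a per-user, per-day profile for two of the listed attributes, working hours and number of beneficiary changes per day, from a constructed eight-day event history, and flags the day on which one user departs from his own baseline. The event layout, the choice of a z-score against the user's prior days (with the standard deviation floored at 1.0 so a flat baseline does not divide by zero), the 3.0 alert threshold and the requirement of five days of history before judging are all assumptions of the example.

```python
from collections import defaultdict
from datetime import date, datetime, time, timedelta
from statistics import mean, pstdev

# Constructed sample (not from the deck): daily 'beneficiary_change' counts per user over
# eight days, expanded into timestamped events. Day 8 for u17 is the spike to be caught.
BASE = date(2010, 3, 1)
DAILY = {"u17": [1, 0, 2, 1, 0, 1, 1, 9], "u23": [0, 1, 0, 0, 1, 0, 0, 1]}


def make_events():
    events = []
    for user, counts in DAILY.items():
        for i, n in enumerate(counts):
            day = BASE + timedelta(days=i)
            events.append((datetime.combine(day, time(hour=9)), user, "login"))
            hour = 23 if (user == "u17" and i == 7) else 10   # the spike also happens after hours
            for _ in range(n):
                events.append((datetime.combine(day, time(hour=hour)), user, "beneficiary_change"))
    return sorted(events)


class DynamicProfile:
    """Per-entity daily counters plus the hours of day at which the entity is normally active."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))   # (entity, attr) -> {day: count}
        self.hours = defaultdict(lambda: defaultdict(set))    # entity -> {day: {hours seen}}

    def observe(self, ts, entity, action):
        self.counts[(entity, action)][ts.date()] += 1
        self.hours[entity][ts.date()].add(ts.hour)

    def usual_hours(self, entity, day, min_days=5):
        """(earliest, latest) hour seen on days before `day`, once enough history exists."""
        prior = {d: hs for d, hs in self.hours[entity].items() if d < day}
        if len(prior) < min_days:
            return None
        seen = [h for hs in prior.values() for h in hs]
        return min(seen), max(seen)

    def deviation(self, entity, attr, day, min_days=5):
        """(today's count, baseline mean, z-score) against a zero-filled series of prior days."""
        series = self.counts[(entity, attr)]
        prior_days = [d for d in series if d < day]
        if not prior_days:
            return None
        first = min(prior_days)
        span = (day - first).days
        if span < min_days:
            return None
        baseline = [series.get(first + timedelta(days=i), 0) for i in range(span)]
        mu, sigma = mean(baseline), max(pstdev(baseline), 1.0)   # floor sigma: flat history
        today = series.get(day, 0)
        return today, mu, (today - mu) / sigma


def detect(events, attr="beneficiary_change", z_limit=3.0):
    """Replay the events day by day; judge each day only against the profile of earlier days."""
    profile, alerts = DynamicProfile(), {}
    for day in sorted({ts.date() for ts, _, _ in events}):
        todays = [e for e in events if e[0].date() == day]
        for ts, user, action in todays:
            usual = profile.usual_hours(user, day)
            if usual and not usual[0] <= ts.hour <= usual[1]:
                alerts.setdefault((str(day), user, "after_hours"), ts.hour)
            profile.observe(ts, user, action)
        for user in sorted({u for _, u, _ in todays}):
            dev = profile.deviation(user, attr, day)
            if dev and dev[2] > z_limit:
                alerts[(str(day), user, "volume_spike")] = dev[0]
    return sorted(key + (value,) for key, value in alerts.items())


if __name__ == "__main__":
    for alert in detect(make_events()):
        print(alert)
```

The baseline is computed from each user's own history rather than a fixed limit, which is what distinguishes profiling from the threshold rules on the previous slide: nine beneficiary changes is an anomaly for u17 because his prior week averaged under one per day, not because nine exceeds a global constant.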
The Impacts of Real-Time Alerting
- Stop fraud before damages become enormous
- Enables effective investigation of reported cases, while information is still fresh
The Key - The Deterrence Factor
The Deterrence Factor of Real-time Alerts (chart)
Timeline annotations: Rule implemented; Security officers start calling on suspects; First employee is laid off
Summary – The Intellinx Solution for Insider Threat
- Insider Fraud: Intellinx provides audit trail, profiling and real-time alerts
- Information Leakage: Intellinx tracks all user actions including user queries and generates real-time alerts
- IT sabotage: Intellinx tracks the activity of all users including privileged IT users
► No Agents ► No Overhead ► No Risk
Thank You!
[email_address]
www.intellinx-sw.com

Intellinx overview.2010