IBM Security Trusteer Pinpoint Detect Integration Guide


IBM Security Verify Access 10.0.0.0
IBM Security Access Manager 9.0.7.0 and above

IBM Security Verify Access Extension for IBM Security Trusteer Pinpoint Detect
Integration Guide
October 2020

IBM Security Verify Access Extension for IBM Security Trusteer Pinpoint Detect Integration Guide

Contents

PREFACE
  IBM Knowledge Center
  IBM Terminology website
  Accessibility
  Technical Training
  Support information
  Statement of Good Security Practices
  Product name updates
INTRODUCING THE INTEGRATION
  Introduction
  Overview
  Integration Product Version Information
  Integration Package Download
  Integration Components
    Verify Access Reverse Proxy
    Verify Access Advanced Access Control (Authentication)
    Verify Access Advanced Access Control (Authorization)
    Pinpoint Detect Snippet Service
    Pinpoint API
  Component Interaction
  Pinpoint API Recommendation Mapping
PLANNING THE INTEGRATION
  DNS and Traffic Routing
  Required information and where to get it
VERIFY ACCESS PRE-REQUISITE CONFIGURATION
  Recommended initial setup for an integration test
INTEGRATION PACKAGE INSTALLATION
  Installation
  Validation
    Policy Information Point
    Attributes
    File Downloads
  Uninstallation
BASIC INTEGRATION CONFIGURATION
  Obtain and store required certificates
    Create and open a new certificate database
    Import certificates for the Trusteer PIP
  Configure AAC Authentication for CSID capture
  Reverse Proxy: Configure for AAC
  AAC: Configure path kickoff for authentication
  Reverse Proxy: General Configuration
    Configure local response redirect for login
    Modify junction matching configuration
    Allow Session Sharing across Virtual Host Junctions
  Reverse Proxy: Add snippets to login page
  Reverse Proxy: Inject snippets into application pages
    Load Snippets
    Inject snippets into application pages
  Trusteer PIP: Basic Configuration
PERFORM BASIC INTEGRATION TEST
  Create Test Policy
  Attach Test Policy
    Add Resource
    Attach Test Policy and Publish
  Run Test
  Test In-Session Recommendation
ADDITIONAL CONFIGURATION
  Specifying Specific Pinpoint API version level
  Enable Login Confirmation
    When to use Login Confirmation
    Enabling Login Confirmation
    Login Confirmation Advanced topics
  Trusteer Recommendation Types and Reuse (Advanced)
  AAC Policy Decision Cache
  Returning Custom Content
    Optional: Upload static content to be returned
    Create an Obligation Definition
    Map Obligation Identifier to Redirect URL
    Optional: Enable internal redirects
    Update and re-publish policy
CONFIGURING ACTION-SPECIFIC RECOMMENDATIONS
  Reverse Proxy: Extract attributes from requests
    Identify Attributes
    Configure Attribute Locations
    Set Attribute Data Type and Category
  AAC: Create custom PIP to format data
    Write JavaScript code
    Create JavaScript PIP
  Testing
ADVANCED FUNCTIONALITY
  Verify Access Proxies Snippet Traffic
    Import certificates for the Reverse Proxy
    Reverse Proxy: Connect Pinpoint snippet server
    Support IP address change for snippet service
    Allow unauthenticated access
    Validation
    Forward Client IP address
  Alternative CSID handling
    Verify Access is using built-in Reverse Proxy login form
    Verify Access is using a custom EAI authentication method
    Verify Access owns the CSID
    Application owns the CSID
  Alternative PUID handling
    Verify Access is using Basic Users
    Verify Access is using External Users
    Application owns PUID
  Providing a User ID
  Dynamic Snippet ID
  Override default dynamic data attribute names
TROUBLESHOOTING
  Advanced Access Control Logging
    Use the audit options provided by the Trusteer PIP
    Enabling Trace
    Viewing Trace
  Common Issues and Solutions
    DPWWA1100W POST request larger than request-body-max-read
    TLS Version Issues
APPENDIX
  AAC: Create Trusteer Attributes
    Create Attribute for Login Recommendation
    Create Attribute for In-Session Recommendation
  Create Action-Specific Recommendation Attributes
  Install Trusteer PIP
    Option 1: Verify Access v10.0.0.0
    Option 2: Access Manager v9.0.7.x (or upgraded system)
NOTICES
TRADEMARKS

Copyright IBM Corporation 2015, 2020. All rights reserved.

Preface

IBM Knowledge Center
The information in this guide is complemented by the documentation available for IBM Security Verify Access on the IBM Knowledge Center EK 10.0.0/

IBM Terminology website
The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at ogy.

Accessibility
Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical Training
For technical training information, see the following IBM Education website at http://www.securitylearningacademy.com/

Support information
IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at http://www.ibm.com/support/home

Statement of Good Security Practices
IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Product name updates
This publication was first established for IBM Security Access Manager. IBM Security Access Manager has since been superseded by IBM Security Verify Access. Similarly, this integration first worked with Trusteer Pinpoint Criminal Detect (“CD”) capabilities which are now part of IBM Security Trusteer Pinpoint Detect.

Wherever figures and graphics in this guide contain or refer to IBM Security Access Manager, the use of IBM Security Verify Access is implied. For any reference to Trusteer Criminal Detect or CD, the use of IBM Security Trusteer Pinpoint Detect is implied.

Introducing the Integration

Introduction
This guide describes the steps that are required to integrate IBM Security Verify Access with IBM Security Trusteer Pinpoint Detect for protecting web applications. It makes use of an IBM-provided extension package published on the IBM Security App Exchange.

Overview
The main purpose of this integration is to combine the risk determinations of IBM Security Trusteer Pinpoint Detect (Pinpoint Detect) with the access enforcement, multi-factor authentication, and session management capabilities of IBM Security Verify Access (Verify Access).

Verify Access has its own basic risk detection capabilities but applications that are sensitive, or subject to increased risk, require the sophisticated capabilities of Pinpoint Detect.

Verify Access can be used to allow a web application to enjoy the accurate risk determinations and security protection of Pinpoint Detect, while reducing (or even removing) the need to modify the web application directly.

Those who implement integration between Verify Access and Pinpoint Detect should consider these points:
- There are many ways in which applications, Verify Access, and Pinpoint Detect can be integrated. This guide describes a recommended and tested initial integration pattern which can form the foundation of a fully customized integration. Your deployment may require variation based on how sessions, user identifiers, and transaction data are handled by your application.
- Pinpoint Detect deployment choices should follow the recommendations of the Trusteer Deployment team in the Trusteer lab. The use of integration between Verify Access and Pinpoint Detect, to allow Verify Access to leverage Pinpoint Detect risk determinations, should not change this.
- Customers who have integrated Verify Access and Pinpoint Detect using other integration patterns (the use of a sub-domain or proxy mode for snippet traffic for example) do not have to migrate. Other integration patterns, based on standard product capabilities, remain supported.
- It is important that both Trusteer and Verify Access SMEs are part of the project, at least initially, to understand the required capabilities and discuss implementation options.

It is assumed that the reader has a reasonable understanding of both Verify Access and Pinpoint Detect.

IBM provides extensive documentation to customers for both products (although Pinpoint Detect documentation is available only to Pinpoint Detect customers). There are many capabilities in Verify Access and Pinpoint Detect which are beyond the scope of this document.

Integration Product Version Information
Functionality documented in this guide is for the following product versions:
- IBM Security Verify Access 10.0.0.0 or above
- IBM Security Access Manager 9.0.7.0 or above
- IBM Security Trusteer Pinpoint Detect versions supporting the Pinpoint V5 API.

Note: Previous versions of this integration supported the Pinpoint Detect V2, V3, and V4 API, but the V5 API response format is different enough that a new PIP version was built to support the V5 API. Any new deployment of Verify Access integration with Pinpoint Detect should use a version of Pinpoint running the Pinpoint V5 API.

Integration Package Download
You should always obtain the latest version of the integration package from IBM Security App Exchange. Here is a short link: https://ibm.biz/isvatrusteer.

Integration Components

Verify Access Reverse Proxy
The Verify Access Reverse Proxy (a web reverse proxy) protects web applications and can be configured to perform the following tasks:
- Retrieve and enforce access decisions - which can be based on risk intelligence returned by the Pinpoint API.
- Optionally, inject client-side JavaScript snippets for Pinpoint Detect into application pages without the need to modify the web application.
- Provide a Permanent User ID (PUID) to Pinpoint for consistent session and user identification.
- Generate a unique Customer Session ID (CSID) for each user session (if necessary).
- Cache access decisions for a limited time to manage periodic re-evaluation.
- Perform internal request redirection to display native web application error or status pages to provide a consistent user experience throughout the application access.

Verify Access Advanced Access Control (Authentication)
The Authentication Service in Verify Access Advanced Access Control (AAC) allows customizable authentication policies to be created. These are used to:
- Create an initial login policy which allows a Customer Session ID (CSID) from Pinpoint to be read via a Callback Handler on the login page.
- Create additional multi-factor authentication policies which are invoked when risk is detected by Trusteer.

Verify Access Advanced Access Control (Authorization)
The context-based access functionality in Verify Access Advanced Access Control (AAC) adds advanced authorization capabilities.

The Verify Access AAC Trusteer Policy Information Point (Trusteer PIP) allows AAC Policies to initiate calls to the Pinpoint API, send session information, and request risk determinations. Once this integration component is configured, Verify Access AAC policies can be written which reference the risk determinations returned by Pinpoint Detect.

The Trusteer PIP supports retrieval of a risk determination at login time or at any point during a session when a sensitive action is being performed (updating contact information for example). The Trusteer PIP also supports requesting a risk determination for application-specific actions such as creating a new account, adding a payee, or triggering a financial transaction. For those Trusteer deployments which use Trusteer Pinpoint login confirmation, the Trusteer PIP supports an option where it will call the Pinpoint login confirmation API after a user completes a 2FA mandated because Trusteer returned a recommendation to authenticate.

In addition to basic function, the PIP and Verify Access Policy can work together to provide:
- Retrieval of values from external sources via HTTP/REST, Database, fixed mapping, etc. for Pinpoint API inputs such as action-specific data when these are not available in the client request.
- Runtime selection of the Pinpoint API Snippet ID for cases where multiple applications are deployed.
- Monitor-only mode where no 2FA access requirement is implemented, however the Pinpoint API is still invoked, creating Pinpoint alerts when Pinpoint API calls detect risks.
- Generation of a Verify Access audit record for each Pinpoint API call which can be forwarded to a remote syslog server, such as IBM QRadar, for further analysis and auditing.

Pinpoint Detect Snippet Service
The Pinpoint Detect Snippet Service hosts the JavaScript snippets that are loaded to the end user's browser and return data to Pinpoint for use in its risk analysis. The Snippet Service is also the destination for the data gathered by the snippets.

In the recommended integration pattern described in this document, access to the Snippet Service is NOT routed via the Verify Access proxy. An alternative deployment (where snippet traffic is proxied via the Verify Access Reverse Proxy) is described under Advanced Configuration.

Pinpoint API
The Pinpoint API is a RESTful API endpoint which clients can call in order to provide information about an active session and/or request a risk determination for a specific activity in the active session.

When Verify Access is integrated with Pinpoint Detect, the Trusteer PIP running in the Verify Access Advanced Access Control component manages all communication with the Pinpoint API.
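The login-time behaviour described above for the Trusteer PIP and AAC policy (a risk determination requested with the CSID and PUID, monitor-only mode, one audit record per API call), modelled as an added example that is not part of the IBM guide or the integration package. Every identifier, the recommendation strings, and the handling of a missing CSID or a failed lookup are assumptions made for illustration; they are not the Pinpoint API's actual values or the PIP's actual behaviour.

```javascript
// Added illustration, not IBM code. All identifiers and the recommendation
// strings ('allow', 'authenticate', 'deny') are hypothetical placeholders.

// Constructed stand-in for the risk service: CSID -> recommendation.
const SAMPLE_RISK = {
  'csid-clean': 'allow',
  'csid-risky': 'authenticate',
  'csid-fraud': 'deny',
};

// Hypothetical lookup; a real deployment would call the Pinpoint API here.
function sampleLookup(csid, puid) {
  if (!Object.prototype.hasOwnProperty.call(SAMPLE_RISK, csid)) {
    throw new Error('unknown session');
  }
  return SAMPLE_RISK[csid];
}

// Models the PIP: sends CSID + PUID, returns the recommendation, and writes
// one audit record per call (failed calls included).
function makePip(lookup, auditLog) {
  return function getRecommendation(csid, puid) {
    let recommendation;
    try {
      recommendation = lookup(csid, puid);
    } catch (err) {
      recommendation = 'error';
    }
    auditLog.push({ csid, puid, recommendation });
    return recommendation;
  };
}

// Models the AAC policy evaluated after primary authentication.
// Returns 'permit', 'deny' or 'stepup' (additional authentication required).
function evaluateLoginPolicy(credential, pip, options = {}) {
  const { monitorOnly = false, mfaCompleted = false } = options;
  const { csid, puid } = credential;

  // Assumption: a credential without a CSID (the login-page callback never
  // fired) cannot be risk-scored, so it is treated as needing step-up.
  if (!csid || !puid) {
    return (monitorOnly || mfaCompleted) ? 'permit' : 'stepup';
  }

  // The PIP is called even in monitor-only mode, so audit records exist
  // although the result is not enforced.
  const recommendation = pip(csid, puid);
  if (monitorOnly) return 'permit';

  switch (recommendation) {
    case 'allow':
      return 'permit';
    case 'deny':
      return 'deny';
    default:
      // 'authenticate', 'error' or anything unrecognised: never permit
      // without a completed second factor.
      return mfaCompleted ? 'permit' : 'stepup';
  }
}

// Demo over the constructed sessions ('csid-missing' is unknown to the stub).
const demoAudit = [];
const demoPip = makePip(sampleLookup, demoAudit);
for (const csid of ['csid-clean', 'csid-risky', 'csid-fraud', 'csid-missing']) {
  console.log(csid, '->', evaluateLoginPolicy({ csid, puid: 'user-1001' }, demoPip));
}
console.log('audit records:', demoAudit.length);
```

The design choice worth noting is the default branch: a lookup failure or an unrecognised recommendation is routed to step-up rather than permit, so an outage of the risk service does not silently remove the control.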

Component Interaction
The following diagram shows the integration between the user’s client device, Verify Access, Pinpoint Detect and the web application protected by Verify Access:

Figure 1: Trusteer Pinpoint Detect – Verify Access communication flow

1. The user accesses public resources within a protected application. The traffic is proxied via the Verify Access Reverse Proxy.
2. The user attempts to access a protected resource within the protected application. Verify Access returns its login page. This has the login page snippet embedded and also a callback handler to receive a session ID (CSID) from Pinpoint.
3. The snippet code is executed in the browser. The snippet loads detection and collection JavaScript. These requests are made directly to the Pinpoint snippet servers.
4. The Pinpoint JavaScript code collects data and sends it to the Pinpoint snippet servers.
5. When the callback handler receives the CSID from Pinpoint, it adds the CSID to a hidden input in the login page.
6. The user submits authentication data to Verify Access. Authentication validation is completed in Verify Access. The CSID is populated to the user's Verify Access credential along with a Permanent User ID (PUID) associated with the user's account.
7. A Verify Access AAC policy is invoked which refers to the Pinpoint login recommendation. The Trusteer PIP is called to provide this recommendation and it calls out to the Pinpoint API to obtain a risk determination. The call includes the CSID and PUID.
8. The Pinpoint API looks up the session using the CSID and associates the provided PUID with the session. It returns a risk determination which includes a recommendation. This recommendation is returned to the AAC Policy Engine.
9. Verify Access AAC Policy is evaluated. The Policy may permit access, deny access, or trigger additional (multi-factor) authentication. If additional authentication is required, this must be performed before the policy will grant access.
10. Once the policy grants access, Verify Access requests the user-requested protected page from the protected web application.
11. The web application returns the requested page response.
12. Verify Access forwards
