Level 27, 101 Collins Street
Melbourne, VIC 3000 Australia
Tel: +61 3 9653 9634
Fax: +61 3 9653 9644
www.fmtworldwide.com
FMT Octopus - Frequently Asked Questions
FMT Octopus is a high performance rules and decisioning engine designed as a middleware plug-in, a universal appliance or a stand-alone server.
Using a patented pre-processing filter, FMT Octopus can examine all requests coming to or from your web or application server. Based on this information, FMT Octopus can perform a variety of actions including (but not limited to) restricting user access, changing the content delivered to a user on the fly, redirecting to another page, logging details into a database, examining requests for malicious code and denying access, sending SMS or email alerts, checking the physical location of a user and comparing historical access data.
The possibilities are virtually endless – you are limited only by your imagination. Some example functions are listed below.
Challenge: The benefits associated with end-user device identification for fraud management and marketing analysis are well documented. Companies want to deploy this technology without long change request delays and application repackaging and testing.
Solution: FMT Octopus readily accesses detailed data on each user, including information that identifies repeat users from the same device. It requires no end-user registrations, downloads or installations. In addition, it enables third-party solution providers to implement their own scripts and device tagging applications without requiring changes to application code. This all translates into drastically reduced deployment time and IT resources required.
Challenge: Online businesses want to introduce risk-based authentication into their applications without modifying the products via code changes.
Solution: FMT Octopus™ prevents fraud by challenging users with additional authentication when they perform high-risk transactions. If a customer performs specified activities (such as paying a large percentage of an account balance to a third-party beneficiary), FMT Octopus challenges the user's action in real time using a built-in two-factor authentication option (SMS, email, mobile phone, etc.). Alternatively, it can redirect to an organisation's existing two-factor methods.
Challenge: E-commerce organisations require valuable information about the location of their online customers to make effective decisions in real time.
Solution: FMT Octopus™ enables e-businesses to determine from which countries their online customers are logging in. The software interoperates with geo location information vendors to determine which cities and countries users are located in. Using this information, FMT Octopus can customise user experiences to enhance marketing, prevent fraud and ensure trade restriction compliance.
Challenge: E-businesses must constantly verify information through third-party providers. Implementing the services must be quick, and accessing their data sources must be efficient, to mitigate risks and comply with regulatory requirements.
Solution: FMT Octopus™ easily integrates third-party data services, such as credit bureau, geo location and marketing data look-ups, as well as other data verification services. Its vendor-neutral integration platform significantly improves implementation timeframes and provides a single interface to connect, control and manage strategies for external data sources. Out of the box the solution also delivers a wealth of additional capabilities and has the advantage of application layer data visibility to give organisations a competitive advantage that differentiates them in the marketplace.
Challenge: Many websites are vulnerable to attacks such as SQL injection, XPath injections and XSS (cross-site scripting).
Solution: FMT Octopus can detect when commands used for website attacks are likely to have been inserted into a browser request. This allows organisations to build up an instant defence capability and respond by logging the perpetrator's details and/or denying the request access to an application.
Challenge: Many Web applications are vulnerable to cross-site request forgeries. These attacks allow fraudsters to maliciously execute transactions in place of legitimate online users simply by having real users visit a specially crafted website. The request against the vulnerable site comes from a real user's browser, which forwards any current session cookies correctly.
Solution: FMT Octopus can automatically and dynamically insert a second session identifier into all application pages and check this identifier whenever data is posted. This approach makes it impossible for the malicious site to determine the correct structure of a request.
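The second-identifier check described above, sketched as an added example (this is not FMT Octopus code): a filter binds a token to the session with an HMAC, writes it into every POST form on the way out, and refuses posts that do not carry it. The field name `_csrf`, the function names and the in-memory key are assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: a secret held only by the filter, never sent to the browser.
FILTER_KEY = secrets.token_bytes(32)
FIELD = "_csrf"  # hypothetical hidden-field name

# Opening <form> tags whose method is POST (case-insensitive).
_POST_FORM = re.compile(
    r"<form\b[^>]*\bmethod\s*=\s*[\"']?post\b[^>]*>", re.IGNORECASE)


def token_for(session_id: str) -> str:
    """Second identifier tied to one session; not derivable without FILTER_KEY."""
    return hmac.new(FILTER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def inject_token(html: str, session_id: str) -> str:
    """Response side: add the hidden field right after each POST <form> tag."""
    hidden = f'<input type="hidden" name="{FIELD}" value="{token_for(session_id)}">'
    return _POST_FORM.sub(lambda m: m.group(0) + hidden, html)


def check_post(session_id: str, form: dict) -> bool:
    """Request side: accept posted data only if it carries this session's token."""
    supplied = form.get(FIELD, "")
    # Constant-time comparison so timing does not reveal partial matches.
    return hmac.compare_digest(supplied.encode(), token_for(session_id).encode())


# Constructed sample page: one state-changing form, one harmless search form.
SAMPLE_PAGE = (
    '<form action="/transfer" method="post"><input name="amount"></form>'
    '<form action="/search" method="get"><input name="q"></form>'
)

if __name__ == "__main__":
    page = inject_token(SAMPLE_PAGE, "sess-A")
    print(page)
    # Post from the real page: cookie and token both present.
    print(check_post("sess-A", {"amount": "500", FIELD: token_for("sess-A")}))
    # Cross-site post: the browser forwards the cookie, but the token is missing.
    print(check_post("sess-A", {"amount": "500"}))
```

A token lifted from a different session fails the same check, because the HMAC input is the session identifier.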
Challenge: E-businesses require intelligence on customers mining their sites for data or conducting automated attacks.
Solution: FMT Octopus™ enables organisations to detect automated attempts to access a website. By timing how long users spend filling in forms, and by checking if they come in from the same IP addresses repeatedly without transacting, FMT Octopus determines if competitors or fraudsters are orchestrating automated attacks or attempting to mine a website for data.
Challenge: E-commerce organisations require intelligence relating to several users coming in from a single browser or IP address to prevent criminal activities.
Solution: FMT Octopus™ tracks many users coming in from a single location to help determine if identity theft has occurred. By knowing that one browser or IP address has been used to access a number of different accounts, organisations receive an early fraud warning. FMT Octopus also proves effective when the same device is used to access accounts where billing addresses are different.
Challenge: E-businesses must track one user coming in from many locations to prevent identity sharing.
Solution: FMT Octopus™ easily determines if several users are sharing the same password to access website information. Websites dependent on subscriptions can limit the number of locations accessing each account within a specified timeframe to prevent identity sharing.
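The two tracking rules above (many accounts from one location, and one account from many locations) are the same sliding-window count with the roles of account and address swapped. The following is an added example, not FMT Octopus code; the event fields, the window lengths and the limit of 3 are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def fan_out(events, key, value, window, limit):
    """Map each `key` to the largest number of distinct `value`s seen inside
    any sliding `window`, keeping only the keys that exceed `limit`."""
    recent = defaultdict(deque)   # key -> (time, value) pairs still inside the window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent[ev[key]]
        q.append((ev["time"], ev[value]))
        while ev["time"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = len({v for _, v in q})
        if distinct > limit:
            flagged[ev[key]] = max(distinct, flagged.get(ev[key], 0))
    return flagged


def _ev(day, hhmm, account, ip):
    h, m = map(int, hhmm.split(":"))
    return {"time": datetime(2010, 3, day, h, m), "account": account, "ip": ip}


# Constructed login events; addresses come from the RFC 5737 documentation ranges.
EVENTS = [
    # One address working through four accounts in ten minutes.
    _ev(1, "09:00", "alice", "203.0.113.7"),
    _ev(1, "09:03", "bob", "203.0.113.7"),
    _ev(1, "09:06", "carol", "203.0.113.7"),
    _ev(1, "09:10", "dave", "203.0.113.7"),
    # One account used from four addresses in a single afternoon.
    _ev(1, "13:00", "erin", "198.51.100.1"),
    _ev(1, "14:00", "erin", "198.51.100.2"),
    _ev(1, "15:00", "erin", "198.51.100.3"),
    _ev(1, "16:00", "erin", "198.51.100.4"),
    # An ordinary user: same account, same address.
    _ev(1, "10:00", "frank", "192.0.2.10"),
    _ev(1, "18:00", "frank", "192.0.2.10"),
    # Four addresses for one account, but 36 hours apart: outside a 24-hour window.
    _ev(2, "08:00", "gina", "192.0.2.21"),
    _ev(3, "20:00", "gina", "192.0.2.22"),
    _ev(5, "08:00", "gina", "192.0.2.23"),
    _ev(6, "20:00", "gina", "192.0.2.24"),
]

if __name__ == "__main__":
    # Many users, one location: early warning of account takeover.
    print(fan_out(EVENTS, "ip", "account", timedelta(hours=1), limit=3))
    # One user, many locations: likely credential sharing.
    print(fan_out(EVENTS, "account", "ip", timedelta(hours=24), limit=3))
```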
Challenge: Businesses conducting online commerce want to contact customers when specific events take place as a security measure.
Solution: FMT Octopus™ can add alerting features to existing applications based on preset criteria. This allows businesses to email or SMS customers when predetermined activities occur for early detection of fraudulent transactions and higher recovery levels from stolen funds.
Challenge: E-commerce organisations want to be alerted to a wide variety of activities to maximise revenue opportunities and minimise risks.
Solution: FMT Octopus™ automatically generates alerts when specified events take place within an application. Myriad alerts - such as when a customer buys a particular product or conducts a high-value transaction - can be instituted via both SMS and email.
Challenge: E-commerce organisations require dynamic advertising capability to increase revenue from customised content.
Solution: FMT Octopus™ enables businesses to alter application outputs and add content of their choice after analysing customers' past buying patterns. For example, this functionality can be used with an organisation's own targeted advertising rules or to send seasonal messages to users as they access a website.
Challenge: Online organisations need to access and maintain blacklists and whitelists for a wide variety of uses, including payment and delivery of products and services and to ensure legitimacy and compliance with legislative requirements.
Solution: FMT Octopus™ works with a wide variety of lists (e.g., OFAC Specially Designated Nationals, Politically Exposed Persons, Banned Company Owners) prior to transaction completion. Its rapid and powerful search capabilities are followed by a probability score that takes into account variables such as nicknames and known aliases. It also enables organisations to maintain blacklists and whitelists for IP addresses, account features, user names, etc., for alternative uses.
Challenge: Businesses conducting Internet commerce require an ability to store and access historical customer behaviour to help mitigate fraud.
Solution: FMT Octopus™ keeps a history of users' past behaviour to detect unusual patterns. For example, it determines a customer's preference for browser type, application features, shipping address, etc. With repeat website users, this information is used to detect anomalous activity and prevent fraud before it occurs.
Challenge: Online organisations must constantly detect and prevent new e-channel threats as they emerge.
Solution: With FMT Octopus™, businesses can access all e-channel data including browser type, device ID, posted data, language packs and IP address. Using this data directly or forwarding it to third-party analytics products enables organisations to identify and thwart today's and tomorrow's threats.
Challenge: Many e-businesses are buried in fraud analyst caseloads. They require additional means to detect fraud before a case management system is accessed or suspicious transactions conclude.
Solution: FMT Octopus™ moves some fraud detection rules to the front of an application to stop a session, implement a second-factor authentication or send an alert before a case management system triggers. It also provides significantly more data to these back-end systems, allowing for cases to be created with additional precision and diminishing false positive ratios. Caseload queues are significantly reduced and fraud detection and funds recovery are improved.
Challenge: Businesses must measure key performance data for a variety of reasons. Doing this quickly and effectively is the dilemma.
Solution: In addition to measuring individual page response times, FMT Octopus™ highlights performance issues and details submitted data that cause unfavourable situations to occur. In addition, it gives developers tools to locate troublesome application code and provides the root-cause data triggering each specific problem. Database administrators and software developers can use this information to optimise and improve application performance.
Challenge: Many applications are purchased as a packaged solution. Modifications are required, but businesses do not want to directly alter the product or implement code changes.
Solution: FMT Octopus™ can disable or add features to pre-packaged Web products by wrapping around an application. For example, an organisation may wish to add or remove links or perform additional validation. FMT Octopus easily handles customisation without touching the application's code.
Challenge: During testing, e-businesses are often unable to see all of the information moving between customer browsers and applications. Hidden fields may inadvertently be posted back and forth, resulting in security issues and impacting network and application performance.
Solution: FMT Octopus™ inspects all data travelling between browsers and applications during testing - not just the information an application developer selects from the data stream. It quickly and easily exposes all information during testing to help ensure an application complies with security, privacy and performance requirements.
Challenge: Organisations conducting e-commerce require data about their customers' log in details to help foil fraudulent activities. Quickly and easily capturing this information to stop transactions before they conclude is mandatory.
Solution: FMT Octopus™ uses land speed rules and identifies IP addresses to prevent fraud. With triangulation rules that calculate theoretical land speed between two locations over time, organisations can determine if a website user is moving faster than physically possible to detect a likely fraud scenario.
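A land speed rule of the kind described above, as an added example (not FMT Octopus code): the great-circle distance between two geolocated logins divided by the time between them, compared with a ceiling. The 1000 km/h ceiling, the 100 km floor that absorbs geo-IP error, and the record layout are assumptions.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_KMH = 1000.0   # assumption: a little above airliner cruising speed
MIN_KM = 100.0     # assumption: hops shorter than this are geo-IP noise


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(min(1.0, a)))


def distance_km(prev, curr):
    return haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])


def land_speed_kmh(prev, curr):
    """Speed the user would need to get from the previous login to this one."""
    dist = distance_km(prev, curr)
    hours = abs((curr["time"] - prev["time"]).total_seconds()) / 3600
    if hours == 0:
        # Simultaneous logins from two places need infinite speed.
        return math.inf if dist > 0 else 0.0
    return dist / hours


def violates_land_speed(prev, curr, max_kmh=MAX_KMH, min_km=MIN_KM):
    """True when the move is both far enough to trust and too fast to be real."""
    if distance_km(prev, curr) < min_km:
        return False
    return land_speed_kmh(prev, curr) > max_kmh


def _login(hour, minute, second, lat, lon):
    return {"time": datetime(2010, 3, 1, hour, minute, second, tzinfo=timezone.utc),
            "lat": lat, "lon": lon}


# Constructed logins for one account (coordinates are city centres).
MELBOURNE = _login(9, 0, 0, -37.8136, 144.9631)
LONDON_2H_LATER = _login(11, 0, 0, 51.5074, -0.1278)
SYDNEY_90MIN_LATER = _login(10, 30, 0, -33.8688, 151.2093)
MELBOURNE_SUBURB_5S_LATER = _login(9, 0, 5, -37.8500, 144.9900)

if __name__ == "__main__":
    for name, nxt in [("London", LONDON_2H_LATER), ("Sydney", SYDNEY_90MIN_LATER),
                      ("suburb", MELBOURNE_SUBURB_5S_LATER)]:
        print(name, round(land_speed_kmh(MELBOURNE, nxt)),
              violates_land_speed(MELBOURNE, nxt))
```

The floor matters in practice: the suburb hop computes to several thousand km/h purely because two nearby geo-IP fixes arrived seconds apart.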
Challenge: Online organisations must access information in real time to reduce fraud and prevent espionage.
Solution: FMT Octopus™ improves security and stops espionage by checking incoming IP addresses against known compromised servers. It performs reverse Domain Name System (DNS) lookups with lists of compromised servers. This helps combat fraud and prevent botnet-driven access to a website.
Challenge: E-commerce organisations constantly battle to capture and access information.
Solution: FMT Octopus'™ database access rules can export information to a database for later use or analysis. These exports are fully user defined and can be easily altered and extended.
Challenge: Determining the likelihood of risk is a challenge all e-businesses face. Allowing legitimate transactions to complete while stopping fraudulent activities is the tightrope they walk.
Solution: FMT Octopus™ implements an unlimited number of risk scorecards that can be evaluated throughout the life of a session. It also monitors subsequent access to the same account to effectively determine the risk profile of each customer.
Challenge: Customising the look and feel of a website to affect users' experiences can help increase customer acquisition, retention and loyalty. How can organisations do this with otherwise static applications?
Solution: FMT Octopus™ can automatically change branding elements affecting a static application. This can be driven dynamically from data captured in real time, allowing businesses to alter the look and feel of applications not designed for this purpose.
Challenge: Businesses must write rules based on massive amounts of data. Trolling through mounds of information to constantly make sub-second intelligent decisions is a challenge. Speed and precision in deployment of rules across a variety of data sources and formats is key.
Solution: FMT Octopus is easy to configure and instantly delivers a fully extendable rules engine. Rules are graphically configured as decision trees and can be tested on an integrated test server. Fully version controlled, the solution can accept input from a large number of data sources and formats (including HTTP, SOAP, XML, CSV and mainframe dumps) to make smarter, real-time contextual decisions.
FMT Octopus has been designed to be very high performance and extremely scalable. Recent testing at an IBM innovation centre showed that FMT Octopus could process 8.4 million transactions per hour. The ruleset tested included database lookups and insertion, regular expressions, math functions, conditional statements and third party data access.
FMT Worldwide insist on a stress test in your specific environment to ensure that hardware, networks, databases and rulesets are configured to produce the least possible impact on your customers.
No, all organizations with an online presence will benefit significantly from FMT Octopus, including those in the financial services, airlines, telecommunications, insurance, retail, manufacturing, government and others.
FMT Octopus is very competitively priced, but pricing will depend on your specific business needs, environment and components required.
Request a quote today.
Because FMT Octopus must be integrated into your web server, you should have a good technical background and thorough knowledge of your web server and operating system. Installation and initial setup is typically performed by developers and/or system administrators.
It typically takes a couple of hours to install and set up.
Any operating system with JDK 1.4 or greater installed. This includes Microsoft Windows (2000, 2003, 2008, XP, Vista), Mac OS 10+, Linux including RedHat, Ubuntu, Suse and Fedora, IBM i5/OS, zOS, AIX, and Sun Solaris.
Yes. All you need to do is install the Universal Appliance version of FMT Octopus as a proxy server.
Visit the Technical Information page to see which version is correct for your environment.
Yes, you just need to install the Universal Appliance on a machine you have access to and that is exposed to the internet.
Yes, absolutely, FMT Octopus works well in a distributed environment. You will achieve the best results with a load balancer with session affinity, but shared sessions also work.
FMT Octopus can use any JDBC 2.0 compliant database. You simply need the driver. JDBC 2.0 compliant databases include (but are not limited to) DB2, Oracle, MySQL, PostgreSQL, Jetty, Ingres, Informix and others.
If you are installing the J2EE or JSR168 version, then you must restart your web server as you are modifying the web application specification. You are not required to restart your web server if you are running the Universal Appliance.
Contact us to request a copy of the demo server.
Because FMT Octopus will be integrated into your web server, you should have a good technical background and thorough knowledge of your web server and operating system. Installation and initial setup is typically performed by developers and/or system administrators.
No, though having an understanding of what HTTP sessions, requests and responses are, along with an understanding of basic programming concepts such as variables, loops and conditions, will help immensely.
The best way to familiarize yourself with FMT Octopus is to read the following documents; all are available with the demo server.
1. "How to Show" guide. This guide can be found in the demonstration folder after installing the demo server.
2. "How to Try" guide. This guide is available from the download page where you downloaded the demo server.
3. "Product Reference" guide. This is the full product reference available from the root folder after installing the demo server. It is also available on the home page of the administration console after you log in. Refer to the Installation and Configuration chapter.
The demo server runs on port 80, which means you must shut down any other applications using this port. This includes some versions of Skype and any web servers.
If you are using Windows, you may have IIS installed which may interfere with running the demo server. To turn off IIS, go to your Control Panel -> Administrative Tools and open Internet Information Services. Navigate to the Default Website, and click the "Stop" button. Turning off IIS will not affect you unless you are running a web server, which you will not be able to access during the evaluation of the demo server. When you have finished with the demo server, you can turn IIS on again by following the above instructions and clicking the "Start" button.
It is likely that you are using a proxy server to browse the internet. You will not be able to access the console through the proxy server.
You will need to turn off the proxy server for internal addresses:
To turn off the proxy server in Internet Explorer: Select Tools -> Internet Options -> Connections -> LAN Settings and then tick "Bypass proxy server for local addresses". If your computer is on a VPN, you will need to select that VPN from the list and do the same.
To turn off the proxy server in Firefox: Select Tools -> Options (for a Mac, choose Firefox -> Preferences) -> Advanced -> Network, then click the "Settings" button. Click the "No Proxy" checkbox, or click "Manual proxy configuration" and ensure that "localhost" is in the "No proxy for" textbox.
Note: Evaluating the demo server against your own application requires some technical knowledge to install and integrate. If you are non-technical and do not fully understand the instructions in the "How to Try" guide, please contact a technical staff member within your organization to help you.
If you are running a J2EE application, you can easily evaluate the demo server against your own application. All you need to do is copy the rules engine JAR file and configuration file, create a HOME directory for FMT Octopus, set some relevant properties, edit your web.xml file and restart your application. Full instructions are provided in the "How to Try" guide provided with the demo server. If you are running a non-J2EE application, you will need to download the Universal Appliance demo version. To do this, you will require two Windows PCs: one to install the appliance on, the other to access the console and test the application. Full instructions are given in the "How to Try" guide.
Yes, but you will need the Universal Appliance version of the demo server. You will require two Windows PCs to evaluate the appliance. Full instructions are available in the "How to try" guide.
Typically a three day certification course provides a thorough understanding of the product.
No, though having an understanding of what HTTP sessions, requests and responses are, along with an understanding of basic programming concepts such as variables, loops and conditions, will help immensely. If you need to connect to a database, knowing how to do this along with an understanding of basic SQL will also help. Topics such as these will be covered in the three day certification course.
Analytics is not provided in the core functionality.
If your existing database is JDBC 2.0 compliant, then yes. You simply need to ensure that your database is accessible by Octopus and the driver is installed.
Absolutely. FMT Octopus provides a test server for you to evaluate your rules before deployment.
There is an in-built tracer that allows you to capture performance information.
No, FMT Octopus is typically installed to fail open. However, this setting is configurable.
There are two ways that FMT Octopus can be used in a Web Services environment. It can operate as an inline filter, just as it would for a normal HTTP request intercept.
Alternatively, it can be configured to act as a Web Service itself by installing a SOAP servlet and placing the filter in front of it. This servlet will always provide a valid SOAP response regardless of the input provided to it.
Yes. Contact us for more information if you require this functionality.
Yes. The Product Reference Guide has detailed information and documentation on building your own extensions with Java.
No; however, if you have any databases on the console server used by FMT Octopus, the computer must be on and the databases running.
The rules are pushed out as XML files, alongside the extensions and any data files, as a proprietary deployment process. You can enable encryption, which will provide a secure link between the console and rules engine.
More information is provided in your Product Reference Guide.
No, you do not need to restart your web application server after deploying new rules.
Yes, though this is not frequently done as FMT Octopus is typically used to perform real-time decisions.
The best method of integration depends very much on your specific environment, as the three FMT Octopus rules engine deployment options cover a multitude of data sources and architectures. Examples include the ability to interact with application session data, the ability to create session data, access to all incoming and outgoing HTTP request information, full support for preprocessing XML data as used by SOA, Web Service and AJAX-based applications, import/export of data in numerous formats including CSV, XML and XLS, and data processing for non-web-based applications.
A network firewall is a very different tool from FMT Octopus, which acts as a Web Application Firewall.
While traditional firewalls prevent access to forbidden network services, they don't block access selectively based on the content of data received. A web application firewall actually examines the content for suspicious or malicious code after it has passed through your firewall and can either clean the data before allowing it to progress, or deny access to your application. Because FMT Octopus is positioned in such a way that it can see all request data before it is received by your server, it can easily examine it for malicious code and deny access or clean the request data before it arrives at your application.
IBM Tivoli Security Management is a large framework dealing with identity and access management, data and information security, and physical security.
FMT Octopus does not perform these functions; however, it adds an extra layer on top of existing security policies to further enhance and control web applications. Security is not an issue to be complacent about – using FMT Octopus in conjunction with Tivoli Security Management is recommended.
Rational AppScan is a product designed to allow developers to scan their code for web application vulnerabilities.
FMT Octopus does not scan developers' code, but accesses request information in real time and checks for malicious content. If malicious content is discovered, you may choose to prevent the request from reaching the application, or clean the content before allowing the request to progress. So the application would not be exposed to these vulnerabilities, and security policies can be put in place outside your code base.
© 2010 FMT Worldwide Pty Ltd. All rights reserved.

