ObserveIT: User Activity Monitoring
Mark Kreymer, firstname.lastname@example.org
June, 2013

ObserveIT - Software that acts like a security camera on your servers!
• Video camera: Recordings of all user activity
• Summary of key actions: Alerts for problematic activity
700+ Enterprise Customers
Manufacturing, Healthcare / Pharma, Telco & Media, Financial, Utilities / Logistics / Energy, Government, Retail / Service, Gaming, IT Services / Technology
Worldwide Presence
UK: UK Payments Administration Ltd, BlackRock, QinetiQ, Vocalink UK, Friends Provident, Hyperion Insurance Group, LCH.Clearnet Ltd., BSkyB, Sky Network Service, Xtrakter Ltd, Opal Telecom Ltd, Talk Talk Technology (Carphone CPWN), BNP Paribas Real Estate Advisory (UK), VTB Capital plc, Baillie Gifford & Co., Heritage Group LTD
France: CG61, S2IH, BOUYGUES TELECOM, Societe Generale, Groupama Asset Management (GAM)
Germany: Sanofi Aventis, HSH Nordbank, Boehringer Ingelheim GmbH, AGRAVIS Raiffeisen AG, Deutsche Telekom AG
Norway: VTS
Estonia: Estonian Security Police Board
Poland: Podkarpacki Oddział Wojewódzki Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie, Elektrotim S.A., Inteligo Financial Services S.A.
Switzerland: BCN, Bank Vontobel AG, Schweizerische Bundesbahnen (SBB) Swiss Federal Railway, ZKB, Corner Banca SA, Banca del Sempione, Banca Euromobiliare Suisse, BancaStato
Luxembourg: TELINDUS Luxembourg
Spain: Banco Espirito Santo S.A., CECA (Confederación Española de Cajas de Ahorros), BBVA, Caja Madrid
Czech Republic: GE Money Bank
Hungary: Wizz Air
Greece: hol
Liechtenstein: LGT Financial Services
Croatia: T-Mobile Croatia, OTP
Cyprus: SEM Ltd
Slovenia: Zavarovalnica Triglav d.d., Raiffeisen banka d.d.
Italy: Vodafone (Italy), ELECTRONIC'S TIME SRL, Allianz SPA, ING Lease Italia S.p.A., UBI Banca Sistemi & Servizi, Xerox s.p.a.
Slovakia: Tatra Banka a.s.
Canada: Bell Canada, Quebec Loto, Bellin Treasury Services Ltd., Toronto Hydro, Transat A.T. Inc., Atlantic Lottery Corporation (ALC)
South Korea: Samsung Networks Korea, Yonsei Hospital, GS Caltex, Defense Acquisition Program Administration
Japan: Mitsubishi Information
USA: Trend Micro Inc., Shumway Capital Partners, LLC, Spoken Communications, University Health Systems of Eastern Carolina, Casino Arizona, CDW, Dimension Data Americas (USA), CSX Technology, PGE - Portland General Electric, Cisco (Webex), St. Jude Medical, UPS, Disney, IBM, Newegg, Spring Branch Independent School District, Sony, British Petroleum (BP), SUNY Downstate, Washington University, Western Governors University, Kroll Ontrack, BNP Paribas, StrataCare, LLC., Societe Generale (USA), MFS Investment Management, Fort McDowell Enterprises, CHARLES SCHWAB & CO, Aastra, Cost Plus World Market (CPWM)
China: Ministry of Education, China Construction Bank, China Mobile Group Guangdong Co., Shinsei Bank, Tesco China, China Foreign Exchange Trade System National Interbank Funding Center, The Hong Kong Jockey Club, DMX
Taiwan: Taiwan Railways Administration, MOTC, Taiwan Accreditation Foundation (TAF), Taiwan Mobile
Trinidad & Tobago: PETROTRIN
Turkey: Turkcell, ANADOLU SIGORTA, Vakifbank, Yasar Factoring, T.C. Ziraat Bankası
Bolivia: Telecel S.A. TIGO
Chile: Nexus
Argentina: Nuevo Banco del Chaco S.A.
India: HDFC Bank Ltd., iYogi, HCL, Wipro
Angola: Banco Nacional de Angola
Israel: Excellence Nessua, Yes, Leumi Bank, Harel Insurance, Hapoalim Bank, Ayalon Insurance, Pelephone, Comverse, Zim, Clal Insurance, Bezeq, Visa, Coca Cola, Orange, First International Bank, Bank Discount, Ministry of Interior
Qatar: QFC Regulatory Authority, Court of the Crown Prince (CPC), Financial Centre Authority
Chad: MIC Chad, Ltd. TIGO
Philippines: Asian Development Bank
South Africa: Derivco (PTY) Ltd., Ubank, MultiChoice Africa (Pty) Ltd., Clicks Group Ltd., Truworths, South Africa
United Arab Emirates: First Gulf Bank, Metito Overseas Ltd., AHI Carrier Fzc
Singapore: BT Frontline, Siemens Medical, Singapore Post, Singapura Finance, UOB, Shimano
Australia: Woodside Energy Ltd, Australian Stock Exchange, Netstar Logicalis
Tanzania: MIC Tanzania, Ltd. TIGO
Business challenges that ObserveIT addresses
Remote Vendor Monitoring | Compliance & Security | Accountability | Root Cause Analysis & Documentation
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘finger pointing’
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO
• Immediate root-cause answers
• Document best practices
An Analogy: Bank Branch Office vs. Bank Computer Servers
• They both hold money…
• …They both have Access Control…
• …Here (the branch office) they also have security cameras… …Here (the servers), they don’t!
Companies invest in access control, but once users gain access there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials)
Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT)
Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!)
“I don’t have this problem. I’ve got log analysis!”
“The picture isn’t quite as rosy as you think.”
Can you tell what happened here?
Wouldn’t it be easier with a ‘Replay Video’ button? Video Replay shows exactly what happened.
And many commonly used apps don’t even have their own logs!
Desktop Apps: Firefox / Chrome / IE, MS Excel / Word, Outlook, Skype
Admin Tools: Registry Editor, SQL Manager, Toad, Network Config
Text Editors: vi, Notepad
Remote & Virtual: Remote Desktop, VMware vSphere
System Logs are like Fingerprints: they show the results/outcome of what took place.
User Audit Logs are like Surveillance Recordings: they show exactly what took place!
“Both are valid… …But the video log goes right to the point!”
Our Solution with ObserveIT’s 3 key features
TODAY: “WHO is doing WHAT on our network???” With ObserveIT (Sam the Security Officer): “Cool! Now I know.”
1: Video Capture - video session recording of the IT admin’s session on a corporate server or desktop
2: Video Content Analysis - list of apps, files, URLs accessed (e.g. App1, App2)
3: Shared-user Identification - a user who logs on as ‘Administrator’ is identified as ‘Admin’ = Alex (Alex the Admin)
Results flow to Audit Reporting (user, video, text log, with Play!) and to the DB & SIEM Log Collector.
Demo Links:
Live hosted demo: http://demo.observeit.com
YouTube demos:
• English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
• Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
Live Demo
Standard Agent-based Deployment
Remote users (ICA, SSH, RDP) and local logins reach the monitored machines; the Agents send metadata logs & video capture to the Management Server, which stores them on the Database Server; the Web Console is the front end; integration points: AD, SIEM, Network Mgmt, BI, Desktop.

ObserveIT Agents
• Agent installed on each monitored machine
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering

ObserveIT Web Console
• Administrators access the ObserveIT audit
• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data

Database Server (Data Storage)
• Microsoft SQL Server database (or optional file-system storage)
• Stores all config data, metadata and screenshots
• All connections via standard TCP port 1433

ObserveIT Management Server
• Mgmt Server receives session data from Agents
• ASP.NET application in IIS
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB Server
• Communicates with Agents for config updates

Open API and Data Integration
• Standards-based
• Simple integration
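To make the agent behaviour on this slide concrete, here is an added illustrative model (not ObserveIT’s code): capture is session-scoped, triggered by user input and paused while the user is idle, and records wait in a bounded offline buffer that is flushed in order to the management server once it is reachable. The idle timeout value, the drop-when-full policy and the server modelled as a callable are assumptions.

```python
from collections import deque

IDLE_TIMEOUT = 60.0  # seconds without input after which capture pauses (assumed value)


class Agent:
    def __init__(self, buffer_size):
        self.buffer_size, self.buffer = buffer_size, deque()  # 'customizable buffer size'
        self.session_open, self.last_activity = False, None

    def logon(self, t):
        self.session_open, self.last_activity = True, t  # agent activates with the session

    def on_input(self, t, kind, detail):
        if not self.session_open:
            return False
        self.last_activity = t  # mouse/keyboard input is the capture trigger and resets idle
        return self._capture(t, kind, detail)

    def on_screen_change(self, t, title):
        """A screen repaint without input is recorded only while the user is not idle."""
        if not self.session_open or t - self.last_activity > IDLE_TIMEOUT:
            return False
        return self._capture(t, "screen", title)

    def _capture(self, t, kind, detail):
        if len(self.buffer) >= self.buffer_size:
            return False  # assumed policy: new records are dropped while the buffer is full
        self.buffer.append({"t": t, "kind": kind, "detail": detail})
        return True

    def flush(self, server_accepts):
        """Deliver in order; stop and keep the rest once the server (a callable) refuses one."""
        sent = []
        while self.buffer and server_accepts(self.buffer[0]):
            sent.append(self.buffer.popleft())
        return sent


def run_demo():
    a, r = Agent(buffer_size=3), {}  # constructed session, not real captured data
    a.logon(0)
    r["typed"] = a.on_input(1, "key", "vi config.txt")
    r["idle_screen"] = a.on_screen_change(200, "saver")  # 199 s idle: not captured
    a.on_input(201, "mouse", "click")
    a.on_screen_change(202, "Terminal")  # user active again: captured
    r["overflow"] = a.on_input(203, "key", "x")  # buffer of 3 is full
    a.flush(lambda rec: False)  # management server unreachable: records stay buffered
    r["kept_offline"] = len(a.buffer)
    r["delivered"] = [x["detail"] for x in a.flush(lambda rec: True)]
    return r
```

A real agent would size the buffer so that an outage of the expected length loses nothing, which is why the slide calls the buffer size customizable.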
Gateway Jump-Server Deployment
• Remote and local users connect over the Internet (PuTTY, MSTSC) to an SSH Gateway Server running the ObserveIT Agent
• Corporate servers and corporate desktops behind the gateway have no agent installed
• The gateway’s Agent reports to the ObserveIT Management Server

Hybrid Deployment
• Same gateway setup (PuTTY, MSTSC, SSH Gateway Server with ObserveIT Agent, corporate servers and desktops with no agent installed)
• Sensitive production servers additionally have the agent installed, so direct logins (not via gateway) are also captured
• Everything reports to the ObserveIT Management Server

Gateway Jump-Server Deployment (multi-customer)
• Customer #1, Customer #2 and Customer #3 servers have no agent installed
• Remote and local users reach them over the Internet (PuTTY, MSTSC) through an SSH Gateway Server running the ObserveIT Agent, which reports to the ObserveIT Management Server

Citrix Published Apps Deployment
• Published Apps are hosted on a Citrix Server running the ObserveIT Agent
• Remote access sessions are captured there and reported to the ObserveIT Management Server