DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

67 %
33 %
Information about DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Published on November 13, 2013

Author: AndSor



Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” ( ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.

ObserveIT: User Activity Monitoring Mark Kreymer June, 2013 Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only.

ObserveIT Software that acts like a security camera on your servers!  Video camera: Recordings of all user activity    Summary of key actions: Alerts for problematic activity 2

700+ Enterprise Customers Healthcare / Pharma Financial Telco & Media Manufacturing Retail / Service Utilities / Logistics / Energy IT Services / Technology Government Gaming 3

Worldwide Presence France CG61 S2IH BOUYGUES TELECOM Societe Generale Groupama Asset Management (GAM) Spain Banco Espirito Santo S.A. CECA (Confederación Española de Cajas de Ahorros) BBVA Caja Madrid Canada Bell Canada Quebec Loto Bellin Treasury Services Ltd. Toronto Hydro Transat A.T. Inc. Atlantic Lottery Corporation (ALC) UK Germany Norway Estonia UK Payments Administration Ltd Sanofi Aventis VTS Estonian Security BlackRock HSH Nordbank Police Board QinetiQ Boehringer Ingelheim GmbH Switzerland Vocalink UK AGRAVIS Raiffeisen AG BCN Friends Provident Deutsche Telekom AG Bank Vontobel AG Hyperion Insurance Group Schweizerische Bundesbahnen (SBB) LCH.Clearnet Ltd. Luxemburg Swiss Federal Railway BSkyB Sky Network Service TELINDUS Luxmeburge ZKB Xtrakter Ltd Corner Banca SA Opal Telecom Ltd Banca del Sempione Talk Talk Technology (Carphone CPWN) Liechtenstein Banca Euromobiliare Suisse BNP Paribas Real Estate Advisory (UK) LGT FInancial Services BancaStato VTB Capital plc Baillie Gifford & Co. Italy Heritage Group LTD Vodafone (Italy) ELECTRONIC'S TIME SRL Allianz SPA ING Lease Italia S.p.A. UBI Banca Sistemi&Servizi Xerox s.p.a. Poland Podkarpacki OddziaB Wojewódzkiego Narodowego Funduszu Zdrowia z siedzib w Rzeszowie Elektrotim S.A. Inteligo Financial Services S.A. Czech Republic Hungary Greece GE Money Bank Wiz z Air hol Croatia Slovenia Cyprus T-Mobile Croatia OTP Zavarovalnica Triglav d.d Raiffeisen banka d.d. SEM Ltd Slovakia Tatra Banka a.s. South Korea Japan Mitsubishi Information USA Trend Micro Inc. Shumway Capital Partners, LLC Spoken Communications University Health Systems of Eastern Carolina Casino Arizona CDW Dimension Data Americas (USA) CSX Technology PGE - Portland General Electric Cisco (Webex) St. Jude Medical UPS Disney IBM Newegg Spring Branch Independent School District Sony British Petrolum (BP) SUNY Downstate Washington University Western Governors University Kroll Ontrack BNP Paribas StrataCare, LLC. Societe Generale (USA) MFS Investment Management Fort McDowell Enterprises CHARLES SCHWAB & CO Aastra Cost Plus World Market (CPWM) Samsung Networks Korea Yonsei Hospital GS Caltex Defense Acquisition Program Administration China Taiwan Trinidad & Tobago Bolivia Turkey PETROTRIN Telecel S.A. TIGO Chile Nexus Argentina Nuevo Banco del Chaco S.A. Angola Banco Nacional de Angola Chad MIC Chad, Ltd. TIGO South Africa Derivco (PTY) Ltd. Ubank MultiChoice Africa (Pty) Ltd. Clicks Group Ltd. Truworths, South Africa Tanzania MIC Tanzania, Ltd. TIGO Turkcell ANADOLU SIGORTA Vakifbank Yasar Factoring T.C. Ziraat Bankas1 Israel Qatar Taiwan Railways Administration, MOTC Taiwan Accreditation Foundation (TAF) Taiwan Mobile Ministry of Education China Construction Bank China Mobile Group Guangdong Co. ShinseiBank Tesco China China Foreign Exchange Trade System National Interbank Funding Center The Hong Kong Jockey Club DMX India HDFC Bank Ltd. iYogi HCL Wipro Excellence Nessua QFC Regulatory Authority Yes Court of the Crown Prince (CPC) Leumi Bank Financial Centre Authority Harel Insurance Hapoalim Bank United Arab Emirates Ayalon Insurance First Gulf Bank Australia Pelephone Metito Overseas Ltd. Woodside Energy Ltd Comverse AHI Carrier Fzc Australian Stock Exchange Zim NetstarLogicalis Clal Insurance Bezeq Visa Coca Cola Orange First International Bank Bank Discount Ministry of Interior Philippines Asian Development Bank Singapore BT Frontline Siemens Medical Singapore Post Singapura Finance UOB Shimano 4

Business challenges that ObserveIT addresses Remote Vendor Monitoring • Impact human behavior • Transparent SLA and billing • Eliminate ‘Finger pointing’ Compliance & Security Accountability Root Cause Analysis & Documentation • Reduce compliance costs for GETTING compliant and STAYING compliant • Satisfy PCI, HIPAA, SOX, ISO • Immediate root-cause answers • Document best-practices 5

An Analogy Bank Branch Office Bank Computer Servers Companies invest in access control but once users gain access, there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials) They both hold money… …They both have Access Control… ...Here they also have security cameras… …Here, they don’t! 6

Why? Because system logs are built by DEVELOPERS for DEBUG! Only 1% of data breaches are (and not by SECURITY ADMINS for SECURITY AUDIT) discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) “ “ “ “ I don’t have this problem. I’ve got log analysis! The picture isn’t quite as rosy as you think. 7

Can you tell what happened here? Replay Video Wouldn’t it be easier with a ‘Replay Video’ button? Video Replay shows exactly what happened 8

And many commonly used apps don’t even have their own logs! • DESKTOP APPS DESKTOP APPS • • • • Firefox / Chrome / IE MS Excel / Word Outlook Skype REMOTE & VIRTUAL • Remote Desktop • VMware vSphere ADMIN TOOLS • • • • Registry Editor SQL Manager Toad Network Config TEXT EDITORS • vi • Notepad 9

System Logs are like Fingerprints They show the results/outcome System Logs areof what took place like Fingerprints User Audit Logs are like Surveillance Recordings They show exactly what took place! “ “ Both are valid… …But the video log goes right to the point! 10

Our Solution 1: Video Capture Video Session Recording ‘Admin‘ = Alex Logs on as ‘Administrator’ X X X IT Alex the Admin 2: Video Content Analysis List of apps, files, URLs accessed 3: Shared-user Identification Corporate Server or Desktop WHO is doing WHAT on our network??? Cool! Now I know. Audit Reporting DB & SIEM Log Collector User Alex Video Play! Text Log App1, App2 Sam the Security Officer 11

Demo Links: Live hosted demo: YouTube demos: English: Russian: LIVE DEMO


Standard Agent-based Deployment • • • • Agent installed ObserveIT audit Administrators access on each monitored machine • Agent becomes active only when user session starts • ASP.NET application in IIS • Data Storage Mgmt Data capture is triggered by userand reporting movement, text typing, Server receives video replay activity (mouse • Primary interface forsession data from Agents etc.). No recording takes place while user is idle ASP.NET application in IIS • Microsoft SQL Server database • Also used for configuration and admin tasks • Communicates with Mgmt Server via HTTP on customizable port, with CollectsWeb console includesthe Agents file-system limiting • all data delivered by granular policy rules for storage) (or optonal optional SSL encryption Analyzes and categorizes data,Stores all config data, metadata and screenshots access to sensitive dataand sends to DB Server • recorded info (customizable buffer size) • Offline mode buffers Communicates with Agents for config updates via standard TCP port 1433 • All connections • Watchdog mechanism prevents tampering ObserveIT Agents ObserveIT Web Console ObserveIT Management Server Remote Users Database Server Metadata Logs & Video Capture Local Login Desktop AD Network Mgmt SIEM BI Open API and Data Integration • Standards-based • Simple integration 14

Gateway Jump-Server Deployment Corporate Servers SSH PuTTY (no agent installed) MSTSC Gateway Server Corporate Desktops Internet (no agent installed) ObserveIT Agent Remote and local users Corporate Servers (no agent installed) ObserveIT Management Server 15

Hybrid Deployment Corporate Servers SSH PuTTY (no agent installed) MSTSC Gateway Server Corporate Desktops Internet (no agent installed) ObserveIT Agent Remote and local users Direct login (not via gateway) Sensitive production servers (agent installed) ObserveIT Management Server 16

Gateway Jump-Server Deployment Customer #1 Servers SSH PuTTY (no agent installed) MSTSC Gateway Server Internet Remote and local users Customer #2 Servers (no agent installed) ObserveIT Agent Customer #3 Servers (no agent installed) ObserveIT Management Server 17

Citrix Published Apps Deployment Published Apps Citrix Server Remote Access ObserveIT Agent ObserveIT Management Server 18

Add a comment

Related presentations

Presentación que realice en el Evento Nacional de Gobierno Abierto, realizado los ...

In this presentation we will describe our experience developing with a highly dyna...

Presentation to the LITA Forum 7th November 2014 Albuquerque, NM

Un recorrido por los cambios que nos generará el wearabletech en el futuro

Um paralelo entre as novidades & mercado em Wearable Computing e Tecnologias Assis...

Microsoft finally joins the smartwatch and fitness tracker game by introducing the...

Related pages

Infosecurity Magazine - Information Security & IT Security ...

Infosecurity Magazine is the award winning online magazine dedicated to the strategy, insight and technology of information security
Read more


Advertising Programmes Business Solutions +Google About Google © 2015 - Privacy - Terms ...
Read more

Archive News & Video for Thursday, 21 Nov 2013 |

Site Archive for Thursday, 21 Nov 2013. ... Chemtura to Attend Citi 2013 Basic Materials Conference in New York ... of Training Technologies at I/ITSEC ...
Read more

Irongeek's Information Security site with tutorials, ... Hello everyone. ... These are the videos from Louisville Infosec 2013 conference.
Read more

Simulation optimization

... Proceedings of the 2013 Winter Simulation Conference: ... Everyone attending the Winter ... since it requires concurrent monitoring and ...
Read more