Published on November 13, 2013
ObserveIT: User Activity Monitoring
Mark Kreymer, firstname.lastname@example.org
June, 2013
Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com
ObserveIT: software that acts like a security camera on your servers!
• Video camera: recordings of all user activity
• Summary of key actions: alerts for problematic activity
700+ Enterprise Customers
Healthcare / Pharma • Financial • Telco & Media • Manufacturing • Retail / Service • Utilities / Logistics / Energy • IT Services / Technology • Government • Gaming
Worldwide Presence
France: CG61, S2IH, BOUYGUES TELECOM, Societe Generale, Groupama Asset Management (GAM). Spain: Banco Espirito Santo S.A., CECA (Confederación Española de Cajas de Ahorros), BBVA, Caja Madrid. Canada: Bell Canada, Quebec Loto, Bellin Treasury Services Ltd., Toronto Hydro, Transat A.T. Inc., Atlantic Lottery Corporation (ALC).
UK, Germany, Norway, Estonia, Switzerland, Luxembourg, Liechtenstein, Italy: UK Payments Administration Ltd, Sanofi Aventis, VTS, Estonian Security Police Board, BlackRock, HSH Nordbank, QinetiQ, Boehringer Ingelheim GmbH, Vocalink UK, AGRAVIS Raiffeisen AG, BCN, Friends Provident, Deutsche Telekom AG, Bank Vontobel AG, Hyperion Insurance Group, Schweizerische Bundesbahnen (SBB) / Swiss Federal Railway, LCH.Clearnet Ltd., BSkyB Sky Network Service, TELINDUS Luxembourg, ZKB, Xtrakter Ltd, Corner Banca SA, Opal Telecom Ltd, Banca del Sempione, Talk Talk Technology (Carphone CPWN), Banca Euromobiliare Suisse, BNP Paribas Real Estate Advisory (UK), LGT Financial Services, BancaStato, VTB Capital plc, Baillie Gifford & Co., Heritage Group LTD, Vodafone (Italy), ELECTRONIC'S TIME SRL, Allianz SPA, ING Lease Italia S.p.A., UBI Banca Sistemi&Servizi, Xerox s.p.a.
Poland: Podkarpacki Oddział Wojewódzkiego Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie, Elektrotim S.A., Inteligo Financial Services S.A. Czech Republic, Hungary, Greece, Croatia, Slovenia, Cyprus, Slovakia: GE Money Bank, Wizz Air hol, T-Mobile Croatia, OTP, Zavarovalnica Triglav d.d, Raiffeisen banka d.d., SEM Ltd, Tatra Banka a.s.
South Korea, Japan: Mitsubishi Information, Samsung Networks Korea, Yonsei Hospital, GS Caltex, Defense Acquisition Program Administration.
USA: Trend Micro Inc., Shumway Capital Partners, LLC, Spoken Communications, University Health Systems of Eastern Carolina, Casino Arizona, CDW, Dimension Data Americas (USA), CSX Technology, PGE - Portland General Electric, Cisco (Webex), St. Jude Medical, UPS, Disney, IBM, Newegg, Spring Branch Independent School District, Sony, British Petroleum (BP), SUNY Downstate, Washington University, Western Governors University, Kroll Ontrack, BNP Paribas, StrataCare, LLC., Societe Generale (USA), MFS Investment Management, Fort McDowell Enterprises, CHARLES SCHWAB & CO, Aastra, Cost Plus World Market (CPWM).
China, Taiwan, Trinidad & Tobago, Bolivia, Turkey, Chile, Argentina, Angola, Chad, South Africa, Tanzania: PETROTRIN, Telecel S.A. TIGO, Nexus, Nuevo Banco del Chaco S.A., Banco Nacional de Angola, MIC Chad, Ltd. TIGO, Derivco (PTY) Ltd., Ubank, MultiChoice Africa (Pty) Ltd., Clicks Group Ltd., Truworths, South Africa, MIC Tanzania, Ltd. TIGO, Turkcell, ANADOLU SIGORTA, Vakifbank, Yasar Factoring, T.C. Ziraat Bankası, Taiwan Railways Administration, MOTC, Taiwan Accreditation Foundation (TAF), Taiwan Mobile, Ministry of Education, China Construction Bank, China Mobile Group Guangdong Co., ShinseiBank, Tesco China, China Foreign Exchange Trade System National Interbank Funding Center, The Hong Kong Jockey Club, DMX.
India, Qatar, Israel, United Arab Emirates, Australia, Philippines, Singapore: HDFC Bank Ltd., iYogi, HCL, Wipro, Excellence Nessua, QFC Regulatory Authority, Yes, Court of the Crown Prince (CPC), Leumi Bank, Financial Centre Authority, Harel Insurance, Hapoalim Bank, Ayalon Insurance, First Gulf Bank, Pelephone, Metito Overseas Ltd., Woodside Energy Ltd, Comverse, AHI Carrier Fzc, Australian Stock Exchange, Zim, Netstar, Logicalis, Clal Insurance, Bezeq, Visa, Coca Cola, Orange, First International Bank, Bank Discount, Ministry of Interior, Asian Development Bank, BT Frontline, Siemens Medical, Singapore Post, Singapura Finance, UOB, Shimano.
Business challenges that ObserveIT addresses
Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘finger pointing’
Compliance & Security
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO
Accountability
Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best-practices
An Analogy: Bank Branch Office vs. Bank Computer Servers
They both hold money… …they both have access control… …the branch office also has security cameras… …the servers don’t!
Companies invest in access control, but once users gain access there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials.)
“I don’t have this problem. I’ve got log analysis!”
“The picture isn’t quite as rosy as you think.”
Why? Because system logs are built by DEVELOPERS for DEBUG (and not by SECURITY ADMINS for SECURITY AUDIT)!
Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!)
Can you tell what happened here? Wouldn’t it be easier with a ‘Replay Video’ button? Video replay shows exactly what happened.
And many commonly used apps don’t even have their own logs!
DESKTOP APPS
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype
REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere
ADMIN TOOLS
• Registry Editor
• SQL Manager
• Toad
• Network Config
TEXT EDITORS
• vi
• Notepad
System logs are like fingerprints: they show the results/outcome of what took place.
User audit logs are like surveillance recordings: they show exactly what took place!
“Both are valid… …but the video log goes right to the point!”
Our Solution
Sam the Security Officer: “WHO is doing WHAT on our network???”
1: Video Capture: video session recording of Alex the Admin working on a corporate server or desktop.
2: Video Content Analysis: list of apps, files, URLs accessed (text log: App1, App2).
3: Shared-user Identification: ‘Admin’ = Alex. Alex logs on as ‘Administrator’, and the session is attributed to user Alex.
Audit Reporting: video replay and text log, with a DB & SIEM log collector.
Sam: “Cool! Now I know.”
LIVE DEMO
Demo links:
• Live hosted demo: http://demo.observeit.com
• YouTube demo (English): http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
• YouTube demo (Russian): http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
DEPLOYMENT SCENARIO OPTIONS
Standard Agent-based Deployment
ObserveIT Agents
• Agent installed on each monitored machine
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering
ObserveIT Web Console
• Administrators access ObserveIT audit
• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data
ObserveIT Management Server
• ASP.NET application in IIS
• Mgmt Server receives session data from Agents
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB Server
• Communicates with Agents for config updates
Database Server
• Data Storage
• Microsoft SQL Server database
• Stores all config data, metadata and screenshots (or optional file-system storage)
• All connections via standard TCP port 1433
Diagram labels: Remote Users, Local Login, Desktop, AD, Network Mgmt, SIEM, BI; Metadata Logs & Video Capture
Open API and Data Integration
• Standards-based
• Simple integration
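The deployment above leaves several choices to the customer: SSL on the agent-to-server HTTP channel is optional, the offline buffer is customizable, the watchdog and console policy rules must be switched on, and SQL Server listens on TCP 1433. As an added example (not ObserveIT's code), the script below models a deployment as a plain dict of hypothetical shape and reports the settings a reviewer would reject before go-live, with a weak and a hardened sample side by side. The dict keys, the port values other than 1433 and the sample policy rule are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    component: str  # which box in the deck's deployment diagram
    message: str


def review_deployment(cfg: dict) -> list[Finding]:
    """Return the settings a reviewer would reject, in a stable order."""
    out: list[Finding] = []
    agent, db, console = cfg["agent"], cfg["database"], cfg["web_console"]
    # Agents reach the Management Server over HTTP; the deck makes SSL optional.
    if not agent.get("ssl"):
        out.append(Finding("high", "agent", "agent-to-management-server HTTP without SSL: session video and activity metadata travel in clear text"))
    # Offline mode buffers recordings while the Management Server is unreachable; a zero-size buffer drops them.
    if agent.get("offline_buffer_mb", 0) <= 0:
        out.append(Finding("medium", "agent", "offline buffer disabled: activity during a Management Server outage is never recorded"))
    # The watchdog is what stops a local administrator from killing the agent before acting.
    if not agent.get("watchdog"):
        out.append(Finding("medium", "agent", "watchdog disabled: a privileged user can stop the agent and leave no recording"))
    # The deck shows only the Management Server writing to SQL Server on 1433; the console
    # reading it is an assumption made here. Any wider source (agents, 'any') bypasses the server tier.
    extra = set(db.get("allowed_sources", [])) - {"management_server", "web_console"}
    if extra:
        out.append(Finding("high", "database", f"TCP {db.get('port', 1433)} reachable from {sorted(extra)}: recordings can be read or altered outside the server tier"))
    # Policy rules are the only control over who may replay sensitive sessions.
    if not console.get("policy_rules"):
        out.append(Finding("medium", "web_console", "no policy rules: every console user can replay every recorded session"))
    return out


# Constructed sample deployments (hypothetical shape, not ObserveIT's own configuration format).
WEAK = {
    "agent": {"ssl": False, "offline_buffer_mb": 0, "watchdog": False},
    "database": {"port": 1433, "allowed_sources": ["any"]},
    "web_console": {"policy_rules": []},
}
HARDENED = {
    "agent": {"ssl": True, "offline_buffer_mb": 512, "watchdog": True},
    "database": {"port": 1433, "allowed_sources": ["management_server", "web_console"]},
    "web_console": {"policy_rules": [{"group": "pci-auditors", "servers": "pci-*", "access": "replay"}]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, [f"[{f.severity}] {f.component}: {f.message}" for f in review_deployment(cfg)])
```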
Gateway Jump-Server Deployment
Remote and local users reach a Gateway Server (ObserveIT Agent installed) over the Internet; from the gateway they connect by SSH/PuTTY to Corporate Servers and by MSTSC to Corporate Desktops, none of which have an agent installed. The gateway reports to the ObserveIT Management Server.
Hybrid Deployment
As above, plus sensitive production servers (agent installed) that users log in to directly, not via the gateway. Both the gateway agent and the server agents report to the ObserveIT Management Server.
Gateway Jump-Server Deployment (multi-customer)
Remote and local users connect over the Internet to a Gateway Server (ObserveIT Agent installed) and from there by SSH/PuTTY or MSTSC to Customer #1, Customer #2 and Customer #3 servers (no agent installed). The gateway reports to the ObserveIT Management Server.
Citrix Published Apps Deployment
Remote access users run Published Apps on a Citrix Server with the ObserveIT Agent installed; the agent reports to the ObserveIT Management Server.