ObserveIt - User Activity Monitoring Software

Published on December 15, 2011

Author: ObserveIt_Amy

Source: authorstream.com

ObserveIT: User Activity Monitoring. Your Name, YourEmail@observeit.com, November 2011

Our Vision: ObserveIT delivers innovative solutions that solve complex IT challenges in a surprisingly simple manner.

ObserveIT - Software that acts like a security camera on your servers!: Video recording of all user activity. Analysis of video to generate text audit logs (even for apps that have no internal logging!).

400+ Enterprise Customers: Key Industries: Financial; Telecommunications; IT Services; Retail / Service; Utilities / Public Services; Gaming; Healthcare / Pharma; Manufacturing.

Business challenges that ObserveIT solves: Remote Vendor Monitoring; Compliance & Security Accountability; Root Cause Analysis & Documentation.

An Analogy: Bank Branch Office and Bank Computer Servers. They both hold money. They both have Access Control. The branch also has security cameras. The servers do not.

Companies invest a lot in controlling user access. But once users gain access… …there is little knowledge of who they are and what they do!

“If there is one positive note, it’s that discovery through log analysis has dwindled down towards 0%, so things are only looking up from here.”
“Less than 1% of data breaches are discovered via log analysis.”

Check out Event Viewer on your computer: Can you ‘discover’ what you just did 5 minutes ago? Don’t blame your log analysis tools for not finding something that you yourself can’t find (even with a head-start)! Thousands of log entries… …lots of arcane technical details… …But nothing actually shows what the user did!

I don’t have a log analysis problem….
I’ve got a SIEM. The picture isn’t quite as rosy as you think.

SIEM Tools have Blindspots (But don’t blame your SIEM!!!): What logs do these apps produce?
Desktop Apps: Firefox / Chrome / IE; MS Excel / Word; Outlook; Skype.
Remote / Virtualization: Remote Desktop; VMware vSphere.
Text Editors: vi; Notepad.
Admin Tools: Registry Editor; SQL Manager / Toad; Network Config.
All these apps either don’t have any logs -OR- only have technical debug logs. Blindspots are NOT an inherent problem in SIEM... …They are caused by what we feed the SIEM.

Wouldn’t you rather be shown this? Hey! The user clicked this checkbox!!!

Our intuitive approach: [Diagram, today vs. with ObserveIT. Labels: Corporate Server; Alex the Admin (IT Admin) logs on as ‘Administrator’; Sam the Security Officer: WHO is doing WHAT on our servers???; Video Session Recording: Video Capture, Shared-user Identification, Video Analysis; Audit Report Database: list of apps, files, URLs accessed; Named User, Video, Text Log; ‘Admin’ = Alex; Alex, Play!, App1, App2; Cool!]

Our intuitive approach: [Diagram repeated, with added labels: Every Protocol!; Patent-pending video storage: Low-footprint]

System Logs are like Fingerprints: Both are valid… Both are important… …But the video log goes right to the point! They show the results/outcome of what took place. They show exactly what took place!
User Audit Logs are like Video Recordings

Live Demo: Demo Links:
Powerpoint demo: Click here to show
Live hosted demo: http://demo.observeit.com
Internal demo: http://184.106.234.181:4884/ObserveIT
YouTube demos:
English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1
Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1
Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1
French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1

User Activity Monitoring: In Windows: This ‘diary’ will list every user session, per server or per user. Every session that took place, identified with user name, server, client etc. Why was this user editing the ‘hosts’ file??? Just click the replay icon to view what happened! Clear indication of every app the user ran, and each window or action. Audit coverage includes: Cloud-based apps; System utilities; Legacy Software. Video Replay of everything the user did, starting at this exact point in time.

User Activity Monitoring: In Linux: What is this script that the user ran??? Clear indication: ‘Brad’ ran a script called ‘innocentscript’. This script includes a system call ‘rm -rf’. That rm command deleted 2 files: ‘samplefile’ and ‘anotherfile’. Audit log metadata shows underlying system calls. Video Replay of TTY I/O.

Intuitive identification of user + Policy messaging: User is identified and informed of policies.
Only now can s/he actually use the server. User logs on as generic “administrator”. Policy and status updates to each user exactly when they log in ensure that policy standards are explicitly acknowledged. Demand-Response of named user account credentials prior to granting access to system.

End-user monitoring:
Application recording policies: Determine what apps to record (include/exclude rules per app, per user, and per machine).
Double-password privacy safeguards prevent spying: Two passwords: One for Management. Second for union rep or legal counsel.

Business challenges & Customer use-cases:
Remote / 3rd-Party Vendor Auditing: Impact human behavior; Transparent SLA and billing; Eliminate ‘Finger pointing’.
Compliance & Security Accountability: Reduce compliance costs; Eliminate audit blindspots; Satisfy PCI, HIPAA, SOX, ISO.
Root Cause Analysis & Documentation: Immediate root cause determination; Documenting best-practices and corporate processes.

3rd Party Vendor Auditing:
Instant Accountability! Know exactly what 3rd party vendors are doing.
Impact human behavior: Do you speed when you know there are radar cameras?
Transparent SLA and Billing Validation: No doubts about what was done and for how long.
No more ‘Finger pointing’: Quickly find and fix problems.
3rd-Party Vendor Monitoring

Turnkey solution for auditing remote users: Route 3rd party users; Video audit of every action; Policy & Support Ticket Messaging; Impacting human behavior; SLA clarity.

ObserveIT Compliance Coverage (Compliance Requirement / ObserveIT Solution):
Assign unique ID to each person with computer access (ex: PCI Requirement 8) / ObserveIT Secondary Identification
Track all access to network resources and sensitive data (ex: PCI Requirement 10) / ObserveIT Session Recording
Maintain policies that address information security (ex: PCI Requirement 12) / ObserveIT Policy Messaging
Compliance Accountability

Reducing the costs of PCI-DSS Compliance: Upfront and on-going:
Generating logs: Provides coverage for apps that don’t have internal logs.
Log Completeness: Ensures that ALL actions are captured in apps that already are being audited. No need to perform costly follow-on audit for every feature. Many application logs are technical in nature, but don’t truly show what the user did.
Gap Management: Allows immediate deployment for new app modules. Without Session Recording, deployment is often delayed months or years until a new audit can validate application deltas.

Objection: PCI is already covered:
ObserveIT reduces costs (drastically!)
Remove PCI controls that are redundant, piece-meal and single-issue focused. ObserveIT gives blanket coverage.
Very fast investigation to answer audit questions: Save human resource costs and decrease time for audit resolution.
Get straight to the highest-value evidence: Does a crime scene investigator ask for surveillance video footage or will he start with fingerprint analysis? System logs are like fingerprints (showing secondary evidence of the results of what took place). ObserveIT is like a surveillance camera (showing actual replay of exactly what took place). You must use both, but the security cameras truly tell the story, and should be the first line of investigation.
Auditors want exactly what culprit users wouldn’t want! If you were hacking, would you like a camera on your PC? (Definitely not!) And what about Event Viewer logs? (Well, ideally no, but it’s not that big a deal…) There are NO blindspots with the camera. Event Viewer doesn't really tell you what you did.

Dr. Anton Chuvakin, Gartner Analyst and world-renowned PCI expert:
“While getting compliant is easier than staying in compliance, even that initial assessment often takes months of work and thousands of dollars in products and services, as well as internal policy changes. Legacy applications as well as newer virtual and even cloud based applications, falling under PCI mandate, present additional challenges. The right solution for 'cracking the nut' where logging and monitoring are next to impossible is in making your own logs where none exist or making better logs where logs are inadequate. Technologies such as ObserveIT make it possible.”
Source: Observe PCI DSS: How to Audit Application Activity When Logs Don’t Help, Dr. Anton Chuvakin, 2011

ObserveIT: PCI Compliance Mapping (PCI Requirement / What ObserveIT Provides):

PCI Requirement 10.1: Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
What ObserveIT Provides: Prior to enabling a user to initialize a session, ObserveIT can present a demand-response secondary credential dialog, thus preventing generic privileged userid login. ObserveIT records all human activity on monitored servers, both visually as well as with a textual metadata log. Any user action can be replayed to see exactly what occurred, who did it, and what resources were accessed and affected.

PCI Requirement 10.2: Implement automated audit trails for all system components to reconstruct the following events: 10.2.2 All actions taken by any individual with root or administrative privileges; 10.2.3 Access to all audit trails; 10.2.7 Creation and deletion of system-level objects.
What ObserveIT Provides: ObserveIT constantly monitors and records all user activity, including applications launched, UI interaction, system configuration, registry changes or any other user-initiated action, from login to logoff. ObserveIT records at the OS level and is agnostic to connection protocol. All access to ObserveIT logs themselves is also audited and recorded.

PCI Requirement 10.3: Record … audit trail entries for all system components for each event.
What ObserveIT Provides: By capturing a visual recording of every user action, a full audit trail is established for every system component modification or access.

PCI Requirement 10.4: Use time-synch technology.
What ObserveIT Provides: ObserveIT records a timestamp for every screenshot within the user session and each associated metadata log entry. This allows for 100% correlation between the replayed sessions and the presented metadata.
Requirement 10: Track and monitor all access to network resources and cardholder data

ObserveIT: PCI Compliance Mapping (PCI Requirement / What ObserveIT Provides), Requirement 10 (Continued):

PCI Requirement 10.5: Secure audit trails so they cannot be altered.
What ObserveIT Provides: ObserveIT stores screenshots and metadata as individual records in a SQL database. Any corporate database security protocols are automatically inherited. All DB records are protected by digital signature, and cannot be altered or deleted. Access to records is allowed only by the users that are defined as administrators. View-only administrator access is also possible, allowing for further secure auditing.

PCI Requirement 10.6: Review logs for all system components at least daily.
What ObserveIT Provides: ObserveIT’s built-in compliance reports and customizable reports can be scheduled for automatic delivery on any time frame. Event activity can also be captured by any network management tool for system alerting based on user activity.

PCI Requirement 10.7: Retain audit trail history for at least one year.
What ObserveIT Provides: ObserveIT's recorded sessions, attached metadata, and audit records are stored in a central and protected SQL database, where they are retained indefinitely.

ObserveIT: PCI Compliance Mapping (PCI Requirement / What ObserveIT Provides):

PCI Requirement 12.5: Assign to an individual or team the following information security management responsibilities:
What ObserveIT Provides: ObserveIT enables policy messaging, in which the user receives a message when initiating a login. Users must authorize that they have received and read the message.
12.5.1 Establish, document and distribute security policies and procedures
12.5.5 Monitor and control all access to data
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures

PCI Requirement 12.8: If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.
What ObserveIT Provides: All ObserveIT auditing features as specified in the above table are also applied to any remote service provider.

Requirement 12: Maintain a policy that addresses information security

ObserveIT: PCI Compliance Mapping (PCI Requirement / What ObserveIT Provides):

Requirement 6: Develop and maintain secure systems and applications
PCI Requirement 6.3: Secure authentication, logging.
What ObserveIT Provides: ObserveIT is a secure platform, with all data storage maintained in an SQL server that inherits all corporate security policies. All data is encrypted and digitally signed, and secure policy rules prevent any access to view or modify log data.

Requirement 8: Assign unique ID to each person with computer access (In conjunction with CA-PUPM)
PCI Requirements: 8.1 Assign unique ID before giving access; 8.2 Tie passwords to id; 8.4 Secure password during transmission.
What ObserveIT Provides: ObserveIT Identification Services requires that any privileged user access be accompanied with specific named-user login.

But I like my SIEM tool! So do we!
ObserveIT Video and Logs in CA UARM

ObserveIT Video and Logs in Splunk

Deployment Scenario Options

Standard Agent-Based Deployment: [Diagram labels: Remote Users; Internet; RDP, SSH, ICA; Local Login; Desktop; ObserveIT Agents; User Session Audit Data; ObserveIT Management Server; Database Server; Metadata Logs & Video Capture]

Gateway Deployment (Agent-less): Agent is deployed on gateway only. Records all sessions routed via that gateway. [Diagram labels: Remote Users; Internet; RDP; VPN; Terminal Server or Citrix Server with ObserveIT Agent; Published Apps; PuTTY; Corporate Servers (no agent installed); Corporate Desktops (no agent installed); User Session Audit Data; ObserveIT Management Server; Database Server; Metadata Logs & Video Capture]

Hybrid Deployment: Gateway agent audits all users routed via the gateway (no matter what target network resource). Additional agent deployment on sensitive production servers for more depth of coverage. [Diagram labels: Remote and local users; Internet; RDP; VPN; Terminal Server or Citrix Server with ObserveIT Agent; Any Corporate Server (no agent installed); Corporate Desktops (no agent installed); Sensitive production servers (agent installed); Direct login (not via gateway); ObserveIT Agent; User Session Audit Data; ObserveIT Management Server; Database Server; Metadata Logs & Video Capture]

Deployment Scenario Comparison (Deployment Option / Pros / Cons):
Gateway. Pros: Fast deployment on central gateway. Covers all access to every network resource for sessions that are routed via this gateway. Cons: Doesn’t record any users with direct access to server (via local console login, or via direct RDP/SSH/etc.
window). Amount of textual metadata captured is less than for full agent deployment (ex: Agent on gateway does not see filename opened within RDP window).
Full Deployment. Pros: Agnostic to access method: Captures direct users as well as remote access users. Agnostic to application type: Captures all VMware, shared apps, etc. Full detailed metadata capture, including lower level OS info (window titles, system calls, etc.). Cons: Agent-based monitor on each server.
Hybrid. Pros: Best of both worlds. Captures every action for users routed via gateway, no matter what network resource is accessed. For sensitive resources, agent deployment provides even tighter audit control, with more log metadata plus coverage for every access method (direct + gateway-routed).

System Architecture

ObserveIT Architecture: [Diagram labels: ObserveIT Agents; AD; Network Mgmt; ObserveIT Web Console; Local Login; Desktop; ObserveIT Management Server; Database Server; SIEM; BI; Remote Users; RDP, SSH, ICA; Metadata Logs & Video Capture; User Session Audit Data]

ObserveIT Architecture: Management Server: ASP.NET application in IIS. Collects all data delivered by the Agents. Analyzes and categorizes data, and sends to DB Server. Communicates with Agents for config updates.

ObserveIT Architecture: Agent: Installed on each monitored server. Agent becomes active only when user session starts. Data capture is triggered by user activity (mouse movement, text typing, etc.).
No recording takes place while user is idle. Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption. Offline mode buffers recorded info (customizable buffer size). Watchdog mechanism prevents tampering.

ObserveIT Architecture: How the Windows Agent Works: User logon wakes up the Agent. User action triggers Agent capture. Real-time Screen Capture and Metadata Capture (URL, Window Title, etc.): synchronized capture via Active Process of OS. Captured metadata & image packaged and sent to Mgmt Server for storage.

ObserveIT Architecture: How the Linux/Unix Agent Works: User logon wakes up the Agent. TTY CLI activity triggers Agent capture. Real-time CLI I/O Capture and Metadata Capture (System Calls, Resources Affected, etc.): user-mode executable that is bound to every secure shell or telnet session. Captured metadata & I/O packaged and sent to Mgmt Server for storage.

ObserveIT Architecture: Web Console: ASP.NET application in IIS. Primary interface for video replay and reporting. Also used for configuration and admin tasks. Web console includes granular policy rules for limiting access to sensitive data.

ObserveIT Architecture: Database Server: Microsoft SQL Server database. Stores all config data, metadata and screenshots. All connections via standard TCP port 1433.
ObserveIT Architecture: SIEM/BI Integration: Text metadata logs for all apps (including those with no internal logs) can be accessed by any SIEM collector. BI systems can analyze and correlate based on specific user action. Video replay of each action is correlated to the textual logs, giving more detailed evidence of activity.

ObserveIT Architecture: System Integration: AD integration for user validation and user group policy management. Network Mgmt integration for system alerts and updates based on user activity.

Key Features: What makes ObserveIT great

Generate logs for every app (Even those with no internal logging!!): WHAT DID THE USER DO?
A human-understandable list of every user action. Cloud-based app: Salesforce.com. System utilities: GPO, Notepad. Legacy software: financial package.

Video analysis generates intelligent text metadata for Searching and Navigation: ObserveIT captures: User; Server; Date; App Launched; Files opened; URLs; Window titles; Underlying system calls. Launch video replay at the precise location of interest.

Recording Everything: Complete Coverage: Agnostic to network protocol and client application. Remote sessions and also local console sessions. Windows, Unix, Linux. [Screenshot labels: Telnet; Unix/Linux Console; Windows Console (Ctrl-Alt-Del)]

Logs tied to Video recording: Windows sessions: [Screenshot labels: Audit Log; Replay Window]
PLAYBACK NAVIGATION: Move quickly between apps that the user ran.
CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity.
USER SESSION REPLAY: Bulletproof forensics for security investigation.

Logs tied to Video recording: Unix/Linux sessions: [Screenshot labels: Audit Log; Replay Window] List of each user command. Exact video playback of screen.

Privileged/Shared User Identification: User logs on as generic “administrator”. ObserveIT requires named user account credentials prior to granting access to system. Active Directory used for authentication. Each session audit is now tagged with an actual name: Login userid: administrator. Actual user: Daniel.

Policy Messaging: NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.
Send policy and status updates to each user exactly when they log in to server. Capture optional user feedback or ticket # for detailed issue tracking. Ensure that policy standards are understood and explicitly acknowledged.

Real-time Playback: On-air icon launches real-time playback. View session activity “live", while users are still active.

Report Automation: Pre-built and custom compliance reports: Design report according to precise requirements: Content Inclusion, Data Filtering, Sorting and Grouping. Canned compliance audits and build-your-own investigation reports. Schedule reports to run automatically for email delivery in HTML, XML and Excel.

Double-password privacy assurance: Complies with employee privacy mandates: Two passwords: One for Management. Second for union rep or legal counsel. Textual audit logs to be accessed by compliance officers for security audits, but video replay requires employee council authorization (both passwords).

System Monitor Integration: Instant-replay from within your network management environment: Microsoft SCOM, CA, IBM Tivoli, HP OpenView. Real-time alerts: On file access/deletion, Network share, Registry edit, RDP open connection, URL access etc.
[Screenshot labels: ObserveIT alert in CA; ObserveIT alert in MS SCOM] Click on alert to see ObserveIT video playback. Trigger automatic email alert delivery.

API Interface: Start, stop, pause and resume recorded sessions based on custom events based on process IDs, process names or web URLs. Control ObserveIT Agent via scripting and custom DLLs within your corporate applications.

Robust Security:
Agent ↔ Server communication: AES Encryption - Rijndael; Token exchange; SSL protocol (optional); IPSec tunnel (optional).
Database storage: Digital signatures on captured sessions; Standard SQL database inherits your enterprise data security practices.
Watchdog mechanism: Restarts the Agent if the process is ended; If watchdog process itself is stopped, Agent triggers watchdog restart; Email alert sent on any watchdog/agent tampering.

Recording Policy Rules: Granular include/exclude policy rules per server, user/user group or application to determine recording policy. Determine what apps to record, whether to record metadata, and specify stealth-mode per user.

Pervasive User Permissions:
Granular permissions / access control: Define rules for each user; Specify which sessions the user may playback.
Permission-based filtering affects all content access: Reports; Searching; Video playback; Metadata browsing.
Tight Active-Directory integration: Manage permissions groups in your native AD repository.
Access to ObserveIT Web Console is also audited: ObserveIT audits itself; Satisfies regulatory compliance requirements.

Customer Success stories

HIPAA Compliance Auditing:
Industry: Medical Equipment Manufacturer. Solution: Compliance Report Automation (HIPAA). Company: Toshiba Medical Systems.
Business Environment: Medical imaging products (MRI, CT, US, X-Ray) deployed at hospitals and medical centers worldwide. Customer support process requires remote session access to deployed systems.
Challenge: Strict HIPAA compliance regulations must be enforced and demonstrable. In addition, SLA commitments require visibility of service times and durations.
Solution: ObserveIT deployed in a Gateway architecture. All access routed via agent-monitored Citrix gateway. Actual systems being accessed remain agent-less. Toshiba achieved 24x7 SLA reports, including granular incident summaries. Automatic generation of HIPAA regulatory documentation led to reduced compliance costs and improved customer (hospital) satisfaction.

PCI Compliance at a Market Transaction Clearinghouse:
Industry: Financial Services. Solution: Compliance Report Automation (PCI).
Business Environment: A major clearinghouse must provide concrete PCI documentation.
Challenge: Each audit report cycle was a major effort of log collection. Audits were often judged incomplete when exact cause of system change was unidentified.
Solution: Since deploying ObserveIT, audit reporting has become fully automated. Zero audit rejects have occurred.

Remote Vendor Monitoring at Coca-Cola:
Business Environment: Bottling and production line software for geographically diverse sites. Centralized ERP platform for sales, fulfillment and compensation. Many platforms supported by 3rd Party solution providers.
Challenge: Ensure 100% accountability for any system access violation. Eliminate downtime errors caused by inappropriate login usage. Increase security of domain admin environment.
Solution: ObserveIT deployed on all systems that are accessed via RDP by remote vendors. IT admins also monitored on sensitive domain admin servers. As a result, Coca-Cola saw a significant decrease in system availability issues caused by improper user actions.
Moti Landes, IT Infrastructure Manager and IT Div. CISO, Coca-Cola: “As soon as vendors discovered that all actions are being recorded, it became much easier to manage them.”
Industry: Food & Beverage Manufacturing. Solution: Remote Vendor Monitoring. Company: Coca-Cola.

Medical Systems Remote Auditing:
Industry: Medical Equipment Manufacturer. Solution: Remote Vendor Auditing. Company: Siemens Medical Instruments.
Business Environment: Corporate servers host business applications for both internal and customer-facing solutions. Servers are managed and accessed by various privileged user staff members. Access is also open to multiple external vendor contractors.
Challenge: Before ObserveIT, there was no practical way to log user activities on these servers.
Solution: ObserveIT provides accountability of all internal and outsource vendor admins. Reporting and searching is used to focus on critical issues. Fast deployment ensured quick and painless uptime: “All we needed to do was to install a small agent on the servers to be monitored and the recording starts immediately, without even requiring any configuration and settings”
Robert Ng, Siemens: “Not only was ObserveIT able to record every single user session on the servers, the recordings are also fully indexed, allowing me to zoom in on areas of interest.”
Customer Audits and ISO 27001 at BELLIN Treasury:
Industry: Financial Software Services. Solution: Compliance Auditing. Company: Bellin Treasury.
Business Environment: Hosted treasury software solutions deployed in 7 data centers worldwide for over 6,000 customers. System support and development teams must access servers via RDP. Customers demand precise audit validation on-demand.
Challenge: Proactively provide customers with evidence of bulletproof audit trail process. Satisfy the regulatory mandates of each of the customer environments worldwide.
Solution: ObserveIT deployed on all production servers worldwide. One-time setup and hands-free operations keeps maintenance costs down. Customer satisfaction increased significantly. Solution submitted as central part of ISO 27001 certification process.
Rick Beecroft, Area Manager, Americas and Pacific Rim, BELLIN Treasury: “We enjoy showing off to our customers that every user action is recorded. This increases confidence all around.”

Remote Vendor Monitoring at LeumiCard:
Challenge: Operations and maintenance require system access by various privileged internal users via RDP. Corporate control reports require documentation of exactly what takes place on each production server, and to be able to explain why the action was necessary.
Solution: Shared-account (administrator) users must provide secondary named-user credentials from Active Directory. User must acknowledge that s/he is aware that s/he is logging into a production server. Video recording captures a video replay of each user session. Daily email control reports are delivered automatically to each manager, according to area of responsibility. Each of these managers can then replay sessions that relate to their systems.
Ofer Ben Artzy, Manager of Infrastructure Systems: This has dramatically decreased the number of user sessions on production machines.
Users are more likely to find an alternative way to do their job via secondary test servers, which means a reduced number of entries in my daily control reports. “ ” Industry: Financial Services Solution: Remote Vendor Monitoring Company: LeumiCard Business Environment LeumiCard’s highly-secured data center runs on several platforms, all with sensitive mission-critical applications. 72 ISO 27001 Compliance for Remote User Audits: ISO 27001 Compliance for Remote User Audits Business Environment Large government and corporate customers demand ISO compliance Mission-critical ERP platform managed by an external service provider Corporate philosophy focuses on “safety, certainty and high standards” Challenge Solution Compliance requirements call for monitoring and logging the activities of all external users who access the network ObserveIT was deployed on corporate servers and TS machines Combination of visual screenshots plus full indexing of text is used for easy searching Secure logging of all access to the system by remote connection Fast access to the logs during the examination of each incident Przemysław Jasiński IT Department Manager , Elektrotim Implementation has been dictated to prevent problems with third parties having access to our IT system. 
“ ” Industry: Utilities / Construction Solution: Compliance Report Automation (ISO 27001) Company: Elektrotim 73 Remote Admin User Monitoring: Business Environment Challenge Solution Remote Admin User Monitoring Control access to system resources, including shared privileges between two merged corporate entities during period of merger Achieve common system management and visibility 2008: ObserveIT deployed to monitor and audit server activity during corporate merger 2009: Successful visibility results from merger activity lead to system-wide deployment Payment transaction platform distributed across Europe Supporting 60,000 ATM machines Clearing 90,000,000 transactions per day Industry: Financial Services Solution: Remote Vendor Monitoring Company: VocaLink 74 Privileged User Auditing: Privileged User Auditing Business Environment Web-based system connects families with a range of health, social service and other federal and state support programs Deployed and managed on 93 servers and 91 workstations across 3 geographically separated data centers Challenge Solution The Center is dedicated to providing usability, ease of access and responsiveness, without compromising any aspects of data security or compliance. Given the sensitivity of personal health records data and the internal and government regulations regarding data access compliance, The Center sought to augment its security with an auditing solution that would detail all data and server access Peace-of-mind from knowing exactly what developers and admins are doing Immediate fulfillment of compliance usage reports Faster response time to system faults Vinay Singh IT Operations Manager This is critical for keeping our servers up and running, and also to answer management’s needs to demonstrate compliance. “ ” Industry: Healthcare IT Solution: Privileged User Auditing Company: Center to Promote HealthCare Access We still need to document every server access by IT Admins and internal staff developers. 
“ ” 75 Reducing Errors Caused by 3rd Party Vendors: Reducing Errors Caused by 3rd Party Vendors Isaac Milshtein Director, IT Operations, Pelephone Since we deployed ObserveIT, users are much more careful with their server activity. Knowing that your actions can be replayed has a remarkable effect. “ ” Industry: Telecommunications Solution: Root-Cause Analysis + Vendor Monitor Company: Pelephone Business Environment Challenge Solution 1200-server IT environment in 3 hosting centers Business applications (Billing, CRM, etc.) and Customer-facing applications (Revenue generating mobile services) Maintain QoS with multiple 3rd party apps Track activities of privileged vendor access ObserveIT initially deployed on 5 internal business app servers, and resolves high-visibility outage on mission-critical app: Identified improper actions by outsource vendor. ObserveIT next is deployed on entire IT platform ObserveIT integrated into CA environment Multiple customer-facing outages solved Positive ROI via elimination of revenue losses from service outages Vendor billing decreased once they realized they were being recorded 76 Managed Services Monitoring at an IT Services Firm: Managed Services Monitoring at an IT Services Firm Business Environment Challenge Solution IT support vendor provides system management services for over 40 major Global 1000 clients Each customer has different connection protocol requirements (some via VNC, some via RDP, some via Citrix, etc.) After deploying ObserveIT on an outgoing gateway, all sessions on customer servers are recorded Since deployment, there have been fewer accusations from customers regarding system problems For the few issues that were raised, the vendor immediately provided recordings that proved that all actions were proper Industry: IT Services Solution: Managed Services Monitoring 77 Thank You!: Thank You! Employee Privacy Policy in Europe: Employee Privacy Policy in Europe How ObserveIT complies Balancing Employee Privacy vs. 
Audit Compliancy: Balancing Employee Privacy vs. Audit Compliancy Privacy Requirements Compliancy Requirements DPD 95/46/EC (EU) Human Rights Act  (UK) BDSG (Germany) CNIL (France) PCI-DSS ISO 27001 SOX FSA Separation of personal communications Secure Storage & Limited Access User Consent User Accountability Wide scope of activity logging 80 ObserveIT is fully compliant with privacy law: ObserveIT is fully compliant with privacy law Double-passwords ensure both audit completeness and employee privacy Management holds one password, employee council / union holds the second password Granular deployment allows textual audit logs to be accessed by compliance officers (without the second password), but video replay requires employee council authorization (both passwords) Policy Rules eliminate monitoring for private communications Include/Exclude granularity to capture only what is necessary for compliancy User policy messaging and consent validation Users indicate awareness of monitoring activity each time they log on to a monitored server 81 PowerPoint Presentation: 82 For more information...: For more information... See our Whitepaper on Employee Privacy issues: http://observeit-sys.com/Support/Whitepapers?req=privacy 83
