Copyright © 2014 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com
ObserveIT: User Activity Monitoring
Your Full Name, [email protected], 2014
ObserveIT: software that acts like a security camera on your servers
• Video camera: recordings of all user activity
• Summary of key actions: alerts for problematic activity
Business challenges that ObserveIT addresses
Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘finger pointing’
Compliance & Security Accountability
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO
Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best practices
An Analogy
A bank branch office and the bank’s computer servers both hold money, and both have access control. The branch office also has security cameras; the servers don’t.
Companies invest in access control, but once users gain access there is little knowledge of who they are and what they do (even though 71% of data breaches involve privileged user credentials).
“I don’t have this problem. I’ve got log analysis!”
“The picture isn’t quite as rosy as you think.”
Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%.)
Why? Because system logs are built by DEVELOPERS for DEBUG, not by SECURITY ADMINS for SECURITY AUDIT.
Wouldn’t it be easier with a ‘Replay Video’ button?
Video replay shows exactly what happened. Can you tell what happened here?
And many commonly used apps don’t even have their own logs!
DESKTOP APPS
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype
ADMIN TOOLS
• Registry Editor
• SQL Manager
• Toad
• Network Config
TEXT EDITORS
• vi
• Notepad
REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere
System logs are like fingerprints: they show the results/outcome of what took place.
User audit logs are like surveillance recordings: they show exactly what took place!
Both are valid… but the video log goes right to the point!
Our Solution: ObserveIT’s 3 key features
Sam the Security Officer: “WHO is doing WHAT on our network???”
Alex the Admin logs on to a corporate server or desktop as ‘Administrator’.
1: Video Capture: the admin’s session is recorded as video.
2: Video Content Analysis: a list of apps, files and URLs accessed is extracted from the recording.
3: Shared-user Identification: the generic login is tied to the real person (‘Admin’ = Alex).
The audit reporting DB and SIEM log collector receive, per user, the video link and the text log (User: Alex; Video: Play!; Text log: App1, App2).
Sam: “Cool! Now I know.”
LIVE DEMO
Demo links:
• PowerPoint demo
• Live hosted demo: http://demo.observeit.com
• Internal demo: http://184.106.234.181:4884/ObserveIT
• YouTube demos:
  English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
  Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1
  Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1
  Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1
  French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1
  Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
Enhance your SIEM with User Activity Monitoring
• View ObserveIT users’ activity in the SIEM
• Direct link to the ObserveIT video URL from the SIEM
• Ability to correlate ObserveIT events with other system events
• Ability to define rules/alerts based on ObserveIT users’ recorded events
Current system log report not clear enough? Then link to the video replay!
Simple & automated correlation rules: timestamp + user + machine → video replay.
Flow: the OS and DB system log report (Event… Event…) and the ObserveIT user log report (Event… Event…) both feed the SIEM platform’s system dashboard, and each correlated event links to the video player.
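The correlation rule the slide names (timestamp + user + machine) is a join between the SIEM’s events and the recorder’s session table, followed by a deep link at the right offset. The following Python is an added example written for this page, not ObserveIT code or its API: the session records, the log events and the replay URL shape are constructed assumptions. It also handles the two cases a practitioner hits first: a still-open session (no end time) and clock drift between the log source and the recorder.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc


@dataclass(frozen=True)
class Session:
    session_id: str
    user: str                 # login account as the OS saw it (may be a shared account)
    machine: str
    start: datetime
    end: Optional[datetime]   # None while the session is still live


# Constructed sample data (not real ObserveIT records): two sessions on db01.
SESSIONS = [
    Session("S-1001", "administrator", "db01",
            datetime(2014, 3, 5, 9, 0, tzinfo=UTC), datetime(2014, 3, 5, 9, 30, tzinfo=UTC)),
    Session("S-1002", "administrator", "db01",
            datetime(2014, 3, 5, 14, 0, tzinfo=UTC), None),
]

# Constructed sample events in a SIEM-normalised shape (timestamp, user, host, message).
EVENTS = [
    {"ts": "2014-03-05T09:12:41Z", "user": "ADMINISTRATOR", "host": "db01",
     "msg": "sp_configure 'xp_cmdshell', 1"},
    {"ts": "2014-03-05T11:00:00Z", "user": "administrator", "host": "db01",
     "msg": "service MSSQLSERVER restarted"},
    {"ts": "2014-03-05T14:05:10Z", "user": "administrator", "host": "db01",
     "msg": "net user svc_tmp /add"},
    {"ts": "2014-03-05T14:05:10Z", "user": "administrator", "host": "web01",
     "msg": "iisreset"},
]

# Assumed replay URL shape; the real console URL format is not given on the page.
REPLAY_BASE = "https://observeit.example/ObserveIT/Replay"


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def find_session(sessions, ts, user, host, skew=timedelta(seconds=30)):
    """Return the session covering (ts, user, host), or None.

    User and host compare case-insensitively because SIEM sources disagree on
    case; `skew` tolerates clock drift between the log source and the recorder.
    A live session (end is None) covers everything after its start.
    """
    for s in sessions:
        if s.user.lower() != user.lower() or s.machine.lower() != host.lower():
            continue
        if ts < s.start - skew:
            continue
        if s.end is not None and ts > s.end + skew:
            continue
        return s
    return None


def replay_link(session, ts):
    """Deep link into the recording at the moment the event happened."""
    offset = max(0, int((ts - session.start).total_seconds()))
    return f"{REPLAY_BASE}?session={session.session_id}&offset={offset}"


def correlate(events, sessions):
    """Attach session id and replay link to each event; unmatched events keep None."""
    out = []
    for e in events:
        ts = parse_ts(e["ts"])
        s = find_session(sessions, ts, e["user"], e["host"])
        out.append({**e,
                    "session_id": s.session_id if s else None,
                    "replay": replay_link(s, ts) if s else None})
    return out


if __name__ == "__main__":
    for row in correlate(EVENTS, SESSIONS):
        print(row["ts"], row["host"], row["session_id"], row["replay"])
```

An event with no covering session (the 11:00 restart, or the web01 event) is kept with `session_id` set to None rather than dropped; in a real rule that case deserves its own alert, because it means a change happened on a host or account that the recorder did not see.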
ObserveIT Video and Text Logs in CA UARM
• List of every app run
• Timeline view
• Breakdown by users and servers
• Detailed action listing
• Click the ‘Play the video!’ icon to view
ObserveIT Video and Text Logs in ArcSight
• Dashboard breakdown of user activity
• Each action can link to open a video replay
• Video replay of user actions, within the ArcSight console
ObserveIT Video and Logs in Splunk – Activity Dashboard
• Dashboard breakdowns
• Detailed text logs of user actions
• Click the icon to launch video replay
• Search window
ObserveIT Video and Logs in Splunk – Browse Sessions
• Session details (Unix)
• Session details (Windows)
• Click the icon to launch video replay
• Search window
Standard Agent-based Deployment
Remote users connect over RDP, SSH or ICA (and local users log in at the console) to servers and desktops running ObserveIT Agents. The Agents send metadata logs and video capture to the ObserveIT Management Server, which stores them on the Database Server; the ObserveIT Web Console, AD, network management, SIEM and BI tools sit alongside.
ObserveIT Agents
• Agent installed on each monitored machine
• Agent becomes active only when a user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while the user is idle
• Communicates with the Mgmt Server via HTTP on a customizable port, with optional SSL encryption (optional means it must be enabled explicitly at deployment)
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering
ObserveIT Management Server
• Receives session data from the Agents
• ASP.NET application in IIS
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends it to the DB Server
• Communicates with the Agents for config updates
Data Storage
• Microsoft SQL Server database (or optional file-system storage)
• Stores all config data, metadata and screenshots
• All connections via standard TCP port 1433
ObserveIT Web Console
• Administrators access the ObserveIT audit through it
• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Includes granular policy rules for limiting access to sensitive data
Open API and Data Integration
• Standards-based
• Simple integration
Gateway Jump-Server Deployment
Remote and local users reach the corporate network over the Internet through a Gateway Server running the ObserveIT Agent; from the gateway they open MSTSC, PuTTY or SSH sessions to corporate servers and desktops (no agent installed on them). The gateway reports to the ObserveIT Management Server.
Hybrid Deployment
As in the gateway deployment, remote and local users go through a Gateway Server (ObserveIT Agent; MSTSC, PuTTY or SSH) to corporate servers and desktops with no agent installed. In addition, sensitive production servers have the agent installed, so direct logins (not via the gateway) are recorded as well. Both report to the ObserveIT Management Server.
Gateway Jump-Server Deployment (multiple customers)
Remote and local users over the Internet pass through one Gateway Server (ObserveIT Agent; MSTSC, PuTTY or SSH) to the servers of Customer #1, Customer #2 and Customer #3, none of which has an agent installed; the gateway reports to the ObserveIT Management Server.
Citrix Published Apps Deployment
Remote Access users connect to a Citrix Server running the ObserveIT Agent, which records the Published Apps and reports to the ObserveIT Management Server.
ObserveIT Architecture: How the Windows Agent Works
• User logon wakes up the Agent
• User action triggers Agent capture
• Real-time screen capture and metadata capture (URL, window title, etc.), synchronized via the active process of the OS
• Captured metadata & image are packaged and sent to the Mgmt Server for storage
ObserveIT Architecture: How the Linux/Unix Agent Works
• User logon wakes up the Agent: a user-mode executable that is bound to every secure shell or telnet session
• TTY CLI activity triggers Agent capture
• Real-time CLI I/O capture and metadata capture (system calls, resources affected, etc.)
• Captured metadata & I/O are packaged and sent to the Mgmt Server for storage
Generate logs for every app (even those with no internal logging!!)
WHAT DID THE USER DO? A human-understandable list of every user action
• Legacy software: financial package
• System utilities: GPO, Notepad
• Cloud-based app: Salesforce.com
Video analysis generates intelligent text metadata for searching and navigation
ObserveIT captures: user, server, date, app launched, files opened, URLs, window titles, underlying system calls
Launch video replay at the precise location of interest
Recording all protocols
• Agnostic to network protocol and client application
• Remote sessions and also local console sessions
• Windows, Unix, Linux
• Telnet, Unix/Linux console, Windows console (Ctrl-Alt-Del)
Logs tied to video recording: Windows sessions (audit log alongside the replay window)
USER SESSION REPLAY: bulletproof forensics for security investigation
• CAPTURES ALL ACTIONS: mouse movement, text entry, UI interaction, window activity
• PLAYBACK NAVIGATION: move quickly between the apps that the user ran
Logs tied to video recording: Unix/Linux sessions (audit log alongside the replay window)
• Exact video playback of the screen
• List of each user command
Privileged/Shared User Identification
• User logs on as the generic “administrator”
• ObserveIT requires named user account credentials prior to granting access to the system (Active Directory is used for authentication)
• Each session audit is now tagged with an actual name: Login userid: administrator; Actual user: Daniel
Policy Messaging
NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.
• Send policy and status updates to each user exactly when they log in to the server
• Capture optional user feedback or ticket # for detailed issue tracking
• Ensure that policy standards are explicitly acknowledged
Real-time Playback
• On-air icon launches real-time playback
• View session activity “live”, while users are still active
Report Automation: pre-built and custom compliance reports
• Schedule reports to run automatically for email delivery in HTML, XML and Excel
• Canned compliance audits and build-your-own investigation reports
• Design reports according to precise requirements: content inclusion, data filtering, sorting and grouping
Double-password privacy assurance: addresses employee privacy mandates
• Two passwords: one for management, the second for a union rep or legal counsel
• Textual audit logs can be accessed by compliance officers for security audits, but video replay requires employee-rep authorization (both passwords)
API Interface
• Control the ObserveIT Agent via scripting and custom DLLs within your corporate applications
• Start, stop, pause and resume recorded sessions on custom events keyed on process IDs, process names or web URLs
Robust Security
• Agent ↔ Server communication
  • AES encryption (Rijndael)
  • Token exchange
  • SSL protocol (optional)
  • IPSec tunnel (optional)
• Database storage
  • Digital signatures on captured sessions
  • Standard SQL database inherits your enterprise data security practices
• Watchdog mechanism
  • Restarts the Agent if the process is ended
  • If the watchdog process itself is stopped, the Agent triggers a watchdog restart
  • Email alert sent on watchdog/agent tampering
Recording Policy Rules
• Determine what apps to record, whether to record metadata, and specify stealth mode per user
• Granular include/exclude policy rules per server, user/user group or application to determine the recording policy
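The include/exclude rules above and the start/stop/pause/resume control described on the API Interface slide fit together as a policy evaluator feeding a small state machine. The Python below is an added example for this page, not ObserveIT’s own policy engine or API: the rule fields, the exclude-beats-include precedence, the default-deny when nothing matches, and the URL-driven privacy pause are all choices made here for illustration, and the sample policy is constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List


@dataclass
class Rule:
    """One include/exclude line of the recording policy. '*' means 'any'."""
    action: str              # "include" or "exclude"
    server: str = "*"
    user: str = "*"
    group: str = "*"         # AD group name pattern
    app: str = "*"           # process name pattern
    metadata: bool = True    # capture text metadata as well as video
    stealth: bool = False    # hide the recording from the user


@dataclass
class Decision:
    record: bool
    metadata: bool = False
    stealth: bool = False
    reason: str = ""


def _glob(value: str, pattern: str) -> bool:
    return fnmatch(value.lower(), pattern.lower())


def _matches(rule: Rule, server: str, user: str, groups: List[str], app: str) -> bool:
    group_ok = rule.group == "*" or any(_glob(g, rule.group) for g in groups)
    return (_glob(server, rule.server) and _glob(user, rule.user)
            and group_ok and _glob(app, rule.app))


def evaluate(rules: List[Rule], server: str, user: str, groups: List[str], app: str) -> Decision:
    """Exclude rules win over include rules; with no matching include nothing is
    recorded (a default-deny chosen for this example, not stated on the page)."""
    for r in rules:
        if r.action == "exclude" and _matches(r, server, user, groups, app):
            return Decision(False, reason=f"excluded by {r}")
    for r in rules:
        if r.action == "include" and _matches(r, server, user, groups, app):
            return Decision(True, r.metadata, r.stealth, reason=f"included by {r}")
    return Decision(False, reason="no include rule matched")


class Recorder:
    """Start/pause/resume/stop driven by process and URL events (hypothetical
    control surface; only the state machine is shown)."""

    def __init__(self, rules, pause_url_patterns, server, user, groups):
        self.rules, self.pause_url_patterns = rules, pause_url_patterns
        self.server, self.user, self.groups = server, user, groups
        self.state = "stopped"
        self.transitions = []      # (old, new, why): the recorder's own audit trail

    def _go(self, new_state, why):
        if new_state != self.state:
            self.transitions.append((self.state, new_state, why))
            self.state = new_state

    def on_process_start(self, process_name):
        d = evaluate(self.rules, self.server, self.user, self.groups, process_name)
        if d.record and self.state == "stopped":
            self._go("recording", f"{process_name}: {d.reason}")
        return d

    def on_url(self, url):
        if self.state == "stopped":
            return
        if any(_glob(url, p) for p in self.pause_url_patterns):
            self._go("paused", f"privacy pause for {url}")   # e.g. personal banking
        elif self.state == "paused":
            self._go("recording", f"resumed on {url}")

    def on_logoff(self):
        self._go("stopped", "session ended")


# Constructed sample policy: never record the backup service account, record DBAs
# on db servers, and record regedit.exe anywhere in stealth mode.
RULES = [
    Rule("exclude", user="svc_backup"),
    Rule("include", server="db*", group="DBA"),
    Rule("include", app="regedit.exe", stealth=True),
]

if __name__ == "__main__":
    rec = Recorder(RULES, ["*bank.example*"], "db01", "alex", ["DBA"])
    rec.on_process_start("toad.exe")
    rec.on_url("https://bank.example/login")
    rec.on_url("https://intranet.example/tickets")
    rec.on_logoff()
    for t in rec.transitions:
        print(t)
```

Keeping the transition list is deliberate: a recorder that can be paused by policy needs its own tamper-evident record of when and why it was not recording, otherwise a gap in the video is indistinguishable from a gap caused by an attacker.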
Pervasive User Permissions
• Granular permissions / access control: define rules for each user and specify which sessions the user may play back
• Permission-based filtering affects all content access: reports, searching, video playback, metadata browsing
• Tight Active Directory integration: manage permission groups in your native AD repository
• Access to the ObserveIT Web Console is also audited: ObserveIT audits itself
• Addresses regulatory compliance requirements
Thank You!