1 / 83

ObserveIT : User Activity Monitoring

ObserveIT : User Activity Monitoring. Your Full Name Here youremail@youremail.com. Month 2014. ObserveIT - Software that acts like a security camera on your servers!. Video camera: Recordings of all user activity Summary of key actions: Alerts for problematic activity.

althea
Download Presentation

ObserveIT : User Activity Monitoring

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ObserveIT:User Activity Monitoring Your Full Name Here youremail@youremail.com Month 2014

  2. ObserveIT - Software that acts like a security camera on your servers! • Video camera: Recordings of all user activity • Summary of key actions: Alerts for problematic activity

  3. 800+ Enterprise Customers Manufacturing Healthcare / Pharma Telco & Media Financial Utilities & Logistics Government Retail / Service IT Services IT Services Gaming Gaming

  4. 800+ Enterprise Customers Healthcare / Pharma

  5. 800+ Enterprise Customers Financial

  6. 800+ Enterprise Customers Telco & Media ARGENTINA

  7. 800+ Enterprise Customers Manufacturing

  8. 800+ Enterprise Customers Retail / Services

  9. 800+ Enterprise Customers Utilities / Logistics / Energy

  10. 800+ Enterprise Customers IT Services / Technology

  11. 800+ Enterprise Customers Government

  12. 800+ Enterprise Customers Gaming

  13. Business challenges that ObserveIT addresses Remote Vendor Monitoring Compliance & Security Accountability Root Cause Analysis & Documentation • Impact human behavior • Transparent SLA and billing • Eliminate ‘Finger pointing’ • Reduce compliance costs for GETTING compliant and STAYING compliant • Satisfy PCI, HIPAA, SOX, ISO • Immediate root-cause answers • Document best-practices

  14. An Analogy Bank Branch Office Bank Computer Servers Companies invest in access control but once users gain access, there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials) They both hold money… …They both have Access Control… ...Here they also have security cameras… …Here, they don’t!

  15. Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT) Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) “ “ “ I don’t have this problem.I’ve got log analysis! “ The picture isn’t quite as rosy as you think. 15

  16. Can you tell what happened here? Replay Video Wouldn’t it be easier with a ‘Replay Video’ button? Video Replay shows exactly what happened

  17. Desktop Apps And many commonly used apps don’t even have their own logs! Desktop Apps Admin Tools Text Editors Remote & Virtual • Firefox / Chrome / IE • MS Excel / Word • Outlook • Skype • Registry Editor • SQL Manager • Toad • Network Config • vi • Notepad • Remote Desktop • VMware vSphere

  18. System Logs are like Fingerprints System Logs are like Fingerprints They show the results/outcomeof what took place User Audit Logs are like Surveillance Recordings They show exactly what took place! “ “ Both are valid… …But the video log goes right to the point!

  19. Our Solution with ObserveIT’s 3 key features X TODAY 1: Video Capture ITAdmin Video Session Recording 2: Video Content Analysis ‘Admin‘ = Alex List of apps, files, URLs accessed Logs on as ‘Administrator’ X XX 3: Shared-user Identification Alex the Admin Corporate Server or Desktop WHO is doing WHAT on our network??? Cool! Now I know. Audit Reporting DB & SIEM Log Collector UserVideoText LogAlex Play! App1, App2 Sam the Security Officer 19

  20. Demo Links: Powerpoint demo: Click here to show Live hosted demo:http://demo.observeit.com Internal demo:http://184.106.234.181:4884/ObserveIT YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1 Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1 Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1 Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1 French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1 Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1 Live Demo

  21. Business challenges & Customer use-cases Remote Vendor Monitoring Compliance & Security Accountability Root Cause Analysis & Documentation • Impact human behavior • Transparent SLA and billing • Eliminate ‘Finger pointing’ • Reduce compliance costs for GETTING compliant and STAYING compliant • Satisfy PCI, HIPAA, SOX, ISO • Immediate root-cause answers • Document best-practices

  22. But I like my SIEM tool! So do we!

  23. Add value • View ObserveIT users’ activity in SIEM • Direct link to the ObserveIT Video URL from the SIEM • Ability to correlate ObserveIT events with other system events • Ability to define rules/alerts based on ObserveIT user’s recorded events

  24. Current system log report not clear enough? Then link to the video replay! SIEM Platform OS and DB System Log Report Event… Event… Event… Video Player System Dashboard ObserveIT User Log Report Event… Event… Event… Simple & automated correlation rules: Timestamp + user + machine  Video Replay

  25. ObserveIT Video and Text Logs in CA UARM List of every app run Timeline view Breakdown by users and servers Click ‘Play the video!’ icon to view Detailed action listing

  26. ObserveIT Video and Text Logs in Arcsight Dashboard breakdown of user activity Each action can link to open a video replay Video replay of user actions, within the Arcsight console

  27. ObserveIT Video and Logs in Splunk – Activity Dashboard Search Window Dashboard breakdowns Click icon to launch video replay Detailed text logs of user actions

  28. ObserveIT Video and Logs in Splunk – Browse Sessions Search Window Session details (Windows) Session details (Unix) Click icon to launch video replay

  29. ObserveIT Video and Logs in Splunk – Session details Click icon to launch video replay per action

  30. ObserveIT Video and Logs inLogRhythm

  31. ObserveIT Video and Text Logs in RSA enVision Metadata filtering Event listing

  32. Live demo Part II: SIEM Integration

  33. ObserveIT Compliance Coveragefor PCI, HIPAA, ISO27001, SOX, NERC/FERC Compliance Requirements ObserveIT Solution ObserveIT Secondary Identification ObserveIT Session Recording ObserveIT Policy Messaging • Assign unique ID to each person with computer access(ex: PCI Requirement 8) • Track all access to network resources and sensitive data(ex: PCI Requirement 10) • Maintain policies that address information security(ex: PCI Requirement 12)

  34. Getting compliant is only the first step: Reduce compliance costs now AND in the future GET COMPLIANT: Satisfy auditor inquiries On-the-spot response (No need to send requests back to research team) Stop the “re-correlation” cycle! System changes ≠ SIEM correlation realignment Video Replay = Non-repudiation! Zero doubt surrounding audit conclusiveness STAY COMPLIANT: • All apps • Generate logs for apps that don’t have internal logs • All actions • Captures every user action, including video replay • All platforms • Windows, Linux, Unix • VMs, Cloud, Remote access, Direct access

  35. Alerting via Network Management • Same architectural concept as SIEM Integration • Mainly for metadata integration • Triggers system alerts or actions based on log activity

  36. Deployment Scenario Options

  37. Standard Agent-based Deployment • Agent installed on each monitored machine • Agent becomes active only when user session starts • Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle • Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption • Offline mode buffers recorded info (customizable buffer size) • Watchdog mechanism prevents tampering • Administrators access ObserveIT audit • ASP.NET application in IIS • Primary interface for video replay and reporting • Also used for configuration and admin tasks • Web console includes granular policy rules for limiting access to sensitive data • Data Storage • Microsoft SQL Server database (or optonal file-system storage) • Stores all config data, metadata and screenshots • All connections via standard TCP port 1433 • Mgmt Server receives session data from Agents • ASP.NET application in IIS • Collects all data delivered by the Agents • Analyzes and categorizes data, and sends to DB Server • Communicates with Agents for config updates ObserveIT Agents ObserveIT Web Console ICA SSH ObserveIT Management Server Database Server RDP Remote Users Metadata Logs & Video Capture LocalLogin AD SIEM NetworkMgmt BI Desktop • Open API and Data Integration • Standards-based • Simple integration

  38. Gateway Jump-Server Deployment PuTTY MSTSC Corporate Servers(no agent installed) Corporate Desktops (no agent installed) Corporate Servers (no agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users ObserveIT Management Server

  39. Hybrid Deployment PuTTY MSTSC Corporate Servers(no agent installed) Corporate Desktops (no agent installed) Sensitive production servers (agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users Direct login (not via gateway) ObserveIT Management Server

  40. Gateway Jump-Server Deployment PuTTY MSTSC Customer #1 Servers(no agent installed) Customer #2 Servers(no agent installed) Customer #3 Servers(no agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users ObserveIT Management Server

  41. Citrix Published Apps Deployment Published Apps CitrixServer ObserveIT Agent Remote Access ObserveIT Management Server

  42. How Agent Works

  43. ObserveIT Architecture:How the Windows Agent Works Synchronized capture via Active Process of OS Screen Capture Captured metadata & image packaged and sent to Mgmt Server for storage User action triggers Agent capture Real-time Metadata Capture User logon wakes up the Agent URL Window Title Etc.

  44. ObserveIT Architecture:How the Linux/Unix Agent Works User-mode executable that is bound to every secure shell or telnet session CLI I/O Capture Captured metadata & I/O packaged and sent to Mgmt Server for storage TTY CLI activity triggers Agent capture Real-time Metadata Capture User logon wakes up the Agent System Calls Resources Effected Etc.

  45. Key Features:What makes ObserveIT great

  46. Generate logs for every app(Even those with no internal logging!!) WHAT DID THE USER DO? A human-understandable list of every user action Cloud-based app: Salesforce.com System utilities: GPO, Notepad Legacy software: financial package

  47. Video analysis generates intelligent text metadata for Searching and Navigation • ObserveIT captures: • User • Server • Date • App launched • Files opened • URLs • Window titles • Underlying system calls Launch video replay at the precise location of interest

  48. Recording all protocols • Agnostic to network protocol and client application • Remote sessions and also local console sessions • Windows, Unix, Linux Telnet Windows Console(Ctrl-Alt-Del) Unix/Linux Console

  49. Logs tied to Video recording: Windows sessions Audit Log USER SESSION REPLAY: Bulletproof forensics for security investigation Replay Window CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity PLAYBACK NAVIGATION: Move quickly between apps that the user ran

  50. Logs tied to Video recording: Unix/Linux sessions Audit Log List of each user command Replay Window Exact video playback of screen

More Related