510 likes | 1.14k Views
ObserveIT : User Activity Monitoring. Your Full Name Here youremail@youremail.com. Month 2014. ObserveIT - Software that acts like a security camera on your servers!. Video camera: Recordings of all user activity Summary of key actions: Alerts for problematic activity.
E N D
ObserveIT:User Activity Monitoring Your Full Name Here youremail@youremail.com Month 2014
ObserveIT - Software that acts like a security camera on your servers! • Video camera: Recordings of all user activity • Summary of key actions: Alerts for problematic activity
Business challenges that ObserveIT addresses Remote Vendor Monitoring Compliance & Security Accountability Root Cause Analysis & Documentation • Impact human behavior • Transparent SLA and billing • Eliminate ‘Finger pointing’ • Reduce compliance costs for GETTING compliant and STAYING compliant • Satisfy PCI, HIPAA, SOX, ISO • Immediate root-cause answers • Document best-practices
An Analogy Bank Branch Office Bank Computer Servers Companies invest in access control but once users gain access, there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials) They both hold money… …They both have Access Control… ...Here they also have security cameras… …Here, they don’t!
Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT) Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) “ “ “ I don’t have this problem.I’ve got log analysis! “ The picture isn’t quite as rosy as you think. 5
Can you tell what happened here? Replay Video Wouldn’t it be easier with a ‘Replay Video’ button? Video Replay shows exactly what happened
Desktop Apps And many commonly used apps don’t even have their own logs! Desktop Apps Admin Tools Text Editors Remote & Virtual • Firefox / Chrome / IE • MS Excel / Word • Outlook • Skype • Registry Editor • SQL Manager • Toad • Network Config • vi • Notepad • Remote Desktop • VMware vSphere
System Logs are like Fingerprints System Logs are like Fingerprints They show the results/outcomeof what took place User Audit Logs are like Surveillance Recordings They show exactly what took place! “ “ Both are valid… …But the video log goes right to the point!
Our Solution with ObserveIT’s 3 key features X TODAY 1: Video Capture ITAdmin Video Session Recording 2: Video Content Analysis ‘Admin‘ = Alex List of apps, files, URLs accessed Logs on as ‘Administrator’ X XX 3: Shared-user Identification Alex the Admin Corporate Server or Desktop WHO is doing WHAT on our network??? Cool! Now I know. Audit Reporting DB & SIEM Log Collector UserVideoText LogAlex Play! App1, App2 Sam the Security Officer 9
Demo Links: Powerpoint demo: Click here to show Live hosted demo:http://demo.observeit.com Internal demo:http://184.106.234.181:4884/ObserveIT YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1 Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1 Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1 Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1 French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1 Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1 Live Demo
Enhance your SIEM with User Activity Monitoring • View ObserveIT users’ activity in SIEM • Direct link to the ObserveIT Video URL from the SIEM • Ability to correlate ObserveIT events with other system events • Ability to define rules/alerts based on ObserveIT user’s recorded events
Current system log report not clear enough? Then link to the video replay! SIEM Platform OS and DB System Log Report Event… Event… Event… Video Player System Dashboard ObserveIT User Log Report Event… Event… Event… Simple & automated correlation rules: Timestamp + user + machine Video Replay
ObserveIT Video and Text Logs in CA UARM List of every app run Timeline view Breakdown by users and servers Click ‘Play the video!’ icon to view Detailed action listing
ObserveIT Video and Text Logs in Arcsight Dashboard breakdown of user activity Each action can link to open a video replay Video replay of user actions, within the Arcsight console
ObserveIT Video and Logs in Splunk – Activity Dashboard Search Window Dashboard breakdowns Click icon to launch video replay Detailed text logs of user actions
ObserveIT Video and Logs in Splunk – Browse Sessions Search Window Session details (Windows) Session details (Unix) Click icon to launch video replay
ObserveIT Video and Logs in Splunk – Session details Click icon to launch video replay per action
ObserveIT Video and Text Logs in RSA enVision Metadata filtering Event listing
Standard Agent-based Deployment • Agent installed on each monitored machine • Agent becomes active only when user session starts • Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle • Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption • Offline mode buffers recorded info (customizable buffer size) • Watchdog mechanism prevents tampering • Administrators access ObserveIT audit • ASP.NET application in IIS • Primary interface for video replay and reporting • Also used for configuration and admin tasks • Web console includes granular policy rules for limiting access to sensitive data • Data Storage • Microsoft SQL Server database (or optonal file-system storage) • Stores all config data, metadata and screenshots • All connections via standard TCP port 1433 • Mgmt Server receives session data from Agents • ASP.NET application in IIS • Collects all data delivered by the Agents • Analyzes and categorizes data, and sends to DB Server • Communicates with Agents for config updates ObserveIT Agents ObserveIT Web Console ICA SSH ObserveIT Management Server Database Server RDP Remote Users Metadata Logs & Video Capture LocalLogin AD SIEM NetworkMgmt BI Desktop • Open API and Data Integration • Standards-based • Simple integration
Gateway Jump-Server Deployment PuTTY MSTSC Corporate Servers(no agent installed) Corporate Desktops (no agent installed) Corporate Servers (no agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users ObserveIT Management Server
Hybrid Deployment PuTTY MSTSC Corporate Servers(no agent installed) Corporate Desktops (no agent installed) Sensitive production servers (agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users Direct login (not via gateway) ObserveIT Management Server
Gateway Jump-Server Deployment PuTTY MSTSC Customer #1 Servers(no agent installed) Customer #2 Servers(no agent installed) Customer #3 Servers(no agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users ObserveIT Management Server
Citrix Published Apps Deployment Published Apps CitrixServer ObserveIT Agent Remote Access ObserveIT Management Server
ObserveIT Architecture:How the Windows Agent Works Synchronized capture via Active Process of OS Screen Capture Captured metadata & image packaged and sent to Mgmt Server for storage User action triggers Agent capture Real-time Metadata Capture User logon wakes up the Agent URL Window Title Etc.
ObserveIT Architecture:How the Linux/Unix Agent Works User-mode executable that is bound to every secure shell or telnet session CLI I/O Capture Captured metadata & I/O packaged and sent to Mgmt Server for storage TTY CLI activity triggers Agent capture Real-time Metadata Capture User logon wakes up the Agent System Calls Resources Effected Etc.
Generate logs for every app(Even those with no internal logging!!) WHAT DID THE USER DO? A human-understandable list of every user action Cloud-based app: Salesforce.com System utilities: GPO, Notepad Legacy software: financial package
Video analysis generates intelligent text metadata for Searching and Navigation • ObserveIT captures: • User • Server • Date • App launched • Files opened • URLs • Window titles • Underlying system calls Launch video replay at the precise location of interest
Recording all protocols • Agnostic to network protocol and client application • Remote sessions and also local console sessions • Windows, Unix, Linux Telnet Windows Console(Ctrl-Alt-Del) Unix/Linux Console
Logs tied to Video recording: Windows sessions Audit Log USER SESSION REPLAY: Bulletproof forensics for security investigation Replay Window CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity PLAYBACK NAVIGATION: Move quickly between apps that the user ran
Logs tied to Video recording: Unix/Linux sessions Audit Log List of each user command Replay Window Exact video playback of screen
Privileged/Shared User Identification ObserveIT requires named user account credentials prior to granting access to system User logs on as generic “administrator” Each session audit is now tagged with an actual name: Login userid: administrator Actual user: Daniel Active Directory used for authentication
Policy Messaging Send policy and status updates to each user exactly when they log in to server NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded. Capture optional user feedback or ticket # for detailed issue tracking Ensure that policy standards are explicitly acknowledged
Real-time Playback On-air icon launches real-time playback View session activity “live", while users are still active
Report Automation: Pre-built and custom compliance reports Schedule reports to run automatically for email delivery in HTML, XML and Excel Canned compliance audits and build-your-own investigation reports Design report according to precise requirements: Content Inclusion, Data Filtering, Sorting and Grouping
Double-password privacy assurance:Addresses employee privacy mandates Two passwords: One for Management. Second for union rep or legal counsel Textual audit logs can be accessed by compliance officers for security audits, but video replay requires employee rep authorization (both passwords) 39
API Interface Control ObserveIT Agent via scripting and custom DLLs within your corporate applications Start, stop, pause and resume recorded sessions based on custom events based on process IDs, process names or web URLs
Robust Security • Agent ↔ Server communication • AES Encryption - Rijndael • Token exchange • SSL protocol (optional) • IPSec tunnel (optional) • Database storage • Digital signatures on captured sessions • Standard SQL database inherits your enterprise data security practices • Watchdog mechanism • Restarts the Agent if the process is ended • If watchdog process itself is stopped, Agent triggers watchdog restart • Email alert sent on watchdog/agent tampering
Recording Policy Rules Determine what apps to record, whether to record metadata, and specify stealth-mode per user Granular include/exclude policy rules per server, user/user group or application to determine recording policy
Pervasive User Permissions • Granular permissions / access control • Define rules for each user • Specify which sessions the user may playback • Permission-based filtering affects all content access • Reports • Searching • Video playback • Metadata browsing • Tight ActiveDirectory integration • Manage permissions groups in your native AD repository • Access to ObserveIT Web Console is also audited • ObserveIT audits itself • Addresses regulatory compliance requirements
Thank You! Your Full Name youremail@youremail.com