1 / 44

ObserveIT : User Activity Monitoring

ObserveIT : User Activity Monitoring. Your Full Name Here youremail@youremail.com. Month 2014. ObserveIT - Software that acts like a security camera on your servers!. Video camera: Recordings of all user activity Summary of key actions: Alerts for problematic activity.

webb
Download Presentation

ObserveIT : User Activity Monitoring

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ObserveIT:User Activity Monitoring Your Full Name Here youremail@youremail.com Month 2014

  2. ObserveIT - Software that acts like a security camera on your servers! • Video camera: Recordings of all user activity • Summary of key actions: Alerts for problematic activity

  3. Business challenges that ObserveIT addresses Remote Vendor Monitoring Compliance & Security Accountability Root Cause Analysis & Documentation • Impact human behavior • Transparent SLA and billing • Eliminate ‘Finger pointing’ • Reduce compliance costs for GETTING compliant and STAYING compliant • Satisfy PCI, HIPAA, SOX, ISO • Immediate root-cause answers • Document best-practices

  4. An Analogy Bank Branch Office Bank Computer Servers Companies invest in access control but once users gain access, there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials) They both hold money… …They both have Access Control… ...Here they also have security cameras… …Here, they don’t!

  5. Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT) Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) “ “ “ I don’t have this problem.I’ve got log analysis! “ The picture isn’t quite as rosy as you think. 5

  6. Can you tell what happened here? Replay Video Wouldn’t it be easier with a ‘Replay Video’ button? Video Replay shows exactly what happened

  7. Desktop Apps And many commonly used apps don’t even have their own logs! Desktop Apps Admin Tools Text Editors Remote & Virtual • Firefox / Chrome / IE • MS Excel / Word • Outlook • Skype • Registry Editor • SQL Manager • Toad • Network Config • vi • Notepad • Remote Desktop • VMware vSphere

  8. System Logs are like Fingerprints System Logs are like Fingerprints They show the results/outcomeof what took place User Audit Logs are like Surveillance Recordings They show exactly what took place! “ “ Both are valid… …But the video log goes right to the point!

  9. Our Solution with ObserveIT’s 3 key features X TODAY 1: Video Capture ITAdmin Video Session Recording 2: Video Content Analysis ‘Admin‘ = Alex List of apps, files, URLs accessed Logs on as ‘Administrator’ X XX 3: Shared-user Identification Alex the Admin Corporate Server or Desktop WHO is doing WHAT on our network??? Cool! Now I know. Audit Reporting DB & SIEM Log Collector UserVideoText LogAlex Play! App1, App2 Sam the Security Officer 9

  10. Demo Links: Powerpoint demo: Click here to show Live hosted demo:http://demo.observeit.com Internal demo:http://184.106.234.181:4884/ObserveIT YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1 Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1 Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1 Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1 French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1 Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1 Live Demo

  11. Enhance your SIEM with User Activity Monitoring • View ObserveIT users’ activity in SIEM • Direct link to the ObserveIT Video URL from the SIEM • Ability to correlate ObserveIT events with other system events • Ability to define rules/alerts based on ObserveIT user’s recorded events

  12. Current system log report not clear enough? Then link to the video replay! SIEM Platform OS and DB System Log Report Event… Event… Event… Video Player System Dashboard ObserveIT User Log Report Event… Event… Event… Simple & automated correlation rules: Timestamp + user + machine  Video Replay

  13. ObserveIT Video and Text Logs in CA UARM List of every app run Timeline view Breakdown by users and servers Click ‘Play the video!’ icon to view Detailed action listing

  14. ObserveIT Video and Text Logs in Arcsight Dashboard breakdown of user activity Each action can link to open a video replay Video replay of user actions, within the Arcsight console

  15. ObserveIT Video and Logs in Splunk – Activity Dashboard Search Window Dashboard breakdowns Click icon to launch video replay Detailed text logs of user actions

  16. ObserveIT Video and Logs in Splunk – Browse Sessions Search Window Session details (Windows) Session details (Unix) Click icon to launch video replay

  17. ObserveIT Video and Logs in Splunk – Session details Click icon to launch video replay per action

  18. ObserveIT Video and Logs inLogRhythm

  19. ObserveIT Video and Text Logs in RSA enVision Metadata filtering Event listing

  20. Deployment Scenario Options

  21. Standard Agent-based Deployment • Agent installed on each monitored machine • Agent becomes active only when user session starts • Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle • Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption • Offline mode buffers recorded info (customizable buffer size) • Watchdog mechanism prevents tampering • Administrators access ObserveIT audit • ASP.NET application in IIS • Primary interface for video replay and reporting • Also used for configuration and admin tasks • Web console includes granular policy rules for limiting access to sensitive data • Data Storage • Microsoft SQL Server database (or optonal file-system storage) • Stores all config data, metadata and screenshots • All connections via standard TCP port 1433 • Mgmt Server receives session data from Agents • ASP.NET application in IIS • Collects all data delivered by the Agents • Analyzes and categorizes data, and sends to DB Server • Communicates with Agents for config updates ObserveIT Agents ObserveIT Web Console ICA SSH ObserveIT Management Server Database Server RDP Remote Users Metadata Logs & Video Capture LocalLogin AD SIEM NetworkMgmt BI Desktop • Open API and Data Integration • Standards-based • Simple integration

  22. Gateway Jump-Server Deployment PuTTY MSTSC Corporate Servers(no agent installed) Corporate Desktops (no agent installed) Corporate Servers (no agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users ObserveIT Management Server

  23. Hybrid Deployment PuTTY MSTSC Corporate Servers(no agent installed) Corporate Desktops (no agent installed) Sensitive production servers (agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users Direct login (not via gateway) ObserveIT Management Server

  24. Gateway Jump-Server Deployment PuTTY MSTSC Customer #1 Servers(no agent installed) Customer #2 Servers(no agent installed) Customer #3 Servers(no agent installed) SSH GatewayServer ObserveIT Agent Internet Remote and local users ObserveIT Management Server

  25. Citrix Published Apps Deployment Published Apps CitrixServer ObserveIT Agent Remote Access ObserveIT Management Server

  26. How Agent Works

  27. ObserveIT Architecture:How the Windows Agent Works Synchronized capture via Active Process of OS Screen Capture Captured metadata & image packaged and sent to Mgmt Server for storage User action triggers Agent capture Real-time Metadata Capture User logon wakes up the Agent URL Window Title Etc.

  28. ObserveIT Architecture:How the Linux/Unix Agent Works User-mode executable that is bound to every secure shell or telnet session CLI I/O Capture Captured metadata & I/O packaged and sent to Mgmt Server for storage TTY CLI activity triggers Agent capture Real-time Metadata Capture User logon wakes up the Agent System Calls Resources Effected Etc.

  29. Key Features:What makes ObserveIT great

  30. Generate logs for every app(Even those with no internal logging!!) WHAT DID THE USER DO? A human-understandable list of every user action Cloud-based app: Salesforce.com System utilities: GPO, Notepad Legacy software: financial package

  31. Video analysis generates intelligent text metadata for Searching and Navigation • ObserveIT captures: • User • Server • Date • App launched • Files opened • URLs • Window titles • Underlying system calls Launch video replay at the precise location of interest

  32. Recording all protocols • Agnostic to network protocol and client application • Remote sessions and also local console sessions • Windows, Unix, Linux Telnet Windows Console(Ctrl-Alt-Del) Unix/Linux Console

  33. Logs tied to Video recording: Windows sessions Audit Log USER SESSION REPLAY: Bulletproof forensics for security investigation Replay Window CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity PLAYBACK NAVIGATION: Move quickly between apps that the user ran

  34. Logs tied to Video recording: Unix/Linux sessions Audit Log List of each user command Replay Window Exact video playback of screen

  35. Privileged/Shared User Identification ObserveIT requires named user account credentials prior to granting access to system User logs on as generic “administrator” Each session audit is now tagged with an actual name: Login userid: administrator Actual user: Daniel Active Directory used for authentication

  36. Policy Messaging Send policy and status updates to each user exactly when they log in to server NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded. Capture optional user feedback or ticket # for detailed issue tracking Ensure that policy standards are explicitly acknowledged

  37. Real-time Playback On-air icon launches real-time playback View session activity “live", while users are still active

  38. Report Automation: Pre-built and custom compliance reports Schedule reports to run automatically for email delivery in HTML, XML and Excel Canned compliance audits and build-your-own investigation reports Design report according to precise requirements: Content Inclusion, Data Filtering, Sorting and Grouping

  39. Double-password privacy assurance:Addresses employee privacy mandates Two passwords: One for Management. Second for union rep or legal counsel Textual audit logs can be accessed by compliance officers for security audits, but video replay requires employee rep authorization (both passwords) 39

  40. API Interface Control ObserveIT Agent via scripting and custom DLLs within your corporate applications Start, stop, pause and resume recorded sessions based on custom events based on process IDs, process names or web URLs

  41. Robust Security • Agent ↔ Server communication • AES Encryption - Rijndael • Token exchange • SSL protocol (optional) • IPSec tunnel (optional) • Database storage • Digital signatures on captured sessions • Standard SQL database inherits your enterprise data security practices • Watchdog mechanism • Restarts the Agent if the process is ended • If watchdog process itself is stopped, Agent triggers watchdog restart • Email alert sent on watchdog/agent tampering

  42. Recording Policy Rules Determine what apps to record, whether to record metadata, and specify stealth-mode per user Granular include/exclude policy rules per server, user/user group or application to determine recording policy

  43. Pervasive User Permissions • Granular permissions / access control • Define rules for each user • Specify which sessions the user may playback • Permission-based filtering affects all content access • Reports • Searching • Video playback • Metadata browsing • Tight ActiveDirectory integration • Manage permissions groups in your native AD repository • Access to ObserveIT Web Console is also audited • ObserveIT audits itself • Addresses regulatory compliance requirements

  44. Thank You! Your Full Name youremail@youremail.com

More Related