Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2014 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Similar presentations


Presentation on theme: "Copyright © 2014 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies."— Presentation transcript:

1 Copyright © 2014 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. ObserveIT: User Activity Monitoring Your Full Name Here Month 2014

2 ObserveIT - Software that acts like a security camera on your servers!  Video camera: Recordings of all user activity  Summary of key actions: Alerts for problematic activity 2

3 Business challenges that ObserveIT addresses Remote Vendor Monitoring Compliance & Security Accountability Compliance & Security Accountability Root Cause Analysis & Documentation 3 Impact human behavior Transparent SLA and billing Eliminate ‘Finger pointing’ Reduce compliance costs for GETTING compliant and STAYING compliant Satisfy PCI, HIPAA, SOX, ISO Immediate root-cause answers Document best-practices

4 Bank Branch OfficeBank Computer Servers They both hold money… An Analogy 4 …They both have Access Control…...Here they also have security cameras… …Here, they don’t! Companies invest in access control but once users gain access, there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials)

5 55 I don’t have this problem. I’ve got log analysis! “ “ The picture isn’t quite as rosy as you think. “ “ Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT)

6 6 Wouldn’t it be easier with a ‘Replay Video’ button? Replay Video Video Replay shows exactly what happened Can you tell what happened here?

7 And many commonly used apps don’t even have their own logs! 7 DESKTOP APPS Firefox / Chrome / IE MS Excel / Word Outlook Skype DESKTOP APPS Registry Editor SQL Manager Toad Network Config ADMIN TOOLS vi Notepad TEXT EDITORS Remote Desktop VMware vSphere REMOTE & VIRTUAL

8 8 System Logs are like Fingerprints They show the results/outcome of what took place They show exactly what took place! User Audit Logs are like Surveillance Recordings Both are valid… …But the video log goes right to the point! “ “ System Logs are like Fingerprints

9 9 TODAY X with ObserveIT’s 3 key features Our Solution Corporate Server or Desktop Sam the Security Officer WHO is doing WHAT on our network??? IT Admin Video Session Recording 1: Video Capture 3: Shared-user Identification 2: Video Content Analysis Audit Reporting DB & SIEM Log Collector List of apps, files, URLs accessed User VideoText Log AlexPlay!App1, App2 Alex the Admin Logs on as ‘Administrator’ Cool! Now I know. ‘Admin‘ = Alex X X X

10 L IVE D EMO Demo Links: Powerpoint demo: Click here to showClick here to show Live hosted demo: Internal demo: YouTube demos: English: Korean: Chinese: Japanese: French: Russian:

11 Enhance your SIEM with User Activity Monitoring 11 View ObserveIT users’ activity in SIEM Direct link to the ObserveIT Video URL from the SIEM Ability to correlate ObserveIT events with other system events Ability to define rules/alerts based on ObserveIT user’s recorded events

12 Current system log report not clear enough? Then link to the video replay! 12 Simple & automated correlation rules: Timestamp + user + machine  Video Replay OS and DB System Log Report Event… ObserveIT User Log Report Event… System Dashboard SIEM Platform Video Player

13 ObserveIT Video and Text Logs in CA UARM 13 List of every app run Timeline view Breakdown by users and servers Detailed action listing Click ‘Play the video!’ icon to view

14 ObserveIT Video and Text Logs in Arcsight 14 Dashboard breakdown of user activity Each action can link to open a video replay Video replay of user actions, within the Arcsight console

15 ObserveIT Video and Logs in Splunk – Activity Dashboard Dashboard breakdowns Detailed text logs of user actions Click icon to launch video replay Search Window

16 ObserveIT Video and Logs in Splunk – Browse Sessions Session details (Unix) Session details (Windows) Click icon to launch video replay Search Window

17 ObserveIT Video and Logs in Splunk – Session details Click icon to launch video replay per action

18 ObserveIT Video and Logs in LogRhythm

19 ObserveIT Video and Text Logs in RSA enVision 19 Event listing Metadata filtering

20 D EPLOYMENT S CENARIO O PTIONS

21 Standard Agent-based Deployment ObserveIT Agents AD Network Mgmt ObserveIT Web Console Local Login Desktop ObserveIT Management Server Database Server SIEMBI Remote Users RDP SSH ICA Metadata Logs & Video Capture 21 Agent installed on each monitored machine Agent becomes active only when user session starts Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption Offline mode buffers recorded info (customizable buffer size) Watchdog mechanism prevents tampering Agent installed on each monitored machine Agent becomes active only when user session starts Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption Offline mode buffers recorded info (customizable buffer size) Watchdog mechanism prevents tampering Mgmt Server receives session data from Agents ASP.NET application in IIS Collects all data delivered by the Agents Analyzes and categorizes data, and sends to DB Server Communicates with Agents for config updates Mgmt Server receives session data from Agents ASP.NET application in IIS Collects all data delivered by the Agents Analyzes and categorizes data, and sends to DB Server Communicates with Agents for config updates Data Storage Microsoft SQL Server database (or optonal file-system storage) Stores all config data, metadata and screenshots All connections via standard TCP port 1433 Data Storage Microsoft SQL Server database (or optonal file-system storage) Stores all config data, metadata and screenshots All connections via standard TCP port 1433 Administrators access ObserveIT audit ASP.NET application in IIS Primary interface for video replay and reporting Also used for configuration and admin tasks Web console includes granular policy rules for limiting access to sensitive data Administrators access ObserveIT audit ASP.NET application in IIS Primary interface for video replay and reporting Also used for configuration and admin tasks Web console includes granular policy rules for limiting access to sensitive data Open API and Data Integration Standards-based Simple integration Open API and Data Integration Standards-based Simple integration

22 Gateway Jump-Server Deployment 22 Gateway Server MSTSC PuTTY ObserveIT Agent SSH Remote and local users Internet ObserveIT Management Server Corporate Servers (no agent installed) Corporate Desktops (no agent installed) Corporate Servers (no agent installed)

23 Hybrid Deployment 23 Gateway Server MSTSC PuTTY ObserveIT Agent SSH Remote and local users Internet ObserveIT Management Server Corporate Servers (no agent installed) Corporate Desktops (no agent installed) Sensitive production servers (agent installed) Direct login (not via gateway)

24 Gateway Jump-Server Deployment 24 Remote and local users Internet ObserveIT Management Server Customer #1 Servers (no agent installed) Customer #2 Servers (no agent installed) Customer #3 Servers (no agent installed) Gateway Server MSTSC PuTTY ObserveIT Agent SSH

25 Citrix Published Apps Deployment Citrix Server ObserveIT Agent 25 Published Apps Remote Access ObserveIT Management Server

26 H OW A GENT W ORKS

27 ObserveIT Architecture: How the Windows Agent Works User logon wakes up the Agent Real-time Screen Capture Metadata Capture Synchronized capture via Active Process of OS URL Window Title Etc. Captured metadata & image packaged and sent to Mgmt Server for storage User action triggers Agent capture 27

28 ObserveIT Architecture: How the Linux/Unix Agent Works User logon wakes up the Agent Real-time CLI I/O Capture CLI I/O Capture Metadata Capture User-mode executable that is bound to every secure shell or telnet session System Calls Resources Effected Etc. Captured metadata & I/O packaged and sent to Mgmt Server for storage TTY CLI activity triggers Agent capture 28

29 K EY F EATURES : W HAT MAKES O BSERVE IT GREAT

30 Generate logs for every app (Even those with no internal logging!!) WHAT DID THE USER DO? A human-understandable list of every user action WHAT DID THE USER DO? A human-understandable list of every user action 30 Legacy software: financial package System utilities: GPO, Notepad Cloud-based app: Salesforce.com

31 Video analysis generates intelligent text metadata for Searching and Navigation 31 ObserveIT captures: User Server Date App launched Files opened URLs Window titles Underlying system calls ObserveIT captures: User Server Date App launched Files opened URLs Window titles Underlying system calls Launch video replay at the precise location of interest

32 Recording all protocols Agnostic to network protocol and client application Remote sessions and also local console sessions Windows, Unix, Linux Telnet 32 Unix/Linux Console Windows Console (Ctrl-Alt-Del)

33 Logs tied to Video recording: Windows sessions Audit Log Replay Window 33 USER SESSION REPLAY: Bulletproof forensics for security investigation USER SESSION REPLAY: Bulletproof forensics for security investigation CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity PLAYBACK NAVIGATION: Move quickly between apps that the user ran PLAYBACK NAVIGATION: Move quickly between apps that the user ran

34 Logs tied to Video recording: Unix/Linux sessions 34 Audit Log Replay Window Exact video playback of screen List of each user command

35 Privileged/Shared User Identification 35 Active Directory used for authentication Each session audit is now tagged with an actual name: Login userid: administrator Actual user: Daniel Each session audit is now tagged with an actual name: Login userid: administrator Actual user: Daniel ObserveIT requires named user account credentials prior to granting access to system User logs on as generic “administrator”

36 Policy Messaging 36 Send policy and status updates to each user exactly when they log in to server Capture optional user feedback or ticket # for detailed issue tracking Ensure that policy standards are explicitly acknowledged

37 Real-time Playback 37 On-air icon launches real-time playback View session activity “live", while users are still active

38 Report Automation: Pre-built and custom compliance reports 38 Schedule reports to run automatically for delivery in HTML, XML and Excel Canned compliance audits and build-your-own investigation reports Design report according to precise requirements: Content Inclusion, Data Filtering, Sorting and Grouping

39 Double-password privacy assurance: Addresses employee privacy mandates 39 Two passwords: One for Management. Second for union rep or legal counsel Textual audit logs can be accessed by compliance officers for security audits, but video replay requires employee rep authorization (both passwords)

40 API Interface 40 Control ObserveIT Agent via scripting and custom DLLs within your corporate applications Start, stop, pause and resume recorded sessions based on custom events based on process IDs, process names or web URLs

41 Robust Security 41 Agent ↔ Server communication AES Encryption - Rijndael Token exchange SSL protocol (optional) IPSec tunnel (optional) Database storage Digital signatures on captured sessions Standard SQL database inherits your enterprise data security practices Watchdog mechanism Restarts the Agent if the process is ended If watchdog process itself is stopped, Agent triggers watchdog restart alert sent on watchdog/agent tampering

42 Recording Policy Rules 42 Determine what apps to record, whether to record metadata, and specify stealth-mode per user Granular include/exclude policy rules per server, user/user group or application to determine recording policy

43 Pervasive User Permissions 43 Granular permissions / access control Define rules for each user Specify which sessions the user may playback Permission-based filtering affects all content access Reports Searching Video playback Metadata browsing Tight Active Directory integration Manage permissions groups in your native AD repository Access to ObserveIT Web Console is also audited ObserveIT audits itself Addresses regulatory compliance requirements

44 Copyright © 2014 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. Thank You! Your Full Name


Download ppt "Copyright © 2014 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies."

Similar presentations


Ads by Google