Today, I’ll be presenting ObserveIT’s solution for user activity monitoring. I’ll demonstrate how ObserveIT brings a new approach to auditing user actions. It’s not about more logs; it’s about a brand new kind of logging, which gives full coverage where existing logs fail.
A quick word about what our product is: the ObserveIT software solution works like a security camera on your servers. It does this via two primary features. First, it captures a video recording of every user action, which is bulletproof evidence of activity. Second, it analyzes this video to extract details about exactly what took place, generating a detailed text audit log of the apps, windows, files, and URLs accessed.
We have a wide range of high-profile companies among our customers. This covers a range of key industries, including Financial, Retail, Manufacturing, Utilities and Telecommunications.
These customers are using ObserveIT for three main business purposes: Remote Vendor Monitoring – keeping an eye on what third-party users are doing when they connect to your network; Compliance Accountability – making sure that you can truly answer government or corporate compliance questions: “Who did what?”; and Root Cause Analysis – getting to the root of what caused system changes or downtime, and documenting every system process. I’ll explore each of these in more detail after you see the product in action…
I want to highlight exactly why this concept of a ‘security camera’ is so important, especially for monitoring remote users. Let’s consider an analogy. Consider a bank. On the left we have a branch office; on the right we have the bank’s servers. They both hold a lot of money (the server holds a lot more, by the way). Both of these parts of the bank have a method of access control. (Some are friendlier than others, some are more effective than others, but it is still the same idea.) We know exactly what that looks like in both cases. But here is where the analogy breaks down: at the branch office, they back up the access control with security cameras. On the servers, very often they do not.
The real issue, and the real reason we need a brand new approach to log analysis, came through loud and clear in the most recent Data Breach Investigations Report from the US Secret Service, the Dutch High Tech Crime Division and Verizon, which analyzed thousands of data breaches worldwide. The most glaring statistic that jumped out of this report was that log analysis is successful at detecting data breaches only 1% of the time! That’s an outrageously low number. The report even went on to give an almost sarcastic view of the state of affairs: it’s good news, because we can only get better now! If it weren’t so sad, it would be funny.
Why is it that log analysis is failing us, despite all our investments in log management infrastructure? Well, to put our finger on the issue, just ask yourself if you can discover what you did on your computer over the past 5 minutes. Check out Event Viewer… Can you retrace your steps? You get thousands of log entries, but nothing really points to what took place. Well, how can we expect log analysis tools to succeed where we ourselves can’t, even with a head start?
Often, we get the impression that SIEM tools are meant to overcome this problem. But that assumption is glossing over the ugly truth…
A SIEM is only as good as the logs you feed it. If an app doesn’t produce a log for some action, then it just won’t appear in the SIEM audit log. There are many, many apps that don’t produce any logs at all, or produce ugly debug logs that have little audit value.
So, as we saw when we looked at Event Viewer 2 minutes ago, it’s just not realistic to expect anyone or any audit software to be able to piece together the past based only on debug logs. The most obvious way to overcome this problem is to show, in the most straightforward way possible: “This is what the user did.” Here, he checked this checkbox. That’s all! Nice and easy. That one click happened to generate 25 different system log and config management triggers, none of which would tell us the simple truth! But seeing it happen makes it completely obvious.
So, this is ObserveIT’s intuitive approach. Today, we have an IT admin logging on to our servers using generic IDs such as ‘Administrator’ or ‘dba’. At the same time, Sam the Security Officer is asking: who is doing what? Adding ObserveIT, the situation becomes much clearer. First of all, ObserveIT provides Shared-User Identification, so now we know that this ‘Admin’ is really ‘Alex’. Next, ObserveIT steps in with video recording of every user action, as if looking over Alex’s shoulder while he is working. The result is a video recording that can easily be played back. And even more, ObserveIT then analyzes this video session and extracts all the details of what Alex did: the apps he ran, the files he opened, and more. These three pieces of information (user identification, video capture, and video metadata) are then collected in a centralized audit database. This, of course, makes Sam very happy.
By the way, ObserveIT does this for every access protocol or platform, including RDP, SSH, Citrix, VDIs and more… And the video storage is highly optimized based on screenshot deltas, making for very efficient storage and low database size requirements.
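The screenshot-delta storage just mentioned, as an added example that is not ObserveIT’s code: one full keyframe per session, then only the tiles that changed on each capture, with playback reconstructing any frame by replaying deltas. The frame format, tile size and sample session are constructed for the demo.

```python
# Added example, not ObserveIT's code: tile-based screenshot delta storage.
# One keyframe per session; later captures store only changed TILE x TILE
# blocks, and playback replays those deltas onto the keyframe.
from typing import Dict, List, Tuple

Frame = List[List[int]]           # rows of pixel values (constructed toy screen)
Tile = Tuple[int, int]            # (row, col) index of a tile
Delta = Dict[Tile, Frame]         # changed tiles -> their new pixel block
TILE = 4                          # tile edge in pixels (assumption for the demo)

def split_tiles(frame: Frame) -> Dict[Tile, Frame]:
    """Cut a frame into TILE x TILE blocks keyed by tile coordinate."""
    h, w = len(frame), len(frame[0])
    return {(r, c): [row[c*TILE:(c+1)*TILE] for row in frame[r*TILE:(r+1)*TILE]]
            for r in range(h // TILE) for c in range(w // TILE)}

def make_delta(prev: Frame, cur: Frame) -> Delta:
    """Return only the tiles of cur that differ from prev."""
    before, after = split_tiles(prev), split_tiles(cur)
    return {t: after[t] for t in after if after[t] != before[t]}

def apply_delta(base: Frame, delta: Delta) -> Frame:
    """Patch the changed tiles onto a copy of base to get the next frame."""
    out = [row[:] for row in base]
    for (r, c), block in delta.items():
        for i, row in enumerate(block):
            out[r*TILE + i][c*TILE:(c+1)*TILE] = row
    return out

def record_session(frames: List[Frame]) -> Tuple[Frame, List[Delta]]:
    """Recorder side: keyframe plus one delta per subsequent capture."""
    return frames[0], [make_delta(frames[i-1], frames[i]) for i in range(1, len(frames))]

def replay(keyframe: Frame, deltas: List[Delta], n: int) -> Frame:
    """Playback side: rebuild frame n by replaying the first n deltas."""
    frame = keyframe
    for d in deltas[:n]:
        frame = apply_delta(frame, d)
    return frame

def stored_tiles(keyframe: Frame, deltas: List[Delta]) -> int:
    """Tiles actually persisted (a full-frame store needs frames * tiles_per_frame)."""
    return len(split_tiles(keyframe)) + sum(len(d) for d in deltas)

# Constructed 16x16 session: blank screen, a checkbox click (1 tile changes),
# then typing into a field (2 tiles change).
box = [[9] * TILE for _ in range(TILE)]
text = [[5] * TILE for _ in range(TILE)]
blank = [[0] * 16 for _ in range(16)]
SESSION = [blank, apply_delta(blank, {(1, 1): box})]
SESSION.append(apply_delta(SESSION[1], {(2, 0): text, (2, 1): text}))
KEYFRAME, DELTAS = record_session(SESSION)
```

For this session the store holds 19 tiles instead of the 48 a full-frame capture would need, which is where the database-size saving comes from.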
And that’s because the system logs are like fingerprints. They show the results of what took place, but not the actual actions!
So let’s dive in and see how ObserveIT overcomes these problems.
Same with the Linux infraction…. We see all the system calls, and we can replay the full TTY screen I/O.
Now, I want to clarify that ObserveIT complements your existing SIEM or Log Management products…
Here are a few examples. Here we see ObserveIT logs, as presented within CA’s UARM product…
And here the ObserveIT logs are presented within Splunk.
There are 2 ways that you can deploy ObserveIT…
The first is the standard deployment according to the architecture that we’ve seen so far: an agent is installed on each server that is being monitored, which feeds log data to the management server.
A second deployment option is via a gateway server. If users are accessing your servers via a gateway, you can deploy a gateway-based agent only, which then captures the user actions that go through that gateway to each corporate server.
ObserveIT’s flexibility allows you to deploy both ways simultaneously: a gateway for full network coverage of all standard user access, plus agents on specific sensitive servers that require more detailed audit.
Note that each option has its benefits. One additional strength of ObserveIT is that you can utilize both scenarios simultaneously: deploy a gateway for centralized access for all remote users (thus capturing everything that they do, on every server), and also deploy an agent on key production servers that require additional monitoring of all internal and direct access sessions.
Let’s take a look at the system architecture….
The central piece of the architecture is the Management Server, which collects activity monitoring info, analyzes it, and sends it on to the DB…
The info is coming from agents deployed on each server….
Let’s see in detail how that works. A user logs in to a server. That action wakes up the agent, which remains completely inactive when there is no current user login. Then, any user action will trigger the agent to capture log info. Actions can be mouse movement, keyboard typing, UI interaction, CLI commands, etc. In real time, the agent captures the screen, also extracts the textual metadata, and packages that up to deliver to the Management Server.
In Unix, the process is quite similar, with the key differences being how the agent is bound to the session, and how the underlying system calls are captured.
So, let’s see a run-through of ObserveIT’s most important features…
First off, as we’ve already seen, ObserveIT generates detailed user activity logs for all applications run. This includes apps that don’t have their own internal logging.
Each log entry includes rich metadata, which makes it easy to search, run reports and navigate within the log journals.
ObserveIT provides coverage across all types of user sessions: any network protocol, any user type, any platform.
Each log entry is tied to a video replay, for bulletproof evidence. Here we see what this looks like for a Windows user session…
… and in Unix, a similar video replay is also available, including summary of each user command.
ObserveIT uses secondary user credentials when a user logs on with a generic shared user account, such as ‘administrator’. This makes sure that each session can be associated with an actual person, not just a group or job function.
As each user logs on, you can present them with a policy message, to verify awareness of recording activity or other policy rules.
Session playback is available in real time, while the user is still logged on.
The report generator includes pre-built compliance reports, and these reports can be customized according to content inclusion and delivery options.
ObserveIT gives you the platform to fulfill your compliance regulations without infringing on employee privacy. This is achieved via a number of security and privacy-ensuring features. Double passwords allow you to make sure that employee actions cannot be viewed without a proper valid reason and process escalation. Policy rules within ObserveIT allow you to separate out private apps such as email and chat so that they are not recorded, or to focus recording ONLY on your sensitive business apps. And user messaging allows you to keep employees in the loop about exactly what is being recorded and what isn’t.
You have a variety of regulations that must be balanced: privacy vs. compliance. Both must be upheld, without one affecting the other.