ObserveIT Customer presentation

ObserveIT:
User Activity Monitoring
Your Name
YourEmail@observeit.com

November 2011

Copyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com
www.observeit.com

ObserveIT -
Software that acts like a security camera on your servers!

 Video recording of all user activity

 Analysis of video to generate text audit logs

(even for apps that have no internal logging!)

3 Copyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com

400+ Enterprise Customers: Key Industries
Manufacturing Financial Telecommunications

Utilities / Public Services

Healthcare / Pharma

IT Services

Retail / Service

Gaming


Business challenges that ObserveIT solves

Remote Vendor Compliance & Root Cause Analysis &
Monitoring Security Accountability Documentation


An Analogy
Bank Branch Office Bank Computer Servers

They both hold money.
They both have Access Control.
The branch also has security cameras. The servers do not.


Companies invest a lot in controlling user access.
But once users gain access…
…there is little knowledge of
who they are and what they do!


“
Less than 1% of data
breaches are discovered

”
via log analysis.

“
If there is one positive note,
it’s that discovery through log analysis
has dwindled down towards 0%,
so things are only looking up from here.

”

Check out Event Viewer on your computer:
Can you ‘discover’ what you just did 5 minutes ago?

• Thousands of log entries…
• …lots of arcane technical details…
• …But nothing actually shows what the user did!

Don’t blame your log analysis tools for not
finding something that you yourself can’t
find (even with a head-start)!


I don’t have a log analysis
problem…. I’ve got a SIEM
The picture isn’t quite
as rosy as you think.


SIEM Tools have Blindspots (But don’t blame your SIEM!!!)

What logs do these apps produce?
Desktop Apps Text Editors All these apps either:
• Firefox / Chrome / IE • vi Don’t have any logs
• MS Excel / Word • Notepad
• Outlook
-OR-
• Skype Only have technical debug logs
Admin Tools
Remote / Virtualization • Registry Editor
• Remote Desktop • SQL Manager / Toad
• VMware vSphere • Network Config

Blindspots are NOT an inherent problem in SIEM...
…They are caused by what we feed the SIEM


Wouldn’t you rather be shown this?


Our intuitive approach

Video Capture

Video
Shared-user Analysis
Video
Identification Session
Recording
List of
‘Admin‘ apps, files, UR
= Alex Ls
accessed

Logs on as ‘Administrator’
IT
Alex the
Corporate
Admin
Server
WHO is doing
Cool!
WHAT on our
servers???
Audit Report
Database

Named User Video Text Log
Alex Play! App1, App2

Sam the
Security Officer

Copyright © 2011 ObserveIT Ltd. – Commercially Confidential 13
www.observeit.com

Our intuitive approach

Video Capture

Video
Shared-user Every Protocol! Analysis
Video
Identification Session
Recording
List of apps,
‘Admin‘ files, URLs
= Alex accessed

IT
Alex the
Corporate
Admin
Server

Cool!
Audit Report
Audit Report
Database
Database

Patent-pending
video storage:
Named User Video Text Log
Alex Low-footprint
Play! App1, App2

Sam the
Security Officer

Copyright © 2011 ObserveIT Ltd. – Commercially Confidential 14
www.observeit.com

System Logs are like Fingerprints
They show the results/outcome
of what took place

User Audit Logs are like Video Recordings
They show what exactly what
took place!

Both are valid…Both are important…
…But the video log goes right to the point!

Demo Links
Powerpoint demo: Click here to show

LIVE DEMO Live hosted demo: http://demo.observeit.com
Internal demo: http://184.106.234.181:4884/ObserveIT
YouTube demos:
English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1
Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1
Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1
French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1


Business challenges & Customer use-cases

Remote / 3rd-Party Compliance & Root Cause Analysis &
Vendor Auditing Security Accountability Documentation

• Impact human behavior • Reduce compliance costs • Immediate root cause
• Transparent SLA and billing • Eliminate audit blindspots determination
• Eliminate ‘Finger pointing’ • Satisfy PCI, HIPAA, SOX, ISO • Documenting best-practices and
corporate processes


3rd Party Vendor Auditing

• Instant Accountability!
– Know exactly what 3rd party vendors are doing
• Impact human behavior
– Do you speed when you know there are radar cameras?
• Transparent SLA and Billing Validation
– No doubts about what was done and for how long
• No more ‘Finger pointing’
– Quickly find and fix problems

3rd-Party Vendor Monitoring


Turnkey solution for auditing remote users

• Route 3rd party users
– Video audit of every action

Internet

Remote
Users

ObserveIT
Video
Audit

• Policy & Support Ticket Messaging
– Impacting human behavior
– SLA clarity
NOTE: PCI-DSS compliance regulations
require that user activity be audited.

All activity during this login session will
be recorded. Please confirm that you
are aware that you are being recorded.

3rd-Party Vendor Monitoring


ObserveIT Compliance Coverage

Compliance Requirements ObserveIT Solution

• Assign unique ID to each person • ObserveIT Secondary Identification
with computer access
(ex: PCI Requirement 8)

• Track all access to network • ObserveIT Session Recording
resources and sensitive data

• Maintain policies that addresses • ObserveIT Policy Messaging
information security
Compliance Accountability


But I like my SIEM tool!

So do we!


ObserveIT Video and Logs in CA UARM


ObserveIT Video and Logs in Splunk


DEPLOYMENT SCENARIO OPTIONS


Standard Agent-Based Deployment

ObserveIT
Agents

Internet ObserveIT
Management Database
Remote Server Server
Users

Metadata Logs
& Video Capture

Local
Login

Desktop User Session
Audit Data


Gateway Deployment (Agent-less) User Session
Audit Data

Corporate Servers
(no agent installed)
PuTTY Published Apps

Terminal Server
or Citrix Server ObserveIT Corporate Desktops
Agent (no agent installed)

Internet

Remote ObserveIT
Users
Management Database
Server Server

Metadata Logs
& Video Capture

• Agent is deployed on gateway
only. Records all sessions
routed via that gateway.


Hybrid Deployment User Session
Audit Data

• Gateway agent audits all users
routed via the gateway (no Any Corporate Server
matter what target network (no agent installed)
resource)

Terminal Server
or Citrix Server

Corporate Desktops
(no agent installed)
Internet
• Additional agent deployment
ObserveIT
Remote and local users
Agent
on sensitive production
servers for more depth of
coverage
Direct login
(not via gateway)
ObserveIT
Agent Sensitive production servers
(agent installed)

ObserveIT
Management Database
Server Server

Metadata Logs
& Video Capture


SYSTEM ARCHITECTURE


ObserveIT Architecture User Session
Audit Data

ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


ObserveIT Architecture:
Management Server • ASP.NET application in IIS
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB
Server
• Communicates with Agents for config updates

ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


• Installed on each monitored server
ObserveIT Architecture: • Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse
Agent movement, text typing, etc.). No recording takes place while
user is idle
• Communicates with Mgmt Server via HTTP on customizable
port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering
ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


How the Windows Agent Works

Synchronized capture via
Active Process of OS

Screen Captured metadata & image
Capture packaged and sent to Mgmt
Server for storage
Real-time

User action
triggers Agent Metadata
capture Capture
URL
User logon wakes Window Title
up the Agent Etc.


How the Linux/Unix Agent Works

User-mode executable that
bound to every secure shell
or telnet session

CLI I/O Captured metadata & I/O
Capture packaged and sent to
Mgmt Server for storage
Real-time

TTY CLI activity
triggers Agent Metadata
capture Capture
System Calls
User logon wakes Resources Effected
up the Agent Etc.


ObserveIT Architecture: • ASP.NET application in IIS
Web Console • Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for
limiting access to sensitive data

ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


Database Server • Microsoft SQL Server database
• Stores all config data, metadata and screenshots
• All connections via standard TCP port 1433

ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


• Text metadata logs for all apps (including those with
SIEM/BI Integration no internal logs) can be accessed by any SIEM collector
• BI systems can analyze and correlate based on specific
user action
• Video replay of each action is correlated to the textual
logs, giving more detailed evidence of activity

ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


System Integration • AD integration for user validation and user group
policy management
• Network Mgmt integration for system alerts and
updates based on user activity

ObserveIT
Agents
ObserveIT
Web Console

ObserveIT
Management Database
Server Server
Remote
Users

Metadata Logs
& Video Capture

Local
Login

Network
Desktop AD SIEM BI
Mgmt


KEY FEATURES:
WHAT MAKES OBSERVEIT GREAT


Generate logs for every app
(Even those with no internal logging!!)

WHAT DID THE USER DO?
A human-understandable list
of every user action

Cloud-based app: Salesforce.com

System utilities: GPO, Notepad

Legacy software: financial package


Video analysis generates intelligent text metadata
for Searching and Navigation

ObserveIT captures:
• User
• Server
•ObserveIT captures
Date
• User,Launched
App Server, Date,
•App Launched, Files
Files opened
• URLs
opened, URLs, window
• Window underlying
titles and titles
• Underlyingcalls
system system calls

Launch video replay
at the precise
location of interest


Recording Everything: Complete Coverage

Telnet

Windows Console
(Ctrl-Alt-Del) Unix/Linux Console

• Agnostic to network protocol and client application
• Remote sessions and also local console sessions
• Windows, Unix, Linux


Logs tied to Video recording: Windows sessions
Audit Log USER SESSION REPLAY:
Bulletproof forensics for
security investigation
Replay Window

CAPTURES ALL ACTIONS:
Mouse movement, text
entry, UI interaction,
window activity

PLAYBACK NAVIGATION:
Move quickly between
apps that the user ran


Logs tied to Video recording: Unix/Linux sessions
Audit Log

List of each
user command

Replay Window

Exact video playback
of screen


Privileged/Shared User Identification

ObserveIT requires
named user account
User logs on as generic credentials prior to
“administrator” granting access to
system

Each session audit is now
tagged with an actual name:
Login userid: administrator
Actual user: Daniel

Active Directory used
for authentication


Policy Messaging

Send policy and status
NOTE: PCI-DSS compliance regulations updates to each user exactly
require that user activity be audited.
when they log in to server
All activity during this login session will
be recorded. Please confirm that you
are aware that you are being recorded.

Capture optional user
feedback or ticket # for
detailed issue tracking

Ensure that policy standards
are understood and explicitly
acknowledged


Real-time Playback

On-air icon launches
real-time playback

View session activity
“live", while users are
still active


Report Automation:
Pre-built and custom compliance reports
Schedule reports to run
automatically for email delivery
in HTML, XML and Excel

Canned compliance audits
and build-your-own
investigation reports

Design report according to precise
requirements: Content
Inclusion, Data Filtering, Sorting and
Grouping

Double-password privacy assurance:
Complies with employee privacy mandates
Two passwords:
One for Management.
Second for union rep or
legal council.

Textual audit logs to be accessed by
compliance officers for security
audits, but video replay requires
employee council authorization (both
passwords)


API Interface
Control ObserveIT Agent via
scripting and custom DLLs within
your corporate applications

Start, stop, pause and resume recorded
sessions based on custom events based on
process IDs, process names or web URLs


Robust Security

 Agent ↔ Server communication
• AES Encryption - Rijndael
• Token exchange
• SSL protocol (optional)
• IPSec tunnel (optional)
 Database storage
• Digital signatures on captured sessions
• Standard SQL database inherits your enterprise
data security practices
 Watchdog mechanism
• Restarts the Agent if the process is ended
• If watchdog process itself is stopped, Agent
triggers watchdog restart
• Email alert sent on any watchdog/agent
tampering


Recording Policy Rules

Determine what apps to
record, whether to record
metadata, and specify
stealth-mode per user

Granular include/exclude
policy rules per
server, user/user group or
application to determine
recording policy


Pervasive User Permissions
 Granular permissions /
access control
• Define rules for each user
• Specify which sessions the user may playback

 Permission-based filtering
affects all content access
• Reports
• Searching
• Video playback
• Metadata browsing

 Tight Active-Directory
integration
• Manage permissions groups in your native AD
repository

 Access to ObserveIT Web
Console is also audited
• ObserveIT audits itself

 Satisfies regulatory compliance
requirements


CUSTOMER SUCCESS STORIES


HIPAA Compliance Auditing

Business Environment
Industry: Medical Equipment Manufacturer
Solution: Compliance Report Automation (HIPAA) • Medical imaging products (MRI, CT, US, X-Ray) deployed at hospitals and
Company: Toshiba Medical Systems medical centers worldwide
• Customer support process requires remote session access to deployed
systems

Challenge
• Strict HIPAA compliance regulations must be enforced and demonstrable
• In addition, SLA commitments require visibility of service times and
durations

Solution
• ObserveIT deployed in a Gateway architecture
• All access routed via agent-monitored Citrix gateway
• Actual systems being accessed remain agent-less
• Toshiba achieved 24x7 SLA reports, including granular incident
summaries
• Automatic generation of HIPAA regulatory documentation, led to
reduced compliance costs and improved customer (hospital) satisfaction


PCI Compliance at a Market Transaction Clearinghouse

Industry: Financial Services
Solution: Compliance Report Automation (PCI) • A major clearinghouse must provide concrete PCI documentation

Challenge
• Each audit report cycle was a major effort of log collection
• Audits were often judged incomplete when exact cause of
system change was unidentified

Solution
• Since deploying ObserveIT, audit reporting has become fully automated
• Zero audit rejects have occurred


Remote Vendor Monitoring at Coca-Cola

Industry: Food&Beverage Manufacturing
Solution: Remote Vendor Monitoring • Bottling and production line software for geographically diverse sites
Company: Coca-Cola • Centralized ERP platform for sales, fulfillment and compensation
• Many platforms supported by 3rd Party solution providers

“ As soon as vendors discovered
that all actions are being
Challenge
• Ensure 100% accountability for any system access violation
recorded, it became much • Eliminate downtime errors caused by inappropriate login usage
• Increase security of domain admin environment
easier to manage them.

Moti Landes
”
IT Infrastructure Manager and IT Div. CISO, Solution
Coca-Cola • ObserveIT deployed on all systems that are accessed via RDP by
remote vendors
• IT admins also monitored on sensitive domain admin servers
• As a result, Coca-Cola saw a significant decrease in system availability
issues caused by improper user actions


Medical Systems Remote Auditing

Industry: Medical Equipment Manufacturer
Solution: Remote Vendor Auditing • Corporate servers host business applications for both internal and
Company: Siemens Medical Instruments customer-facing solutions
• Servers are managed and accessed by various privileged user staff
members
• Access is also open to multiple external vendor contractors

“ Not only was ObserveIT able
to record every single user
Challenge
• Before ObserveIT, there was no practical way to log user activities on
session on the servers, the these servers.
recordings are also fully
indexed, allowing me to zoom
in on areas of interest.

Robert Ng,
Siemens
” Solution
• ObserveIT provides accountability of all internal and outsource vendor
admins
• Reporting and searching is used to focus on critical issues
• Fast deployment ensured quick and painless uptime:
“All we needed to do was to install a small agent on the servers to be
monitored and the recording starts immediately, without even requiring
any configuration and settings”


Customer Audits and ISO 27001 at BELLIN Treasury

Industry: Financial Software Services
Solution: Compliance Auditing • Hosted treasury software solutions deployed in 7 data centers
Company: Bellin Treasury worldwide for over 6,000 customers
• System support and development teams must access servers via RDP
• Customers demand precise audit validation on-demand

“ We enjoy showing off to our
customers that every user action
Challenge
• Proactively provide customers with evidence of bulletproof
audit trail process
is recorded. This increases • Satisfy the regulatory mandates of each of the customer environments
confidence all around. worldwide

Rick Beecroft,
”
Area Manager, Americas and Pacific Rim
Solution
BELLIN Treasury • ObserveIT deployed on all production servers worldwide
• One-time setup and hands-free operations keeps maintenance costs
down
• Customer satisifaction increased signficiantly
• Solution submitted as central part of ISO 27001 certification process


Remote Vendor Monitoring at LeumiCard

Solution: Remote Vendor Monitoring • LeumiCard’s highly-secured data center runs on several platforms, all
Company: LeumiCard with sensitive mission-critical applications.

“ This has dramatically
decreased the number of user
Challenge
• Operations and maintenance require system access by various
privileged internal users via RDP.
sessions on production • Corporate control reports require documentation of exactly what takes
machines. Users are more place on each production server, and to be able to explain why the
action was necessary.
likely to find an alternative
way to do their job via
secondary test servers, Solution
which means a reduced • Shared-account (administrator) users must provide secondary named-
user credentials from Active Directory
number of entries in my daily • User must acknowledge that s/he is aware that s/he is logging into a
control reports. production server.

”
Ofer Ben Artzy,
Manager of Infrastructure Systems
• Video recording captures a video replay of each user session.
• Daily email control reports are delivered automatically to each
manager, according to area of responsibility. Each of these managers
can then replay sessions that relate to their systems


ISO 27001 Compliance for Remote User Audits

Industry: Utilities / Construction
Solution: Compliance Report Automation (ISO 27001) • Large government and corporate customers demand ISO compliance
Company: Electrotim • Mission-critical ERP platform managed by an external service provider
• Corporate philosophy focuses on “safety, certainty and high standards”

“ Implementation has been
dictated to prevent problems
Challenge
• Compliance requirements call for monitoring and logging the activities
of all external users who access the network
with third parties having
access to our IT system.

Przemysław Jasioski
IT Department Manager,
” Solution
Elektrotim • ObserveIT was deployed on corporate servers and TS machines
• Combination of visual screenshots plus full indexing of text is used for
easy searching
• Secure logging of all access to the system by remote connection
• Fast access to the logs during the examination of each incident


Remote Admin User Monitoring

Solution: Remote Vendor Monitoring • Payment transaction platform distributed across Europe
Company: VocaLink • Supporting 60,000 ATM machines
• Clearing 90,000,000 transactions per day

Challenge
• Control access to system resources, including shared privileges between
two merged corporate entities during period of merger
• Achieve common system management and visibility

Solution
• 2008: ObserveIT deployed to monitor and audit server activity during
corporate merger
• 2009: Successful visibility results from merger activity lead to
system-wide deployment


Privileged User Auditing

Industry: Healthcare IT
• Web-based system connects families with a range of health, social
Solution: Privileged User Auditing
service and other federal and state support programs
Company: Center to Promote HealthCare Access
• Deployed and managed on 93 servers and 91 workstations across 3
geographically separated data centers

“ This is critical for keeping our
servers up and running, and Challenge
also to answer management’s • The Center is dedicated to providing usability, ease of access and
needs to demonstrate responsiveness, without compromising any aspects of data security or
compliance. compliance.

“ ”
We still need to document
• Given the sensitivity of personal heath records data and the internal and
government regulations regarding data access compliance, The Center
sought to augment its security with an auditing solution that would detail
every server access by IT all data and server access
Admins and internal staff
developers. Solution

”
Vinay Singh
IT Operations Manager
• Peace-of-mind from knowing exactly what developers and admins are
doing
• Immediate fulfillment of compliance usage reports
• Faster response time to system faults


Reducing Errors Caused by 3rd Party Vendors

Industry: Telecommunications
Solution: Root-Cause Analysis + Vendor Monitor • 1200-server IT environment in 3 hosting centers
Company: Pelephone • Business applications (Billing, CRM, etc.) and Customer-facing
applications (Revenue generating mobile services)

“ Since we deployed
ObserveIT, users are much
more careful with their server
Challenge
• Maintain QoS with multiple 3rd party apps
• Track activities of privileged vendor access
activity. Knowing that your
actions can be replayed has a
remarkable effect. Solution

Isaac Milshtein
”
Director, IT Operations,
• ObserveIT initially deployed on 5 internal business app servers, and
resolves high-visibility outage on mission-critical app: Identified
improper actions by outsource vendor.
Pelephone • ObserveIT next is deployed on entire IT platform
• ObserveIT integrated into CA environment
• Multiple customer-facing outages solved
• Positive ROI via elimination of revenue losses from service outages
• Vendor billing decreased once they realized they were being recorded


Managed Services Monitoring at an IT Services Firm

Industry: IT Services
Solution: Managed Services Monitoring • IT support vendor provides system management services for over
40 major Global 1000 clients

Challenge
• Each customer has different connection protocol requirements
(some via VNC, some via RDP, some via Citrix, etc.)

Solution
• After deploying ObserveIT on an outgoing gateway, all sessions on
customer servers are recorded
• Since deployment, there have been fewer accusations from customers
regarding system problems
• For the few issues that were raised, the vendor immediately provided
recordings that proved that all actions were proper


Thank You!

www.observeit.com

Employee Privacy Policy
in Europe
How ObserveIT complies

www.observeit.com

Balancing Employee Privacy vs. Audit Compliancy

Privacy Requirements Compliancy Requirements

User Consent

Wide scope of
Separation of personal Secure Storage & User Accountability
activity logging
communications Limited Access

DPD 95/46/EC (EU) PCI-DSS
Human Rights Act (UK) ISO 27001
BDSG (Germany) SOX
CNIL (France) FSA


ObserveIT is fully compliant with privacy law

• Double-passwords ensure both audit completeness and
employee privacy
– Management holds one password, employee council / union holds the second password
– Granular deployment allows textual audit logs to be accessed by compliance officers
(without the second password), but video replay requires employee council
authorization (both passwords)

• Policy Rules eliminate monitoring for private
communications
– Include/Exclude granularity to capture only what is necessary for compliancy

• User policy messaging and consent validation
– Users indicate awareness of monitoring activity each time they log on to a monitored
server


For more information...

• See our Whitepaper on Employee Privacy issues:
http://observeit-sys.com/Support/Whitepapers?req=privacy


ObserveIT Customer presentation

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (12)

Ähnlich wie ObserveIT Customer presentation

Ähnlich wie ObserveIT Customer presentation (20)

ObserveIT Customer presentation

Hinweis der Redaktion