ObserveIT:
User Activity Monitoring

Mark Kreymer
mark@observeit.com
June, 2013

DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Presentation from one of the remarkable IT Security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.

Published in: Technology, Business

  1. ObserveIT: User Activity Monitoring. Mark Kreymer, mark@observeit.com, June 2013. Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com
  2. ObserveIT: software that acts like a security camera on your servers!
     • Video camera: recordings of all user activity
     • Summary of key actions: alerts for problematic activity
  3. 700+ Enterprise Customers: Healthcare / Pharma, Financial, Telco & Media, Manufacturing, Retail / Service, Utilities / Logistics / Energy, IT Services / Technology, Government, Gaming
  4. Worldwide Presence (customer list by country, as laid out on the slide): France: CG61, S2IH, BOUYGUES TELECOM, Societe Generale, Groupama Asset Management (GAM). Spain: Banco Espirito Santo S.A., CECA (Confederación Española de Cajas de Ahorros), BBVA, Caja Madrid. Canada: Bell Canada, Quebec Loto, Bellin Treasury Services Ltd., Toronto Hydro, Transat A.T. Inc., Atlantic Lottery Corporation (ALC). UK, Germany, Norway, Estonia: UK Payments Administration Ltd, Sanofi Aventis, VTS Estonian Security, BlackRock, HSH Nordbank, Police Board, QinetiQ, Boehringer Ingelheim GmbH. Switzerland: Vocalink UK, AGRAVIS Raiffeisen AG, BCN, Friends Provident, Deutsche Telekom AG, Bank Vontobel AG, Hyperion Insurance Group, Schweizerische Bundesbahnen (SBB), LCH.Clearnet Ltd. Luxemburg: Swiss Federal Railway, BSkyB, Sky Network Service, TELINDUS Luxembourg, ZKB, Xtrakter Ltd, Corner Banca SA, Opal Telecom Ltd, Banca del Sempione, Talk Talk Technology (Carphone CPWN). Liechtenstein: Banca Euromobiliare Suisse, BNP Paribas Real Estate Advisory (UK), LGT Financial Services, BancaStato, VTB Capital plc, Baillie Gifford & Co. Italy: Heritage Group LTD, Vodafone (Italy), ELECTRONIC'S TIME SRL, Allianz SPA, ING Lease Italia S.p.A., UBI Banca Sistemi&Servizi, Xerox s.p.a. Poland: Podkarpacki Oddział Wojewódzkiego Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie, Elektrotim S.A., Inteligo Financial Services S.A. Czech Republic, Hungary, Greece: GE Money Bank, Wizz Air hol. Croatia, Slovenia, Cyprus: T-Mobile Croatia, OTP, Zavarovalnica Triglav d.d, Raiffeisen banka d.d., SEM Ltd. Slovakia: Tatra Banka a.s. South Korea, Japan: Mitsubishi Information. USA: Trend Micro Inc., Shumway Capital Partners, LLC, Spoken Communications, University Health Systems of Eastern Carolina, Casino Arizona, CDW, Dimension Data Americas (USA), CSX Technology, PGE - Portland General Electric, Cisco (Webex), St. Jude Medical, UPS, Disney, IBM, Newegg, Spring Branch Independent School District, Sony, British Petroleum (BP), SUNY Downstate, Washington University, Western Governors University, Kroll Ontrack, BNP Paribas, StrataCare, LLC., Societe Generale (USA), MFS Investment Management, Fort McDowell Enterprises, CHARLES SCHWAB & CO, Aastra, Cost Plus World Market (CPWM). Samsung Networks Korea, Yonsei Hospital, GS Caltex, Defense Acquisition Program Administration. China, Taiwan, Trinidad & Tobago, Bolivia, Turkey: PETROTRIN, Telecel S.A. TIGO. Chile: Nexus. Argentina: Nuevo Banco del Chaco S.A. Angola: Banco Nacional de Angola. Chad: MIC Chad, Ltd. TIGO. South Africa: Derivco (PTY) Ltd., Ubank, MultiChoice Africa (Pty) Ltd., Clicks Group Ltd., Truworths, South Africa. Tanzania: MIC Tanzania, Ltd. TIGO. Turkcell, ANADOLU SIGORTA, Vakifbank, Yasar Factoring, T.C. Ziraat Bankası. Israel, Qatar: Taiwan Railways Administration, MOTC, Taiwan Accreditation Foundation (TAF), Taiwan Mobile, Ministry of Education, China Construction Bank, China Mobile Group Guangdong Co., ShinseiBank, Tesco China, China Foreign Exchange Trade System National Interbank Funding Center, The Hong Kong Jockey Club, DMX. India: HDFC Bank Ltd., iYogi, HCL, Wipro, Excellence, Nessua, QFC Regulatory Authority, Yes, Court of the Crown Prince (CPC), Leumi Bank, Financial Centre Authority, Harel Insurance, Hapoalim Bank. United Arab Emirates: Ayalon Insurance, First Gulf Bank. Australia: Pelephone, Metito Overseas Ltd., Woodside Energy Ltd, Comverse, AHI Carrier Fzc, Australian Stock Exchange, Zim, Netstar Logicalis, Clal Insurance, Bezeq, Visa, Coca Cola, Orange, First International Bank, Bank Discount, Ministry of Interior. Philippines: Asian Development Bank. Singapore: BT Frontline, Siemens Medical, Singapore Post, Singapura Finance, UOB, Shimano
  5. Business challenges that ObserveIT addresses
     • Remote Vendor Monitoring: impact human behavior; transparent SLA and billing; eliminate ‘finger pointing’
     • Compliance & Security Accountability: reduce compliance costs for GETTING compliant and STAYING compliant; satisfy PCI, HIPAA, SOX, ISO
     • Root Cause Analysis & Documentation: immediate root-cause answers; document best-practices
  6. An Analogy: Bank Branch Office vs. Bank Computer Servers. Companies invest in access control, but once users gain access there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials.) They both hold money… they both have access control… here (the branch office) they also have security cameras… here (the servers) they don’t!
  7. Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT). Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) “I don’t have this problem. I’ve got log analysis!” “The picture isn’t quite as rosy as you think.”
  8. Can you tell what happened here? Wouldn’t it be easier with a ‘Replay Video’ button? Video Replay shows exactly what happened.
  9. And many commonly used apps don’t even have their own logs!
     • DESKTOP APPS: Firefox / Chrome / IE; MS Excel / Word; Outlook; Skype
     • REMOTE & VIRTUAL: Remote Desktop; VMware vSphere
     • ADMIN TOOLS: Registry Editor; SQL Manager; Toad; Network Config
     • TEXT EDITORS: vi; Notepad
  10. System Logs are like Fingerprints: they show the results/outcome of what took place. User Audit Logs are like Surveillance Recordings: they show exactly what took place! “Both are valid… but the video log goes right to the point!”
  11. Our Solution
     • 1: Video Capture: video session recording
     • 2: Video Content Analysis: list of apps, files, URLs accessed
     • 3: Shared-user Identification: ‘Admin’ = Alex (Alex the IT Admin logs on as ‘Administrator’ on a corporate server or desktop)
     Diagram labels: Audit Reporting DB & SIEM Log Collector; User Alex; Video Play!; Text Log App1, App2; Sam the Security Officer: “WHO is doing WHAT on our network??? … Cool! Now I know.”
  12. Demo Links (LIVE DEMO): Live hosted demo: http://demo.observeit.com. YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1; Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
  13. DEPLOYMENT SCENARIO OPTIONS
  14. Standard Agent-based Deployment
     ObserveIT Agents:
     • Agent installed on each monitored machine
     • Agent becomes active only when user session starts
     • Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
     • Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
     • Offline mode buffers recorded info (customizable buffer size)
     • Watchdog mechanism prevents tampering
     ObserveIT Management Server:
     • ASP.NET application in IIS
     • Receives session data from Agents; collects all data delivered by the Agents
     • Analyzes and categorizes data, and sends to DB Server
     • Communicates with Agents for config updates
     ObserveIT Web Console:
     • ASP.NET application in IIS
     • Primary interface for video replay and reporting
     • Also used for configuration and admin tasks
     • Accessed by ObserveIT audit and administrator users
     • Web console includes granular policy rules limiting access to sensitive data
     Database Server (Data Storage):
     • Microsoft SQL Server database
     • Stores all config data, metadata and screenshots (or optional file-system for storage)
     • All connections via standard TCP port 1433
     Diagram labels: Remote Users; Local Login; Desktop; Metadata Logs & Video Capture; AD; Network Mgmt; SIEM; BI. Open API and Data Integration: standards-based, simple integration
  15. Gateway Jump-Server Deployment: remote and local users (corporate desktops and Internet, no agent installed) connect via SSH / PuTTY / MSTSC to a Gateway Server with the ObserveIT Agent installed; corporate servers have no agent installed. Sessions report to the ObserveIT Management Server.
  16. Hybrid Deployment: remote and local users (corporate desktops and Internet, no agent installed) connect via SSH / PuTTY / MSTSC to a Gateway Server with the ObserveIT Agent installed; corporate servers have no agent installed. In addition, direct login (not via gateway) to sensitive production servers, which have the agent installed. Sessions report to the ObserveIT Management Server.
  17. Gateway Jump-Server Deployment (multi-customer): remote and local users over the Internet connect via SSH / PuTTY / MSTSC to a Gateway Server with the ObserveIT Agent installed; Customer #1, Customer #2 and Customer #3 servers have no agent installed. Sessions report to the ObserveIT Management Server.
  18. Citrix Published Apps Deployment: Remote Access to a Citrix Server running the ObserveIT Agent, which serves the Published Apps; sessions report to the ObserveIT Management Server.
