Three sentences summarizing the document:
The document discusses how user activity monitoring software from ObserveIT can help organizations prevent insider threats by collecting, detecting, and responding to suspicious user behavior and activity across employees, privileged users, third parties, and other user groups to gain visibility into potential insider risks before they become threats. ObserveIT provides real-time monitoring, user activity logs, session replay and shutdown, and integration with other security tools to help customers comply with regulations and secure systems like EHR platforms from insider data theft or misuse. The presentation includes examples of how ObserveIT has helped customers monitor privileged healthcare users and third party vendor access to detect policy violations and block negligent or malicious insider activities.
Prevent Insider Threats With User Activity Monitoring
1. Prevent Insider Threats With User Activity Monitoring
Presented by Matt Zanderigo, Product Marketing Manager, ObserveIT
INSIDER THREATS: OUT OF SIGHT, OUT OF MIND?
2. WHO IS OBSERVEIT?
HQ Boston, MA / R&D Tel Aviv, Israel
Founded 2006
1,200+ Customers Worldwide
$20M Invested by Bain Capital
The Leading Provider Of
User Activity Monitoring
To Prevent Insider Threats
3. Employee exposes rich clients' information online
Call-center workers sold customer data, fined $25M
Employee charged with stealing customer data
DBA account compromised leaves 78.8M affected
Third-party credentials stolen leaves 56M affected
Admin account compromised exposed 11M medical records
RECENT BREACHES INVOLVING INSIDERS
5. IT’S NOT AN INFRASTRUCTURE PROBLEM
“We realized that infrastructure monitoring alone was only giving us half the picture.”
Snir Hoffman, InfoSec Architect
8. PRIVILEGED USER MONITORING
Privileged user groups: UNIX / Linux, Windows, DBAs, Network, Help Desk, Programmers
Tools in use: Wireshark, PuTTY, Toad, RDP, WinSCP, Reg Editor, CMD, PowerShell, DR, Java, SSH, AD, SQL Plus
10. AUDIT AND COMPLIANCE
Internal Audits / Security Controls
Annual, Quarterly or Monthly
Regulatory Compliance
Security Frameworks
11. PREVENTING INSIDER THREATS WITH OBSERVEIT
Collect / Detect / Respond
• User Behavior Analytics
• Activity Alerting
• Visual Recording
• User Activity Logs
• Live Session Replay
• Shutdown Sessions
CLEAR PICTURE OF THE RISK USERS PRESENT
DETECT INSIDER RISK BEFORE IT BECOMES A THREAT
STOP USERS FROM PUTTING YOUR BUSINESS AT RISK
17. CUSTOMER EXAMPLES
Monitoring Privileged Users for PCI/SOX
Monitoring privileged users with access to over 60 PCI/SOX applications
Real-time monitoring of unauthorized account creation and firewall changes
Integrated with Lieberman Password Vault
Remove Vendor Access to ERP
Audit third-party ERP solution provider
Monitor internal IT administrators' activities
Deter negligent third-party activities
18. EHR System (EPIC) & PHI Servers
If an employee views the patient record of another hospital employee
If a doctor, nurse, pharmacist, etc. views the record of a patient not under their care
If a doctor, nurse, pharmacist, etc. views the record of a high-profile patient (VIP)
Policy Quoting & Claims Handling
App data extraction (exporting reports, large copy operations)
Unnecessarily accessing sensitive files (view/open/save/export)
Business claims employees viewing personal claims information
CUSTOMER EXAMPLES
Today we are going to talk about why user activity monitoring is the most effective way to combat insider threats.
All five of this year's largest breaches involved insiders
Morgan Stanley insider exposes rich clients' info online
AT&T fined $25 million after call-center workers sold customer data
Ex-JPMorgan Employee Charged With Stealing Customer Data
What did we learn from these?
Insiders already have credentialed access to network and services
Increased use of applications that can leak data (e.g. Web Email, Drop Box, WeTransfer)
Increased amount of data that leaves protected boundary / perimeter
Most security controls are looking at the perimeter trying to prevent outsiders from coming in.
3 out of 4 Security professionals say they Can’t distinguish between legitimate business use and abuse
Crowd-based research in cooperation with the 260,000+ member Information Security Community
Fraud
SoD violations
Financial Systems
ERP
CRM
Call Centers
Custom Apps
Data Leaks
“Snooping”
Customer data
PII /PHI / PCI
Employee Turnover / New Hires
HR Watch list
Layoffs
Two weeks notice
Remote Workers
IP Theft
E-mail and instant messaging
Thumb drive
Exporting & Printing Reports
Large copy paste operations
Sharing sensitive files on P2P networks
Unauthorized Changes
Entitlement changes
Creation of Local Accounts
Password resets
Abusing Privileges
Admin / “Root” logins
Lateral Movement
‘rm’ ‘cp’ with ‘sudo’
Creating “backdoors”
‘leapfrog’ logins
Unnecessary Access
Unauthorized access
Unsecure ‘shell’
Unapproved ‘setuid’
Handing out root privileges like after-dinner mints
Monitoring Privileged Users is a key part of a Privileged Identity Management initiative. Let’s explore the three major components of Privileged Identity Management:
Provisioning & Governance
Controlling the complete lifecycle of who has access to your critical systems is essential, and that is where provisioning comes in. The ability to report on who has access to these systems is where governance solutions come in.
Password Vaults
We all know how important protecting privileged account passwords is and this is where Password Vaults come in. We all know how dangerous it is when privileged users are using sticky notes to remember admin passwords for shared accounts.
User Monitoring
Controlling who has access is absolutely a critical need, and protecting the passwords is also critically important, but both lack the ability to monitor and audit what users actually do with the access and passwords they have. Further, password vaults introduce increased complexity and single points of failure, and because of this they are often deployed to protect only a select number of servers.
ObserveIT fills a critical missing component required to meet compliance regulations, detect and stop data breaches, and deter careless and malicious activity: monitoring all privileged users, with the ability to extend this visibility easily to your entire user population.
Integrations
ObserveIT integrates with provisioning and password vaults to provide monitoring of all user activity and behavior across the entire lifecycle of your privileged users.
Consultants seem the same as IT Services (DT, KPMG, Accenture, TATA) – IT Services is Consulting per project
IT Outsourcing (Dell, IBM, Wipro, Fujitsu) – Outsourcing the Staffing of Bodies for long term contracts
Managed Service Providers (CSC, IBM,
Keep off shore as it is a very common use case.
Keep Contractors as a general. Just change the IT Services to Managed Services
Abnormal Remote Access
Using shared accounts through Terminal Services, Citrix and GoToMyPC
“leapfrog” to a more restricted machine
VPN, RDP, Telnet, SSH during non-business hours
Unauthorized Changes
Configuration files
Entitlement changes
Domain Admin rights
su or sudo commands
Creation of Local Accounts
DROP TABLE or DROP INDEX command
Password resets
Unscheduled Tasks
Installing applications (TeamViewer)
Installing “backdoors”
“Snooping” or viewing information they shouldn’t be
Data exfiltration
Exporting reports
large copy operations
It’s hard to distinguish abuse from legitimate use
3 out of 4 Security professionals say they Can’t distinguish between legitimate business use and abuse
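The indicators listed above (off-hours remote access, su/sudo use, local account creation, password resets, destructive SQL) translate directly into alerting rules. The following is an added example, not ObserveIT's code, that runs a few such rules over constructed user-activity log lines; the log format, the business-hours window and the rule names are assumptions for the example.

```python
# Added example (not ObserveIT code): rule-based alerting over constructed
# user-activity log lines of the kind the deck describes.
import re
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <channel> <action>"
SAMPLE_LOG = """\
2015-06-02T03:12:44 jdoe ssh sudo rm /srv/backups/db.dump
2015-06-02T10:05:10 asmith rdp net user backup_svc * /add
2015-06-02T11:20:31 dba1 sqlplus DROP TABLE claims_archive
2015-06-02T14:02:07 jdoe rdp copy C:\\Reports\\q2.xlsx E:\\
2015-06-02T22:47:59 vendor7 vpn login
2015-06-02T09:30:00 hdesk2 console passwd alice
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, assumed for the example

# Each rule is a name plus a predicate over (hour, channel, action).
RULES = [
    ("off_hours_remote_access",
     lambda h, ch, a: ch in {"vpn", "rdp", "ssh", "telnet"} and h not in BUSINESS_HOURS),
    ("privileged_delete_or_copy",
     lambda h, ch, a: re.search(r"\bsudo\s+(rm|cp)\b", a) is not None),
    ("local_account_creation",
     lambda h, ch, a: re.search(r"\b(useradd|net user .*/add)\b", a) is not None),
    ("password_reset",
     lambda h, ch, a: re.match(r"passwd\s+\w+", a) is not None),
    ("destructive_sql",
     lambda h, ch, a: re.search(r"\bDROP\s+(TABLE|INDEX)\b", a, re.I) is not None),
]

def parse_line(line):
    """Split one constructed log line into (timestamp, user, channel, action)."""
    ts, user, channel, action = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, channel, action

def evaluate(log_text):
    """Return [(user, rule_name, action)] for every line that trips a rule."""
    alerts = []
    for line in log_text.splitlines():
        ts, user, channel, action = parse_line(line)
        for name, pred in RULES:
            if pred(ts.hour, channel, action):
                alerts.append((user, name, action))
    return alerts

if __name__ == "__main__":
    for user, rule, action in evaluate(SAMPLE_LOG):
        print(f"{rule:26} {user:8} {action}")
```

The plain in-hours copy by jdoe produces no alert, which is the point the deck makes: a rule set like this flags the clearly abusive actions, but distinguishing legitimate use from abuse for ordinary data handling needs the session context and behavior analytics rather than keyword rules alone.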
ObserveIT is a software-only solution that is simple to deploy, operate and maintain:
Our agents are simple to install and do not require a reboot on install or on upgrade
We provide coverage for desktops, servers, jump servers, VDI/Citrix and remote access
All reporting, analysis and visual session replay is accessed via our web-based console
All data (videos and user activity logs) is stored in a database server, which provides easy integration into BI and SIEM/log management
“ObserveIT provides unparalleled visibility into what our privileged users are doing within our sensitive systems”
– Michael Holder, Global Head of IAM
“ObserveIT directly minimizes the risks associated with employee activity over a full range of our applications. Its full video recording and direct-access keyword search are amazing and unique.”
– Diego Hernan Pizolli, CISO
And these are just 4 examples of the over 1,200 customers we have using ObserveIT every day to identify and manage their user-based risk.