ObserveIT Customer presentation

  • Today, I’ll be presenting ObserveIT’s solution for user activity monitoring. I’ll demonstrate how ObserveIT brings a new approach to auditing user actions. It’s not about more logs; it’s about a brand new kind of logging, which gives full coverage where existing logs fail.
  • A quick word about what our product is: the ObserveIT software solution works like a security camera on your servers. It does this via 2 primary features. First, it captures a video recording of every user action, which is bulletproof evidence of activity. Second, it analyzes this video to extract details about exactly what took place, generating a detailed text audit log of the apps, windows, files, and URLs accessed.
  • We have a wide range of high-profile companies among our customers. This covers a range of key industries, including Financial, Retail, Manufacturing, Utilities and Telecommunications.
  • These customers are using ObserveIT for three main business purposes. Remote Vendor Monitoring – keeping an eye on what 3rd party users are doing when they connect to your network. Compliance Accountability – making sure that you can truly answer government / corporate compliancy questions: “Who did What?” Root Cause Analysis – getting to the root of what caused system changes or downtime, and documenting every system process. I’ll explore each of these in more detail after you see the product in action…
  • I want to highlight exactly why this concept of ‘security camera’ is so important, especially for monitoring remote users. Let’s consider an analogy. Consider a bank… On the left we have a branch office, on the right we have the bank’s servers. They both hold a lot of money… (The server holds a lot more, by the way.) (click) Both of these parts of the bank have a method of access control. (Some are friendlier than others… Some are more effective than others… but it still is the same idea.) We know exactly what that looks like in both cases. (click) But here is where the analogy breaks down. Because at the branch office, they back up the access control with security cameras. But on the servers, very often they do not.
  • The real issue, and the real reason we need a brand new approach to log analysis, came through loud and clear in the most recent Data Breach Investigations Report from the US Secret Service, Dutch High Tech Crime Division and Verizon, which analyzed thousands of data breaches worldwide. The most glaring statistic that jumped out of this report was that log analysis is successful at detecting data breaches only 1% of the time!!! That’s an outrageously low number. The report even went on to give an almost sarcastic view of the state of affairs: It’s good news, cuz we can only get better now! If it wasn’t so sad, it would be funny.
  • Why is it that log analysis is failing us, despite all our investments in log management infrastructure? Well, to put our finger on the issue, just ask yourself if you can discover what you did on your computer over the past 5 minutes… Check out Event Viewer… Can you retrace your steps? You get thousands of log entries, but nothing really points to what took place. Well, how can we expect log analysis tools to succeed where we ourselves can’t… even with a head start!
  • Often, we get the impression that SIEM tools are meant to overcome this problem. But that assumption is glossing over the ugly truth…
  • A SIEM is only as good as the logs you feed it… If an app doesn’t produce a log for some action, then it just won’t appear in the SIEM audit log. There are many, many apps that don’t produce any logs at all, or produce ugly debug logs that have no audit value.
  • So, as we saw when we looked at Event Viewer 2 minutes ago, it’s just not realistic to expect anyone or any audit software to be able to piece together the past based only on debug logs. The most obvious way to overcome this problem is to show, in the most straightforward way possible: “This is what the user did”… Here, he checked this checkbox… That’s all! Nice and easy. That one click happened to generate 25 different system log and config management triggers... None of which would tell us the simple truth! But seeing it happen makes it completely obvious.
  • So, this is ObserveIT’s intuitive approach: Today, we have an IT admin logging on to our servers, using generic IDs such as ‘Administrator’ or ‘dba’. (click) At the same time, Sam the Security Officer is asking: Who is doing What? (click) Adding ObserveIT, the situation becomes much more clear. First of all, ObserveIT provides Shared-User Identification. So now, we know that this ‘Admin’ is really ‘Alex’. (click) Next, ObserveIT steps in with video recording of every user action, as if looking over Alex’s shoulder while he is working. The result is a video recording that can easily be played back. (click) And even more, ObserveIT then analyzes this video session… We extract all the details of what Alex did… The apps he ran, files he opened, and more. (click) These three pieces of information: user identification, video capture, and video metadata are then collected in a centralized audit database. (click) This of course makes Sam very happy.
  • By the way, ObserveIT does this for every access protocol or platform, including RDP, SSH, Citrix, VDIs and more… (click) And the video storage is highly optimized based on screenshot deltas, making for very efficient storage and low database size requirements.
  • And that’s because the system logs are like fingerprints. They show the results of what took place, but not the actual actions!
  • So let’s dive in and see how ObserveIT overcomes these problems.
  • Point to the Server Diary Tab. Point
  • Same with the Linux infraction…. We see all the system calls, and we can replay the full TTY screen I/O.
  • Now, I want to clarify that ObserveIT complements your existing SIEM or Log Management products…
  • Here are a few examples. Here we see ObserveIT logs, as presented within CA’s UARM product…
  • And here the ObserveIT logs are presented within Splunk.
  • There are 2 ways that you can deploy ObserveIT…
  • The first is the standard deployment according to the architecture that we’ve seen so far… An agent is installed on each server that is being monitored, which feeds log data to the management server.
  • A second deployment option is via a gateway server. If users are accessing your servers via a gateway, you can deploy a gateway-based agent only, which then captures the user actions that go through that gateway to each corporate server.
  • ObserveIT’s flexibility allows you to deploy both ways simultaneously… A gateway for full network coverage for all standard user access… Plus agents on specific sensitive servers that require more detailed audit.
  • Note that each option has its benefits. One additional strength of ObserveIT is that you can utilize both scenarios simultaneously: Deploy a gateway for centralized access for all remote users… (thus capturing everything that they do, on every server)… And also deploy an agent on key production servers that require additional monitoring of all internal and direct access sessions.
  • Let’s take a look at the system architecture….
  • The central piece of the architecture is the Management Server, which collects activity monitoring info, analyzes it, and sends it on to the DB…
  • The info is coming from agents deployed on each server….
  • Let’s see in detail how that works… A user logs in to a server. That action wakes up the agent, which remains completely inactive when there is no current user login. Then, any user action will trigger the agent to capture log info… Actions can be mouse movement, keyboard typing, UI interaction, CLI commands, etc. In real time, the agent captures the screen, and also extracts the textual metadata, and packages that up to deliver to the Mgmt Server.
  • In Unix, the process is quite similar, with the key differences being how the agent is bound to the session, and how the underlying system calls are captured.
  • So, let’s see a run-through of ObserveIT’s most important features…
  • First off, as we’ve already seen, ObserveIT generates detailed user activity logs for all applications run. This includes apps that don’t have their own internal logging.
  • Each log entry includes rich metadata, which makes it easy to search, run reports and navigate within the log journals.
  • ObserveIT provides coverage across all types of user sessions: any network protocol, any user type, any platform.
  • Each log entry is tied to a video replay, for bulletproof evidence. Here we see what this looks like for a Windows user session…
  • … and in Unix, a similar video replay is also available, including a summary of each user command.
  • ObserveIT uses secondary user credentials when a user logs on with a generic shared user account, such as ‘administrator’. This makes sure that each session can be associated with an actual person, not just a group or job function.
  • As each user logs on, you can present him with a policy message, to verify awareness of recording activity or other policy rules.
  • Session playback is available in real time, while the user is still logged on.
  • The report generator includes canned pre-built compliance reports… And these reports can be customized according to content inclusion and delivery options.
  • ObserveIT gives you the platform to fulfill your Compliancy regulations, without infringing on employee privacy. This is achieved via a number of security and privacy-ensuring features. Double passwords allow you to make sure that employee actions cannot be viewed without the proper valid reason and process escalation. Policy rules within ObserveIT allow you to separate out private apps such as email and chat to not be recorded, or to focus recording ONLY on your sensitive business apps. And user messaging allows you to keep employees in the loop about exactly what is being recorded and what isn’t.
  • You have a variety of regulations that must be balanced: Privacy vs. Compliancy. Both must be upheld, without one affecting the other.
  • ObserveIT Customer presentation

    1. ObserveIT: User Activity Monitoring. Your Name, YourEmail@observeit.com, November 2011. Copyright © 2011 ObserveIT Ltd. – Commercially Confidential. www.observeit.com
    2. ObserveIT - Software that acts like a security camera on your servers! • Video recording of all user activity • Analysis of video to generate text audit logs (even for apps that have no internal logging!)
    3. 400+ Enterprise Customers: Key Industries. Manufacturing; Financial; Telecommunications; Utilities / Public Services; Healthcare / Pharma; IT Services; Retail / Service; Gaming.
    4. Business challenges that ObserveIT solves: Remote Vendor Monitoring; Compliance & Security Accountability; Root Cause Analysis & Documentation.
    5. An Analogy: Bank Branch Office vs. Bank Computer Servers. They both hold money. They both have Access Control. The branch also has security cameras. The servers do not.
    6. Companies invest a lot in controlling user access. But once users gain access… …there is little knowledge of who they are and what they do!
    7. “Less than 1% of data breaches are discovered via log analysis.” “If there is one positive note, it’s that discovery through log analysis has dwindled down towards 0%, so things are only looking up from here.”
    8. Check out Event Viewer on your computer: Can you ‘discover’ what you just did 5 minutes ago? • Thousands of log entries… • …lots of arcane technical details… • …But nothing actually shows what the user did! Don’t blame your log analysis tools for not finding something that you yourself can’t find (even with a head-start)!
    9. I don’t have a log analysis problem… I’ve got a SIEM. The picture isn’t quite as rosy as you think.
    10. SIEM Tools have Blindspots (But don’t blame your SIEM!!!) What logs do these apps produce? Desktop Apps: Firefox / Chrome / IE, MS Excel / Word, Outlook, Skype. Text Editors: vi, Notepad. Admin Tools: Registry Editor, SQL Manager / Toad, Network Config. Remote / Virtualization: Remote Desktop, VMware vSphere. All these apps either: don’t have any logs -OR- only have technical debug logs. Blindspots are NOT an inherent problem in SIEM... …They are caused by what we feed the SIEM.
    11. Wouldn’t you rather be shown this?
    12. Our intuitive approach. [Diagram: Alex the IT Admin logs on to the Corporate Server as ‘Administrator’. Shared-user Identification (‘Admin’ = Alex), Video Capture (Video Session Recording) and Video Analysis (list of apps, files, URLs accessed) feed the Audit Report Database (Named User: Alex; Video: Play!; Text Log: App1, App2). Sam the Security Officer: “WHO is doing WHAT on our servers???” … “Cool!”]
    13. Our intuitive approach. [Diagram as on slide 12, with two added callouts: “Every Protocol!” on Video Capture, and “Patent-pending video storage: Low-footprint” on the Audit Report Database.]
    14. System Logs are like Fingerprints: they show the results/outcome of what took place. User Audit Logs are like Video Recordings: they show exactly what took place! Both are valid… Both are important… …But the video log goes right to the point!
    15. Demo Links. Powerpoint demo: Click here to show LIVE DEMO. Live hosted demo: http://demo.observeit.com Internal demo: http://184.106.234.181:4884/ObserveIT YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1 Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1 Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1 Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1 French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1
    16. Business challenges & Customer use-cases. Remote / 3rd-Party Vendor Auditing: • Impact human behavior • Transparent SLA and billing • Eliminate ‘Finger pointing’. Compliance & Security Accountability: • Reduce compliance costs • Eliminate audit blindspots • Satisfy PCI, HIPAA, SOX, ISO. Root Cause Analysis & Documentation: • Immediate root cause determination • Documenting best-practices and corporate processes.
    17. 3rd Party Vendor Auditing • Instant Accountability! – Know exactly what 3rd party vendors are doing • Impact human behavior – Do you speed when you know there are radar cameras? • Transparent SLA and Billing Validation – No doubts about what was done and for how long • No more ‘Finger pointing’ – Quickly find and fix problems. (3rd-Party Vendor Monitoring)
    18. Turnkey solution for auditing remote users • Route 3rd party users – Video audit of every action [Diagram: Internet, Remote Users, ObserveIT Video Audit] • Policy & Support Ticket Messaging – Impacting human behavior – SLA clarity. Sample message: “NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.” (3rd-Party Vendor Monitoring)
    19. ObserveIT Compliance Coverage (Compliance Requirement: ObserveIT Solution). • Assign unique ID to each person with computer access (ex: PCI Requirement 8): ObserveIT Secondary Identification • Track all access to network resources and sensitive data (ex: PCI Requirement 10): ObserveIT Session Recording • Maintain policies that address information security (ex: PCI Requirement 12): ObserveIT Policy Messaging. (Compliance Accountability)
    20. But I like my SIEM tool! So do we!
    21. ObserveIT Video and Logs in CA UARM
    22. ObserveIT Video and Logs in Splunk
    23. DEPLOYMENT SCENARIO OPTIONS
    24. Standard Agent-Based Deployment. [Diagram labels: Remote Users (Internet); Local Login; Desktop; ObserveIT Agents; User Session Audit Data (Metadata Logs & Video Capture); ObserveIT Management Server; Database Server]
    25. Gateway Deployment (Agent-less). [Diagram labels: Remote Users (Internet); Terminal Server or Citrix Server with ObserveIT Agent (PuTTY, Published Apps); Corporate Servers (no agent installed); Corporate Desktops (no agent installed); User Session Audit Data (Metadata Logs & Video Capture); ObserveIT Management Server; Database Server] • Agent is deployed on gateway only. Records all sessions routed via that gateway.
    26. Hybrid Deployment • Gateway agent audits all users routed via the gateway (no matter what target network resource) • Additional agent deployment on sensitive production servers for more depth of coverage. [Diagram labels: Remote and local users (Internet); Terminal Server or Citrix Server with ObserveIT Agent; Any Corporate Server (no agent installed); Corporate Desktops (no agent installed); Direct login (not via gateway); Sensitive production servers (agent installed) with ObserveIT Agent; User Session Audit Data (Metadata Logs & Video Capture); ObserveIT Management Server; Database Server]
    27. SYSTEM ARCHITECTURE
    28. ObserveIT Architecture. [Architecture diagram labels: Remote Users; Local Login; Desktop; ObserveIT Agents; User Session Audit Data (Metadata Logs & Video Capture); ObserveIT Management Server; Database Server; ObserveIT Web Console; AD; SIEM; BI; Network Mgmt]
    29. ObserveIT Architecture: Management Server • ASP.NET application in IIS • Collects all data delivered by the Agents • Analyzes and categorizes data, and sends to DB Server • Communicates with Agents for config updates. [Architecture diagram as on slide 28]
    30. ObserveIT Architecture: Agent • Installed on each monitored server • Agent becomes active only when user session starts • Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle • Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption • Offline mode buffers recorded info (customizable buffer size) • Watchdog mechanism prevents tampering. [Architecture diagram as on slide 28]
    31. ObserveIT Architecture: How the Windows Agent Works. User logon wakes up the Agent. User action triggers Agent capture. Real-time Screen Capture and Metadata Capture (URL, Window Title, etc.). Synchronized capture via Active Process of OS. Captured metadata & image packaged and sent to Mgmt Server for storage.
    32. ObserveIT Architecture: How the Linux/Unix Agent Works. User-mode executable that is bound to every secure shell or telnet session. User logon wakes up the Agent. TTY CLI activity triggers Agent capture. Real-time CLI I/O Capture and Metadata Capture (System Calls, Resources Affected, etc.). Captured metadata & I/O packaged and sent to Mgmt Server for storage.
    33. ObserveIT Architecture: Web Console • ASP.NET application in IIS • Primary interface for video replay and reporting • Also used for configuration and admin tasks • Web console includes granular policy rules for limiting access to sensitive data. [Architecture diagram as on slide 28]
    34. ObserveIT Architecture: Database Server • Microsoft SQL Server database • Stores all config data, metadata and screenshots • All connections via standard TCP port 1433. [Architecture diagram as on slide 28]
    35. ObserveIT Architecture: SIEM/BI Integration • Text metadata logs for all apps (including those with no internal logs) can be accessed by any SIEM collector • BI systems can analyze and correlate based on specific user action • Video replay of each action is correlated to the textual logs, giving more detailed evidence of activity. [Architecture diagram as on slide 28]
    36. ObserveIT Architecture: System Integration • AD integration for user validation and user group policy management • Network Mgmt integration for system alerts and updates based on user activity. [Architecture diagram as on slide 28]
    37. KEY FEATURES: WHAT MAKES OBSERVEIT GREAT
    38. Generate logs for every app (Even those with no internal logging!!) WHAT DID THE USER DO? A human-understandable list of every user action. Cloud-based app: Salesforce.com. System utilities: GPO, Notepad. Legacy software: financial package.
    39. Video analysis generates intelligent text metadata for Searching and Navigation. ObserveIT captures: • User • Server • Date • App launched • Files opened • URLs • Window titles • Underlying system calls. Launch video replay at the precise location of interest.
    40. Recording Everything: Complete Coverage. [Screenshots: Telnet; Windows Console (Ctrl-Alt-Del); Unix/Linux Console] • Agnostic to network protocol and client application • Remote sessions and also local console sessions • Windows, Unix, Linux
    41. Logs tied to Video recording: Windows sessions. [Screenshot: Audit Log and Replay Window] USER SESSION REPLAY: Bulletproof forensics for security investigation. CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity. PLAYBACK NAVIGATION: Move quickly between apps that the user ran.
    42. Logs tied to Video recording: Unix/Linux sessions. Audit Log: List of each user command. Replay Window: Exact video playback of screen.
    43. Privileged/Shared User Identification. User logs on as generic “administrator”. ObserveIT requires named user account credentials prior to granting access to system. Each session audit is now tagged with an actual name: Login userid: administrator; Actual user: Daniel. Active Directory used for authentication.
    44. Policy Messaging. Send policy and status updates to each user exactly when they log in to server. Sample message: “NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.” Capture optional user feedback or ticket # for detailed issue tracking. Ensure that policy standards are understood and explicitly acknowledged.
    45. Real-time Playback. On-air icon launches real-time playback. View session activity “live”, while users are still active.
    46. Report Automation: Pre-built and custom compliance reports. Schedule reports to run automatically for email delivery in HTML, XML and Excel. Canned compliance audits and build-your-own investigation reports. Design report according to precise requirements: Content Inclusion, Data Filtering, Sorting and Grouping.
    47. Double-password privacy assurance: Complies with employee privacy mandates. Two passwords: One for Management. Second for union rep or legal counsel. Textual audit logs to be accessed by compliance officers for security audits, but video replay requires employee council authorization (both passwords).
    48. API Interface. Control ObserveIT Agent via scripting and custom DLLs within your corporate applications. Start, stop, pause and resume recorded sessions based on custom events based on process IDs, process names or web URLs.
    49. Robust Security. Agent ↔ Server communication: • AES Encryption - Rijndael • Token exchange • SSL protocol (optional) • IPSec tunnel (optional). Database storage: • Digital signatures on captured sessions • Standard SQL database inherits your enterprise data security practices. Watchdog mechanism: • Restarts the Agent if the process is ended • If watchdog process itself is stopped, Agent triggers watchdog restart • Email alert sent on any watchdog/agent tampering.
    50. Recording Policy Rules. Determine what apps to record, whether to record metadata, and specify stealth-mode per user. Granular include/exclude policy rules per server, user/user group or application to determine recording policy.
    51. Pervasive User Permissions. Granular permissions / access control: • Define rules for each user • Specify which sessions the user may playback. Permission-based filtering affects all content access: • Reports • Searching • Video playback • Metadata browsing. Tight Active-Directory integration: • Manage permissions groups in your native AD repository. Access to ObserveIT Web Console is also audited: • ObserveIT audits itself. Satisfies regulatory compliance requirements.
    52. 52. CUSTOMER SUCCESS STORIESCopyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com
    53. 53. HIPAA Compliance Auditing Business EnvironmentIndustry: Medical Equipment ManufacturerSolution: Compliance Report Automation (HIPAA) • Medical imaging products (MRI, CT, US, X-Ray) deployed at hospitals andCompany: Toshiba Medical Systems medical centers worldwide • Customer support process requires remote session access to deployed systems Challenge • Strict HIPAA compliance regulations must be enforced and demonstrable • In addition, SLA commitments require visibility of service times and durations Solution • ObserveIT deployed in a Gateway architecture • All access routed via agent-monitored Citrix gateway • Actual systems being accessed remain agent-less • Toshiba achieved 24x7 SLA reports, including granular incident summaries • Automatic generation of HIPAA regulatory documentation, led to reduced compliance costs and improved customer (hospital) satisfaction67 Copyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com
    54. 54. PCI Compliance at a Market Transaction Clearinghouse Business EnvironmentIndustry: Financial ServicesSolution: Compliance Report Automation (PCI) • A major clearinghouse must provide concrete PCI documentation Challenge • Each audit report cycle was a major effort of log collection • Audits were often judged incomplete when exact cause of system change was unidentified Solution • Since deploying ObserveIT, audit reporting has become fully automated • Zero audit rejects have occurred68 Copyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com
    55. 55. Remote Vendor Monitoring at Coca-Cola Business Environment Industry: Food&Beverage Manufacturing Solution: Remote Vendor Monitoring • Bottling and production line software for geographically diverse sites Company: Coca-Cola • Centralized ERP platform for sales, fulfillment and compensation • Many platforms supported by 3rd Party solution providers “ As soon as vendors discovered that all actions are being Challenge • Ensure 100% accountability for any system access violation recorded, it became much • Eliminate downtime errors caused by inappropriate login usage • Increase security of domain admin environment easier to manage them. Moti Landes ” IT Infrastructure Manager and IT Div. CISO, Solution Coca-Cola • ObserveIT deployed on all systems that are accessed via RDP by remote vendors • IT admins also monitored on sensitive domain admin servers • As a result, Coca-Cola saw a significant decrease in system availability issues caused by improper user actions69 Copyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com
    56. Medical Systems Remote Auditing
        Industry: Medical Equipment Manufacturer
        Solution: Remote Vendor Auditing
        Company: Siemens Medical Instruments
        Business Environment
        • Corporate servers host business applications for both internal and customer-facing solutions
        • Servers are managed and accessed by various privileged user staff members
        • Access is also open to multiple external vendor contractors
        Challenge
        • Before ObserveIT, there was no practical way to log user activities on these servers.
        “Not only was ObserveIT able to record every single user session on the servers, the recordings are also fully indexed, allowing me to zoom in on areas of interest.” Robert Ng, Siemens
        Solution
        • ObserveIT provides accountability of all internal and outsource vendor admins
        • Reporting and searching is used to focus on critical issues
        • Fast deployment ensured quick and painless uptime: “All we needed to do was to install a small agent on the servers to be monitored and the recording starts immediately, without even requiring any configuration and settings”
    57. Customer Audits and ISO 27001 at BELLIN Treasury
        Industry: Financial Software Services
        Solution: Compliance Auditing
        Company: Bellin Treasury
        Business Environment
        • Hosted treasury software solutions deployed in 7 data centers worldwide for over 6,000 customers
        • System support and development teams must access servers via RDP
        • Customers demand precise audit validation on-demand
        Challenge
        • Proactively provide customers with evidence of bulletproof audit trail process
        • Satisfy the regulatory mandates of each of the customer environments worldwide
        “We enjoy showing off to our customers that every user action is recorded. This increases confidence all around.” Rick Beecroft, Area Manager, Americas and Pacific Rim, BELLIN Treasury
        Solution
        • ObserveIT deployed on all production servers worldwide
        • One-time setup and hands-free operations keep maintenance costs down
        • Customer satisfaction increased significantly
        • Solution submitted as central part of ISO 27001 certification process
    58. Remote Vendor Monitoring at LeumiCard
        Industry: Financial Services
        Solution: Remote Vendor Monitoring
        Company: LeumiCard
        Business Environment
        • LeumiCard’s highly-secured data center runs on several platforms, all with sensitive mission-critical applications.
        Challenge
        • Operations and maintenance require system access by various privileged internal users via RDP.
        • Corporate control reports require documentation of exactly what takes place on each production server, and to be able to explain why the action was necessary.
        “This has dramatically decreased the number of user sessions on production machines. Users are more likely to find an alternative way to do their job via secondary test servers, which means a reduced number of entries in my daily control reports.” Ofer Ben Artzy, Manager of Infrastructure Systems
        Solution
        • Shared-account (administrator) users must provide secondary named-user credentials from Active Directory
        • User must acknowledge that s/he is aware that s/he is logging into a production server.
        • Video recording captures a video replay of each user session.
        • Daily email control reports are delivered automatically to each manager, according to area of responsibility. Each of these managers can then replay sessions that relate to their systems
    59. ISO 27001 Compliance for Remote User Audits
        Industry: Utilities / Construction
        Solution: Compliance Report Automation (ISO 27001)
        Company: Elektrotim
        Business Environment
        • Large government and corporate customers demand ISO compliance
        • Mission-critical ERP platform managed by an external service provider
        • Corporate philosophy focuses on “safety, certainty and high standards”
        Challenge
        • Compliance requirements call for monitoring and logging the activities of all external users who access the network
        “Implementation has been dictated to prevent problems with third parties having access to our IT system.” Przemysław Jasioski, IT Department Manager, Elektrotim
        Solution
        • ObserveIT was deployed on corporate servers and TS machines
        • Combination of visual screenshots plus full indexing of text is used for easy searching
        • Secure logging of all access to the system by remote connection
        • Fast access to the logs during the examination of each incident
    60. Remote Admin User Monitoring
        Industry: Financial Services
        Solution: Remote Vendor Monitoring
        Company: VocaLink
        Business Environment
        • Payment transaction platform distributed across Europe
        • Supporting 60,000 ATM machines
        • Clearing 90,000,000 transactions per day
        Challenge
        • Control access to system resources, including shared privileges between two merged corporate entities during period of merger
        • Achieve common system management and visibility
        Solution
        • 2008: ObserveIT deployed to monitor and audit server activity during corporate merger
        • 2009: Successful visibility results from merger activity lead to system-wide deployment
    61. Privileged User Auditing
        Industry: Healthcare IT
        Solution: Privileged User Auditing
        Company: Center to Promote HealthCare Access
        Business Environment
        • Web-based system connects families with a range of health, social service and other federal and state support programs
        • Deployed and managed on 93 servers and 91 workstations across 3 geographically separated data centers
        Challenge
        • The Center is dedicated to providing usability, ease of access and responsiveness, without compromising any aspects of data security or compliance.
        • Given the sensitivity of personal health records data and the internal and government regulations regarding data access compliance, The Center sought to augment its security with an auditing solution that would detail every server access by IT Admins and internal staff developers.
        “This is critical for keeping our servers up and running, and also to answer management’s needs to demonstrate compliance.” “We still need to document all data and server access” Vinay Singh, IT Operations Manager
        Solution
        • Peace-of-mind from knowing exactly what developers and admins are doing
        • Immediate fulfillment of compliance usage reports
        • Faster response time to system faults
    62. Reducing Errors Caused by 3rd Party Vendors
        Industry: Telecommunications
        Solution: Root-Cause Analysis + Vendor Monitor
        Company: Pelephone
        Business Environment
        • 1200-server IT environment in 3 hosting centers
        • Business applications (Billing, CRM, etc.) and Customer-facing applications (Revenue generating mobile services)
        Challenge
        • Maintain QoS with multiple 3rd party apps
        • Track activities of privileged vendor access
        “Since we deployed ObserveIT, users are much more careful with their server activity. Knowing that your actions can be replayed has a remarkable effect.” Isaac Milshtein, Director, IT Operations, Pelephone
        Solution
        • ObserveIT initially deployed on 5 internal business app servers, and resolves high-visibility outage on mission-critical app: Identified improper actions by outsource vendor.
        • ObserveIT next is deployed on entire IT platform
        • ObserveIT integrated into CA environment
        • Multiple customer-facing outages solved
        • Positive ROI via elimination of revenue losses from service outages
        • Vendor billing decreased once they realized they were being recorded
    63. Managed Services Monitoring at an IT Services Firm
        Industry: IT Services
        Solution: Managed Services Monitoring
        Business Environment
        • IT support vendor provides system management services for over 40 major Global 1000 clients
        Challenge
        • Each customer has different connection protocol requirements (some via VNC, some via RDP, some via Citrix, etc.)
        Solution
        • After deploying ObserveIT on an outgoing gateway, all sessions on customer servers are recorded
        • Since deployment, there have been fewer accusations from customers regarding system problems
        • For the few issues that were raised, the vendor immediately provided recordings that proved that all actions were proper
    64. Thank You!
    65. Employee Privacy Policy in Europe: How ObserveIT complies
    66. Balancing Employee Privacy vs. Audit Compliancy
        Privacy Requirements vs. Compliancy Requirements
        • User Consent
        • Wide scope of activity logging
        • Separation of personal communications
        • Secure Storage & Limited Access
        • User Accountability
        Privacy: DPD 95/46/EC (EU), Human Rights Act (UK), BDSG (Germany), CNIL (France)
        Compliancy: PCI-DSS, ISO 27001, SOX, FSA
    67. ObserveIT is fully compliant with privacy law
        • Double-passwords ensure both audit completeness and employee privacy
          – Management holds one password, employee council / union holds the second password
          – Granular deployment allows textual audit logs to be accessed by compliance officers (without the second password), but video replay requires employee council authorization (both passwords)
        • Policy Rules eliminate monitoring for private communications
          – Include/Exclude granularity to capture only what is necessary for compliancy
        • User policy messaging and consent validation
          – Users indicate awareness of monitoring activity each time they log on to a monitored server
    69. For more information...
        • See our Whitepaper on Employee Privacy issues: http://observeit-sys.com/Support/Whitepapers?req=privacy
