  • 1.
    IMPROVE DATA PROTECTION WITH USER ACTIVITY MONITORING
    Presented by Matt Zanderigo
  • 2.
  • 3.
    WHO IS OBSERVEIT?
    • HQ Boston, MA / R&D Tel Aviv, Israel
    • Founded 2006
    • 1,200+ Customers Worldwide
    • $20M Invested by Bain Capital
    The leading provider of User Activity Monitoring for Application Users, Admins and External Vendors
  • 4.
    Audit and Compliance
    WHAT'S BEING MONITORED
    Application Users
    External Vendors
    Privileged Users
    Regulations: SOX, EU Data Protection Reform, HIPAA
    • Healthcare (PHI) data
    • Customer (PII) data
    • Employee data
    • Company data
    • Financial data
    • Intellectual property
    • Sales & marketing data
  • 5.
    DATA EXPOSED THROUGH APPLICATIONS
    Headlines:
    "AT&T will pay $25 million after call-center workers sold customer data"
    "Morgan Stanley insider exposes rich clients' info online"
    "Ex-JPMorgan Employee Charged With Stealing Customer Data"
  • 6.
    APPS ARE THE WINDOW TO OUR MOST SENSITIVE DATA:
    • Healthcare (PHI) data
    • Customer (PII) data
    • Employee data
    • Company data
    • Financial data
    • Intellectual property
    • Sales & marketing data
    WHAT DOES THE USER SEE?
  • 7.
    (Diagram: Systems / Front End / Data / Application)
    IT Users: maintain backend application systems, DBs, and infrastructure for business users
      Risks
      • Remote Access
      • Configuration Changes
      • Audit & Compliance
    Business Users: use a variety of applications every day to drive business
      Risks
      • App Data Extraction
      • Shadow IT
      • Audit & Compliance
    TODAY'S RISK OF DATA EXPOSED THROUGH APPLICATIONS:
  • 8.
    95% BUSINESS USERS
    5% IT USERS
    84% of insider-based breaches involve users with no admin rights
    BUSINESS USERS OUTNUMBER IT ADMINISTRATORS BY 20:1
  • 9.
    HERE'S THE PROBLEM:
    Unified logging for all apps
    Access to view information
    Shadow IT
    • Remote Workers
    • Employee Turnover
    • Layoffs
    • Two weeks notice
    • HR watch list
  • 10.
    RELYING ON LOGS DOESN'T CUT IT
    INTERNAL AUDITS
      Takes staff a long time to review each log
      Reduced audit times by correlating events with video-like playback in plain English
    DATA SECURITY
      Each log is different for each application
      Instantly detect changes in actual user behavior that warrant investigation
    FORENSIC INVESTIGATIONS
      Homegrown / web apps don't produce logs
      Isolate users, systems and data in real time and historically with detailed forensic data
  • 11.
    WHY DATA LOSS PREVENTION SOFTWARE FALLS SHORT
    (Diagram: Firewall / IDS / IAM / SIEM; Systems / Front End / Data / Application; App Users / Contractors / IT Users; DLP)
  • 12.
    RISKY APP SCENARIOS
    • Employee scanning unnecessary customer records in call center
    • Employees viewing personal claims information for business claims clients
    • Employee views the record of a patient not under their care
    • Employee views the record of high-profile customers (VIP)
  • 13.
    (Capability diagram)
    Record User Activity
    Video-like Playback
    User Activity Logs
    Profile User Behavior
    Rule-Based Analytics
    Report & Audit
    Instant Notification
    Real-Time Drill Down
    Kill Sessions
  • 14.
    ONE SCREEN CAPTURE IS WORTH A THOUSAND LOGS
    RECORD USER ACTIVITY
  • 15.
    REPORT & AUDIT
    CUT AUDIT AND REPORTING EFFORTS IN HALF
  • 16.
    EVENT AND ACTIVITY API
    • Real-time event and activity stream via direct DB connection
    • Supports all user activities, alerts and system events
    • Fully supported and documented API
  • 17.
    LEARN ABOUT INSIDER RISKS BEFORE THEY BECOME A REAL THREAT
    Real-time Alerts
    • Who?
    • Did what?
    • On which computer?
    • When?
    • From which client?
    Setting Severity
    Notification Policies
    INSTANT NOTIFICATION
  • 18.
    Window Title: Break-Glass Scenario
    "Are you sure you want to view another employee of the hospital's medical records?"
  • 19.
    Window Title: Trade Confirmation
    "Are you sure you want to process ticket for trade #2334323?"
  • 20.
    Application Process: Exporting .XML
  • 21.
    Application Name: Fiserv Case Management / Transaction Tracking
  • 22.
    Application Name: ClaimCenter / Claim Management
  • 23.
    Window Title: Customer Order #
  • 24.
    Visited URL: Facebook.com / Pastebin
  • 25.
    EMAIL NOTIFICATIONS
  • 26.
    INTEGRATION WITH SIEM
    Native HP ArcSight integration via CEF file format
    Export alert data to SIEM (all formats)
  • 27.
BRIEF DEMONSTRATION
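As an added example (not ObserveIT's own code, which the slides do not show), the following Python models the alert rule fields the deck describes (who, did what, on which computer, when, from which client), a per-rule severity, and the notification policy of immediate email for important alerts versus a periodic digest for less critical ones. Field names, the rule set and the sample activity events are assumptions constructed for illustration; the hour window is allowed to wrap past midnight so that an after-hours rule covers both evening and early-morning activity.

```python
"""Added example (not ObserveIT's code): rule-based user activity alerting
plus immediate-vs-digest notification routing. All names, rules and
events are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import re


@dataclass(frozen=True)
class Event:
    user: str
    group: str        # e.g. "call-center", "it-admin", "clinical"
    activity: str     # "visited_url", "viewed_record", "exported_file", ...
    detail: str       # URL, record id, file name or window title
    computer: str     # machine the activity happened on
    client: str       # client machine or address the session came from
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str                                # "high" -> immediate mail, else digest
    activity: str                                # WHAT: activity type watched
    pattern: str                                 # WHAT: regex tested against Event.detail
    groups: Optional[frozenset[str]] = None      # WHO: user groups, None = anyone
    computers: Optional[frozenset[str]] = None   # ON WHICH COMPUTER, None = any
    weekdays: Optional[frozenset[int]] = None    # WHEN: 0=Mon .. 6=Sun, None = any day
    hours: Optional[tuple[int, int]] = None      # WHEN: [start, end) hour, may wrap midnight
    clients: Optional[frozenset[str]] = None     # FROM WHICH CLIENT, None = any

    def in_hours(self, hour: int) -> bool:
        if self.hours is None:
            return True
        start, end = self.hours
        if start <= end:
            return start <= hour < end
        return hour >= start or hour < end       # e.g. (19, 7): evening through early morning

    def matches(self, e: Event) -> bool:
        if e.activity != self.activity or not re.search(self.pattern, e.detail, re.I):
            return False
        if self.groups is not None and e.group not in self.groups:
            return False
        if self.computers is not None and e.computer not in self.computers:
            return False
        if self.weekdays is not None and e.when.weekday() not in self.weekdays:
            return False
        if self.clients is not None and e.client not in self.clients:
            return False
        return self.in_hours(e.when.hour)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    who: str
    did_what: str
    on_computer: str
    when: datetime
    from_client: str


def evaluate(events, rules):
    """Run every rule over every event; one Alert per (event, rule) match."""
    return [Alert(r.name, r.severity, e.user, f"{e.activity}: {e.detail}",
                  e.computer, e.when, e.client)
            for e in events for r in rules if r.matches(e)]


def route(alerts):
    """Notification policy: high severity is mailed at once, the rest is
    batched into a periodic alert digest."""
    buckets = {"immediate": [], "digest": []}
    for a in alerts:
        buckets["immediate" if a.severity == "high" else "digest"].append(a)
    return buckets


def at(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


RULES = [  # constructed rule set
    Rule("Paste site visited", "high", "visited_url", r"pastebin\.com"),
    Rule("After-hours XML export", "high", "exported_file", r"\.xml$", hours=(19, 7)),
    Rule("Social media during shift", "low", "visited_url", r"facebook\.com",
         groups=frozenset({"call-center"})),
    Rule("Employee medical record viewed", "high", "viewed_record", r"^EMP-",
         groups=frozenset({"clinical"}), computers=frozenset({"WARD-PC-03"})),
]

EVENTS = [  # constructed sample activity log
    Event("alice", "call-center", "visited_url", "https://pastebin.com/raw/abc", "CC-PC-07", "10.1.2.3", at("2015-06-16 10:15")),
    Event("bob", "call-center", "visited_url", "https://www.facebook.com/", "CC-PC-09", "10.1.2.5", at("2015-06-16 11:02")),
    Event("carol", "it-admin", "exported_file", "customers_2015.xml", "DB-SRV-01", "vpn-gw-2", at("2015-06-16 22:40")),
    Event("dave", "it-admin", "exported_file", "customers_2015.xml", "DB-SRV-01", "10.1.9.8", at("2015-06-16 14:00")),
    Event("erin", "clinical", "viewed_record", "EMP-1042", "WARD-PC-03", "10.2.0.4", at("2015-06-17 09:30")),
    Event("frank", "it-admin", "viewed_record", "EMP-1042", "WARD-PC-03", "10.2.0.4", at("2015-06-17 09:31")),
]

if __name__ == "__main__":
    for bucket, alerts in route(evaluate(EVENTS, RULES)).items():
        for a in alerts:
            print(f"[{bucket}] {a.rule}: {a.who} {a.did_what} on {a.on_computer} "
                  f"at {a.when:%a %H:%M} from {a.from_client}")
```

Running the sample yields three immediate alerts (the paste-site visit, the 22:40 XML export, and the clinical user opening an employee record) and one digest entry (the Facebook visit); the 14:00 export and the non-clinical user's record view match no rule, which is the point of scoping every rule by group, computer and time rather than by activity alone.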

Data Protection Webinar


Editor's Notes

  • #4 With ObserveIT, you're able to detect data misuse within sessions and visually see what the user is doing. So you'll know if users are "snooping" or viewing information they shouldn't be, like SS# and customer records, especially in applications that do not generate logs. To do this, ObserveIT screen scrapes all activity and indexes the textual information on the screen, so you can set up alerts and generate reports to audit how users are interacting with important data, as well as have a visual playback of exactly what each user did.
  • #5 Discuss how ObserveIT can help your organization with information security. Companies like Cigna, Morgan Stanley and Xerox use ObserveIT for forensic investigations, internal audits and detecting data misuse within core apps. This is critical for users who have access to core applications, for privileged users who support the data storage infrastructure, and for external vendors. Protects PCI and PII data in critical platforms (e.g. Fiserv (Signature), Jack Henry (Synergy), Bloomberg, SAP) through application user monitoring. Tracks privileged accounts to see if users are viewing information they shouldn't (customer records; third-party vendors like Cognizant & TCS). Meets compliance requirements by monitoring admin and third-party access to data (as required by FFIEC, SOX and PCI 3.0). Application User Monitoring: ObserveIT user activity monitoring provides visibility within applications so you have a complete audit trail and proactive detection of suspicious or out-of-policy user behavior. From large copy operations to exporting reports, you're able to proactively investigate data extraction processes, unnecessary access to information and the usage of unauthorized cloud applications (e.g. Dropbox, WeTransfer, SnagIt). Privileged User Monitoring: ObserveIT provides a complete privileged user monitoring solution that integrates with the other key components of a privileged identity management solution. Compliance regulations put stringent requirements on the ability to audit and report on privileged user activity given the access they have to critical sets of data (PHI, PII, employee data, company data, etc.). External Vendor Monitoring: External vendors are one of the highest-risk user groups that companies have to hold accountable and audit for compliance regulations. Whether third-party contractors are accessing via jump servers, Citrix, VPN or direct access, ObserveIT provides the audit, reporting and real-time analytics you need to leverage the benefit of contractors without sacrificing security, compliance or control. Underpinning all of these use cases is audit and compliance. Having a complete audit history of all user activity and real-time detection of user threats is a key requirement for meeting today's growing list of compliance needs.
  • #6 Wealth mgmt and AT&T data breach = Morgan Stanley: 350,000 wealth-management clients Gained access to the records by finding a way to run reports in the bank's wealth management software. The executive said Marsh did not hack into the system, but used it in a way he wasn't authorized to. "He just figured out how to do something he shouldn't have been doing," the executive said. He would not say what software program was used to run the report. "He figured out how to run internal reports on our systems and he downloaded them," the executive said. The information included names and account numbers, as well as some asset value and transactional information. AT&T: Multiple data breaches that leaked hundreds of thousands of customer records, including names, phone numbers and some Social Security numbers.
  • #7 Apps are the window to data. Window with healthcare, Fiserv and manu in each panel.
  • #8 Show house with a bunch of different windows. App front/back end slide (risks, scheduled time windows). Number of users. Less security aware. Number of apps. Can't limit apps (Alecto); use the WebEx and join.me example of trying to set up a simple call. Key challenges with apps:
  • #10 Only 29% of data breaches resulted from system glitches. Logging all apps (time to correlate and review logs for security, audits and investigations): takes staff a long time to review each log; each log is different for each application; homegrown apps don't produce logs. View info: needed to allow third-party access to Claims and other business process systems supporting PII business applications. Access to specific systems is not granular enough to enforce segregated access to PI and CI claim information. Shadow IT: it is impossible to manually track the activities of thousands, or tens of thousands, of business users, as opposed to a few dozen administrators. Business users are generally less security-aware than IT administrators. This makes them easier targets than administrators for hackers attempting to obtain network login credentials using phishing and other social engineering techniques. It is less practical to limit the types of applications that business users run on their computers than it is to do so on servers with administrators. There are many reasonable scenarios in which business users will need to use such applications to do their jobs. The danger lies in the fact that these applications are also prime avenues for exposing sensitive or regulated data to third parties.
  • #11 Avoid relying on sys logs from applications and devices that typically contain hundreds or thousands of discrete events in obscure technical language, making it nearly impossible to determine what a user actually did. You're flying blind, and existing tools don't work well or as they were intended. Why existing tools don't work and security analytic tools are garbage (data source is logs): looking at system data instead of what users are doing and trying to infer their actions. And data protection solutions fall short (can't stop, won't stop; DLP at the data level is dead, per Nimrod's RSA notes; at the network level it's not practical and cannot slow business down; Charlie and the Chocolate Factory, where they pick out bad eggs, but in reality looking at size on the network or file size determines whether all eggs are bad or not, and it's all or nothing). It's extremely difficult to know when users put your business at risk relying on log data: only 1% of data breaches are discovered by the victimized organization's log analysis and/or review process (Trustwave 2012 Global Security Report, February 2012). Time to correlate and review logs for security, audits and investigations: our customers find that we help them avoid relying on sys logs from applications and devices that typically contain hundreds or thousands of discrete events in obscure technical language, making it nearly impossible to determine what a user actually did. This is critical for Data Security, Internal Audits and Investigations. No visibility, staff hours, opportunity costs; inability to determine what happened in a timely manner; flying blind. Log blind spots: not generating enough data for apps (need to understand at a user level what's going on in order to properly protect data). Reviewing log files (obscure tech language; Boston Private challenge slide; no info for viewing information; lack of certain data is a huge blind spot). Show how one OIT screen capture is worth a thousand logs (thousands of events).
  • #12 And data protection solutions fall short (can't stop, won't stop; DLP at the data level is dead, per Nimrod's RSA notes; at the network level it's not practical and cannot slow business down; Charlie and the Chocolate Factory, where they pick out bad eggs, but in reality looking at size on the network or file size determines whether all eggs are bad or not, and it's all or nothing). Why existing tools don't work and security analytic tools are garbage (data source is logs): looking at system data instead of what users are doing and trying to infer their actions. Applications are the core of your business. You protect them with firewalls, IDSs, access control, and monitor everything with SIEM. THEN you give access to your users, like IT, contractors, and regular application users. And herein lies the problem. Your network isn't the ONLY network your users access. That means outsiders can use your employees or contractors as a gateway to access those assets you protected so well. Your users are gateways of risk.
  • #13 These are some examples of risky scenarios that will be detected: - Teller scanning many customer records while copying email addresses to the clipboard - SAP user running a report followed by a Printing or Email activity - Administrator viewing or changing a specific Registry Key name or value - Rapidly create a report of all customers viewed per rep – without an IT project!
  • #14 Data Leakage Protection Solution How does the product work with accessing certain applications or files, or areas within an application – how granular can we get, etc Use for applications installed and also web-based applications
  • #15 You'll know what's happening inside all of your applications, even applications that do not generate logs. There is a huge benefit to reviewing alerts visually. When reviewing alerts in Slideshow mode, you can immediately understand critical user context that is never available in log-based alerting systems: What other application data was the user exposed to? What other windows or applications were open? The state of the Windows taskbar including tray icons (is something missing or disabled?). On Unix/Linux: What were the previous commands that the user ran? What output did they produce? What does the shell prompt look like? As we say: one screenshot is worth a thousand logs! Generate our own logs across all apps. We capture all user activity regardless of where your users are or how they access applications, systems and data. We capture this activity in a video-like format: you SEE exactly what the users are doing. Video playback is great, but you can't sit there and watch hours of video, so we translate all user activity into User Activity Logs that you can search, report on and analyze.
  • #16 A dynamic report can automatically show all the sensitive data elements being viewed per user for each business application involved. In this mockup, John Smith viewed 2 customer records in Salesforce – and you can see the EXACT sensitive data that was viewed!
  • #17 New APIs allow SIEM and other external systems to programmatically integrate with ObserveIT and receive alerts, health events and user activity logs in real time. This security-automation integration increases the efficiency needed to manage the large scale of information, including integrating ObserveIT alerts into your ticketing or case management systems.
  • #18 You'll know if users are "snooping" or viewing information they shouldn't be, like SS# or customer records. The Rule Editor is simple yet powerful: you can easily define new alert rules, and duplicate and modify existing rules. Every rule can contain all risky aspects of your monitored users, so normally you need only ONE rule per scenario. You can define: WHO are the users involved, WHAT is the risky activity that they performed, ON WHICH COMPUTER, WHEN (weekdays, holidays, time of day?) and FROM WHICH CLIENT COMPUTER they are connected. A comprehensive list of possible user activities provides a quick and easy way to define risky user behavior, such as: specific applications or processes run by the user; websites and URLs being visited; executed SQL statements; Unix/Linux commands, arguments and command line switches being used; and much more. In addition, your alert-response process can be tailored by defining the severity of each rule, as well as the audience and timing of email notifications.
  • #20 Show examples of data misuse: bank account, health records, SAP, SFDC.
  • #26 So far so good, but as security teams are not reviewing alerts all day long, there is a clear need for instant notifications when important alerts are triggered. A flexible email notification mechanism allows you to get an immediate email for important alerts, and periodic "Alert Digest" emails for alerts that are less critical to you. The list of recipients is fully configurable, so you can decide who should be notified in each and every case.
  • #27 Many of our customers use ObserveIT Monitor Log capabilities to integrate User Activity Logs into their favorite SIEM system. Therefore, alerts are also available as a log feed that can be consumed by your SIEM, allowing you to consolidate and correlate ObserveIT User Activity Alerts with logs and alerts from other systems. In addition, as HP ArcSight is one of the market-leading SIEM products and popular among our clients, we were asked to export our User Activity and Alert data also in ArcSight CEF format, to allow an easier and better integration with ArcSight.
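As an added example (not ObserveIT's exporter, whose field mapping the page does not show), the following Python writes a user-activity alert as an ArcSight CEF line and parses such lines back, which is what a SIEM-side consumer of the export described above has to do. The header layout (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension), the escaping of backslashes and pipes in the header and of backslashes, equals signs and line breaks in the extension, and the extension keys used (suser, src, dhost, act, request, rt, cs1/cs1Label) are from the published CEF format; the vendor and product strings, the alert field names and the sample alert are placeholders constructed for this example.

```python
"""Added example: emit and parse ArcSight CEF lines for user-activity alerts.
The CEF header layout and escaping rules are the published format; the
vendor/product strings, alert fields and sample alert are constructed."""
from datetime import datetime, timezone
import re


def _esc_header(s: str) -> str:
    # header fields: escape backslash and the '|' field separator
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(s: str) -> str:
    # extension values: escape backslash, '=' and line breaks (spaces are allowed)
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, sig_id, name, severity, ext: dict) -> str:
    header = "|".join(_esc_header(str(x)) for x in (vendor, product, version, sig_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(str(v))}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"


def _split_header(body: str):
    """Split on unescaped '|' and unescape the seven header fields;
    the remainder after the seventh separator is the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            cur.append(body[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    return fields, body[i:]


_UNESC = {"n": "\n", "r": "\r"}


def from_cef(line: str) -> dict:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, raw_ext = _split_header(line[4:])
    if len(fields) != 7:
        raise ValueError("CEF header needs seven '|'-separated fields before the extension")
    ext = {}
    # a new key starts at whitespace followed by 'key='; '=' inside values is always escaped
    for pair in (re.split(r"\s+(?=\w+=)", raw_ext.strip()) if raw_ext.strip() else []):
        k, v = pair.split("=", 1)
        ext[k] = re.sub(r"\\(.)", lambda m: _UNESC.get(m.group(1), m.group(1)), v)
    keys = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
    return {**dict(zip(keys, fields)), "extension": ext}


def alert_to_cef(alert: dict) -> str:
    """Map one alert (assumed field names) onto standard CEF extension keys."""
    ext = {
        "rt": int(alert["when"].timestamp() * 1000),  # receipt time, epoch milliseconds
        "suser": alert["user"],                        # who
        "act": alert["activity"],                      # did what
        "request": alert["detail"],
        "dhost": alert["computer"],                    # on which computer
        "src": alert["client"],                        # from which client
        "cs1Label": "rule", "cs1": alert["rule"],
    }
    # vendor/product are placeholders, not a real product's identifiers
    return to_cef("ExampleVendor", "UserActivityMonitor", "1.0",
                  alert["activity"], alert["rule"], alert["severity"], ext)


SAMPLE_ALERT = {  # constructed for the example
    "rule": "Paste site visited", "severity": 8, "user": "alice",
    "activity": "visited_url", "detail": "https://pastebin.com/raw/abc?x=1",
    "computer": "CC-PC-07", "client": "10.1.2.3",
    "when": datetime(2015, 6, 16, 10, 15, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    line = alert_to_cef(SAMPLE_ALERT)
    print(line)
    print(from_cef(line)["extension"])
```

The round trip matters because URLs and window titles routinely contain "=" and "|"; an exporter that skips the escaping produces lines a SIEM parser silently truncates or mis-fields, and the alert's "did what" ends up wrong in the correlation rules built on it.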