Transcript of Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and...
- Slide 1
- Copyright 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com
ObserveIT: User Activity Monitoring
Mark Kreymer, mark@observeit.com, June 2013
- Slide 2
- ObserveIT: software that acts like a security camera on your servers!
Video camera: recordings of all user activity.
Summary of key actions: alerts for problematic activity.
- Slide 3
- 700+ Enterprise Customers
Industries: Retail / Service; Gaming; IT Services / Technology; Manufacturing; Healthcare / Pharma; Financial; Utilities / Logistics / Energy; Government; Telco & Media
- Slide 4
- Worldwide Presence
Switzerland: BCN; Bank Vontobel AG; Schweizerische Bundesbahnen (SBB) Swiss Federal Railway; ZKB; Corner Banca SA; Banca del Sempione; Banca Euromobiliare Suisse; BancaStato
USA: Trend Micro Inc.; Shumway Capital Partners, LLC; Spoken Communications; University Health Systems of Eastern Carolina; Casino Arizona; CDW; Dimension Data Americas (USA); CSX Technology; PGE - Portland General Electric; Cisco (Webex); St. Jude Medical; UPS; Disney; IBM; Newegg; Spring Branch Independent School District; Sony; British Petroleum (BP); SUNY Downstate; Washington University; Western Governors University; Kroll Ontrack; BNP Paribas; StrataCare, LLC.; Societe Generale (USA); MFS Investment Management; Fort McDowell Enterprises; CHARLES SCHWAB & CO; Aastra; Cost Plus World Market (CPWM)
Bolivia: Telecel S.A. TIGO
Chile: Nexus
Argentina: Nuevo Banco del Chaco S.A.
Angola: Banco Nacional de Angola
Australia: Woodside Energy Ltd; Australian Stock Exchange; NetstarLogicalis
India: HDFC Bank Ltd.; iYogi; HCL; Wipro
UK: UK Payments Administration Ltd; BlackRock; QinetiQ; Vocalink UK; Friends Provident; Hyperion Insurance Group; LCH.Clearnet Ltd.; BSkyB; Sky Network Service; Xtrakter Ltd; Opal Telecom Ltd; Talk Talk Technology (Carphone CPWN); BNP Paribas Real Estate Advisory (UK); VTB Capital plc; Baillie Gifford & Co.; Heritage Group LTD
Canada: Bell Canada; Quebec Loto; Bellin Treasury Services Ltd.; Toronto Hydro; Transat A.T. Inc.; Atlantic Lottery Corporation (ALC)
Czech Republic: GE Money Bank
Israel: Excellence Nessua; Yes; Leumi Bank; Harel Insurance; Hapoalim Bank; Ayalon Insurance; Pelephone; Comverse; Zim; Clal Insurance; Bezeq; Visa; Coca Cola; Orange; First International Bank; Bank Discount; Ministry of Interior
China: Ministry of Education China; China Construction Bank; China Mobile Group Guangdong Co.; ShinseiBank; Tesco China; China Foreign Exchange Trade System National Interbank Funding Center; The Hong Kong Jockey Club; DMX
South Africa: Derivco (PTY) Ltd.; Ubank; MultiChoice Africa (Pty) Ltd.; Clicks Group Ltd.; Truworths, South Africa
Tanzania: MIC Tanzania, Ltd. TIGO
Trinidad & Tobago: PETROTRIN
United Arab Emirates: First Gulf Bank; Metito Overseas Ltd.; AHI Carrier Fzc
Philippines: Asian Development Bank
Singapore: BT Frontline; Siemens Medical; Singapore Post; Singapura Finance; UOB; Shimano
South Korea: Samsung Networks Korea; Yonsei Hospital; GS Caltex; Defense Acquisition Program Administration
Qatar: QFC Regulatory Authority; Court of the Crown Prince (CPC); Financial Centre Authority
Taiwan: Taiwan Railways Administration, MOTC; Taiwan Accreditation Foundation (TAF); Taiwan Mobile
Poland: Podkarpacki Oddział Wojewódzkiego Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie; Elektrotim S.A.; Inteligo Financial Services S.A.
Slovenia: Zavarovalnica Triglav d.d; Raiffeisen banka d.d.
Croatia: T-Mobile Croatia; OTP
France: CG61; S2IH; BOUYGUES TELECOM; Societe Generale; Groupama Asset Management (GAM)
Germany: Sanofi Aventis; HSH Nordbank; Boehringer Ingelheim GmbH; AGRAVIS Raiffeisen AG; Deutsche Telekom AG
Greece: hol
Hungary: Wizz Air
Norway: VTS
Turkey: Turkcell; ANADOLU SIGORTA; Vakifbank; Yasar Factoring; T.C. Ziraat Bankası
Spain: Banco Espirito Santo S.A.; CECA (Confederación Española de Cajas de Ahorros); BBVA; Caja Madrid
Italy: Vodafone (Italy); ELECTRONIC'S TIME SRL; Allianz SPA; ING Lease Italia S.p.A.; UBI Banca Sistemi&Servizi; Xerox s.p.a.
Cyprus: SEM Ltd
Luxembourg: TELINDUS Luxembourg
Slovakia: Tatra Banka a.s.
Estonia: Estonian Security Police Board
Chad: MIC Chad, Ltd. TIGO
Liechtenstein: LGT Financial Services
Japan: Mitsubishi Information
- Slide 5
- Business challenges that ObserveIT addresses
Remote Vendor Monitoring; Compliance & Security Accountability; Root Cause Analysis & Documentation
Impact human behavior
Transparent SLA and billing
Eliminate finger pointing
Reduce compliance costs for GETTING compliant and STAYING compliant
Satisfy PCI, HIPAA, SOX, ISO
Immediate root-cause answers
Document best practices
- Slide 6
- Bank Branch OfficeBank Computer Servers They both hold money An
Analogy 6 They both have Access Control...Here they also have
security cameras Here, they dont! Companies invest in access
control but once users gain access, there is little knowledge of
who they are and what they do! (Even though 71% of data breaches
involve privileged user credentials)
- Slide 7
- "I don't have this problem. I've got log analysis!"
The picture isn't quite as rosy as you think. Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!)
Why? Because system logs are built by DEVELOPERS for DEBUG (and not by SECURITY ADMINS for SECURITY AUDIT).
- Slide 8
- 8 Wouldnt it be easier with a Replay Video button? Replay Video
Video Replay shows exactly what happened Can you tell what happened
here?
- Slide 9
- And many commonly used apps don't even have their own logs!
Desktop apps: Firefox / Chrome / IE; MS Excel / Word; Outlook; Skype
Admin tools: Registry Editor; SQL Manager; Toad; Network Config
Text editors: vi; Notepad
Remote & virtual: Remote Desktop; VMware vSphere
- Slide 10
- System logs are like fingerprints: they show the results/outcome of what took place.
User audit logs are like surveillance recordings: they show exactly what took place!
Both are valid, but the video log goes right to the point.
- Slide 11
- Our Solution: ObserveIT's 3 key features
TODAY: Alex the Admin logs on to a corporate server or desktop as "Administrator". Sam the Security Officer asks: WHO is doing WHAT on our network???
With ObserveIT:
1: Video Capture. The IT admin's session is recorded as video (Play!).
2: Video Content Analysis. Each video is turned into a text log of the apps, files and URLs accessed (e.g. user Alex: App1, App2), which feeds the audit reporting DB & SIEM log collector.
3: Shared-user Identification. The shared "Administrator" login is tied to the real user behind it.
Sam: "Cool! Now I know. Admin = Alex."
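The slide describes the output of features 2 and 3 in words only. The following added example (mine, not ObserveIT's code; ObserveIT's real schema and export format are not shown on this page) shows what a security officer actually needs from that pipeline: every captured activity record stamped with the identified person rather than the shared account, exported as ArcSight CEF lines so a SIEM can key on `suser` (the real actor) versus `duser` (the login), with the "problematic activity" alerts of slide 2 raised for the log-less admin tools of slide 9 and for any session where identification failed. The session below, the vendor string `ExampleVendor` and the alert list are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: one RDP session on the shared local "Administrator" account.
# identified_user is the slide's "shared-user identification": the person who
# answered the secondary login prompt. None means identification did not happen.
@dataclass
class Session:
    session_id: str
    host: str
    login_account: str
    identified_user: Optional[str]
    activities: list = field(default_factory=list)   # (timestamp, app, target)

SAMPLE = Session(
    session_id="S-1001", host="srv-db01", login_account="Administrator",
    identified_user="alex",
    activities=[
        ("2013-06-03T09:01:12Z", "Remote Desktop", "srv-db01"),
        ("2013-06-03T09:02:40Z", "Registry Editor", r"HKLM\SYSTEM\CurrentControlSet\Services"),
        ("2013-06-03T09:05:03Z", "Firefox", "https://intranet/payroll?export=csv"),
        ("2013-06-03T09:07:55Z", "SQL Manager", "srv-db01/PAYROLL"),
    ],
)

# Admin tools from slide 9 that keep no useful log of their own (assumed alert list).
ALERT_APPS = {"Registry Editor", "SQL Manager", "Toad", "Network Config"}


def actor_for(session):
    """Real person behind the login, or a marker that identification failed."""
    return session.identified_user or f"unidentified:{session.login_account}"


def build_events(session):
    """One text-log record per captured activity, stamped with the real actor.
    A record is flagged when the app is on the alert list or the actor is unknown."""
    actor = actor_for(session)
    return [{
        "ts": ts, "host": session.host, "session": session.session_id,
        "account": session.login_account, "actor": actor,
        "app": app, "target": target,
        "alert": app in ALERT_APPS or actor.startswith("unidentified:"),
    } for ts, app, target in session.activities]


def _hdr(v):   # CEF header fields: escape backslash and pipe
    return str(v).replace("\\", "\\\\").replace("|", "\\|")


def _ext(v):   # CEF extension values: escape backslash and equals
    return str(v).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(ev):
    """Render one record as a CEF line: suser = real actor, duser = account used."""
    sev = 7 if ev["alert"] else 3
    sig = "UA-ALERT" if ev["alert"] else "UA-ACTIVITY"
    ext = " ".join(f"{k}={_ext(v)}" for k, v in [
        ("rt", ev["ts"]), ("dvchost", ev["host"]),
        ("cs1", ev["session"]), ("cs1Label", "sessionId"),
        ("duser", ev["account"]), ("suser", ev["actor"]),
        ("app", ev["app"]), ("cs2", ev["target"]), ("cs2Label", "target"),
    ])
    return (f"CEF:0|{_hdr('ExampleVendor')}|{_hdr('UserActivity')}|1.0|"
            f"{sig}|{_hdr(ev['app'])}|{sev}|{ext}")


def alerts(session):
    """Records the security officer should see first."""
    return [e for e in build_events(session) if e["alert"]]


if __name__ == "__main__":
    for ev in build_events(SAMPLE):
        print(to_cef(ev))
```

The escaping helpers matter in practice: registry paths carry backslashes and URLs carry `=`, and an unescaped value silently corrupts the extension field on the SIEM side, which is exactly the kind of record an attacker would like to see dropped.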
- Slide 12
- LIVE DEMO
Demo links:
Live hosted demo: http://demo.observeit.com
YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1 ; Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
- Slide 13
- DEPLOYMENT SCENARIO OPTIONS
- Slide 14
- Standard Agent-based Deployment
Diagram components: ObserveIT Agents on corporate servers and desktops (local login, and remote users arriving via RDP / SSH / ICA); AD; Network Mgmt; ObserveIT Web Console; ObserveIT Management Server; Database Server; SIEM / BI. Agents deliver metadata logs & video capture to the Management Server.
Agents:
Agent installed on each monitored machine
Agent becomes active only when a user session starts
Data capture is triggered by user activity (mouse movement, text typing, etc.); no recording takes place while the user is idle
Communicates with the Management Server via HTTP on a customizable port, with optional SSL encryption
Offline mode buffers recorded info (customizable buffer size)
Watchdog mechanism prevents tampering
Management Server:
Receives session data from Agents
ASP.NET application in IIS
Collects all data delivered by the Agents
Analyzes and categorizes data, and sends it to the DB Server
Communicates with Agents for config updates
Data Storage:
Microsoft SQL Server database (or optional file-system storage)
Stores all config data, metadata and screenshots
All connections via standard TCP port 1433
Web Console (administrators access the ObserveIT audit here):
ASP.NET application in IIS
Primary interface for video replay and reporting
Also used for configuration and admin tasks
Web console includes granular policy rules for limiting access to sensitive data
Open API and Data Integration:
Standards-based
Simple integration
- Slide 15
- Gateway Jump-Server Deployment
Remote and local users connect over the Internet (MSTSC, PuTTY) to a Gateway Server that runs the ObserveIT Agent; from the gateway they continue by RDP / SSH to corporate servers and corporate desktops, which have no agent installed. The gateway reports to the ObserveIT Management Server.
- Slide 16
- Hybrid Deployment
As in the gateway deployment: remote and local users connect over the Internet (MSTSC, PuTTY) to a Gateway Server running the ObserveIT Agent, then by RDP / SSH to corporate servers and corporate desktops with no agent installed; the gateway reports to the ObserveIT Management Server. In addition, sensitive production servers have the agent installed, so direct logins to them (not via the gateway) are still recorded.
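The agent bullets on slide 14 and the hybrid picture on slide 16 each carry a configuration choice that decides whether the recording is trustworthy: SSL on the agent-to-server channel is "optional", the offline buffer is "customizable", TCP 1433 is the one path to the evidence store, and in the hybrid layout an agentless server that still accepts RDP or SSH from anywhere other than the gateway is an unrecorded path. The following added example (mine, not ObserveIT tooling; host roles, config keys and the default port 8443 are hypothetical and the two deployments are constructed) lints a deployment description against those points, with the weak and the corrected configuration side by side.

```python
from dataclasses import dataclass

SQL_PORT = 1433                 # slide 14: all DB connections via standard TCP 1433
ADMIN_PORTS = {22, 3389}        # SSH and RDP, the PuTTY / MSTSC paths on the slides
RECORDED = {"agent", "gateway"}  # roles that carry an ObserveIT agent


@dataclass
class Host:
    name: str
    role: str                     # agent | gateway | server | client | mgmt | console | db | siem
    tls: bool = True              # is the "optional SSL" on the agent channel enabled?
    offline_buffer_mb: int = 0    # agent-side buffer used while mgmt is unreachable
    mgmt_port: int = 8443         # hypothetical customized management port


@dataclass
class Deployment:
    hosts: list                   # Host objects
    flows: list                   # (src, dst, port) tuples the firewall permits


def check(dep):
    """Return a list of findings; an empty list means the baseline holds."""
    hosts = {h.name: h for h in dep.hosts}
    findings = []
    for h in dep.hosts:
        if h.role not in RECORDED:
            continue
        if not h.tls:
            findings.append(f"{h.name}: agent reports over plain HTTP; screenshots "
                            f"and typed text cross the network in clear")
        if h.offline_buffer_mb <= 0:
            findings.append(f"{h.name}: no offline buffer; activity during a "
                            f"management-server outage is lost")
        if not any(s == h.name and hosts[d].role == "mgmt" and p == h.mgmt_port
                   for s, d, p in dep.flows):
            findings.append(f"{h.name}: no firewall path to mgmt on {h.mgmt_port}")
    for src, dst, port in dep.flows:
        s, d = hosts[src], hosts[dst]
        if d.role == "db" and port == SQL_PORT and s.role not in {"mgmt", "console"}:
            findings.append(f"{src} -> {dst}:{port}: only mgmt and console may reach SQL Server")
        if d.role == "server" and port in ADMIN_PORTS and s.role != "gateway":
            findings.append(f"{src} -> {dst}:{port}: admin session to an agentless "
                            f"server bypasses the recording gateway")
    return findings


# Constructed hybrid deployment: one sensitive server with an agent, one
# agentless server behind the gateway, plus the management tier.
def _hosts(agent_tls, agent_buffer):
    return [
        Host("prod-db01", "agent", tls=agent_tls, offline_buffer_mb=agent_buffer),
        Host("gw1", "gateway", offline_buffer_mb=256),
        Host("app01", "server"), Host("laptop1", "client"),
        Host("mgmt1", "mgmt"), Host("console1", "console"),
        Host("db1", "db"), Host("siem1", "siem"),
    ]

BASE_FLOWS = [
    ("prod-db01", "mgmt1", 8443), ("gw1", "mgmt1", 8443),
    ("laptop1", "gw1", 3389), ("gw1", "app01", 22), ("laptop1", "prod-db01", 3389),
    ("mgmt1", "db1", 1433), ("console1", "db1", 1433), ("mgmt1", "siem1", 514),
]

WEAK = Deployment(_hosts(agent_tls=False, agent_buffer=0),
                  BASE_FLOWS + [("laptop1", "app01", 3389), ("prod-db01", "db1", 1433)])
HARDENED = Deployment(_hosts(agent_tls=True, agent_buffer=256), BASE_FLOWS)

if __name__ == "__main__":
    for f in check(WEAK):
        print("WEAK:", f)
    print("HARDENED findings:", check(HARDENED))
```

The direct login from laptop1 to prod-db01 is deliberately left out of the findings: that server carries an agent, which is the whole point of the hybrid layout. The same connection to the agentless app01 is what the check flags.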
- Slide 17
- Gateway Jump-Server Deployment
Remote and local users connect over the Internet (MSTSC, PuTTY) to a Gateway Server running the ObserveIT Agent, and from there by RDP / SSH to the servers of Customer #1, Customer #2 and Customer #3, none of which has an agent installed. The gateway reports to the ObserveIT Management Server.
- Slide 18
- Citrix Published Apps Deployment
Remote access users reach published apps on a Citrix Server that runs the ObserveIT Agent; the Citrix Server reports to the ObserveIT Management Server.