Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Transcript of slide deck: ObserveIT: User Activity Monitoring

  • Slide 1
  • Copyright 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com ObserveIT: User Activity Monitoring Mark Kreymer [email protected] June, 2013
  • Slide 2
  • ObserveIT - Software that acts like a security camera on your servers! Video camera: recordings of all user activity. Summary of key actions: alerts for problematic activity
  • Slide 3
  • 700+ Enterprise Customers. Sectors: Retail / Service; Gaming; IT Services / Technology; Manufacturing; Healthcare / Pharma; Financial; Utilities / Logistics / Energy; Government; Telco & Media
  • Slide 4
  • Worldwide Presence (customers by country). Switzerland: BCN Bank, Vontobel AG, Schweizerische Bundesbahnen (SBB) Swiss Federal Railway, ZKB, Corner Banca SA, Banca del Sempione, Banca Euromobiliare Suisse, BancaStato. USA: Trend Micro Inc., Shumway Capital Partners LLC, Spoken Communications, University Health Systems of Eastern Carolina, Casino Arizona, CDW, Dimension Data Americas (USA), CSX Technology, PGE - Portland General Electric, Cisco (Webex), St. Jude Medical, UPS, Disney, IBM, Newegg, Spring Branch Independent School District, Sony, British Petroleum (BP), SUNY Downstate, Washington University, Western Governors University, Kroll Ontrack, BNP Paribas, StrataCare LLC, Societe Generale (USA), MFS Investment Management, Fort McDowell Enterprises, Charles Schwab & Co, Aastra, Cost Plus World Market (CPWM). Bolivia: Telecel S.A. TIGO. Chile: Nexus. Argentina: Nuevo Banco del Chaco S.A. Angola: Banco Nacional de Angola. Australia: Woodside Energy Ltd, Australian Stock Exchange, Netstar Logicalis. India: HDFC Bank Ltd., iYogi, HCL, Wipro. UK: UK Payments Administration Ltd, BlackRock, QinetiQ, Vocalink UK, Friends Provident, Hyperion Insurance Group, LCH.Clearnet Ltd., BSkyB, Sky Network Service, Xtrakter Ltd, Opal Telecom Ltd, Talk Talk Technology (Carphone CPWN), BNP Paribas Real Estate Advisory (UK), VTB Capital plc, Baillie Gifford & Co., Heritage Group LTD. Canada: Bell Canada, Quebec Loto, Bellin Treasury Services Ltd., Toronto Hydro, Transat A.T. Inc., Atlantic Lottery Corporation (ALC). Czech Republic: GE Money Bank. Israel: Excellence Nessua, Yes, Leumi Bank, Harel Insurance, Hapoalim Bank, Ayalon Insurance, Pelephone, Comverse, Zim, Clal Insurance, Bezeq, Visa, Coca Cola, Orange, First International Bank, Bank Discount, Ministry of Interior. China: Ministry of Education, China Construction Bank, China Mobile Group Guangdong Co., ShinseiBank, Tesco China, China Foreign Exchange Trade System National Interbank Funding Center, The Hong Kong Jockey Club, DMX. South Africa: Derivco (PTY) Ltd., Ubank, MultiChoice Africa (Pty) Ltd., Clicks Group Ltd., Truworths. Tanzania: MIC Tanzania Ltd. TIGO. Trinidad & Tobago: PETROTRIN. United Arab Emirates: First Gulf Bank, Metito Overseas Ltd., AHI Carrier Fzc. Philippines: Asian Development Bank. Singapore: BT Frontline, Siemens Medical, Singapore Post, Singapura Finance, UOB, Shimano. South Korea: Samsung Networks Korea, Yonsei Hospital, GS Caltex, Defense Acquisition Program Administration. Qatar: QFC Regulatory Authority, Court of the Crown Prince (CPC), Financial Centre Authority. Taiwan: Taiwan Railways Administration (MOTC), Taiwan Accreditation Foundation (TAF), Taiwan Mobile. Poland: Podkarpacki Oddział Wojewódzkiego Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie, Elektrotim S.A., Inteligo Financial Services S.A. Slovenia: Zavarovalnica Triglav d.d., Raiffeisen banka d.d. Croatia: T-Mobile Croatia, OTP. France: CG61, S2IH, BOUYGUES TELECOM, Societe Generale, Groupama Asset Management (GAM). Germany: Sanofi Aventis, HSH Nordbank, Boehringer Ingelheim GmbH, AGRAVIS Raiffeisen AG, Deutsche Telekom AG. Greece: hol. Hungary: Wizz Air. Norway: VTS. Turkey: Turkcell, ANADOLU SIGORTA, Vakifbank, Yasar Factoring, T.C. Ziraat Bankası. Spain: Banco Espirito Santo S.A., CECA (Confederación Española de Cajas de Ahorros), BBVA, Caja Madrid. Italy: Vodafone (Italy), ELECTRONIC'S TIME SRL, Allianz SPA, ING Lease Italia S.p.A., UBI Banca Sistemi&Servizi, Xerox s.p.a. Cyprus: SEM Ltd. Luxembourg: TELINDUS Luxembourg. Slovakia: Tatra Banka a.s. Estonia: Estonian Security Police Board. Chad: MIC Chad Ltd. TIGO. Liechtenstein: LGT Financial Services. Japan: Mitsubishi Information
  • Slide 5
  • Business challenges that ObserveIT addresses: Remote Vendor Monitoring; Compliance & Security Accountability; Root Cause Analysis & Documentation. Benefits: impact human behavior; transparent SLA and billing; eliminate finger pointing; reduce compliance costs for GETTING compliant and STAYING compliant; satisfy PCI, HIPAA, SOX, ISO; immediate root-cause answers; document best practices
  • Slide 6
  • An Analogy: Bank Branch Office vs. Bank Computer Servers. They both hold money. They both have access control. The branch office also has security cameras; the servers don't! Companies invest in access control, but once users gain access there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials)
  • Slide 7
  • "I don't have this problem. I've got log analysis!" The picture isn't quite as rosy as you think. Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!) Why? Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT)
  • Slide 8
  • Can you tell what happened here? Wouldn't it be easier with a Replay Video button? Video Replay shows exactly what happened
  • Slide 9
  • And many commonly used apps don't even have their own logs! DESKTOP APPS: Firefox / Chrome / IE, MS Excel / Word, Outlook, Skype. ADMIN TOOLS: Registry Editor, SQL Manager, Toad, Network Config. TEXT EDITORS: vi, Notepad. REMOTE & VIRTUAL: Remote Desktop, VMware vSphere
  • Slide 10
  • System Logs are like Fingerprints: they show the results/outcome of what took place. User Audit Logs are like Surveillance Recordings: they show exactly what took place! Both are valid, but the video log goes right to the point!
  • Slide 11
  • TODAY: Sam the Security Officer asks "WHO is doing WHAT on our network???" Our Solution, with ObserveIT's 3 key features: 1: Video Capture (video session recording of the IT admin's session on a corporate server or desktop); 2: Video Content Analysis (a text log per user and session listing the apps, files and URLs accessed, e.g. "Alex: App1, App2", feeding audit reporting and a DB & SIEM log collector); 3: Shared-user Identification (Alex the Admin logs on as Administrator; the recording is attributed to Alex: "Cool! Now I know. Admin = Alex")
  • Slide 12
  • LIVE DEMO. Demo links: Live hosted demo: http://demo.observeit.com. YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1; Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
  • Slide 13
  • DEPLOYMENT SCENARIO OPTIONS
  • Slide 14
  • Standard Agent-based Deployment. Diagram components: ObserveIT Agents on the monitored machines (local-login desktops and servers reached by remote users over RDP, SSH and ICA), the ObserveIT Management Server, the Database Server, the ObserveIT Web Console, AD and Network Mgmt, and SIEM/BI; the agents deliver metadata logs and video capture to the Management Server.
  • Agent: installed on each monitored machine; becomes active only when a user session starts; data capture is triggered by user activity (mouse movement, text typing, etc.), and no recording takes place while the user is idle; communicates with the Management Server via HTTP on a customizable port, with optional SSL encryption (a practitioner will want SSL enabled: without it the captured screenshots and activity metadata cross the network in the clear); offline mode buffers recorded info (customizable buffer size); a watchdog mechanism prevents tampering.
  • Management Server: receives session data from the Agents; ASP.NET application in IIS; collects all data delivered by the Agents; analyzes and categorizes the data and sends it to the DB Server; communicates with the Agents for config updates.
  • Data Storage: Microsoft SQL Server database (or optional file-system storage); stores all config data, metadata and screenshots; all connections via standard TCP port 1433 (in practice, reachable only from the Management Server and Web Console hosts).
  • Web Console: how administrators access the ObserveIT audit; ASP.NET application in IIS; primary interface for video replay and reporting; also used for configuration and admin tasks; includes granular policy rules for limiting access to sensitive data.
  • Open API and Data Integration: standards-based, simple integration.
  • Slide 15
  • Gateway Jump-Server Deployment: remote and local users connect over the Internet to a Gateway Server that has the ObserveIT Agent installed and hop from there (MSTSC, PuTTY, SSH) to the Corporate Servers and Corporate Desktops, none of which need an agent; the gateway reports to the ObserveIT Management Server.
  • Slide 16
  • Hybrid Deployment: as in the gateway scenario, remote and local users reach Corporate Servers and Corporate Desktops (no agent installed) through a Gateway Server running the ObserveIT Agent (MSTSC, PuTTY, SSH); in addition, sensitive production servers have the agent installed so that direct logins (not via the gateway) are also recorded; everything reports to the ObserveIT Management Server.
  • Slide 17
  • Gateway Jump-Server Deployment (multi-customer variant): remote and local users connect over the Internet to a Gateway Server running the ObserveIT Agent (MSTSC, PuTTY, SSH); Customer #1, Customer #2 and Customer #3 servers have no agent installed; the gateway reports to the ObserveIT Management Server.
  • Slide 18
  • Citrix Published Apps Deployment: the ObserveIT Agent is installed on the Citrix Server, so remote-access sessions to the Published Apps are recorded there; the agent reports to the ObserveIT Management Server.
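Slide 11 describes what the product produces (a per-session text log of apps, files and URLs, a shared-account login resolved to a named person, a feed into a DB and SIEM log collector) and Slide 2 promises alerts for problematic activity, but the deck never shows what consuming that output looks like. The following is an added example written for this transcript; it is not ObserveIT's code, schema or export format. It parses constructed activity-metadata lines in an assumed layout, attributes each record to a person (a shared "Administrator" login is resolved through the secondary identification the slide summarises as "Admin = Alex", and flagged when none was collected), runs a few assumed rules for problematic activity, and renders hits as CEF lines for a SIEM. The field names, rule patterns, shared-account list and CEF vendor/product strings are all assumptions.

```python
"""Shared-account attribution and SIEM alerting over session-activity metadata.
Added example for this transcript, not ObserveIT's software or export schema:
record layout, rules, shared-account list and CEF vendor strings are assumed,
and SAMPLE_LOG is constructed."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple

# Constructed sample (assumed layout): "login" is the account the session was
# opened with, "identified_user" the person named at the secondary-identification
# prompt (null when none was collected), "resource" the file/URL/command seen.
SAMPLE_LOG = r"""
{"ts":"2013-06-03T09:12:01Z","session":"s-101","host":"db-prod-01","login":"Administrator","identified_user":"alex","app":"regedit.exe","title":"Registry Editor","resource":"HKLM\\SYSTEM\\CurrentControlSet\\Services"}
{"ts":"2013-06-03T09:12:40Z","session":"s-101","host":"db-prod-01","login":"Administrator","identified_user":"alex","app":"ssms.exe","title":"SQL Server Management Studio","resource":"SELECT * FROM dbo.Customers"}
{"ts":"2013-06-03T09:15:00Z","session":"s-102","host":"db-prod-01","login":"Administrator","identified_user":null,"app":"cmd.exe","title":"Command Prompt","resource":"net user backup_svc Passw0rd /add"}
{"ts":"2013-06-03T10:02:13Z","session":"s-103","host":"ws-alex","login":"alex","identified_user":"alex","app":"chrome.exe","title":"Pastebin - Google Chrome","resource":"https://pastebin.com/"}
{"ts":"2013-06-03T10:05:50Z","session":"s-103","host":"ws-alex","login":"alex","identified_user":"alex","app":"excel.exe","title":"Q2 forecast.xlsx - Excel","resource":"C:\\Users\\alex\\Documents\\Q2 forecast.xlsx"}
"""

SHARED_ACCOUNTS = {"administrator", "root", "sa"}                          # assumed
CEF_VENDOR, CEF_PRODUCT, CEF_VERSION = "ExampleCorp", "UAM Demo", "1.0"    # assumed


def parse_records(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


@dataclass(frozen=True)
class Rule:
    sig_id: str
    name: str
    severity: int                   # CEF severity, 0 (lowest) to 10
    app: Optional[str] = None       # exact process name, case-insensitive
    resource: Optional[str] = None  # regex over the file/URL/command field
    host: Optional[str] = None      # regex over the host name

    def matches(self, rec: dict) -> bool:
        if self.app and rec["app"].lower() != self.app.lower():
            return False
        if self.resource and not re.search(self.resource, rec["resource"], re.I):
            return False
        return not self.host or re.search(self.host, rec["host"], re.I) is not None


# Assumed "problematic activity" rules for the demo.
RULES = [
    Rule("R1", "Registry Editor launched on production host", 6, app="regedit.exe", host=r"-prod-"),
    Rule("R2", "Local account created from command line", 8, app="cmd.exe",
         resource=r"\bnet\s+user\b.*\s/add\b"),
    Rule("R3", "Paste site visited", 5, resource=r"^https?://(www\.)?pastebin\.com"),
]


def attribute(rec: dict) -> Tuple[str, bool]:
    """Resolve a record to a person. A shared account is attributed to the
    secondary-identified user; with none, the actor stays unknown and the
    record is flagged (True) so the session can be chased separately."""
    login, ident = rec["login"], rec.get("identified_user")
    if login.lower() in SHARED_ACCOUNTS:
        return (ident, False) if ident else (f"{login} (unidentified)", True)
    return login, False


def unattributed_sessions(records: List[dict]) -> Set[str]:
    """Sessions opened with a shared account that never named a person."""
    return {r["session"] for r in records if attribute(r)[1]}


@dataclass(frozen=True)
class Alert:
    rule: Rule
    record: dict
    actor: str
    unattributed: bool


def detect(records: List[dict], rules: List[Rule] = RULES) -> List[Alert]:
    """Run every rule over every record; each hit carries its attribution."""
    alerts = []
    for rec in records:
        actor, flagged = attribute(rec)
        alerts += [Alert(rule, rec, actor, flagged) for rule in rules if rule.matches(rec)]
    return alerts


def _hdr(s: str) -> str:  # CEF header fields escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _ext(s: str) -> str:  # CEF extension values escape backslash, '=' and newline
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


def to_cef(alert: Alert) -> str:
    """Render one alert as a CEF:0 line for syslog forwarding to a SIEM."""
    rec, rule = alert.record, alert.rule
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    header = "|".join(_hdr(f) for f in ("CEF:0", CEF_VENDOR, CEF_PRODUCT, CEF_VERSION,
                                        rule.sig_id, rule.name, str(rule.severity)))
    ext = [("rt", str(int(ts.timestamp() * 1000))), ("suser", alert.actor),
           ("duser", rec["login"]), ("dhost", rec["host"]),
           ("deviceProcessName", rec["app"]), ("cs1", rec["session"]),
           ("cs1Label", "sessionId"), ("cs2", "1" if alert.unattributed else "0"),
           ("cs2Label", "sharedAccountUnidentified"), ("msg", rec["resource"])]
    return header + "|" + " ".join(f"{k}={_ext(v)}" for k, v in ext)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for alert in detect(recs):
        print(to_cef(alert))
    print("sessions still needing identification:", sorted(unattributed_sessions(recs)))
```

Two design points carry over to any real deployment of this kind of feed: the CEF `suser` field holds the attributed person while `duser` keeps the raw login, so the SIEM can pivot on either without losing the "Admin = Alex" mapping; and a shared-account session with no secondary identification is surfaced on its own (`unattributed_sessions`, and `cs2=1` on every alert from it) rather than silently attributed to "Administrator", because that gap is exactly the accountability hole Slide 6 describes.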