ObserveIT:
User Activity Monitoring
Month 2014
Copyright © 2014 ObserveIT. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only.
www.observeit.com
ObserveIT: Software that acts like a security camera on your servers!

• Video camera: Recordings of all user activity
• Summary of key actions: Alerts for problematic activity

2
800+ Enterprise Customers
Healthcare / Pharma
Financial
Telco & Media
Manufacturing
Retail / Service
Utilities & Logistics
IT Services
Government
Gaming
3
Business challenges that ObserveIT addresses
Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘Finger pointing’
Compliance & Security Accountability
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO
Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best-practices
13
An Analogy
Bank Branch Office vs. Bank Computer Servers
They both hold money…
…They both have Access Control…
...Here (the branch office) they also have security cameras…
…Here (the servers), they don’t!
Companies invest in access control but once users gain access, there is little knowledge of who they are and what they do!
(Even though 71% of data breaches involve privileged user credentials)
14
Why?
Because system logs are built by DEVELOPERS for DEBUG!
(and not by SECURITY ADMINS for SECURITY AUDIT)
“I don’t have this problem. I’ve got log analysis!”
“The picture isn’t quite as rosy as you think.”
Only 1% of data breaches are discovered by log analysis!
(Even in large orgs with established SIEM processes, the number is still only 8%!)
15
Can you tell what
happened here?
Replay Video
Wouldn’t it be easier
with a ‘Replay Video’
button?
Video Replay shows
exactly what happened
16
And many commonly used apps don’t even have their own logs!
DESKTOP APPS
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype
REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere
ADMIN TOOLS
• Registry Editor
• SQL Manager
• Toad
• Network Config
TEXT EDITORS
• vi
• Notepad
17
System Logs are like Fingerprints
They show the results/outcome of what took place
User Audit Logs are like Surveillance Recordings
They show exactly what took place!
Both are valid…
…But the video log goes right to the point!
18
Our Solution
1: Video Capture
• Video Session Recording
2: Video Content Analysis
• List of apps, files, URLs accessed
3: Shared-user Identification
• ‘Admin’ = Alex
Alex the IT Admin logs on as ‘Administrator’ to a Corporate Server or Desktop
Audit Reporting DB & SIEM Log Collector
• User: Alex
• Video: Play!
• Text Log: App1, App2
Sam the Security Officer: “WHO is doing WHAT on our network???” … “Cool! Now I know.”
19
LIVE DEMO
Demo Links:
Powerpoint demo: Click here to show
Live hosted demo: http://demo.observeit.com
Internal demo: http://184.106.234.181:4884/ObserveIT
YouTube demos:
English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1
Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1
Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1
French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1
Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
Business challenges & Customer use-cases
Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘Finger pointing’
Compliance & Security Accountability
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO
Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best-practices
21
But I like my SIEM tool!
So do we!
22
Add value
• View ObserveIT users’ activity in SIEM
• Direct link to the ObserveIT Video URL from the SIEM
• Ability to correlate ObserveIT events with other system events
• Ability to define rules/alerts based on ObserveIT user’s recorded events
23
Current system log report not clear enough?
Then link to the video replay!
SIEM Platform
• OS and DB System Log Report: Event… Event… Event…
• ObserveIT User Log Report: Event… Event… Event…
• System Dashboard
• Video Player
Simple & automated correlation rules:
Timestamp + user + machine → Video Replay
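The correlation rule on this slide (timestamp + user + machine → video replay), worked as an added example; it is not ObserveIT code. The record layout, field names and the 30-second clock-skew tolerance are assumptions, and the sample sessions are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real product output. Field names are assumed.
SESSIONS = [
    {"id": "s-101", "user": "alex", "machine": "PROD-DB1",
     "start": "2014-03-04T09:00:00", "end": "2014-03-04T09:45:00"},
    # Two people sharing the generic "administrator" login, overlapping in time.
    {"id": "s-102", "user": "administrator", "machine": "PROD-DB1",
     "start": "2014-03-04T10:00:00", "end": "2014-03-04T10:30:00"},
    {"id": "s-103", "user": "administrator", "machine": "PROD-DB1",
     "start": "2014-03-04T10:20:00", "end": "2014-03-04T11:00:00"},
]


def _ts(text):
    """Parse an ISO-8601 timestamp (all sample times share one clock)."""
    return datetime.fromisoformat(text)


def build_index(sessions):
    """Group recorded sessions by (user, machine), sorted by start time."""
    index = defaultdict(list)
    for s in sessions:
        key = (s["user"].lower(), s["machine"].lower())
        index[key].append((_ts(s["start"]), _ts(s["end"]), s["id"]))
    for spans in index.values():
        spans.sort()
    return index


def correlate(index, event, skew=timedelta(seconds=30)):
    """Return every recorded session that can explain one SIEM event.

    A session matches when user and machine are equal (case-insensitive)
    and the event time falls inside the session, widened by `skew` to
    absorb clock drift between the log source and the recorder.
    Each hit carries the offset, in seconds, at which to start replay.
    More than one hit means the login alone does not identify the person.
    """
    key = (event["user"].lower(), event["machine"].lower())
    when = _ts(event["time"])
    hits = []
    for start, end, session_id in index.get(key, []):
        if start - skew <= when <= end + skew:
            offset = max(0, int((when - start).total_seconds()))
            hits.append({"session": session_id, "offset_s": offset})
    return hits


if __name__ == "__main__":
    idx = build_index(SESSIONS)
    sample_events = [  # constructed SIEM events
        {"user": "alex", "machine": "PROD-DB1", "time": "2014-03-04T09:10:30"},
        {"user": "administrator", "machine": "PROD-DB1",
         "time": "2014-03-04T10:25:00"},
    ]
    for ev in sample_events:
        print(ev["user"], ev["time"], "->", correlate(idx, ev))
```

The second sample event matches two overlapping sessions under the shared "administrator" login, so the join returns both recordings and the reviewer has to tell them apart by the named user attached to each session.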
24
ObserveIT Video and Text Logs in CA UARM
List of every app run
Timeline view
Breakdown by users
and servers
Detailed action listing
Click ‘Play the video!’
icon to view
25
ObserveIT Video and Text Logs in Arcsight
Dashboard
breakdown of user
activity
Each action can link to
open a video replay
Video replay of user actions,
within the Arcsight console
26
ObserveIT Video and Logs in Splunk – Activity Dashboard
Search Window
Dashboard breakdowns
Detailed text logs of
user actions
Click icon to launch
video replay
ObserveIT Video and Logs in Splunk – Browse Sessions
Search Window
Session details (Windows)
Session details (Unix)
Click icon to launch
video replay
ObserveIT Video and Logs in Splunk – Session details
Click icon to launch video replay
per action
ObserveIT Video and Logs in LogRhythm
ObserveIT Video and Text Logs in RSA enVision
Metadata filtering
Event listing
31
LIVE DEMO PART II: SIEM INTEGRATION
ObserveIT Compliance Coverage
for PCI, HIPAA, ISO27001, SOX, NERC/FERC
Compliance Requirements → ObserveIT Solution
• Assign unique ID to each person with computer access (ex: PCI Requirement 8) → ObserveIT Secondary Identification
• Track all access to network resources and sensitive data (ex: PCI Requirement 10) → ObserveIT Session Recording
• Maintain policies that address information security (ex: PCI Requirement 12) → ObserveIT Policy Messaging
33
Getting compliant is only the first step:
Reduce compliance costs now AND in the future
GET COMPLIANT:
• All apps
– Generate logs for apps that don’t have internal logs
• All actions
– Captures every user action, including video replay
• All platforms
– Windows, Linux, Unix
– VMs, Cloud, Remote access, Direct access
• Satisfy auditor inquiries
– On-the-spot response (No need to send requests back to research team)
STAY COMPLIANT:
• Stop the “re-correlation” cycle!
– System changes ≠ SIEM correlation realignment
• Video Replay = Non-repudiation!
– Zero doubt surrounding audit conclusiveness
34
Alerting via Network Management
• Same architectural concept as SIEM Integration
– Mainly for metadata integration
• Triggers system alerts or actions based on log activity
35
DEPLOYMENT SCENARIO OPTIONS
Standard Agent-based Deployment
ObserveIT Agents
• Agent installed on each monitored machine
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering
ObserveIT Management Server
• ASP.NET application in IIS
• Mgmt Server receives session data from Agents
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB Server
• Communicates with Agents for config updates
ObserveIT Web Console
• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data
Database Server
• Microsoft SQL Server database
• Stores all config data, metadata and screenshots (or optional file-system storage)
• All connections via standard TCP port 1433
Diagram labels: Remote Users, Local Login, Desktop, ObserveIT Agents, Metadata Logs & Video Capture, ObserveIT Management Server, Database Server (Data Storage), ObserveIT Web Console (Administrators access ObserveIT audit), AD, Network Mgmt, SIEM, BI
Open API and Data Integration
• Standards-based
• Simple integration
37
Gateway Jump-Server Deployment
Corporate Servers
SSH
PuTTY
(no agent installed)
MSTSC
Gateway
Server
Corporate Desktops
Internet
(no agent installed)
ObserveIT
Agent
Remote and local users
Corporate Servers
(no agent installed)
ObserveIT
Management Server
38
Hybrid Deployment
Corporate Servers
SSH
PuTTY
(no agent installed)
MSTSC
Gateway
Server
Corporate Desktops
Internet
(no agent installed)
ObserveIT
Agent
Remote and local users
Direct login
(not via gateway)
Sensitive production servers
(agent installed)
ObserveIT
Management Server
39
Gateway Jump-Server Deployment
Customer #1 Servers
SSH
PuTTY
(no agent installed)
MSTSC
Gateway
Server
Internet
Remote and local users
Customer #2 Servers
(no agent installed)
ObserveIT
Agent
Customer #3 Servers
(no agent installed)
ObserveIT
Management Server
40
Citrix Published Apps Deployment
Published Apps
Citrix
Server
Remote
Access
ObserveIT
Agent
ObserveIT
Management Server
41
HOW AGENT WORKS
ObserveIT Architecture:
How the Windows Agent Works
Synchronized capture via Active Process of OS
• User logon wakes up the Agent
• Real-time: User action triggers Agent capture
• Screen Capture
• Metadata Capture: URL, Window Title, Etc.
• Captured metadata & image packaged and sent to Mgmt Server for storage
43
ObserveIT Architecture:
How the Linux/Unix Agent Works
User-mode executable that is bound to every secure shell or telnet session
• User logon wakes up the Agent
• Real-time: TTY CLI activity triggers Agent capture
• CLI I/O Capture
• Metadata Capture: System Calls, Resources Affected, Etc.
• Captured metadata & I/O packaged and sent to Mgmt Server for storage
44
KEY FEATURES: WHAT MAKES OBSERVEIT GREAT
Generate logs for every app
(Even those with no internal logging!!)
WHAT DID THE USER DO?
A human-understandable list
of every user action
Cloud-based app: Salesforce.com
System utilities: GPO, Notepad
Legacy software: financial package
46
Video analysis generates intelligent text metadata
for Searching and Navigation
ObserveIT captures:
• User
• Server
• Date
• App launched
• Files opened
• URLs
• Window titles
• Underlying system calls
Launch video replay at the
precise location of interest
47
Recording all protocols
Telnet
Windows Console
(Ctrl-Alt-Del)
Unix/Linux Console
• Agnostic to network protocol and client application
• Remote sessions and also local console sessions
• Windows, Unix, Linux
48
Logs tied to Video recording: Windows sessions
Audit Log
USER SESSION REPLAY:
Bulletproof forensics for
security investigation
Replay Window
CAPTURES ALL ACTIONS:
Mouse movement, text entry, UI
interaction, window activity
PLAYBACK NAVIGATION:
Move quickly between apps that the
user ran
49
Logs tied to Video recording: Unix/Linux sessions
Audit Log
List of each
user command
Replay Window
Exact video playback
of screen
50
Privileged/Shared User Identification
ObserveIT requires named user
account credentials prior to granting
access to system
User logs on as generic
“administrator”
Each session audit is now
tagged with an actual name:
Login userid: administrator
Actual user: Daniel
Active Directory used
for authentication
51
Policy Messaging
Send policy and status updates to each user exactly when they log in to server
“NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.”
Capture optional user feedback or ticket # for detailed issue tracking
Ensure that policy standards are explicitly acknowledged
52
Real-time Playback
On-air icon launches
real-time playback
View session activity “live”, while users are still active
53
Report Automation:
Pre-built and custom compliance reports
Schedule reports to run
automatically for email delivery
in HTML, XML and Excel
Canned compliance audits
and build-your-own
investigation reports
Design report according to
precise requirements: Content
Inclusion, Data Filtering,
Sorting and Grouping
54
Double-password privacy assurance:
Addresses employee privacy mandates
Two passwords:
One for Management. Second
for union rep or legal counsel
Textual audit logs can be accessed
by compliance officers for security
audits, but video replay requires
employee rep authorization
(both passwords)
55
API Interface
Control ObserveIT Agent via
scripting and custom DLLs
within your corporate
applications
Start, stop, pause and resume
recorded sessions based on custom
events based on process IDs, process
names or web URLs
56
Robust Security
• Agent ↔ Server communication
– AES Encryption - Rijndael
– Token exchange
– SSL protocol (optional)
– IPSec tunnel (optional)
• Database storage
– Digital signatures on captured sessions
– Standard SQL database inherits your enterprise data security practices
• Watchdog mechanism
– Restarts the Agent if the process is ended
– If watchdog process itself is stopped, Agent triggers watchdog restart
– Email alert sent on watchdog/agent tampering
57
Recording Policy Rules
Determine what apps to
record, whether to record
metadata, and specify
stealth-mode per user
Granular include/exclude
policy rules per server,
user/user group or application
to determine recording policy
58
Pervasive User Permissions
• Granular permissions / access control
– Define rules for each user
– Specify which sessions the user may playback
• Permission-based filtering affects all content access
– Reports
– Searching
– Video playback
– Metadata browsing
• Tight Active Directory integration
– Manage permissions groups in your native AD repository
• Access to ObserveIT Web Console is also audited
– ObserveIT audits itself
– Addresses regulatory compliance requirements
59
CUSTOMER SUCCESS STORIES
HIPAA Compliance Auditing
Business Environment
• Medical imaging products (MRI, CT, US, X-Ray) deployed at
hospitals and medical centers worldwide
• Customer support process requires remote session access to
deployed systems
Industry: Medical Equipment Manufacturer
Solution: Compliance Report Automation (HIPAA)
Company: Toshiba Medical Systems
Challenge
• Strict HIPAA compliance regulations must be enforced and
demonstrable
• In addition, SLA commitments require visibility of service times
and durations
Solution
• ObserveIT deployed in a Gateway architecture
• All access routed via agent-monitored Citrix gateway
• Actual systems being accessed remain agent-less
• Toshiba achieved 24x7 SLA reports, including granular incident summaries
• Automatic generation of HIPAA regulatory documentation, led
to reduced compliance costs and improved customer (hospital)
satisfaction
61
PCI Compliance at a Market Transaction Clearinghouse
Business Environment
• A major clearinghouse must provide concrete PCI documentation
Challenge
Industry: Financial Services
Solution: Compliance Report Automation (PCI)
• Each audit report cycle was a major effort of log collection
• Audits were often judged incomplete when exact cause of system
change was unidentified
Solution
• Since deploying ObserveIT, audit reporting has become fully
automated
• Zero audit rejects have occurred
62
Remote Vendor Monitoring at Coca-Cola
Business Environment
• Bottling and production line software for geographically
diverse sites
• Centralized ERP platform for sales, fulfillment and
compensation
• Many platforms supported by 3rd Party solution providers
Industry: Food&Beverage Manufacturing
Solution: Remote Vendor Monitoring
Company: Coca-Cola
Challenge
• Ensure 100% accountability for any system access violation
• Eliminate downtime errors caused by inappropriate login usage
• Increase security of domain admin environment
Solution
• ObserveIT deployed on all systems that are accessed via RDP by
remote vendors
• IT admins also monitored on sensitive domain admin servers
• As a result, Coca-Cola saw a significant decrease in system
availability issues caused by improper user actions
“As soon as vendors discovered that all actions are being recorded, it became much easier to manage them.”
Moti Landes
IT Div. CISO
63
Medical Systems Remote Auditing
Business Environment
• Corporate servers host business applications for both internal
and customer-facing solutions
• Servers are managed and accessed by various privileged user
staff members
• Access is also open to multiple external vendor contractors
Industry: Medical Equipment Manufacturer
Solution: Remote Vendor Auditing
Company: Siemens Medical Instruments
Challenge
• Before ObserveIT, there was no practical way to log user activities
on these servers.
Solution
• ObserveIT provides accountability of all internal and outsource
vendor admins
• Reporting and searching is used to focus on critical issues
• Fast deployment ensured quick and painless uptime: “All we needed to do was to install a small agent on the servers to be monitored and the recording starts immediately, without even requiring any configuration and settings”
“Not only was ObserveIT able to record every single user session on the servers, the recordings are also fully indexed, allowing me to zoom in on areas of interest.”
Robert Ng,
Siemens
64
Customer Audits and ISO 27001 at BELLIN Treasury
Business Environment
• Hosted treasury software solutions deployed in 7 data centers
worldwide for over 6,000 customers
• System support and development teams must access servers
via RDP
• Customers demand precise audit validation on-demand
Industry: Financial Software Services
Solution: Compliance Auditing
Company: Bellin Treasury
Challenge
• Proactively provide customers with evidence of bulletproof
audit trail process
• Satisfy the regulatory mandates of each of the customer
environments worldwide
Solution
• ObserveIT deployed on all production servers worldwide
• One-time setup and hands-free operations keeps maintenance
costs down
• Customer satisfaction increased significantly
• Solution submitted as central part of ISO 27001 certification
process
“We enjoy showing off to our customers that every user action is recorded. This increases confidence all around.”
Rick Beecroft,
Area Manager, Americas and Pacific Rim
65
Remote Vendor Monitoring at Visa (LeumiCard)
Business Environment
• LeumiCard’s highly-secured data center runs on several
platforms, all with sensitive mission-critical applications.
Challenge
• Operations and maintenance require system access by various
privileged internal users via RDP.
• Corporate control reports require documentation of exactly what
takes place on each production server, and to be able to explain
why the action was necessary.
Solution
• Shared-account (administrator) users must provide secondary
named-user credentials from Active Directory
• User must acknowledge that s/he is aware that s/he is logging into
a production server.
• Video recording captures a video replay of each user session.
• Daily email control reports are delivered automatically to each
manager, according to area of responsibility. Each of these
managers can then replay sessions that relate to their systems
Industry: Financial Services
Solution: Remote Vendor Monitoring
Company: LeumiCard
“This has dramatically decreased the number of user sessions on production machines. Users are more likely to find an alternative way to do their job via secondary test servers, which means a reduced number of entries in my daily control reports.”
Ofer Ben Artzy,
Manager of Infrastructure Systems
66
ISO 27001 Compliance for Remote User Audits
Business Environment
• Large government and corporate customers demand ISO
compliance
• Mission-critical ERP platform managed by an external service
provider
• Corporate philosophy focuses on “safety, certainty and high
standards”
Industry: Utilities / Construction
Solution: Compliance Report Automation (ISO 27001)
Company: Electrotim
Challenge
• Compliance requirements call for monitoring and logging the
activities of all external users who access the network
Solution
• ObserveIT was deployed on corporate servers and TS machines
• Combination of visual screenshots plus full indexing of text is used
for easy searching
• Secure logging of all access to the system by remote connection
• Fast access to the logs during the examination of each incident
“Implementation has been dictated to prevent problems with third parties having access to our IT system.”
Przemysław Jasiński
IT Department Manager
67
Remote Admin User Monitoring
Business Environment
• Payment transaction platform distributed across Europe
• Supporting 60,000 ATM machines
• Clearing 90,000,000 transactions per day
Industry: Financial Services
Solution: Remote Vendor Monitoring
Company: VocaLink
Challenge
• Control access to system resources, including shared privileges
between two merged corporate entities during period of merger
• Achieve common system management and visibility
Solution
• 2008: ObserveIT deployed to monitor and audit server activity
during corporate merger
• 2009: Successful visibility results from merger activity lead to
system-wide deployment
68
Remote Admin User Monitoring
Business Environment
• Web-based system connects families with a range of health,
social service and other federal and state support programs
• Deployed and managed on 93 servers and 91 workstations
across 3 geographically separated data centers
Industry: Healthcare IT
Solution: Privileged User Auditing
Company: Center to Promote HealthCare Access
Challenge
• The Center is dedicated to providing usability, ease of access
and responsiveness, without compromising any aspects of
data security or compliance.
• Given the sensitivity of personal health records data and the
internal and government regulations regarding data access
compliance, The Center sought to augment its security with
an auditing solution that would detail all data and server
access
Solution
• Peace-of-mind from knowing exactly what developers and
admins are doing
• Immediate fulfillment of compliance usage reports
• Faster response time to system faults
“This is critical for keeping our servers up and running, and also to answer management’s needs to demonstrate compliance.”
“We still need to document every server access by IT Admins and internal staff developers.”
Vinay Singh
IT Operations Manager
69
Reducing Errors Caused by 3rd Party Vendors
Business Environment
• 1200-server IT environment in 3 hosting centers
• Business applications (Billing, CRM, etc.) and Customer-facing
applications (Revenue generating mobile services)
Challenge
Industry: Telecommunications
Solution: Root-Cause Analysis + Vendor Monitor
Company: Pelephone
• Maintain QoS with multiple 3rd party apps
• Track activities of privileged vendor access
Solution
• ObserveIT initially deployed on 5 internal business app
servers, and resolves high-visibility outage on mission-critical
app: Identified improper actions by outsource vendor.
• ObserveIT next is deployed on entire IT platform
• ObserveIT integrated into CA environment
• Multiple customer-facing outages solved
• Positive ROI via elimination of revenue losses from service
outages
• Vendor billing decreased once they realized they were being
recorded
“Since we deployed ObserveIT, users are much more careful with their server activity. Knowing that your actions can be replayed has a remarkable effect.”
Isaac Milshtein
Director, IT Operations
70
Managed Services Monitoring at an IT Services Firm
Business Environment
• IT support vendor provides system management services for
over 40 major Global 1000 clients
Industry: IT Services
Solution: Managed Services Monitoring
Challenge
• Each customer has different connection protocol requirements
(some via VNC, some via RDP, some via Citrix, etc.)
Solution
• After deploying ObserveIT on an outgoing gateway, all
sessions on customer servers are recorded
• Since deployment, there have been fewer accusations from
customers regarding system problems
• For the few issues that were raised, the vendor immediately
provided recordings that proved that all actions were proper
71
Thank You!
EMPLOYEE PRIVACY POLICY:
HOW OBSERVEIT COMPLIES WITH STRICT PRIVACY LAWS
Meeting Dual Requirements
Privacy Requirements
• User Consent
• Separation of personal communications
• Secure Storage & Limited Access
US
• Federal Law: Electronic Communications Privacy Act
• State Laws: ex: California Workplace Surveillance Labor Code
EU and European National Laws
• DPD 95/46/EC (EU)
• Human Rights Act (UK)
• BDSG (Germany)
• CNIL (France)
Compliancy Requirements
• User Accountability
• Wide scope of activity logging
• PCI-DSS
• ISO 27001
• SOX
• FSA
• Internal Corporate Compliance
74
How to answer both needs:
1. Inform users of recording policy
2. Only monitor what must be monitored
3. Protect recordings from unnecessary replay
75
1. Inform users of recording policy
• Users are aware of WHAT and WHY as soon as they log in
NOTE: PCI-DSS compliance regulations
require that user activity be audited.
All activity during this login session will
be recorded. Please confirm that you
are aware that you are being recorded.
76
2. Only monitor what must be monitored
• Granular control of what is recorded
– Ex 1: Record NOTHING EXCEPT activity within SAP application
– Ex 2: Record EVERYTHING EXCEPT Skype and personal email app
Determine what apps to record
(include/exclude rules per app, per
user, and per machine)
77
3. Protect recordings from unnecessary replay
• ‘4-eyes’ double-password privacy safeguards
– Management holds one password, legal counsel / union rep holds the second password
– Security Auditor can review list of applications run, but CANNOT replay video of user sessions!
– To replay video, legal counsel or union rep must consent and add password
Two passwords:
One for Management. Second for union rep or legal counsel.
Video replay is locked without union/legal approval
78
For more information...
• See our Whitepaper on Employee Privacy issues:
http://observeit-sys.com/Support/Whitepapers?req=privacy
79
IDENTITY THEFT DETECTION
80
The Identity Theft Problem
Majority of data breaches involve
stolen credentials or guessable
credentials.
Majority of data breaches are
discovered externally.
(customers, law enforcement, fraud detection,
press, WikiLeaks)
ObserveIT’s Identity Theft Detection
The Idea:
End users help detect identity theft.
Don’t fly solo: Bring end users into the identity theft detection loop.
After all, they know best if it was really them!
How it works:
Notify user each time someone logs in using his credentials from somewhere other than his PC.
(Similar to method used by Facebook, Gmail, Salesforce, etc.)
Check the whitelist:
UID   Client
Bob   BobsPC
Bob   BobsHomePC
• Bob, on Bob’s PC, with Bob’s Credentials, logs in to Some Server: UID:Bob from BobsPC is OK!
• Bob’s Home PC, with Bob’s Credentials: UID:Bob from BobsHomePC is NOT OK! “Hey Bob, Was this really you?” (Yes / No) “Hey Sam, Can we add UID:Bob from BobsHomePC to the whitelist?” (Yes / No)
• Not Bob, on Not Bob’s PC, with Bob’s Credentials: UID:Bob from NotBobsPC is NOT OK! “Hey Sam, You need to investigate!”
Sam the Security Manager
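The whitelist check and the user and administrator prompts from this slide, written out as a small state machine. This is an added example, not ObserveIT code: the class and method names, the returned action strings and the case-insensitive matching of UID and client names are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class LoginMonitor:
    """Tracks approved (UID, client) pairs and open confirmations.

    Hypothetical model of the flow on the slide: a login from a pair that
    is not whitelisted notifies the account owner; the owner's answer is
    then routed to the administrator, who alone can extend the whitelist.
    """
    whitelist: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # pair -> workflow state

    @staticmethod
    def _pair(uid, client):
        # Assumption: UIDs and client host names compare case-insensitively.
        return (uid.strip().lower(), client.strip().lower())

    def allow(self, uid, client):
        """Administrator seeds or extends the whitelist directly."""
        self.whitelist.add(self._pair(uid, client))

    def on_login(self, uid, client):
        pair = self._pair(uid, client)
        if pair in self.whitelist:
            return "ok"
        # Keep an existing state so a repeat login cannot reset a case
        # that is already with the administrator or under investigation.
        self.pending.setdefault(pair, "awaiting_user")
        return "notify_user"  # "Hey Bob, was this really you?"

    def on_user_reply(self, uid, client, was_me):
        pair = self._pair(uid, client)
        if self.pending.get(pair) != "awaiting_user":
            raise KeyError(f"no open user confirmation for {pair}")
        if was_me:
            # The owner's "yes" does not whitelist the pair by itself.
            self.pending[pair] = "awaiting_admin"
            return "ask_admin_to_whitelist"
        self.pending[pair] = "investigating"
        return "alert_admin_investigate"

    def on_admin_decision(self, uid, client, approve):
        pair = self._pair(uid, client)
        if self.pending.get(pair) != "awaiting_admin":
            raise KeyError(f"no whitelist request open for {pair}")
        del self.pending[pair]
        if approve:
            self.whitelist.add(pair)
            return "whitelisted"
        return "rejected"


def demo():
    """Replay the three scenarios from the slide and collect the actions."""
    mon = LoginMonitor()
    mon.allow("Bob", "BobsPC")
    return [
        mon.on_login("Bob", "BobsPC"),
        mon.on_login("Bob", "BobsHomePC"),
        mon.on_user_reply("Bob", "BobsHomePC", was_me=True),
        mon.on_admin_decision("Bob", "BobsHomePC", approve=True),
        mon.on_login("Bob", "BobsHomePC"),
        mon.on_login("Bob", "NotBobsPC"),
        mon.on_user_reply("Bob", "NotBobsPC", was_me=False),
    ]


if __name__ == "__main__":
    print(demo())
```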
What it looks like
• Email notification to end user
• Whitelist pairing by Administrator
• ID Theft Alert sent to Administrator
• Alert System review by Administrator