System Logs are like Fingerprints

ObserveIT: User Activity Monitoring
Your Full Name Here
youremail@youremail.com
Month 2014
Copyright © 2014 ObserveIT. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only.
www.observeit.com
ObserveIT: software that acts like a security camera on your servers!

• Video camera: recordings of all user activity
• Summary of key actions: alerts for problematic activity
Business challenges that ObserveIT addresses

Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘finger pointing’

Compliance & Security Accountability
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO

Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best-practices
An Analogy

Bank Branch Office vs. Bank Computer Servers:
They both hold money… …They both have Access Control… …Here (the branch office) they also have security cameras… …Here (the servers), they don’t!

Companies invest in access control, but once users gain access there is little knowledge of who they are and what they do! (Even though 71% of data breaches involve privileged user credentials.)
Why?

Because system logs are built by DEVELOPERS for DEBUG! (and not by SECURITY ADMINS for SECURITY AUDIT)

Only 1% of data breaches are discovered by log analysis! (Even in large orgs with established SIEM processes, the number is still only 8%!)

“I don’t have this problem. I’ve got log analysis!”
“The picture isn’t quite as rosy as you think.”
Can you tell what happened here?

Wouldn’t it be easier with a ‘Replay Video’ button?

Video Replay shows exactly what happened.
And many commonly used apps don’t even have their own logs!

DESKTOP APPS
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype

REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere

ADMIN TOOLS
• Registry Editor
• SQL Manager
• Toad
• Network Config

TEXT EDITORS
• vi
• Notepad
System Logs are like Fingerprints
They show the results/outcome of what took place.

User Audit Logs are like Surveillance Recordings
They show exactly what took place!

“Both are valid… …But the video log goes right to the point!”
Our Solution

1: Video Capture: video session recording on the corporate server or desktop.
2: Video Content Analysis: list of apps, files, URLs accessed.
3: Shared-user Identification: the user logs on as ‘Administrator’, and ObserveIT records that ‘Admin’ = Alex.

The results go to the Audit Reporting DB & SIEM Log Collector, where each session shows: User: Alex; Video: Play!; Text Log: App1, App2.

Sam the Security Officer: “WHO is doing WHAT on our network???” … “Cool! Now I know.”
Demo Links:

Powerpoint demo: Click here to show
LIVE DEMO
Live hosted demo: http://demo.observeit.com
Internal demo: http://184.106.234.181:4884/ObserveIT

YouTube demos:
English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1
Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1
Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1
French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1
Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
Enhance your SIEM with User Activity Monitoring
• View ObserveIT users’ activity in SIEM
• Direct link to the ObserveIT Video URL from the SIEM
• Ability to correlate ObserveIT events with other system events
• Ability to define rules/alerts based on ObserveIT user’s recorded events
Current system log report not clear enough? Then link to the video replay!

SIEM Platform:
• OS and DB System Log Report: Event… Event… Event…
• System Dashboard
• ObserveIT User Log Report: Event… Event… Event… (each event links to the Video Player)

Simple & automated correlation rules:
Timestamp + user + machine → Video Replay
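The correlation rule on this slide (timestamp + user + machine → video replay), together with the shared-user tagging from the "Our Solution" slide (logon as ‘Administrator’, actual user Alex), can be written as a small lookup. The following is an added example, not ObserveIT code: the session-record fields, the key=value log-line layout, the `observeit.example` replay URL and all sample values are assumptions constructed for illustration.

```python
"""Correlate a SIEM event (timestamp + user + machine) with a user-session record
and build a video-replay link positioned at the moment of the event.

Added example, not ObserveIT code: the session-record fields, the log-line layout
and the replay URL format are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    login_user: str   # account used at logon, e.g. a shared "administrator"
    actual_user: str  # named identity captured by shared-user identification
    machine: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class SiemEvent:
    timestamp: datetime
    user: str
    machine: str
    message: str


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed session records (hypothetical values, not real recordings).
SESSIONS: List[Session] = [
    Session("S-1001", "administrator", "Alex", "DB-SRV-01",
            _ts("2014-03-04 09:00:00"), _ts("2014-03-04 09:45:00")),
    Session("S-1002", "administrator", "Daniel", "DB-SRV-01",
            _ts("2014-03-04 10:00:00"), _ts("2014-03-04 10:30:00")),
    Session("S-1003", "svc_backup", "svc_backup", "FILE-SRV-02",
            _ts("2014-03-04 10:05:00"), _ts("2014-03-04 10:20:00")),
]

REPLAY_BASE = "https://observeit.example/replay"  # hypothetical web-console URL


def parse_event(line: str) -> SiemEvent:
    """Parse a constructed key=value log line such as:
    '2014-03-04 10:12:30 host=DB-SRV-01 user=administrator msg=schema changed'
    """
    ts_text, rest = line[:19], line[20:]
    # msg= comes last and may contain spaces, so split it off before tokenizing
    head, _, msg = rest.partition(" msg=")
    fields = {}
    for token in head.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return SiemEvent(_ts(ts_text), fields["user"], fields["host"], msg)


def match_session(event: SiemEvent, sessions: List[Session]) -> Optional[Session]:
    """The correlation rule: same machine, same logon user, event time inside the session."""
    for s in sessions:
        if (s.machine.lower() == event.machine.lower()
                and s.login_user.lower() == event.user.lower()
                and s.start <= event.timestamp <= s.end):
            return s
    return None


def replay_link(event: SiemEvent, sessions: List[Session] = SESSIONS) -> Optional[dict]:
    """Return the replay pointer for an event, or None when no session covers it."""
    s = match_session(event, sessions)
    if s is None:
        return None
    offset = int((event.timestamp - s.start).total_seconds())
    return {
        "session_id": s.session_id,
        "login_user": s.login_user,
        "actual_user": s.actual_user,   # the person behind the shared account
        "offset_seconds": offset,
        "url": f"{REPLAY_BASE}/{s.session_id}?t={offset}",
    }


if __name__ == "__main__":
    for line in (
        "2014-03-04 10:12:30 host=DB-SRV-01 user=administrator msg=schema changed on table customers",
        "2014-03-04 10:10:00 host=FILE-SRV-02 user=administrator msg=share permissions changed",
    ):
        print(line, "->", replay_link(parse_event(line)))
```

The second sample line deliberately has no covering session (the only session on FILE-SRV-02 belongs to a different logon account), which is the case a SIEM rule must handle: an event that cannot be tied to a recorded session is itself worth surfacing, because it means activity happened outside any monitored login.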
ObserveIT Video and Text Logs in CA UARM
• List of every app run
• Timeline view
• Breakdown by users and servers
• Detailed action listing
• Click ‘Play the video!’ icon to view
ObserveIT Video and Text Logs in Arcsight
• Dashboard breakdown of user activity
• Each action can link to open a video replay
• Video replay of user actions, within the Arcsight console
ObserveIT Video and Logs in Splunk – Activity Dashboard
• Search Window
• Dashboard breakdowns
• Detailed text logs of user actions
• Click icon to launch video replay

ObserveIT Video and Logs in Splunk – Browse Sessions
• Search Window
• Session details (Windows)
• Session details (Unix)
• Click icon to launch video replay

ObserveIT Video and Logs in Splunk – Session details
• Click icon to launch video replay per action

ObserveIT Video and Logs in LogRhythm

ObserveIT Video and Text Logs in RSA enVision
• Metadata filtering
• Event listing
DEPLOYMENT SCENARIO OPTIONS

Standard Agent-based Deployment

ObserveIT Agents
• Agent installed on each monitored machine
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering

ObserveIT Management Server
• ASP.NET application in IIS
• Receives data from Agents
• Analyzes and categorizes data, and sends metadata and screenshots to DB Server
• Communicates with Agents for config updates

ObserveIT Web Console
• ASP.NET application in IIS
• Administrators access ObserveIT audit interface
• Primary interface for session video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data

Database Server
• Microsoft SQL Server database (or optional file-system storage)
• Collects all data delivered by the Agents
• Stores all config data
• All connections via standard TCP port 1433

Diagram components: Remote Users and Local Login reach machines running ObserveIT Agents (Metadata Logs & Video Capture); ObserveIT Web Console; ObserveIT Management Server; Database Server; Desktop; AD; Network Mgmt; SIEM; BI.

Open API and Data Integration
• Standards-based
• Simple integration
Gateway Jump-Server Deployment
• Remote and local users connect over the Internet to the Gateway Server (ObserveIT Agent installed) using SSH, PuTTY or MSTSC.
• Corporate Servers (no agent installed) and Corporate Desktops (no agent installed) are reached through the gateway.
• The Gateway Server reports to the ObserveIT Management Server.

Hybrid Deployment
• As in the gateway deployment: remote and local users reach Corporate Servers and Corporate Desktops (no agent installed) through the Gateway Server (ObserveIT Agent installed) over SSH, PuTTY or MSTSC.
• In addition, sensitive production servers have the agent installed, so direct logins (not via gateway) are also recorded.
• All agents report to the ObserveIT Management Server.

Gateway Jump-Server Deployment (multi-customer)
• Remote and local users connect over the Internet to the Gateway Server (ObserveIT Agent installed) using SSH, PuTTY or MSTSC.
• Customer #1 Servers, Customer #2 Servers and Customer #3 Servers (no agent installed) are reached through the gateway.
• The Gateway Server reports to the ObserveIT Management Server.

Citrix Published Apps Deployment
• Remote Access users run Published Apps on the Citrix Server, which has the ObserveIT Agent installed.
• The Citrix Server reports to the ObserveIT Management Server.
HOW AGENT WORKS

ObserveIT Architecture: How the Windows Agent Works
• User logon wakes up the Agent
• Synchronized capture via Active Process of OS
• Real-time user action triggers Agent capture
• Screen Capture
• Metadata Capture: URL, Window Title, etc.
• Captured metadata & image packaged and sent to Mgmt Server for storage

ObserveIT Architecture: How the Linux/Unix Agent Works
• User-mode executable that is bound to every secure shell or telnet session
• User logon wakes up the Agent
• Real-time TTY CLI activity triggers Agent capture
• CLI I/O Capture
• Metadata Capture: System Calls, Resources Affected, etc.
• Captured metadata & I/O packaged and sent to Mgmt Server for storage
KEY FEATURES: WHAT MAKES OBSERVEIT GREAT

Generate logs for every app (even those with no internal logging!!)
WHAT DID THE USER DO? A human-understandable list of every user action:
• Cloud-based app: Salesforce.com
• System utilities: GPO, Notepad
• Legacy software: financial package

Video analysis generates intelligent text metadata for Searching and Navigation
ObserveIT captures:
• User
• Server
• Date
• App launched
• Files opened
• URLs
• Window titles
• Underlying system calls
Launch video replay at the precise location of interest.
Recording all protocols
• Agnostic to network protocol and client application (for example Telnet, Windows Console (Ctrl-Alt-Del), Unix/Linux Console)
• Remote sessions and also local console sessions
• Windows, Unix, Linux
Logs tied to Video recording: Windows sessions
• Audit Log and Replay Window side by side
• USER SESSION REPLAY: bulletproof forensics for security investigation
• CAPTURES ALL ACTIONS: mouse movement, text entry, UI interaction, window activity
• PLAYBACK NAVIGATION: move quickly between apps that the user ran

Logs tied to Video recording: Unix/Linux sessions
• Audit Log: list of each user command
• Replay Window: exact video playback of screen
Privileged/Shared User Identification
• ObserveIT requires named user account credentials prior to granting access to system
• User logs on as generic “administrator”
• Active Directory used for authentication
• Each session audit is now tagged with an actual name:
  Login userid: administrator
  Actual user: Daniel
Policy Messaging
NOTE: PCI-DSS compliance regulations require that user activity be audited.
• Send policy and status updates to each user exactly when they log in to server:
  “All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.”
• Capture optional user feedback or ticket # for detailed issue tracking
• Ensure that policy standards are explicitly acknowledged
Real-time Playback
• On-air icon launches real-time playback
• View session activity “live”, while users are still active
Report Automation: Pre-built and custom compliance reports
• Schedule reports to run automatically for email delivery in HTML, XML and Excel
• Canned compliance audits and build-your-own investigation reports
• Design report according to precise requirements: content inclusion, data filtering, sorting and grouping
Double-password privacy assurance: Addresses employee privacy mandates
• Two passwords: one for Management, second for union rep or legal counsel
• Textual audit logs can be accessed by compliance officers for security audits, but video replay requires employee rep authorization (both passwords)
API Interface
• Control ObserveIT Agent via scripting and custom DLLs within your corporate applications
• Start, stop, pause and resume recorded sessions based on custom events (process IDs, process names or web URLs)
Robust Security
• Agent ↔ Server communication
  • AES Encryption - Rijndael
  • Token exchange
  • SSL protocol (optional)
  • IPSec tunnel (optional)
• Database storage
  • Digital signatures on captured sessions
  • Standard SQL database inherits your enterprise data security practices
• Watchdog mechanism
  • Restarts the Agent if the process is ended
  • If watchdog process itself is stopped, Agent triggers watchdog restart
  • Email alert sent on watchdog/agent tampering
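The slide lists digital signatures on captured sessions as the control that makes stored recordings trustworthy. What that buys a defender is tamper evidence: a record that was edited, removed or cut off after capture no longer verifies. The following is an added example, not ObserveIT code and not its signature scheme: it illustrates the property with an HMAC-SHA256 chain over constructed session records (a shared secret standing in for a signing key), and the key, record layout and sample values are all assumptions.

```python
"""Tamper-evident sealing of captured session records.

Added example, not ObserveIT code. The slide says captured sessions carry digital
signatures; this illustrates the idea with an HMAC-SHA256 chain (a shared secret
standing in for a signing key), so that modifying, removing or truncating records
is detected at verification time. Key and records are constructed for the demo.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

SEAL_KEY = b"constructed-demo-key-do-not-use"  # hypothetical; a deployment would use a managed key
GENESIS = b"\x00" * 32                        # chain anchor before the first record


def _canonical(record: Dict) -> bytes:
    """Serialize deterministically so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_session(records: List[Dict], key: bytes = SEAL_KEY) -> Dict:
    """Chain each record's tag to the previous tag and finish with a session seal."""
    entries, prev = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        entries.append({"record": rec, "tag": tag.hex()})
        prev = tag
    # The closing seal binds the last tag and the record count, so truncation is visible.
    final = hmac.new(key, prev + b"END:" + str(len(records)).encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "final_tag": final}


def verify_session(sealed: Dict, key: bytes = SEAL_KEY) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index) of the first bad entry.
    The index equals len(entries) when only the closing seal fails (truncation)."""
    prev = GENESIS
    for i, entry in enumerate(sealed["entries"]):
        expected = hmac.new(key, prev + _canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(entry["tag"])):
            return False, i
        prev = expected
    n = len(sealed["entries"])
    expected_final = hmac.new(key, prev + b"END:" + str(n).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_final, sealed["final_tag"]):
        return False, n
    return True, None


# Constructed sample of a recorded Windows session (hypothetical values).
SAMPLE_RECORDS = [
    {"t": "2014-03-04T10:00:05Z", "user": "Daniel", "app": "regedit.exe", "title": "Registry Editor"},
    {"t": "2014-03-04T10:01:10Z", "user": "Daniel", "app": "mmc.exe", "title": "Group Policy Management"},
    {"t": "2014-03-04T10:03:42Z", "user": "Daniel", "app": "notepad.exe", "title": "hosts - Notepad"},
]


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Seal the sample session, then verify it intact and after three kinds of tampering."""
    sealed = seal_session(SAMPLE_RECORDS)
    results = {"intact": verify_session(sealed)}

    edited = copy.deepcopy(sealed)
    edited["entries"][1]["record"]["app"] = "calc.exe"   # rewrite one record
    results["edited"] = verify_session(edited)

    dropped = copy.deepcopy(sealed)
    del dropped["entries"][1]                            # remove a middle record
    results["dropped"] = verify_session(dropped)

    truncated = copy.deepcopy(sealed)
    del truncated["entries"][-1]                         # cut off the end of the session
    results["truncated"] = verify_session(truncated)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

Because each tag covers the previous tag, removing a record in the middle breaks the chain at the next entry, and the closing seal over the record count catches removal of the last record, which a plain per-record signature would miss. With a real asymmetric signature the same chaining applies; the verifier would then need only the public key, which is the point of the slide's "digital signatures" wording.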
Recording Policy Rules
• Determine what apps to record, whether to record metadata, and specify stealth-mode per user
• Granular include/exclude policy rules per server, user/user group or application to determine recording policy
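To make the include/exclude rules concrete, here is an added example (not ObserveIT code) of a policy evaluator: ordered rules matched by server, user, group and application, each deciding whether to record, whether to keep text metadata, and whether to run in stealth mode. The rule format, the first-match semantics, the default of not recording when nothing matches, and the sample policy are assumptions made for illustration.

```python
"""Evaluate include/exclude recording policy rules per server, user/group and application.

Added example, not ObserveIT code: the rule format, the first-match semantics and
the sample policy are assumptions made to illustrate the slide.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "include" (record) or "exclude" (do not record)
    server: str = "*"           # glob patterns; "*" matches anything
    user: str = "*"
    group: str = "*"
    app: str = "*"
    metadata: bool = True       # capture text metadata as well as video?
    stealth: bool = False       # record without the on-screen notice?


@dataclass
class Decision:
    record: bool
    metadata: bool = False
    stealth: bool = False
    matched: Optional[Rule] = None


# Constructed policy (hypothetical). Rules are evaluated top-down; first match wins.
POLICY: List[Rule] = [
    # Employee-privacy carve-out: never record personal communications tools.
    Rule("exclude", app="Skype"),
    Rule("exclude", app="Outlook"),
    # Named administrators on database servers: full recording with metadata.
    Rule("include", server="DB-*", group="DBA", metadata=True),
    # Third-party vendors anywhere: record, with the notice shown (no stealth).
    Rule("include", group="Vendors", metadata=True, stealth=False),
    # Help desk on desktops: video only, no metadata.
    Rule("include", server="WS-*", group="HelpDesk", metadata=False),
]


def _matches(rule: Rule, server: str, user: str, groups: List[str], app: str) -> bool:
    def ok(pattern: str, value: str) -> bool:
        return fnmatch(value.lower(), pattern.lower())   # case-insensitive glob
    return (ok(rule.server, server) and ok(rule.user, user) and ok(rule.app, app)
            and (rule.group == "*" or any(ok(rule.group, g) for g in groups)))


def decide(server: str, user: str, groups: List[str], app: str,
           policy: List[Rule] = POLICY, default_record: bool = False) -> Decision:
    """Return what the agent should do for one (server, user, groups, app) observation."""
    for rule in policy:
        if _matches(rule, server, user, groups, app):
            if rule.action == "exclude":
                return Decision(record=False, matched=rule)
            return Decision(record=True, metadata=rule.metadata,
                            stealth=rule.stealth, matched=rule)
    # Nothing matched: fall back to the site default. Defaulting to "off" here keeps
    # an unanticipated app on an unlisted server from being captured silently.
    return Decision(record=default_record, metadata=default_record)


if __name__ == "__main__":
    for args in (
        ("DB-SRV-01", "daniel", ["DBA", "Staff"], "SQL Manager"),
        ("DB-SRV-01", "daniel", ["DBA"], "Skype"),
        ("WS-042", "sam", ["HelpDesk"], "Registry Editor"),
        ("FILE-SRV-02", "bob", ["Staff"], "Notepad"),
    ):
        print(args, "->", decide(*args))
```

Ordering matters: the privacy exclusions sit first so that a broad include rule (such as the vendor rule) cannot override them, and a deployment that wants "record everything unless excluded" would set `default_record=True` instead of adding a catch-all include at the bottom, so the carve-outs stay visible at the top of the policy.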
Pervasive User Permissions
• Granular permissions / access control
  • Define rules for each user
  • Specify which sessions the user may playback
• Permission-based filtering affects all content access
  • Reports
  • Searching
  • Video playback
  • Metadata browsing
• Tight Active Directory integration
  • Manage permissions groups in your native AD repository
• Access to ObserveIT Web Console is also audited
  • ObserveIT audits itself
  • Addresses regulatory compliance requirements
Thank You!
Your Full Name
youremail@youremail.com