Presentation from one of the remarkable IT Security events in the Baltic States organized by “Data Security Solutions” (www.dss.lv ) Event took place in Riga, on 7th of November, 2013 and was visited by more than 400 participants at event place and more than 300 via online live streaming.

1. ObserveIT:
User Activity Monitoring
Mark Kreymer
mark@observeit.com
June, 2013
Copyright © 2011 ObserveIT. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only.
www.observeit.com

2. ObserveIT Software that acts like a security camera on your servers!
 Video camera: Recordings of all user activity


 Summary of key actions: Alerts for problematic activity
2

3. 700+ Enterprise Customers
Healthcare / Pharma
Financial
Telco & Media
Manufacturing
Retail / Service
Utilities / Logistics / Energy
IT Services / Technology
Government
Gaming
3

4. Worldwide Presence
France
CG61
S2IH
BOUYGUES TELECOM
Societe Generale
Groupama Asset
Management (GAM)
Spain
Banco Espirito Santo S.A.
CECA (Confederación
Española de Cajas de
Ahorros)
BBVA
Caja Madrid
Canada
Bell Canada
Quebec Loto
Bellin Treasury Services Ltd.
Toronto Hydro
Transat A.T. Inc.
Atlantic Lottery Corporation
(ALC)
UK
Germany
Norway
Estonia
UK Payments Administration Ltd
Sanofi Aventis
VTS
Estonian Security
BlackRock
HSH Nordbank
Police Board
QinetiQ
Boehringer Ingelheim GmbH
Switzerland
Vocalink UK
AGRAVIS Raiffeisen AG
BCN
Friends Provident
Deutsche Telekom AG
Bank Vontobel AG
Hyperion Insurance Group
Schweizerische Bundesbahnen (SBB)
LCH.Clearnet Ltd.
Luxemburg
Swiss Federal Railway
BSkyB Sky Network Service
TELINDUS Luxmeburge
ZKB
Xtrakter Ltd
Corner Banca SA
Opal Telecom Ltd
Banca del Sempione
Talk Talk Technology (Carphone CPWN) Liechtenstein
Banca Euromobiliare Suisse
BNP Paribas Real Estate Advisory (UK) LGT FInancial Services
BancaStato
VTB Capital plc
Baillie Gifford & Co.
Italy
Heritage Group LTD
Vodafone (Italy)
ELECTRONIC'S TIME SRL
Allianz SPA
ING Lease Italia S.p.A.
UBI Banca Sistemi&Servizi
Xerox s.p.a.
Poland
Podkarpacki OddziaB
Wojewódzkiego Narodowego
Funduszu Zdrowia z siedzib w
Rzeszowie
Elektrotim S.A.
Inteligo Financial Services S.A.
Czech Republic
Hungary
Greece
GE Money Bank
Wiz
z Air
hol
Croatia
Slovenia
Cyprus
T-Mobile Croatia
OTP
Zavarovalnica Triglav d.d
Raiffeisen banka d.d.
SEM Ltd
Slovakia
Tatra Banka a.s.
South Korea
Japan
Mitsubishi Information
USA
Trend Micro Inc.
Shumway Capital Partners, LLC
Spoken Communications
University Health Systems of Eastern Carolina
Casino Arizona
CDW
Dimension Data Americas (USA)
CSX Technology
PGE - Portland General Electric
Cisco (Webex)
St. Jude Medical
UPS
Disney
IBM
Newegg
Spring Branch Independent School District
Sony
British Petrolum (BP)
SUNY Downstate
Washington University
Western Governors University
Kroll Ontrack
BNP Paribas
StrataCare, LLC.
Societe Generale (USA)
MFS Investment Management
Fort McDowell Enterprises
CHARLES SCHWAB & CO
Aastra
Cost Plus World Market (CPWM)
Samsung Networks Korea
Yonsei Hospital
GS Caltex
Defense Acquisition
Program Administration
China
Taiwan
Trinidad &
Tobago
Bolivia
Turkey
PETROTRIN
Telecel S.A. TIGO
Chile
Nexus
Argentina
Nuevo Banco del
Chaco S.A.
Angola
Banco Nacional
de Angola
Chad
MIC Chad, Ltd. TIGO
South Africa
Derivco (PTY) Ltd.
Ubank
MultiChoice Africa (Pty)
Ltd.
Clicks Group Ltd.
Truworths, South Africa
Tanzania
MIC Tanzania, Ltd. TIGO
Turkcell
ANADOLU SIGORTA
Vakifbank
Yasar Factoring
T.C. Ziraat Bankas1
Israel
Qatar
Taiwan Railways
Administration, MOTC
Taiwan Accreditation
Foundation (TAF)
Taiwan Mobile
Ministry of Education
China Construction Bank
China Mobile Group Guangdong Co.
ShinseiBank
Tesco China
China Foreign Exchange Trade System
National Interbank Funding Center
The Hong Kong Jockey Club
DMX
India
HDFC Bank Ltd.
iYogi
HCL
Wipro
Excellence Nessua
QFC Regulatory Authority
Yes
Court of the Crown Prince (CPC)
Leumi Bank
Financial Centre Authority
Harel Insurance
Hapoalim Bank
United Arab Emirates
Ayalon Insurance
First Gulf Bank
Australia
Pelephone
Metito Overseas Ltd.
Woodside Energy Ltd
Comverse
AHI Carrier Fzc
Australian Stock Exchange
Zim
NetstarLogicalis
Clal Insurance
Bezeq
Visa
Coca Cola
Orange
First International Bank
Bank Discount
Ministry of Interior
Philippines
Asian Development Bank
Singapore
BT Frontline
Siemens Medical
Singapore Post
Singapura Finance
UOB
Shimano
4

5. Business challenges that ObserveIT addresses
Remote Vendor
Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘Finger pointing’
Compliance &
Security Accountability
Root Cause Analysis &
Documentation
• Reduce compliance costs for
GETTING compliant and
STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO
• Immediate root-cause answers
• Document best-practices
5

6. An Analogy
Bank Branch Office
Bank Computer Servers
Companies invest in access control
but once users gain access,
there is little knowledge of
who they are and what they do!
(Even though 71% of data breaches
involve privileged user credentials)
They both hold money…
…They both have Access Control…
...Here they also have security cameras…
…Here, they don’t!
6

7. Why?
Because system logs are built by DEVELOPERS for DEBUG!
Only 1% of data breaches are
(and not by SECURITY ADMINS for SECURITY AUDIT)
discovered by log analysis!
(Even in large orgs with established SIEM processes,
the number is still only 8%!)
“
“
“
“
I don’t have this problem.
I’ve got log analysis!
The picture isn’t quite as
rosy as you think.
7

8. Can you tell what
happened here?
Replay Video
Wouldn’t it be easier
with a ‘Replay Video’
button?
Video Replay shows
exactly what happened
8

9. And many commonly used apps don’t even have their own logs!
• DESKTOP APPS
DESKTOP APPS
•
•
•
•
Firefox / Chrome / IE
MS Excel / Word
Outlook
Skype
REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere
ADMIN TOOLS
•
•
•
•
Registry Editor
SQL Manager
Toad
Network Config
TEXT EDITORS
• vi
• Notepad
9

10. System Logs are like
Fingerprints
They show the results/outcome
System Logs areof what took place
like Fingerprints
User Audit Logs are like
Surveillance Recordings
They show exactly what
took place!
“
“
Both are valid…
…But the video log goes right to the point!
10

11. Our Solution
1: Video Capture
Video
Session
Recording
‘Admin‘
= Alex
Logs on as ‘Administrator’
X X X
IT
Alex the
Admin
2: Video Content Analysis
List of apps,
files, URLs
accessed
3: Shared-user Identification
Corporate
Server or Desktop
WHO is doing WHAT
on our network???
Cool! Now I know.
Audit Reporting DB &
SIEM Log Collector
User
Alex
Video
Play!
Text Log
App1, App2
Sam the
Security Officer
11

12. Demo Links:
Live hosted demo: http://demo.observeit.com
YouTube demos:
English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1
Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1
LIVE DEMO

13. DEPLOYMENT SCENARIO OPTIONS

14. Standard Agent-based Deployment
•
•
•
•
Agent installed ObserveIT audit
Administrators access on each monitored machine
• Agent becomes active only when user session starts
• ASP.NET application in IIS
•
Data Storage
Mgmt Data capture is triggered by userand reporting movement, text typing,
Server receives video replay activity (mouse
• Primary interface forsession data from Agents
etc.). No recording takes place while user is idle
ASP.NET application in IIS • Microsoft SQL Server database
• Also used for configuration and admin tasks
• Communicates with Mgmt Server via HTTP on customizable port, with
CollectsWeb console includesthe Agents file-system limiting
• all data delivered by granular policy rules for storage)
(or optonal
optional SSL encryption
Analyzes and categorizes data,Stores all config data, metadata and screenshots
access to sensitive dataand sends to DB Server
• recorded info (customizable buffer size)
• Offline mode buffers
Communicates with Agents for config updates via standard TCP port 1433
• All connections
• Watchdog mechanism prevents tampering
ObserveIT
Agents
ObserveIT
Web Console
ObserveIT
Management
Server
Remote
Users
Database
Server
Metadata Logs
& Video Capture
Local
Login
Desktop
AD
Network
Mgmt
SIEM
BI
Open API and Data Integration
• Standards-based
• Simple integration
14

15. Gateway Jump-Server Deployment
Corporate Servers
SSH
PuTTY
(no agent installed)
MSTSC
Gateway
Server
Corporate Desktops
Internet
(no agent installed)
ObserveIT
Agent
Remote and local users
Corporate Servers
(no agent installed)
ObserveIT
Management Server
15

16. Hybrid Deployment
Corporate Servers
SSH
PuTTY
(no agent installed)
MSTSC
Gateway
Server
Corporate Desktops
Internet
(no agent installed)
ObserveIT
Agent
Remote and local users
Direct login
(not via gateway)
Sensitive production servers
(agent installed)
ObserveIT
Management Server
16

17. Gateway Jump-Server Deployment
Customer #1 Servers
SSH
PuTTY
(no agent installed)
MSTSC
Gateway
Server
Internet
Remote and local users
Customer #2 Servers
(no agent installed)
ObserveIT
Agent
Customer #3 Servers
(no agent installed)
ObserveIT
Management Server
17

18. Citrix Published Apps Deployment
Published Apps
Citrix
Server
Remote
Access
ObserveIT
Agent
ObserveIT
Management Server
18