ObserveIT Customer presentation

ObserveIT: User Activity Monitoring
November 2011

Copyright © 2011 ObserveIT Ltd. – Commercially Confidential www.observeit.com


ObserveIT - Software that acts like a security camera on your servers!

• Video recording of all user activity
• Analysis of video to generate text audit logs (even for apps that have no internal logging!)


400+ Enterprise Customers: Key Industries

Financial

Telecommunications

IT Services

Retail / Service

Utilities / Public Services

Gaming

Healthcare / Pharma

Manufacturing


Business challenges that ObserveIT solves

Remote Vendor Monitoring

Compliance & Security Accountability

Root Cause Analysis & Documentation


An Analogy

Bank Branch Office / Bank Computer Servers

They both hold money.

They both have Access Control. The branch also has security cameras. The servers do not.


Companies invest a lot in controlling user access. But once users gain access…

…there is little knowledge of who they are and what they do!


“If there is one positive note, it’s that discovery through log analysis has dwindled down towards 0%, so things are only looking up from here.”

Less than 1% of data breaches are discovered via log analysis.


Check out Event Viewer on your computer: Can you ‘discover’ what you just did 5 minutes ago?

Don’t blame your log analysis tools for not finding something that you yourself can’t find (even with a head-start)!

• Thousands of log entries…
• …lots of arcane technical details…
• …But nothing actually shows what the user did!


I don’t have a log analysis problem…. I’ve got a SIEM

The picture isn’t quite as rosy as you think.


SIEM Tools have Blindspots (But don’t blame your SIEM!!!)

What logs do these apps produce?

Desktop Apps
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype

Remote / Virtualization
• Remote Desktop
• VMware vSphere

Text Editors
• vi
• Notepad

Admin Tools
• Registry Editor
• SQL Manager / Toad
• Network Config

All these apps either:
• Don’t have any logs
-OR-
• Only have technical debug logs

Blindspots are NOT an inherent problem in SIEM... They are caused by what we feed the SIEM


Wouldn’t you rather be shown this?

Hey! The user clicked this checkbox!!!


Our intuitive approach

[Diagram, TODAY vs. with ObserveIT. Today: Alex the Admin (IT Admin) logs on to the Corporate Server as ‘Administrator’, and Sam the Security Officer asks “WHO is doing WHAT on our servers???” With ObserveIT: Video Capture (Video Session Recording), Shared-user Identification (‘Admin’ = Alex) and Video Analysis (list of apps, files, URLs accessed) feed the Audit Report Database, and Sam the Security Officer says “Cool!”]

Audit Report Database entry: Named User: Alex | Video: Play! | Text Log: App1, App2


[Same diagram as the previous slide, with two additions: “Every Protocol!” and “Patent-pending video storage: Low-footprint”]


System Logs are like Fingerprints
They show the results/outcome of what took place

User Audit Logs are like Video Recordings
They show exactly what took place!

Both are valid… Both are important… …But the video log goes right to the point!


LIVE DEMO

Demo Links


Live hosted demo: http://demo.observeit.com

Internal demo: http://184.106.234.181:4884/ObserveIT

YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1

Korean: http://www.youtube.com/watch?v=k5wLbREixco&hd=1

Chinese: http://www.youtube.com/watch?v=KVT-1dX_CoA&hd=1

Japanese: http://www.youtube.com/watch?v=7uwXlHpLeTc&hd=1

French: http://www.youtube.com/watch?v=wC31aXpkGOg&hd=1


Business challenges & Customer use-cases

Remote / 3rd-Party Vendor Auditing

• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘Finger pointing’

Compliance & Security Accountability

• Reduce compliance costs
• Eliminate audit blindspots
• Satisfy PCI, HIPAA, SOX, ISO

Root Cause Analysis & Documentation

• Immediate root cause determination

• Documenting best-practices and corporate processes


3rd Party Vendor Auditing

• Instant Accountability!
  – Know exactly what 3rd party vendors are doing
• Impact human behavior
  – Do you speed when you know there are radar cameras?
• Transparent SLA and Billing Validation
  – No doubts about what was done and for how long
• No more ‘Finger pointing’
  – Quickly find and fix problems


Turnkey solution for auditing remote users

• Route 3rd party users
  – Video audit of every action
• Policy & Support Ticket Messaging
  – Impacting human behavior
  – SLA clarity

[Diagram: Remote Users; Internet; ObserveIT Video Audit]

NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.


ObserveIT Compliance Coverage

Compliance Requirements and the corresponding ObserveIT Solution:

• Assign unique ID to each person with computer access (ex: PCI Requirement 8): ObserveIT Secondary Identification
• Track all access to network resources and sensitive data (ex: PCI Requirement 10): ObserveIT Session Recording
• Maintain policies that address information security (ex: PCI Requirement 12): ObserveIT Policy Messaging


But I like my SIEM tool!

So do we!


ObserveIT Video and Logs in CA UARM


ObserveIT Video and Logs in Splunk


DEPLOYMENT SCENARIO OPTIONS


Standard Agent-Based Deployment

[Diagram: Remote Users (Internet; RDP, SSH, ICA) and Local Login / Desktop; ObserveIT Agents; Metadata Logs & Video Capture; ObserveIT Management Server; Database Server; User Session Audit Data]


Gateway Deployment (Agent-less)

• Agent is deployed on gateway only. Records all sessions routed via that gateway.

[Diagram: Remote Users (Internet; RDP, VPN); Terminal Server or Citrix Server with ObserveIT Agent and Published Apps (PuTTY); Corporate Servers (no agent installed); Corporate Desktops (no agent installed); Metadata Logs & Video Capture; ObserveIT Management Server; Database Server; User Session Audit Data]


Hybrid Deployment

• Gateway agent audits all users routed via the gateway (no matter what target network resource)
• Additional agent deployment on sensitive production servers for more depth of coverage

[Diagram: Remote and local users (Internet; RDP, VPN); Terminal Server or Citrix Server with ObserveIT Agent; Any Corporate Server (no agent installed); Corporate Desktops (no agent installed); Sensitive production servers (agent installed) with ObserveIT Agent, also reached by direct login (not via gateway); Metadata Logs & Video Capture; ObserveIT Management Server; Database Server; User Session Audit Data]


SYSTEM ARCHITECTURE


ObserveIT Architecture

[Diagram: Remote Users (RDP, SSH, ICA) and Local Login / Desktop; ObserveIT Agents; Metadata Logs & Video Capture; ObserveIT Management Server; User Session Audit Data; Database Server; ObserveIT Web Console; integrations: AD, Network Mgmt, SIEM, BI]


ObserveIT Architecture: Management Server

• ASP.NET application in IIS
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB Server
• Communicates with Agents for config updates


ObserveIT Architecture: Agent

• Installed on each monitored server
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering


ObserveIT Architecture: How the Windows Agent Works

• User logon wakes up the Agent
• User action triggers Agent capture
• Real-time Screen Capture and Metadata Capture (URL, Window Title, etc.)
• Synchronized capture via Active Process of OS
• Captured metadata & image packaged and sent to Mgmt Server for storage


ObserveIT Architecture: How the Linux/Unix Agent Works

• User logon wakes up the Agent
• TTY CLI activity triggers Agent capture
• Real-time CLI I/O Capture and Metadata Capture (System Calls, Resources Affected, etc.)
• User-mode executable that is bound to every secure shell or telnet session
• Captured metadata & I/O packaged and sent to Mgmt Server for storage


ObserveIT Architecture: Web Console

• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data


ObserveIT Architecture: Database Server

• Microsoft SQL Server database
• Stores all config data, metadata and screenshots
• All connections via standard TCP port 1433


ObserveIT Architecture: SIEM/BI Integration

• Text metadata logs for all apps (including those with no internal logs) can be accessed by any SIEM collector
• BI systems can analyze and correlate based on specific user action
• Video replay of each action is correlated to the textual logs, giving more detailed evidence of activity


ObserveIT Architecture: System Integration

• AD integration for user validation and user group policy management
• Network Mgmt integration for system alerts and updates based on user activity


KEY FEATURES: WHAT MAKES OBSERVEIT GREAT


Generate logs for every app (Even those with no internal logging!!)

WHAT DID THE USER DO? A human-understandable list of every user action

Cloud-based app: Salesforce.com

System utilities: GPO, Notepad

Legacy software: financial package


Video analysis generates intelligent text metadata for Searching and Navigation

ObserveIT captures:
• User
• Server
• Date
• App Launched
• Files opened
• URLs
• Window titles
• Underlying system calls

Launch video replay at the precise location of interest


Recording Everything: Complete Coverage

• Agnostic to network protocol and client application
• Remote sessions and also local console sessions
• Windows, Unix, Linux

[Screenshots: Telnet; Unix/Linux Console; Windows Console (Ctrl-Alt-Del)]


Logs tied to Video recording: Windows sessions

[Screenshot: Audit Log and Replay Window]

• PLAYBACK NAVIGATION: Move quickly between apps that the user ran
• CAPTURES ALL ACTIONS: Mouse movement, text entry, UI interaction, window activity
• USER SESSION REPLAY: Bulletproof forensics for security investigation


Logs tied to Video recording: Unix/Linux sessions

[Screenshot: Audit Log and Replay Window]

• List of each user command
• Exact video playback of screen


Privileged/Shared User Identification

• User logs on as generic “administrator”
• ObserveIT requires named user account credentials prior to granting access to system
• Active Directory used for authentication
• Each session audit is now tagged with an actual name:
  Login userid: administrator
  Actual user: Daniel


Policy Messaging

NOTE: PCI-DSS compliance regulations require that user activity be audited. All activity during this login session will be recorded. Please confirm that you are aware that you are being recorded.

• Send policy and status updates to each user exactly when they log in to server
• Capture optional user feedback or ticket # for detailed issue tracking
• Ensure that policy standards are understood and explicitly acknowledged


Real-time Playback

• On-air icon launches real-time playback
• View session activity “live”, while users are still active


Report Automation: Pre-built and custom compliance reports

• Design report according to precise requirements: Content Inclusion, Data Filtering, Sorting and Grouping
• Canned compliance audits and build-your-own investigation reports
• Schedule reports to run automatically for email delivery in HTML, XML and Excel


Double-password privacy assurance: Complies with employee privacy mandates

Two passwords: One for Management. Second for union rep or legal counsel.

Textual audit logs to be accessed by compliance officers for security audits, but video replay requires employee council authorization (both passwords)


API Interface

• Start, stop, pause and resume recorded sessions on custom events based on process IDs, process names or web URLs
• Control ObserveIT Agent via scripting and custom DLLs within your corporate applications


Robust Security

Agent ↔ Server communication
• AES Encryption - Rijndael
• Token exchange
• SSL protocol (optional)
• IPSec tunnel (optional)

Database storage
• Digital signatures on captured sessions
• Standard SQL database inherits your enterprise data security practices

Watchdog mechanism
• Restarts the Agent if the process is ended
• If watchdog process itself is stopped, Agent triggers watchdog restart
• Email alert sent on any watchdog/agent tampering


Recording Policy Rules

• Granular include/exclude policy rules per server, user/user group or application to determine recording policy
• Determine what apps to record, whether to record metadata, and specify stealth-mode per user


Pervasive User Permissions

Granular permissions / access control
• Define rules for each user
• Specify which sessions the user may playback

Permission-based filtering affects all content access
• Reports
• Searching
• Video playback
• Metadata browsing

Tight Active-Directory integration
• Manage permissions groups in your native AD repository

Access to ObserveIT Web Console is also audited
• ObserveIT audits itself

Satisfies regulatory compliance requirements


CUSTOMER SUCCESS STORIES


HIPAA Compliance Auditing

Industry: Medical Equipment Manufacturer
Solution: Compliance Report Automation (HIPAA)
Company: Toshiba Medical Systems

Business Environment
• Medical imaging products (MRI, CT, US, X-Ray) deployed at hospitals and medical centers worldwide
• Customer support process requires remote session access to deployed systems

Challenge
• Strict HIPAA compliance regulations must be enforced and demonstrable
• In addition, SLA commitments require visibility of service times and durations

Solution
• ObserveIT deployed in a Gateway architecture
• All access routed via agent-monitored Citrix gateway
• Actual systems being accessed remain agent-less
• Toshiba achieved 24x7 SLA reports, including granular incident summaries
• Automatic generation of HIPAA regulatory documentation led to reduced compliance costs and improved customer (hospital) satisfaction


PCI Compliance at a Market Transaction Clearinghouse

Industry: Financial Services
Solution: Compliance Report Automation (PCI)

Business Environment
• A major clearinghouse must provide concrete PCI documentation

Challenge
• Each audit report cycle was a major effort of log collection
• Audits were often judged incomplete when exact cause of system change was unidentified

Solution
• Since deploying ObserveIT, audit reporting has become fully automated
• Zero audit rejects have occurred


Remote Vendor Monitoring at Coca-Cola

Industry: Food & Beverage Manufacturing
Solution: Remote Vendor Monitoring
Company: Coca-Cola

Business Environment
• Bottling and production line software for geographically diverse sites
• Centralized ERP platform for sales, fulfillment and compensation
• Many platforms supported by 3rd Party solution providers

Challenge
• Ensure 100% accountability for any system access violation
• Eliminate downtime errors caused by inappropriate login usage
• Increase security of domain admin environment

Solution
• ObserveIT deployed on all systems that are accessed via RDP by remote vendors
• IT admins also monitored on sensitive domain admin servers
• As a result, Coca-Cola saw a significant decrease in system availability issues caused by improper user actions

“As soon as vendors discovered that all actions are being recorded, it became much easier to manage them.”
Moti Landes, IT Infrastructure Manager and IT Div. CISO, Coca-Cola


Medical Systems Remote Auditing

Industry: Medical Equipment Manufacturer
Solution: Remote Vendor Auditing
Company: Siemens Medical Instruments

Business Environment
• Corporate servers host business applications for both internal and customer-facing solutions
• Servers are managed and accessed by various privileged user staff members
• Access is also open to multiple external vendor contractors

Challenge
• Before ObserveIT, there was no practical way to log user activities on these servers.

Solution
• ObserveIT provides accountability of all internal and outsource vendor admins
• Reporting and searching is used to focus on critical issues
• Fast deployment ensured quick and painless uptime: “All we needed to do was to install a small agent on the servers to be monitored and the recording starts immediately, without even requiring any configuration and settings”

“Not only was ObserveIT able to record every single user session on the servers, the recordings are also fully indexed, allowing me to zoom in on areas of interest.”
Robert Ng, Siemens


Customer Audits and ISO 27001 at BELLIN Treasury

Industry: Financial Software Services
Solution: Compliance Auditing
Company: Bellin Treasury

Business Environment
• Hosted treasury software solutions deployed in 7 data centers worldwide for over 6,000 customers
• System support and development teams must access servers via RDP
• Customers demand precise audit validation on-demand

Challenge
• Proactively provide customers with evidence of bulletproof audit trail process
• Satisfy the regulatory mandates of each of the customer environments worldwide

Solution
• ObserveIT deployed on all production servers worldwide
• One-time setup and hands-free operations keep maintenance costs down
• Customer satisfaction increased significantly
• Solution submitted as central part of ISO 27001 certification process

“We enjoy showing off to our customers that every user action is recorded. This increases confidence all around.”
Rick Beecroft, Area Manager, Americas and Pacific Rim, BELLIN Treasury


Remote Vendor Monitoring at LeumiCard

Industry: Financial Services
Solution: Remote Vendor Monitoring
Company: LeumiCard

Business Environment
• LeumiCard’s highly-secured data center runs on several platforms, all with sensitive mission-critical applications.

Challenge
• Operations and maintenance require system access by various privileged internal users via RDP.
• Corporate control reports require documentation of exactly what takes place on each production server, and to be able to explain why the action was necessary.

Solution
• Shared-account (administrator) users must provide secondary named-user credentials from Active Directory
• User must acknowledge that s/he is aware that s/he is logging into a production server.
• Video recording captures a video replay of each user session.
• Daily email control reports are delivered automatically to each manager, according to area of responsibility. Each of these managers can then replay sessions that relate to their systems

“This has dramatically decreased the number of user sessions on production machines. Users are more likely to find an alternative way to do their job via secondary test servers, which means a reduced number of entries in my daily control reports.”
Ofer Ben Artzy, Manager of Infrastructure Systems


ISO 27001 Compliance for Remote User Audits

Industry: Utilities / Construction
Solution: Compliance Report Automation (ISO 27001)
Company: Elektrotim

Business Environment
• Large government and corporate customers demand ISO compliance
• Mission-critical ERP platform managed by an external service provider
• Corporate philosophy focuses on “safety, certainty and high standards”

Challenge
• Compliance requirements call for monitoring and logging the activities of all external users who access the network

Solution
• ObserveIT was deployed on corporate servers and TS machines
• Combination of visual screenshots plus full indexing of text is used for easy searching
• Secure logging of all access to the system by remote connection
• Fast access to the logs during the examination of each incident

“Implementation has been dictated to prevent problems with third parties having access to our IT system.”
Przemysław Jasiński, IT Department Manager, Elektrotim


Remote Admin User Monitoring

Industry: Financial Services
Solution: Remote Vendor Monitoring
Company: VocaLink

Business Environment
• Payment transaction platform distributed across Europe
• Supporting 60,000 ATM machines
• Clearing 90,000,000 transactions per day

Challenge
• Control access to system resources, including shared privileges between two merged corporate entities during period of merger
• Achieve common system management and visibility

Solution
• 2008: ObserveIT deployed to monitor and audit server activity during corporate merger
• 2009: Successful visibility results from merger activity lead to system-wide deployment


Privileged User Auditing

Industry: Healthcare IT
Solution: Privileged User Auditing
Company: Center to Promote HealthCare Access

Business Environment
• Web-based system connects families with a range of health, social service and other federal and state support programs
• Deployed and managed on 93 servers and 91 workstations across 3 geographically separated data centers

Challenge
• The Center is dedicated to providing usability, ease of access and responsiveness, without compromising any aspects of data security or compliance.
• Given the sensitivity of personal health records data and the internal and government regulations regarding data access compliance, The Center sought to augment its security with an auditing solution that would detail all data and server access

Solution
• Peace-of-mind from knowing exactly what developers and admins are doing
• Immediate fulfillment of compliance usage reports
• Faster response time to system faults

“This is critical for keeping our servers up and running, and also to answer management’s needs to demonstrate compliance.”
Vinay Singh, IT Operations Manager

We still need to document every server access by IT Admins and internal staff developers.


Reducing Errors Caused by 3rd Party Vendors

Industry: Telecommunications
Solution: Root-Cause Analysis + Vendor Monitor
Company: Pelephone

Business Environment
• 1200-server IT environment in 3 hosting centers
• Business applications (Billing, CRM, etc.) and Customer-facing applications (Revenue generating mobile services)

Challenge
• Maintain QoS with multiple 3rd party apps
• Track activities of privileged vendor access

Solution
• ObserveIT initially deployed on 5 internal business app servers, and resolves high-visibility outage on mission-critical app: Identified improper actions by outsource vendor.
• ObserveIT next is deployed on entire IT platform
• ObserveIT integrated into CA environment
• Multiple customer-facing outages solved
• Positive ROI via elimination of revenue losses from service outages
• Vendor billing decreased once they realized they were being recorded

“Since we deployed ObserveIT, users are much more careful with their server activity. Knowing that your actions can be replayed has a remarkable effect.”
Isaac Milshtein, Director, IT Operations, Pelephone


Managed Services Monitoring at an IT Services Firm

Industry: IT Services
Solution: Managed Services Monitoring

Business Environment
• IT support vendor provides system management services for over 40 major Global 1000 clients

Challenge
• Each customer has different connection protocol requirements (some via VNC, some via RDP, some via Citrix, etc.)

Solution
• After deploying ObserveIT on an outgoing gateway, all sessions on customer servers are recorded
• Since deployment, there have been fewer accusations from customers regarding system problems
• For the few issues that were raised, the vendor immediately provided recordings that proved that all actions were proper


Thank You!


Employee Privacy Policy in Europe: How ObserveIT complies


Balancing Employee Privacy vs. Audit Compliancy

Privacy Requirements
• DPD 95/46/EC (EU)
• Human Rights Act (UK)
• BDSG (Germany)
• CNIL (France)
  – Separation of personal communications
  – Secure Storage & Limited Access
  – User Consent

Compliancy Requirements
• PCI-DSS
• ISO 27001
• SOX
• FSA
  – User Accountability
  – Wide scope of activity logging


ObserveIT is fully compliant with privacy law

• Double-passwords ensure both audit completeness and employee privacy
  – Management holds one password, employee council / union holds the second password
  – Granular deployment allows textual audit logs to be accessed by compliance officers (without the second password), but video replay requires employee council authorization (both passwords)
• Policy Rules eliminate monitoring for private communications
  – Include/Exclude granularity to capture only what is necessary for compliancy
• User policy messaging and consent validation
  – Users indicate awareness of monitoring activity each time they log on to a monitored server
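
The double-password rule described on the “Double-password privacy assurance” slide and in the bullets above, sketched as an added example (not ObserveIT's code and not part of the original deck): textual audit logs open with the management password alone, while the video replay key can only be rebuilt from both passwords. The class name, PBKDF2 parameters and key-combining step are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this sketch; tune to your own hardware.
PBKDF2_ROUNDS = 100_000


def _share(password: str, salt: bytes) -> bytes:
    """Stretch one party's password into a 32-byte key share."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _tag(label: bytes, secret: bytes) -> bytes:
    """Store only a labelled digest of a secret, never the secret itself."""
    return hashlib.sha256(label + secret).digest()


class DualControlVault:
    """Hypothetical gate: text logs need one password, video replay needs two."""

    def __init__(self, mgmt_password: str, council_password: str):
        self._mgmt_salt = os.urandom(16)
        self._council_salt = os.urandom(16)
        mgmt = _share(mgmt_password, self._mgmt_salt)
        council = _share(council_password, self._council_salt)
        self._text_check = _tag(b"text-log", mgmt)
        self._replay_check = _tag(b"replay", self._combine(mgmt, council))
        self.access_log = []  # every attempt is recorded: (resource, granted)

    @staticmethod
    def _combine(mgmt_share: bytes, council_share: bytes) -> bytes:
        # The replay key depends on both shares, so neither password
        # holder can rebuild it alone.
        return hmac.new(mgmt_share, council_share, hashlib.sha256).digest()

    def open_text_log(self, mgmt_password: str) -> bool:
        """Compliance officers: management password only."""
        candidate = _tag(b"text-log", _share(mgmt_password, self._mgmt_salt))
        granted = hmac.compare_digest(candidate, self._text_check)
        self.access_log.append(("text_log", granted))
        return granted

    def unlock_replay(self, mgmt_password: str, council_password: str):
        """Return the 32-byte replay key if both passwords match, else None."""
        key = self._combine(
            _share(mgmt_password, self._mgmt_salt),
            _share(council_password, self._council_salt),
        )
        granted = hmac.compare_digest(_tag(b"replay", key), self._replay_check)
        self.access_log.append(("video_replay", granted))
        return key if granted else None


if __name__ == "__main__":
    # Constructed passwords, for demonstration only.
    vault = DualControlVault("mgmt-example-pw", "council-example-pw")
    print(vault.open_text_log("mgmt-example-pw"))
    print(vault.unlock_replay("mgmt-example-pw", "guess") is None)
    print(vault.unlock_replay("mgmt-example-pw", "council-example-pw") is not None)
    print(vault.access_log)
```

Logging denied attempts alongside granted ones mirrors the deck's point that access to the audit console is itself audited.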


For more information...

• See our Whitepaper on Employee Privacy issues: http://observeit-sys.com/Support/Whitepapers?req=privacy
