ObserveIT: User Activity Monitoring

Mark Kreymer, [email protected], June 2013

Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com


Page 1: ObserveIT : User Activity Monitoring


ObserveIT: User Activity Monitoring

Mark Kreymer, [email protected], June 2013

Page 2: ObserveIT : User Activity Monitoring

ObserveIT - Software that acts like a security camera on your servers!

• Video camera: recordings of all user activity
• Summary of key actions: alerts for problematic activity

Page 3: ObserveIT : User Activity Monitoring

700+ Enterprise Customers

• Retail / Service
• Gaming
• IT Services / Technology
• Manufacturing
• Healthcare / Pharma
• Financial
• Utilities / Logistics / Energy
• Government
• Telco & Media

Page 4: ObserveIT : User Activity Monitoring

Worldwide Presence

Switzerland: BCN, Bank Vontobel AG, Schweizerische Bundesbahnen (SBB) Swiss Federal Railway, ZKB, Corner Banca SA, Banca del Sempione, Banca Euromobiliare Suisse, BancaStato

USA: Trend Micro Inc., Shumway Capital Partners, LLC, Spoken Communications, University Health Systems of Eastern Carolina, Casino Arizona, CDW, Dimension Data Americas (USA), CSX Technology, PGE - Portland General Electric, Cisco (Webex), St. Jude Medical, UPS, Disney, IBM, Newegg, Spring Branch Independent School District, Sony, British Petroleum (BP), SUNY Downstate, Washington University, Western Governors University, Kroll Ontrack, BNP Paribas, StrataCare, LLC., Societe Generale (USA), MFS Investment Management, Fort McDowell Enterprises, CHARLES SCHWAB & CO, Aastra, Cost Plus World Market (CPWM)

Bolivia: Telecel S.A. TIGO

Chile: Nexus

Argentina: Nuevo Banco del Chaco S.A.

Angola: Banco Nacional de Angola

Australia: Woodside Energy Ltd, Australian Stock Exchange, Netstar, Logicalis

India: HDFC Bank Ltd., iYogi, HCL, Wipro

UK: UK Payments Administration Ltd, BlackRock, QinetiQ, Vocalink UK, Friends Provident, Hyperion Insurance Group, LCH.Clearnet Ltd., BSkyB Sky Network Service, Xtrakter Ltd, Opal Telecom Ltd Talk Talk Technology (Carphone CPWN), BNP Paribas Real Estate Advisory (UK), VTB Capital plc, Baillie Gifford & Co., Heritage Group LTD

Canada: Bell Canada, Quebec Loto, Bellin Treasury Services Ltd., Toronto Hydro, Transat A.T. Inc., Atlantic Lottery Corporation (ALC)

Czech Republic: GE Money Bank

Israel: Excellence Nessua, Yes, Leumi Bank, Harel Insurance, Hapoalim Bank, Ayalon Insurance, Pelephone, Comverse, Zim, Clal Insurance, Bezeq, Visa, Coca Cola, Orange, First International Bank, Bank Discount, Ministry of Interior

China: Ministry of Education, China Construction Bank, China Mobile Group Guangdong Co., Shinsei Bank, Tesco China, China Foreign Exchange Trade System National Interbank Funding Center, The Hong Kong Jockey Club, DMX

South Africa: Derivco (PTY) Ltd., Ubank, MultiChoice Africa (Pty) Ltd., Clicks Group Ltd., Truworths

Tanzania: MIC Tanzania, Ltd. TIGO

Trinidad & Tobago: PETROTRIN

United Arab Emirates: First Gulf Bank, Metito Overseas Ltd., AHI Carrier Fzc

Philippines: Asian Development Bank

Singapore: BT Frontline, Siemens Medical, Singapore Post, Singapura Finance, UOB, Shimano

South Korea: Samsung Networks Korea, Yonsei Hospital, GS Caltex, Defense Acquisition Program Administration

Qatar: QFC Regulatory Authority, Court of the Crown Prince (CPC), Financial Centre Authority

Taiwan: Taiwan Railways Administration, MOTC, Taiwan Accreditation Foundation (TAF), Taiwan Mobile

Poland: Podkarpacki Oddział Wojewódzkiego Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie, Elektrotim S.A., Inteligo Financial Services S.A.

Slovenia: Zavarovalnica Triglav d.d., Raiffeisen banka d.d.

Croatia: T-Mobile Croatia, OTP

France: CG61, S2IH, BOUYGUES TELECOM, Societe Generale, Groupama Asset Management (GAM)

Germany: Sanofi Aventis, HSH Nordbank, Boehringer Ingelheim GmbH, AGRAVIS Raiffeisen AG, Deutsche Telekom AG

Greece: hol

Hungary: Wizz Air

Norway: VTS

Turkey: Turkcell, ANADOLU SIGORTA, Vakifbank, Yasar Factoring, T.C. Ziraat Bankası

Spain: Banco Espirito Santo S.A., CECA (Confederación Española de Cajas de Ahorros), BBVA, Caja Madrid

Italy: Vodafone (Italy), ELECTRONIC'S TIME SRL, Allianz SPA, ING Lease Italia S.p.A., UBI Banca Sistemi&Servizi, Xerox s.p.a.

Cyprus: SEM Ltd

Luxembourg: TELINDUS Luxembourg

Slovakia: Tatra Banka a.s.

Estonia: Estonian Security Police Board

Chad: MIC Chad, Ltd. TIGO

Liechtenstein: LGT Financial Services

Japan: Mitsubishi Information

Page 5: ObserveIT : User Activity Monitoring

Business challenges that ObserveIT addresses

Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘finger pointing’

Compliance & Security Accountability
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO

Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best-practices

Page 6: ObserveIT : User Activity Monitoring

An Analogy

Bank Branch Office vs. Bank Computer Servers: they both hold money… they both have Access Control… but the branch office also has security cameras, and the servers don’t!

Companies invest in access control, but once users gain access, there is little knowledge of who they are and what they do!

(Even though 71% of data breaches involve privileged user credentials)

Page 7: ObserveIT : User Activity Monitoring

“I don’t have this problem. I’ve got log analysis!”

“The picture isn’t quite as rosy as you think.”

Only 1% of data breaches are discovered by log analysis!

(Even in large orgs with established SIEM processes, the number is still only 8%!)

Why?

Because system logs are built by DEVELOPERS for DEBUG!

(and not by SECURITY ADMINS for SECURITY AUDIT)

Page 8: ObserveIT : User Activity Monitoring

Wouldn’t it be easier with a ‘Replay Video’ button?

Can you tell what happened here?

Video Replay shows exactly what happened

Page 9: ObserveIT : User Activity Monitoring

And many commonly used apps don’t even have their own logs!

DESKTOP APPS
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype

ADMIN TOOLS
• Registry Editor
• SQL Manager
• Toad
• Network Config

TEXT EDITORS
• vi
• Notepad

REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere

Page 10: ObserveIT : User Activity Monitoring

System Logs are like Fingerprints: they show the results/outcome of what took place.

User Audit Logs are like Surveillance Recordings: they show exactly what took place!

“Both are valid… but the video log goes right to the point!”

Page 11: ObserveIT : User Activity Monitoring

Our Solution

TODAY:
Sam the Security Officer: “WHO is doing WHAT on our network???”
Alex the Admin logs on to a corporate server or desktop as ‘Administrator’.

WITH ObserveIT’s 3 key features:
1: Video Capture (video session recording)
2: Video Content Analysis (list of apps, files, URLs accessed)
3: Shared-user Identification (‘Admin’ = Alex)
Audit Reporting DB & SIEM Log Collector
User / Video / Text Log: Alex / Play! / App1, App2
Sam: “Cool! Now I know.”

Page 12: ObserveIT : User Activity Monitoring

LIVE DEMO

Demo Links:

Live hosted demo: http://demo.observeit.com

YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1

Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1

Page 13: ObserveIT : User Activity Monitoring

DEPLOYMENT SCENARIO OPTIONS

Page 14: ObserveIT : User Activity Monitoring

Standard Agent-based Deployment

Diagram components: ObserveIT Agents (Desktop with Local Login; Remote Users via RDP, SSH, ICA), AD / Network Mgmt, ObserveIT Web Console, ObserveIT Management Server, Database Server, SIEM / BI. Agents deliver Metadata Logs & Video Capture.

Agent installed on each monitored machine
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering

Mgmt Server receives session data from Agents
• ASP.NET application in IIS
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB Server
• Communicates with Agents for config updates

Data Storage
• Microsoft SQL Server database (or optional file-system storage)
• Stores all config data, metadata and screenshots
• All connections via standard TCP port 1433

Web Console (administrators access the ObserveIT audit)
• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data

Open API and Data Integration
• Standards-based
• Simple integration

Page 15: ObserveIT : User Activity Monitoring

Gateway Jump-Server Deployment

Diagram: Remote and local users → Internet → Gateway Server (ObserveIT Agent; MSTSC, PuTTY, SSH) → Corporate Servers (no agent installed), Corporate Desktops (no agent installed). Gateway Server ↔ ObserveIT Management Server.

Page 16: ObserveIT : User Activity Monitoring

Hybrid Deployment

Diagram: Remote and local users → Internet → Gateway Server (ObserveIT Agent; MSTSC, PuTTY, SSH) → Corporate Servers (no agent installed), Corporate Desktops (no agent installed). Sensitive production servers (agent installed) are reached by direct login (not via gateway). Gateway Server and agents ↔ ObserveIT Management Server.

Page 17: ObserveIT : User Activity Monitoring

Gateway Jump-Server Deployment

Diagram: Remote and local users → Internet → Gateway Server (ObserveIT Agent; MSTSC, PuTTY, SSH) → Customer #1 Servers (no agent installed), Customer #2 Servers (no agent installed), Customer #3 Servers (no agent installed). Gateway Server ↔ ObserveIT Management Server.

Page 18: ObserveIT : User Activity Monitoring

Citrix Published Apps Deployment

Diagram: Remote Access → Citrix Server (ObserveIT Agent) → Published Apps. Citrix Server ↔ ObserveIT Management Server.