dss itsec 2013 conference 07.11.2013 - observeit - monitoring everyone

Copyright © 2011 ObserveIT. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only. www.observeit.com ObserveIT: User Activity Monitoring Mark Kreymer [email protected] June, 2013


DESCRIPTION

Presentation from one of the remarkable IT security events in the Baltic States, organized by “Data Security Solutions” (www.dss.lv). The event took place in Riga on 7 November 2013 and was attended by more than 400 participants on site and more than 300 via online live streaming.

TRANSCRIPT

Page 1: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone


ObserveIT: User Activity Monitoring

Mark Kreymer, [email protected], June 2013

Page 2: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

ObserveIT - Software that acts like a security camera on your servers!

• Video camera: recordings of all user activity
• Summary of key actions: alerts for problematic activity

Page 3: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

700+ Enterprise Customers

• Retail / Service
• Gaming
• IT Services / Technology
• Manufacturing
• Healthcare / Pharma
• Financial
• Utilities / Logistics / Energy
• Government
• Telco & Media

Page 4: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Worldwide Presence

Switzerland: BCN; Bank Vontobel AG; Schweizerische Bundesbahnen (SBB) Swiss Federal Railway; ZKB; Corner Banca SA; Banca del Sempione; Banca Euromobiliare Suisse; BancaStato
USA: Trend Micro Inc.; Shumway Capital Partners, LLC; Spoken Communications; University Health Systems of Eastern Carolina; Casino Arizona; CDW; Dimension Data Americas (USA); CSX Technology; PGE - Portland General Electric; Cisco (Webex); St. Jude Medical; UPS; Disney; IBM; Newegg; Spring Branch Independent School District; Sony; British Petroleum (BP); SUNY Downstate; Washington University; Western Governors University; Kroll Ontrack; BNP Paribas; StrataCare, LLC.; Societe Generale (USA); MFS Investment Management; Fort McDowell Enterprises; CHARLES SCHWAB & CO; Aastra; Cost Plus World Market (CPWM)
Bolivia: Telecel S.A. TIGO
Chile: Nexus
Argentina: Nuevo Banco del Chaco S.A.
Angola: Banco Nacional de Angola
Australia: Woodside Energy Ltd; Australian Stock Exchange; Netstar; Logicalis
India: HDFC Bank Ltd.; iYogi; HCL; Wipro
UK: UK Payments Administration Ltd; BlackRock; QinetiQ; Vocalink UK; Friends Provident; Hyperion Insurance Group; LCH.Clearnet Ltd.; BSkyB Sky Network Service; Xtrakter Ltd; Opal Telecom Ltd Talk Talk Technology (Carphone CPWN); BNP Paribas Real Estate Advisory (UK); VTB Capital plc; Baillie Gifford & Co.; Heritage Group LTD
Canada: Bell Canada; Quebec Loto; Bellin Treasury Services Ltd.; Toronto Hydro; Transat A.T. Inc.; Atlantic Lottery Corporation (ALC)
Czech Republic: GE Money Bank
Israel: Excellence Nessua; Yes; Leumi Bank; Harel Insurance; Hapoalim Bank; Ayalon Insurance; Pelephone; Comverse; Zim; Clal Insurance; Bezeq; Visa; Coca Cola; Orange; First International Bank; Bank Discount; Ministry of Interior
China: Ministry of Education; China Construction Bank; China Mobile Group Guangdong Co.; Shinsei Bank; Tesco China; China Foreign Exchange Trade System National Interbank Funding Center; The Hong Kong Jockey Club; DMX
South Africa: Derivco (PTY) Ltd.; Ubank; MultiChoice Africa (Pty) Ltd.; Clicks Group Ltd.; Truworths, South Africa
Tanzania: MIC Tanzania, Ltd. TIGO
Trinidad & Tobago: PETROTRIN
United Arab Emirates: First Gulf Bank; Metito Overseas Ltd.; AHI Carrier Fzc
Philippines: Asian Development Bank
Singapore: BT Frontline; Siemens Medical; Singapore Post; Singapura Finance; UOB; Shimano
South Korea: Samsung Networks Korea; Yonsei Hospital; GS Caltex; Defense Acquisition Program Administration
Qatar: QFC Regulatory Authority; Court of the Crown Prince (CPC); Financial Centre Authority
Taiwan: Taiwan Railways Administration, MOTC; Taiwan Accreditation Foundation (TAF); Taiwan Mobile
Poland: Podkarpacki Oddział Wojewódzkiego Narodowego Funduszu Zdrowia z siedzibą w Rzeszowie; Elektrotim S.A.; Inteligo Financial Services S.A.
Slovenia: Zavarovalnica Triglav d.d; Raiffeisen banka d.d.
Croatia: T-Mobile Croatia; OTP
France: CG61S2IH; BOUYGUES TELECOM; Societe Generale; Groupama Asset Management (GAM)
Germany: Sanofi Aventis; HSH Nordbank; Boehringer Ingelheim GmbH; AGRAVIS Raiffeisen AG; Deutsche Telekom AG
Greece: hol
Hungary: Wizz Air
Norway: VTS
Turkey: Turkcell; ANADOLU SIGORTA; Vakifbank; Yasar Factoring; T.C. Ziraat Bankası
Spain: Banco Espirito Santo S.A.; CECA (Confederación Española de Cajas de Ahorros); BBVA; Caja Madrid
Italy: Vodafone (Italy); ELECTRONIC'S TIME SRL; Allianz SPA; ING Lease Italia S.p.A.; UBI Banca Sistemi&Servizi; Xerox s.p.a.
Cyprus: SEM Ltd
Luxembourg: TELINDUS Luxembourg
Slovakia: Tatra Banka a.s.
Estonia: Estonian Security Police Board
Chad: MIC Chad, Ltd. TIGO
Liechtenstein: LGT Financial Services
Japan: Mitsubishi Information

Page 5: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Business challenges that ObserveIT addresses

Remote Vendor Monitoring
• Impact human behavior
• Transparent SLA and billing
• Eliminate ‘finger pointing’

Compliance & Security Accountability
• Reduce compliance costs for GETTING compliant and STAYING compliant
• Satisfy PCI, HIPAA, SOX, ISO

Root Cause Analysis & Documentation
• Immediate root-cause answers
• Document best practices

Page 6: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

An Analogy

Bank Branch Office vs. Bank Computer Servers: they both hold money… …they both have Access Control… …here (the branch) they also have security cameras… …here (the servers), they don’t!

Companies invest in access control, but once users gain access, there is little knowledge of who they are and what they do!

(Even though 71% of data breaches involve privileged user credentials)

Page 7: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

“I don’t have this problem. I’ve got log analysis!”

“The picture isn’t quite as rosy as you think.”

Only 1% of data breaches are discovered by log analysis!

(Even in large orgs with established SIEM processes, the number is still only 8%!)

Why?

Because system logs are built by DEVELOPERS for DEBUG!

(and not by SECURITY ADMINS for SECURITY AUDIT)

Page 8: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Wouldn’t it be easier with a ‘Replay Video’ button?

[Slide image with a “Replay Video” button] Can you tell what happened here? Video Replay shows exactly what happened.

Page 9: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

And many commonly used apps don’t even have their own logs!

DESKTOP APPS
• Firefox / Chrome / IE
• MS Excel / Word
• Outlook
• Skype

ADMIN TOOLS
• Registry Editor
• SQL Manager
• Toad
• Network Config

TEXT EDITORS
• vi
• Notepad

REMOTE & VIRTUAL
• Remote Desktop
• VMware vSphere

Page 10: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

System Logs are like Fingerprints: they show the results/outcome of what took place.

User Audit Logs are like Surveillance Recordings: they show exactly what took place!

“Both are valid… …But the video log goes right to the point!”

Page 11: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Our Solution

TODAY: Sam the Security Officer asks “WHO is doing WHAT on our network???” An IT admin (Alex the Admin) logs on to a corporate server or desktop as ‘Administrator’, so the activity cannot be tied to a person.

With ObserveIT’s 3 key features:

1: Video Capture (video session recording)
2: Video Content Analysis (list of apps, files, URLs accessed)
3: Shared-user Identification

The results go to the Audit Reporting DB and the SIEM log collector, giving a per-user video and text log (User: Alex; Video: Play!; Text Log: App1, App2). Sam: “Cool! Now I know. ‘Admin’ = Alex.”
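The slide’s point is that an OS logon under a shared account such as ‘Administrator’ tells you nothing about which person was at the keyboard, and that a user-activity log carrying a secondary identification closes that gap. The following added example, written for this page and not ObserveIT’s code, joins two constructed record sets, OS-style logon events and user-activity-monitoring (UAM) session records, to attribute shared-account sessions to named people and to flag shared-account logons that no UAM record can explain. Both record formats, the session ids and the people are invented for the example; the application names are taken from the slide on apps without their own logs.

```python
"""
Added example (not ObserveIT code): attribute shared-account activity to a
named person by joining two constructed log sources.

Source 1: OS-style logon events that only know the account name
          ("Administrator"), which several admins share.
Source 2: UAM session records that carry a secondary identification (the
          real person who identified themselves at logon) and the
          applications used in that session.
Both record formats are invented for this example.
"""
from collections import defaultdict

# Constructed OS logon events: session id, account, host, time of day
LOGON_EVENTS = [
    {"session": "S-101", "account": "Administrator", "host": "db01", "time": "09:02"},
    {"session": "S-102", "account": "Administrator", "host": "db01", "time": "10:15"},
    {"session": "S-103", "account": "svc_backup",    "host": "fs02", "time": "10:40"},
    {"session": "S-104", "account": "Administrator", "host": "web03", "time": "11:05"},
]

# Constructed UAM session records: session id, identified person, apps accessed
UAM_SESSIONS = [
    {"session": "S-101", "user": "alex", "apps": ["Registry Editor", "SQL Manager"]},
    {"session": "S-102", "user": "dana", "apps": ["Remote Desktop"]},
    {"session": "S-103", "user": None,   "apps": ["Notepad"]},  # service account, nobody prompted
    # S-104 has no UAM record at all: constructed as "no agent on web03"
]

# Accounts whose logons must be tied to a person before the audit trail is useful
SHARED_ACCOUNTS = {"Administrator"}


def attribute_sessions(logons, uam_sessions, shared=SHARED_ACCOUNTS):
    """Return (attributed, unattributed).

    attributed:   session id -> {"user", "account", "host", "apps"} for every
                  logon whose UAM record names a real person.
    unattributed: logon events under a shared account that cannot be tied to a
                  person (no UAM record, or a record without an identity).
    """
    by_session = {rec["session"]: rec for rec in uam_sessions}
    attributed, unattributed = {}, []
    for ev in logons:
        rec = by_session.get(ev["session"])
        if rec and rec["user"]:
            attributed[ev["session"]] = {
                "user": rec["user"],
                "account": ev["account"],
                "host": ev["host"],
                "apps": list(rec["apps"]),
            }
        elif ev["account"] in shared:
            # A shared-account logon we cannot explain is an audit coverage gap
            unattributed.append(ev)
    return attributed, unattributed


def activity_per_user(attributed):
    """Collapse attributed sessions into person -> sorted list of (host, app)."""
    out = defaultdict(set)
    for info in attributed.values():
        for app in info["apps"]:
            out[info["user"]].add((info["host"], app))
    return {user: sorted(pairs) for user, pairs in out.items()}


if __name__ == "__main__":
    attributed, gaps = attribute_sessions(LOGON_EVENTS, UAM_SESSIONS)
    for user, pairs in activity_per_user(attributed).items():
        print(f"{user}: {pairs}")
    for ev in gaps:
        print(f"UNATTRIBUTED shared-account logon {ev['session']} "
              f"on {ev['host']} at {ev['time']}")
```

Run as a script, it reports Alex’s and Dana’s activity on db01 by name and lists the Administrator logon on web03 as unattributed; in practice that second list is the check a security officer would review to find hosts where shared-account sessions are still invisible.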

Page 12: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

LIVE DEMO

Demo Links:

Live hosted demo: http://demo.observeit.com

YouTube demos: English: http://www.youtube.com/watch?v=uSki27KvDk0&hd=1

Russian: http://www.youtube.com/watch?v=fzVhLfSb2nY&hd=1

Page 13: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

DEPLOYMENT SCENARIO OPTIONS

Page 14: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Standard Agent-based Deployment

[Diagram: ObserveIT Agents on desktops and servers (local login; remote users via RDP, SSH, ICA; AD and network management) send metadata logs and video capture to the ObserveIT Management Server, which uses a Database Server and serves the ObserveIT Web Console; SIEM and BI integration.]

Agent installed on each monitored machine
• Agent becomes active only when user session starts
• Data capture is triggered by user activity (mouse movement, text typing, etc.). No recording takes place while user is idle
• Communicates with Mgmt Server via HTTP on customizable port, with optional SSL encryption
• Offline mode buffers recorded info (customizable buffer size)
• Watchdog mechanism prevents tampering

Mgmt Server receives session data from Agents
• ASP.NET application in IIS
• Collects all data delivered by the Agents
• Analyzes and categorizes data, and sends to DB Server
• Communicates with Agents for config updates

Data Storage
• Microsoft SQL Server database (or optional file-system storage)
• Stores all config data, metadata and screenshots
• All connections via standard TCP port 1433

Administrators access ObserveIT audit via the Web Console
• ASP.NET application in IIS
• Primary interface for video replay and reporting
• Also used for configuration and admin tasks
• Web console includes granular policy rules for limiting access to sensitive data

Open API and Data Integration
• Standards-based
• Simple integration

Page 15: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Gateway Jump-Server Deployment

[Diagram: remote and local users connect over the Internet to a Gateway Server running the ObserveIT Agent (MSTSC, PuTTY, SSH); from the gateway they reach Corporate Servers and Corporate Desktops with no agent installed; the gateway reports to the ObserveIT Management Server.]

Page 16: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Hybrid Deployment

[Diagram: as in the gateway deployment, remote and local users connect over the Internet to a Gateway Server running the ObserveIT Agent (MSTSC, PuTTY, SSH) to reach Corporate Servers and Corporate Desktops with no agent installed; in addition, sensitive production servers have the agent installed and are reached by direct login (not via gateway); both report to the ObserveIT Management Server.]

Page 17: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Gateway Jump-Server Deployment

[Diagram: remote and local users connect over the Internet to a Gateway Server running the ObserveIT Agent (MSTSC, PuTTY, SSH); from the gateway they reach Customer #1, Customer #2 and Customer #3 Servers with no agent installed; the gateway reports to the ObserveIT Management Server.]

Page 18: DSS ITSEC 2013 Conference 07.11.2013 - ObserveIT - Monitoring everyone

Citrix Published Apps Deployment

[Diagram: Remote Access users reach Published Apps on a Citrix Server running the ObserveIT Agent; the Citrix Server reports to the ObserveIT Management Server.]