ObserveIT User Activity Monitoring

Transcription

1 KuppingerCole Report EXECUTIVE VIEW by Martin Kuppinger April 2015 ObserveIT provides a comprehensive solution for monitoring user activity across the enterprise. The product operates primarily based on agents that can be deployed across a variety of platforms. It provides detailed user behavior analysis and live session response. by Martin Kuppinger mk@kuppingercole.com April 2015 Content 1 Introduction Product Description Strengths and Challenges Copyright... 6 Related Research #70,960 Leadership Compass Privilege Management #70,736 Advisory Note Privilege Management

2 1 Introduction Privilege Management deals with the most powerful IT users within your organization: your administrators and super users. Administrators in your windows environments, the admin users of your virtualization platform, your SAP super users or the DBAs of your database systems - to name only a few possible administrator types - are highly privileged users. The protection and monitoring of these accounts is traditionally weak for a number of reasons, including the fact that privileged accounts are typically not associated with a single person, which means that they are usually shared between several administrators. This is especially true for the master account of UNIX systems, the root account, which is still at the core of most UNIX-based administrative scenarios. In practice there is rarely a user life-cycle management scheme for privileged users in place and the danger of password leaks when internal admins leave the organization or the contract period of an external admin comes to an end has to be considered high. Without further measures there is no accountability of which person actually used an administrative account to perform a certain action or any evidence at all as to which operations have been performed, which devices have been accessed or which data has been copied, deleted or modified. Protecting the perimeter of an enterprise or a government agency, e.g. through the use of firewalls, is, today, a common approach to information security, but more and more organizations are realizing the danger of insider attacks, especially by highly privileged users like administrators. The fact that this is an actual danger to every company or institution has been proven by several well documented incidents as reported in the press recently, with the most prominent being Edward Snowden who was working as an administrator for the US National Security Agency (NSA). Understanding that actions performed even by a legitimate and trusted internal administrator can be a severe threat to an IT system and thus impose immediate business risks, no matter whether they are performed inadvertently or deliberately, should lead to suitable measures being taken as a key element for an organization s IT Security strategy. This includes the definition and implementation of appropriate processes for privileged user management and their enforcement. The key processes for Privileged User and Access Management include: Application onboarding, maintenance and offboarding: This covers the full life cycle of a target system integrated into a Privilege Management solution. This life cycle starts with the initial integration of the system, includes all changes to the system during its lifetime and the removal of the system after its decommissioning. Request for access: Administrative access using a privileged account usually requires some technical or business justification. To avoid uncontrolled access to the system an appropriate access request workflow has to be in place for the individual types of access requests. This includes ad hoc access, e.g. for immediate troubleshooting, scheduled access for planned tasks and regular access for maintenance purposes. Page 2 of 7

3 Approval: workflows for approving, challenging, or refusing access have to be in place as well. Access might be approved on a scheduled basis at a defined point in time and for a pre-defined duration or ad hoc for immediate access, if required. System access: The privileged access management system has to provide the actual access to the integrated system as requested and approved. Monitoring control and audit: Administrative access to critical systems requires appropriate audit measures. This includes monitoring all active administrative sessions, real-time access to individual current administrative sessions for supervisors and both the logging of typed key sequences and visual session recording and archiving of the collected information. Additionally automated process monitoring might be in place to detect and intercept undesirable actions within an administrative session. Mature Privilege Management solutions do not act as point solutions for access to individual critical systems but rather provide a unified Privilege Management platform for many critical systems which is integrated into overall IT Security and Identity and Access Management (IAM) strategies. The information gathered during the deployment of a Privilege Management system and its communication to connected systems might further be used in the analysis of an organization s overall Governance, Risk and Compliance (GRC) systems. To accomplish this, Privilege Management Systems have to provide appropriate interfaces and must adhere to the relevant standards (regarding file formats and communication protocols). The market for Privileged User Management products and Privileged Access Management products (usually referred to as Privilege Management or, in short, PxM due to the fact that the categorizations of the products vary between vendors) has developed very late in comparison with other sectors of IT security products. Nevertheless, as of now a large number of dedicated Enterprise IT Security vendors provide mature and enterprise-grade Privilege Management tools. The technological approaches of the products offered include: jump-host architectures implementing Privilege Management; transparent gateway and scanning appliances capturing, analyzing and recording network traffic; and security suites implementing Privilege Management architectures deploying serverside agent components. A comprehensive review of this market sector is available as the KuppingerCole document Leadership Compass Privilege Management. Within the Privilege Management market, there is a critical functional area around session monitoring, recording, and user behavior analytics that should ideally include real time response to sessions in case of policy violations. Page 3 of 7

4 2 Product Description ObserveIT is one of a few specialized vendors that started in the area of Privileged Session Monitoring. Like all players in that particular of the Privilege Management market, ObserveIT extended its portfolio gradually to provide a more comprehensive feature set. The company now focuses on User Activity Monitoring for all types of sensitive users, including three major capabilities: Monitoring and recording of sessions in visual form, both command line and GUI sessions, and the creation of user activity logs from the recorded data; User behavior analytics, that detect and alert about abnormal or illegitimate activities of users or hijacked accounts; and Live session response, allowing interception and alteration of sessions at runtime based on both information collected with user behavior analytics or through external products such as SIEM (Security Information and Event Management) tools. Additionally, their focus has extended from solely the traditional coverage of administrators and operators to also supporting use cases of other application users of systems such as SAP and external service providers that operate applications. In the area of session monitoring and recording, or to use the term ObserveIT introduced Visual Endpoint Recording, ObserveIT can capture sessions across a variety of systems, supporting all major protocols such as RDP (Remote Desktop Protocol) including the Citrix variant, SSH, Telnet, direct logins to consoles etc. Due to the fact that ObserveIT works with an agent-based approach, information can also be collected locally, in contrast to a number of other solutions that are network- or gateway-based. ObserveIT s agent-based approach not only allows monitoring and subsequently session recording, it also creates user activity logs that translate all user actions into logs. These logs allows meaningful and efficient searches, thus customers can quickly jump to the right section in a recording when doing forensics. ObserveIT delivers a strong implementation in that feature area, allowing for efficient analysis of recorded sessions. These user activity logs include detailed information not available from other sources, including the applications, open windows, accessed URLS, text entry, etc. All that information can be easily searched, without even going to the recording. Based on that, a number of reports are available. Information can also be exported in common formats such as Microsoft Excel files or XML documents. The tool provides an integrated report generator, allowing the creation of preconfigured, customized reports. Based on the wealth of information collected, ObserveIT furthermore provides the ability to run rulebased user activity analytics and generate alerts in case of rule violations. Such rules can be configured to, e.g., identify access to uncommon applications, systems, or other resources; identify the execution of an unusual number of activities; or alert on activities outside the normal work hours. There is a broad variety of criteria available for such analysis. Page 4 of 7

5 Furthermore, information can be exported to other solutions such as SIEM tools or the upcoming Real Time Security Intelligence (RTSI) products which extend SIEM by adding big data analytics and other capabilities. As of now, ObserveIT does not support predictive, pattern-based analytics, but is limited to rule-based analytics. Pattern-based approaches for analytics, based on historical data, can autonomously identify unusual patterns and anomalies, instead of creating large set of rules for that purpose. While advanced RTSI solutions might do that analysis and provide results back, adding such analytical capabilities would add value to the ObserveIT product. Based on the rules, alerts can be created at runtime, notifying defined individuals about rule violations, so that they can take action. These actions include access to the video recordings of sessions, but also access to the detailed user activity log. Based on the integration with 3 rd party SIEM solutions or its own rule set, ObserveIT allows real time drill-down of sessions, instant communication with the user, and shutdown of sessions if required. Agents collect the information and forward it to the ObserveIT Application Server, which uses a database server in the backend. Analytics run at the application server component, which also integrates with Microsoft Active Directory and Network Management solutions, while Business Intelligence and SIEM solutions can directly interface with the database server. This architecture is quite simple. ObserveIT has a well-defined partner program for various groups of partners, including alliance and technology partners for technical integration, resellers and distributors, and managed service and consulting partners. 3 Strengths and Challenges ObserveIT provides a robust solution for Privileged Session Management and subsequent session analysis. The agent-based approach chosen by ObserveIT also allows collecting a variety of data on local systems, supporting the wealth of context information collected by ObserveIT in addition to the video recordings and also allowing monitoring of local sessions. However, this requires deployment of local agents which might be a hurdle in some scenarios. ObserveIT also has strong support for virtualized and shared desktop environments (Citrix, VDI, etc ) Overall, ObserveIT is a strong contender in the Privilege Management Market as well as the growing User Activity Monitoring market segment. The major challenge from our perspective is the lack of support for advanced pattern-based analytics. Aside from that, all major features we expect to see in that market segment are provided, making ObserveIT one of the solutions customers should evaluate when looking at these markets. Furthermore, ObserveIT can build on a strong, global partner ecosystem and provides support for a variety of platforms and systems, with many technology alliances providing out-of-the-box integration. Page 5 of 7

6 Strengths Robust and versatile solution for Privileged Session Management Strong session recording features including comprehensive context information Strong reporting capabilities based on user activity log information associated to videos Broad number of partners in all areas with global coverage Strong integration with backend systems such as SIEM solutions Real time analytics of sessions and alerting and interception capabilities Broad platform support across the enterprise (Desktop, server, Citrix, Jump server ) Challenges No support for advanced pattern-based analytics of user behavior Agent deployment required, however agents deliver strong functionality in session analysis Large scale deployments might become challenging due to centralized backend server architecture 4 Copyright 2015 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them. Page 6 of 7

7 The Future of Information Security Today KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business. KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User Centric Identity Management, eid cards, Cloud Security and Management, and Virtualization. For further information, please contact clients@kuppingercole.com Kuppinger Cole Ltd. Sonnenberger Strasse Wiesbaden Germany Phone +49 (211) Fax +49 (211)