OBSERVEIT TECHNICAL INFORMATION FOR SALES TEAM. Created by Alex Ellis Pre-Sales Engineer - 2/26/14

Transcription

1 OBSERVEIT TECHNICAL INFORMATION FOR SALES TEAM Created by Alex Ellis Pre-Sales Engineer - 2/26/14

2 Contents Core Message:... 2 How the agent works for Windows (Desktop/Workstation/Windows Server/Windows Terminal Server/Citrix Server)... 2 Overhead for Windows Agent (Desktop/workstation/Windows Server/Windows Terminal Server/Citrix Server)... 2 How the agent works for Unix/Linux... 3 Overhead for Linux Agent... 3 Use Cases... 3 Architecture... 4 The flow of activity and communication between the components... 5 Deployment... 5 Agent Versus Agentless Deployment... 5 Security... 6 Competitive Analysis Cyber-Ark... 6 Competitive Analysis Spector SIEM and Log Management Integration... 7 Ticketing System Integration... 7 Important Links for s... 8 Competitive Comparison... 8 Whitepapers... 8 Brochures and Factsheets... 9 POC... 9 Glossary

3 OBSERVEIT TECHNICAL INFROMATION FOR SALES TEAM Core Message: ObserveIT captures a detailed textual log and visual recording of every user action in areas where a company feels it useful to track user activities. Reporting is generated in plain English and the details include the files opened, windows viewed and specific UI activity, which are then tied to precise video that delivers forensic evidence. How the agent works for Windows (Desktop/Workstation/Windows Server/Windows Terminal Server/Citrix Server) The ObserveIT Windows Agent is a software component that is installed on any Windows-based operating system (server or desktop) that you wish to record. The Windows Agent is a user-mode executable that binds to every user session. As soon as a user logs in to a monitored server, the Agent is started and begins recording (based on a pre-determined recording policy). When there is no active user session, the Agent is dormant and consumes no memory/cpu resources. Once a user session is opened (user logs on), the Agent is triggered by user activities such as keyboard and mouse events. When triggered, the Agent performs a screen capture, and at the same time it captures textual metadata of what is seen on the screen (window title, executable name, file name, date, time, user name, etc.) The screen capture and textual descriptive metadata are packaged up and sent to the ObserveIT Management Server for processing and storage. Overhead for Windows Agent (Desktop/workstation/Windows Server/Windows Terminal Server/Citrix Server) The ObserveIT Agent is a user-mode process, which only runs when a user session is active. When active, the average utilization is 10MB of RAM. The typical CPU utilization is 1%-2%, only at the moment of data capture. During idle time, CPU utilization is negligible. These values are per session, and should be multiplied for concurrent sessions (for example, on a Citrix Server or Terminal Server). Each captured screenshot is between 5-50 KB (depending on the screen resolution and number of changes since the previous screen). The Agent is configured to record in grayscale by default, but can also capture in full color if required. 2

4 How the agent works for Unix/Linux When a user creates a session on a server, the Agent is started and begins recording, based upon a pre-determined recording policy, which is being downloaded from the Application Server. The ObserveIT Unix/Linux Agent is triggered by Command Line Interface (CLI) events. When a user is inactive, the Agent is not recording. When triggered, the Agent captures commands and their output. It also captures selected system calls metadata (Like OPEN/CHOWN/UNLINK and other file operations system calls). The Agent is active only when CLI activity is detected. Even if the Agent is active, no data is captured if the user is not performing any CLI activities. The UNIX / Linux Agent is a user-mode application that is bound to the secure shell, which means that if a user stops the Agent, the entire user session is killed. Overhead for Linux Agent The ObserveIT Agent is a user-mode process, which runs only when a user session is active. Unlike services, the ObserveIT Agent consumes resources only when a user is logged on to the monitored server(s). The Agent uses an average of 3-7 MB of RAM, about 0% CPU utilization when idle and less than 1% CPU utilization in average when recording. Use Cases 1. Better Third-Party Vendor Monitoring Control of third-party vendor relationships is improved by: Vendor SLA monitoring ensure that vendors are meeting their obligations by reviewing who worked on your servers and when. Vendor billing verification it is simple to see (and prove) exactly how vendors spent their time working on company servers. Policy acknowledgement upon login every vendor employee must accept the access policy at every login. 2. Lower Regulatory Compliance Costs Once ObserveIT is deployed, many compliance-related costs are instantly eliminated, because: It is no longer necessary to invest in the extensive labor required to continuously maintain and update endless controls and log correlations using a log management or SIEM system ObserveIT s session recording directly demonstrates what every user did without the need for complex correlations. A built-in privileged identify management solution identifies individual users accessing shared accounts, eliminating the need for time-consuming and expensive password vaults. Audits can be completed in a fraction of the time since all on-screen actions are recorded (in video) and logged (in keyword-rich text), answers to any audit question are authoritative and instantly available. 3. More Efficient IT Processes A primary benefit of implementing ObserveIT is the improvement in many IT processes, such as: Faster IT troubleshooting and event forensics recordings of human actions provide immediate and unequivocal root cause analysis of human error or intentional sabotage. More efficient ticketing system usage users can be required to enter a valid ticket number when logging in to ensure purposeful access and to automatically attach screen recording logs to the actual ticket. 3

5 Better configuration change management session recording delivers faster, easier and more accurate documentation of all changes made to server and software configurations. 4. More Effective SIEM ObserveIT makes any SIEM system more effective, by adding: A fast and easy way to clarify unclear logs screen video recordings of user sessions, accessible with a mouse-click from inside the SIEM. A new type of user activity log text-based log of every on-screen action performed by users. 5. Superior Data Breach Detection ObserveIT helps detect leaks of sensitive and regulated information, because: Custom real-time alerts based on user, application, resource and/or keyword ensure early warning of both human error and malicious actions. Comprehensive monitoring ensures that even blind spots missed by other systems are covered. Possible identity theft alerts are generated when a login from a previously-unused device occurs. All users must explicitly agree to have their sessions recorded at each login, thus dramatically reducing instances of unsanctioned activity. Users can be prevented from logging in to a server without entering a valid ticket number (from an external ticketing system), to ensure that every login is connected with a specific purpose. Architecture The ObserveIT solution is comprised of three components (can be virtual or physical). 1. The Agent: The only component that must be installed on each server/workstation that is being monitored. The ObserveIT Agent captures data any time that keyboard or mouse activity is detected. For each user action, it captures a screen snapshot and metadata. The metadata is information that is extracted by the Agent about the state of the operating system and the application program being used. In this way, ObserveIT can identify precisely what the user is doing. This information is analyzed, encoded in a standardized format, and stored and indexed in the Database Server. 2. The Management Console: An ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS) and is a virtual directory under the ObserveIT website. It is the primary interface for ObserveIT users to access ObserveIT data, and to configure and administer ObserveIT. All configuration information is stored in the ObserveIT Database Server. 3. The Application Server: An ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS). It accepts the data posted by the Agent, processes it, and sends it to the ObserveIT Database Server to be stored and indexed. In addition, the Application Server periodically provides configuration information to the Agents. The agent does NOT communicate directly with the SQL server. 4. The Database Server (SQL server): The database stores all configuration data and all of the metadata captured by ObserveIT Agents as well as all screenshots captured by ObserveIT Agents. Both the Application Server and Web Management Console establish a standard database connection to the SQL Server (TCP port 1433). 4

6 On Windows devices, any user activity, like a mouse-click or keystroke generates a screen capture along with metadata. On Linux/Unix servers, any SSH, Telnet, or PuTTY session will generate a screen capture and metadata. That information is then pushed to the application server where it is encrypted, packaged and bundled and then stored on the SQL server. The flow of activity and communication between the components 1. Each monitored desktop or server runs the ObserveIT Agent. 2. The Agent captures information about user activity, secures it, and sends it to the Application Server. 3. Application Server analyzes the data and stores it in the Database server. 4. The Web Management Console s web-based interface searches for and reports on captured user activity. Deployment 1. Standard Agent-based deployment (Servers and Desktops): The standard method of deployment involves deploying the ObserveIT Agent on each machine to be monitored. An Agent is installed on each machine that is being monitored, which captures activity on the machine and feeds the video / log data to the management server. 2. Gateway Deployment: In this scenario, the ObserveIT Agent is only deployed on a gateway machine. Users are routed via this gateway, and thus ObserveIT still records all user sessions in which the user connects to another target machine via RDP, SSH or other protocol. a. Limitations: ObserveIT does not record any user session in which a user logs on directly to the target machine (via local console login, or via a direct RDP/SSH/etc. window that isn t routed via a gateway.) Also, the amount of textual metadata captured is less than for the full Agent deployment, due to the fact that the ObserveIT Agent on the gateway does not have access to OS specific information on the target machine (for example, it cannot see the name of a file opened within an RDP window). 3. Hybrid Deployment: Agent-based + Gateway : ObserveIT allows you to deploy any combination of these architectures simultaneously. A gateway can be used for full network coverage, providing an audit of all activities for the majority of users who are routed via the gateway. Then, Agents can also be deployed on specific sensitive servers that require a more detailed audit, including any logins performed by highly-privileged users who have direct access to the machine. Agent Versus Agentless Deployment There are two ways to deploy the ObserveIT solution. 1. Agent based: Here we would install an agent on the target device (workstation, desktop, Window Server (without terminal services), Linux server, Unix server). a. For a workstation, desktop, or Windows Server (without terminal services), any action on that device would be recorded and monitored including all meta-data. Also, any connection to that monitored device would also be monitored and recorded. b. For Linux and Unix servers we record all SSH, Telnet, and PuTTY sessions. We do not record the GUI (graphical User Interface) 2. Agentless: Here we would install an agent on a gateway server (Windows Terminal server or Citrix Server). a. Any user that connects to the gateway server and then connects to other servers, workstations, or desktops would be recorded and monitored. 5

7 b. All users would be recorded, not matter what their target server is. However, if they connect directly to that target server (and there isn t an agent on it) then their actions would not be recorded c. Some of the metadata is lost because ObserveIT can only see that, for example, a remote connection is occurring but can t ask the operating system what the underlying processes are. Security 1. Windows Agent: The Windows Agent is protected by a multi-layered Watchdog mechanism. The Agent itself consists of two separate processes that act as a watchdog for each other; each will restart the other process if ended. In addition, a local service watches both processes to restart them if they are somehow stopped simultaneously. 2. Unix/Linux Agent: The UNIX / Linux Agent hooks to the terminal device and to the user shell. Thus, any attempt to stop / kill the logger will immediately result in killing or hanging the user shell. 3. AppServer-Agent Health Check An additional system health check residing on the Application Server will alert the administrator of any actions involving improper modification or stopping of Agent processes or services. This includes stopping of any Agent process/service, file modification and registry modification. 4. Data Security (in Storage) Data that is stored in MS SQL Server automatically inherits any data protection mechanisms already in place for the corporate database. In addition, if the data integrity of the ObserveIT database storage is violated (for example, if a dba succeeds in deleting an incriminating screenshot from within the entire collection), ObserveIT will provide a warning indicator within the Web Console. 5. Communication between ObserveIT Components Communication between ObserveIT components is handled over HTTP protocol. SSL is fully supported (optional feature) in order to encrypt all communication between the different components. If required, an IPSec tunnel can also be used to protect the Agent to Server traffic. Competitive Analysis Cyber-Ark Cyber-Ark is a great product. If you are using Cyber-Ark session recording than I am sure you see the value of having a playback of what a privilege user is doing. ObserveIT is not directly competing with Cyber-Ark, actually we can augment Cyber-Ark with enhanced session recording beyond what Cyber-Ark provides. In a nutshell, there are three main differences between Cyber-Ark and ObserveIT 1) Cyber-Ark: User recordings are generated for each user session that is initiated via their password vault, but does not audit users that bypass the vault such as named users ( Bob, Dave ect..) who connect to the server directly. ObserveIT: Captures every user session, whether it is shared-user accounts ( admin, su ) or named-user accounts ( alice, bob ). 2) Cyber-Ark: Only captures sessions that are routed via their gateway device. ObserveIT: Captures every session, including: a) via a gateway; b) remote login not routed through gateway; and c) direct login to the console e) Physical Desktops, VDI, Citrix and more 3) Cyber-Ark: Captures only video and require full video playback. ObserveIT provides video content analysis that allow you to search across the session recording database for any particular incident such as a file deleted or a change in an excel filed ect.. 6

8 Competitive Analysis Spector 360 The primary purpose of Spector 360 is to track employee efficiency and internet usage. These capabilities exist in Spector360 specifically because the product is simply an extension of the company s flagship home-pc monitoring and child-safety software. If a formal security audit is needed with enterprise-level features, enterprise-level architecture, and a focus on compliance and security, ObserveIT answers these needs because this is its core focus. 1. ObserveIT reporting tools are focused on meeting corporate compliance and answering corporate security concerns. Spector 360 reporting focuses on finding which employees are playing Solitaire. Spector 360: Primary features and core product purpose centers around knowing how much time employees are playing games, chatting on IM or on non-business websites. 2. ObserveIT captures detailed metadata about each session (resources affected, windows and dialog boxes viewed, URL parsing, processes spawned, etc.) Spector 360: Captures only simple data within each session, such as name of application Why this matters: Most security breaches occur by highly trained users that know how to disguise improper activity within script files, batch processes etc. 3. ObserveIT allows you to search across all users and all desktops/servers Spector 360: Only gives an enterprise-wide view via roll-up dashboards. No true searching for metadata across all user sessions. 4. Spector 360 does not support any UNIX or Linux platforms ObserveIT: Wide platform support for Windows (servers and desktops), UNIX, Linux and VDI/Published applications 5. ObserveIT has enterprise-ready resource optimization to capture relevant user activity but skip idle time Spector 360: Captures video screenshots at a timed interval, without taking into consideration idle time 6. Spector 360 provides no user identification for shared-account users. Any generic login id (ex: administrator, su ) will remain anonymous ObserveIT: Ties every shared-account user session to a specific named user 7. ObserveIT can easily integrate with Alerting, Network Monitoring, SIEM and Log Management platforms Spector 360: Standalone audit data management SIEM and Log Management Integration Splunk IBM Security QRadar SIEM CA User Activity Reporting Module (UARM) HP ArcSight RSA envision LogLogic LogRhythm (sorry no link to integration) Ticketing System Integration SeviceNow (available now, out of the box) ServiceDesk Remedy Track-It! 7

9 HEAT Kayako Important Links for s 5 minute video demonstration: Architecture: Datasheet: ObserveIT brochure: SIEM Integration: Ticketing Integration: Service Now Integration: DBA activity audit: Threat Detection console: Advanced Corporate Keylogger: Customizable recording policies: Privileged User Identification: Where to download the Enterprise Edition: Competitive Comparison ObserveIT Competitive Comparison Balabit ObserveIT Competitive Comparison Centrify Direct Audit ObserveIT Competitive Comparison Citrix SmartAuditor ObserveIT Competitive Comparison CyberArk ObserveIT Competitive Comparison Exceedium ObserveIT Competitive Comparison RSA NetWitness ObserveIT Competitive Comparison SpectorSoft ObserveIT Competitive Comparison TSFactory Whitepapers The Cure for Cloudphobia Compliance - PCI Coverage ObserveIT Datasheet-Technology Overview Remote Vendor Monitoring with ObserveIT Top 5 Reasons to Implement ObserveIT in your Organization Now Employee Privacy PCI and Remote Vendors PCI When Logs Don t Help Anton Chuvakin Recording Remote Access Log Blind Spots Number 1 Cause of Downtime ObserveIT for Indian Gaming IT Controls 8

10 Outgoing VDI Brochures and Factsheets Costs and Fines Associated with Major Audits General OIT Brochure Infographic ObserveIT - The Cure Cloudphobia - Cloud Providers POC ObserveIT POC Technical Requirements ObserveIT POC use cases list and validation table Glossary Server Host Terminal server Gateway server Jump server Application server Management server VDI VM Database Citrix Server ZenApp ZenDesktop What type of agent for specific use case/server/workstation Compatabilities, how it works with things like zen app and citrix 9