HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS

Transcription

1 HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS In January 2013, the Department of Telecommunications of the Government of India s Ministry of Communications & IT contacted all telecom service providers in India with a set of security and auditing requirements for remote access systems. This document presents a high-level look at how ObserveIT s server session recording solution addresses a number of these key auditing requirements. WHAT IS USER ACTIVITY MONITORING? ObserveIT s User Activity Monitoring system generates video recordings of every user session, providing unparalleled insight into what is being done on company servers. Whereas standard logs collect data on server and network activity, session recordings and logs focus on the user activity within the operating system and every application (commercial, bespoke, legacy and cloud). This granular, user-focused monitoring capability offers a detailed and invaluable tool with which to understand what administrators and remote vendors are doing on monitored servers. However, ObserveIT goes far beyond simply recording the on-screen activity to video: the software transcribes every session into an easyto-read user activity log so that watching the video isn t necessary to know what the user did. Clicking on any particular event in the log launches the video playback from that exact moment. This activity analysis is also used to generate real-time user activity alerts and reporting. Integration with other systems including log analysis, security information and event monitoring (SIEM), access control and IT ticketing systems further leverages the value of the session recordings and text logs by making them readily available when and where they are needed. Learn more about ObserveIT at OBSERVEIT HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS 1

2 The Top 3 Ways ObserveIT Addresses DoT Remote Access Requirements 1 REMOTE ACCESS LOGGING AND AUDITING The DoT requirements: Complete audit trail of remote access activities pertaining to the network operated in India, maintained for six months Remote access storage server in India storing remote access command logs locally in the storage server for the purpose of audit All remote access requests/commands given from foreign locations on India network elements captured and stored directly on the Indian remote access storage server 2 The ObserveIT Solution ObserveIT generates both screen recordings and plain-english user activity logs of all actions performed by all users on all Windows and Unix/Linux servers via all connectivity methods (RDP, Citrix, Telnet, SSH, etc.) in all applications and system areas, with no gaps! Auditors can review reports presenting every login, command executed, application run, window opened, URL accessed and so forth. Auditors can jump directly to screen recordings of remote access activities by server, by user, by application or by keyword search. Auditors can define granular user activity alerts to ObserveIT activity logs can be integrated into log management, SIEM and access control systems for activity analytics within those systems. OBSERVEIT HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS 2

3 2 KEYWORD SEARCH OF THE AUDIT TRAIL The DoT requirements: Capability to search for specific commands or keywords from the available audit trail The ObserveIT Solution ObserveIT provides keyword search within user activity logs, where search results are linked directly to the specific portion of the screen recordings. The keyword search capability provides for highly granular location of specific activities, by searching for: o System commands executed o Names of system settings changed o Names of applications run o Titles of windows opened o URLs visited in a Web browser o o Keystrokes typed Text entries made (even by partial typing, editing, keyboard shortcuts, auto-complete, paste from Clipboard, etc.) ObserveIT generates both screen recordings and plain-english user activity logs of all actions performed by all users on all Windows and Unix/Linux servers via all connectivity methods (RDP, Citrix, Telnet, SSH, etc.) in all applications and system areas, with no gaps! Sspecific commands and keywords can also be used to generate real-time alerts so that auditors can quickly review any suspicious user actions that occurred during any given time frame. Alert details are overlaid in the session player, at the moment in the video that the alert was generated. OBSERVEIT HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS 3

4 3 MIRROR IMAGE AND HIGH AVAILABILITY The DoT requirements: Mirror image of the remote access information is available on line for monitoring purposes The uptime of the remote access storage server should not be less than 99.99% The ObserveIT Solution The ObserveIT solution is built with Microsoft technologies, making it straightforward to implement all available Microsoft-provided infrastructure solutions. Thus, high availability, fault tolerance and online mirrors of the ObserveIT server are readily available using standard Microsoft infrastructure solutions. ADDITIONAL OBSERVEIT BENEFITS Beyond the core logging and auditing capabilities described above, ObserveIT provides the following additional features which enhance remote access security, control and auditing. Unique User Identification over Shared Accounts ObserveIT includes a secondary identification feature that uniquely identifies each actual user, even when using shared accounts (e.g., Administrator, root). After logging in to a server using a shared account, the user is required to enter his own personal credentials which are then logged together with the shared account access. Logon Banner Acknowlegment ObserveIT includes a logon banner feature that requires the user to click an acknowledgment of the organization s policies in order to access a server. The user s action of acknowledging the banner is visually recorded by the system. Integration with SIEM, IT Ticketing and Access Control Systems Enhance log management and Security Information and Event Management (SIEM) systems (such as Splunk, HP ArcSight and RSA envision) by incorporating gap-less activity logs, covering every application (commercial, bespoke, legacy, cloud) and operating system area. Users can be required to enter a valid ticket number from an external IT ticketing system such as ServiceNow, ensuring that every login is connected with a specific purpose. Tight integration with access control platforms (such as CA Access Control) makes it much easier to determine, audit and refine access permissions for each role/user. OBSERVEIT HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS 4

5 ZERO-GAP MONITORING, ANALYSIS, ALERTING AND INTERVENTION ObserveIT monitors, records and analyzes all user activity in every application, webpage and window, over any connection method (Remote Desktop, Terminal Services, GoToMyPC, LogMeIn, PC Anywhere, local login, etc.). ObserveIT also records Windows sessions running as Citrix published applications, in Citrix virtual desktops and VMware environments, as well as stand-alone Windows, Unix/Linux desktops and servers. Addressing a major security gap in most organizations, ObserveIT generates user activity logs and screen recordings for commercial, legacy, bespoke and cloud apps, including those with no internal logging facilities of their own. Administrators can watch live sessions and can even lock a session and user account from within ObserveIT if they wish to immediately stop a suspicious activity. This is particularly useful in the event that the system generates a real-time alert: the administrator receiving the alert can view all activity occurring in the live session screen, rewind to see the actions that led up the alert and take immediate action to halt the session. Additionally, the recordings and resulting user activity logs are valuable for root cause analysis, ad hoc IT forensics and regulatory compliance audit reporting. Reports can be customized to specific business needs and can be scheduled or run on demand. LOW RESOURCE REQUIREMENTS ObserveIT utilizes ultra-efficient data storage, requiring less than 250GB/year for a high-usage, 1000-server environment. The local agents have a minimal footprint of 1%-2% CPU utilization, 10 MB RAM during session and 0% CPU when users are inactive. OBSERVEIT HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS 5

6 OBSERVEIT FEATURE HIGHLIGHTS Screen capture recording plus video activity analysis for searchable, text-based logging of all user activity Real-time alerts provide immediate awareness of suspicious, dangerous and out-of-policy behavior Advanced keylogging enables keyword searching to instantly find any on-screen mouse or keyboard action Records actions in all system areas and all apps zero-gap recording of all commercial, legacy, bespoke and cloud apps plus all system areas Supports all connection methods, including local login, Remote Desktop, Terminal Services, PC Anywhere, Citrix, VMware, VNC, Dameware, etc. SIEM, NMS and IT ticketing system integration for better security and easier investigations including direct links to session replay and user activity logs Privileged User Identification, without requiring password rotation or check-in/check-out Threat detection console detects and pinpoints suspicious activity DBA Activity Audit monitors and audits all SQL queries executed by DBAs against production databases Pre-built and customizable audit reports can be exported to Excel or XML, or scheduled to run automatically for delivery TRUSTED BY CUSTOMERS OBSERVEIT IDENTIFY AND MANAGE USER-BASED RISK Start monitoring in minutes, free: OBSERVEIT HOW OBSERVEIT ADDRESSES KEY INDIA DOT REMOTE ACCESS SECURITY REQUIREMENTS 6