ObserveIT User Activity Monitoring




KuppingerCole Report
EXECUTIVE VIEW
by Martin Kuppinger (mk@kuppingercole.com), April 2015

ObserveIT provides a comprehensive solution for monitoring user activity across the enterprise. The product operates primarily based on agents that can be deployed across a variety of platforms. It provides detailed user behavior analysis and live session response.

Content
1 Introduction ... 2
2 Product Description ... 4
3 Strengths and Challenges ... 5
4 Copyright ... 6

Related Research
#70,960 Leadership Compass Privilege Management
#70,736 Advisory Note Privilege Management

1 Introduction

Privilege Management deals with the most powerful IT users within your organization: your administrators and super users. Administrators in your Windows environments, the admin users of your virtualization platform, your SAP super users or the DBAs of your database systems - to name only a few possible administrator types - are highly privileged users. The protection and monitoring of these accounts is traditionally weak for a number of reasons, including the fact that privileged accounts are typically not associated with a single person, which means that they are usually shared between several administrators. This is especially true for the master account of UNIX systems, the root account, which is still at the core of most UNIX-based administrative scenarios. In practice there is rarely a user life-cycle management scheme for privileged users in place, and the danger of password leaks when internal admins leave the organization or the contract period of an external admin comes to an end has to be considered high. Without further measures there is no accountability as to which person actually used an administrative account to perform a certain action, nor any evidence at all as to which operations have been performed, which devices have been accessed or which data has been copied, deleted or modified.

Protecting the perimeter of an enterprise or a government agency, e.g. through the use of firewalls, is today a common approach to information security, but more and more organizations are realizing the danger of insider attacks, especially by highly privileged users like administrators. That this is an actual danger to every company or institution has been proven by several well-documented incidents reported in the press recently, the most prominent being Edward Snowden, who was working as an administrator for the US National Security Agency (NSA).
Understanding that actions performed even by a legitimate and trusted internal administrator can be a severe threat to an IT system, and thus impose immediate business risks no matter whether they are performed inadvertently or deliberately, should lead to suitable measures being taken as a key element of an organization's IT security strategy. This includes the definition and implementation of appropriate processes for privileged user management and their enforcement.

The key processes for Privileged User and Access Management include:

- Application onboarding, maintenance and offboarding: This covers the full life cycle of a target system integrated into a Privilege Management solution. This life cycle starts with the initial integration of the system, includes all changes to the system during its lifetime and ends with the removal of the system after its decommissioning.
- Request for access: Administrative access using a privileged account usually requires some technical or business justification. To avoid uncontrolled access to the system, an appropriate access request workflow has to be in place for the individual types of access requests. This includes ad hoc access, e.g. for immediate troubleshooting, scheduled access for planned tasks and regular access for maintenance purposes.

- Approval: Workflows for approving, challenging, or refusing access have to be in place as well. Access might be approved on a scheduled basis at a defined point in time and for a pre-defined duration, or ad hoc for immediate access if required.
- System access: The privileged access management system has to provide the actual access to the integrated system as requested and approved.
- Monitoring, control and audit: Administrative access to critical systems requires appropriate audit measures. This includes monitoring all active administrative sessions, real-time access to individual current administrative sessions for supervisors, both the logging of typed key sequences and visual session recording, and archiving of the collected information. Additionally, automated process monitoring might be in place to detect and intercept undesirable actions within an administrative session.

Mature Privilege Management solutions do not act as point solutions for access to individual critical systems but rather provide a unified Privilege Management platform for many critical systems which is integrated into overall IT Security and Identity and Access Management (IAM) strategies. The information gathered during the deployment of a Privilege Management system and its communication to connected systems might further be used in the analysis of an organization's overall Governance, Risk and Compliance (GRC) systems. To accomplish this, Privilege Management systems have to provide appropriate interfaces and must adhere to the relevant standards (regarding file formats and communication protocols).

The market for Privileged User Management products and Privileged Access Management products (usually referred to as Privilege Management or, in short, PxM, because the categorizations of the products vary between vendors) has developed very late in comparison with other sectors of IT security products.
Nevertheless, as of now a large number of dedicated enterprise IT security vendors provide mature and enterprise-grade Privilege Management tools. The technological approaches of the products offered include: jump-host architectures implementing Privilege Management; transparent gateway and scanning appliances capturing, analyzing and recording network traffic; and security suites implementing Privilege Management architectures by deploying server-side agent components. A comprehensive review of this market sector is available as the KuppingerCole document 70960 Leadership Compass Privilege Management.

Within the Privilege Management market, there is a critical functional area around session monitoring, recording, and user behavior analytics that should ideally include real-time response to sessions in case of policy violations.

2 Product Description

ObserveIT is one of a few specialized vendors that started in the area of Privileged Session Monitoring. Like all players in that particular segment of the Privilege Management market, ObserveIT extended its portfolio gradually to provide a more comprehensive feature set. The company now focuses on User Activity Monitoring for all types of sensitive users, including three major capabilities:

- Monitoring and recording of sessions in visual form, both command line and GUI sessions, and the creation of user activity logs from the recorded data;
- User behavior analytics that detect and alert on abnormal or illegitimate activities of users or hijacked accounts; and
- Live session response, allowing interception and alteration of sessions at runtime based on information collected either with user behavior analytics or through external products such as SIEM (Security Information and Event Management) tools.

Additionally, their focus has extended from solely the traditional coverage of administrators and operators to also supporting use cases of other application users of systems such as SAP, and of external service providers that operate applications.

In the area of session monitoring and recording, or, to use the term ObserveIT introduced, Visual Endpoint Recording, ObserveIT can capture sessions across a variety of systems, supporting all major protocols such as RDP (Remote Desktop Protocol) including the Citrix variant, SSH, Telnet, direct logins to consoles, etc. Because ObserveIT works with an agent-based approach, information can also be collected locally, in contrast to a number of other solutions that are network- or gateway-based. ObserveIT's agent-based approach not only allows monitoring and subsequent session recording, it also creates user activity logs that translate all user actions into log entries. These logs allow meaningful and efficient searches, so customers can quickly jump to the right section in a recording when doing forensics.
ObserveIT delivers a strong implementation in that feature area, allowing for efficient analysis of recorded sessions. These user activity logs include detailed information not available from other sources, including the applications, open windows, accessed URLs, text entry, etc. All that information can be easily searched without even going to the recording. Based on that, a number of reports are available. Information can also be exported in common formats such as Microsoft Excel files or XML documents. The tool provides an integrated report generator, allowing the creation of preconfigured, customized reports.

Based on the wealth of information collected, ObserveIT furthermore provides the ability to run rule-based user activity analytics and generate alerts in case of rule violations. Such rules can be configured to, e.g., identify access to uncommon applications, systems, or other resources; identify the execution of an unusual number of activities; or alert on activities outside the normal work hours. There is a broad variety of criteria available for such analysis.
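As an added illustration of the three rule types just named (this is example code, not ObserveIT's; the log record layout, the thresholds, the approved-application list and every log entry are constructed assumptions), the block below runs them over a small user activity log and, for contrast, adds a simple check derived from historical per-user data, the kind of baseline that pattern-based analytics build on.

```python
"""Rule-based user activity analytics over a user activity log (added example,
not ObserveIT code). Record layout (user, ISO timestamp, application, action),
thresholds and the approved-application list are assumptions; entries are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed user activity log entries: (user, timestamp, application, action)
ACTIVITY_LOG = [
    ("alice", "2015-04-07T09:15:00", "ssh", "login db01"),
    ("alice", "2015-04-07T09:17:00", "mysql", "SELECT COUNT(*) FROM orders"),
    ("alice", "2015-04-07T10:05:00", "explorer", "open \\\\fileserver\\finance"),
    ("alice", "2015-04-07T23:40:00", "explorer", "copy payroll.xlsx to E:\\"),
    ("bob", "2015-04-07T10:02:00", "regedit", "open HKLM\\SYSTEM\\CurrentControlSet"),
    ("carol", "2015-04-08T14:30:00", "mmc", "open services.msc"),
]

# Constructed historical activity used as the per-user baseline
HISTORY = [
    ("alice", "2015-03-30T09:00:00", "ssh", "login db01"),
    ("alice", "2015-03-30T09:05:00", "mysql", "SHOW TABLES"),
    ("bob", "2015-03-31T11:00:00", "regedit", "open HKLM\\SOFTWARE"),
    ("bob", "2015-03-31T11:10:00", "mmc", "open eventvwr.msc"),
    ("carol", "2015-04-01T15:00:00", "mmc", "open services.msc"),
]

WORK_HOURS = (8, 19)      # assumed normal window: 08:00 to 18:59
MAX_ACTIONS_PER_DAY = 3   # assumed threshold for "unusual number of activities"
APPROVED_APPS = {"ssh", "mysql", "explorer", "mmc"}  # assumed approved applications


def rule_alerts(log):
    """Apply the three rule types from the report; return (user, rule, detail) alerts."""
    alerts = []
    actions_per_user_day = Counter()
    for user, ts, app, action in log:
        when = datetime.fromisoformat(ts)
        # Rule 1: activity outside normal work hours
        if not WORK_HOURS[0] <= when.hour < WORK_HOURS[1]:
            alerts.append((user, "outside_work_hours", f"{app}: {action} at {ts}"))
        # Rule 2: access to an application not on the approved list
        if app not in APPROVED_APPS:
            alerts.append((user, "uncommon_application", app))
        actions_per_user_day[(user, when.date())] += 1
    # Rule 3: unusual number of activities, counted per user and day
    for (user, day), n in actions_per_user_day.items():
        if n > MAX_ACTIONS_PER_DAY:
            alerts.append((user, "unusual_activity_volume", f"{n} actions on {day}"))
    return alerts


def baseline_alerts(history, log):
    """Contrast: a baseline check derived from historical data. Flags applications a
    user has never used before, which a static approved-application rule cannot catch
    (an approved app may still be new for this particular user)."""
    seen = defaultdict(set)
    for user, _, app, _ in history:
        seen[user].add(app)
    return sorted({(user, app) for user, _, app, _ in log if app not in seen[user]})


if __name__ == "__main__":
    for alert in rule_alerts(ACTIVITY_LOG) + baseline_alerts(HISTORY, ACTIVITY_LOG):
        print(alert)
```

In the constructed data the static rules flag alice's late-night copy, bob's registry editor use and alice's activity volume, while only the baseline check notices that "explorer", although approved, is new for alice.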

Furthermore, information can be exported to other solutions such as SIEM tools or the upcoming Real Time Security Intelligence (RTSI) products, which extend SIEM by adding big data analytics and other capabilities. As of now, ObserveIT does not support predictive, pattern-based analytics, but is limited to rule-based analytics. Pattern-based approaches to analytics, based on historical data, can autonomously identify unusual patterns and anomalies instead of requiring large sets of rules for that purpose. While advanced RTSI solutions might do that analysis and provide results back, adding such analytical capabilities would add value to the ObserveIT product.

Based on the rules, alerts can be created at runtime, notifying defined individuals about rule violations so that they can take action. These actions include access to the video recordings of sessions, but also access to the detailed user activity log. Based on the integration with 3rd-party SIEM solutions or its own rule set, ObserveIT allows real-time drill-down into sessions, instant communication with the user, and shutdown of sessions if required.

Agents collect the information and forward it to the ObserveIT Application Server, which uses a database server in the backend. Analytics run at the application server component, which also integrates with Microsoft Active Directory and network management solutions, while Business Intelligence and SIEM solutions can directly interface with the database server. This architecture is quite simple.

ObserveIT has a well-defined partner program for various groups of partners, including alliance and technology partners for technical integration, resellers and distributors, and managed service and consulting partners.

3 Strengths and Challenges

ObserveIT provides a robust solution for Privileged Session Management and subsequent session analysis.
The agent-based approach chosen by ObserveIT also allows collecting a variety of data on local systems, supporting the wealth of context information collected by ObserveIT in addition to the video recordings, and also allowing monitoring of local sessions. However, this requires deployment of local agents, which might be a hurdle in some scenarios. ObserveIT also has strong support for virtualized and shared desktop environments (Citrix, VDI, etc.).

Overall, ObserveIT is a strong contender in the Privilege Management market as well as the growing User Activity Monitoring market segment. The major challenge from our perspective is the lack of support for advanced pattern-based analytics. Aside from that, all major features we expect to see in that market segment are provided, making ObserveIT one of the solutions customers should evaluate when looking at these markets. Furthermore, ObserveIT can build on a strong, global partner ecosystem and provides support for a variety of platforms and systems, with many technology alliances providing out-of-the-box integration.

Strengths
- Robust and versatile solution for Privileged Session Management
- Strong session recording features including comprehensive context information
- Strong reporting capabilities based on user activity log information associated with videos
- Broad number of partners in all areas with global coverage
- Strong integration with backend systems such as SIEM solutions
- Real-time analytics of sessions, alerting and interception capabilities
- Broad platform support across the enterprise (desktop, server, Citrix, jump server, etc.)

Challenges
- No support for advanced pattern-based analytics of user behavior
- Agent deployment required; however, agents deliver strong functionality in session analysis
- Large-scale deployments might become challenging due to the centralized backend server architecture

4 Copyright

Copyright 2015 Kuppinger Cole Ltd. All rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks or registered trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

The Future of Information Security - Today

KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand, vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a leading Europe-based analyst company for identity-focused information security, both in classical and in cloud environments. KuppingerCole stands for expertise, thought leadership, and a vendor-neutral view on these information security market segments, covering all relevant aspects like Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), IT Risk Management, Authentication and Authorization, Single Sign-On, Federation, User-Centric Identity Management, eID cards, Cloud Security and Management, and Virtualization.

For further information, please contact clients@kuppingercole.com

Kuppinger Cole Ltd.
Sonnenberger Strasse 16
65193 Wiesbaden
Germany
Phone +49 (211) 23 70 77 0
Fax +49 (211) 23 70 77 11
www.kuppingercole.com