OBSERVEIT 6.0 WHAT'S NEW

ObserveIT 6.0 extends ObserveIT's industry-leading session recording solution into a complete Insider Threat Platform that detects and mitigates the risk of insider threats across all users in an organization: privileged users, third-party vendors and business users.

6.0 introduces the following major new capabilities:

- User Risk Scoring & Dashboard: know which users are putting your business at risk and why
- Field-Level Application Monitoring: distinguish abusive behavior from normal user activity
- Alert Workflow and Reporting: streamline the way you investigate and report on ObserveIT activity alerts

Additional new features include:

- New UNIX/Linux detection capabilities
- Improved search performance
- Security automation and scale management
- New supported platforms

USER RISK SCORING & DASHBOARD

ObserveIT 6.0 includes a new user risk dashboard to quickly identify and investigate risky users across your enterprise. At a glance, you can see a user risk summary, a breakdown of risky users, new users at risk, top risky applications and activity alerts. The user risk dashboard highlights new users becoming risky and changes in their behavior based on risk score, recent score changes, applications being used and alerts that were triggered.

The list of users at risk presents all the information needed to prioritize which users to investigate first, including:

- General information about the user such as title, department and personal photo
- Risk score, color coded by risk level
- Contribution of each application and alert rule to the user's total risk score
- A timeline that shows at a glance when the risky activity occurred

To investigate risky user behavior and discover intent, select a user for a snapshot of all their recent risky activity, with the ability to adjust alert list filters to broaden or narrow your view. To isolate specific user activity associated with a risky application or alert, click on the event for a contextual drill-down to the full alert list with all related session recordings and alert details of who did what, on which computer, from which client, and when.

(Figure: User Risk Dashboard)

The new scoring engine provides a risk score per user that is used by the dashboard to identify and prioritize risky users.

- A user's score is an intelligent aggregation of that user's activity alerts during the last month
- Build your own alert rules, or use built-in canned alert rules to detect risky user activity across your applications, systems and users
- Customize score thresholds per risk level for both alert rules and users to control risk sensitivity for various groups and assets
- The daily risk score tracks a user's risk day by day, allowing you to easily identify score changes and act first on users whose risk level has recently changed
FIELD-LEVEL APPLICATION MONITORING

ObserveIT 6.0 allows you to understand risk at the application field level and detect abnormal usage. ObserveIT's new field-level monitoring allows you to mark specific fields within desktop or web-based applications and track how users interact with them for security, compliance, and internal policy enforcement. These marked fields are available in generated reports, alerts, and ad-hoc searches, enabling security teams to detect a wide range of insider threats. Field values are also tracked, allowing you to get detailed alerts and reports on the entry and alteration of data in sensitive application fields.

Marking fields is easy with the ObserveIT Marking Tool: simply point and click the fields in the application UI.

(Figure: ObserveIT Marking Tool)
ALERT WORKFLOW & REPORTING

When reviewing alerts, you can now set a status for each alert indicating whether it is being reviewed, identified as an issue, or dismissed as a non-issue.

- For non-issue alerts, the risk score of the affected user is recalculated automatically to reflect the reduced user risk
- Alert reports by status let you produce management reports reflecting the status and progress of your security and compliance review process
- New alert reporting allows you to summarize alerts by rule, user, computer, alert status, etc.
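The scoring model described under USER RISK SCORING & DASHBOARD and the recalculation on dismissal described above, as an added worked example. This is illustrative code written for this page, not ObserveIT's scoring engine: the document only says that a user's score aggregates that user's alerts from the last month, that thresholds per risk level are configurable for rules and users, that the score is tracked day by day, and that dismissing an alert as a non-issue lowers the score. The additive aggregation, the per-rule point values, the 30-day window, the level thresholds and the alert history are all assumptions chosen to show that behaviour.

```python
"""Illustrative user risk scoring over activity alerts (added example, not ObserveIT code)."""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Tuple

WINDOW_DAYS = 30                                      # "last month", assumed to mean 30 days
RULE_POINTS = {                                       # assumed per-rule risk points
    "sudo-boundary-escape": 40,
    "unapproved-setuid": 25,
    "marked-field-altered": 30,
    "after-hours-login": 10,
}
USER_LEVELS = [("high", 60), ("medium", 30), ("low", 1)]   # assumed user thresholds, descending


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    day: date
    status: str = "new"      # new | reviewing | issue | non-issue


def counts(a: Alert, as_of: date) -> bool:
    """An alert contributes if it falls inside the window and was not dismissed as a non-issue."""
    age = (as_of - a.day).days
    return a.status != "non-issue" and 0 <= age < WINDOW_DAYS


def user_score(alerts: List[Alert], user: str, as_of: date) -> int:
    """Additive aggregation of the user's counted alerts as of a given day (assumed model)."""
    return sum(RULE_POINTS.get(a.rule, 0) for a in alerts if a.user == user and counts(a, as_of))


def contribution_by_rule(alerts: List[Alert], user: str, as_of: date) -> Dict[str, int]:
    """Per-rule breakdown, the 'contribution of each alert rule' a dashboard would show."""
    out: Dict[str, int] = {}
    for a in alerts:
        if a.user == user and counts(a, as_of):
            out[a.rule] = out.get(a.rule, 0) + RULE_POINTS.get(a.rule, 0)
    return out


def risk_level(score: int) -> str:
    """Map a score to the first level whose threshold it reaches."""
    for name, floor in USER_LEVELS:
        if score >= floor:
            return name
    return "none"


def daily_scores(alerts: List[Alert], user: str, end: date, days: int) -> List[Tuple[date, int]]:
    """Score as it stood on each of the last `days` days up to and including `end`."""
    return [(d, user_score(alerts, user, d))
            for d in (end - timedelta(days=k) for k in range(days - 1, -1, -1))]


def dismiss(alerts: List[Alert], user: str, rule: str) -> List[Alert]:
    """Mark a user's alerts for one rule as non-issue; returns a new list, input untouched."""
    return [replace(a, status="non-issue") if a.user == user and a.rule == rule else a
            for a in alerts]


# Constructed alert history (not real data); AS_OF is the day the dashboard is viewed.
AS_OF = date(2015, 7, 31)
SAMPLE_ALERTS = [
    Alert("jdoe", "after-hours-login", date(2015, 7, 1)),     # 30 days old on AS_OF: outside the window
    Alert("jdoe", "after-hours-login", date(2015, 7, 10)),
    Alert("jdoe", "unapproved-setuid", date(2015, 7, 28)),
    Alert("jdoe", "sudo-boundary-escape", date(2015, 7, 30)),
    Alert("asmith", "marked-field-altered", date(2015, 7, 29)),
]

if __name__ == "__main__":
    for user in ("jdoe", "asmith"):
        s = user_score(SAMPLE_ALERTS, user, AS_OF)
        print(user, s, risk_level(s), contribution_by_rule(SAMPLE_ALERTS, user, AS_OF))
    print("jdoe, last 5 days:", [s for _, s in daily_scores(SAMPLE_ALERTS, "jdoe", AS_OF, 5)])
    reviewed = dismiss(SAMPLE_ALERTS, "jdoe", "unapproved-setuid")
    after = user_score(reviewed, "jdoe", AS_OF)
    print("jdoe after dismissing the setuid alert:", after, risk_level(after))
```

Two details are worth noting in this model. The window is evaluated against the day the score is viewed, so the daily series for jdoe rises as alerts arrive and then drops on 31 July when the 1 July alert ages out, which is the kind of day-to-day change the dashboard is meant to surface. Dismissal is a status change rather than a deletion: the alert stays in the history for reporting by status, but stops contributing, so the score falls from "high" to "medium" without rewriting the audit trail.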
ADDITIONAL FEATURES

UNIX/LINUX DETECTION CAPABILITIES

ObserveIT 6.0 exposes a wider command context to the alert rule definition, allowing you to alert on the following security risks:

- Opening a root shell from untrusted login programs, i.e. anything other than SSH/Telnet, rlogin, direct console login, etc.
- Running an unapproved setuid program
- Breaking out of sudo command boundaries, e.g. running rm or cp commands from sudo vi
- Non-interactive shells opened from specific applications, e.g. a web server opening a reverse shell that is controlled by a remote terminal
- Record and detect risky activity in non-interactive shells launched by cron or at commands
- Enhanced set of canned alert rules to be used as is or adjusted for your specific needs

Unix/Linux alerts are fully integrated into the new user scoring engine. The alerts are presented in the user risk dashboard alongside all other events, providing a comprehensive and holistic view of the total risk posed by users in the organization regardless of the platform being used.

IMPROVED SEARCH: FASTER, FOCUSED, AND HIGHLY USABLE

As part of any investigation process, it is crucial to be able to quickly locate forensic data. ObserveIT 6.0 dramatically boosts search performance, allowing you to narrow your search, get results faster, and explore search results quickly. Search functionality has been significantly upgraded so you can find exactly what you need, much faster:

- Narrow the search by specific user activity log attributes, such as searching in key-logging data only, only customer email addresses being viewed (e.g. in case of a suspected data breach), visited URLs only, SQL statements only, Unix/Linux commands only, etc.
- Reduce the scope of searched sessions by filtering on specific users or servers (e.g. search on PCI servers only, or only on Call Center terminals)
- Improved search results show the specific user activity log elements found (whether URL, window title, in-app data element, SQL statement, etc.) and highlight the matched keyword
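The UNIX/LINUX DETECTION CAPABILITIES listed above all come down to reasoning about process ancestry: who started the session, which program sudo actually authorised, whether a shell has a controlling terminal, and who its parent is. The following is an added example written for this page, not ObserveIT's rule engine (the document does not publish its rule syntax or event schema): it runs five detectors over a constructed process tree. The program sets (trusted login programs, approved setuid binaries, web servers, schedulers) stand in for site policy and are assumptions, as is the sample tree itself.

```python
"""Illustrative detectors for the Unix/Linux risks above (added example, not ObserveIT code)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}
TRUSTED_LOGIN = {"sshd", "telnetd", "rlogind", "login"}   # assumed: SSH, Telnet, rlogin, console login
WEB_SERVERS = {"httpd", "apache2", "nginx"}                # assumed
SCHEDULERS = {"cron", "crond", "atd"}
APPROVED_SETUID = {"sudo", "su", "passwd"}                 # assumed site allow-list


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str             # program name
    euid: int             # effective uid the program runs with
    tty: str = ""         # controlling terminal, "" when there is none
    setuid: bool = False  # executable carries the setuid bit


def ancestors(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """Parent chain of pid, nearest ancestor first; stops at unknown pids or loops."""
    chain, seen = [], set()
    cur = procs[pid].ppid
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(procs[cur])
        cur = procs[cur].ppid
    return chain


def detect(procs: Dict[int, Proc]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for every process matching one of the five risks."""
    findings = []
    for p in procs.values():
        chain = ancestors(procs, p.pid)
        parent = chain[0] if chain else None
        is_shell = p.comm in SHELLS

        # 1. Interactive root shell whose session was not opened by a trusted login program.
        if is_shell and p.euid == 0 and p.tty and not any(a.comm in TRUSTED_LOGIN for a in chain):
            findings.append((p.pid, "root shell from untrusted login program"))

        # 2. setuid binary that is not on the approved list.
        if p.setuid and p.comm not in APPROVED_SETUID:
            findings.append((p.pid, "unapproved setuid program"))

        # 3. sudo boundary escape: sudo authorised one command (e.g. vi); anything that
        #    command spawns afterwards (sh, rm, cp, ...) runs as root outside that grant.
        for i, a in enumerate(chain):
            if a.comm == "sudo":
                granted = chain[i - 1] if i > 0 else p   # the program sudo actually ran
                if granted is not p and granted.comm not in SHELLS:
                    findings.append((p.pid, f"escaped sudo boundary of '{granted.comm}'"))
                break

        # 4. Shell with no controlling terminal spawned by a web server: the reverse-shell shape.
        if is_shell and not p.tty and parent and parent.comm in WEB_SERVERS:
            findings.append((p.pid, f"non-interactive shell spawned by {parent.comm}"))

        # 5. Shells launched by cron/at are recorded so the commands they run can be alerted on.
        if is_shell and parent and parent.comm in SCHEDULERS:
            findings.append((p.pid, f"non-interactive shell launched by {parent.comm}"))
    return sorted(findings)


# Constructed process tree (not captured from a real host).
SAMPLE = {p.pid: p for p in [
    Proc(1, 0, "init", 0),
    Proc(100, 1, "sshd", 0),
    Proc(101, 100, "bash", 1000, tty="pts/0"),                     # ordinary SSH session
    Proc(102, 101, "sudo", 0, tty="pts/0", setuid=True),
    Proc(103, 102, "vi", 0, tty="pts/0"),                          # the command sudo authorised
    Proc(104, 103, "sh", 0, tty="pts/0"),                          # :!sh from inside vi
    Proc(105, 104, "rm", 0, tty="pts/0"),                          # rm as root, outside the grant
    Proc(200, 1, "httpd", 33),
    Proc(201, 200, "sh", 33),                                      # web server spawned a tty-less shell
    Proc(300, 1, "crond", 0),
    Proc(301, 300, "sh", 0),                                       # cron job shell
    Proc(400, 101, "backup-helper", 0, tty="pts/0", setuid=True),  # setuid binary not on the list
    Proc(500, 1, "bash", 0, tty="tty7"),                           # root shell with no login program above it
]}

if __name__ == "__main__":
    for pid, finding in detect(SAMPLE):
        print(f"pid {pid:>4} {SAMPLE[pid].comm:<14} {finding}")
```

The sudo detector deliberately keys on the program directly beneath sudo rather than on sudo itself: `sudo vi` authorises vi, so vi is silent while the shell and the rm it spawns are flagged, whereas `sudo -i` or `sudo bash` authorises a shell and everything under it is within the grant. Requiring a tty in the root-shell rule keeps cron jobs running as root out of that finding; tty-less shells are covered separately by the web-server and scheduler rules, so a reverse shell still surfaces.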
SECURITY AUTOMATION AND SCALE MANAGEMENT

As in every ObserveIT release, ObserveIT 6.0 adds security automation and scale management features to support large-scale enterprise deployments with large numbers of agents and increased security.

- Automatically unregister unused VDI agents in large desktop environments, allowing a floating license model for deployments in which VDIs are created and destroyed frequently
- Export ObserveIT Web Console configuration changes (policy audit) to your SIEM, so you can integrate and correlate recording policy modification events with other security events
- RODC support is now available for environments that allow only read-only access to Active Directory domain controllers

NEW SUPPORTED PLATFORMS

- MS SQL Server 2014 is now supported as the ObserveIT Database Server
- DBA Activity now supports MS SQL Management Studio 2012 and 2014
- RHEL/CentOS/Oracle Linux 7.1
- RHEL/CentOS/Oracle Linux 4
- Debian 8