OBSERVEIT TECHNICAL SOLUTION OVERVIEW


This document outlines the key features, system architecture, deployment scenarios, system requirements, product installation, security infrastructure, data management, and integration capabilities of ObserveIT Enterprise.

Contents

1 Solution Overview
2 Key Solution Features
   Insider Threat Intelligence
   Visual Forensics
   Advanced Key Logging
   User Activity Alerts
   Session and User Activity Metadata Search
   Reporting and Auditing
   DBA Activity Audit
   Privileged Identity Management
   Identity Theft Detection
   User Session Locking
   Policy Messaging and Recording Notification
3 System Architecture
   Overall Architecture
   Windows Agent
   Unix/Linux Agent
   Application Server
   Web Console
   Database Server
4 Deployment Scenarios
   Standard Agent-based Deployment (Servers and Desktops)
   Jump Server Gateway
   Outbound Jump Server Gateway
   Citrix Server for Published Applications
   Hybrid Deployment: Agent-Based + Gateway
5 Sizing and System Requirements
   Small Deployments
   Medium Deployments
   Large Deployments with High-Availability
6 Installation Overview
   6.1 One-Click Installation
   Custom Installation
   Windows Agent Installation
   Unix/Linux Agent Installation
Key Configuration Settings
   Console Users (ObserveIT Administrator Users)
   Server Configuration Policies
   SMTP, LDAP, Active Directory
Security Infrastructure
   Windows Agent
   Unix/Linux Agent
   Data Security in Transit
   Data Security at Rest
   Installation Security
   System Health Monitoring
   Configuration Change Auditing
   User Privacy Protection
Data Management
   Database Structure
   Database Storage
   File System Storage
   Metadata Storage
   Archiving
Integrating ObserveIT Data into Third-Party SIEM Systems
   SIEM System Integration Using Database API
   SIEM System Integration Using Monitor Log Data
Integrating ObserveIT Data into Network Management (Alerting) Systems
Integrating ObserveIT with a Service Desk System
Agent API for Process-Oriented Integration

2016 ObserveIT. All rights reserved.

1 Solution Overview

ObserveIT is an Insider Threat Solution. The ObserveIT Insider Threat Solution offers unique visibility to investigate risky user behavior in real time and watch exactly what users are doing, so that internal security events can be responded to. ObserveIT addresses the critical requirements for preventing insider threat by enabling security administrators to raise the security awareness of their users, dramatically reduce the risk caused by negligent users, easily track changes in user behavior, and help enforce company security policies. ObserveIT protects enterprises from data loss, fraud and IP theft across third parties, privileged users and business users.

Key Components

User Behavior Analytics and Risk Scoring: Assesses the risk of every user by analyzing and scoring user activity to identify any actions that are out of role, suspicious, or in violation of security policies.

Policy Notification and Enforcement: Lets you define company policies and security regulations and enforce them by posting specific, detailed notification messages in real time to any user violating these rules.

User Activity Monitoring and Alerting: Captures all user activity and generates textual audit logs, screen recordings and alerts for risky behavior on desktops and servers.

Live-Session Response and Visual Forensics: Provides video replay and analysis of real-time and historic user actions, and the ability to actually stop user activity.

1.1 Complete Insider Threat Solution

ObserveIT's Insider Threat Intelligence platform provides unparalleled visibility into the users who are putting your organization at risk. The ObserveIT software monitors and records all user activity on Windows and Unix/Linux servers and desktops. The system generates video recordings, user activity logs, behavioral analytics and real-time alerts.

ObserveIT analyzes exactly what the user does during a session using proprietary metadata and contextual screen captures, and assigns the most accurate risk score to the riskiest users. User behavior analytics and risk scoring prioritize internal investigations, so that security teams can focus on the users who are putting your business at risk.

ObserveIT's application marking technology tracks elements in sensitive applications for data exposure and extraction; this visibility provides the most accurate understanding of one of the biggest sources of insider threats: applications.

Alerts provide ObserveIT with a proactive, real-time detection, deterrence and prevention mechanism. When alerts are triggered, textual notifications can be displayed warning users about potential security violations so that they can take remedial action. In some cases, users can be "denied access" and hence prevented from continuing with their current activity. The ObserveIT solution provides built-in detection via a comprehensive library of canned alert rules that can be used to detect risky user activity across applications, operating systems and users.

ObserveIT's Insider Threat Intelligence platform increases security awareness by educating employees about out-of-policy behavior, whether malicious or negligent. Through policy notification and enforcement, users can be educated to change their behavior. The ObserveIT User Risk Dashboard provides Security Analysts and Investigators with an easy way to track users that have experienced any type of policy notification or enforcement as a result of violating company policy or security rules. Every user notification message triggers an alert that notifies security specialists about the incident and updates the user's risk score.

The result is a complete solution for identifying and managing user-based risk, and preventing insider threat.

2 Key Solution Features

2.1 Insider Threat Intelligence

ObserveIT's Insider Threat Intelligence provides a platform to assess the risk of every user and to analyze and score user activity, with the goal of identifying user actions that are out of role, suspicious, or in violation of security policies. Insider threat is prevented by educating employees about out-of-policy behavior, whether malicious or negligent. Through policy notification and enforcement, users can be educated to change their behavior.

2.1.1 User Behavior Analytics and Risk Scoring

ObserveIT's User Risk Dashboard provides a broad view of risky users and their activities. Security analysts (including security and compliance staff, and those who review insider threats, compliance, or out-of-policy risks) can quickly locate and identify where user risk is coming from and investigate users. At a glance, you can see a user risk summary, a breakdown of risky users by risk level, the number of new users at risk, and the top risky applications and alerts. The dashboard highlights new users who become risky, denoted by recent changes in their user risk score.

ObserveIT allows large organizations to manage the risk of their employees in separate departments or groups, each owned by a dedicated security team member or manager. The monitored users of each department are configured based on Active Directory groups/users, ensuring fully segregated permissions across the product, including all risky-user data, risk summary statistics, session recordings, alerts and reports.

You can build your own alert rules, or use built-in canned alert rules to detect risky user activity across your applications, operating systems and users. ObserveIT provides an enhanced library of canned and sample alert rules that business users or administrators can use to detect risky user activity. These alert rules can be applied as they are or in a customized form.

The following information for each user at risk helps you prioritize which users to investigate first:

- General information about the user, such as title, department and personal photo.
- Risk score, color-coded by risk level, and the score change since the previous day.
- Out-of-policy notifications and behavior trends.
- Which applications and alerts contributed most to the user's total risk score, so you can understand where the risk is coming from and take corrective action.
- A timeline of when the risky activity occurred.

Figure 1 ObserveIT User Risk Dashboard

ObserveIT User Analytics calculates a user-centric risk score that is displayed in the dashboard to identify and prioritize the most risky users. The score is an intelligent aggregation of a user's activity alerts during the last month. The daily risk score tracks a user's risk day by day, allowing you to easily identify score changes and act first on users whose risk level has recently changed. You can customize score thresholds per risk level for both alert rules and users to control what is considered critical, high, medium, or low risk in your organization.

2.1.2 Policy Notification and Enforcement

ObserveIT enables you to easily define your company policies and security regulations and enforce them by posting a specific, detailed notification message in real time to any user violating these rules. The notification message can be triggered each time the rule is violated, or alternatively only once per user session.

Warning notification messages automatically disappear after a few seconds, so there is no impact on end-user productivity. Customers can choose to have the notification branded with their company logo, or leave it generic. Once the notification is displayed, the user can click to view the policy/security requirements directly from the message itself, and has the option to provide a comment explaining their behavior or to acknowledge the message.

Blocking messages prevent users from continuing whatever they are doing. Users are forced to review the message, acknowledge it, and provide a comment (optionally, depending on configuration) before they can continue with their work. The policy/security requirements are available directly from the message.

Figure 2 Windows End-User Blocking Message

On Unix/Linux systems, a policy notification is applied by writing the real-time notification message text directly to the terminal output. Users become aware of the security/policy violation message and can carry on with their work. The text is not injected as input to the currently running command, so there is no impact on interactive or background processes. A simple clear command (^L) clears the text message.

Figure 3 Unix/Linux End-User Warning Notification

ObserveIT can prevent unauthorized Linux commands from being executed, based on flexible prevention rules that you define. When a policy enforcement rule is triggered, the end user receives the standard operating system "Permission denied" message together with an optional message configured by security administrators.

2.1.3 Track User Behavior Change via Policy Violations and Notifications

ObserveIT enables you to track users that have experienced policy notifications or enforcement, pinpointing users with the highest number of policy violations and whose behavior is not improving with time. In the ObserveIT User Risk Dashboard, an indication is displayed next to a risky user's photo showing the number of out-of-policy notifications. A trend arrow indicates whether or not the user's behavior has improved with time. For more details, a tooltip shows extra information about the types of violations involved, so analysts can drill down to view full details of any incident, including playing the video recording.

Figure 4 Out-of-Policy Behavior Tooltip

2.2 Visual Forensics

Playing back a user session shows exactly what occurred on screen. Playback speed is adjustable. On the right side of the player window is an activity summary panel which lists, in chronological order, every action performed during the session. Clicking an action jumps directly to that portion of the video, just like navigating chapters on a DVD. Alerts triggered from the session are indicated on the timeline, and during playback alert details are automatically displayed at the exact time they occurred.

Figure 5 Windows Session Playback

ObserveIT goes far beyond simply recording on-screen activity. All on-screen activity is transcribed into an easy-to-read user activity log, so that you don't need to watch the video to know what the user did. User activity logs can be selected by server (Server Diary page), by user (User Diary page), or by keyword search (Search page). Clicking on any particular event in the log launches the video playback from that exact moment. You can see at a glance exactly what a user did during a session, and whether any suspicious activities were performed.

Figure 6 User Activity Log

2.3 Advanced Key Logging

Key loggers track and record an employee's or vendor's computer activities for the purposes of monitoring, root-cause analysis, forensic investigation and regulatory auditing. ObserveIT keylogging offers unique capabilities not available in any other keylogging solution. Keyword-searchable logs are generated for all of the following:

- Editing: If users edit existing text within a control, both the old and new versions of the text are captured.
- Partial typing: Even if only one character within a block of text is changed, added, or deleted, the entire text, including the new character, is captured.
- Copy/paste: Text pasted using the Windows Clipboard.
- When the Auto-Complete option is selected, whether the user is typing or a spell checker is used, the key logger captures the entire text.
- Changed field values that are selected from drop-down lists.
- Changed check box selections, including the description of the check box.
- Changed numeric values using click/spin controls.
- Commands entered in a CMD window using shortcuts, such as Tab and the up/down arrows.
- Unix/Linux commands, including commands run by scripts and underlying system commands.

ObserveIT administrators and compliance auditors can search for text entered by a user, as well as certain application/system selections, and then jump directly to the session video recording at that exact location.

To prevent users who are authorized to access the database from viewing passwords or other sensitive data, data captured by the ObserveIT key logger can be encrypted (using the SHA256 salted hash algorithm). ObserveIT supports case-insensitive search matching, even on data that is stored encrypted.
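The two properties just stated, that captured keystrokes are stored as a salted SHA-256 hash yet remain searchable case-insensitively, can coexist only if the same normalization is applied before hashing both the stored text and the search term. The block below is an added illustration of one such design, not ObserveIT's code: each whitespace-separated token is case-folded, hashed together with a per-deployment salt, and only the digest is persisted; a search hashes the query the same way and looks for the digest. The sample captures, session identifiers and timestamps are constructed. Note that the page describes the stored form as "encrypted", while a salted hash is one-way: the original text cannot be recovered from the database, only matched against a candidate.

```python
import hashlib
import re
import secrets
from dataclasses import dataclass, field

# Constructed sample captures (session id, timestamp, typed text); not real data.
SAMPLE_CAPTURES = [
    ("S-1001", "2016-03-01T09:15:02", "SELECT * FROM Customers WHERE ssn = '123-45-6789'"),
    ("S-1002", "2016-03-01T09:17:40", "su - root"),
    ("S-1002", "2016-03-01T09:17:45", "Hunter2"),
]

_TOKEN = re.compile(r"\S+")


@dataclass
class HashedKeylogStore:
    """Persists only salted SHA-256 digests of case-folded tokens."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    entries: list = field(default_factory=list)  # (session, ts, [digest, ...])

    def _digest(self, token: str) -> str:
        # Case-fold before hashing so 'Customers' and 'CUSTOMERS' produce the same
        # digest on purpose: that is what makes the search case-insensitive.
        norm = token.casefold().encode("utf-8")
        return hashlib.sha256(self.salt + norm).hexdigest()

    def ingest(self, session: str, ts: str, typed: str) -> None:
        """Record one capture; the plaintext is discarded after hashing."""
        digests = [self._digest(t) for t in _TOKEN.findall(typed)]
        self.entries.append((session, ts, digests))

    def search(self, keyword: str) -> list:
        """Return (session, ts) pairs whose captured text contains keyword, any case."""
        wanted = self._digest(keyword)
        return [(s, ts) for s, ts, ds in self.entries if wanted in ds]

    def contains_plaintext(self, text: str) -> bool:
        """Sanity check for the reader: does the persisted form contain the raw text?"""
        return text in repr(self.entries)


def build_store(captures=SAMPLE_CAPTURES, salt=None) -> HashedKeylogStore:
    """Ingest the sample captures into a fresh store (random salt unless given)."""
    store = HashedKeylogStore(salt=salt) if salt else HashedKeylogStore()
    for session, ts, typed in captures:
        store.ingest(session, ts, typed)
    return store


if __name__ == "__main__":
    st = build_store()
    print(st.search("customers"))            # hit in S-1001 despite the different case
    print(st.search("HUNTER2"))              # hit in S-1002
    print(st.contains_plaintext("Hunter2"))  # False: only digests are stored
```

Two limitations follow directly from the design. Matching works on whole tokens only; a substring search ("ustom") cannot be answered from digests. And because the salt is fixed per deployment, anyone holding both the database and the salt can test candidate words against the digests, so the salt needs the same access controls as a key.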

2.4 User Activity Alerts

The Alerts feature provides ObserveIT with a proactive, real-time detection, deterrence and prevention mechanism. Alerts are user-defined notifications which are generated when suspicious login events or user activity occur during a session. When alerts are triggered, textual notifications can be displayed warning users about potential security violations so that they can take remedial action. In some cases, users can be "denied access" and hence prevented from continuing with their current activity.

Alerts are integrated throughout the ObserveIT Web Console (in the User Risk Dashboard, User Diary, Server Diary, Search pages, and video Session Player) and can be easily integrated into an organization's existing SIEM system.

Following are some examples of risky user activities that might trigger alerts:

- Accessing sensitive administration tools or configurations, such as Registry Editor
- Using cloud storage or backup sites that are not allowed by company policy
- Connecting a USB storage device (or mobile phone)
- Copying a large number of files or folders to the clipboard
- A Unix user running a program or executing a command which grants the user additional permissions (for example, via the su or sudo commands)
- Browsing websites with unauthorized content or sites with potential security risk
- Irregular user access to sensitive customer/patient records

When reviewing alerts, you can set a workflow status for each alert indicating whether it is being reviewed, has been identified as an issue, or ended up being a non-issue.

You can view alerts in various display modes. For example, Gallery mode provides a view of the user environment, enabling you to see the context of exactly what the user was doing when an alert was triggered. You can browse through the screenshots of each alert while viewing the full alert details next to each screen, and easily replay sessions in which alerts occurred.

Figure 7 Viewing Slideshow of Alerts with Alert Details Emphasized

By clicking the Video playback icon, you can open the Session Player at the screen location where an alert was generated. The following shows an example of the video replay of a session during which a number of alerts occurred.

Figure 8 Replaying Sessions with Activity Alerts

2.4.1 Configuring Alert and Prevention Rules

Alert and prevention rules define the conditions under which an alert will be triggered. Administrators can configure flexible, fully customizable alert and prevention rules which can help to detect malicious user activities, prevent unauthorized and malicious activity via policy enforcement, increase security awareness through user education and policy notifications, detect known patterns of risky behavior using built-in canned alert rules, and so on.

The ObserveIT Web Console's built-in library of predefined alert scenarios has an enriched set of out-of-the-box detection rules that can detect risky user activity on either Windows or Unix/Linux operating systems. Most of these rules are active by default and require no additional configuration. Canned alert rules are available immediately after installation; they can be used as they are or customized to match the unique needs of a company. Sample built-in alert rules represent common use cases and can be easily customized to suit your organization's security needs.

For each rule, you can specify a detection policy that defines the conditions that will trigger an alert (based on robust combinations of Who, Did What, On Which Computer, When, and From Which Client), and specify additional actions to be taken when the alert is triggered. User warning notifications and blocking messages notify users in real time about any out-of-policy behavior, enabling users to think again before performing a negligent or malicious action. Users can acknowledge a message, add a comment explaining their actions, and follow a link to view the company policy. If required, the security administrator can also select an action that starts recording a user when a security violation is detected.

Prevention rules can be configured on Linux systems only. ObserveIT prevention rules can prevent unauthorized Linux commands from being executed. For example, if a user attempts to run commands that manipulate sensitive protection policy files, the commands will be blocked from execution, denying the user access to the protection policy files. Video recording of user commands and terminal output can be activated on prevention rules.

The Rule Engine Service component on the Application Server processes the activity data and generates alerts based on the rules which are active.

Figure 9 Alert Rule Configuration

After defining an alert or prevention rule, the administrator can configure a notification policy which defines who should be notified when the alert is generated, and how they will be notified. Configured actions, identified by specific icons, are displayed throughout the ObserveIT Web Console and the User Risk Dashboard. From the User Risk Dashboard, administrators can view and investigate alerts based on recorded user activity that contributed to the definition of risky users.
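To make the Who / Did What / On Which Computer / When / From Which Client model concrete, here is an added example of a minimal rule evaluator, written for this page and not ObserveIT's Rule Engine Service. The event fields, rule format, rule names, the /etc/protected-policy path and the sample events are all constructed. It reproduces two behaviours from the text: the rules listed in section 2.4 (su/sudo use, Registry Editor, USB storage) as detection rules, and the Linux-only nature of prevention rules, which on a Windows event degrade to an alert because the block action is not available there.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch


@dataclass(frozen=True)
class Event:
    user: str
    groups: tuple     # directory groups the user belongs to
    os: str           # "windows" or "linux"
    computer: str
    client: str       # originating client host or IP
    when: datetime
    action: str       # "process_start", "command", "usb_connect", "file_copy"
    detail: str       # process name, command line, device description, ...


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    did_what: tuple              # (action, detail_glob) pairs; any one may match
    who: tuple = ()              # user or group names; empty = anyone
    computers: tuple = ()        # computer-name globs; empty = any
    when: tuple = ()             # (start, end) time-of-day window; empty = always
    from_client: tuple = ()      # client globs; empty = any
    actions: tuple = ("alert",)  # alert, warn, block, notify_email, start_recording
    prevent: bool = False        # prevention rule: blocks the command (Linux only)


def _in_window(t: time, start: time, end: time) -> bool:
    # Off-hours windows such as 20:00-06:00 wrap past midnight.
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def rule_matches(rule: Rule, ev: Event) -> bool:
    """Evaluate the five dimensions; an empty dimension means 'any'."""
    if rule.who and ev.user not in rule.who and not set(ev.groups) & set(rule.who):
        return False
    if not any(a == ev.action and fnmatch(ev.detail, g) for a, g in rule.did_what):
        return False
    if rule.computers and not any(fnmatch(ev.computer, g) for g in rule.computers):
        return False
    if rule.when and not _in_window(ev.when.time(), *rule.when):
        return False
    if rule.from_client and not any(fnmatch(ev.client, g) for g in rule.from_client):
        return False
    return True


def evaluate(rules, events) -> list:
    """One finding per (rule, event) match, with the actions that would be taken."""
    findings = []
    for ev in events:
        for rule in rules:
            if not rule_matches(rule, ev):
                continue
            actions = list(rule.actions)
            # Prevention exists on Linux only; elsewhere the rule can still alert.
            if rule.prevent and ev.os != "linux":
                actions = [a for a in actions if a != "block"]
            findings.append({"rule": rule.name, "severity": rule.severity,
                             "user": ev.user, "computer": ev.computer,
                             "when": ev.when.isoformat(), "actions": actions})
    return findings


# Constructed rules modelled on the examples in the text.
SAMPLE_RULES = [
    Rule("Privilege escalation via su/sudo", "high",
         did_what=(("command", "sudo *"), ("command", "su"), ("command", "su *")),
         actions=("alert", "notify_email")),
    Rule("Registry Editor launched by contractor", "medium",
         did_what=(("process_start", "regedit.exe"),),
         who=("Contractors",), actions=("alert", "warn")),
    Rule("Off-hours access to production DB servers", "high",
         did_what=(("process_start", "*"), ("command", "*")),
         computers=("DBPROD-*",), when=(time(20, 0), time(6, 0)),
         actions=("alert", "start_recording")),
    Rule("Tampering with protected policy files", "critical",
         did_what=(("command", "*rm* /etc/protected-policy/*"),
                   ("command", "*chmod* /etc/protected-policy/*")),
         prevent=True, actions=("block", "alert")),
    Rule("USB storage device connected", "medium",
         did_what=(("usb_connect", "*"),), actions=("alert", "warn")),
]

# Constructed activity events, as an agent might report them.
SAMPLE_EVENTS = [
    Event("jsmith", ("Contractors",), "windows", "WKS-042", "10.1.2.3",
          datetime(2016, 3, 1, 11, 5), "process_start", "regedit.exe"),
    Event("dbadmin", ("DBA",), "linux", "DBPROD-4", "10.1.9.9",
          datetime(2016, 3, 1, 22, 30), "command", "sudo systemctl restart mysql"),
    Event("ops", ("Ops",), "linux", "APP-01", "10.1.5.5",
          datetime(2016, 3, 1, 14, 0), "command", "rm -f /etc/protected-policy/alerts.conf"),
    Event("ops", ("Ops",), "windows", "WKS-007", "10.1.5.6",
          datetime(2016, 3, 1, 14, 10), "command", "rm -f /etc/protected-policy/alerts.conf"),
    Event("jsmith", ("Contractors",), "windows", "WKS-042", "10.1.2.3",
          datetime(2016, 3, 1, 11, 20), "usb_connect", "SanDisk Cruzer (E:)"),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RULES, SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['rule']:45} {f['user']}@{f['computer']} -> {f['actions']}")
```

The off-hours sudo on DBPROD-4 produces two findings, one per matching rule, which is the behaviour a reviewer wants: each rule carries its own notification policy and actions, so they should not be collapsed.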

2.4.2 Dynamic Forensic Recording: Determine Intent of High Risk Activity

ObserveIT also helps to protect end-user privacy and reduce storage requirements by enabling you to activate video recording only when a specific alert is triggered. You can set the recording policy to metadata-only, which provides ObserveIT with all the activity data required for analyzing user behavior without disclosing any sensitive data that might appear on the user's screen. A "Start video recording" action in the alert/policy rule adds video recording from the moment the security incident occurs and the alert is triggered until the end of the user session.

2.4.3 Importing and Exporting Alert and Prevention Rules

ObserveIT's import and export capability for alert and prevention rules, with their related actions, allows customers to:

- Benefit from recent updates to the ObserveIT Packaged Analytics (detection library) without the need to upgrade their system to the latest version.
- Easily migrate alert, policy, and prevention rules between staging and other environments (such as from POC to UAT to Production).

Exporting rules is done by simply selecting the rules you wish to export and providing the location for the export file. Importing rules is managed by a straightforward wizard that notifies you in advance about any potential conflict or missing data on the target environment, so that you can quickly address it.

Figure 10 Importing Alert and Prevention Rules

2.5 Session and User Activity Metadata Search

ObserveIT captures all sessions and user activity, recording important information about what is seen on the screen, which applications are used, what actions are performed, the date and time of actions, and other specific metadata attributes. This "metadata" is stored in the ObserveIT database, which is located on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout recorded sessions and provide a textual breakdown of each user session.

As part of any investigation process, it is crucial to be able to quickly locate forensic data. ObserveIT's advanced search boosts search performance by allowing you to focus a search on specific metadata. You can search for users who logged in, sensitive application elements that were clicked or viewed, metadata that was captured on risky user activity concerning file copying and data exfiltration through USB storage devices, keystrokes typed, applications that were run, specific window titles or URLs viewed, SQL commands containing keywords (such as a table name), and more. On Unix/Linux systems, you can search for users who logged in, executed specific commands (based on command name, full path, arguments, command switches) or acted under a different user's permissions. You can also filter searches based on specific login users, specific machines, and specific time periods. Matched keywords are highlighted.

For accelerated search performance, it is highly recommended that you install the Microsoft SQL Server Full Text Search (FTS) utility prior to ObserveIT installation.

Figure 11 Searching for Sessions and User Activities

The displayed search results provide the context of the activity, showing the exact location of searched keywords (for example, in a URL, window title, SQL statement, and so on). Where relevant, the resulting search hit is linked directly to the portion of the video where the action occurred, making it easy to find the exact moment that an action was performed. Within each session, you can watch the full video replay of the user session and see exactly what took place.

2.5.1 Record Metadata on Applications at Field Level

ObserveIT allows you to detect data exposure, data theft and out-of-policy activities that involve specific application field data. The ObserveIT Marking Tool is used to mark specific application data field elements (known as "In-App elements") for tracking user interactions with sensitive data fields for security, compliance and internal policy enforcement. For example, you can monitor exposures to sensitive data fields, such as customer personal details (SSN, credit card information, etc.) in applications, even those that don't provide audit records on data views. While tracking field-level data, the actual content of the field is also recorded, providing detailed audit logs for all applications.

You can generate alerts when specific data fields are viewed or changed, and run reports showing all sensitive or regulated data elements being viewed by users. You can also search for specific fields or values, and view screenshots in which specific user interactions with sensitive application elements were detected. All field-level data and alerts can be integrated with SIEM systems.

Figure 12 Marking Data Fields in a Web Application

2.5.2 Capture Metadata on Potential Data Leaks

ObserveIT enriches the recording of metadata by enabling the capture of user activity related to potential data leaks. Any user attempt to move files (or folders) by copying them to the clipboard or dragging them with the mouse is immediately captured by ObserveIT, together with the names of the files as well as their source location and size. Thresholds can be defined to indicate a LARGE file copy based on the number of files being copied and/or their total size. In addition, if a user connects any USB storage device (including a mobile phone), ObserveIT immediately captures the device description (i.e., model and manufacturer) and the mapped drive letter.

This new metadata is fully integrated across the product, allowing customers to detect and deter any out-of-policy behavior or risky activity of their employees with regard to file copying and data exfiltration through USB storage devices. Users can define alerts when sensitive files are being copied, pop up a blocking message when a USB storage device is connected, generate reports, search for specific files being copied, and export the new metadata to their favorite SIEM system.

2.6 Reporting and Auditing

ObserveIT reporting can be used by novice administrators to generate reports based on preconfigured built-in reports, or by experienced administrators and security auditors who require flexible application usage reports and trend analysis reviews. Experienced administrators and security auditors can also create comprehensive customized reports based on their own requirements. Reports can provide aggregated or summary information about all monitored user activity, including activity alerts, In-App element metadata, system events and user logins.

ObserveIT reporting capabilities on alerts and application data fields significantly enhance security operations and regulatory compliance:

- Alert reports according to workflow status (Reviewing, Issue, Non-Issue) enable you to produce management reports reflecting the status and progress of your security and compliance review process.
- Reports on alerts showing summaries by alert rule, user, computer, alert status, and so on.
- Reports on exposures or interactions with specific fields or values (for example, list all user sessions where VIP customer records were viewed).
- Built-in system reports showing all marked In-App data elements defined by a customer.

The ObserveIT Web Console includes an abundance of ways to run reports and export user activity log data:

- The report generator includes canned reports and customizable report rules for filtering by user/user group, server/server group, date, application, resources accessed, and more. Reports can be run ad hoc or delivered on a schedule by email.
- Full-text, Google-like searching allows pinpoint identification of user sessions.
- User activity log drill-down allows each session to be viewed item by item, to see which applications were run and which actions were performed during that session.
- Video replay can be launched directly from any audit view or report.
- Specific audit video can be exported for delivery as a simple HTML file for forensic evidence delivery.

2.7 DBA Activity Audit

DBA Activity Auditing provides monitoring of SQL queries executed by DBAs against production databases. SQL query activity is captured by ObserveIT when the DBA is using a DB management tool on an ObserveIT-monitored computer. A recommended configuration is to ensure that all DBAs for whom recording is required connect through a Windows gateway on which the ObserveIT Agent and the DB management tool application are installed.

Figure 13 Capturing SQL Queries

Using ObserveIT, administrators and auditors can review all SQL queries performed on a given date or filter results by database, DB user, server, login ID, or any text contained within the queries. SQL queries are also included in the session activity details displayed in the Server Diary and User Diary pages. When using the Search page in Metadata (user activity log) mode, text matches within SQL queries will also return the relevant sessions in the search results.

2.8 Privileged Identity Management

When admin users log in using a shared account (for example, administrator or root), ObserveIT can be configured to present particular users with a secondary challenge-response, forcing them to specify their named-user account ID. Secondary IDs can be tied to an Active Directory repository, or can be managed locally in the ObserveIT Web Console. ObserveIT's Secondary Identity mechanism allows you to manage and secure shared-user access without requiring the overhead, complexity, or expense of password rotation or password vaults.

[Figure 14: Shared-User Login Triggers Secondary User Authentication]

2.9 Identity Theft Detection

ObserveIT's Identity Theft Detection module brings a brand new approach to preventing and discovering incidents of stolen privileges. Today, security officers provide users with tools and education on how to protect their identity (such as two-factor authentication, password complexity and reset rules, and so on). But once an identity is stolen, no tool can clearly identify or track the incident, and the responsibility for detection lies entirely with the security officer. ObserveIT enables you to include users in the detection process, and thus make users responsible for their identities. IT identity theft incidents can be detected and neutralized much more quickly when users have a means to flag unauthorized logins.

For each monitored server, ObserveIT keeps track of authorized/confirmed pairings of user IDs and client machines. If a user logs in to a server from a client that is not paired to the user, an email is sent to the user. For example:

- A hacker steals a password and logs in from a remote machine. An email is sent to the user saying "The user johnsmith just logged in to server WEBSRV-PROD from unauthorized IP address. Please confirm that it was you who performed this action."
- An internal user steals an administrator's password and logs in to a server from her own desktop, generating an email saying "The user johnsmith logged in to server DBPROD-4 from unauthorized desktop KATHY-DSKTP. Please confirm that it was you who performed this action."

The user can either confirm or deny the action. In parallel, an event is logged for the administrator to track and monitor unauthorized pairings. Granular security rules can be applied to specify how to manage each user confirmation.

2.10 User Session Locking

With ObserveIT, you have the ability to view live user sessions in real time. If required, you can interact with the user of each session by sending messages (for example, "You should not be running SQL queries on the production database.") and can also stop the user session entirely by locking the session.
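As an added illustration (not ObserveIT's code) of the pairing check in Identity Theft Detection above: each login event is compared with the confirmed user/client pairings for that server, an unpaired login produces the user notification and an administrator event, and the user's confirm/deny answer updates the table. The PairingStore class, the event names and the sample logins (including the 203.0.113.5 documentation-range address) are constructed assumptions.

```python
"""Login pairing check in the style of ObserveIT's Identity Theft Detection.

Added illustration, not ObserveIT code. The data model, event names and the
sample logins below are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class PairingStore:
    """Per-server table of confirmed (user, client) pairings, plus the
    notifications still awaiting the user's confirm/deny answer."""
    confirmed: set = field(default_factory=set)   # {(server, user, client)}
    pending: dict = field(default_factory=dict)   # token -> (server, user, client)
    counter: int = 0

    def is_paired(self, server, user, client):
        return (server, user, client) in self.confirmed

    def confirm_pairing(self, server, user, client):
        """Mark a client as authorized for this user on this server."""
        self.confirmed.add((server, user, client))

    def open_confirmation(self, server, user, client):
        """Register a notification that awaits the user's answer."""
        self.counter += 1
        token = "confirm-%d" % self.counter
        self.pending[token] = (server, user, client)
        return token

    def resolve(self, token, it_was_me):
        """Apply the user's answer. Confirming makes the pairing authorized;
        denying produces an event for the administrator to act on."""
        server, user, client = self.pending.pop(token)
        if it_was_me:
            self.confirmed.add((server, user, client))
            return {"event": "PairingConfirmed", "server": server,
                    "user": user, "client": client}
        return {"event": "UnauthorizedLoginDenied", "server": server,
                "user": user, "client": client}


def check_login(store, login):
    """Evaluate one login event against the pairing table.

    Returns (user_message, admin_event). Both are None when the client is
    already paired with the user on that server; otherwise the user gets the
    confirmation request and the administrator gets an event to track."""
    server, user, client = login["server"], login["user"], login["client"]
    if store.is_paired(server, user, client):
        return None, None
    token = store.open_confirmation(server, user, client)
    # A client identified by an address rather than a hostname is reported
    # as an IP address, mirroring the two message forms quoted in the text.
    kind = "IP address" if client[:1].isdigit() else "desktop"
    message = ("The user %s just logged in to server %s from unauthorized %s %s. "
               "Please confirm that it was you who performed this action. [%s]"
               % (user, server, kind, client, token))
    admin_event = {"event": "UnpairedLogin", "server": server, "user": user,
                   "client": client, "token": token}
    return message, admin_event


# Constructed sample data: one confirmed pairing and three login events.
SAMPLE_STORE = PairingStore()
SAMPLE_STORE.confirm_pairing("WEBSRV-PROD", "johnsmith", "JOHN-DSKTP")
SAMPLE_LOGINS = [
    {"server": "WEBSRV-PROD", "user": "johnsmith", "client": "JOHN-DSKTP"},
    {"server": "WEBSRV-PROD", "user": "johnsmith", "client": "203.0.113.5"},
    {"server": "DBPROD-4", "user": "johnsmith", "client": "KATHY-DSKTP"},
]


def run_sample():
    """Process the sample logins; returns a list of (message, admin_event)."""
    return [check_login(SAMPLE_STORE, login) for login in SAMPLE_LOGINS]


if __name__ == "__main__":
    for message, event in run_sample():
        print(message or "paired client, no notification", event)
```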

2.11 Policy Messaging and Recording Notification

Policy information can be delivered to users as they log into a server or desktop. This policy info can include notification of auditing activity (for example, "Please note that all activity on this machine is recorded."). Policy information can also relate to company or regulatory policies ("Please note that PCI requirements mandate that no database traces be implemented on this server."). Policy messages can also be set to require the user's response. This can be used to record the user's acknowledgment that he/she is being recorded (a legal requirement in some jurisdictions). Users can optionally be prevented from completing their logon to the computer until they provide a confirmation and/or response.

[Figure 15: Policy Messaging Delivered to the User on Windows and on Unix/Linux]

3 System Architecture

3.1 Overall Architecture

ObserveIT is a software-based User Activity Monitoring and internal risk identification platform. Software agents running on Windows and/or Unix/Linux gateways, servers and/or desktops capture user activity data and send it to an ObserveIT Application Server. The Application Server sends the relevant user activity log and screen video data to a Database Server for storage. Administrators manage the system and access user activity logs, screen video, reports and other features using the ObserveIT Web Console, which is served by the Application Server.

[Figure 16: ObserveIT Architecture]

3.2 Windows Agent

The ObserveIT Windows Agent is a software component that is installed on any Windows-based operating system (server or desktop) that you want to record. It can be installed on any version of Windows from Vista through Windows 8, Windows Server 2008 R2 (32/64 bit), and Windows. The Windows Agent is a user-mode executable that binds to every user session. As soon as a user logs into a monitored server, the Agent begins recording based on the configured recording policy.

From the moment a user logs on, the Windows Agent begins capturing user activity data logs and, if configured, screen video. All captured user activity data can be searched, reported on, configured for alerts, and integrated with SIEM systems. The Agent sends all screen capture video and textual activity logs to the ObserveIT Application Server for processing and storage.

[Figure 17: Windows Agent Architecture]

By default, the Agent only records the screen when actual user activity is detected at the keyboard or mouse. During idle time (when the user is inactive on the machine), the Agent does not generate screen capture data. Optional time-based recording allows the recording of everything that appears on the screen, even when there is no user activity. This can be useful for monitoring what the screen shows even while the user is idle or not present, such as the output of lengthy scripts run by IT users.

When network connectivity between the Agent and the Application Server is unavailable, the Windows Agent maintains an offline buffer to temporarily collect data. The buffer size is customizable. Once connectivity is restored, the buffered data is delivered to the Application Server.

3.2.1 Supported Platforms for Windows Agents

Microsoft Windows Server 2003/2003 R2/2008/2008 R2/2012/2012 R2, Windows Vista, Windows 7, Windows 8, and Windows 8.1. For an up-to-date list of supported Windows platforms, refer to:

3.3 Unix/Linux Agent

The ObserveIT Unix/Linux Agent is a software component that can be installed on any supported UNIX or Linux system that you want to monitor. The Unix/Linux Agent runs in user mode and is triggered when an interactive session is created on a monitored machine (connected via SSH, Telnet, Rlogin, and so on). It records user activity inside the sessions, including interactive user activity and system functions such as OPEN, EXEC, CHMOD and others. The recorded data is sent to the ObserveIT Application Server and can be replayed or searched for input commands, system functions and output data. All recorded data can be searched, reported on, configured for alerts, and integrated with SIEM systems.

SFTP sessions to Unix/Linux machines can also be recorded, logged, searched, configured for alerts and integrated with SIEM systems, in the same manner as SSH sessions.

[Figure 18: Unix/Linux Agent Architecture]

When a user logs in on a Unix/Linux machine, the Agent is started and begins recording the shell actions based on a predefined data recording policy. The ObserveIT Unix/Linux Agent captures all the internal actions and the names of files and resources that are affected by command line operations. All output, commands and important system functions inside commands are captured and forwarded to the Agent, which sends them to the ObserveIT Application Server for processing and storage.

In offline mode, the ObserveIT Agent allows local storage of the recorded data in the event of network malfunction or disconnection. When network connectivity is re-established, the ObserveIT service transmits the locally cached data to the Application Server. To prevent the local disk from reaching its full capacity, the volume of the local data cache is limited per offline session.

Attempting to stop the recording process will terminate the user session, so that no further user activity can take place unrecorded.

3.3.1 Supported Platforms for Unix/Linux Agents

- Solaris 10 (updates 7-11) and Solaris 11 (updates 1-2)
- RHEL/CentOS
- Ubuntu
- Oracle Linux
- SLES SuSE 10 SP2-SP4, SLES SuSE 11 SP2-SP3, and SLES SuSE 12
- AIX 6.1 and AIX 7.1
- HP-UX
- Debian 6, 7 and 8 (64-bit only)
- Amazon Linux AMI

For a full list of supported platforms for Unix/Linux Agents, refer to:

3.4 Application Server

The ObserveIT Application Server is an ASP.NET application that runs on a Windows Server-based computer (physical server or VM), in the context of Microsoft Internet Information Server (IIS). Recorded data is sent by the Agents to the Application Server(s), which store it in the SQL Server databases and on a file system shared folder. Recorded data from Windows-based operating systems is divided into two parts: the metadata (approx. 30% of the total storage size) and the graphical images (approx. 70% of the total storage size). Unix/Linux-based operating system recordings are 100% metadata. The Application Server also maintains recording policies and other configuration data, actively communicates with Agents to deliver configuration updates and to monitor system health, handles data maintenance/archiving, and generates reports.

3.5 Web Console

The ObserveIT Web Console is also an ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS). It is the primary interface for audit review, video replay, and reporting, as well as for configuring and administering ObserveIT. All configuration information is stored in the ObserveIT Database Server. The Web Console includes granular policy rules for limiting access to sensitive data. In most cases, the ObserveIT Web Console component is installed on the same computer as the ObserveIT Application Server (one of them if there are multiple Application Servers).

3.6 Database Server

By default, ObserveIT uses Microsoft SQL Server for data storage. This storage includes user activity configuration data, user analytics data, textual audit metadata and possibly the screenshots captured by the ObserveIT Agents for video replay. ObserveIT can also be configured to store the video replay screenshots in file system storage instead of in the SQL database, either on the local hard drive of the ObserveIT Application Server or on a file share in the network. In these cases, the MS SQL Server database is still used for storing user activity log and configuration data. ObserveIT can work with SQL Server Express, but this is not recommended due to its size limitations. Connectivity with the database is on the standard SQL Server TCP port.

4 Deployment Scenarios

ObserveIT can be deployed in a number of different ways, as shown below. The different methods are not mutually exclusive, allowing for a hybrid deployment when required.

4.1 Standard Agent-based Deployment (Servers and Desktops)

The standard method of deployment involves deploying the ObserveIT Agent on each machine to be monitored. The Agent installed on each monitored machine captures activity on that machine and feeds the video/log data to the Application Server.

[Figure 19: Agent-Based Deployment]

4.2 Jump Server Gateway

The Jump Server (Terminal Server) Gateway deployment is the ideal solution for logging all user configuration changes on remote network devices, servers, desktops and DB servers. In this topology, the ObserveIT Agent is deployed only on a gateway machine; only one Agent is required for recording all sessions. Users are routed via the gateway, and ObserveIT records all user sessions in which the user connects to another target machine via RDP, SSH or another protocol. Client applications (such as Microsoft SQL Server Management Studio, browsers, and others) are recorded with full user activity log analysis on the gateway.

In this deployment, ObserveIT does not record any user session in which a user logs on directly to a target machine (via local console login, or via a direct RDP/SSH/etc. window) that is not routed via a gateway. The volume of user activity log data captured is less than for the full Agent deployment, because the ObserveIT Agent on the gateway does not have access to OS-specific information on the target machine. For example, it cannot detect the name of a file opened within an RDP window.

[Figure 20: Terminal Server Gateway (Jump Server) Deployment]

[Figure 21: Linux Gateway (Jump Server) Deployment]

4.3 Outbound Jump Server Gateway

The Jump Server Gateway topology described above can also be used for environments in which remote users need to access multiple external resources. For example, a Managed Services Provider that needs to support multiple customers and wants to record and audit all the actions performed by the support employees. The topology is essentially the same as for the Jump Server Gateway; the only difference is the location of each resource, that is, the Terminal Server is not on the same network as the target machines.

[Figure 22: Outbound Jump Server]

4.4 Citrix Server for Published Applications

The ObserveIT Agent can be deployed on a Citrix Server in order to record all activities that take place within Published Applications served by the Citrix machine.

[Figure 23: Citrix Server Deployment]

4.5 Hybrid Deployment: Agent-Based + Gateway

The Hybrid topology is the most commonly used ObserveIT deployment because it allows you to simultaneously deploy any combination of the above topologies. Any remote or local user can be routed via a gateway. This enables ObserveIT to capture and record every outbound session, which can be replayed at any time. Agents can also be deployed on specific sensitive servers that require a more detailed audit, including any logins performed by privileged users with direct access to the servers. ObserveIT provides full user activity log data analysis and recorded video of all user actions that take place on sensitive servers on which Agents are installed and to which privileged users have direct access (and can therefore bypass the gateway).

[Figure 24: Hybrid Deployment: Gateway + Agent]

5 Sizing and System Requirements

5.1 Small Deployments

For installations with low user activity (less than 1,000 monitored users in average use cases), an All-in-One installation can be utilized, which means that the Application Server, Web Console and Database Server are all installed on the same platform. This platform can be a physical server, or it can be a virtual machine running in a typical virtualization solution.

[Figure 25: Small Implementation (Web Console access and ObserveIT Agents connecting to one All-in-One server hosting the Database Server, App Server and Web Console)]

System Requirements and Data Sizing for Small Deployments

- Physical server with 4-8 core CPU, 2.4 GHz or higher (processor configuration as needed)
- 16 GB of RAM
- Operating system hard disk: 80 GB (15K or SSD)
- 2 NICs, 1 GB Ethernet (10 GB Ethernet is recommended)

5.2 Medium Deployments

For medium-sized implementations of ObserveIT comprising 1,000-6,000 monitored servers in average use cases, it is preferable for the MS SQL Server to be installed separately from the Application Server/Web Console. If required, an existing SQL Server can be used, or a new instance can be created. Depending on the company's data storage strategies, a file system storage method for screen-capture data might be considered for this size of deployment.

[Figure 26: Medium Implementation (Web Console access and ObserveIT Agents connecting to an App Server and Web Console machine with a separate Database Server)]

System Requirements and Data Sizing for Medium Deployments

For each Application Server*, the recommended requirements are:
- 8 core CPU, 2.4 GHz
- 16 GB RAM
- 100 GB free hard disk space

* It is recommended to add another Application Server for every 2,000 concurrent users. For more specific sizing information, or for configurations exceeding 1,000 Agents, contact an ObserveIT representative.

For the SQL Server, the recommended requirements are:
- Physical server with 12 core CPU, 2.4 GHz
- 32 GB of RAM
- 24 TB for 1 month of data retention

For specific recommendations, contact an ObserveIT representative.

5.3 Large Deployments with High-Availability

ObserveIT supports large enterprise implementations comprising more than 6,000-10,000 concurrent users per site. Optimized database storage configuration and Application Server performance provide support for an increasingly large number of ObserveIT business users. If you have more than 10,000 users, then depending on your expected user activity and ObserveIT configuration you may still be able to actively monitor all your users with no difficulties using the specifications listed in System Requirements and Data Sizing for Large Deployments. However, it is recommended that you consult an ObserveIT representative.

For best practices for common scenarios and benchmark data for assessing a customer's hardware configuration requirements (Application Servers, Database Servers, and Storage) in large scale deployments, contact an ObserveIT representative.

Large enterprise implementations of ObserveIT will typically be accompanied by load balancing (LB), high-availability (HA) and redundancy requirements. Key factors for deploying HA include:
- Two or more servers running the ObserveIT Application Server and Web Console
- Cluster-based implementation of Microsoft SQL Server
- SQL Server using a dedicated storage device or, alternatively, ObserveIT's file system storage mechanism for visual screenshot data storage

5.3.1 Load Balancer Implementation

When full LB and HA are required, you can use a software-based load balancer (such as Microsoft NLB) or a hardware-based load balancer (such as F5). Optionally, this can be further augmented by a failover cluster for the Application Server, with an active/passive cluster that has only one node operational at any given time. More nodes can be added to the failover cluster as needed.

[Figure 27: Load Balancing Implementation (ObserveIT Agents reaching two App Servers through the load-balanced DNS record oitsrv, backed by an MS SQL Server failover cluster)]

5.3.2 File System Storage

To improve performance of the MS SQL Server, it is sometimes recommended to use ObserveIT's file system storage capabilities. In this deployment, the SQL Server is still used for user activity log and configuration data, but the actual screenshot images are stored in a file system directory structure, which is fully managed by ObserveIT.

[Figure 28: File System Storage (ObserveIT Agents, App Server and Web Console, Database Server, and separate File System Storage)]

System Requirements and Data Sizing for Large Deployments

For each Application Server*, the recommended requirements are:
- 8 core CPU, 2.4 GHz
- 16 GB RAM
- 100 GB free hard disk space

* It is recommended to add another Application Server for every 2,000 concurrent users. For more specific sizing information, or for configurations exceeding 1,000 Agents, contact an ObserveIT representative.

For the SQL Server, the recommended requirements are:
- Physical server with 24 core CPU, 2.4 GHz
- 64 GB or higher RAM (OS 2012)
- 15 TB for SQL Server, 35 TB for file system (1 month data retention)

For specific recommendations, contact an ObserveIT representative.

6 Installation Overview

6.1 One-Click Installation

One-Click installation is the easiest way to deploy ObserveIT in the most common environments. The main installation screen provides settings for configuring the SQL Server, Web Console and License. One-Click installation will also install an Agent locally on the Application Server machine.

[Figure 29: One-Click Installation]

6.2 Custom Installation

Each of the ObserveIT components can be installed separately as part of a custom installation, whereby you can distribute the components and use advanced configuration options as needed. Active Directory domain membership is not mandatory, although ideally all components should be placed on domain members. This enables usage of AD groups for Console Users; filtering of AD groups for Privileged Identity Management; DNS integration for Agent auto-configuration; and GPO-based installation.

6.3 Windows Agent Installation

Windows Agent installation is performed with a standard Windows installer package (.MSI) that is well supported by software distribution applications and Group Policy (GPO). The Windows Agent can be installed using the default installation (a simple batch file) or using a custom installation, which allows you to configure advanced settings, including the Agent registration mode and user recording policy.

For improved security, you may also be required to provide a security password when installing or uninstalling the Agent. Requiring a password to install Agents prevents the unauthorized recording of computers and the unauthorized consumption of ObserveIT licenses. By also requesting a password on uninstallation of an Agent, unauthorized removal of a computer from ObserveIT's list of recorded machines is prevented.

No reboot is required after installation. Optionally, a system tray icon can be configured to be displayed on the machine when the Agent is running.

6.4 Unix/Linux Agent Installation

The Unix/Linux Agent installer is a self-extracting file which includes the package and the installation program. All Unix/Linux Agent installation files are centrally located. The Agent installation procedure is the same for all Unix/Linux platforms; a single installation script can be used for every supported platform. For example:

./observeit-agent-ubuntu precise run -- -i -s

For improved security, you may also be required to provide a security password when installing or uninstalling the Agent.

The installation script can be run in interactive or silent mode:
- Interactive mode: The installation program prompts you to enter the installation parameters that are required to configure the Agent. Prompts are triggered if the user does not specify the name of the Application Server or if registration to the Application Server fails.
- Silent mode: The installation program does not prompt for any configuration options during the installation process.

The following example shows an ObserveIT interactive installation on a Linux Agent, and the Linux directory structure:

[Figure 30: Interactive Unix/Linux Installation]

7 Key Configuration Settings

7.1 Console Users (ObserveIT Administrator Users)

The following permission levels can be defined for user accounts with access to the Web Console:
- Admin: This role grants the highest permissions and allows administrators to make configuration changes, view user activity logs and play back all recorded session videos.
- View-Only Admin: This role allows administrators to view session recordings but not access any ObserveIT configuration options.
- Config Admin: This role maintains user privacy by allowing administrative access to most configuration options in the Web Console but prevents the viewing of any user activity logs or screen recordings.

Different levels of access can be defined for specific users or user groups. Console users can be granted permissions to view recorded sessions on one or more servers (on which the ObserveIT Agent is installed), server groups, individual users (domain\user), or Active Directory groups. These permissions are given to users based on their defined role.

Permissions can also be assigned to Active Directory groups to view and access session data on specific servers or server groups. When configured, only session data that applies to the Active Directory group will be available.

[Figure 31: Console User Configuration]

7.2 Server Configuration Policies

Server Policies are sets of configuration options that control aspects of how the monitored server is configured. By using Server Policies, the administrator can configure one set of recording settings and apply these settings to many monitored servers simultaneously. Policy settings include:
- Enabling Agent Recording
- Enabling Identity Theft Detection
- Enabling Agent API
- Showing/Hiding the Agent Tray Icon
- Restricting Recording to RDP Sessions
- Enabling Hotkeys
- Enabling Key Logging
- Enabling In-App Elements Detection
- Enabling Entire Screen Capture
- Optimizing Screen Capture Data Size
- Enabling Recording Notification
- Recording in Color or Grayscale
- Setting Session Timeout
- Setting Keyboard Stroke Recording Frequency
- Setting Continuous Recording
- Data Recording Policy
- Offline Recording Policy
- Data Loss Detection Policy
- Identification Policy (Secondary User Identification/PIM)
- User Recording Policy
- Application Recording Policy
- Non-Interactive Programs Recording Policy
- Agent Logging and Debugging
- Memory Management

[Figure 32: Server Policies]

7.3 SMTP, LDAP, Active Directory

SMTP configuration enables ObserveIT to send email messages and scheduled reports to Console Users.

[Figure 33: SMTP Configuration]

LDAP integration is commonly used for secondary user authentication.

[Figure 34: LDAP Configuration]

If, during installation, the server that hosts the ObserveIT Application Server component is a member of an Active Directory domain, the Active Directory connector is created automatically. If the server is not a member of a domain during installation but is made a member later, the connector can still be created.

8 Security Infrastructure

ObserveIT is a highly secure, enterprise-class platform designed for full reliability and non-repudiation.

8.1 Windows Agent

The Windows Agent is protected by a multi-layered watchdog mechanism that continuously monitors the recording Agent. In the event that the Agent process is unexpectedly stopped, the watchdog immediately restarts it and reports the incident to the Application Server. If so configured, the event will also be reported to a SIEM system and/or an email address.

ObserveIT detects any Agent files or offline data that have been tampered with or have incurred data loss, and generates events which can be viewed in the Web Console and Administrator Dashboard. These events can also be sent to an email address and/or to an integrated SIEM system.

8.2 Unix/Linux Agent

The ObserveIT watchdog mechanism also continuously monitors the Unix/Linux Agent. The Unix/Linux Agent hooks to the terminal device and to the user shell. Thus, if there is any attempt to stop/kill the Agent logger process, the watchdog will immediately report the incident and terminate the shell process. Tampering with Unix/Linux Agent files or offline data also generates events which can be viewed in the Web Console and Administrator Dashboard.

8.3 Data Security in Transit

Communication between ObserveIT components is handled over the HTTP protocol. SSL is fully supported (as an optional feature) in order to encrypt all communication between the different components. If required, an IPSec tunnel can also be used to protect the Agent-to-Server traffic.

[Figure 35: HTTPS and IPSec Security]

8.4 Data Security at Rest

Data that is stored in MS SQL Server automatically inherits all the data protection mechanisms already in place for corporate databases. Additionally, ObserveIT will encrypt all screen recordings when the Image Security option is enabled. In this situation, the ObserveIT Agents and Application Server use a token exchange mechanism to encrypt all session data.

The recordings are digitally signed by the Application Server when stored in the database. When ObserveIT detects any tampering with a session's data (for example, if a DBA deleted an incriminating screenshot from within the session recording), a warning indicator appears for that session in the Web Console:

[Figure 36: Data Integrity Warning Indicator]

For privacy, all screen capture data (whether stored in an SQL database or in the file system) can be encrypted with a symmetric Rijndael 256-bit key. To further protect this key, the key itself can be encrypted with an asymmetric 1024-bit X.509 certificate (RSA encryption key). This encryption is also inherited by any sessions exported for offline viewing.

ObserveIT Agents are FIPS (Federal Information Processing Standards) compliant. Both Windows and Unix/Linux Agents comply with the FIPS security standard and can be deployed on any supported FIPS-enabled machine. The Transport Layer Security (TLS) encryption protocol is used to secure traffic between the ObserveIT Agents and the ObserveIT Application Server.

8.5 Installation Security

The ObserveIT administrator can protect against improper or unauthorized Agent installation by requiring the person installing or uninstalling any Agent to provide a security password, which is registered on the Application Server. Requiring a password to install Agents prevents the unauthorized recording of computers and the unauthorized consumption of ObserveIT licenses. By also enforcing a password on uninstallation of an Agent, the unauthorized removal of a computer from ObserveIT's list of recorded machines is prevented.

The main ObserveIT Administrator Dashboard and mini Administrator Dashboard display the number of Agents that were recently installed and uninstalled. In addition, if configured, email notifications can report successful or failed installation/uninstallation events due to security password enforcement.
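An added example (not ObserveIT's implementation) of the tamper detection described in Data Security at Rest above: the Application Server signs a manifest of the screenshots it stores, and a later deletion, alteration or reordering of a screenshot makes replay show the warning indicator instead of OK. The HMAC-based signature, its key and the sample frames are assumptions; the AES/RSA encryption of the images themselves is not shown.

```python
"""Tamper detection for a stored session recording.

Added illustration, not ObserveIT code. Only the signing/verification side
of section 8.4 is shown; the signing key and the sample screenshots below
are constructed.
"""
import hashlib
import hmac
import json

# Constructed stand-in for the Application Server's signing key. A deployment
# keeps such a key outside the database that a DBA can reach, otherwise the
# person deleting a screenshot could re-sign the manifest as well.
SERVER_SIGNING_KEY = b"constructed-application-server-signing-key"


def frame_digest(frame_bytes):
    """SHA-256 of one screenshot's bytes."""
    return hashlib.sha256(frame_bytes).hexdigest()


def _sign(body, key):
    """HMAC over the canonical JSON form of the manifest body."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_session(session_id, frames, key=SERVER_SIGNING_KEY):
    """Build a signed manifest: the ordered screenshot digests and the frame
    count, bound together by one signature at storage time."""
    body = {"session_id": session_id,
            "frame_count": len(frames),
            "digests": [frame_digest(f) for f in frames]}
    return dict(body, signature=_sign(body, key))


def verify_session(manifest, frames, key=SERVER_SIGNING_KEY):
    """Compare the screenshots now in storage against the signed manifest.

    Returns a list of findings; an empty list means the session is intact."""
    findings = []
    body = {k: v for k, v in manifest.items() if k != "signature"}
    if not hmac.compare_digest(_sign(body, key), manifest.get("signature", "")):
        findings.append("manifest signature invalid")
        return findings          # nothing in the manifest can be trusted now
    signed = manifest["digests"]
    current = [frame_digest(f) for f in frames]
    for index, digest in enumerate(signed):
        if digest not in current:
            findings.append("screenshot %d missing or altered" % index)
    if any(digest not in signed for digest in current):
        findings.append("unsigned screenshot present")
    # Frames that survive must still appear in their signed order.
    kept = [d for d in current if d in signed]
    if kept != [d for d in signed if d in current]:
        findings.append("screenshot order changed")
    return findings


def session_status(manifest, frames, key=SERVER_SIGNING_KEY):
    """What the console would show at replay: OK or the integrity warning."""
    findings = verify_session(manifest, frames, key)
    if not findings:
        return "OK"
    return "Data integrity warning: " + "; ".join(findings)


# Constructed sample session of four screenshots, signed at storage time.
SAMPLE_FRAMES = [b"screenshot-0 login", b"screenshot-1 open query tool",
                 b"screenshot-2 query window", b"screenshot-3 logout"]
SAMPLE_MANIFEST = sign_session("session-42", SAMPLE_FRAMES)


def tampered_frames():
    """Sample tampering: the third screenshot was deleted from storage."""
    return SAMPLE_FRAMES[:2] + SAMPLE_FRAMES[3:]


if __name__ == "__main__":
    print(session_status(SAMPLE_MANIFEST, SAMPLE_FRAMES))
    print(session_status(SAMPLE_MANIFEST, tampered_frames()))
```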

8.6 System Health Monitoring

ObserveIT provides comprehensive monitoring of all system components, providing administrators with a high-level system health overview, along with drill-down capabilities to quickly investigate any issues. An Administrative Dashboard presents administrators with an overview of the most important system components and any issues requiring attention, such as communication faults, data loss, dwindling disk space or Agent tampering. Most Dashboard elements can be clicked to drill down into the details of that element.

[Figure 37: Administrator Dashboard]

You can easily drill down from the Dashboard to the affected entity, and then directly to the individual events that led to a particular incident. Additionally, the status of the most important elements is highlighted in a mini Admin Dashboard that appears at the top of every ObserveIT page, providing immediate drill-down to more details:

[Figure 38: Mini Admin Dashboard]

Email alerts can be configured to inform administrators of critical issues in real time. Links in the email lead directly to the ObserveIT Web Console for further information or investigation. The following types of system events are covered by the Dashboard; they can be included in email alerts and they can be integrated with a third-party SIEM system via simple integration:
- Agent or service killed or stopped
- Agent went offline, lost data or experienced communication problems
- Agent tampered with
- Agents installed and uninstalled
- Application Server went offline

8.7 Configuration Change Auditing

ObserveIT provides detailed auditing reports that show critical configuration changes that were made while working in the Web Console. For example, if an Agent's recording was turned off or changes were made in a Server Policy configuration, you can track exactly who did this and when it happened. These reports are valuable for security auditing and change management.

[Figure 39: Auditing Web Console Changes]

8.8 User Privacy Protection

ObserveIT provides the following options for protecting user privacy:

- Granular access rights: ObserveIT users' access can be restricted so that they are assigned permissions to view sessions only of particular servers, server groups, individual users, or Active Directory groups. Permissions are reflected in session recordings throughout the Web Console. For example, the Database group manager can view sessions by DBAs on any computer, plus any user session that took place on the database server. This ensures relevant access by authorized users while blocking inappropriate access by users without a valid reason. These rules extend to all user activity logs, reports and video replay. Granular access rights also apply in the User Risk Dashboard, where security analysts are allowed to view and monitor only the risky users and data to which they have been assigned permissions.
- Start video recording upon alert: The Start video recording action in the Alert/Policy Rule protects user privacy by allowing the recording of metadata only, and adding video as further evidence of the user actions only when a specific alert is triggered.
- Dual Password Protection for Playback (4-Eyes Protection): ObserveIT allows you to specify a second password (not managed by the ObserveIT administrator) that is required in order to replay the video of a user session. This ensures both audit completeness and employee privacy. In typical situations, IT management (via an ObserveIT administrator) holds the main ObserveIT password, and legal counsel or a union representative holds the second password. This satisfies stringent privacy protection regulations, including BDSG (Germany), CNIL (France), DPD 95/46/EC (EU), and the Human Rights Act (UK). Granular deployment allows textual audit logs to be accessed by compliance officers (without the second password), whereas video replay requires legal counsel authorization (both passwords).
- ObserveIT self-auditing: ObserveIT audits itself, capturing logs and videos of every ObserveIT user who views recorded sessions.
- Recording Policy options: ObserveIT lets you decide which users/user groups to record, which applications not to record (for example, Facebook) and the recording level (for example, metadata only with no video).

9 Data Management

9.1 Database Structure

By default, ObserveIT uses the following databases, which are created during installation:

- ObserveIT: Stores all the user activity configuration data and textual audit metadata captured by the ObserveIT Agents.
- ObserveIT_Analytics: Stores the data that is displayed in the Insider Threat Intelligence Dashboard. This includes alert statistics and users' score data over time, aggregated by users, applications and alert types. It also stores user profile information, such as job title, photo, department, region, email address and more.
- ObserveIT Data: By default stores all the screenshot images captured by ObserveIT Agents. Screenshot images can also be stored in the file system.
- ObserveIT_Archive_1: The archive storage database stores both the archived user-activity metadata and screenshot images (unless file-system storage is configured).
- ObserveIT_Archive_template: Used for backup and restore when creating a new archive database.

9.2 Database Storage

All data stored in SQL databases can use the backup solutions built into MS SQL Server or third-party database backup solutions. The SQL Server database is used to store user activity configuration data, user analytics data, textual audit metadata and possibly (unless the file system is used) the screenshots captured by the ObserveIT Agents for video replay.

To prevent data loss as the database becomes full, ObserveIT allows you to configure additional storage space. You can configure a threshold specifying the maximum disk space that is allocated for the database. A system event is generated when the database storage threshold (%) reaches its configured limit, alerting you to configure additional storage space by updating the specified threshold or by running the archive process.

9.3 File System Storage

Visual screenshots represent the largest portion of ObserveIT's data storage needs. For large-scale deployments, and to prevent SQL Server database performance issues, you can configure the video replay screenshots for file-system storage instead of the SQL database, either on the local hard drive of the ObserveIT Application Server or on a file share in the network. When using file-system storage, the SQL Server database must still be maintained in order to store the textual metadata and the ObserveIT configuration data. ObserveIT automatically manages the directory where you specify that screenshot data should be stored, including an auto-generated and archived subdirectory tree per date and per session.

9.4 Metadata Storage

ObserveIT also records important information about what is seen on the screen, which applications are currently used, what actions the user has performed, the date and time of the action and more. This "metadata" is stored in ObserveIT's database on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout all recorded sessions and to provide a textual breakdown of each user session. Recorded metadata is a very important aspect of the auditing experience and capabilities.

9.5 Archiving

ObserveIT has built-in database archiving capabilities to move data from the main ObserveIT database to a secondary database. Storing obsolete and irrelevant data online reduces the overall performance of a database server. By archiving data, you can decrease disk space usage and reduce the maintenance required, for example, in defragmentation, backup and restore procedures. From a performance point of view, if a production database or file system storage holds obsolete data that is never or rarely used, query execution can be time-consuming because queries also scan the obsolete data. To improve query performance, you should move obsolete data from the production database to a separate archive database. Archiving can also be performed on file systems that are used for storing screen capture data. Archiving jobs can be launched manually or scheduled for automatic periodic archive rotation.

Figure 40 Archiving

The archive process moves the image (screen capture) data but keeps the user activity log data for search purposes. This ensures that the data that consumes the most storage is moved, while maintaining the searchability of user activity log information. Video replay can be launched directly from an archived session.

10 Integrating ObserveIT Data into Third-Party SIEM Systems

ObserveIT's user activity data can be integrated with third-party SIEM monitoring systems (such as Microsoft System Center Operations Manager, IBM QRadar, HP ArcSight, Splunk, and McAfee SIEM/ELM) in order to enhance real-time alerting and reporting capabilities. The ObserveIT log data can be integrated with SIEM systems by providing the data in database API format, or by exporting ObserveIT monitor log files that can be imported into an organization's existing SIEM system.

The following types of ObserveIT log data can be exported to SIEM systems:

- User Activity
- DBA Activity
- Session Activity
- Alerts
- System Events
- In-App Elements
- Audit Sessions
- Audit Logins
- Audit Configuration

10.1 SIEM System Integration Using Database API

Providing log data via ObserveIT's database API enables SIEM systems and other third-party monitoring software to programmatically integrate with ObserveIT in order to receive session data and recordings. When using the API, access is provided to log data stored in ObserveIT's database tables. Thus, third-party systems can retrieve the exposed data directly from ObserveIT's database.

ObserveIT's API provides log data using views. Users with role_api read permissions can access the API_OIT views. The ObserveIT database API provides the following views for each of the log file data types:

- API_OIT_User_Activity: Contains data about user activities on monitored servers, including captured screenshots and user activity log data (details about applications, registry settings, and files that the user accessed).
- API_OIT_Session_Activity: Contains data about sessions that occurred on monitored servers.
- API_OIT_DBA_Activity: Contains data about SQL database queries that were performed during sessions.
- API_OIT_Alert_Activity: Contains data about activity alerts that were generated when suspicious login events or user activity occurred during a session. Alert rules define the conditions under which an alert is triggered.
- API_OIT_System_Events: Contains data about events that were triggered by the system (for example, when a user logs in, or during the health check monitoring of the Agent, Notification Service, Application Server or Web Console). Events are defined by their severity, source (for example, Notification Service) and category (Login, Health Check).
- API_OIT_InApp_Elements: Contains data about specific elements (In-App Elements) within desktop and web-based applications that were marked for tracking risky user behavior.
- API_OIT_Audit_Session: Contains data about all the sessions that were replayed by the user.
- API_OIT_Audit_Logins: Contains data about all successful and failed logins to the Web Console.
- API_OIT_Audit_Configuration: Contains data about configuration changes that were made while working in the Web Console (for example, when a server is unregistered or when changes were made in a server policy configuration).

10.2 SIEM System Integration Using Monitor Log Data

ObserveIT Monitor Log data can be easily integrated into an organization's existing SIEM system. Integration with HP ArcSight SIEM enables the export of ObserveIT log data in ArcSight Common Event Format (CEF). All log files from ObserveIT user activities, DBA activity, activity alerts, system events, In-App Element data, user logins, and audit sessions, logins, and configurations can be exported and integrated into the SIEM monitoring software at timed intervals. The SIEM integration parses the ObserveIT log files and creates events, triggers, and alerts based on text strings that appear inside the log file. Integrated log data can be viewed, and videos of recorded sessions can be replayed, directly from within the external SIEM dashboard or report environment.

This screenshot shows how ObserveIT user activity and alert data is incorporated within the HP ArcSight SIEM monitoring software.

Figure 41 ObserveIT User Activity and Alerts SIEM Integration

User Activity Log Integration

Most SIEM platforms use a data collector mechanism for importing log data, and ObserveIT's user activity logs fit this model well. Any SIEM can access ObserveIT user activity logs via real-time log file polling. This method uses direct access to the data source without the need to go through a Web service or API-call layer.

Figure 42 Real-Time Log File Polling Data Collector Schematic (the poller of your SIEM / log management application reads the ObserveIT Application Server's real-time metadata log file directly, with no Application Server interaction, polling every x seconds; a field mapper writes the latest deltas from each polling result into your database)

ObserveIT user activity logs can be written to a real-time log file by enabling this within the Integrated SIEM configuration settings. The log file can then be integrated into any SIEM system, including native integration such as the HP ArcSight CEF file format.

Figure 43 Enabling Real-Time Logs
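The two mechanisms described in 10.2 and in this subsection, CEF-formatted log lines and a poller that picks up only the latest deltas from the real-time log file, are shown together in the following added example. This is not ObserveIT's or ArcSight's code: the sample log lines are constructed, the vendor/product values and extension key names in them are assumptions, and the poller keeps its own byte offset rather than using any ObserveIT or SIEM component. It parses the seven pipe-delimited CEF header fields (honouring the `\|` and `\\` escapes) and the key=value extension (honouring `\=`, `\\`, `\n`, `\r`), and it defers a half-written trailing line to the next poll so a collector never emits a truncated event. Truncation or rotation of the log file resets the offset.

```python
"""Real-time log file polling with CEF parsing.

Added example, not ObserveIT's code. It assumes the real-time log is a text
file of ArcSight CEF lines, as described for the HP ArcSight integration; the
sample lines, vendor/product strings and extension keys are constructed.
"""
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Constructed sample lines in CEF format (field contents are assumptions).
SAMPLE_LOG = (
    "CEF:0|ObserveIT|ObserveIT|7.0|100|User Activity|3|suser=alice dhost=DB01 "
    "app=SQL Server Management Studio msg=Opened query window\n"
    "CEF:0|ObserveIT|ObserveIT|7.0|200|Activity Alert|8|suser=bob dhost=FS01 "
    "cs1Label=RuleName cs1=Mass file copy msg=Copied 1200 files to D:\\\\usb\n"
)

_HEADER_FIELDS = ["version", "device_vendor", "device_product",
                  "device_version", "signature_id", "name", "severity"]
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped '=' marks a key


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):     # escaped character: take it literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return fields, line[i:]                    # remainder is the extension


def _unescape_ext(raw: str) -> str:
    """CEF extension escapes: '\\=' '\\\\' plus '\\n' and '\\r' for line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value with spaces' into a dict."""
    result: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_ext(ext[m.end():end]).strip()
    return result


def parse_cef(line: str) -> Dict[str, str]:
    """Turn one CEF line into a flat event dict (header fields + extension keys)."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    event = dict(zip(_HEADER_FIELDS, fields))
    event["version"] = event["version"][len("CEF:"):]
    event.update(_parse_extension(ext))
    return event


def poll_new_lines(path: str, offset: int) -> Tuple[List[str], int]:
    """Return complete lines appended since `offset`, plus the new offset."""
    if os.path.getsize(path) < offset:         # file truncated or rotated: start over
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    last_nl = data.rfind(b"\n")
    if last_nl < 0:                            # only a partial line so far: wait
        return [], offset
    chunk = data[: last_nl + 1]
    return chunk.decode("utf-8", errors="replace").splitlines(), offset + len(chunk)


def collect_once(path: str, offset: int) -> Tuple[List[Dict[str, str]], int]:
    """One poll cycle: read the delta and parse every complete line."""
    lines, new_offset = poll_new_lines(path, offset)
    return [parse_cef(ln) for ln in lines if ln.strip()], new_offset


def demo() -> Tuple[List[Dict[str, str]], List[Dict[str, str]], List[Dict[str, str]]]:
    """Three poll cycles against a constructed log file (writes a temp file)."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False, newline="\n") as f:
        f.write(SAMPLE_LOG)
        path = f.name
    first, off = collect_once(path, 0)
    with open(path, "a", newline="\n") as f:   # a writer mid-line: nothing should be emitted
        f.write("CEF:0|ObserveIT|ObserveIT|7.0|300|System Event|5|msg=Agent")
    second, off = collect_once(path, off)
    with open(path, "a", newline="\n") as f:   # line completed: now it is picked up
        f.write(" went offline dhost=WEB02\n")
    third, off = collect_once(path, off)
    os.unlink(path)
    return first, second, third


if __name__ == "__main__":
    for batch in demo():
        for ev in batch:
            print(ev["signature_id"], ev["name"], ev.get("suser"), ev.get("dhost"), ev.get("msg"))
```

The offset returned by `collect_once` is the only state a collector has to persist between polls; storing it next to the file's inode or creation time lets the collector also notice rotation, which this example approximates by restarting when the file shrinks.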

Video Replay Integration

Unlike the user activity log data, the video replay data is typically kept within the ObserveIT environment, enabling enhanced custom playback functionality and reducing the amount of data that would otherwise be continuously added to the SIEM.

Figure 44 Video Replay Integration Schematic (your custom application calls the ObserveIT Web Console over HTTP port 4884, which serves a Video Player HTML wrapper backed by the video database; single sign-on: the custom app uses the uid/pwd of the ObserveIT Web Console; passwords are not transferred: token-based authentication with TTL limits)

The video replay is available as a single HTTP target even if the ObserveIT database is federated across multiple local installations. The custom application does not need to be aware of the actual video storage location.

Figure 45 Video Replay Integration with Federated Databases (your custom application calls a single URL on the centralized ObserveIT Web Console over HTTP port 4884 for on-the-fly video replay; the centralized console holds configuration data for itself and for each local ObserveIT deployment, shown as OIT Local Install 1, 2 and 3, each with its own video database; single sign-on: the custom app uses the uid/pwd of the centralized console; passwords are not transferred: token-based authentication with TTL limits; the same SSO / password / token / TTL process is used for communication with each local install)
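The property that Figures 44 and 45 call out, that the custom application never forwards the console password and instead presents a token with a TTL limit, is illustrated by the following added example. It is not ObserveIT's token format or code: the HMAC-SHA256 signing scheme, the claim names, the shared secret and the replay URL path are all assumptions chosen to show the design; only the console port 4884 comes from the page. The console, having authenticated the user with uid/pwd, mints a token bound to one user, one session and an expiry; the replay endpoint verifies the signature before it trusts any claim, then checks expiry and the session binding.

```python
"""Time-limited, signed replay token.

Added illustration of "passwords are not transferred; token-based
authentication with TTL limits". Not ObserveIT's actual scheme: signing
method, claim names, URL path and secret are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_replay_token(secret: bytes, user: str, session_id: str,
                       ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a token for one user, one recorded session and a limited lifetime.

    The console signs the claims with a secret shared with the replay endpoint;
    the custom application only ever carries the token, never the password.
    """
    now = time.time() if now is None else now
    claims = {
        "sub": user,                     # who may replay
        "sid": session_id,               # which recorded session
        "exp": int(now + ttl_seconds),   # TTL limit as absolute epoch seconds
        "nonce": secrets.token_hex(8),   # makes every issued token distinct
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_replay_token(secret: bytes, token: str, session_id: str,
                        now: Optional[float] = None) -> Tuple[bool, str]:
    """Signature first (constant-time compare), then expiry, then session binding."""
    now = time.time() if now is None else now
    try:
        body, sig_text = token.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return False, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False, "malformed token"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if claims.get("sid") != session_id:
        return False, "session mismatch"
    return True, "ok"


def replay_url(console_host: str, session_id: str, token: str) -> str:
    """Single replay target; the path is a placeholder, port 4884 is from the page."""
    return (f"http://{console_host}:4884/REPLAY_PATH_PLACEHOLDER"
            f"?session={session_id}&token={token}")


if __name__ == "__main__":
    shared = secrets.token_bytes(32)                  # provisioned out of band
    tok = issue_replay_token(shared, "alice", "S-42", ttl_seconds=300)
    print(replay_url("console.example", "S-42", tok))   # placeholder host
    print(verify_replay_token(shared, tok, "S-42"))
```

Checking the signature before decoding the claims matters: a forged or truncated body is rejected without ever being parsed, and `hmac.compare_digest` keeps the comparison constant-time. Binding the token to a session id means a token minted for one replay cannot be reused to fetch a different recording, and the short `exp` bounds the damage if a URL with a token leaks through a browser history or proxy log.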

11 Integrating ObserveIT Data into Network Management (Alerting) Systems

The same data integration described above for SIEM integration can be used to implement a custom alerting method within any common Network Management Platform.

12 Integrating ObserveIT with a Service Desk System

The integration of ObserveIT's user activity monitoring solution with an IT Service Desk system provides additional layers of security and monitoring to your organization. The main benefits of service desk system integration are:

1. You can require specific administrators and/or remote vendors to enter a valid ticket number from the service desk system before being able to log in to specific servers. By linking every login to a particular ticket, unnecessary and unauthorized logins are reduced and segregation of duties is better enforced.

2. Once a ticket number is provided as part of the server login process, ObserveIT automatically augments the ticket data with key details about the login session that are only available to ObserveIT. For example, the ticket will include the actual user name used to access the server (based on a secondary identification login that goes beyond generic system admin accounts), the particular server that was accessed, and the exact date/time that the session occurred.

3. The ticket record will include a direct link to the video recording of the particular session in which the administrator or remote vendor addressed the ticket. This provides the unique ability to visually review exactly how the user addressed the ticket. Linking a video recording of their actions to the ticket itself allows faster and easier auditing of the exact actions performed by administrators and remote vendors.

When an administrator or remote vendor attempts to log in to a monitored server, a message is displayed requesting the user to enter a valid ticket number from the service desk system in order to log on to the server.

Figure 46 Ticket Window
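The three benefits listed above, as an added example that is not ObserveIT's code and not any service desk product's API: a login gate that accepts a ticket number only when the ticket exists, is open, is assigned to the named individual logging in, and covers the server being accessed, followed by a write-back of the session facts and a replay link to the ticket. The `Ticket` fields, the sample records, the hostname and the replay URL path are assumptions; port 4884 is the console port named earlier on the page.

```python
"""Ticket-gated server login with ticket augmentation.

Added illustration of the service desk integration; not ObserveIT's code.
Ticket structure, sample records, replay URL path and hostname are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class Ticket:
    ticket_id: str
    status: str                 # "open" or "closed"
    assignee: str               # named individual, not a shared admin account
    servers: List[str]          # servers this ticket authorises work on
    notes: List[str] = field(default_factory=list)


def sample_tickets() -> Dict[str, Ticket]:
    """Constructed service desk records for the example."""
    return {
        "INC-1001": Ticket("INC-1001", "open", "alice", ["DB01"]),
        "INC-1002": Ticket("INC-1002", "closed", "alice", ["DB01"]),
        "INC-1003": Ticket("INC-1003", "open", "vendor-bob", ["WEB02"]),
    }


def authorize_login(tickets: Dict[str, Ticket], ticket_id: str,
                    user: str, server: str) -> Tuple[bool, str]:
    """Benefit 1: refuse the login unless the ticket justifies this user on this server.

    Each refusal reason is distinct so the denial can be logged and reviewed.
    """
    ticket = tickets.get(ticket_id)
    if ticket is None:
        return False, "unknown ticket"
    if ticket.status != "open":
        return False, "ticket is not open"
    if ticket.assignee != user:
        return False, "ticket assigned to a different user"
    if server not in ticket.servers:
        return False, "server not within ticket scope"
    return True, "ok"


def augment_ticket(ticket: Ticket, user: str, server: str, session_id: str,
                   started_at: datetime, console_host: str) -> str:
    """Benefits 2 and 3: record who, where and when, plus the video replay link."""
    link = f"http://{console_host}:4884/REPLAY_PATH_PLACEHOLDER?session={session_id}"
    note = (f"ObserveIT session {session_id}: {user} logged in to {server} "
            f"at {started_at.isoformat()}; video replay: {link}")
    ticket.notes.append(note)
    return note


def handle_login(tickets: Dict[str, Ticket], ticket_id: str, user: str, server: str,
                 session_id: str, started_at: datetime, console_host: str) -> Tuple[bool, str]:
    """Gate first; only an authorised login gets written back to the ticket."""
    ok, reason = authorize_login(tickets, ticket_id, user, server)
    if not ok:
        return False, reason
    return True, augment_ticket(tickets[ticket_id], user, server,
                                session_id, started_at, console_host)


def demo() -> Dict[str, object]:
    """Run the gate against the constructed tickets; returns every outcome."""
    tickets = sample_tickets()
    when = datetime(2016, 5, 1, 9, 30, tzinfo=timezone.utc)   # constructed timestamp
    host = "console.example"                                   # placeholder hostname
    return {
        "valid": handle_login(tickets, "INC-1001", "alice", "DB01", "S-7", when, host),
        "closed": handle_login(tickets, "INC-1002", "alice", "DB01", "S-8", when, host),
        "wrong_user": handle_login(tickets, "INC-1003", "alice", "WEB02", "S-9", when, host),
        "wrong_server": handle_login(tickets, "INC-1003", "vendor-bob", "DB01", "S-10", when, host),
        "unknown": handle_login(tickets, "INC-9999", "alice", "DB01", "S-11", when, host),
        "notes": tickets["INC-1001"].notes,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The assignee check is what gives the ticket link its audit value: it compares against the secondary identification login, so a shared administrator account cannot satisfy a ticket assigned to a specific person, and the note written back carries that individual's name rather than the generic account.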


More information

Security in Bomgar Remote Support

Security in Bomgar Remote Support Security in Bomgar Remote Support 2018 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property of their

More information

Table of Contents HOL-SDC-1415

Table of Contents HOL-SDC-1415 Table of Contents Lab Overview - - IT Outcomes Security Controls Native to Infrastructure. 2 Lab Guidance... 3 Module 1 - Policy-Based Compliance... 5 Introduction... 6 Manage vcenter Server Virtual Machines...

More information

McAfee Skyhigh Security Cloud for Amazon Web Services

McAfee Skyhigh Security Cloud for Amazon Web Services McAfee Skyhigh Security Cloud for Amazon Web Services McAfee Skyhigh Security Cloud for Amazon Web Services (AWS) is a comprehensive monitoring, auditing, and remediation solution for your AWS environment

More information

Oracle Enterprise Manager 12c Sybase ASE Database Plug-in

Oracle Enterprise Manager 12c Sybase ASE Database Plug-in Oracle Enterprise Manager 12c Sybase ASE Database Plug-in May 2015 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only,

More information

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer

Netwrix Auditor. Visibility platform for user behavior analysis and risk mitigation. Mason Takacs Systems Engineer Netwrix Auditor Visibility platform for user behavior analysis and risk mitigation Mason Takacs Systems Engineer Agenda Product Overview Product Demonstration Q&A About Netwrix Auditor Netwrix Auditor

More information

Mapping BeyondTrust Solutions to

Mapping BeyondTrust Solutions to TECH BRIEF Taking a Preventive Care Approach to Healthcare IT Security Table of Contents Table of Contents... 2 Taking a Preventive Care Approach to Healthcare IT Security... 3 Improvements to be Made

More information

Ekran System v.6.3 Help File

Ekran System v.6.3 Help File Ekran System v.6.3 Help File Table of Contents About... 17 System Requirements... 18 Program Structure... 21 Getting Started... 23 Deployment Process... 23 Working with Application... 24 Server and Database...

More information

Netwrix Auditor Competitive Checklist

Netwrix Auditor Competitive Checklist Netwrix Auditor Competitive Checklist DATA COLLECTION AND STORAGE Non-intrusive architecture Operates without agents so it never degrades system performance or causes downtime. Certified collection of

More information

McAfee Endpoint Threat Defense and Response Family

McAfee Endpoint Threat Defense and Response Family Defense and Family Detect zero-day malware, secure patient-zero, and combat advanced attacks The escalating sophistication of cyberthreats requires a new generation of protection for endpoints. Advancing

More information

HySecure Quick Start Guide. HySecure 5.0

HySecure Quick Start Guide. HySecure 5.0 HySecure Quick Start Guide HySecure 5.0 Last Updated: 25 May 2017 2012-2017 Propalms Technologies Private Limited. All rights reserved. The information contained in this document represents the current

More information

Understand & Prepare for EU GDPR Requirements

Understand & Prepare for EU GDPR Requirements Understand & Prepare for EU GDPR Requirements The information landscape has changed significantly since the European Union (EU) introduced its Data Protection Directive in 1995 1 aimed at protecting the

More information

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors Protecting Against Modern Attacks Protection Against Modern Attack Vectors CYBER SECURITY IS A CEO ISSUE. - M C K I N S E Y $4.0M 81% >300K 87% is the average cost of a data breach per incident. of breaches

More information

Ekran System System Requirements and Performance Numbers

Ekran System System Requirements and Performance Numbers Ekran System System Requirements and Performance Numbers Table of Contents System Requirements... 3 Performance Numbers... 6 Database Statistics... 8 2 System Requirements Ekran System claims different

More information

VMware vfabric Data Director 2.5 EVALUATION GUIDE

VMware vfabric Data Director 2.5 EVALUATION GUIDE VMware vfabric Data Director 2.5 EVALUATION GUIDE Introduction... 2 Pre- requisites for completing the basic and advanced scenarios... 3 Basic Scenarios... 4 Install Data Director using Express Install...

More information

Microsoft SQL Server Fix Pack 15. Reference IBM

Microsoft SQL Server Fix Pack 15. Reference IBM Microsoft SQL Server 6.3.1 Fix Pack 15 Reference IBM Microsoft SQL Server 6.3.1 Fix Pack 15 Reference IBM Note Before using this information and the product it supports, read the information in Notices

More information

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide

The Balabit s Privileged Session Management 5 F5 Azure Reference Guide The Balabit s Privileged Session Management 5 F5 Azure Reference Guide March 12, 2018 Abstract Administrator Guide for Balabit s Privileged Session Management (PSM) Copyright 1996-2018 Balabit, a One Identity

More information

On-Premises v7.x Installation Guide

On-Premises v7.x Installation Guide On-Premises v7.x Installation Guide 1 Table of Contents ControlUp s On Premises Server Installation Wizard...3 ControlUp On-Premises Server s prerequisites...3 End-User License Agreement...4 Insights On-Premises

More information

ForeScout Extended Module for IBM BigFix

ForeScout Extended Module for IBM BigFix Version 1.1 Table of Contents About BigFix Integration... 4 Use Cases... 4 Additional BigFix Documentation... 4 About this Module... 4 About Support for Dual Stack Environments... 5 Concepts, Components,

More information

Google Identity Services for work

Google Identity Services for work INTRODUCING Google Identity Services for work One account. All of Google Enter your email Next Online safety made easy We all care about keeping our data safe and private. Google Identity brings a new

More information

GDPR: An Opportunity to Transform Your Security Operations

GDPR: An Opportunity to Transform Your Security Operations GDPR: An Opportunity to Transform Your Security Operations McAfee SIEM solutions improve breach detection and response Is your security operations GDPR ready? General Data Protection Regulation (GDPR)

More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Centrify Infrastructure Services

Centrify Infrastructure Services Centrify Infrastructure Services Administrator s Guide for Windows November 2017 (release 2017.2) Centrify Corporation Legal notice This document and the software described in this document are furnished

More information

McAfee Security Management Center

McAfee Security Management Center Data Sheet McAfee Security Management Center Unified management for next-generation devices Key advantages: Single pane of glass across the management lifecycle for McAfee next generation devices. Scalability

More information

Veriato Recon / 360. Version 9.0.3

Veriato Recon / 360. Version 9.0.3 Veriato Recon / 360 Version 9.0.3 1/3/2018 Upgrade Guide January 3, 2018 Table of Contents Before You Begin... 1 What's New... 1 How the System Works... 1 Upgrade Support... 6 Update Antivirus Exclusions...

More information

CITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS

CITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS CITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS Number: 1Y0-200 Passing Score: 800 Time Limit: 120 min File Version: 38.7 http://www.gratisexam.com/ CITRIX 1Y0-200 EXAM QUESTIONS & ANSWERS Exam Name: Managing

More information

ISO/IEC Controls

ISO/IEC Controls ISO/IEC 27001 Controls and Netwrix Auditor Mapping www.netwrix.com Toll-free: 888-638-9749 About ISO/IEC 27001 ISO/IEC 27001 is an international standard that provides requirements for establishing, implementing,

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

QUICK INSTALLATION GUIDE Minder 4.2

QUICK INSTALLATION GUIDE Minder 4.2 QUICK INSTALLATION GUIDE Minder 4.2 1 Minder 4.2 Contents 1. Introducing MindArray Minder... 4 1.1 Gain Visibility into Server, Application, Virtualization and Network Infrastructure... 4 1.2. Why Minder?...

More information

McAfee Application Control/ McAfee Change Control Administration

McAfee Application Control/ McAfee Change Control Administration McAfee Application Control/ McAfee Change Control Administration Education Services Administration Course The McAfee University McAfee Application Application Control/McAfee Change Control Administration

More information

Diagnostic Manager Advanced Installation Guide

Diagnostic Manager Advanced Installation Guide Diagnostic Manager Publication Date: May 03, 2017 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this software,

More information

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY Managing and Auditing Organizational Migration to the Cloud 1 TELASA SECURITY About Me Brian Greidanus bgreidan@telasasecurity.com 18+ years of security and compliance experience delivering consulting

More information

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview

Portnox CORE. On-Premise. Technology Introduction AT A GLANCE. Solution Overview Portnox CORE On-Premise Technology Introduction Portnox CORE provides a complete solution for Network Access Control (NAC) across wired, wireless, and virtual networks for enterprise managed, mobile and

More information

ControlUp v7.1 Release Notes

ControlUp v7.1 Release Notes ControlUp v7.1 Release Notes New Features and Enhancements Citrix XenApp / XenDesktop Published Applications ControlUp can now be integrated with XenDesktop to offer unprecedented real-time visibility

More information

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA

271 Waverley Oaks Rd. Telephone: Suite 206 Waltham, MA USA Contacting Leostream Leostream Corporation http://www.leostream.com 271 Waverley Oaks Rd. Telephone: +1 781 890 2019 Suite 206 Waltham, MA 02452 USA To submit an enhancement request, email features@leostream.com.

More information

McAfee epolicy Orchestrator

McAfee epolicy Orchestrator McAfee epolicy Orchestrator Centrally get, visualize, share, and act on security insights Security management requires cumbersome juggling between tools and data. This puts the adversary at an advantage

More information

CommandCenter Secure Gateway

CommandCenter Secure Gateway CommandCenter Secure Gateway Release 6.0 Raritan s CommandCenter Secure Gateway (CC-SG) provides IT administrators and lab managers with consolidated, secure and simplified remote access and control of

More information

CMB-207-1I Citrix Desktop Virtualization Fast Track

CMB-207-1I Citrix Desktop Virtualization Fast Track Page1 CMB-207-1I Citrix Desktop Virtualization Fast Track This fast-paced course covers select content from training courses CXA-206: Citrix XenApp 6.5 Administration and CXD-202: Citrix XenDesktop 5 Administration

More information

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS

Pass4sure q. Cisco Securing Cisco Networks with Sourcefire IPS Pass4sure.500-285.42q Number: 500-285 Passing Score: 800 Time Limit: 120 min File Version: 6.1 Cisco 500-285 Securing Cisco Networks with Sourcefire IPS I'm quite happy to announce that I passed 500-285

More information

Front Office for NetBackup Guide Self-service backup & restore

Front Office for NetBackup Guide Self-service backup & restore Front Office for NetBackup Guide Self-service backup & restore Last updated August 6 2014 Contents 1.0 Solution Positioning... 3 1.1 For Service Providers... 3 1.2 For Enterprises... 3 2.0 Standard Services...

More information

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045 Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that

More information