5.1 Small Deployments
5.2 Medium Deployments
5.3 Large Deployments with High-Availability
10 Integrating ObserveIT Data into Third-Party SIEM Systems
10.1 SIEM System Integration Using Native SIEM Apps
10.2 SIEM System Integration Using Database API
10.3 SIEM System Integration Using Monitor Log Data
11 Integrating ObserveIT Data into Network Management (Alerting) Systems
12 Integrating ObserveIT with a Service Desk System
13 Agent API for Process-Oriented Integration
ObserveIT provides a comprehensive solution for identifying and eliminating insider threats.
ObserveIT enables organizations to precisely identify and proactively protect against malicious and negligent
behavior by everyday users, privileged users, remote vendors, and high-risk employees. ObserveIT enables
security and risk analysts to track and monitor file activities in order to identify and alert on instances of data
exfiltration. ObserveIT significantly reduces security incidents by changing user behavior through real-time
education and deterrence, coupled with full-screen video capture of security policy violations; investigation time is
thus reduced from days of sifting through logs to minutes of playing back video. User activity profiling of risky
users enables the investigation of aggregated information about user activities in order to identify and resolve
insider threats more easily.
ObserveIT monitoring of both User Activity and File Activity is critical for detecting insider threats and data
exfiltration. File Activity Monitoring enables organizations to track and alert when files are downloaded or
exported using browsers or web-based applications, and when files are copied or moved to the default local sync
folders of cloud storage services.
ObserveIT's Insider Threat Intelligence platform increases security awareness by educating employees about
out-of-policy behavior whether malicious or negligent. Through policy notification and enforcement, users can be
educated to change their behavior. The ObserveIT User Risk Dashboard provides Security Analysts and
Investigators with an easy way to track users that have experienced any type of policy notification or
enforcement as a result of violating company policy or security rules. Every user notification message triggers an
alert that notifies security specialists about the incident and updates the user’s risk score. Preventive actions
enable security and compliance officers to stop users from breaching security or violating company policies by
forcibly logging off users from unauthorized machines and closing harmful applications.
The ObserveIT monitoring software acts like a security camera on your endpoints, monitoring and recording all
user activity on Windows and Unix/Linux servers and desktops. The system generates video recordings, user
activity logs, behavioral analytics and real-time alerts. The result is a complete solution for identifying and
managing user-based risk. Regardless of protocol or application, ObserveIT records any window session via a
terminal or console, in a compressed and searchable format. The ObserveIT software captures all activity and
generates textual audit logs, even for applications that do not produce their own internal logs. Every action that
is performed by remote vendors, developers, system administrators, and business users, connected via RDP,
SSH, Telnet, Citrix, direct console login, or any other protocol on physical and virtual machines, such as Citrix and
VMWare, is recorded by video. Video replay provides bullet-proof forensic evidence, and video content analysis
can identify all actions that were performed.
ObserveIT can help satisfy compliance requirements for PCI, SOX, HIPAA, and NISPOM.
Key Components
• Insider Threat Library: ObserveIT's extensive library of out-of-the-box alert rules covers the most common scenarios of risky user activity, with built-in policy notifications designed to increase users' security awareness and reduce overall company risk.
• File Activity Monitoring: Track and alert on files that were downloaded or exported using a browser or web-based application, from the internet or intranet. Alert if a tracked file is copied or moved to the default local sync folder of cloud storage services.
• Policy notification and enforcement: Define company policies and security regulations and enforce them by posting specific, detailed notification and blocking messages in real-time to any user violating these rules.
• Policy enforcement: Prevent malicious or unauthorized Linux commands from being executed based on flexible Prevention rules defined by customers.
• Preventive actions: Stop users from breaching security or violating company policies by forcibly logging off from unauthorized machines and closing harmful applications.
• Track changes in user behavior: Security Analysts and investigators can track users that have experienced policy notifications or enforcement as a result of violating company policy or security rules, and pinpoint users with the highest number of policy violations and users whose behavior is not improving with time.
• User Behavior Analytics and Risk Scoring: Assess the risk of every user, analyze and score user activity to identify any actions that are out of role, suspicious, or in violation of security policies.
• User Activity Profile: Access a risky user's profile in order to investigate and view aggregated information about the user's activities, such as which applications they are using, where they spend most of their time, and so on.
• Protect employee privacy: Anonymization of users in the Dashboard and Web Console protects the privacy of recorded users.
• User Activity Monitoring and Alerting: Capture all user activity, generating textual audit logs, screen recordings and alerts for risky behavior on desktops and servers.
• Efficient alert rule management: Alert rules are grouped by Categories and assigned to User Lists.
• Website Categorization: Automatically detect categories of Websites that end users are browsing, enabling alerts to be generated on browsing categories such as Gaming, Adults, Infected or Malicious Websites, Phishing Websites, and more.
• Field-Level Application Logging and Auditing: Track what is happening within on-premise and cloud apps, including those with no internal logging facilities of their own.
• Live-Session Response and Visual Forensics: Provide video replay and analysis of real-time and historic user actions, and the ability to actually stop user activity.
• Department level risk management via Active Directory Group-based permissions: Large organizations can manage the risk of their employees in departments or groups, each owned by a dedicated security team member or manager.
• Detection of potential data leaks and exfiltration when copying files, connecting USB Devices, or printing sensitive documents: Enriched metadata recording to enable the tracking of user actions such as copying/dragging files and folders, the insertion of USB-based external storage devices into a computer, or printing large documents.
• Import and export of detection rules: Enable customers to share real-time information about risky user activity and out-of-policy behavior with other departments/users and organizations.
ObserveIT allows large organizations to manage the risk of their employees in separate departments or groups,
each owned by a dedicated security team member or manager. The monitored users of each department are
configured based on Active Directory Groups/Users ensuring full segregated permissions across the product –
including all risky user data, risk summary statistics, session recordings, alerts and reports.
The following information for each user at risk helps you prioritize which users to investigate first:
• General information about the user such as title, department and personal photo.
• Risk score color-coded by risk level, and score change since the previous day.
• Out-of-policy notifications and behavior trends.
• Which applications and alerts contributed most to the user’s total risk score, so you can understand where the risk is coming from and take corrective action.
• A timeline of when the risky activity occurred.
Figure 1 – ObserveIT User Risk Dashboard
ObserveIT User Analytics calculates a user-centric risk score that is displayed in the dashboard to identify and
prioritize users who present the most risk to an organization. The score is an intelligent aggregation of a user’s
activity alerts during the last month. The daily risk score tracks a user’s risk day by day, allowing you to easily
identify score changes and act first on users whose risk level has recently changed. You can customize score
thresholds per risk level for both alert rules and users to control what is considered critical, high, medium, or
low risk in your organization.
2.1.3 User Activity Profile
ObserveIT enables Security Analysts to access risky users’ profiles to investigate employee or remote vendor
activity, such as:
• Where do users spend most of their time?
• Which applications do they use?
• How much time do users spend in applications?
• How much time during working hours is the user idle?
• Which computers are used to work on or to connect from?
• Which shared accounts are being used?
• Is anything abnormal about the user's behavior?
By viewing the normal behavior of a user or comparing it with the user’s peers, investigators can quickly determine if the activity that is being investigated is indeed risky.
Dynamic filtering capabilities enable you to focus your investigation on specific applications, endpoints, login accounts, and/or remote client machines. An overall view of user activity during the specified profile period is
displayed in a User Activity Over Time graph.
Figure 2 – ObserveIT User Activity Profile
2.1.4 Policy Notification and Enforcement
ObserveIT enables you to easily define your company policies and security regulations and enforce them by
posting a specific, detailed notification message in real-time to any user violating these rules. The notification
message can be triggered each time the rule is violated, or alternatively only once per user session.
Warning notification messages automatically disappear after a few seconds so there is no impact on end-user
productivity. Customers can choose to have the notification branded with their company logo, or leave it
generic. Once the notification is displayed, the user can click to view the policy/security requirements directly
from the message itself and have the option to provide a comment explaining their misbehavior or to
acknowledge the message.
Blocking messages prevent users from continuing whatever they are doing. Users are forced to review the
message, acknowledge it, and provide their comment (optionally, depending on configuration) before they can
continue with their work. The policy/security requirements are available directly from the message.
ObserveIT can prevent unauthorized Linux commands from being executed based on flexible Prevent rules that you can define. For example, if a user runs an SFTP command from a remote server with intent to bypass security controls, the command will be blocked from execution preventing remote user access to the sensitive file(s). When a Policy Enforcement rule is triggered, the end user receives the standard operating system “Permission denied” message together with an optional message configured by security administrators.
capabilities not available in any other key logging solution.
ObserveIT Key Logging enables security analysts to detect and generate alerts on:
• Sensitive keywords and commands that users typed in desktop applications, websites, and shell command tools.
• Data exfiltration attempts by users typing protected keywords in emails or chat applications, social media sites, etc.
• Commands executed in CLI tools such as Windows CMD, PowerShell, PuTTY or Mac Terminal.
ObserveIT administrators and compliance auditors can search for text entered by a user, as well as certain
application/system selections, and then jump directly to the session video recording at that exact location.
To prevent users who are authorized to access the database from viewing passwords or other sensitive data, the data captured by the ObserveIT key logger is hashed using a salted SHA-256 hash. The hashed data cannot be reversed (un-hashed). ObserveIT administrators cannot disable key logger hashing from the ObserveIT Web Console.
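As an added illustration (written here in Go; it is not ObserveIT's code), the following program shows how a key-logging store can hold only salted SHA-256 hashes and still answer searches: the query term is hashed with the same salt and compared against the stored hashes, so nothing stored ever needs to be reversed. The per-deployment salt, the whitespace tokenization and the case normalization are assumptions, not details taken from the page.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// HashedEntry is one captured token as the key-logging store holds it: the
// salted hash only, never the text that was typed.
type HashedEntry struct {
	Session string // recorded session the token belongs to
	Pos     int    // position of the token within the typed text
	Hash    string // hex SHA-256 over salt || normalized token
}

// KeyLogStore holds hashed keystroke tokens plus the salt used to hash them.
// Assumption (not stated on the page): one secret salt per deployment, held
// by the Application Server rather than stored beside the hashes, so someone
// who can read the table cannot confirm dictionary guesses offline.
type KeyLogStore struct {
	salt    []byte
	entries []HashedEntry
}

// NewSalt draws a random 16-byte salt for a new deployment.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	_, err := rand.Read(salt)
	return salt, err
}

func NewKeyLogStore(salt []byte) *KeyLogStore { return &KeyLogStore{salt: salt} }

// normalize lower-cases a token before hashing. A hashed store can only be
// matched on whole, exactly equal tokens, so any case-folding the search
// should tolerate has to happen here, before the text is hashed away.
func normalize(tok string) string { return strings.ToLower(strings.TrimSpace(tok)) }

// HashToken returns hex(SHA-256(salt || normalize(tok))).
func HashToken(salt []byte, tok string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(normalize(tok)))
	return hex.EncodeToString(h.Sum(nil))
}

// Record splits typed text on whitespace and stores one hash per token.
func (s *KeyLogStore) Record(session, typed string) {
	for i, tok := range strings.Fields(typed) {
		s.entries = append(s.entries, HashedEntry{Session: session, Pos: i, Hash: HashToken(s.salt, tok)})
	}
}

// Search hashes the query with the same salt and returns the entries whose
// stored hash is identical, which is how a search can run without the
// stored data ever being reversed.
func (s *KeyLogStore) Search(term string) []HashedEntry {
	want := HashToken(s.salt, term)
	var hits []HashedEntry
	for _, e := range s.entries {
		if e.Hash == want {
			hits = append(hits, e)
		}
	}
	return hits
}

// Entries exposes the stored rows, e.g. for a reviewer to confirm that no
// cleartext token is present in what would be written to the database.
func (s *KeyLogStore) Entries() []HashedEntry { return s.entries }

func main() {
	salt, err := NewSalt()
	if err != nil {
		panic(err)
	}
	store := NewKeyLogStore(salt)
	store.Record("sess-1", "scp customers.db backup.example.org:/tmp") // constructed typed text
	store.Record("sess-2", "Hunter2!")                                  // constructed typed password
	fmt.Println("hits for 'SCP':", store.Search("SCP"))
	fmt.Println("hits for 'rm':", store.Search("rm"))
	fmt.Println("stored rows:", store.Entries())
}
```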
The Alerts feature provides ObserveIT with a proactive, real-time detection, deterrence and prevention
mechanism. Alerts are user-defined notifications which are generated when suspicious login events or user
activity occurs during a session. When alerts are triggered, textual notifications can be displayed warning users
about potential security violations so that they can take remedial action. In some cases, users can be "denied
access" and hence prevented from continuing with their current activity.
Alerts are integrated throughout the ObserveIT Web Console (in the User Risk Dashboard, User Diary, Endpoint
Diary, Search pages, and video Session Player) and can be easily integrated into an organization’s existing SIEM
system.
The ObserveIT installation package includes an extensive library of out-of-the-box alert rules that Business users and Administrators can use to detect risky user activity and trigger alerts on Windows, Mac, or Unix/Linux machines.
Following are some examples of risky user activities that might trigger alerts:
• Logging-in locally or remotely to unauthorized endpoints by unauthorized users or from unauthorized clients
• Sending sensitive documents to a local/network printer during irregular hours
• Copying files or folders that are either sensitive or located in a sensitive location during irregular hours
• Connecting a USB storage device (or mobile phone) in order to copy sensitive information
• Using Cloud storage backup or large file-sending sites that are not allowed by company policy
• Storing passwords in files that can be easily detected by password harvesting tools
• Clicking links within emails that open Phishing websites
• Browsing contaminating websites with high potential security risk
• Browsing websites with unauthorized content (gambling, adults, etc.)
• Being non-productive by wasting time on Social Networks, Chat, Gaming, Shopping sites, and so on
• Searching the Internet for information on malicious software, such as steganography tools (for hiding text-based information within images)
• Accessing the Darknet using TOR browsers
• Performing unauthorized activities on endpoints, such as running webmail or Instant Messaging services
• Running malicious tools, such as password cracking, port scanning or hacking tools, or non-standard SETUID programs on Linux/Unix
• Hiding information and covering tracks by running secured/encrypted email clients, clearing browsing history, zipping files with passwords, or tampering with audit log files
• Attempting to gain higher user privileges (for example, via the su or sudo commands, running an application as Administrator)
• Performing copyright infringement by browsing copyright-violating websites or by running P2P tools
• A regular user changing the root password, or searching for directories with WRITE/EXECUTE permissions in preparation for an attack (on Linux/Unix)
• Performing IT sabotage by deleting local users or files in sensitive directories (on Linux/Unix)
• Creating backdoors by adding users/groups for later illegitimate use
• Installing questionable or unauthorized software such as hacking/spoofing tools on either desktops or sensitive endpoints
• Accessing sensitive administration tools or configurations, such as Registry Editor, Microsoft Management Console, PowerShell, Firewall settings, etc.
and more.
On Unix/Linux systems, you can search for users who logged in, executed specific commands (based
on command name, full path, arguments, command switches) or acted under a different user's permissions.
You can also filter searches based on specific login users, specific machines, and specific time periods. Matched
keywords are highlighted.
For accelerated search performance, it is highly recommended that you install the Microsoft SQL Server Full Text Search (FTS) utility prior to ObserveIT installation.
Figure 15 – Searching for Sessions and User Activities
The displayed search results provide the context of the activity, showing the exact location of searched
keywords (for example, in a URL, Window title, SQL statement, and so on). Where relevant, the resulting search
hit is linked directly to the portion of the video where the action occurred, making it easy to find the exact
moment that an action was performed. Within each session, you can watch the full video replay of the user
session and see exactly what took place.
2.7.1 Capture Metadata on Potential Data Leaks
ObserveIT enriches the recording of metadata by enabling the capture of user activity related to potential data
leaks. Any user attempt to move files (or folders) by copying them to the clipboard or dragging them with the
mouse is immediately captured by ObserveIT, together with the names of the files as well as their source
location and size. Thresholds can be defined to indicate a LARGE file copy based on the number of files being
copied and/or their total size. In addition, if a user connects any USB storage device (including a mobile phone),
ObserveIT immediately captures the device description (i.e., model and manufacturer) and the mapped drive
letter.
Furthermore, copying to the clipboard text from sensitive applications can now be tracked and alerted on,
providing administrators with additional detection visibility on potential data leaks.
The ObserveIT detection mechanism also captures metadata relating to user attempts to print sensitive or
confidential data. Upon a user attempt to print files or documents, ObserveIT immediately captures the titles of
the files, the printer, and the number of pages being printed, while differentiating between the printing of large
and standard size documents. This enriched metadata is fully integrated across the product, allowing customers
to detect and deter any out-of-policy behavior or risky activity of their employees with regard to file copying and
data exfiltration through USB storage devices or printing sensitive data.
Users can define alerts when sensitive files are being copied or printed, pop up a notification or blocking
message when a USB storage device is connected, generate reports, search for specific files being copied or
printed, and export the new metadata to their favorite SIEM system.
2.8 Reporting and Auditing
ObserveIT reporting can be used by novice administrators to generate reports based on preconfigured built-in
reports, or by experienced administrators and security auditors who require flexible application usage reports
and trend analysis reviews. Experienced administrators and security auditors can also create comprehensive
customized reports based on their own requirements. Reports can provide aggregated or summary information
about all monitored user activity on Windows, Mac, or Unix-based endpoints.
ObserveIT reporting capabilities significantly enhance security operations and regulatory compliance by
providing reports on alerts, websites visited, documents printed, USB storage device connections, file/folder
copying, large file/folder copying, typed key logger data, SQL queries executed against production databases,
installing and uninstalling applications, system events, user logins, and more. Captured metadata can be used to
expose potential data leaks by generating reports that show for example, when corporate or sensitive files were
copied or printed, when a user connected a USB storage device, when notification or blocking messages were
displayed to users, when large files were copied or printed, and so on.
The ObserveIT Web Console provides several ways to run reports and export user activity log data:
• The report generator includes built-in reports and customizable report rules for filtering by user/user group, endpoint/endpoint group, date, application, resources accessed, and more.
• Reports can be run ad-hoc or delivered on a schedule by email.
• Full-text Google-like searching allows pinpoint identification of user sessions.
• User activity log drill-down allows each session to be viewed item-by-item, to see which applications were run and which actions were performed during that session.
When admin users log in using a shared account (for example, administrator, root), ObserveIT can be configured
to present specific users with a secondary challenge-response, forcing them to specify their named-user account
ID. Secondary IDs can be tied to an Active Directory repository, or can be managed locally in the ObserveIT Web
Console. ObserveIT’s Secondary Identity mechanism allows you to manage and secure shared-user access
without requiring the overhead, complexity, or expense of password rotation or password vaults.
Figure 17 – Shared-User Login Triggers Secondary User Authentication
2.11 Identity Theft Detection
ObserveIT’s Identity Theft Detection module brings a new approach to preventing and discovering incidents of
stolen privileges. Today, security officers provide users with tools and education on how to protect their identity
(such as two-factor authentication, password complexity and reset rules, and so on). But once an identity is stolen,
no tool can clearly identify or track the incident, and the responsibility for detection lies entirely on the security
officer. ObserveIT enables you to include users in the detection process, and thus make users responsible for
their identities. IT identity theft incidents can be detected and neutralized much quicker when users have a
means to flag unauthorized logins.
For each monitored endpoint, ObserveIT keeps track of authorized/confirmed pairings of User IDs and client
machines. If a user logs in to an endpoint from a client that is not paired to the user, an email is sent to the user.
For example:
• A hacker steals a password and logs in from a remote machine. An email is sent to the user saying “The user ‘johnsmith’ just logged in to server WEBSRV-PROD from unauthorized IP address 11.22.33.44. Please confirm that it was you who performed this action.”
• An internal user steals an administrator’s password and logs in to a server from her own desktop, generating an email saying, “The user ‘johnsmith’ logged in to server DBPROD-4 from unauthorized desktop KATHY-DSKTP. Please confirm that it was you who performed this action.”
The user can either confirm or deny the action. In parallel, an event is logged for the administrator to track and
monitor unauthorized pairings. Granular security rules can be applied to specify how to manage each user
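An added example, written here in Go and not taken from the product, of the pairing check described above: each login is compared with the confirmed user-to-client pairings for that endpoint, an unpaired login produces the confirmation request sent to the user and a pending event for the administrator, and the user's confirm or deny answer is recorded. How the first pairings are seeded and what happens after a denial are assumptions, as are the event strings.

```go
package main

import "fmt"

// Login is one login event as the Application Server receives it from an Agent.
type Login struct {
	User     string // account name, e.g. a shared admin account
	Endpoint string // monitored server or desktop that was logged in to
	Client   string // machine name or IP address the login came from
}

// Verdict is the result of checking a login against the confirmed pairings.
type Verdict struct {
	Authorized bool
	UserNotice string // confirmation request emailed to the user (empty when authorized)
	AdminEvent string // event logged for the administrator (empty when authorized)
}

// PairingStore keeps, per monitored endpoint, the confirmed user-to-client
// pairings. Assumption: pairings are seeded by an administrator or by a
// user's confirmation; the page does not say how the first pairing is made.
type PairingStore struct {
	pairs map[string]map[string]map[string]bool // endpoint -> user -> client
}

func NewPairingStore() *PairingStore {
	return &PairingStore{pairs: map[string]map[string]map[string]bool{}}
}

// Authorize records client as a confirmed origin for user on endpoint.
func (p *PairingStore) Authorize(user, endpoint, client string) {
	if p.pairs[endpoint] == nil {
		p.pairs[endpoint] = map[string]map[string]bool{}
	}
	if p.pairs[endpoint][user] == nil {
		p.pairs[endpoint][user] = map[string]bool{}
	}
	p.pairs[endpoint][user][client] = true
}

// IsPaired reports whether the user/client pairing is confirmed for endpoint.
func (p *PairingStore) IsPaired(user, endpoint, client string) bool {
	return p.pairs[endpoint][user][client] // reads through nil maps yield false
}

// CheckLogin is the detection step: a login from a client that is not paired
// with the user produces the confirmation request sent to the user and the
// pending event the administrator sees.
func (p *PairingStore) CheckLogin(l Login) Verdict {
	if p.IsPaired(l.User, l.Endpoint, l.Client) {
		return Verdict{Authorized: true}
	}
	return Verdict{
		UserNotice: fmt.Sprintf("The user '%s' just logged in to server %s from unauthorized client %s. "+
			"Please confirm that it was you who performed this action.", l.User, l.Endpoint, l.Client),
		AdminEvent: fmt.Sprintf("UNPAIRED_LOGIN user=%s endpoint=%s client=%s status=pending",
			l.User, l.Endpoint, l.Client),
	}
}

// Resolve records the user's answer to the confirmation request. Confirming
// makes the pairing authorized for future logins; denying leaves it unpaired
// and raises an escalation event (assumption: the page only says the user can
// confirm or deny and that administrators track unauthorized pairings).
func (p *PairingStore) Resolve(l Login, confirmed bool) string {
	if confirmed {
		p.Authorize(l.User, l.Endpoint, l.Client)
		return fmt.Sprintf("PAIRING_CONFIRMED user=%s endpoint=%s client=%s", l.User, l.Endpoint, l.Client)
	}
	return fmt.Sprintf("IDENTITY_THEFT_SUSPECTED user=%s endpoint=%s client=%s status=denied",
		l.User, l.Endpoint, l.Client)
}

func main() {
	store := NewPairingStore()
	store.Authorize("johnsmith", "WEBSRV-PROD", "JOHN-LAPTOP") // constructed seed pairing
	fmt.Printf("%+v\n", store.CheckLogin(Login{"johnsmith", "WEBSRV-PROD", "JOHN-LAPTOP"}))
	stolen := Login{"johnsmith", "WEBSRV-PROD", "11.22.33.44"} // the page's example: login from an unknown address
	fmt.Printf("%+v\n", store.CheckLogin(stolen))
	fmt.Println(store.Resolve(stolen, false))
}
```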
ObserveIT supports large enterprise implementations comprising more than 6,000-10,000 concurrent users per
site. Optimized database storage configuration and Application Server performance provide support for an
increasingly large number of ObserveIT business users.
If you have more than 10,000 users, then depending on your expected user activity and ObserveIT configuration you
may still be able to actively monitor all of your users with no difficulties using the specifications listed in System
Requirements and Data Sizing for Large Deployments. However, it is recommended that you consult an ObserveIT
representative.
For best practices for common scenarios and benchmark data for assessing a customer’s hardware configuration requirements (Application Servers, Database Servers, and Storage) in large scale deployments, contact an ObserveIT representative.
Large enterprise implementations of ObserveIT will typically be accompanied by load balancing (LB), high-
availability (HA) and redundancy requirements. Key factors for deploying HA include:
• Two or more endpoints running the ObserveIT Application Server and Web Console
• Cluster-based implementation of Microsoft SQL Server
• SQL Server using a dedicated storage device or, alternatively, using ObserveIT’s file system storage mechanism for visual screenshot data storage
Load Balancer Implementation
When full LB and HA are required, you can use a software-based load balancer (such as Microsoft NLB) or
hardware-based load balancer (such as F5). Optionally, this can be further augmented by a failover cluster for
the Application Server with an active/passive cluster that has only one node operational at any given time. Also,
more nodes can be added, as needed, to the failover cluster.
Windows Agent installation is performed over a standard Windows installer package (.MSI) that is well
supported by software distribution applications and Group Policy (GPO). The Windows Agent can be installed by
using the default installation (using a simple batch file) or by using a custom installation which allows you to
configure advanced settings, including the Agent registration mode and user recording policy.
For improved security, you may also be required to provide a security password when installing or uninstalling
the Agent. Requiring a password to install Agents prevents the unauthorized recording of computers and the
unauthorized consumption of ObserveIT licenses. By also requesting a password on uninstallation of an Agent,
unauthorized removal of a computer from ObserveIT's list of recorded machines is prevented.
No reboot is required after installation. Optionally, a system tray icon can be configured to be displayed on the
machine when the Agent is running.
6.4 Unix/Linux or Mac Agent Installation
The Unix/Linux or Mac Agent installer is a self-extracting file which includes the package and the installation
program. All Unix/Linux or Mac Agent installation files are centrally located.
The Agent installation procedure is the same for all platforms; a single installation script can be used for every
supported platform.
For example: ./observeit-agent-Ubuntu-12.04-precise-5.8.0.156.run -- -i -s 10.3.0.72
For improved security, you may also be required to provide a security password when installing or uninstalling
the Agent.
The installation script can also be run in interactive or silent mode:
• Interactive mode: The installation program prompts you to enter the installation parameters that are required to configure the Agent. Prompts are triggered if the user does not specify the name of the Application Server or if registration to the Application Server fails.
• Silent mode: The installation program does not prompt for any configuration options during the installation process.
The Rule Engine Service component on the Application Server processes the activity data and generates alerts based on rules which are active.
The administrator can configure a notification policy which defines who should be notified when an alert is
generated, and how they will be notified.
For enhanced management and operation, alert rules can be assigned to one or more user groups (a.k.a “User
Lists”) such as Privileged Users, Everyday Users, Remote Vendors, Terminated Employees, Users in a Watch-List,
Executives, Developers & DevOps. Privileged Users and Everyday Users lists are prepopulated based on common
Active Directory groups. These lists can be modified, and other lists can be easily created or populated by
assigning them individual users or Active Directory groups.
In addition, alert rules can be assigned to security Categories (such as, Data Exfiltration, Hiding Information and
Covering Tracks, Running Malicious Software, Performing Unauthorized Admin Tasks, and more) in order to help
navigation and facilitate rules operation and maintenance.
Categories can be applied on Windows, Mac, or Unix/Linux operating systems. Some categories are relevant for
all systems.
Alert rules in the Insider Threat Library are already grouped into Categories and assigned to relevant User Lists with appropriate risk levels.
7.1.1 Importing and Exporting Rules
ObserveIT allows the importing and exporting of rules. Importing is managed by a straightforward wizard that
notifies you in advance about any potential conflict or missing data on the target environment. Exporting rules is
simply done by selecting the rules you wish to export and providing the location for the export file.
The ability to export and import rules extends ObserveIT's Insider Threat Solution, by enabling the sharing of
real-time information about risky user activity and out-of-policy behavior with other departments/users in an
organization and with other organizations.
Rules can be integrated with external HR systems; ObserveIT User Lists can be exported and imported as a
comma-delimited format file (CSV), so for example, you can simply export your current "Employee watch-list"
from your HR system and import it into your list in ObserveIT.
Alert, policy, and prevent rules can be easily migrated between staging or other environments (such as, from
POC to UAT to Production).
ObserveIT customers and business partners can use the exported/imported ObserveIT rules to detect risky user
activity and out-of-policy behavior on their own Windows or Unix/Linux machines. After the export/import
process is completed, the rules can be edited as required to suit the needs of the organization.
Note: System rules in the ObserveIT Insider Threat Library are automatically and regularly updated without the need to upgrade to the latest version. The export of System Rules from the ObserveIT Insider Threat Library (ITL) is managed by ObserveIT. System rules are exported with their User List assignments; any changes that were made in List Items are included in the file to be imported.
The following permission levels can be defined for user accounts with access to the Web Console:
• Admin: This role grants the highest permissions and allows administrators to make configuration changes, view user activity logs and play back all recorded session videos.
• View-Only Admin: This role allows administrators to view session recordings but not access any ObserveIT configuration options.
• Config Admin: This role maintains user privacy by allowing administrative access to most configuration options in the Web Console but prevents the viewing of any user activity logs or screen recordings.
Different levels of access can be defined for specific users or user groups. Console users can be granted
permissions to view recorded sessions on one or more endpoints (on which the ObserveIT Agent is installed),
endpoint groups, individual users (domain\user), or Active Directory groups. These permissions are given to
users based on their defined role.
Permissions can also be assigned to Active Directory groups to view and access session data on specific endpoints or endpoint groups. When configured, only session data that applies to the Active Directory group will be available.
Data that is stored in MS SQL Server automatically inherits all the data protection mechanisms already in place
for corporate databases.
Additionally, ObserveIT will encrypt all screen recordings when the Image Security option is enabled. In this
situation, the ObserveIT Agents and Application Server will use a token exchange mechanism to encrypt all
session data. The recordings are digitally signed by the Application Server when stored in the database.
When ObserveIT detects any tampering with a session’s data (for example, if a DBA deleted an incriminating
screenshot from within the session recording), a warning indicator appears for that session in the Web
Console:
Figure 40 – Data Integrity Warning Indicator
For privacy, all screen capture data (whether stored in an SQL database or in the file system) can be encrypted
with a symmetric Rijndael 256-bit key. To further protect this key, the key itself can be encrypted with an
asymmetric 1024-bit X.509 certificate (RSA encryption key). This encryption is also inherited by any
sessions exported for offline viewing.
ObserveIT Agents are FIPS (Federal Information Processing Standards) compliant. Both Windows and Unix/Linux Agents comply with the FIPS security standard and can be deployed on any supported FIPS-enabled machine. The TLS encryption protocol is used to secure traffic between the ObserveIT Agents and the ObserveIT Application Server.
8.5 Installation Security
The ObserveIT administrator can protect against improper or unauthorized Agent installation by requiring the
person installing or uninstalling any Agent to provide a security password, which is registered on the Application
Server. Requiring a password to install Agents prevents the unauthorized recording of computers and the
unauthorized consumption of ObserveIT licenses. By also enforcing a password on uninstallation of an Agent,
the unauthorized removal of a computer from ObserveIT's list of recorded machines is prevented.
The main ObserveIT Administrator Dashboard and mini Administrator Dashboard display the number of Agents
that were recently installed and uninstalled. In addition, if configured, notifications via email can report
successful or failed installation/uninstallation events due to security password enforcement.
ObserveIT provides detailed auditing reports that show critical configuration changes that were made while
working in the Web Console. For example, when anonymization is enabled/disabled, when an endpoint is
unregistered, or when an Agent's recording was turned off or changes were made in a Recording Policy
configuration, you can track exactly who did this and when it happened. These reports are valuable for security
auditing and change management.
Figure 43 – Auditing Web Console Changes
8.8 User Privacy Protection
ObserveIT provides the following options for protecting user privacy:
• Anonymization of user details: ObserveIT can be configured to work in “Anonymized” mode. In this mode, all personal user information in the Dashboard and the Web Console is encoded – so there is no way to identify the name of the user, the role or department, or see the user's personal photo. Computers that are accessed and login accounts being used can also be anonymized. A Security Analyst or an Investigator using the system can still get detailed visibility to the risky users including their alerts and activity, but without their personal identity being exposed.
Figure 44 – Anonymized Users in the ObserveIT Dashboard
If there is a need to expose user details during the investigation process, an Exposure Request can be
submitted, and the request will be reviewed and approved (or rejected) by an authorized administrator
acting as the Privacy Officer. In addition, certain users or groups (e.g., Remote Vendors) can be excluded
from being anonymized, and high ranking individuals (e.g., the CISO) can be allowed to view data in the clear
(i.e., not anonymized).
• Granular access rights: ObserveIT users’ access can be restricted so that they can be assigned permissions to view sessions of specific endpoints, endpoint groups, individual users, or Active Directory groups. Permissions are reflected in session recordings throughout the Web Console. For example, the Database group manager can view sessions by DBAs on any computer, plus any user session that took place on the database server. This ensures relevant access by authorized users while blocking inappropriate access by users without a valid reason. These rules extend to all user activity logs, reports and video replay. Granular access rights also apply in the User Risk Dashboard where security analysts are permitted to view and monitor only the risky users and their data to which they have been assigned permissions.
• Start video recording upon alert: The “Start video recording” action in the Alert/Policy Rule protects user privacy by allowing the recording of metadata only and adding video as further evidence of user actions only when a specific alert has been triggered. This feature provides ObserveIT with activity data required for analyzing user behavior without disclosing any sensitive data that might appear on the user screen.
• Dual Password Protection for Playback (4-Eyes Protection): ObserveIT allows you to specify a second password (not managed by the ObserveIT administrator) that is required for replaying the video of a user session. This ensures both audit completeness and employee privacy. In typical situations, IT management (via an ObserveIT administrator) holds the main ObserveIT password, and legal counsel or a union rep holds the second password. This satisfies stringent privacy protection regulations, including BDSG (Germany), CNIL (France), DPD 95/46/EC (EU), and Human Rights Act (UK). Granular deployment allows textual audit logs to be accessed by compliance officers (without the second password), whereas video replay requires legal counsel authorization (both passwords).
• ObserveIT self-auditing: ObserveIT audits itself, capturing logs and videos of every ObserveIT user who views recorded sessions.
• Recording Policy options: ObserveIT lets you decide which users/user groups to record, which applications not to record (for example, Facebook) and the recording level (for example, metadata only with no video).
By default, ObserveIT utilizes the following databases, which are created during installation:
• ObserveIT: Stores all the user activity configuration data and textual audit metadata captured by the ObserveIT Agents.
• ObserveIT_Analytics: Stores the data that is displayed in the Insider Threat Intelligence Dashboard. This includes alerts statistics and users' score data over time, aggregated by users, applications and alert types. It also stores user profile information, such as job title, photo, department, region, email address and more.
• ObserveIT Data: By default, stores all the ObserveIT screenshot images captured by ObserveIT Agents. Screenshot images can also be stored in the file-system.
• ObserveIT_Archive_1: The archive storage database stores both the archived user-activity metadata and screenshot images (unless file-system storage is configured).
• ObserveIT_Archive_template: Used for backup and restore when creating a new archive database.
9.2 Database Storage
All data stored in SQL databases can utilize existing backup solutions that are built into MS SQL Server or third-
party database backup solutions.
The SQL Server database is used to store user activity configuration data, user analytics data, textual audit
metadata and possibly (unless the file-system is used) the screenshots captured by the ObserveIT Agents for
video replay. To prevent data loss as the database becomes full, ObserveIT allows you to configure additional
storage space. You can configure a threshold specifying the maximum disk space that is allocated for the
database. A system event is generated when the database storage threshold (%) reaches its configured limit,
alerting you to configure additional storage space by updating the specified threshold or by running the archive
process.
9.3 File System Storage
Visual screenshots represent the largest portion of ObserveIT’s data storage needs. For large scale deployments
and to prevent SQL Server database performance issues, you can configure the video replay screenshots for file-
system storage instead of in the SQL database, either on the local hard drive of the ObserveIT Application Server
or on a file share in the network. When using file-system storage, there is still a need to maintain the SQL Server
database in order to store the textual metadata and ObserveIT configuration data.
ObserveIT automatically manages the directory where you specify that screenshot data should be stored,
including an auto-generated and archived subdirectory tree per date and per session.
9.4 Metadata Storage
ObserveIT also records important information about what is seen on the screen, which applications are
currently used, what actions the user has performed, the date and time of the action and more. This "metadata"
stored in ObserveIT's database is located on a central SQL Server. Because metadata is centrally stored and
indexed, it can be used to easily search throughout all recorded sessions and provide a textual breakdown of
each user session. Recorded metadata is a very important aspect of the auditing experience and capabilities.
Providing log data via ObserveIT’s database API enables SIEM systems and other third-party monitoring
software to programmatically integrate with ObserveIT in order to receive session data and recordings. When
using the API, access is provided to log data stored in ObserveIT’s database tables. Thus, third-party systems can
retrieve the exposed data directly from ObserveIT’s database.
ObserveIT’s API provides log data using “views”. Users with “role_api” read permissions can access the
API_OIT views. The ObserveIT database API provides the following views for each of the log file data types:
• API_OIT_User_Activity: Contains data about user activities on monitored endpoints, including captured screenshots and user activity log data (details about applications, registry settings, and files that the user accessed).
• API_OIT_Session_Activity: Contains data about sessions that occurred on monitored endpoints.
• API_OIT_DBA_Activity: Contains data about SQL database queries that were performed during sessions.
• API_OIT_Alert_Activity: Contains data about activity alerts which were generated when suspicious login events or user activity occurred during a session. “Alert rules” define the conditions under which an alert is triggered.
• API_OIT_System_Events: Contains data about events that were triggered by the system (for example, when a user logs in, or during the health check monitoring of the Agent, Notification Service, Application Server or Web Console). Events are defined by their severity, source – for example, Notification Service – and category (Login, Health Check).
• API_OIT_InApp_Elements – Contains data about specific elements (In-App Elements) within desktop and web-based applications that were marked for tracking risky user behavior.
• API_OIT_Audit_Session – Contains data about all the sessions which were replayed by the user.
• API_OIT_Audit_Logins – Contains data about all successful and failed logins to the Web Console.
• API_OIT_Audit_Configuration – Contains data about configuration changes that were made while working in the Web Console (like when a server is unregistered or when changes were made in a recording policy configuration).
10.3 SIEM System Integration Using Monitor Log Data
ObserveIT Monitor Log data can be easily integrated into an organization’s existing SIEM system.
ObserveIT is currently certified to provide integration support with the HP ArcSight SIEM monitoring software.
Integration with HP ArcSight SIEM enables the export of ObserveIT log data to ArcSight Common Event Format
(CEF). All log files from ObserveIT user activities, DBA activity, activity alerts, system events, In-App Element
data, user logins, and audit sessions, logins, and configurations can be exported and integrated into the SIEM
monitoring software at timed intervals. The SIEM integration parses the ObserveIT log files and creates events,
triggers, and alerts based on text strings of information that appear inside the log file.
Integrated log data can be viewed and videos of recorded sessions can be replayed directly from within the
external SIEM dashboard or report environment.
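The CEF export described above, seen from the SIEM side, as an added example that is not ObserveIT's or ArcSight's own code: a small CEF parser that honours the format's escaping rules, run over constructed sample lines, plus a helper that picks out the sessions worth replaying. The vendor/product strings, signature IDs and extension keys used (suser, dhost, cs1 carrying the session id) are assumptions for illustration, not ObserveIT's documented CEF field mapping.

```python
import re

# Constructed sample lines in ArcSight CEF (CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension).
# The signature IDs and extension keys are illustrative assumptions, not ObserveIT's documented CEF field mapping.
SAMPLE_CEF = [
    r"CEF:0|ObserveIT|ObserveIT|7.1|ALERT_ACTIVITY|Alert Activity|8|suser=acme\\jdoe dhost=DBSRV01 msg=Copied customers.csv to USB\=drive cs1Label=SessionId cs1=S-1001",
    r"CEF:0|ObserveIT|ObserveIT|7.1|USER_ACTIVITY|User Activity|3|suser=acme\\jdoe dhost=DBSRV01 app=sqlcmd.exe msg=SELECT * FROM customers cs1Label=SessionId cs1=S-1001",
    r"CEF:0|ObserveIT|ObserveIT|7.1|AUDIT_LOGIN|Web Console Login|5|suser=auditor outcome=failure msg=Bad password for auditor",
]
HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Seven header fields end at unescaped pipes; inside a field '\|' and '\\' are escapes. The rest is the extension.
_HEADER = re.compile(r"^CEF:" + r"((?:[^|\\]|\\.)*)\|" * 7 + r"(.*)$", re.S)
_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")  # extension keys contain no spaces and no escapes

def _unescape(value):
    # Extension values escape '=' and '\' with a backslash; \n and \r encode line breaks.
    return re.sub(r"\\([=\\nr])", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext):
    keys = list(_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):  # a value runs from its '=' up to the next key (values may contain spaces)
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    return out

def parse_cef(line):
    m = _HEADER.match(line)
    if not m:
        raise ValueError("malformed CEF line: expected 'CEF:' prefix and 7 pipe-delimited header fields")
    fields = [re.sub(r"\\(.)", r"\1", f) for f in m.groups()[:7]]  # drop header escapes
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["severity"] = int(rec["severity"])  # numeric 0-10 severity assumed
    rec["ext"] = _parse_extension(m.group(8))
    return rec

def sessions_to_review(lines, min_severity=7):
    """Session id (cs1) -> signature ids of all its events, kept only for sessions that raised at least
    one event at or above min_severity: the sessions whose recording an analyst would replay from the SIEM."""
    by_session, flagged = {}, set()
    for rec in map(parse_cef, lines):
        sid = rec["ext"].get("cs1")
        if sid is None:  # e.g. Web Console audit logins carry no session id
            continue
        by_session.setdefault(sid, []).append(rec["signature_id"])
        if rec["severity"] >= min_severity:
            flagged.add(sid)
    return {sid: sigs for sid, sigs in by_session.items() if sid in flagged}
```

Because the low-severity query event shares a session id with the high-severity alert, it is kept alongside it, which is the context an analyst needs before replaying that session's video.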
This screenshot shows how ObserveIT user activity and alert data is incorporated within the HP ArcSight SIEM
The ticket number entered is validated against the service desk system database before the user is granted
access to the system. The ticket associated with the session is linked to a video recording of the session. In
addition, specific information about the login session is automatically saved by ObserveIT and included in the
service desk system.
Within the service desk system itself, a direct link to the video recording of the specific session in which the
administrator or remote vendor addressed the ticket provides faster and easier auditing of the exact actions
performed by administrators and remote vendors.
ObserveIT offers built-in integration with ServiceNow that works out of the box. Integration with most other ticketing systems (such as ServiceDesk, Remedy, Track-It!, HEAT, and Kayako) may be implemented by customers according to their own requirements. ObserveIT provides API guidance to help customers build a Web Service that will enable them to integrate ObserveIT with their own ticketing system. For details, see the ObserveIT Service Desk Integration Guide.
For further details about integrating ObserveIT's session recording system with an IT service desk system, refer
to http://documentation.observeit.com/7.1/#service_desk_integration.htm.