One day last summer I was in a bank branch, standing in line waiting to conduct my business. Bored, I studied my surroundings and took note of a security camera directed toward the teller station ahead of me. No doubt it was capturing video of each person that approached the teller window and especially of the teller herself who was dispensing cash as customers made withdrawals.
Just two days later, that bank branch was robbed at gunpoint. The evening news had a fairly clear picture of the robber standing in about the same spot I was standing. I guess he didn’t notice (or didn’t care about) the camera that caught the image of him that was flashed on the news and used in a Crime Stoppers press release. A week later I read in the newspaper that the robber had been identified by his photo, apprehended at home and charged with bank robbery.
What if you could put that level of video surveillance to work for you to protect your network? It’s not that you suspect your work colleagues are perpetrating cyber crimes or corporate espionage, but perhaps you need to keep a detailed log of what privileged users are doing on your systems. At the very least, you probably operate under regulatory mandates that dictate the need to audit who is doing what with sensitive data on your network.
Instead of pointing a physical camera toward someone’s face, the view is metaphorically pointed over a user’s shoulder to capture the screen images for everything the person is doing online. In other words, there is no camera at all but rather a series of screen captures that completely document the user interface as someone goes about his work. Strung together, these screen images are like having a high definition surveillance video of what the person is doing online.
This is what ObserveIT does. Whenever someone has access to servers in your organization – for example, system administrators, database administrators or remote contractors – this solution can watch and record what they do. It also can be used to watch what high profile employees do online. Consider the financial services company that wants to record the precise actions of people who execute high value trades or wire transfers. This is an effective way to capture every pull-down menu, every option selected, every button clicked upon, every data value entered, and so on.
A complement to traditional logs
ObserveIT differs from traditional logs, which capture what is happening with machines and systems and are technical in nature. ObserveIT captures what’s happening with the user and the applications they use. This user audit trail doesn’t replace traditional logs but complements them by providing visibility into what a user was doing at a given time. This can be helpful in troubleshooting situations when you are trying to discern the root cause of a problem. Machine logs alone may not tell the story, but replaying a video of the configuration changes a system administrator made could pinpoint the problem.
Who has time to watch and analyze hours of screen videos to find a needle in the haystack? With ObserveIT, they say you don’t have to. It turns the user interface video into an English-language transcript of sorts so you can quickly read the sequence of activities someone performed. What’s more, the transcript log is searchable, so you can enter key words to help you find a specific action or command. The content also can be integrated with most of the leading SIEM tools and log management tools like Splunk.
Simple deployment
ObserveIT is a software solution, and there are two typical deployments. The first method is to install an agent on a server; ObserveIT then records every time someone accesses that machine, whether the user is physically logged into the server, coming in through remote access, or using a server console. The second deployment method is a gateway solution. This is a popular approach, they say, for companies that want to capture the activities of external vendors like managed service providers, outsourcing firms or third party vendors. In this approach, you set up a single terminal server or Citrix server in your DMZ and you route all of your external parties over a VPN to that single machine. Once they log in to that gateway, they do a secondary hop using RDP or SSH to the target servers they want to manage.
There are means to prevent a privileged user from uninstalling or disabling the solution. If it’s installed on a gateway machine, you don’t allow the external users to have administrative access to the gateway. If an agent is installed directly on a server, there is a watchdog that sounds the alarm and restarts the software if the agent is killed. A built-in health check system monitors the watchdog and agent as well. Even if there is downtime between the agent and the application server, there is local caching that will continue to record user activity.
According to ObserveIT, the solution also can be used with cloud applications. Some cloud providers are beginning to offer their customers reporting from ObserveIT so that customers know what is going on with their cloud-based infrastructure, and to help the customers achieve regulatory compliance. The solution also works with cloud-based applications like Salesforce if you want to record what people are doing in those applications. For example, you can play back a video script that takes you to the exact point in Salesforce where you can observe what somebody did within that application. Let’s say there is a contact within Salesforce named John Doe. You can search on all activity that users have done pertaining to John Doe’s records.
Put activities in context
Unlike traditional system logs, ObserveIT says, its recordings give context. Most organizations today set up policies and rules of who can do what, but policies don’t provide context. For example, if somebody opens a confidential file like a financial report, that may be fine for that particular user to do. However, if he also is using WebEx or GoToMeeting at the time he opens the file, and there are outsiders on the meeting site who now can view the confidential report, this may be a violation of company policy. ObserveIT’s logs are aimed at providing that context.
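As an added illustration (not ObserveIT’s code), the following Python models the searchable activity transcript described earlier and the context rule from this section: it flags a confidential file being opened while WebEx or GoToMeeting is active in the same session. The event schema, the file-naming classifier and the sample session are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Screen-sharing applications named in the article's example policy.
SCREEN_SHARING_APPS = {"WebEx", "GoToMeeting"}

@dataclass
class Event:
    """One recorded user action (constructed stand-in for an agent capture)."""
    ts: datetime
    user: str
    app: str
    action: str   # "open", "close", "start" or "stop"
    target: str   # file name, window title or meeting name

# Constructed sample session: the report is opened alone, then during a WebEx meeting.
SAMPLE_SESSION = [
    Event(datetime(2013, 6, 4, 9, 0), "jdoe", "Excel", "open", "Q2_financial_report.xlsx"),
    Event(datetime(2013, 6, 4, 9, 5), "jdoe", "Excel", "close", "Q2_financial_report.xlsx"),
    Event(datetime(2013, 6, 4, 10, 0), "jdoe", "WebEx", "start", "Vendor sync"),
    Event(datetime(2013, 6, 4, 10, 3), "jdoe", "Excel", "open", "Q2_financial_report.xlsx"),
    Event(datetime(2013, 6, 4, 10, 20), "jdoe", "WebEx", "stop", "Vendor sync"),
]

def transcript(events):
    """Render events as the readable, searchable activity log the article describes."""
    return [f"{e.ts:%Y-%m-%d %H:%M} {e.user} {e.app}: {e.action} {e.target}"
            for e in sorted(events, key=lambda e: e.ts)]

def search(events, keyword):
    """Case-insensitive keyword search over the transcript."""
    return [line for line in transcript(events) if keyword.lower() in line.lower()]

def is_confidential(target):
    """Hypothetical classifier: a naming convention marks sensitive documents."""
    return any(tag in target.lower() for tag in ("financial", "confidential"))

def context_violations(events):
    """Flag confidential opens during active screen sharing; returns (line, apps) pairs."""
    sharing_active, hits = set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.app in SCREEN_SHARING_APPS:
            if e.action == "start":
                sharing_active.add(e.app)
            elif e.action == "stop":
                sharing_active.discard(e.app)
        elif e.action == "open" and is_confidential(e.target) and sharing_active:
            hits.append((transcript([e])[0], sorted(sharing_active)))
    return hits
```

The first open of the report passes because no meeting is running; only the second, which overlaps the WebEx session, is reported together with the apps that made it a policy concern.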
ObserveIT also provides insight in the event that a hacker breaks into your server. With the agent on that server, it will record what a hacker does—what he opens, what he sees, what he downloads, etc. A traditional log is not constructed to provide this level of detail.
The video files and transcripts generated by ObserveIT are stored in a database. Currently it supports Microsoft SQL Server, with plans to add Oracle by the end of this year. The data is encrypted and digitally signed when it is stored. The video files reportedly are relatively small because captures are triggered by mouse movements and keystrokes rather than by time interval. Idle time is not recorded, so the videos cover only the actual user interaction with the screen and not the entire length of the session during which the user was logged in. This significantly reduces the size of the videos. According to ObserveIT CTO Gaby Friedlander, 1,000 recorded servers generate about 700 GB of data per year.
The session recording market
Other approaches to recording sessions and network traffic include CA’s Session Recording, XSuite from Xceedium, Shell Control Box from BalaBit, Timeline from WildPackets, SilentRunner from AccessData and DeepSee Black Box Recorder from Blue Coat’s Solera Networks.