
Data Protection Webinar

Date post: 25-Jul-2015
Upload: observeit
IMPROVE DATA PROTECTION WITH USER ACTIVITY MONITORING Presented by Matt Zanderigo
Transcript

AGENDA

• Who is ObserveIT?
• Risk of Data Exposure through core apps
• Examples of Risky Application Scenarios
• Brief Demonstration of ObserveIT

WHO IS OBSERVEIT?

• HQ Boston, MA / R&D Tel Aviv, Israel
• Founded 2006
• 1,200+ Customers Worldwide
• $20M Invested by Bain Capital

The leading provider of User Activity Monitoring for Application Users, Admins and External Vendors

Audit and Compliance

WHAT’S BEING MONITORED

Application Users

Custom & Commercial Apps:

External Vendors

Service Providers & Contractors:

Privileged Users

Critical Systems, Files & Data:

• SOX
• EU Data Protection Reform
• HIPAA

• Healthcare (PHI) data
• Customer (PII) data
• Employee data
• Company data
• Financial data
• Intellectual property
• Sales & marketing data

DATA EXPOSED THROUGH APPLICATIONS

• AT&T will pay $25 million after call-center workers sold customer data
• Morgan Stanley insider exposes rich clients' info online
• Ex-JPMorgan Employee Charged With Stealing Customer Data

APPS ARE THE WINDOW TO OUR MOST SENSITIVE DATA:

• Healthcare (PHI) data
• Customer (PII) data
• Employee data
• Company data
• Financial data
• Intellectual property
• Sales & marketing data

WHAT DOES THE USER SEE?

IT Users

Maintain backend application systems, DBs, and infrastructure for business users

Risks
• Remote Access
• Configuration Changes
• Audit & Compliance

[Diagram labels: Systems, Front End, Data, Application]

Business Users

Use a variety of applications every day to drive business

Risks
• App Data Extraction
• Shadow IT
• Audit & Compliance

TODAY’S RISK OF DATA EXPOSED THROUGH APPLICATIONS:

95% BUSINESS USERS

5% IT USERS

84% of insider-based breaches involve users with no admin rights

Source: Gartner 2013 Key IT Metrics Report & 2014 IBM/Ponemon

BUSINESS USERS OUTNUMBER IT ADMINISTRATORS BY 20:1

HERE'S THE PROBLEM:

• Unified logging for all apps
• Access to view information
• Shadow IT
• Remote Workers
• Employee Turnover
• Layoffs
• Two weeks' notice
• HR watch list

INTERNAL AUDITS

Takes staff a long time to review each log

Reduced audit times by correlating events with video-like playback in plain English

DATA SECURITY

Each log is different for each application

Instantly detect changes in actual user behavior that warrant investigation

Homegrown / Web apps don't produce logs

Isolate users, systems and data in real-time and historically with detailed forensic data

FORENSIC INVESTIGATIONS

RELYING ON LOGS DOESN'T CUT IT

Firewall

IDS

IAM

SIEM

WHY DATA LOSS PREVENTION SOFTWARE FALLS SHORT

Systems

Front End

Data

Application

App Users

Contractors

IT Users

DLP

Employee scanning unnecessary customer records in call center

Employees viewing personal claims information for business claims clients

Employee views the record of a patient not under their care

Employee views the record of high profile customers (VIP)

RISKY APP SCENARIOS

Record User Activity

Video-like Playback

User Activity Logs

Profile User Behavior

Rule-Based Analytics

Report & Audit

Instant Notification

Real-Time Drill Down

Kill Sessions

OBSERVEIT USER ACTIVITY MONITORING

ONE SCREEN CAPTURE IS WORTH A THOUSAND LOGS

RECORD USER ACTIVITY

REPORT & AUDIT

CUT AUDIT AND REPORTING EFFORTS IN HALF

EVENT AND ACTIVITY API

Real-time event and activity stream via Direct DB connection

Support all user activities, alerts and system events

Fully supported and documented API

LEARN ABOUT INSIDER RISKS BEFORE THEY BECOME A REAL THREAT

Real-time Alerts
• Who?
• Did what?
• On which computer?
• When?
• From which client?

Setting Severity

Notification Policies

INSTANT NOTIFICATION

Window Title: Break-Glass Scenario

Are you sure you want to view another employee of the hospital's medical records?

Window Title: Trade Confirmation

Are you sure you want to process ticket for trade #2334323?

Application Process: Exporting .XML

Application Name: Fiserv Case Management / Transaction Tracking

Application Name: ClaimCenter / Claim Management

Window Title: Customer Order #

Visited URL: Facebook.com / Pastebin

EMAIL NOTIFICATIONS

INTEGRATION WITH SIEM

• Native HP ArcSight integration via CEF file format
• Export alert data to SIEM (all formats)

BRIEF DEMONSTRATION
