Companies use surveillance cameras to record what is happening in physical locations. Now take that concept and apply it to IT systems. ObserveIT records the user interface actions that occur when someone is accessing your systems or applications. The result is a detailed audit trail that shows precisely who did what in both video and transcript format.
Any detective will tell you how helpful it is to have clear and undisputed video evidence of a crime. Imagine that a perpetrator comes onto your property, looks straight into the surveillance camera to give you a clear shot of his face, and proceeds to do his dirty work with every action he performs caught on video. Once the person is caught and goes on trial for his crime, his attorney will find it hard to refute the evidence because it’s all there for the jury to see.
What if you could have that kind of evidence for your IT systems? Rather than a video of the person’s face and his physical actions, you are collecting clear video evidence of a person’s interactions with the computer—what applications he accesses, what he types, what options he selects, which buttons he presses, and so on. This video can be saved and played back later as needed, just as the detective can play the video of our crime scene above. And not only do you get a video, but also an English text transcript of all of the actions.
I’ve just described what ObserveIT does. ObserveIT is a software solution that is like a high-definition surveillance camera for IT that is watching and recording what people do on computers. Unlike a technical log that records system events, ObserveIT records the user interface activities. When you replay a video log, it’s like you are watching over the person’s shoulder to see what he has done.
This type of detailed user activity audit trail is growing in importance as more industry and government regulations require that you know precisely who is doing what on your network. It’s especially important to understand what third-party vendors and managed service providers are doing on your systems, and this is a way to record and store all of that activity.
David Kavaljian, IT Director of Comanche Nation Gaming Board of Directors, has deployed ObserveIT on his systems in response to requirements by the National Indian Gaming Commission. Indian gaming is strictly regulated by the Indian Gaming Regulatory Act. Kavaljian uses ObserveIT to monitor vendor access to third-party software applications. “A traditional log system doesn’t give us the extent of information that ObserveIT provides,” Kavaljian says. “We use the video and transcript audit trails to help achieve regulatory compliance with the NIGC minimum internal control standards.”
Adding ObserveIT to your security mix provides a much more complete account of events than logs alone can provide. The solution adds the vantage point of what is happening from the user perspective; it adds context to an incident. Whereas a traditional log can tell you how an event affected the systems, ObserveIT can reveal how an event initially started and how it happened. When you put those two together, you have a much more robust security system that shows you a full lifecycle of what happened.
According to Gaby Friedlander, CTO at ObserveIT, most organizations deploy the solution to monitor the actions of privileged users such as system administrators or database administrators, or to monitor third parties. “Privileged users have the keys to the kingdom,” says Friedlander. “Once they log in, it’s hard to know what they are doing. Logs are not enough to get the details because logs were basically developed for debugging purposes and not to know what somebody did with the applications. We provide the details of all interaction with the systems and applications.”
There are two ways to deploy ObserveIT. The first method is to put an ObserveIT agent on a server to record every time someone accesses the machine. It doesn’t matter whether people go through the console, log in physically or come in through remote access. The second method is to set up a single terminal server in your DMZ that becomes a gateway for all external users who VPN in through that machine. Once they log in to that device, they make a secondary hop using RDP or SSH to the target servers they want to manage. You install ObserveIT on the gateway server and record all of the external users that go through that machine.
Users – even privileged ones – can’t disable ObserveIT’s logging. If you deploy the gateway machine, you don’t allow the administrators or external parties administrative access to the gateway, which is basically just a means to log in to the target servers. You can have low-privilege users access the gateway machine and from there hop into their target server. If you go the agent route and put an agent on the target server, a watchdog protects the agent. If an administrator kills the ObserveIT agent, the watchdog restarts it, and vice versa. In addition, a health check system monitors all the solution components and sends an alert if there is an issue.
The video recordings and associated transcripts get stored in a Microsoft SQL Server database. Soon ObserveIT will also support Oracle databases. The data is encrypted and digitally signed. There is a web console that allows you to retrieve and watch videos as needed. The English language transcript that is associated with a video is basically like a list of scenes on a DVD. You can scroll through those scenes to get right to a specific point in a video so that you don’t have to watch the whole thing to observe one moment in time. The transcripts are also searchable based on key words, so anything that was displayed on the user’s screen can easily be searched for.
Companies use ObserveIT to increase visibility and to enforce accountability. Let’s use a few examples to show what that means.
Suppose you have an employee who is authorized to access your instance of Salesforce.com. He can access the full contacts list and view the sensitive data as part of his job responsibility. Now imagine that he uses GoToMeeting or WebEx to allow an unauthorized person – perhaps even a competitor – to view that data. Exposing data in this fashion could be considered a data breach. A traditional log system may not find this activity unusual, but ObserveIT can put this scenario in context and let you determine if the employee violated company policy or not.
In another scenario, there is one administrative account that is used by multiple people. Ordinarily you wouldn’t know precisely which person is using the account to perform various activities. ObserveIT solves this problem by adding the step of challenging the users of the account to provide a secondary username and password that is tied to your Active Directory system. Now the recordings of each person’s activities will be tied to them as individuals rather than to a generic administrator account.
ObserveIT is non-intrusive to the people whose actions are recorded, and it’s one more means of securing your systems so you can know who is doing what.
Linda Musthaler (LMusthaler@essential-iws.com) is a Principal Analyst with Essential Solutions Corp., which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.