Third Party Monitoring - Vendor Monitoring
Directly minimize the risks associated with vendor activity across your enterprise
Hold your vendors accountable and avoid unnecessary activity. With Third Party Monitoring, it is simple to see (and prove) exactly how vendors have spent their time working on company servers. This eliminates "who did what?" doubts, verifies compliance with SLAs and eases vendor billing verification.
Effectively Manage the Remote Access of Third Party Vendors
Giving external vendors access to your internal systems greatly increases the risk that their privileges will be used to steal company information or damage your infrastructure, whether deliberately or through mistakes made while deploying code, configuring systems or assigning user permissions. Even trusted vendors with no malicious intent can damage your systems or leave you open to attack.
Third Party Monitoring: Key Benefits
Manage your vendor liability. See exactly what vendors and third-party contractors access, and receive alerts when they act outside their agreed scope.
Instantly detect, investigate and mitigate suspicious user actions.
Monitor internal and outsourced development teams. Receive alerts if a developer pivots to a system they should not have access to, or if a new application or tool is pulled into the environment.
Examples of external vendors that customers are monitoring:
- Outsourced software developers and QA teams
- Managed service providers
- Outsourced call centers
- Outsourced employee technical support and helpdesk services
Typical scenarios of suspicious vendor activity on which ObserveIT can raise alerts include:
- Vendors accessing sensitive customer/patient records.
- A vendor accessing a file in a financial statements folder, or any irregular access during non-working hours.
- Vendor running a program or executing a command which grants the user additional permissions (for example, via the su or sudo commands).
- A vendor executing a DROP TABLE or DROP INDEX command on a production database.
- External vendors logging in to database servers during non-working days.
- Vendors browsing sensitive websites from work, or uploading company data to cloud storage.
All remote vendor activity is captured and scored in real time into an overall risk score, presented to the security team in the form of a User Risk Dashboard. The dashboard lists remote vendors from most risky to least risky. Vendors can be filtered and sorted by the number of out-of-policy notifications and by behavior trends, which makes it easy to identify remote vendors who repeatedly violate security policies, and those who keep doing so despite being warned or even blocked.
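The alert scenarios listed above and the per-vendor risk ranking they feed can be expressed as a small rule engine. The following is an added example written for this page, not ObserveIT's own rule engine or scoring model: the event fields, rule names, regexes, severity weights and "working hours" definition are all assumptions, and the sample events are constructed, not real session data.

```python
"""Added example: rule-based alerting over vendor session events plus a
per-vendor risk ranking. Illustrative code for this page, not ObserveIT's
engine; event fields, rule names, weights and hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events, one per recorded vendor action (not real logs).
EVENTS = [
    {"vendor": "acme-dev", "user": "jdoe", "server": "web01",
     "time": "2024-03-12T14:02:11", "kind": "command", "detail": "sudo -i"},
    {"vendor": "acme-dev", "user": "jdoe", "server": "db-prod01",
     "time": "2024-03-16T23:40:05", "kind": "login", "detail": "ssh"},
    {"vendor": "acme-dev", "user": "jdoe", "server": "db-prod01",
     "time": "2024-03-16T23:41:30", "kind": "sql", "detail": "DROP TABLE customers;"},
    {"vendor": "msp-net", "user": "ops1", "server": "file01",
     "time": "2024-03-13T10:15:00", "kind": "file",
     "detail": r"\\file01\finance\financial statements\Q1.xlsx"},
    {"vendor": "msp-net", "user": "ops1", "server": "ws-22",
     "time": "2024-03-13T10:20:00", "kind": "web", "detail": "https://drive.google.com/upload"},
    {"vendor": "qa-team", "user": "tester", "server": "test03",
     "time": "2024-03-13T09:00:00", "kind": "command", "detail": "pytest tests/"},
]

# Assumed environment knowledge the rules need.
PRODUCTION_SERVERS = {"db-prod01"}
SENSITIVE_PATH = re.compile(r"financial statements|patient|customer", re.I)
CLOUD_UPLOAD = re.compile(r"drive\.google\.com|dropbox\.com|onedrive\.live\.com", re.I)
PRIV_ESC = re.compile(r"^\s*(sudo|su)(\s|$)")          # su / sudo at start of a command
DROP_STMT = re.compile(r"\bDROP\s+(TABLE|INDEX)\b", re.I)


def off_hours(ts: str) -> bool:
    """Weekend, or outside an assumed 08:00-18:00 working day."""
    t = datetime.fromisoformat(ts)
    return t.weekday() >= 5 or not (8 <= t.hour < 18)


# Each rule: (name, severity weight, predicate over a single event).
RULES = [
    ("privilege-escalation", 5,
     lambda e: e["kind"] == "command" and PRIV_ESC.search(e["detail"]) is not None),
    ("drop-on-production", 10,
     lambda e: e["kind"] == "sql" and e["server"] in PRODUCTION_SERVERS
     and DROP_STMT.search(e["detail"]) is not None),
    ("off-hours-db-login", 4,
     lambda e: e["kind"] == "login" and e["server"] in PRODUCTION_SERVERS
     and off_hours(e["time"])),
    ("sensitive-file-access", 6,
     lambda e: e["kind"] == "file" and SENSITIVE_PATH.search(e["detail"]) is not None),
    ("cloud-upload", 6,
     lambda e: e["kind"] == "web" and CLOUD_UPLOAD.search(e["detail"]) is not None),
]


def evaluate(events):
    """Return (rule_name, weight, event) for every rule each event trips."""
    hits = []
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                hits.append((name, weight, e))
    return hits


def risk_ranking(hits):
    """Sum rule weights per vendor; return (vendor, score, alert_count),
    riskiest first, i.e. the ordering a risk dashboard would show."""
    score, count = defaultdict(int), defaultdict(int)
    for _name, weight, e in hits:
        score[e["vendor"]] += weight
        count[e["vendor"]] += 1
    return sorted(((v, score[v], count[v]) for v in score),
                  key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, weight, e in evaluate(EVENTS):
        print(f"{e['vendor']:10} {e['user']:8} {e['server']:10} {name} (+{weight})")
    print(risk_ranking(EVENTS and evaluate(EVENTS)))
```

The point of the ranking function is that score alone is not the whole story: a vendor with many low-weight alerts and a vendor with one `DROP TABLE` on production both deserve attention, which is why the count is returned alongside the score so the dashboard can sort on either.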
ObserveIT also captures all remote vendor activity in an easy-to-use video recording that is smart enough to record only the parts of the screen that actually changed. Idle time is not recorded (although continuous recording is available if needed), so the recorded data is much smaller than you would expect. Sessions are recorded in real time and stored in a SQL Server database, where they are analyzed and indexed. You can search any metadata collected in a recorded session by keyword phrase.
Using ObserveIT Activity Alert Rules, the security officer can define company policies and security regulations and enforce them by posting a specific, detailed notification message in real time to any user who violates a rule. The notification can be triggered every time the rule is violated, or only once per user session.
Blocking messages go further: they interrupt whatever the user was doing and force them to read the message, acknowledge it and (optionally) enter a comment explaining their actions before they can continue working.
SET UP A GATEWAY SERVER FOR REMOTE APPLICATION ACCESS
While not strictly required, it is strongly recommended to set up a "gateway server" through which remote vendors access your servers. A gateway server is simply a Windows machine (or virtual machine) running Remote Desktop Services (RDS), preferably with RemoteApp or Citrix XenApp layered on top of it. This approach significantly improves security: instead of giving remote vendors a full remote desktop on the target server, the gateway limits them to the specific application(s) they need, and gives you a single choke point at which to record and control their sessions.
ObserveIT dramatically enhances any SIEM or log management application by incorporating video playback of user sessions directly into the SIEM console. This combination provides a number of important benefits:
- Add user session data to SIEM dashboards and reports – including lists of every application run, pie charts showing active users/servers and even detailed listings of specific user actions, all linked directly to video recordings of user sessions
- Correlate system log data with user activity data – with detailed user activity drill-down and one-click access to the relevant portion of any recorded session video, for a much better understanding of what was done by any user on any server in any application
- Fill in SIEM logging gaps – for applications without any built-in logging (including legacy, bespoke, commercial and cloud applications), plus all system areas, on Windows, UNIX and Linux machines accessed via any connection method (direct console, SSH, Telnet, Remote Desktop, etc.)
- Improve regulation compliance and reduce security auditing costs – without the need for complex research and correlation projects, by instantly finding any user action and playing back relevant portions of recorded session videos
ObserveIT integration with change management solutions is available out of the box. Linking ObserveIT's session recording to change management tools adds a layer of control and monitoring that neither system provides on its own.
Integration with ServiceNow is currently available out of the box (no development effort required). Examples of what the ticketing integration provides:
You can require specific administrators and/or remote vendors to enter a valid ticket number from your change management system before being able to log into specific servers. By linking every login to a particular ticket, unnecessary and unauthorized logins are reduced and there is greater enforcement of segregation of duties.
Once a ticket number is provided as part of the server login process, ObserveIT automatically augments the ticket data with key details about the login session which are only available to ObserveIT. For example, the ticket will include the actual user name used to access the server (based on a secondary identification login which goes beyond generic system admin login accounts), the particular server which was accessed and the exact date/time that the session occurred.
The ticket record will include a direct link to the visual recording of the particular session in which the remote vendor addressed the ticket. This provides the unique ability to visually review exactly how the user addressed the ticket. Linking a video recording of their actions addressing a ticket from within the ticket itself allows faster and easier auditing of the exact actions performed by remote vendors.
When a remote vendor for whom this feature is enabled attempts to log in to a monitored server, a ticket prompt window appears. The ticket number entered is validated against the change management database in real time before the user is granted access to the system.
Two optional features, configured by the ObserveIT system administrator, can be enabled on that prompt. Both are a matter of policy and can be set per user and/or per server:
A check box may be shown that allows the user to create a new ticket number on the fly if they do not already have one.
A Skip button may be enabled that allows the user to enter the server even without a valid ticket number.
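The ticket-gated login flow described above (validate the ticket before granting access, optionally allow on-the-fly ticket creation or a Skip, then write the session details back onto the ticket) can be modelled as a small policy check. The following is an added example written for this page, not ObserveIT's ServiceNow integration: the ticket fields and states, the validation criteria (assignee, server scope, change window), the `Policy` flags and the in-memory ticket store are all assumptions standing in for a real change management database.

```python
"""Added example: ticket-gated server login with optional create-ticket
and Skip policies. Illustrative code for this page, not ObserveIT's own
integration; ticket fields, states and policy flags are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed ticket store standing in for the change management database.
TICKETS = {
    "CHG0001234": {"state": "implement", "assignee": "acme-dev\\jdoe",
                   "servers": {"web01"},
                   "start": "2024-03-12T13:00:00", "end": "2024-03-12T17:00:00"},
    "CHG0001235": {"state": "closed", "assignee": "acme-dev\\jdoe",
                   "servers": {"web01"},
                   "start": "2024-03-01T09:00:00", "end": "2024-03-01T12:00:00"},
}


@dataclass
class Policy:
    allow_new_ticket: bool = False   # the optional "create a ticket" check box
    allow_skip: bool = False         # the optional Skip button


@dataclass
class Decision:
    allowed: bool
    reason: str
    ticket: Optional[str] = None


def validate_ticket(ticket_id, user, server, at, tickets):
    """Return None if the ticket authorises this user on this server now,
    otherwise a short reason. Checks are ordered cheapest first."""
    t = tickets.get(ticket_id)
    if t is None:
        return "unknown ticket"
    if t["state"] not in ("scheduled", "implement"):
        return f"ticket state is {t['state']}"
    if t["assignee"] != user:
        return "ticket not assigned to this user"
    if server not in t["servers"]:
        return "server not in ticket scope"
    now = datetime.fromisoformat(at)
    if not (datetime.fromisoformat(t["start"]) <= now <= datetime.fromisoformat(t["end"])):
        return "outside change window"
    return None


def gate_login(user, server, at, ticket_id=None, skip=False, new_ticket=False,
               policy=None, tickets=TICKETS):
    """Decide whether the login proceeds. Skip and create-on-the-fly are
    only honoured when the policy for this user/server enables them."""
    policy = policy or Policy()
    if skip:
        if not policy.allow_skip:
            return Decision(False, "skip not permitted by policy")
        return Decision(True, "ticket check skipped (policy allows)")
    if new_ticket:
        if not policy.allow_new_ticket:
            return Decision(False, "on-the-fly ticket creation not permitted")
        tid = f"CHG-NEW-{len(tickets) + 1:07d}"          # assumed numbering
        tickets[tid] = {"state": "implement", "assignee": user,
                        "servers": {server}, "start": at, "end": at}
        return Decision(True, "new ticket created", tid)
    if not ticket_id:
        return Decision(False, "ticket number required")
    problem = validate_ticket(ticket_id, user, server, at, tickets)
    if problem:
        return Decision(False, problem)
    return Decision(True, "valid ticket", ticket_id)


def annotate_ticket(decision, user, server, at, session_url):
    """The details the page says get written back onto the ticket: the real
    user (not a shared admin account), the server, the time and a link to
    the session recording. session_url is an assumed value."""
    return {"ticket": decision.ticket, "user": user, "server": server,
            "login_time": at, "recording": session_url}


if __name__ == "__main__":
    d = gate_login("acme-dev\\jdoe", "web01", "2024-03-12T14:02:11", ticket_id="CHG0001234")
    print(d)
    print(annotate_ticket(d, "acme-dev\\jdoe", "web01", "2024-03-12T14:02:11",
                          "https://observeit.example/sessions/1"))
```

Note that the Skip path still returns a Decision, so a skipped check is itself an auditable event rather than a silent bypass; a deployment that enables Skip should alert on it as an out-of-policy login.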