Allow third parties to do their work while ensuring data is secure and audited
Giving external vendors access to your internal systems greatly increases the risk that their privileges will be used to steal company information or damage your infrastructure, whether through malice or through mistakes made while deploying code, configuring systems or assigning user permissions. Even trusted vendors with no malicious intent can damage your systems or leave you open to attack. Granting external vendors access should therefore be a carefully controlled and monitored process. Third-party monitoring ensures that external vendors stay within their scope and perform only their assigned tasks, which allows more flexible access without sacrificing security.
Examples of external vendors that customers are monitoring:
- Outsourced software developers and QA teams
- Outsourced software application configuration/customization consultants
- Outsourced database administrators
- Managed service providers responsible for servers, network equipment (firewalls, routers, switches, etc.) and even entire data centers
- Managed service providers responsible for employee desktops (operating systems, user permissions, software applications)
- Outsourced employee technical support and helpdesk services
Examples of specific vendor-monitoring scenarios reported by customers:
PREVENT UNSCHEDULED ACCESS
ObserveIT generated a real-time alert when an external vendor's privileged account was used to log in to a UNIX server on a weekend. The on-call NOC security officer who received the alert immediately began watching the session live in the session recording system. When he saw the logged-in user preparing to upload files via FTP to an IP address outside the network, he terminated the session and notified the company's CISO.
REPORTING ON REMOTE ACCESS
ObserveIT is used to produce a daily activity report for a remote vendor. The report showed a number of logins to a Windows server from an account that had not been used for months, and a quick review of the screen recordings of those sessions showed obviously unauthorized activity, including extensive use of Windows Explorer to browse files on a number of other network servers. The account was immediately disabled and the IP address of the remote computer was handed to law enforcement for further investigation.
MONITORING NEW VENDORS
ObserveIT is used to produce a weekly summary report of the applications run on a company's servers. In one instance the report showed that a remote-control application (TeamViewer), which had no business on a company server, had been installed. An immediate investigation with ObserveIT revealed that a newly hired external vendor had installed TeamViewer on a server storing customer credit card information and configured it to give full control of the machine from any outside computer.
HOW OBSERVEIT HELPS
ObserveIT provides alerting and reporting for numerous types of behavior anomalies that may put your company at risk. Security administrators can run reports and receive real-time alerts about particular user activities that they want to know about, whenever they occur.
Following are some typical scenarios of suspicious vendor activity on which alerts can be generated in ObserveIT:
- Vendors accessing sensitive customer/patient records.
- A vendor accessing a file in a financial statements folder, or any irregular access during non-working hours.
- Vendor running a program or executing a command which grants the user additional permissions (for example, via the su or sudo commands).
- A vendor executing a DROP TABLE or DROP INDEX command on a production database.
- External vendors logging in to database servers during non-working days.
- Vendors browsing sensitive websites from work, or uploading company data to cloud storage.
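As an added example, written for this page rather than taken from ObserveIT's product or its rule syntax, the following Python applies rules of the kinds listed above to a constructed feed of session events. The pipe-separated event format, the `vendor_` account-naming convention, the host names, the sensitive-path and cloud-storage patterns and the sample records are all assumptions. The point it makes is that each alert condition is a small, independently testable predicate over a parsed event, so every alert that fires can be explained.

```python
"""Rule-based alerting over vendor session events (illustrative, not ObserveIT code)."""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed sample feed: timestamp | user | host | event_type | detail
SAMPLE_EVENTS = """\
2024-05-11T02:14:07|vendor_dba|db-prod-01|login|sshd from 203.0.113.9
2024-05-11T02:15:30|vendor_dba|db-prod-01|command|sudo -i
2024-05-11T02:16:02|vendor_dba|db-prod-01|sql|DROP TABLE customers_2023
2024-05-13T10:05:11|jsmith|app-dev-02|command|git pull
2024-05-13T11:42:49|vendor_msp|fs-01|file_access|\\\\fs-01\\Finance\\Statements\\Q1.xlsx
2024-05-13T12:01:00|vendor_msp|fs-01|url|https://drive.example-cloud.test/upload
"""

VENDOR_PREFIX = "vendor_"          # assumption: vendor accounts are named vendor_*
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59, local time of the timestamps
PROD_DB_HOSTS = {"db-prod-01"}     # assumption: production database hosts
SENSITIVE_PATH_RE = re.compile(r"\\Finance\\", re.IGNORECASE)
PRIV_ESC_RE = re.compile(r"^(sudo|su)\b")
DESTRUCTIVE_SQL_RE = re.compile(r"^\s*DROP\s+(TABLE|INDEX)\b", re.IGNORECASE)
CLOUD_UPLOAD_RE = re.compile(r"^https?://[^/]*(drive|dropbox|box|onedrive)[^/]*/", re.IGNORECASE)


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    kind: str
    detail: str


def parse_events(text):
    """Parse the pipe-separated feed; detail may itself contain '|' so split at most 4 times."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, kind, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, host, kind, detail))
    return events


def is_vendor(user):
    return user.startswith(VENDOR_PREFIX)


def off_hours(ts):
    """Weekend, or a weekday outside business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def evaluate(ev):
    """Return the names of all rules one event triggers (empty for non-vendor users)."""
    hits = []
    if not is_vendor(ev.user):
        return hits
    if ev.kind == "login" and off_hours(ev.ts):
        hits.append("vendor_login_off_hours")
    if ev.kind == "login" and ev.host in PROD_DB_HOSTS and ev.ts.weekday() >= 5:
        hits.append("vendor_db_login_weekend")
    if ev.kind == "command" and PRIV_ESC_RE.search(ev.detail):
        hits.append("vendor_privilege_escalation")
    if ev.kind == "sql" and ev.host in PROD_DB_HOSTS and DESTRUCTIVE_SQL_RE.search(ev.detail):
        hits.append("vendor_destructive_sql_prod")
    if ev.kind == "file_access" and SENSITIVE_PATH_RE.search(ev.detail):
        hits.append("vendor_sensitive_file_access")
    if ev.kind == "url" and CLOUD_UPLOAD_RE.search(ev.detail):
        hits.append("vendor_cloud_upload")
    return hits


def run_rules(text):
    """Evaluate every event in the feed; one alert tuple per (event, rule) pair."""
    alerts = []
    for ev in parse_events(text):
        for rule in evaluate(ev):
            alerts.append((ev.ts.isoformat(), ev.user, ev.host, rule))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(*alert)
```

Running it against the sample feed yields six alerts: the Saturday 02:14 login to db-prod-01 fires both the off-hours and the weekend-database rules, the `sudo -i` and `DROP TABLE` that follow fire the privilege-escalation and destructive-SQL rules, and the finance-folder read and cloud-storage URL from vendor_msp fire the remaining two, while jsmith's identical-looking activity fires nothing because the account is not a vendor account. The time-based rules only mean something if the timestamps are normalised to the business's local time before comparison.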
CITRIX XENDESKTOP AND XENSERVER MONITORING
ObserveIT is certified Citrix Ready for recording, searching and replaying user sessions in Citrix XenApp published applications and XenDesktop virtual desktop environments. XenDesktop 7 no longer offers SmartAuditor, so ObserveIT is the natural replacement for Citrix SmartAuditor, providing user session recording, playback and activity search for Citrix XenDesktop and XenServer.
The integration of ObserveIT and Citrix delivers a reliable, full-featured user auditing solution for all XenApp and XenDesktop users. ObserveIT captures screen videos plus text descriptions of every user action, making it easy to quickly review a summary of the user sessions or instantly search for particular moments across thousands of hours of user session recordings.
Whether you are using XenApp (any edition, not just Platinum) or XenDesktop, ObserveIT's solution improves helpdesk support, remote vendor monitoring and regulatory compliance. ObserveIT records user activity in every application and system area, so that security administrators, IT troubleshooters and auditors can replay any session just as if someone had been standing over the user's shoulder with a video camera.
ObserveIT integration with change management solutions is available out of the box. Integrating ObserveIT's session recording system with change management tools gives your organization additional layers of control and monitoring that neither tool provides on its own.
ObserveIT integration with ServiceNow is currently available out of the box (no development effort required). Examples of integration with ticketing systems include:
You can require specific administrators and/or remote vendors to enter a valid ticket number from your change management system before being able to log into specific servers. By linking every login to a particular ticket, unnecessary and unauthorized logins are reduced and there is greater enforcement of segregation of duties.
Once a ticket number is provided as part of the server login process, ObserveIT automatically augments the ticket data with key details about the login session which are only available to ObserveIT. For example, the ticket will include the actual user name used to access the server (based on a secondary identification login which goes beyond generic system admin login accounts), the particular server which was accessed and the exact date/time that the session occurred.
The ticket record will include a direct link to the visual recording of the particular session in which the remote vendor addressed the ticket. This provides the unique ability to visually review exactly how the user addressed the ticket. Linking a video recording of their actions addressing a ticket from within the ticket itself allows faster and easier auditing of the exact actions performed by remote vendors.
When a remote vendor for whom this feature is enabled attempts to log in to a monitored server, a ticket-number prompt appears. The ticket number entered is validated against the change management database in real time before the user is granted access to the system.
Two optional features, configured by the ObserveIT system administrator, can also be enabled on that prompt. Both are a matter of policy and can be set for individual users and/or servers:
- A check box may be shown to allow the creation of a new ticket number on the fly, if the user does not already have one.
- The Skip button may be enabled to allow users to enter a server even without a valid ticket number.
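The login gate and ticket augmentation described in the paragraphs above, as an added example rather than ObserveIT's or ServiceNow's own code. The in-memory `TICKETS` dictionary stands in for the change-management database; the ticket fields, the `GatePolicy` flags that model the create-on-the-fly check box and the Skip button, the session-recording link format and the sample login attempts are all constructed assumptions.

```python
"""Ticket-gated server login with ticket augmentation (illustrative, not ObserveIT code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DEMO_TIME = datetime(2024, 5, 13, 10, 0)   # constructed "now" for the sample attempts

# Constructed stand-in for the change-management database.
TICKETS = {
    "CHG0031415": {"state": "scheduled", "assigned_to": "vendor_dba",
                   "targets": {"db-prod-01"},
                   "window_start": datetime(2024, 5, 13, 9, 0),
                   "window_end": datetime(2024, 5, 13, 12, 0),
                   "work_notes": []},
    "CHG0031416": {"state": "closed", "assigned_to": "vendor_dba",
                   "targets": {"db-prod-01"},
                   "window_start": datetime(2024, 5, 10, 9, 0),
                   "window_end": datetime(2024, 5, 10, 12, 0),
                   "work_notes": []},
}


@dataclass
class GatePolicy:
    allow_new_ticket: bool = False   # the "create a new ticket on the fly" check box
    allow_skip: bool = False         # the "Skip" button


@dataclass
class LoginAttempt:
    user: str             # secondary identification: the real person, not the shared admin account
    system_account: str   # the OS/database account actually used (e.g. oracle, root)
    host: str
    at: datetime
    ticket: Optional[str]
    skip: bool = False


def validate_ticket(ticket_id, attempt):
    """Return (ok, reason). Each check has its own reason so a denial is auditable."""
    t = TICKETS.get(ticket_id)
    if t is None:
        return False, "unknown ticket"
    if t["state"] not in ("scheduled", "in_progress"):
        return False, f"ticket state {t['state']} is not actionable"
    if t["assigned_to"] != attempt.user:
        return False, "ticket not assigned to this user"
    if attempt.host not in t["targets"]:
        return False, "host not in ticket scope"
    if not (t["window_start"] <= attempt.at <= t["window_end"]):
        return False, "outside change window"
    return True, "ok"


def create_ticket(attempt):
    """On-the-fly ticket: assigned to the requester, scoped to this host, four-hour window (assumed)."""
    new_id = f"CHG{len(TICKETS) + 31415:07d}"   # constructed numbering scheme
    TICKETS[new_id] = {"state": "in_progress", "assigned_to": attempt.user,
                       "targets": {attempt.host},
                       "window_start": attempt.at,
                       "window_end": attempt.at + timedelta(hours=4),
                       "work_notes": []}
    return new_id


def augment_ticket(ticket_id, attempt, session_id):
    """Write the session facts only the recorder knows back onto the ticket."""
    TICKETS[ticket_id]["work_notes"].append({
        "actual_user": attempt.user,
        "system_account": attempt.system_account,
        "host": attempt.host,
        "session_start": attempt.at.isoformat(),
        "recording": f"https://observeit.example/session/{session_id}",  # assumed link format
    })


def gate_login(attempt, policy, session_id):
    """Decide whether to admit the session; on admission link the session to its ticket."""
    if attempt.skip:
        if not policy.allow_skip:
            return {"admitted": False, "reason": "skip not permitted", "ticket": None}
        return {"admitted": True, "reason": "ticket check skipped", "ticket": None}
    ticket_id = attempt.ticket
    if ticket_id is None:
        if not policy.allow_new_ticket:
            return {"admitted": False, "reason": "ticket required", "ticket": None}
        ticket_id = create_ticket(attempt)
    ok, reason = validate_ticket(ticket_id, attempt)
    if not ok:
        return {"admitted": False, "reason": reason, "ticket": ticket_id}
    augment_ticket(ticket_id, attempt, session_id)
    return {"admitted": True, "reason": reason, "ticket": ticket_id}


if __name__ == "__main__":
    strict = GatePolicy()
    print(gate_login(LoginAttempt("vendor_dba", "oracle", "db-prod-01", DEMO_TIME, "CHG0031415"), strict, "sess-0001"))
    print(gate_login(LoginAttempt("vendor_dba", "oracle", "db-prod-01", DEMO_TIME, "CHG0031416"), strict, "sess-0002"))
    print(gate_login(LoginAttempt("vendor_msp", "root", "db-prod-01", DEMO_TIME, None, skip=True), strict, "sess-0003"))
```

Validation goes beyond "does the ticket exist": the ticket must be in an actionable state, assigned to the person who identified themselves, scoped to the server being entered, and inside its change window, and each failure returns a distinct reason for the audit trail. Note what the two optional policies cost. With the Skip button enabled the session is admitted with no ticket linkage at all, so the segregation-of-duties benefit disappears for that login; with on-the-fly creation enabled, the requester effectively approves their own change. If either is enabled for a user or server, treat those sessions as exceptions to be reviewed from the recording rather than as ordinary ticketed work.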