WHAT’S NEW IN OBSERVEIT 7.5 · web-control.ru/f/observeit-whats-new-in-75.pdf · 2020-04-09


ObserveIT ⬥ WHAT’S NEW IN OBSERVEIT 7.5 1

WHAT’S NEW IN OBSERVEIT 7.5

The ObserveIT 7.5 release is an important milestone for ObserveIT’s Insider Threat Management solution. The exciting new features and functionality will help your security teams to identify, investigate, and eliminate insider threats. This latest release advances our modern approach to insider threat detection and prevention for the post-DLP world, bringing user activity and data activity together with analytics. ObserveIT can now protect organizations against one of the most popular ways for users to exfiltrate data – uploading files to the web.

Whether the file was originally downloaded from a company website/portal and tracked by ObserveIT, or whether it is just a file stored on a local disk or shared network drive – ObserveIT 7.5 can now detect and alert when the file is being uploaded to the web – covering a huge spectrum of data exfiltration scenarios, such as emailing sensitive files to personal webmail, uploading to cloud storage websites, social media, collaboration sites and more.

Adding the new file upload capabilities to the existing capabilities of monitoring and tracking files that were downloaded via a browser, plus monitoring attempts to move such files to a cloud storage sync folder – ObserveIT 7.5 now provides an end-to-end solution for monitoring file activity over the web, as presented in the following diagram:

ObserveIT 7.5 helps Security Analysts and Investigators to identify and resolve incidents faster by exposing File Activity Meta-data (FAM) in more modules across the Management Console, specifically in Search and Video Player.


ObserveIT 7.5 keeps improving the scalability of the product by dramatically cutting down archive processing time. Reducing the size of meta-data sent from agents to the backend servers helps to better utilize existing infrastructure (lower TCO) and increase performance.

ObserveIT 7.5 integrates better with security tools and processes by adopting an API-first approach. Additionally, it introduces modern and faster APIs to retrieve recorded meta-data and aggregated User Activity Profile (UAP) data to be used by SIEM and analytic products. All APIs are available from a new Developer Portal.

ObserveIT 7.5 keeps improving the Mac agent as the demand for monitoring users on Mac is growing. Printing activity is now monitored on Mac, and user activity on Mac can be easily detected using new icons in the Management Console.


OBSERVEIT 7.5 KEY NEW FEATURES

Monitor any file being uploaded to web – detect and stop data exfiltration

✓ Monitor and alert on any file being uploaded to any website.

✓ Alert by specific websites or web categories (e.g. Web Mail).

✓ For tracked files (originally downloaded from web) – a full history of the uploaded file is available.

FAM & enriched context across the Management Console – faster investigation

✓ Search now includes FAM data as searching options and in the results list.

✓ Activity list in Video Player shows application context and FAM data.

Exclude website categories from being recorded – protect employee privacy

✓ Control which specific web categories to record, exclude, or record as meta-data only.

Integration and Enterprise Readiness – address IT and security needs raised by customers

✓ Significantly cut down the time it takes to archive screenshot data stored on the file system.

✓ New Report & Analytics APIs (SIEM and UAP) and new Authentication API.

✓ Manage endpoints by their machine IP address (in addition to endpoint name).

Insider Threat Library (ITL) – out of the box rules to detect insider threats

✓ 66 new rules added, detecting more threats on all supported platforms.

✓ Enriched content of out-of-the-box (OOB) lists with more suspicious tools to detect, also on Mac.

Mac Agent – more data exfiltration scenarios and easier investigation

✓ Monitor printing activity on Mac.

✓ Mac icon and OS type are used across the Management Console.


DATA EXFILTRATION: MONITOR FILE UPLOADS TO THE WEB

A common way to take data out is by uploading files to external websites. Whether sending a file with sensitive data to your personal webmail (e.g. Gmail), attaching it to a Facebook or LinkedIn message, uploading the file to your Google Drive, or sending it to your personal email address via WeTransfer – there are millions of easy ways for someone to exfiltrate data by simply using a web browser and an internet connection.

Organizations can block access to some of the known channels; however, this might impact everyday business, as some of the websites are legitimately used from time to time. In addition, there are too many websites to manage, and new sites are introduced quite often.

ObserveIT 7.5 monitors any attempt to upload a file to any website. Now you can:

➢ Alert when a tracked file is sent out as a webmail attachment (e.g. Gmail).

➢ Alert when any sensitive file is uploaded to social media sites, file sharing, cloud storage or any other website.

➢ Educate and deter users by displaying just-in-time warnings or blocking messages when a suspicious upload activity is detected.

➢ Track the full history of the uploaded tracked file – back to the original download site (if the file was originally downloaded from web).

➢ Easily search uploaded files by their name, location, target website, uploading user, and more.

➢ For tracked files you can also search by the original file name and original website. For example, you can search for the following activity using the File Diary: “Show all file uploads by John, but only those files that were originally downloaded from Salesforce as Excel files”. Even if the user renamed the file before the upload, ObserveIT will still know that this file is originally an Excel file that was downloaded from Salesforce.


Monitoring files uploaded to any website

Alerts on file uploads are very flexible. You can define alerts based on:

➢ File name, e.g. any file name containing “strategy”

➢ File type, e.g. file names ending with “.xls” or “.xlsx”

➢ Target website or web category, e.g. “facebook.com” or “Social Media Site”

➢ File location, e.g. “\\fileshare\finance\payments\2018”

➢ For tracked files, you can also alert based on the original file name and the website it was downloaded from.


Example: Alert on any downloaded MS-Office file being uploaded to any webmail, social, IM, or cloud storage website – except for box.com (which is used for in-house file collaboration)
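The alert criteria listed above and the box.com example, together with the renamed-file case from the File Diary question on the previous page, worked through as an added Python example (not ObserveIT code; the host-to-category map, the hostnames, and the rule and event fields are constructed assumptions standing in for the product’s own data model):

```python
from dataclasses import dataclass
from fnmatch import fnmatch
# Constructed host-to-category map standing in for ObserveIT's URL categorizer.
WEB_CATEGORIES = {
    "mail.google.com": "Web Mail",
    "www.facebook.com": "Social Media Site",
    "drive.google.com": "Cloud Storage",
    "app.box.com": "Cloud Storage",
    "sharepoint.example.internal": "Enterprise Web Application",
}
OFFICE_EXTENSIONS = ("*.doc", "*.docx", "*.xls", "*.xlsx", "*.ppt", "*.pptx")

@dataclass
class UploadEvent:            # one FAM file-upload record (constructed shape)
    user: str
    file_name: str            # name at upload time, possibly renamed by the user
    target_site: str          # host the file is uploaded to
    original_name: str = ""   # tracked files only: name when downloaded
    original_site: str = ""   # tracked files only: host it was downloaded from

@dataclass
class UploadRule:
    name: str
    name_patterns: tuple = ()   # globs matched against current OR original name
    categories: tuple = ()      # fire only for these target web categories
    excluded_sites: tuple = ()  # sanctioned sites, e.g. in-house box.com
    original_sites: tuple = ()  # tracked files only: required download hosts

    def matches(self, ev: UploadEvent) -> bool:
        if ev.target_site in self.excluded_sites:
            return False
        if self.categories and WEB_CATEGORIES.get(ev.target_site) not in self.categories:
            return False
        # A rename before upload does not hide a tracked file: the original
        # download name is checked alongside the current name.
        names = [ev.file_name] + ([ev.original_name] if ev.original_name else [])
        if self.name_patterns and not any(
                fnmatch(n.lower(), p) for n in names for p in self.name_patterns):
            return False
        return not self.original_sites or ev.original_site in self.original_sites

RULES = [
    UploadRule("Office file uploaded to personal web service", name_patterns=OFFICE_EXTENSIONS,
               categories=("Web Mail", "Social Media Site", "Cloud Storage"),
               excluded_sites=("app.box.com",)),
    UploadRule("Salesforce Excel export uploaded",  # the File Diary question from the text
               name_patterns=("*.xls", "*.xlsx"), original_sites=("example.my.salesforce.com",)),
]

SAMPLE_EVENTS = [  # constructed; the second file was renamed after download
    UploadEvent("john", "q3-report.xlsx", "mail.google.com"),
    UploadEvent("john", "notes.txt", "mail.google.com",
                original_name="accounts-export.xlsx", original_site="example.my.salesforce.com"),
    UploadEvent("dana", "plan.docx", "app.box.com"),
    UploadEvent("dana", "plan.docx", "sharepoint.example.internal"),
]

def alerts_for(events=SAMPLE_EVENTS, rules=RULES):
    # (rule name, user, file name) for every rule that fires on an event
    return [(r.name, ev.user, ev.file_name) for ev in events for r in rules if r.matches(ev)]
```

The upload to the sanctioned box.com host and the upload to the internal enterprise web application produce no alert, while the renamed Salesforce export fires both rules.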


SEARCH: INCLUDES FILE ACTIVITY METADATA (FAM)

Security analysts can now search for any user or data activity including file downloads & uploads, copy to cloud, and more.

FAM data is integrated into the Search module allowing you to:

➢ View search results for file activity together with all other user activity

➢ Find specific data activity (e.g. file download, upload) from the Search window. No need to go to the File Diary for that.

For example, searching for “roadmap.pptx” will return any user or data activity related to the file name:

➢ Any download of “roadmap.pptx”

➢ Any upload of “roadmap.pptx”

➢ Any copy/move of “roadmap.pptx”

➢ Copy of “roadmap.pptx” to one of the supported Cloud vendor’s sync folders

➢ Printing of “roadmap.pptx”

➢ Renaming or deleting the file (in case of a tracked file)

➢ Viewing the file, e.g. Window title contains “roadmap.pptx”

➢ Using “roadmap.pptx” as part of a URL address

➢ Using “roadmap.pptx” as part of a command line


New search options help you to quickly focus on both User and Data Activity

VIDEO PLAYER: RICHER CONTEXT IN USER ACTIVITY LIST

During session playback, it is important to see the full context of what happened throughout the session. ObserveIT 7.5 helps Security Analysts and Investigators to respond faster by providing richer context in the user activity list:

➢ Application / Website: every activity now shows the application (or website for web activity) in which the activity occurred.

➢ FAM data: FAM data activity, such as file download, upload, copy to cloud, etc., is now displayed together with all other user activities and in the right chronological order.

Monitoring files uploaded to any website


ARCHIVE: SIGNIFICANTLY REDUCE PROCESSING TIME

As the size of ObserveIT deployments grows, the time it takes to archive or delete the recorded screenshots grows as well. ObserveIT 7.5 redesigns the way screenshot data is stored on the file system to significantly reduce archive processing time – especially in large deployments.

ObserveIT 7.5 can Archive or Delete up to 6 times faster compared to earlier releases, allowing customers to complete processing within the allocated nightly batch window.

This improvement is relevant for video recording with screenshots stored in the file system.

The performance improvement is achieved by packing each completed session into a single file – copying or deleting one packed file per session is much faster than copying or deleting the many individual image files it replaces.

To enable the new capability, you need to select the appropriate storage mode as shown below.

Configuring Screen Storage Optimization for best performance


PRIVACY: EXCLUDE WEBSITE CATEGORIES FROM BEING RECORDED

Protecting employee privacy is an important goal for our customers – and therefore for us.

It is sometimes required not to record certain types of websites that are considered personal and are often not related to work (e.g. Social Media, Financial Products).

ObserveIT 7.5 allows you to exclude such websites from being recorded by simply identifying the web category you wish to exclude. Using our website categorization capabilities, ObserveIT can match any URL visited by the user to the right category.

You can also decide to record only meta-data (i.e. no video) for the selected categories, so you still have meta-data for detection and investigation – and turn on video only upon alert.

If needed, you can also decide to record only certain web categories.

Excluding personal website categories from being fully recorded


INTEGRATIONS: DEVELOPER PORTAL

ObserveIT is deeply integrated within the security fabric of organizations, with native integrations into top software and systems.

With ObserveIT 7.5, we’re launching a revamped developer portal that enables our customers and partners to easily build or extend integrations with top SIEM, security automation and orchestration, and ticketing solutions. Besides the out of the box native apps for Splunk, IBM QRadar, LogRhythm, and others, developers can use the RESTful APIs to access comprehensive metadata around users and their data activity with real-time alerts.

ObserveIT Developer Portal


The new Developer Portal supports the following RESTful APIs:

API                          Description
Report API                   User activity and alerts exported to SIEM, analytics, orchestration, and other tools. Note: exporting data to SIEM works about 20 times faster in ObserveIT 7.5.
Report Analytics API (UAP)   Aggregated activity time spent by the user in applications, websites, endpoints, etc.
Authentication API           OAuth2-based API
Control API                  List management API

ITL: NEW AND ENHANCED OUT-OF-THE-BOX RULES

ObserveIT’s Insider Threat Library (ITL) is a set of hundreds of out-of-the-box rules that detect 30 categories of insider threats. Based on feedback from our customers and from market researchers (e.g. CERT), we keep improving the ITL to better identify and eliminate insider threats.

ObserveIT 7.5 introduces 66 additional rules, bringing the total to over 300 ITL rules.

New ITL alerts include:

➢ Exfiltrating ANY file by uploading to web (not just tracked)

➢ Exfiltrating data via command line (ftp, curl, etc.)

➢ Mac specific: Sensitive logins, machine takeover, creating backdoors, etc.

➢ Disabled users (ex-employees) logging in

➢ Messing with ObserveIT libraries/processes

➢ Suspicious activity in Docker & Container environments (Unix/Linux)

➢ Performing suspicious activity in Git

Many of the rules are based on lists (e.g. Sniffing Tools) for easier management and reuse. ObserveIT keeps updating the lists to catch up with market changes and to align them with newly supported agent platforms.


New and enhanced ITL lists include:

➢ Disabled users (ex-employees)

➢ Port scanning

➢ Hacking & password cracking tools

➢ VPN tools

➢ Steganography

➢ Enterprise web applications

➢ Cloud backup tools

➢ P2P tools

➢ Remote login utilities

➢ SQL tools

➢ Command line tools

➢ Unauthorized commands

MANAGE ENDPOINTS BY MACHINE IP

Some IT organizations prefer to manage their endpoints by their machine IP address rather than by the machine name.

In the previous release (7.4) we added support for IP ranges (CIDR), while in ObserveIT 7.5 we simplify agent management and the investigation process by adding the option to display endpoint IP addresses across the Management Console (Diaries, Search, Reports, Alerts, etc.) – in addition to the endpoint name.

Showing endpoint IP address in the Endpoint Diary


As one endpoint can have multiple IP addresses, the displayed IP address is the one used by the agent to connect to the Application Server. This new capability is relevant when the IP address is fixed and not dynamic.

MAC AGENT ENHANCEMENTS

ObserveIT 7.5 introduces a better Mac agent that can detect data exfiltration done via printing. In addition, the visibility of Mac endpoints and user activity in the Management Console is enhanced.

MONITORING PRINTING ACTIVITY

Printing is still a common way for users to take data out. ObserveIT 7.5 introduces a new capability to monitor printing activity on Mac, allowing customers to search and report on any printing activity, and to define alerts on suspicious printing activity.

The meta-data collected on printing includes:

➢ Printer name

➢ Document name

➢ Number of pages sent to the printer

MAC PRESENCE IN THE MANAGEMENT CONSOLE

To make the management of Mac endpoints easier, and to make investigation faster, ObserveIT 7.5 displays a Mac icon near recorded Mac sessions, Mac endpoints, Mac endpoint groups, etc. Mac OS type is available in various filters to quickly focus on Mac-specific activity.


Mac endpoints and user activity easily spotted with new Mac icon


NEW PLATFORMS

ObserveIT 7.5 supports recently introduced platforms to allow maximum coverage across the organization.

Product Component   New Platforms
Windows agent       DBA Activity support for Microsoft SSMS 17.1, 17.2, 17.3
Citrix agent        XenDesktop and XenApp 7.15
Linux agent         Oracle Linux 6.9; Debian 9; Amazon Linux 2017.09
Database Server     Microsoft SQL Server 2017 *

* Microsoft SQL Server 2008 is no longer supported.