HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS
The 20 Critical Security Controls published by the SANS Institute are a practical set of
tactics focused on protecting an organization’s IT infrastructure against the most
common security risks. Hundreds of organizations, including the US National Security
Agency, the British Centre for the Protection of National Infrastructure, and the US
Department of Homeland Security Federal Network Security Program, have shifted
from a compliance focus to a security focus by adopting these controls. SANS’ 20 Critical
Controls reflect the consensus of major organizations with a deep understanding of how cyber-attacks are carried
out in the real world, why the attacks succeed, and what specific controls can stop them or mitigate their damage.
ObserveIT’s User Activity Monitoring solution addresses many of the 20 Critical Controls in ways that go well beyond
the essential technical requirements. Even once organizations have satisfactorily secured their servers and
applications from external attacks, the user activity threat remains in full force. This is because the company’s
employees, administrators and contractors are authorized to operate inside the security perimeter, rendering most
traditional security mechanisms nearly useless. It is the activities of authorized users (or outsiders who manage to
gain access to authorized user accounts) within applications that pose the greatest IT security risk. Both industry
research and the rapidly-growing list of incidents in the news confirm this unfortunate reality.
Read on to learn how ObserveIT’s User Activity Monitoring solution addresses 7 of the 20 SANS Critical Security
Controls.
CSC #2: Inventory of Authorized and Unauthorized Software
CSC 2-4 specifies: "Deploy software inventory tools throughout the organization covering each of the operating system
types in use, including servers, workstations, and laptops."
As part of its User Activity Monitoring functionality, ObserveIT captures the name of every application run by every
user on every monitored server and desktop. This makes it easy to automatically run periodic reports (which are
sent to designated recipients) listing every application used during a given time period. These reports include all the
users who ran each application and even a video button that plays back the screen recording of the selected time
that the application was run. This makes it child’s play for an administrator to quickly determine if any application
usage posed a danger to the organization.
Here is a portion of such a report:
OBSERVEIT  HOW OBSERVEIT ADDRESSES 7 OF THE SANS 20 CRITICAL SECURITY CONTROLS
1
CSC 2-3 specifies: "Perform regular scanning for unauthorized software and generate alerts when it is discovered on
a system", and CSC 2-6 specifies: "Dangerous file types (e.g., .exe, .zip, .msi) should be closely monitored."
ObserveIT’s rule-based alerts feature is ideally suited to both these controls: by defining lists of application names
and/or file types (or even the actual names of sensitive files), administrators can receive real-time notifications any
time any user accesses one of the specified applications, file names or file types. A definition for this kind of alert
rule might appear like this:
CSC #4: Continuous Vulnerability Assessment and Remediation, and
CSC #16: Account Monitoring and Control
Assessing the vulnerability of network, hardware and software infrastructure is critical, but so is assessing the risks
posed by users and their activities in applications and servers. Likewise, it is critical to monitor user accounts and to
profile usage patterns of user accounts (as enumerated in CSC 16-5, Regularly monitor the use of all accounts, and
CSC 16-13, Profile each user's typical account usage).
ObserveIT’s User Behavior Analytics helps to secure a company’s data and systems by automatically and
continuously profiling the behavior of every user. After initially profiling the typical, expected behavior of each type
of user (and even individual users), these systems are able to automatically detect behavioral anomalies that may
indicate negligent or fraudulent activities.
For example, if a hacker gains access to a login account, his behavior will look very different from that of the real
business or IT user who normally logs in with that account. Another example is a user who suddenly accesses new
resources for the first time, or runs unusually large reports. There are numerous types of behavior anomalies
that may trigger detection. Examples include:
• running unusual applications
• accessing unusual systems, files or other resources
• performing unusual types of operations or running rarely-used commands
• generating larger-than-usual reports
• executing a larger number of actions than usual within a given time frame
• accessing systems from unusual client machines
• logging in outside normal/expected hours of the day or days of the week
ObserveIT’s User Behavior Analytics detects these behavioral irregularities and alerts IT security staff about them in
real time. The security administrator can then observe the suspicious user session via a streaming video broadcast
of the user’s desktop, or review the user activity logs generated by the current session (and past sessions). If deemed
necessary, administrators can instant-message the user via the desktop or even shut down the session from within
the same interface.
For lower-severity incidents, such as non-critical out-of-policy behaviors, administrators can later review session
transcripts and/or videos to determine if irresponsible or dangerous activities had taken place.
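As an added example (not ObserveIT's code), the following Python sketches the two detection styles this paper describes: the static watch-list rules of CSC 2-3/2-6 (application names and dangerous file types) and the per-account baselines of CSC 16-5/16-13 that flag the anomaly types listed above. The log format, sample records, account names and the watch-list are all constructed for illustration.

```python
# Added example (not ObserveIT code); records are constructed as timestamp|user|host|app|file|actions
import os
from collections import defaultdict
from datetime import datetime

BASELINE_LOG = """\
2015-03-02T09:05|jdoe|fin-app01|excel.exe|q1_forecast.xlsx|40
2015-03-03T09:20|jdoe|fin-app01|excel.exe|q1_actuals.xlsx|55
2015-03-04T10:10|jdoe|fin-app01|outlook.exe|-|30
2015-03-02T08:50|rroot|db-prod02|sqlplus|-|120
2015-03-03T09:00|rroot|db-prod02|sqlplus|-|95
"""
TODAY_LOG = """\
2015-03-05T02:15|jdoe|fin-app01|excel.exe|customers_export.xlsx|310
2015-03-05T09:30|rroot|db-prod02|sqlplus|-|100
2015-03-05T11:00|rroot|hr-app07|psexec.exe|payroll.zip|20
"""
WATCHED_APPS = {"psexec.exe", "teamviewer.exe"}  # assumed watch-list (CSC 2-3)
DANGEROUS_EXTS = {".exe", ".zip", ".msi"}         # the file types quoted from CSC 2-6


def parse(log):
    recs = []
    for line in log.strip().splitlines():
        ts, user, host, app, path, actions = line.split("|")
        recs.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                     "app": app, "file": path, "actions": int(actions)})
    return recs


def rule_alerts(records):
    """CSC 2-3 / 2-6: alert on a watched application name or a dangerous file type."""
    alerts = []
    for r in records:
        if r["app"].lower() in WATCHED_APPS:
            alerts.append((r["user"], "watched application: " + r["app"]))
        if os.path.splitext(r["file"])[1].lower() in DANGEROUS_EXTS:
            alerts.append((r["user"], "dangerous file type: " + r["file"]))
    return alerts


def build_profiles(records):
    """CSC 16-13: per account, the apps, hosts, login hours and volumes seen so far."""
    prof = defaultdict(lambda: {"apps": set(), "hosts": set(), "hours": set(), "vol": []})
    for r in records:
        p = prof[r["user"]]
        p["apps"].add(r["app"])
        p["hosts"].add(r["host"])
        p["hours"].add(r["ts"].hour)
        p["vol"].append(r["actions"])
    return dict(prof)


def anomaly_alerts(records, profiles, spike=3.0):
    """CSC 16-5: flag the anomaly types listed above against each account's profile."""
    alerts = []
    for r in records:
        p = profiles.get(r["user"])
        if p is None:  # an account with no history cannot be profiled; surface it
            alerts.append((r["user"], "no baseline for account"))
            continue
        if r["app"] not in p["apps"]:
            alerts.append((r["user"], "unusual application: " + r["app"]))
        if r["host"] not in p["hosts"]:
            alerts.append((r["user"], "unusual system: " + r["host"]))
        if not min(p["hours"]) <= r["ts"].hour <= max(p["hours"]):  # outside seen hours
            alerts.append((r["user"], "login outside normal hours: %02d:00" % r["ts"].hour))
        if r["actions"] > spike * sum(p["vol"]) / len(p["vol"]):  # far above usual volume
            alerts.append((r["user"], "action volume spike: %d" % r["actions"]))
    return alerts


def run():
    """Profile the baseline window, then check today's sessions; returns (user, reason) pairs."""
    today = parse(TODAY_LOG)
    return rule_alerts(today) + anomaly_alerts(today, build_profiles(parse(BASELINE_LOG)))
```

Calling run() on the constructed data yields two watch-list hits for the psexec/payroll.zip session and five baseline deviations (off-hours login and volume spike for jdoe; new application, new system and off-hours login for rroot), while rroot's routine morning sqlplus session raises nothing.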
CSC #6: Application Software Security
Despite an organization's best efforts to ensure that the software used on its networks is secure and that the
latest patches/upgrades are applied, software vulnerabilities are inevitable. This is true both because software may
still contain weaknesses that attackers can exploit, and because even hardened software can be abused by the users
authorized to use it. For both reasons, it is critical to continuously monitor all user activity within applications.
Whether by negligence, carelessness or malicious intent, employees and contractors alike can do things within
applications that threaten a company’s data and systems. It is extremely difficult to identify unauthorized activity
among authorized users, given the large number of actions performed every day by all types of users. However,
when organizations fail to notice abnormal activity patterns in the context of IT and business user actions, both
hackers and internal malicious users are able to steal, leak or destroy valuable data.
Examples of IT administrator activities that can impact the security of an organization include:
• Making changes to configuration files that can cause systems to fail
• Creating unauthorized local or remote access accounts (e.g., VPN or SSH)
• Escalating privileges on Unix/Linux machines using sudo
• Changing the administrator or root password
• Using admin credentials on one machine to "leapfrog" to a more restricted machine
• Installing "backdoors" to enable later penetration
• Running malicious code that causes denial of service (DoS) to critical services
• Tampering with data by intentionally modifying data or code
Examples of business user activities that can impact the security of an organization include:
• Running a report in an application that exports a huge amount of sensitive data
• "Innocently" uploading sensitive data to a third-party cloud application, exposing it in various ways
• Deliberately sharing sensitive data with others via email, cloud application, thumb drive, etc.
• Installing a remote desktop application to work from home, thus opening a remote back door into the network
• Responding to a phishing email, thus granting network access to a hacker
• Visiting unauthorized websites that could install malware on the network
ObserveIT addresses this gaping security gap with a combination of:
Configurable real-time alerts – Security administrators can manually define any number of simple or complex “alert
rules” to generate real-time alerts about particular user activities that they want to know about, whenever they
occur. When user-based attacks occur, every second counts. The longer a threat goes undetected, the more damage
a company will incur in terms of both financial costs and brand reputation. Without the ability to monitor user
activity in real time, companies will continue to suffer from undetected user-based breaches, significantly increasing
the scope and costs of those breaches.
Bullet-proof IT forensics – ObserveIT provides fast, easy and incontrovertible evidence of all actions performed
within applications. Keyword-searchable user activity logs and session screen recordings are invaluable for IT
troubleshooting, root cause analysis and incident investigations. If user actions are responsible for a system failure,
data leak or any other incident, administrators will be able to quickly discover exactly who did what, where, when
and how.
The deterrence factor – ObserveIT’s User Activity Monitoring has an effect similar to “speed cams” on the highway:
because users are informed upon every login that their actions are being monitored and recorded, instances of
unsanctioned and reckless activity fall dramatically. This is not theoretical; system and security administrators
consistently report that, after deploying User Activity Monitoring, employees and contractors alike exhibit much
more cautious behavior when accessing sensitive data and systems.
CSC #10: Secure Configurations for Network Devices
CSC 10-3: Use automated tools to verify standard device configurations and detect changes. All alterations to such
files should be automatically reported to security personnel.
ObserveIT allows administrators to visually record, replay, monitor and audit all configuration changes made to
network devices. Network devices – including switches, routers, hubs, firewalls and IP telephony exchanges – are
the backbone on which businesses run. While making changes to the configuration settings of these sensitive devices
is frequently necessary, both human error and malicious intent by those with administrative access have the
potential to cause disaster. The most common way these changes are tracked today is by accessing the logs
maintained by these devices. However, these logs are very technical and were designed by developers for debug
purposes – and not to provide the types of information of interest to IT admins, security officers and auditors.
Because these logs are so difficult and time-consuming to understand, they are not very useful for most investigation
and decision-making processes.
ObserveIT offers an easy-to-understand visual monitoring and auditing solution for network device configuration
changes, featuring:
• Full recording and playback of every user action while working in configuration utilities
• Keyword-searchable activity logs of all keyboard activity, mouse clicks and on-screen output
• Custom alerts based on user-definable granular triggers
• Tight integration with log management, SIEM, network monitoring and IT ticketing systems
If not already the case in the organization, access to all device configuration user interfaces should be restricted to
access via a gateway (e.g., Unix/Linux using SSH, Windows Terminal Server, Citrix). The ObserveIT agent software is
installed on the gateway and configured to record all user activity performed while configuring network devices.
ObserveIT then generates a comprehensive record of all user activity, including screen video recordings, detailed
(searchable) user action log data and easy-to-read summary reports of every session.
An additional advantage of this approach is that users can be restricted from logging into a particular device's
configuration utility unless they have a valid ticket number from an IT ticketing system (ObserveIT validates the
supplied ticket number against ticketing systems such as ServiceNow in real time). Furthermore, all ObserveIT
activity data can be incorporated into a SIEM or network monitoring system for user activity reporting within those
environments.
CSC #12: Controlled Use of Administrative Privileges
CSC 12: The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of
administrative privileges on computers, networks, and applications.
As recommended by the controls specified in CSC 12, it is very important to minimize the use of privileged accounts
within the organization, to enforce strict password controls, to implement two-factor authentication and to ensure
that there is executive-level approval of all privileged accounts. However, even once all of these recommendations
have been implemented, two important gaps remain:
1. Identification of the actual people logging in using shared administrator accounts (such as administrator,
   dba, sa and root) – it is not enough to log that someone logged in to a system using a shared administrator
   account; it is very important to know who logged in using that account.
2. Visibility into what users are doing once they've logged in to sensitive systems using privileged credentials
   – the use of administrator accounts will always be necessary; it is very important to monitor and record
   user activity once they've logged in – and to generate real-time alerts when suspicious activities are
   detected.
ObserveIT comprehensively addresses both of these requirements:
ObserveIT Secondary Identification – ObserveIT features a built-in "privileged user identification" solution which
ensures unambiguous identification of individual users accessing shared accounts. After logging in to a Windows or
Unix/Linux server using a shared account, ObserveIT requires valid individual credentials as well. (When logging into
a server using a named-user account, this secondary identification window does not appear.) This is how it appears
in Windows:
Not only does this approach record the name of the actual person logging in to a server using a shared administrator
account, it is also a form of two-factor authentication: even if a hacker were to gain access to the password for an
administrator account, he would not be able to log in without a user’s individual credentials.
Screen capture recording and user activity logging – ObserveIT provides unparalleled visibility into everything that
users are doing on company servers. From the moment that a privileged user logs in until the last keystroke or mouse
click of the session, ObserveIT records every screen for later (or real-time streaming) video-like play-back. The
software also captures an easy-to-read user activity log so that watching the video is not necessary to get a basic
understanding of what the user was up to during the session.
Furthermore, the software provides keyword-based search of all activity logs and screen video recordings, making it
easy to find any action of interest from among thousands of hours of session recordings. Security administrators and
auditors can search by the names of applications run, the titles of windows opened, commands executed,
files/resources accessed, text typed/pasted/auto-corrected, checkboxes and radio buttons clicked and much more.
Finally, real-time alerts provide immediate awareness of suspicious, dangerous and out-of-policy behaviors.
Only this level of visibility ensures that accounts are not being abused by employees, contractors or hackers.
CSC #14: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 14: Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an
attack.
The specific CSC control implementations relate to system logs, such as those generated by operating systems,
network devices, firewalls, IDS/IPS, proxies and remote access systems. While it is very important to correlate,
monitor and audit these logs, the fact is that they focus on infrastructure and thus leave open a huge security blind
spot: user activity. This blind spot is the result of three main factors:
1. Logging data is only available from systems, devices and applications which generate logs. Because many
   critical user actions do not generate any logs at all, there is no data to analyze.
2. The available log data was designed mostly for the purposes of debugging and tracking system changes,
   and is not suited for understanding and tracking user activity.
3. Logs typically contain hundreds or thousands of discrete events in obscure technical language, while
   relying on complex and unreliable correlations, making it nearly impossible for anyone but a top security
   expert with lots of time (and a specific purpose) to determine or infer what a user actually did.
To effectively address user-based risks, it is critical for organizations to understand exactly what users are doing with
company systems, data and applications. Adding ObserveIT’s User Activity Monitoring to an organization’s existing
security ecosystem fills this critical cyber-security gap and dramatically reduces the time it takes to identify and
respond to suspicious user activity, security incidents and data breaches.
By integrating ObserveIT's User Activity Monitoring with existing log management, SIEM, IAM and ITSM solutions,
organizations gain a complete user- and infrastructure-based security view. Instead of investigating security incidents
by drilling down into arcane system logs, security administrators can simply click into actual video playback of user
activity at any particular point in time. Also gained is the ability to integrate user-based alerting and reporting. In
addition to streamlining incident response for system- and infrastructure-level issues, organizations gain complete
visibility into user-based risks and attacks to which they were completely blind before.
WHAT IS USER ACTIVITY MONITORING?
ObserveIT’s User Activity Monitoring system generates video recordings of every user session, providing
unparalleled insight into what is being done on company servers and desktops. Whereas standard logs collect data
on server and network activity, session recordings and logs focus on the user activity within the operating system
and every application (commercial, bespoke, legacy and cloud). This granular, user-focused monitoring capability
offers a detailed and invaluable tool with which to understand what application users, administrators and remote
contractors are doing on monitored servers.
ObserveIT goes far beyond simply recording the on-screen activity to video: the software transcribes every session
into an easy-to-read user activity log so that watching the video isn’t necessary to know what the user did. Clicking
on any particular event in the log launches the video playback from that exact moment.
This activity analysis is also used to generate keyword-searchable video indexes, real-time user activity alerts and
comprehensive user activity reporting.
Integration with other systems – including log analysis, security information and event monitoring (SIEM), access
control and IT ticketing systems – further leverages the value of the session recordings and text logs by making them
readily available when and where they are needed. Learn more about ObserveIT at www.observeit.com.
ZERO-GAP MONITORING, ANALYSIS, ALERTING AND INTERVENTION
ObserveIT monitors, records and analyzes all user activity in every application, webpage and
window, over any connection method (Remote Desktop, Terminal Services, GoToMyPC, LogMeIn,
PC Anywhere, local login, etc.). ObserveIT also records Windows sessions running as Citrix
published applications, in Citrix virtual desktops and VMware environments, as well as standalone Windows, Unix/Linux desktops and servers. Addressing a major security gap in most
organizations, ObserveIT generates user activity logs and screen recordings for commercial,
legacy, bespoke and cloud apps, including those with no internal logging facilities of their own.
Administrators can watch live sessions and can even lock a session and user account from within
ObserveIT if they wish to immediately stop a suspicious activity. This is particularly useful in the event that the system
generates a real-time alert: the administrator receiving the alert can view all activity occurring in the live session
screen, rewind to see the actions that led up to the alert and take immediate action to halt the session.
Additionally, the recordings and resulting user activity logs are valuable for root cause analysis, ad hoc IT forensics
and regulatory compliance audit reporting. Reports can be customized to specific business needs and can be
scheduled or run on demand.
LOW RESOURCE REQUIREMENTS
ObserveIT utilizes ultra-efficient data storage, requiring less than 250GB/year for a high-usage, 1000-server
environment. The local agents have a minimal footprint of 1%-2% CPU utilization, 10 MB RAM during session and
0% CPU when users are inactive.
OBSERVEIT FEATURE HIGHLIGHTS
• Screen capture recording plus video activity analysis for searchable, text-based logging of all user activity
• Real-time alerts provide immediate awareness of suspicious, dangerous and out-of-policy behavior
• Advanced keylogging enables keyword searching to instantly find any on-screen mouse or keyboard action
• Records actions in all system areas and all apps – zero-gap recording of all commercial, legacy, bespoke and
  cloud apps plus all system areas
• Supports all connection methods, including local login, Remote Desktop, Terminal Services, PC Anywhere, Citrix,
  VMware, VNC, Dameware, etc.
• SIEM, NMS and IT ticketing system integration for better security and easier investigations – including direct
  links to session replay and user activity logs
• Privileged User Identification, without requiring password rotation or check-in/check-out
• Threat detection console detects and pinpoints suspicious activity
• DBA Activity Audit monitors and audits all SQL queries executed by DBAs against production databases
• Pre-built and customizable audit reports can be exported to Excel or XML, or scheduled to run automatically for
  email delivery
TRUSTED BY 1200+ CUSTOMERS
OBSERVEIT
IDENTIFY AND MANAGE USER-BASED RISK
Start monitoring in minutes, free:
www.observeit.com/tryitnow