ObserveIT
Product Applications

Insider threat detection, alerting, interruption/blocking, and evidence collection

Alert rule groups

Alert rules

Logins at abnormal hours
  • Remote or local logins outside normal working hours.
  • Logins from abnormal remote source IP addresses.
Browsing internal sensitive-information platforms or high-risk external websites
  • Browsing of internal sensitive-information platform URLs and high-risk external website URLs (custom allowlists/blocklists can be imported, or the built-in malicious-website category database can be integrated).
Unauthorized copying of sensitive data to external storage devices or uploading to external cloud drives
  • Use of FTP applications, commands, or FTP URLs.
  • Drag-and-drop or keyboard-shortcut copying of files to external storage devices, cloud drives, and similar destinations.
Sending sensitive data to external mailboxes or contacting competitors
  • Alert-triggering behaviours such as connecting to cloud-drive or Dropbox URLs, Email recipient accounts, subject-line keywords, clicks on Email attachments, and bulk file copying.
Unauthorized program installation/uninstallation, account creation, abnormal processes, etc.
  • Use of applications and processes not on the allowlist.
  • Execution of applications such as Setup or Installer.
  • Creation of accounts using administrative tools.
Accessing sensitive folders or shared volumes, editing documents and images
  • Unauthorized accounts accessing specific folders, or opening/copying specific documents and images.
Searching for sensitive strings in applications, sensitive folders, or internal/external websites
  • Searching for sensitive strings in applications, sensitive folders, website URLs, etc. (In-App analysis technology).
  • Keyboard entry of sensitive strings (Keylogger).
Using social applications such as LINE, Skype, or Messenger
  • Logging in to the application.
  • Alert-triggering behaviours such as sending and copying specific files.
  • Keyboard entry of sensitive strings (Keylogger).
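The first rule group above (logins outside normal hours, logins from unexpected remote source addresses) is the kind of rule a defender can also express directly over authentication logs. The following is an added example, not ObserveIT code or anything from this page's vendor: it parses constructed key=value login events, applies an assumed Mon-Fri 08:00-19:00 business window and an assumed corporate allowlist of source networks (`ALLOWED_NETS`), and emits one alert per rule hit. Local logins are exempt from the source-IP rule; a missing or malformed source address is treated as a hit, since that is itself worth an analyst's attention.

```python
"""Off-hours and unexpected-source login detection, written as an added
example for the first alert-rule group on this page (not ObserveIT code).

Assumptions (all constructed for illustration):
  - login events arrive as key=value lines in the format shown in SAMPLE_LOG
  - business hours are Mon-Fri 08:00-19:00 local time
  - remote logins are expected only from the corporate ranges in ALLOWED_NETS
"""
import ipaddress
from datetime import datetime, time
from typing import Dict, List

# Constructed sample log lines (no real users or addresses; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges reserved by RFC 5737).
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=alice type=remote src=10.20.30.41 result=success
2024-03-04T02:17:41 user=bob type=local src=127.0.0.1 result=success
2024-03-05T14:05:10 user=carol type=remote src=203.0.113.7 result=success
2024-03-09T11:30:00 user=dave type=remote src=10.20.30.9 result=success
2024-03-06T23:59:59 user=erin type=remote src=198.51.100.23 result=failure
""".splitlines()

BUSINESS_START = time(8, 0)
BUSINESS_END = time(19, 0)   # exclusive: a 19:00:00 login is already off-hours
ALLOWED_NETS = [ipaddress.ip_network("10.20.30.0/24"),
                ipaddress.ip_network("10.20.31.0/24")]


def parse_line(line: str) -> Dict[str, str]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def is_off_hours(ts: datetime) -> bool:
    """True on weekends, or outside the business window on a weekday."""
    if ts.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def is_unexpected_source(event: Dict[str, str]) -> bool:
    """Remote logins are expected only from ALLOWED_NETS; local logins are exempt."""
    if event.get("type") != "remote":
        return False
    try:
        addr = ipaddress.ip_address(event["src"])
    except (KeyError, ValueError):
        return True                # missing or malformed source: alert rather than ignore
    return not any(addr in net for net in ALLOWED_NETS)


def evaluate(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per rule hit, in log order: {'user', 'ts', 'rule'}."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        ts = datetime.fromisoformat(event["ts"])
        # Failed logins are evaluated too: an off-hours failure from an unknown
        # network is at least as interesting to an analyst as a success.
        if is_off_hours(ts):
            alerts.append({"user": event["user"], "ts": event["ts"],
                           "rule": "off_hours_login"})
        if is_unexpected_source(event):
            alerts.append({"user": event["user"], "ts": event["ts"],
                           "rule": "unexpected_source_ip"})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['user']:<6} {alert['rule']}")
```

On the constructed sample, alice's weekday login from an allowed network raises nothing; bob's 02:17 local login and dave's Saturday login hit only the off-hours rule; carol's remote login from 203.0.113.7 hits only the source rule; erin's 23:59 failed login from 198.51.100.23 hits both. In practice the two thresholds (business window, allowed networks) are the tunables that decide the false-positive rate, which is why the page's own rule groups are keyed to user groups rather than applied uniformly.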


More than 200 built-in default rules in 24 group categories, which can also be organized by user group:

  • Relevance: rules are categorized and preset directly according to the attributes and likely risk behaviours of each user group.
  • Precision: rules are reconfigured based on new metadata.
  • Convenience: rule categories and user-group assignments are easy to manage.
  • Ready to use: configuration is complete once a user is assigned to a user group.
Enforcement Rules of the Personal Data Protection Act - Article 12

The "appropriate security measures" referred to in Article 6, Paragraph 1, Subparagraph 2 of the Act, the "security maintenance matters" in Article 18, and the "appropriate security measures" in Article 27, Paragraph 1 mean the technical and organizational measures taken by a government agency or non-government agency to prevent personal data from being stolen, altered, damaged, destroyed, or disclosed. The preceding measures may include the following, in a manner proportionate to the personal-data-protection purpose to be achieved:
1. Allocating management personnel and adequate resources.
2. Defining the scope of personal data.
3. Risk assessment and management mechanisms for personal data.
4. Incident prevention, reporting, and response mechanisms.
5. Internal management procedures for the collection, processing, and use of personal data.
6. Data security management and personnel management.
7. Awareness promotion and education/training.
8. Equipment security management.
9. Data security audit mechanisms.
10. Retention of usage records, trail data, and evidence.
11. Overall continuous improvement of personal data security maintenance.

Regulations Governing the Information Security Assessment of Computer Systems of Financial Institutions - Paragraph 4

Information security assessment items:
(2) Network activity review
Review the access logs and account permissions of network devices and servers, identify abnormal records, and confirm the alerting mechanism.
Review the monitoring logs of security devices (e.g. firewalls, intrusion detection systems, antivirus software, data loss prevention), identify abnormal records, and confirm the alerting mechanism. Review network packets for abnormal connections or abnormal Domain Name System server (DNS server) queries, and check them against known malicious IPs, command-and-control relays, or signatures of malicious network behaviour.
(5) Security configuration review
Review the "password policy" and "account lockout policy" settings of servers (e.g. Active Directory domain services).
Review whether the firewall exposes ports that carry security risk or are unnecessary, and whether connection settings contain security weaknesses.
Review system access restrictions (e.g. Access Control Lists) and privileged account management.
Review the update settings and update status of operating systems, antivirus software, office software, and application software.
Review the storage protection mechanisms and access controls for cryptographic keys.

Regulations Governing the Standards for Information Systems and Security Management of Electronic Payment Institutions

Article 10 The design principles of an electronic payment platform shall meet the following requirements:

1. Design requirements for Internet application systems:
(9) Access control and protective monitoring measures for personal data files and databases shall be designed.
(10) Anti-fraud and anti-money-laundering detection systems shall be built, with risk analysis models and indicators, so that when abnormal transaction behaviour occurs an alert is raised in real time and handled properly. The risk analysis models and indicators shall be reviewed and revised periodically.
5. Design requirements for payment via linked deposit accounts:
(5) Access control: a control mechanism shall be established to restrict unauthorized personnel or programs from accessing private keys and the programs related to this operation.

Article 12 Management of the system operations and maintenance personnel of an electronic payment platform shall meet the following requirements:

3. Highest-privilege accounts for hardware, application software, and system software, and accounts with the authority to modify programs or change parameters, shall be registered and kept under custody; use of a highest-privilege account requires prior approval from the responsible supervisor, and an audit trail shall be retained.
4. Personnel identity and access rights shall be confirmed, and where necessary the machines and network locations (IP) they may use shall be restricted.
5. When logging in to an operating system to make system changes or access a database, records of the manual operations shall be retained and the password shall be changed as soon as possible after use; where the password cannot be changed for some reason, a monitoring mechanism shall be established to prevent unauthorized changes, and the operation records shall be reviewed after use.
7. Accounts shall be managed on a one-person-one-account basis, with avoidance of multiple persons sharing one account as the principle; where sharing is required, the application and use shall be subject to other compensating controls, and operation records shall be retained that can distinguish the identity of each person.
9. Encryption/decryption programs and utility programs with change privileges (e.g. database access programs) shall be registered, managed, and restricted in use; such programs shall have access permissions configured to prevent unauthorized access, and an audit trail shall be retained.

Article 13 Personal data protection in the electronic payment operating environment shall meet the following requirements:

5. An audit trail of personal data usage (e.g. login account, system function, time, system name, query command or result) or an identification mechanism shall be built and retained, so that when personal data is leaked its usage can be traced, including files, screen images, and listings.
6. A data loss prevention mechanism shall be established to control the transfer of personal data files via input/output devices, communication software, system operations that copy to web pages or network files, printing, or other means, and the related records, trails, and digital evidence shall be retained.
7. After deleting, ceasing to process, or ceasing to use retained personal data, the following records shall be retained:
(1) The method and time of the deletion, cessation of processing, or cessation of use.
(2) Where the personal data that was deleted or no longer processed or used was transferred to another party, the reason, recipient, method, and time of the transfer, and the legal basis for that party's collection, processing, or use.

Article 15 Physical security of an electronic payment platform shall meet the following requirements:

7. Computer-room management shall provide an operating environment equivalent to the computer room, or an independent monitoring room in which personnel operating the systems and equipment can be controlled.
(1) Access control and surveillance equipment shall be in place, connection and usage trails must be retained, and management shall be audited periodically.

Article 18 Network management in the electronic payment operating environment shall meet the following requirements:

7. Remote system administration of the internal network performed via the Internet shall follow these measures:
(1) The purpose, period, time window, network segment, devices used, and target devices or services of each application shall be reviewed at least once a year.
(3) Change operations shall use strengthened identity authentication; each login may use call-back verification or two (or more) security designs, and supervisor authorization shall be obtained.
(5) A monitoring mechanism shall be established, operation records retained, and supervisors shall review them periodically.

Article 21 Information security incident management in the electronic payment operating environment shall meet the following requirements:

1. The logs and audit trails of all operating systems, network devices, and security devices shall be centrally managed, abnormal records analyzed, suitable alert indicators set, and these periodically reviewed and revised.
2. A mechanism for reporting, handling, responding to, and following up on improvements after information security incidents shall be established, and the related operation records retained.
3. When an information security incident occurs, the system transaction records, system logs, and security event logs shall be properly preserved, and attention shall be paid to the validity of trail records and evidence retention during the handling process.

HIPAA: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

Requirement 160.308 – Compliance Reviews

  • ObserveIT provides pre-built and customizable compliance audit reports that are easily accessible by compliance auditors. The reports, which can be automatically sent via email, include textual summaries of user actions linked to session video replay.
  • With ObserveIT, every application automatically has a compliance audit log component, regardless of the application’s origin. ObserveIT offers the flexibility to deploy new and updated applications at any time, without the need to deploy new audit protocols.


Requirement 164.306 – Security Standards

  • ObserveIT offers a ‘just-in-time policy messaging’ feature that delivers important messages and updates about corporate policies generally, or for specific applications and servers. This ensures that all users have read and agreed to the relevant security policies and procedures before logging on, and are aware of both general and specific policies.


Requirement 164.308 – Administrative Safeguards

  • ObserveIT offers a feature that identifies individual users logging in to servers using generic “administrator” or other shared accounts. When logging into a server using a shared-user account, ObserveIT presents a secondary identification window, where that user must sign in with their second set of credentials in order to access the server. Video recordings and activity logs are then tied to that specific user.


Requirement 164.312 – Technical Safeguards

  • ObserveIT captures a detailed textual log along with visual recordings of every user action, with logs generated for every application, including those without their own internal logs. By showing the exact user actions – not just the results – IT auditors can easily review files opened, windows viewed and other specific UI activities.


Requirement 164.414 – Administrative Requirements and Burden of Proof

  • ObserveIT requires individual credentials to log onto a server or network, ensuring that all visual recordings and textual user activity logs are tied to specific users, providing visibility into who is doing what and when.

PCI DSS: PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Requirement 6: Develop and Maintain Secure Systems and Applications

  • ObserveIT monitors and records all user activity in your network, and generates a comprehensive, searchable audit log tied with a video recording of every user action.
  • With ObserveIT, every application has a compliance audit log component, regardless of that application’s origin. It also offers the flexibility to grow and deploy new applications at any given time, without needing to deploy new audit protocols.


Requirement 8: Assign Unique ID to Each Person with Computer Access

  • ObserveIT requires individual credentials to log onto a server or network, ensuring that every action will be recorded. All visual and textual metadata logs are tied to the specific user, providing visibility into who is doing what and when.


Requirement 10: Monitor Access to Network Resources and Cardholder Data

  • ObserveIT offers a feature that identifies users within generic ‘administrator’ users or shared accounts. When logging into a server using a shared-user account, ObserveIT offers a secondary identification window, where that user must sign in with their second set of credentials. Video recordings and logs are then tied to that specific user accordingly.
  • ObserveIT monitors all user activity. This provides an unequivocal audit trail of user activity and bulletproof evidence as to who worked on what servers. Because of this, you can easily conduct root cause analysis to find changes or use the advanced keyword search, which allows you to search by applications, user names, windows, text typed and more.


Requirement 12: Maintain Policy that Addresses IT Security for all Personnel

  • ObserveIT offers a ‘just-in-time policy messaging’ feature that delivers important messages and updates about corporate policies generally, or for specific applications and servers. This ensures that all users have read and agreed to the security policies and procedures before logging on, and are aware of either general or specific policies.

SOX: THE SARBANES–OXLEY ACT

SOX Section 404 – Evaluate Company-Level Controls

  • ObserveIT requires individual credentials to log onto a server or network, ensuring that every action will be recorded. All visual and textual metadata logs are tied to the specific user, providing visibility into who is doing what and when.
  • With ObserveIT, every application has a compliance audit log component, regardless of that application’s origin. It also offers the flexibility to grow and deploy new applications at any given time, without needing to deploy new audit protocols.


SOX Section 404 – Perform a Fraud Risk Assessment

  • ObserveIT monitors all user activity. This provides an unequivocal audit trail of user activity and bulletproof evidence as to who worked on what servers. Because of this, you can easily conduct root cause analysis to find changes or use the advanced keyword search, which allows you to search by applications, user names, windows, text typed and more.
  • ObserveIT provides pre-built and customizable compliance audit reports that are easily accessible for compliance auditors, with automated canned reports sent via email, periodic and customized reports, textual summaries and full video replay.


SOX Section 404 – Evaluate Controls Designed to Prevent or Detect Fraud

  • ObserveIT provides flexible alert generation based on robust combinations of user profiles, key actions and client locations.
  • ObserveIT captures a detailed textual log plus visual recordings of every user action, with logs generated for every application, including those without their own internal logs. Showing exactly what the user did – not just the underlying results – IT auditors can track files opened, windows viewed and other specific UI activity.


SOX Section 404 – Management’s Competency, Objectivity and Risk

  • ObserveIT offers a ‘just-in-time policy messaging’ feature that delivers important messages and updates about general corporate policies, or for specific applications and servers. This ensures that all users have read and agreed to the security policies and procedures before logging on, and are aware of either general or specific policies.

FISMA: FEDERAL INFORMATION SECURITY MANAGEMENT ACT

Perform a gap analysis to establish security controls baseline.

  • ObserveIT captures a detailed textual log along with visual recordings of every user action, with logs generated for every application, including those without their own internal logs. By showing the exact user actions – not just the results – IT auditors can easily review files opened, windows viewed and other specific UI activities.
  • ObserveIT offers zero-gap recording of all Windows and Unix/Linux sessions via any remote connection protocol or local console.


Perform a risk assessment of security controls.

  • ObserveIT’s threat detection console and customizable recording policies greatly increase the chances of identifying and stopping potential problems before they even start.
  • Identify, assess, correct, and prepare for future incidents using ObserveIT’s searchable logging capabilities and video summaries. All visual and textual metadata logs are tied to individual users, even when using shared login accounts, providing visibility into all past and present events.


Create a security system plan and documentation.

  • ObserveIT offers a ‘just-in-time policy messaging’ feature that delivers important messages and updates about corporate policies generally, or for specific applications and servers. This ensures that all users have been informed of, and have agreed to, the relevant security policies and procedures before logging on. This feature can also deliver critical information to remote users each time they log on.


Perform an audit of the security controls to determine effectiveness.

  • ObserveIT provides an unequivocal audit trail of user activity, along with bulletproof evidence as to who did what on which servers. This dramatically eases root cause and forensic analysis. The system’s advanced keyword search makes it easy to discover specific user actions based on application name, user name, window title, text typed/pasted and more.


Monitor security controls on a continual basis.

  • With ObserveIT, every application automatically has a compliance audit log component, regardless of the application’s origin. ObserveIT also offers the flexibility to deploy new and updated applications at any time, without the need to deploy new audit protocols.

NERC: NORTH AMERICAN ELECTRIC RELIABILITY CORPORATION

Requirement CIP-002 RI: BES Cyber System Identification and Categorization

  • ObserveIT requires individual credentials to log onto a server or network, ensuring that every user is authorized, and all actions will be recorded. All visual and textual metadata logs are tied to the specific user, providing forensic evidence as to who did what and when.


Requirement CIP-003: Security Management Controls

  • ObserveIT offers a ‘just-in-time policy messaging’ feature that delivers important messages and updates about corporate policies generally, or for specific applications and servers. This ensures that all users have read and agreed to the security policies and procedures before logging on, and are aware of either general or specific policies.
  • It also delivers critical information to remote users, and monitors and records them, each time they log on.


Requirement CIP-004: Training and Personnel Security

  • Identify, assess, correct, and prepare for future incidents using ObserveIT’s capabilities, which monitor and record all user activity in your network and generate a comprehensive, searchable audit log tied to a video recording of every user action.
  • With ObserveIT, every application has a compliance audit log component, regardless of that application’s origin. Therefore, ObserveIT provides an unequivocal audit trail of user activity and visibility as to who worked on what servers.


Requirement 164.414 – Administrative Requirements and Burden of Proof

  • ObserveIT offers a feature that identifies users within generic ‘administrator’ users or shared accounts. When logging into a server using a shared-user account, ObserveIT offers a secondary identification window, where that user must sign in with their second set of credentials. Video recordings and logs are then tied to that specific user accordingly.

Common problems organizations face when handling security incidents

  • Not knowing how to begin an investigation effectively, so that the investigation drags on.
  • Relying on logs or text records as supporting evidence, which courts frequently reject or prosecutors decline to act on because the evidence is incomplete.
  • Lacking effective, timely means and tools for obtaining digital evidence, and so being unable to distinguish abnormal user behaviour from deliberate intent, missing the critical window for prevention beforehand and for reconstructing who, what, when, where, and how afterwards, and suffering irreparable financial and reputational losses as a result.
"Deloitte Taiwan (勤業眾信) recommends that organizations ensure the completeness of their digital evidence as early as possible, establish early-warning mechanisms for abnormal behaviour in advance, and, when a security incident occurs, promptly preserve and seal the digital evidence to prevent it from being destroyed or tampered with."

Keys to the admissibility of digital evidence

…only when the above conditions are met can the evidence be deemed to have "admissibility"!
Source: Chiu Hsien-min (邱獻民), Chief Prosecutorial Affairs Officer, Shilin District Prosecutors Office

Digital evidence chain

Visual digital evidence strengthens admissibility and evidentiary value

Precise visual trails

Provides visual trails for every kind of insider-threat behaviour, such as logins at abnormal hours, unauthorized access, bulk file copying/uploading/printing, program installation/uninstallation, account creation, abnormal processes, and browsing of prohibited websites, precisely reconstructing the who, what, when, where, and how of a security incident or case; the encrypted, tamper-proof visual forensic evidence effectively increases the probative force and evidentiary value in security cases.

Rapid detection and response

The threat-risk dashboard continuously monitors endpoint behaviour and presents insider-threat risk and trend analysis, helping administrators quickly prioritize internal investigations. With detection, alerting, and interruption/blocking mechanisms, user intent can be identified immediately and acted upon, and the exact point at which an event occurred can be reconstructed from large volumes of trail data, greatly reducing investigation time and manpower and achieving the security-management goals of "detect and block beforehand", "collect evidence and respond during", and "audit and prove afterwards".

Comprehensive improvement of security awareness

Whenever a user copies data to USB or a cloud drive, downloads and installs programs in violation of policy, uses social applications such as Line/Skype/Messenger, or performs any endpoint operation that may create a security risk, the user can be immediately and proactively reminded of the internal security policy; visual audit records are provided for all non-compliant behaviour, and the user can also be required to enter a reason, enabling real-time education and the correction of abusive or undesirable usage habits.

5 things you need to know about insider threats!

How to build a practical insider-threat program in 5 minutes