An intro to User Activity Monitoring, ObserveIT, and the impact UAM has on RDSH/VDI

User Activity Monitoring and Insider Threat Detection are quickly becoming everyday terms, but they have an impact on desktop virtualization.

User Activity Monitoring, or UAM, is something that’s been off my radar for a long time, and while I’m sure there are a number of products that do this sort of thing (it’s part of a larger space called Insider Threat Detection), I was recently turned on its implications and usage in the world of desktop virtualization by ObserveIT. I’ll get into them in a minute, but I wanted to talk a little bit about the whole idea first.

As you can derive from the name, UAM is monitoring a user’s activity in an effort to both detect malicious behavior inside a company as well as educate users on those policies. It’s not just web activity or network activity (WebSense is what came to mind when I first heard the term), it’s everything a user is doing. The buttons inside an application that they click on, what applications they use, what websites they go to, what file sharing services they use, keystrokes, processes, IP addresses being accessed, and more. It’s very Big Brother.

This kind of oversight isn’t for everyone, but some companies are more concerned about this kind of thing than others. One thing is certain, you’d be hard pressed to find a company anywhere that doesn’t have users who have browsed the odd web site at lunch or on a slow day, have access to files they shouldn’t, or who hasn’t checked their Gmail or uploaded something to Dropbox.

Some companies are more or less ok with that in small doses. Then again, there are companies that are hell bent on making sure that kind of activity doesn’t happen (healthcare, finance, government…I’m looking at you). Those companies are the reason that UAM and Insider Threat Detection exist. In fact, there are regulations such as Executive Order 13587 in the US and similar legislation in other countries that require it.

We all know that this kind of thing can be a struggle to implement, support, and maintain. When you lock down a user’s environment enough to prevent ANY violations, you typically remove so much usability that users have a hard time getting real work done. There’s a delicate balance that has to be maintained, and with that comes a fair amount of education trying to teach users what is good behavior and what isn’t. Those reasons tend to keep ITD and UAM out of many companies that don’t absolutely require it.

That’s why I decided to write about ObserveIT’s platform after a briefing with them, because when I hear about UAM my reaction is to immediately brush it off as a niche solution. That’s not fair, especially in today’s world. So I thought I’d share what I learned about their platform and how it behaves in a desktop virtualization environment.

A little background

ObserveIT has been around since 2006 making Insider Threat Detection software. They are well-established, and are discovering that a good portion of their customers are using it with RDSH and VDI environments. When Citrix took away SmartAuditor they became a Citrix partner, and even though Smart Auditor is back in the form of Session Recording, the partnership remains.

They can coexist because there’s a big difference between ObserveIT’s approach and Session Recording. Where Session Recording simply records a video of a user’s session for playback in a CYA kind of way, ObserveIT’s platform logs each interaction with screenshots, risk assessments, and even a user notification system.

Let’s dig in

ObserveIT is based on an agent that runs in user mode and hooks into every session. They have agents for Windows and Unix/Linux, and they’re even working on an OS X agent. We mostly talked about the Windows agent, which can be used on physical desktops, VDI, or RDSH servers. After a user logs in, they see a message that notifies them that everything they do is recorded and monitored. If nothing else, that keeps the honest people honest.

All applications are monitored because the agent is looking for keystrokes and mouse clicks (along with other things like the text inside forms and application windows, processes, and IP addresses). They have 150 built-in policies that most of the customers need that you can use to detect, for instance, when someone accesses Gmail. In the demo I saw, Gmail was part of their “Personal File Sharing” policy, and an alert was shown on the screen notifying the user that this activity is not allowed.

ObserveIT Personal File Sharing Alert
ObserveIT Personal File Sharing Alert

A few things are interesting about this. First, the notification includes both the policy that is being violated and a text box that allows the user to enter in an explanation for why they were using Gmail. An alert is sent to the administrator along with this contextual explanation. Next, in the notification box, the user is told why they shouldn’t do it and told about the corporate-approved alternative (in this case, OneDrive). The last interesting thing is that Gmail is not prevented from running. The system relies on education and oversight to keep people honest, so informing them that what they are about to do is both not allowed and being recorded is useful for preventing this violation and (hopefully) future ones as well. Still, the administrator can kill that process when they receive the notification.

It’s not just applications, though. They can also detect other activity like removable media (which, admittedly, is probably something you’d rather just block with a policy or UEM platform than warn the users about), copy and paste operations, and the fact that a user logs into a remote desktop session with credentials other than the ones they use on their endpoint.

The interesting thing is that all of this monitoring and recording is done with the context in mind. Every interaction gets a screenshot, and every violation gives the user a chance to explain why they were doing what they were doing. This allows ObserveIT to put together a risk assessment for each user that shows the violations (above), allows admins to watch the violation in order to understand what a user was doing, and to get feedback directly from the user about what they were trying to accomplish. Admins can also search the database for any kind of activity, even if it’s not a policy violation.

Performance & Cost

You can imagine that any software that watches everything a user is doing is probably quite resource intensive. ObserveIT says that though their agent is “light,” there are still resource implications that can affect RDSH and VDI environments. The agent is pretty easy on memory usage (coming in at around 20MB per user) and network utilization (consuming around 10MB/hour, per user), but it hits the CPU pretty hard during any user interaction. They say it’s in the 1%-3% range, and if you have users that are actually using their desktops, that means you can expect a fairly significant increase in CPU usage per user. On physical desktops this isn’t an issue since there is likely CPU to spare, but in VDI and RDSH environments, the added overhead can seriously affect density on a given piece of hardware. That either means more hardware to support the same number of users or worse performance for each of your users.

Pricing is different based on whether or not you’re using RDSH or single-user desktops. ObserveIT retails for around $150 for single user endpoints (which includes VDI), and starts at $1500 per server for RDSH environments. That means you’re spending money on hardware and software to implement something like this, and that might mean that you’re not going to jump at the chance to monitor user activity unless you absolutely have to.

Wrap up

As I mentioned before, this isn’t the kind of thing that everyone will or should use. It is, however, something that could be very valuable to certain organizations. ObserveIT has seen the bulk of their business in the financial sector, though they also have a seen a significant increase among healthcare, telco, and government organizations. In fact, their platform has been designed to adhere to US, German, and French Information Privacy laws.

I’m sure there are lots of competitors with different approaches that both stop just short of this level of oversight or go way beyond it. It’s easy to see where it fits in vertically, but I wonder if this will ever catch on horizontally. Frankly, it’s not too much of a stretch to think that we’ll see this kind of thing as a feature of the OS before too long.

Dig Deeper on Unified endpoint management