User activity monitoring revealed

In this interview, Matthew Ulery, Director of Product Management with NetIQ, discusses the challenges related to user activity monitoring. He talks about the various methods, technologies as well as privacy concerns.

Exactly what does it mean to monitor user activity?
Monitoring user activity can include everything from video cameras used for physical security to active monitoring of how staff utilize social media on their computers. The scope of activity monitoring depends on the objectives of the monitoring effort and the charter defined by the organization.

User activity monitoring within enterprise IT can include this full range of what could be described as surveillance but more often includes the active review of administrator and end user activity with the specific goal of identifying misuse of privileges through ignorance, mistake or malicious intent. The driving objectives are typically information protection, compliance and ensuring availability.

Methods of user activity monitoring are as varied as the technologies used by administrators and end users. These include network packet inspection, analysis of key logging, indexed video recordings of sessions, kernel monitoring and log collection and analysis. Regardless of the monitoring technology, the information must be reviewed in context with policy and the user role to identify inappropriate activity. Such activity would include:

  • Email administrators reading email between the board and executive team
  • Healthcare workers accessing patient records for a celebrity not in their care
  • Sales representatives downloading full client lists and sales pipelines
  • Administrators taking shortcuts around the change control process so they can leave early before a long weekend.

2. What does a modern user activity monitoring solution have to provide?
It is the nature of monitoring efforts that a great deal of data is collected and analyzed to find the nugget of actionable information. Worldwide shipping containers are inspected to search for criminal environmental, smuggling or terrorist activity. The vast majority of the containers inspected pass without incident. As such, there is constant pressure to speed the process and more quickly identify the ones with illicit content. The same is true for any enterprise IT user activity monitoring solution.

Modern user activity monitoring solutions must allow organizations to quickly identify actionable information from vast amounts of collected data based on associated risk, identity context, time of day and defined policies. These solutions should be able to provide near real-time identification of these nuggets of information while also supporting detailed analysis of historical activity. In both cases, real-time and historical, the solution must answer: Who did What, When and Where?

In the age of privacy nightmares, many employees are wondering why their organizations needs user activity monitoring in the first place.
Many organizations wonder why you need to monitor users when you have controlled what they have access to do. The answer is that privileges always allow room for abuse and very few systems provide granular enough control to come close to solving this issue.

User activity monitoring can address the abuse of privileged access. Any monitoring initiative must start with clear objectives and a charter that has been approved by executive management with the approval of the legal team. The charter must be specific and take into account the governing law in every related jurisdiction. The initiative must also include supervision of the team that will perform the monitoring. Without this level of governance, it is far too easy for even well intentioned programs to violate legal and ethical standards.

Pros:

  • Mitigates the risk of inappropriate staff actions that can increase corporate risk to data theft, breach or downtime
  • Reduces the cost of compliance by automating user monitoring (if not performed manually)
  • Provides intelligence on how to refine processes and policies to improve security postures.

Cons:

  • Added expense and labor at a time when budgets are tight
  • Without sufficient governance, monitoring programs could produce privacy violations.

With SMBs, user monitoring is not a huge challenge, but with large enterprises it can become a daunting task to implement and manage. What advice would you give to those that still don’t use it and are wondering how to do it in the first place?
Any monitoring investments should be matched to the level of risk and the risk tolerance of the organization. The organization should start by clarifying the objectives of the program. Next, a charter and governance plan would be provided based on those objectives. With this in place the team would initiate monitoring to address a specific risk, allowing for initial success. From there the organization would expand the program to the extent required to meet the organizational objectives.

Active Directory monitoring is a common initial monitoring initiative. It is also common to leverage Security Information Event Management (SIEM) systems for user monitoring. SIEM is either used as the primary tool leveraging event logs or to provide additional analysis across both event logs and information from platform specific monitoring technologies.

Once the user monitoring system is in place, it generates a wealth of data. How can an organization use this data to improve its security posture?
The greater intelligence provided by modern systems allows organizations to:

  • Refine/tune policies and procedures
  • Identify governance issues with defined roles
  • Detect internal and external activity to identify and disrupt breaches
  • Automate compliance reporting
  • Avoid unplanned downtime do to administrative error.

Combined, all of these benefits of gathering and monitoring data enable organizations to improve their overarching security posture, which ultimately helps them better protect the data they house and are responsible for.