Companies use surveillance cameras to record what is happening in physical locations. Now take that concept and apply it to IT systems to address a wide range of vital IT security needs. Why is this needed?
User activity monitoring software, also known as session recording software, is like a high-definition surveillance camera for IT, monitoring and recording what people do on company computers. Unlike a technical log recording system events, these systems record user interface activities. When an administrator, investigator or auditor replays a session video, it’s like watching over the person’s shoulder, seeing every action performed. Beyond recorded session video, top-tier session recording systems also generate keyword-searchable, human-readable transcripts of all user activities.
Here are five reasons why businesses should monitor and record computer activity of privileged users, such as system administrators, database administrators and third-party vendors.
1. Superior data breach detection
Monitoring privileged user activity on company servers is a first line of defense against data breaches. Research shows access to enterprise information by trusted employees or subcontractors with legitimate permissions (think Snowden) is the most common factor involved in security violations. However, the obvious conclusion that security monitoring must focus on employee actions is often overlooked. Once privileged users and contracted vendors are granted access to servers, most IT security managers have no idea what these users do with sensitive data now at their disposal.
User activity monitoring solutions help detect leaks of sensitive and regulated information in a number of different ways:
- All users must explicitly agree to have their sessions recorded at each login, thus dramatically reducing instances of unsanctioned activity.
- Custom real-time alerts based on user, application, resource and/or keyword ensure early warning of both human error and malicious actions.
- Comprehensive monitoring ensures that even human activity blind spots missed by other logs and systems (such as SIEM) are covered.
- It prevents users from logging in to a server without entering a valid ticket number (from an external ticketing system) to ensure that every login is connected with a specific purpose.
2. IT efficiency and reduced time to repair
With video monitoring, enterprises can reduce support costs by lowering the number of escalations to Level 2 and 3. Level 1 support teams get a superior troubleshooting tool that shows them exactly what happened, so that they can easily restore the system to its previous state.
Most IT incident investigations rely on logs, but without a user activity monitoring system there are no logs reflecting what users actually did, which leaves gaps in the information. When detailed human behavioral data is available, both as plain-text session activity summaries and as full-screen video recordings, IT troubleshooting and event forensics become much faster and all-inclusive.
3. Cheaper and easier regulatory compliance
Once a user activity recording system is deployed, many compliance-related costs and inefficiencies are instantly eliminated because:
- It is no longer necessary to invest in extensive labor to continuously maintain and update endless controls and log correlations with a log management or SIEM system. Session recording directly demonstrates what every user did without the need for complex correlations.
- Audits can be completed much faster since all on-screen actions are recorded (in video) and logged (in keyword-rich text); authoritative answers to any audit question are instantly available.
- Session recording systems typically contain “privileged identity management” features, also known as “secondary identification” capabilities, which identify individual users accessing shared accounts (e.g., root or administrator). Addressing this critical element of many IT security regulations without time-consuming and expensive password vaults is an important efficiency and cost-cutting benefit.
4. Better vendor activity auditing
User session recording systems make it easier to monitor third-party vendor activity on company servers in order to enforce SLAs and confirm accurate billing. It is easier to ensure vendors meet their obligations by reviewing who worked on servers, when, what they did and how they did it.
Verifying vendor billing is also simple when it’s possible to quickly see (and prove) exactly how long vendors spent working on company servers and if their performance during those sessions met SLAs.
5. More effective forensics investigation
The most common form of IT security monitoring is the usage of Security Information and Event Monitoring (SIEM) systems. These systems aggregate and correlate log data from servers, network devices and other sources to try to detect anomalies and threats; however, they are only as good as what you feed them.
Many legacy, custom and cloud applications don’t have activity logs, and those that do usually generate technical “debug” logs such as “Service cannot be started” that do not show what the user did within the application.
By integrating and correlating log data of user activity in applications and operating system screens into a SIEM system, the SIEM itself becomes a much more comprehensive security management solution. For example, IT security staff can quickly clarify unclear system log events by replaying exactly what happened at that point; a single mouse click from inside the SIEM launches the screen video recording of the relevant moments.
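The correlation described above, as an added example that is not ObserveIT's code or export format: given a system log event, it pulls the recorded user actions on the same host in the minutes leading up to it, attributed to the individual behind a shared account. The pipe-delimited transcript format, host names, user names and file paths are constructed assumptions.

```python
from bisect import bisect_left, bisect_right
from datetime import datetime, timedelta

# Constructed sample data: user-activity transcript lines in a hypothetical
# "timestamp|host|account|individual|action" export format.
ACTIVITY = """\
2024-03-05T09:58:10|db01|root|alice|Opened terminal
2024-03-05T10:01:42|db01|root|alice|Edited /etc/myservice/service.conf
2024-03-05T10:02:05|db01|root|alice|Ran: systemctl restart myservice
2024-03-05T10:02:30|web02|administrator|bob|Opened Event Viewer
2024-03-05T10:40:00|db01|root|carol|Ran: df -h
"""

def load_activity(text):
    """Parse transcript lines into a per-host list sorted by timestamp."""
    by_host = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps any "|" inside the action text intact
        ts, host, account, individual, action = line.split("|", 4)
        by_host.setdefault(host, []).append(
            (datetime.fromisoformat(ts), account, individual, action))
    for events in by_host.values():
        events.sort(key=lambda e: e[0])
    return by_host

def explain(by_host, host, event_time, window_minutes=5):
    """Return user actions on `host` in the window leading up to a log event."""
    events = by_host.get(host, [])
    times = [e[0] for e in events]
    end = datetime.fromisoformat(event_time)
    start = end - timedelta(minutes=window_minutes)
    # Binary search for the slice of events with start <= timestamp <= end
    lo, hi = bisect_left(times, start), bisect_right(times, end)
    return [f"{t:%H:%M:%S} {individual} (as {account}): {action}"
            for t, account, individual, action in events[lo:hi]]

if __name__ == "__main__":
    by_host = load_activity(ACTIVITY)
    # Constructed SIEM event: "Service cannot be started" on db01 at 10:02:07.
    for line in explain(by_host, "db01", "2024-03-05T10:02:07"):
        print(line)
```
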
What about employee privacy?
While user behavior tracking is highly valuable from the employer’s point of view, what about an employee’s right to privacy? While the particulars of jurisdictional privacy are beyond the scope of this article, the general approach embodied in most privacy regulations is balancing the employee’s reasonable expectation of privacy against the employer’s justified rights to monitor business operations. Beyond the law, there are also ethical aspects of how much respect employers should extend to their employees.
In this complex environment, it is critical that organizations implementing user activity monitoring take advantage of the privacy-related features of top-tier monitoring systems. Not only will best practices prevent employers from running afoul of privacy laws, they will accomplish the goals of user activity monitoring without generating unnecessary ill-will among employees. Here are three best practices:
- Big brother isn’t always omniscient — Good session activity recording systems make it easy for administrators to selectively record particular applications and websites for security or audit purposes, without invading employee privacy. At a minimum, employers should exclude recording websites of a personal nature (e.g., social networks) and those that show confidential information (e.g., bank websites). (Note that tracking the number of visits and time spent on these sites is a completely separate, HR-related matter.) Which websites and applications to record and exclude is a policy decision each employer needs to make independently, and it’s important to inform employees as to which of their activities are — and are not — being monitored.
- Full disclosure — Every time an employee logs in to a monitored computer, the recording software must clearly show the user a message indicating all activity will be recorded. Beyond ensuring that the employee is aware of recording, logs of these disclosure agreements may be useful during any potential legal procedures.
- Dual password session playback privacy — Session recording systems should protect employee privacy by providing a mechanism that requires two separate passwords before allowing the replay of a recorded session video (this is actually mandated by some employee jurisdictional privacy regulations). When this option is activated, session video recordings can only be played back with two independent passwords: one belonging to an IT administrator and one to an employee representative (e.g., HR manager, union rep or legal counsel).
The business benefits of recording privileged user sessions on company computers are enormous, including significant reductions in data breach incidents, IT incident forensics investigation times and the costs of achieving and maintaining regulatory compliance.
Every CIO and CISO should be looking at the best way to implement user activity monitoring software in the near future, along with best practices to protect and respect the privacy of users.
Gaby Friedlander is the co-founder and CTO of ObserveIT. Gaby has built ObserveIT into an industry-leading provider of user activity recording and auditing technology in use by more than 800 corporations in 70+ countries.