
Closing the Human Behavior Gap in IT Security Monitoring

Article, November 5, 2013

Research into data breaches consistently shows that access to enterprise information by trusted employees or subcontractors with legitimate permissions is the most common factor involved in security violations. However, the obvious conclusion that security monitoring must focus on employee actions is often overlooked. Once privileged users and contracted vendors are granted access to servers, most IT security managers have no idea what these users are doing with the sensitive data now at their disposal. 

Most IT security focuses on external threats 

Because of the (justified) fears that outside hackers can cause tremendous damage by stealing data or corrupting systems, most IT security efforts are focused on protecting sensitive servers and data from security breaches originating outside the organization. Deployment of advanced firewalls, virtual private networks (VPNs), two-factor login security and Security Information and Event Management (SIEM) solutions are the types of solutions typically used. 

However, none of these solutions provide protection or deterrence when the threat comes from an in-house IT administrator or contracted vendor with malevolent intentions. 

Monitoring privileged user activity 

For these reasons (and others), monitoring and recording of employee behavior in digital environments is on the rise. Keeping close tabs on the behavior of users with access to your company’s sensitive servers is a critical, yet often overlooked, building block of IT security and regulatory compliance. It is also an important component of root cause analysis: when something goes wrong in a server or on a network, being able to watch a video showing exactly who did what and when is invaluable. 

An important additional benefit of monitoring and recording user activity on sensitive servers is the “speed cam effect.” Just like drivers on the highway tend to keep within the speed limit on stretches of road where it is known that there are speed cameras, privileged users are much more careful how they behave on company servers when they’re aware that their every action is monitored and recorded. 

Session recording and playback 

Here’s how it works: every time a privileged user logs into a sensitive server (i.e., a server with access to important applications, data and/or network devices), the user is presented with a message disclosing that all user activity on the server is monitored and recorded. Beyond the deterrence benefit mentioned above, this step is also necessary to conform to privacy regulations in some jurisdictions (the user may be asked to click an “acknowledge” button on this message in order to proceed, so that the employer has a record of their compliance with disclosure requirements). 

From that moment on, every keystroke, mouse click and screen image is recorded to a secure database. IT security staff can observe user sessions in real time for monitoring purposes or play back any session recording at a later time. Particular sessions can be located using a number of search criteria including date/time, user, server, application name, window title or activity keyword. 

Session activity analysis 

The “activity keyword” criterion at the end of the last sentence is central to effective user activity recording systems. “Dumb” screen recording systems store user activity videos, but finding a particular event among thousands of hours of video is impractical, if not impossible. Thus, it is essential that enterprise-grade session activity recording systems include the ability to perform “session activity analysis.” This means that user actions are transformed into plain-text line items that can be quickly reviewed (to get a quick sense of what the user was doing during the session) and searched via keywords that represent nearly any kind of on-screen activity. 

Some illustrative examples will be helpful to appreciate the value of how this search capability is used: 

  • If the user clicked a checkbox labeled “Delete browsing history on exit,” the search must find this mouse-click by searching for these words.
  • If the user ran “services.msc” by pasting this name into the Windows Run command box (without actually typing it), a search for “services.msc” must find this action.
  • If the user executed the PowerShell “get-psdrive” command using auto-complete (the command name was never typed), a search for this command must discover this action.
  • If the user changed the “NtpServer” registry value from “” to “,” a search for either “NtpServer” or “” must discover this action.
  • If the user used the up arrow to find a previously used Windows command prompt command, the search must find every instance of the command, even the ones where it wasn’t typed.
  • If the user typed the UNIX command “RMDD<backspace>IR,” the search must find RMDIR. 

Without the capability to allow this kind of “smart” searching into vast stores of user activity data, having the recorded sessions may be nearly useless. 
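The following is an added example (not ObserveIT's code) showing what "session activity analysis" amounts to in practice: raw recorder events are normalised into plain-text activity lines that describe the *effective* action, so that a keyword search finds a pasted "services.msc", an auto-completed "get-psdrive", a history-recalled command or an "RMDD<backspace>IR" that became RMDIR. The event dictionary layout, the `<backspace>`/`<enter>` key markers and the sample events are all constructed assumptions; the registry values that the article leaves blank are marked as placeholders.

```python
"""Added example: turning raw session-recorder events into searchable
plain-text activity lines (event shapes and field names are assumptions)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class ActivityLine:
    """One plain-text line item describing a user action."""
    when: datetime
    user: str
    server: str
    kind: str   # "click", "command", "registry"
    text: str   # what a reviewer reads and what keyword search matches


def resolve_keystrokes(keys: list[str]) -> str:
    """Replay a keystroke stream into the text the user actually submitted.
    '<backspace>' and '<enter>' are assumed recorder markers; anything else
    is a literal character. Typing R,M,D,D,<backspace>,I,R yields 'RMDIR'."""
    buf: list[str] = []
    for k in keys:
        if k == "<backspace>":
            if buf:
                buf.pop()
        elif k == "<enter>":
            break
        else:
            buf.append(k)
    return "".join(buf)


def to_activity_line(event: dict) -> ActivityLine:
    """Normalise one raw event (a constructed dict) into an ActivityLine.
    For commands the recorder either supplies the final submitted string
    ("text": paste, auto-complete, history recall) or raw keys ("keys")."""
    base = dict(when=datetime.fromisoformat(event["ts"]),
                user=event["user"], server=event["server"])
    t = event["type"]
    if t == "click":
        return ActivityLine(**base, kind="click",
                            text=f'clicked "{event["label"]}" in {event["window"]}')
    if t == "command":
        text = event.get("text") or resolve_keystrokes(event["keys"])
        return ActivityLine(**base, kind="command",
                            text=f'ran {text} via {event["source"]} ({event["shell"]})')
    if t == "registry":
        return ActivityLine(**base, kind="registry",
                            text=f'set {event["key"]}\\{event["value"]} '
                                 f'from "{event["old"]}" to "{event["new"]}"')
    raise ValueError(f"unknown event type {t!r}")


def search(lines: list[ActivityLine], keyword: str, **filters) -> list[ActivityLine]:
    """Case-insensitive keyword search with optional exact-match filters on
    user=, server= or kind=, mirroring the search criteria the article lists."""
    kw = keyword.lower()
    return [ln for ln in lines
            if kw in ln.text.lower()
            and all(getattr(ln, f) == v for f, v in filters.items())]


# Constructed sample events covering the article's hard cases.
SAMPLE_EVENTS = [
    {"ts": "2013-11-05T09:01:00", "user": "vendor1", "server": "db01", "type": "click",
     "label": "Delete browsing history on exit", "window": "Internet Options"},
    {"ts": "2013-11-05T09:02:00", "user": "vendor1", "server": "db01", "type": "command",
     "source": "paste", "shell": "Run", "text": "services.msc"},
    {"ts": "2013-11-05T09:03:00", "user": "admin2", "server": "db01", "type": "command",
     "source": "autocomplete", "shell": "powershell", "text": "get-psdrive"},
    {"ts": "2013-11-05T09:04:00", "user": "admin2", "server": "db01", "type": "registry",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters",
     "value": "NtpServer", "old": "OLD-VALUE-PLACEHOLDER", "new": "NEW-VALUE-PLACEHOLDER"},
    {"ts": "2013-11-05T09:05:00", "user": "admin2", "server": "web01", "type": "command",
     "source": "history", "shell": "cmd", "text": "net user"},
    {"ts": "2013-11-05T09:06:00", "user": "vendor1", "server": "web01", "type": "command",
     "source": "keyboard", "shell": "bash",
     "keys": list("RMDD") + ["<backspace>"] + list("IR /tmp/x") + ["<enter>"]},
]
ACTIVITY_LINES = [to_activity_line(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in search(ACTIVITY_LINES, "rmdir"):
        print(hit.when, hit.user, hit.server, hit.text)
```

The design point is that search runs over the normalised `text`, never over the keystroke log: the line item records what the system was told to do, so how the input arrived (typing, clipboard, tab completion, up arrow) no longer matters to the reviewer.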

User activity-based real-time alerts 

A final important capability of an enterprise-grade session monitoring system is the ability to generate customized real-time alerts based on user activity. These alerts can simply appear in a report that IT admins review periodically, or they can automatically result in the performance of system actions such as sending an SMS, sending an email or running a particular system script. 

To be truly useful, user activity-based alerts must provide IT security with the flexibility to define the user actions of interest, and the contexts in which they occur. For example, an IT security administrator might want to define an alert that sends him an email any time an outside vendor logs into a company server outside working hours (probably suspicious!) or when anyone launches a Web conferencing or file transfer app on a server (a suspicious activity that could easily facilitate a data breach). 

Another example: a compliance officer might define an alert that sends him an SMS any time a privileged user logs into one of the company’s sensitive database servers, except when it’s a management-level employee. One click from within any such alert will launch the session replay video from the specific point that the action occurred, allowing surveillance of the user activity immediately or at a later time. 
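As an added example (not ObserveIT's code), the rule engine below encodes the three alerts just described as context-aware predicates over activity events, with a per-rule delivery action (email, SMS or script) and a deep link into the session recording at the moment the action occurred. The event fields, the role directory standing in for an HR/AD lookup, the working-hours window, the watched application names and the `replay://` link format are all assumptions; the delivery actions only append to a list so the block runs offline.

```python
"""Added example: context-aware user-activity alerts (fields, directory
data and delivery hooks are assumptions, not a real product's API)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable

# Constructed directory data standing in for an HR/AD lookup.
USER_ROLE = {"vendor1": "vendor", "admin2": "admin", "cto": "management"}
SENSITIVE_DB_SERVERS = {"db01", "db02"}
WATCHED_APPS = {"webex.exe", "zoom.exe", "filezilla.exe", "winscp.exe"}
WORKING_HOURS = range(8, 19)   # 08:00-18:59, assumed local server time


@dataclass
class Event:
    ts: datetime
    user: str
    server: str
    kind: str          # "login" or "app_launch"
    session_id: str
    offset_s: int      # seconds into the session recording
    app: str = ""


@dataclass
class Alert:
    rule: str
    event: Event
    replay: str = field(init=False)   # link into the recording at that moment

    def __post_init__(self):
        self.replay = f"replay://{self.event.session_id}?t={self.event.offset_s}"


# Delivery actions: in production these would send email/SMS or run a script.
DELIVERED: dict[str, list[Alert]] = {"email": [], "sms": [], "script": []}


def send_email(a: Alert) -> None:
    DELIVERED["email"].append(a)


def send_sms(a: Alert) -> None:
    DELIVERED["sms"].append(a)


# Rule predicates: each combines the action with the context it occurs in.
def vendor_login_after_hours(e: Event) -> bool:
    return (e.kind == "login" and USER_ROLE.get(e.user) == "vendor"
            and e.ts.hour not in WORKING_HOURS)


def risky_app_launched(e: Event) -> bool:
    return e.kind == "app_launch" and e.app.lower() in WATCHED_APPS


def db_login_not_management(e: Event) -> bool:
    return (e.kind == "login" and e.server in SENSITIVE_DB_SERVERS
            and USER_ROLE.get(e.user) != "management")


Rule = tuple[str, Callable[[Event], bool], Callable[[Alert], None]]
RULES: list[Rule] = [
    ("vendor login outside working hours", vendor_login_after_hours, send_email),
    ("conferencing/file-transfer app launched on server", risky_app_launched, send_email),
    ("privileged login to sensitive DB server", db_login_not_management, send_sms),
]


def evaluate(events: list[Event], rules: list[Rule] = RULES) -> list[Alert]:
    """Run every event through every rule; fire the rule's delivery action
    and return all alerts raised (the same list feeds the periodic report)."""
    raised: list[Alert] = []
    for e in events:
        for name, matches, deliver in rules:
            if matches(e):
                alert = Alert(name, e)
                deliver(alert)
                raised.append(alert)
    return raised


# Constructed sample events.
SAMPLE_EVENTS = [
    Event(datetime(2013, 11, 5, 23, 15), "vendor1", "db01", "login", "S-1", 30),
    Event(datetime(2013, 11, 5, 23, 20), "vendor1", "db01", "app_launch", "S-1", 330, "zoom.exe"),
    Event(datetime(2013, 11, 5, 10, 0), "cto", "db01", "login", "S-2", 12),
    Event(datetime(2013, 11, 5, 11, 0), "admin2", "web01", "app_launch", "S-3", 900, "WinSCP.exe"),
    Event(datetime(2013, 11, 5, 11, 30), "admin2", "web01", "login", "S-4", 5),
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(a.rule, a.event.user, a.event.server, a.replay)
```

The vendor's 23:15 login to db01 raises two alerts (after-hours vendor login by email and a non-management login to a sensitive database server by SMS), the CTO's daytime login raises none because of the management exception, and each alert carries the `replay://` pointer that lets a reviewer open the recording at the exact offset of the action.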

Closing the human behavior IT security gap 

Adding searchable, context-aware user activity monitoring, recording and alerting delivers a range of benefits to the organization, including improved IT security, better deterrence of malicious actions by insiders and easier root cause analysis. Additional benefits not discussed in this article include monitoring of contracted IT vendors (with video session review, it’s easy to review their performance, professionalism and adherence to SLAs) and HR oversight (for example, generate reports of non-work applications used by employees). 

At the least, it has become critical for IT administrators and compliance officers to be able to answer the question, “Who did what and when?” regarding activity on company servers. Protecting the company’s infrastructure and data from both malicious and inadvertent insider actions is just as important as protecting the company from outside hackers. 

Gaby Friedlander is the co-founder and CTO of ObserveIT. Gaby has built ObserveIT into an industry-leading provider of user activity recording and auditing technology in use by more than 800 corporations in 70+ countries. Connect with Gaby on Google+ or follow the company @ObserveIT.
