User activity monitoring

Last updated

In the field of information security, user activity monitoring (UAM) or user activity analysis (UAA) is the monitoring and recording of user actions. UAM captures user actions, including the use of applications, windows opened, system commands executed, checkboxes clicked, text entered/edited, URLs visited and nearly every other on-screen event to protect data by ensuring that employees and contractors are staying within their assigned tasks, and posing no risk to the organization.

Contents

User activity monitoring software can deliver video-like playback of user activity and process the videos into user activity logs that keep step-by-step records of user actions that can be searched and analyzed to investigate any out-of-scope activities. [1]

Issues

The need for UAM rose due to the increase in security incidents that directly or indirectly involve user credentials, exposing company information or sensitive files. In 2014, there were 761 data breaches in the United States, resulting in over 83 million exposed customer and employee records. [2] With 76% of these breaches resulting from weak or exploited user credentials, UAM has become a significant component of IT infrastructure. [3] The main populations of users that UAM aims to mitigate risks with are:

Contractors

Contractors are used in organizations to complete information technology operational tasks. Remote vendors that have access to company data are risks. Even with no malicious intent, an external user like a contractor is a major security liability.

Users

70% of regular business users admitted to having access to more data than necessary. Generalized accounts give regular business users access to classified company data. [4] This makes insider threats a reality for any business that uses generalized accounts.

IT users

Administrator accounts are heavily monitored due to the high-profile nature of their access. However, current log tools can generate “log fatigue” on these admin accounts. Log fatigue is the overwhelming sensation of trying to handle a vast amount of logs on an account as a result of too many user actions. Harmful user actions can easily be overlooked with thousands of user actions being compiled every day.

Overall risk

According to the Verizon Data Breach Incident Report, “The first step in protecting your data is in knowing where it is and who has access to it.” [2] In today's IT environment, “there is a lack of oversight and control over how and who among employees has access to confidential, sensitive information.” [5] This apparent gap is one of many factors that have resulted in a major number of security issues for companies.

Components

Most companies that use UAM usually separate the necessary aspects of UAM into three major components.

Visual forensics

Visual forensics involves creating a visual summary of potentially hazardous user activity. Each user action is logged, and recorded. Once a user session is completed, UAM has created both a written record and a visual record, whether it be screen captures or video of exactly what a user has done. This written record differs from that of a SIEM or logging tool, because it captures data at a user-level not at a system level –providing plain English logs rather than SysLogs (originally created for debugging purposes). These textual logs are paired with the corresponding screen-captures or video summaries. Using these corresponding logs and images, the visual forensics component of UAM allows for organizations to search for exact user actions in case of a security incident. In the case of a security threat, i.e. a data breach, Visual forensics are used to show exactly what a user did, and everything leading up to the incident. Visual Forensics can also be used to provide evidence to any law enforcement that investigate the intrusion.

User activity alerting

User activity alerting serves the purpose of notifying whoever operates the UAM solution to a mishap or misstep concerning company information. Real-time alerting enables the console administrator to be notified the moment an error or intrusion occurs. Alerts are aggregated for each user to provide a user risk profile and threat ranking. Alerting is customizable based on combinations of users, actions, time, location, and access method. Alerts can be triggered simply such as opening an application, or entering a certain keyword or web address. Alerts can also be customized based on user actions within an application, such as deleting or creating a user and executing specific commands.

User behavior analytics

User behavior analytics add an additional layer of protection that will help security professionals keep an eye on the weakest link in the chain. By monitoring user behavior, with the help of dedicated software that analyzes exactly what the user does during their session, security professionals can attach a risk factor to the specific users and/or groups, and immediately be alerted with a red flag warning when a high-risk user does something that can be interpreted as a high-risk action such as exporting confidential customer information, performing large database queries that are out of the scope of their role, accessing resources that they shouldn't be accessing and so forth.

Features

Capturing activity

UAM collects user data by recording activity by every user on applications, web pages and internal systems and databases. UAM spans all access levels and access strategies (RDP, SSH, Telnet, ICA, direct console login, etc.). Some UAM solutions pair with Citrix and VMware environments.

User activity logs

UAM solutions transcribe all documented activities into user activity logs. UAM logs match up with video-playbacks of concurrent actions. Some examples of items logged are names of applications run, titles of pages opened, URLs, text (typed, edited, copied/pasted), commands, and scripts.

Video-like playback

UAM uses screen recording technology that captures individual user actions. Each video-like playback is saved and accompanied by a user activity log. Playbacks differ from traditional video playback to screen scraping, which is the compiling of sequential screen shots into a video-like replay. The user activity logs combined with the video-like playback provides a searchable summary of all user actions. This enables companies to not only read, but also view exactly what a particular user did on company systems.

Privacy

Whether user activity monitoring would jeopardize one's privacy depends on how privacy is defined under different theories. While in "control theory", privacy is defined as the levels of control that an individual has over his or her personal information, the "unrestricted access theory" defines privacy as the accessibility of one's personal data to others. Using the control theory, some argues that the monitoring system decreased people's control over information, and therefore, regardless of what whether the system is actually put into use, will lead to a loss of privacy. [6]

Audit and compliance

Many regulations require a certain level of UAM while others only require logs of activity for audit purposes. UAM meets a variety of regulatory compliance requirements (HIPAA, ISO 27001, SOX, PCI etc....). UAM is typically implemented for the purpose of audits and compliance, to serve as a way for companies to make their audits easier and more efficient. An audit information request for information on user activity can be met with UAM. Unlike normal log or SIEM tools, UAM can help speed up an audit process by building the controls necessary to navigate an increasingly complex regulatory environment. The ability to replay user actions provides support for determining the impact on regulated information during security incident response.

Appliance vs. software

UAM has two deployment models. Appliance-based monitoring approaches that use dedicated hardware to conduct monitoring by looking at network traffic. Software-based monitoring approaches that use software agents installed on the nodes accessed by users.

More commonly, software requires the installation of an agent on systems (servers, desktops, VDI servers, terminal servers) across which users you want to monitor. These agents capture user activity and reports information back to a central console for storage and analysis. These solutions may be quickly deployed in a phased manner by targeting high-risk users and systems with sensitive information first, allowing the organization to get up and running quickly and expand to new user populations as the business requires.

See also

Related Research Articles

An audit trail is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device. Audit records typically result from activities such as financial transactions, scientific research and health care data transactions, or communications by individual people, systems, accounts, or other entities.

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored. Data can then be retrieved by the person operating the logging program. A keystroke recorder or keylogger can be either software or hardware.

Computer and network surveillance is the monitoring of computer activity and data stored locally on a computer or data being transferred over computer networks such as the Internet. This monitoring is often carried out covertly and may be completed by governments, corporations, criminal organizations, or individuals. It may or may not be legal and may or may not require authorization from a court or other independent government agencies. Computer and network surveillance programs are widespread today and almost all Internet traffic can be monitored.

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes. Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural or administrative, and physical.

Employee monitoring software, also known as bossware or tattleware, is a means of employee monitoring, and allows company administrators to monitor and supervise all their employee computers from a central location. It is normally deployed over a business network and allows for easy centralized log viewing via one central networked PC. Sometimes, companies opt to monitor their employees using remote desktop software instead.

Security controls are safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. In the field of information security, such controls protect the confidentiality, integrity and availability of information.

A data breach, also known as data leakage, is "the unauthorized exposure, disclosure, or loss of personal information".

Employee monitoring is the surveillance of workers' activity. Organizations engage in employee monitoring for different reasons such as to track performance, to avoid legal liability, to protect trade secrets, and to address other security concerns. This practice may impact employee satisfaction due to its impact on the employee's privacy. Among organizations, the extent and methods of employee monitoring differ.

<span class="mw-page-title-main">Continuous auditing</span>

Continuous auditing is an automatic method used to perform auditing activities, such as control and risk assessments, on a more frequent basis. Technology plays a key role in continuous audit activities by helping to automate the identification of exceptions or anomalies, analyze patterns within the digits of key numeric fields, review trends, and test controls, among other activities.

Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.

Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

LUARM is an Open Source experimental live digital forensics engine that produces audit data that facilitate insider threat specification as well as user action computer forensic functionality for the Linux operating system. It is designed to log in detail user activities into a simple Relational Database Management System (RDBMS) schema. MySQL is used for the relational backend although the schema could be easily converted to PostgreSQL and other popular relational databases. LUARM is written in Perl and provides a near real-time snapshot of file access, process/program execution and network endpoint user activities organized in well-defined relational table formats. The purposes are:

Computer surveillance in the workplace is the use of computers to monitor activity in a workplace. Computer monitoring is a method of collecting performance data which employers obtain through digitalised employee monitoring. Computer surveillance may nowadays be used alongside traditional security applications, such as closed-circuit television.

In the Matter of TRENDnet, Inc., F.T.C. File No. 122-3090, is the first legal action taken by the Federal Trade Commission (FTC) against "the marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the Internet of things." The FTC found that TRENDnet had violated Section 5(a) of the Federal Trade Commission Act by falsely advertising that IP cameras it sold could transmit video on the internet securely. On January 16, 2014 the FTC issued a Decision and Order obliging TRENDnet, among other things, to cease misrepresenting the extent to which its products protect the security of live feeds captured and the personal information that is accessible through those devices.

The following outline is provided as an overview of and topical guide to computer security:

Corporate surveillance describes the practice of businesses monitoring and extracting information from their users, clients, or staff. This information may consist of online browsing history, email correspondence, phone calls, location data, and other private details. Acts of corporate surveillance frequently look to boost results, detect potential security problems, or adjust advertising strategies. These practices have been criticized for violating ethical standards and invading personal privacy. Critics and privacy activists have called for businesses to incorporate rules and transparency surrounding their monitoring methods to ensure they are not misusing their position of authority or breaching regulatory standards.

A cloud access security broker (CASB) is on-premises or cloud based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies. A CASB can offer services such as monitoring user activity, warning administrators about potentially hazardous actions, enforcing security policy compliance, and automatically preventing malware.

References

  1. "What is User Activity Monitoring Software?". ActivTrak. February 17, 2019. Retrieved March 5, 2019.
  2. 1 2 "Data Breach Reports" (PDF). Identity Theft Resource Center. December 31, 2014. Retrieved January 19, 2015.
  3. "2014 Data Breach Investigation Report". Verizon. April 14, 2014. Retrieved January 19, 2015.
  4. "Virtualisation: Exposing the Intangible Enterprise". Enterprise Management Associates. August 14, 2014. Retrieved January 19, 2015.
  5. "Corporate Data: A Protected Asset or a Ticking Time Bomb?" (PDF). Ponemon Institute. December 2014. Retrieved January 19, 2015.
  6. Martin, Kirsten; Freeman, R. Edward (April 1, 2003). "Some Problems with Employee Monitoring". Journal of Business Ethics. 43 (4): 353–361. doi:10.1023/A:1023014112461. ISSN   1573-0697.