MIND THE GAP: INFRASTRUCTURE VS. USER-BASED MONITORING

LACK OF USER ACTIVITY MONITORING EXPOSES COMPANIES TO USER-BASED RISK

Although every organization wants to believe that all threats are external, the fastest-growing IT security risk actually stems from within: authorized users. Business users, IT users and contractors all need access to systems, applications and data to do their jobs, but these interactions are also one of the biggest sources of IT security risk. What’s more, most organizations are blind to these user-based risks and have no way to see what takes place in these user sessions as users interact with company assets.

[Figure: three user groups (Business Users, IT Users, Contractors) and the assets and roles involved: laptops, desktops, developers, network admins, Windows admins, root users, DBAs, system admins]

Given the increasing frequency of security incidents and data breaches in the news, it is clear that something must change. Traditional security ecosystems have focused on infrastructure and have failed to look at the actual user. To effectively address user-based risks, organizations must understand exactly what users are doing with company systems and data. Adding User Activity Monitoring to an organization’s existing security ecosystem fills this critical cyber-security gap and dramatically reduces the time it takes to identify and respond to suspicious user activity and data breaches.

TRADITIONAL SECURITY ECOSYSTEMS ARE BLIND TO USER-BASED RISKS

Most organizations rely on traditional IT security systems to protect data and detect breaches. These systems include log analyzers, security information and event management (SIEM) systems, intrusion detection systems (IDS) and intrusion prevention systems (IPS). The problem with these systems is that they process information coming from infrastructure/device logging, without a true understanding of what users are actually doing.
This represents a major security blind spot where most of today’s security incidents and data breaches occur undetected. These user-based risk blind spots are the result of three separate facts:

1. Logging data is only available from systems, devices and applications that generate logs. Because many critical user actions generate no logs at all, there is no data to analyze.

2. The available log data was designed mostly for debugging and tracking system changes, and is not suited to determining user behavior and intent. At best, logs can tell administrators that something happened at the system/infrastructure level, without any insight into actual user activity.

3. Logs can contain hundreds or thousands of discrete events in obscure technical language, making it nearly impossible for anyone but a top security expert with lots of time (and a specific purpose) to determine what a user actually did to generate those log events.

The truth is that security teams have little or no insight into what users are actually doing while they access critical applications, sensitive data or regulated systems. Meanwhile, research indicates that 69% of security incidents involve trusted insiders.*

* Verizon DBIR 2013 (VDBIR13)

[Figure: Risk spans Assets (Apps, Systems, Information) and People (Users); the people side is shown as the unknown]

In other words, even with SIEM, log management and IDS/IPS tools deployed, organizations still cannot quickly or easily answer “who’s doing what?” for business users, IT users or outside contractors. It is not surprising that costly data breaches are on the rise across nearly every industry.

REAL-WORLD EXAMPLES

Here are a few examples of common user activities that put a company at risk and that traditional security solutions simply cannot see:

ACCESSING A SENSITIVE CUSTOMER OR PATIENT RECORD

Users with access to sensitive customer/patient records pose a risk of abusing this data or leaking it to third parties, as we have seen with recent Ebola patients in Houston, TX.
System logs, however, record nothing about user actions within web applications (e.g., Salesforce, SAP). Even most local/VDI applications do not generate any logs at all. This makes it impossible to discover or audit who accessed, copied or modified sensitive data.

UNAUTHORIZED USE OF CLOUD APPS

One of the biggest risks companies face today is the proliferation of SaaS-based applications that any user can spin up and use: shadow IT. These applications can store and share huge amounts of data that fly completely under the radar of the security team. Discovering these apps, and more importantly who is using them and what they are being used for, is nearly impossible when looking only at infrastructure.

GRANTING SUDO RIGHTS TO A NON-AUTHORIZED UNIX/LINUX USER

Giving sudo rights to an account allows a user to access sensitive commands, services and data. Yet what appears in system event logs for this action? Using auditctl and ausearch, one can only see that the visudo command was run. Unfortunately, this logging is almost entirely technical in nature: one can see the working directory from which it was launched, its process ID, and the fact that it finished with a success return value. There is no indication of what rights were granted, or of what the user did once those rights were assigned.

CHANGING AN IIS WEBSERVER CONFIGURATION FILE

Changing the IIS webserver configuration file can affect server operation in numerous ways and can expose the server to security risks. During the 20 seconds it takes a user to make a change, Windows logs 6,000 system events. The closest the log entries come to indicating that this file was changed is a single entry showing that "web.config" was added to the "Recent Files" list in Windows!

THE SOLUTION: USER ACTIVITY MONITORING

Adding User Activity Monitoring to your security ecosystem will significantly improve your organization’s ability to rapidly detect and respond to security incidents.
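Returning to the sudo example above: the audit trail shows only that visudo ran, not which rights changed. The following Python script is an added example, not part of this paper or of any product it describes; it recovers that missing information by diffing the user specifications in two snapshots of /etc/sudoers, and the two snapshots it uses are constructed sample data.

```python
"""Recover what a sudoers edit granted (added example, not the paper's code).
auditd records only that visudo ran; diffing two sudoers snapshots names the
account, host, run-as identity and commands that were added or removed."""
import re

# Constructed sample: sudoers content before and after an administrator edit.
SUDOERS_BEFORE = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""
SUDOERS_AFTER = """\
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/journalctl
bob     ALL=(ALL) ALL
"""

# user  host = (runas) [TAG:] command[, command...]
SPEC_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


def parse_user_specs(text):
    """Return the set of (user, host, runas, command) grants in a sudoers text."""
    grants = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()            # drop comments
        if not line or re.match(r"^(Defaults|\w+_Alias)\b", line):
            continue                                    # carries no grant
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        runas = runas or "root"     # sudo's runas_default when no (runas) is given
        for cmd in cmds.split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # strip NOPASSWD: etc.
            if cmd:
                grants.add((user, host, runas, cmd))
    return grants

def diff_grants(before, after):
    """Return (added, removed) grants between two sudoers snapshots, sorted."""
    old, new = parse_user_specs(before), parse_user_specs(after)
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    for tag, grants in zip(("GRANTED", "REVOKED"), diff_grants(SUDOERS_BEFORE, SUDOERS_AFTER)):
        for g in grants:
            print(tag, *g)
```

Run against the two constructed snapshots, it reports that alice gained /usr/bin/journalctl as root and that bob was granted ALL, which is exactly the information the visudo audit record lacks.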
With User Activity Monitoring, IT administrators and security staff get a clear, easy-to-understand picture of exactly what happened, whether in response to an alert or during an investigation. User Activity Monitoring uses screen-recording and analysis technology to capture all user activity, regardless of environment or access method (local/remote), and to generate alerts for suspicious activity. Beyond providing video playback of all user activity, User Activity Monitoring leverages visual interpretation technology to turn the screen-capture recordings into plain-English user activity logs that can be easily searched, analyzed, prioritized, audited and acted upon. This enables security teams to rapidly detect and respond to the threats of account hijacking, stolen passwords, remote vendor access and insider actions from either negligent or malicious users.

[Figure: Corporate server; apps, keystrokes and clicks are captured; monitor desktops & servers]

In other words, instead of inferring user actions from infrastructure data, User Activity Monitoring focuses on actual user activity. This ability to track and understand user activity enables organizations to benefit from an open business environment while protecting their intellectual property and customer data.

“If you want to know exactly what happened in your systems, event log monitoring isn't enough. User Activity Monitoring shows you exactly what happened: who did what and when.”
– Senior System Analyst

THE IMPORTANCE OF USER ACTIVITY MONITORING

For most organizations, knowing what users are actually doing on their servers is a missing vantage point that can no longer be ignored. In fact, 69% of reported security incidents involve a trusted insider:

IT Users – System administrators, DBAs and other IT users, with their broad access to sensitive data and systems, pose a serious risk to every organization.
While it is important to restrict all user access rights to the bare minimum required to perform their duties (“separation of duties”), it remains inevitable that numerous IT users will need access rights that represent a security opening requiring careful monitoring.

Business Users – 84% of insider-based security incidents involve everyday business users, people with no administrator rights. In large organizations, thousands of such users need access to critical applications and data every day. To prevent and mitigate data breaches, it is critical to be able to quickly identify suspicious or out-of-policy business user behavior.

Contractors – Almost every organization relies on outsourced contractors to provide a variety of business-critical functions: IT system and infrastructure management, application development, quality control, billing, business processing and many more. These third-party vendors often require access to sensitive servers, applications and data. It has become critical for the organization to know exactly what data, applications and systems these third-party vendors accessed and what they did during that access.

CONCLUSION

Given the shortcomings commonly experienced with traditional infrastructure logging, it is imperative that organizations add an understanding of what their users are doing, and the associated risks, to their existing security ecosystem. User-based threats are a major and growing security concern that requires a new, user-centric monitoring approach. This user-centric approach is important not only for rapid response to breaches but is also a critical element in proactively identifying the underlying behaviors that lead to data breaches. Infrastructure monitoring is an important management tool that has its uses in security monitoring, but alone it falls short in addressing user-based threats.
Organizations need to bring user-focused security monitoring front and center in their security and risk management strategy by adding User Activity Monitoring to their existing security architecture.

www.observeit.com