Privileged users are an essential part of any organization. They know all the biggest company secrets and have access to the most vulnerable parts of the corporate network. At the same time, the 2019 Verizon Data Breach Investigations Report names privilege abuse as the leading cause of data breaches within the misuse category. The more privileges a user is assigned, the more closely they should be monitored.
Furthermore, privileged user monitoring (PUM) is a requirement of multiple laws, regulations, and standards, including PCI DSS, SOX, NIST SP 800-171 Revision 2, NIST SP 800-53, and HIPAA. In this post, we discuss how to monitor user activity in Windows and other platforms and describe eight privileged user monitoring best practices for improving the protection of your critical assets and mitigating cybersecurity risks.
Reasons for monitoring privileged users
Knowledge is the key to successful data protection.
Every organization has two main groups of users: privileged users and regular users. Privileged users are accounts or roles whose access rights and permissions exceed those of other users.
While activity monitoring should be applied to both regular and privileged users, the reasons for watching each group differ. Regular users, i.e. general staff, are usually monitored to:
- analyze employee performance
- improve work efficiency
- secure sensitive data
- mitigate insider and outsider threats
- meet compliance requirements
On the other hand, as privileged users have access to sensitive data and systems, they’re often watched to:
- know who can access what
- see what changes are made in the system
- protect sensitive data and critical systems
- mitigate outsider and insider threats
- meet compliance requirements
Whereas regular users are often monitored to evaluate their performance, privileged users are watched closely to make sure they don’t misuse their privileges. Let’s consider the eight best practices for monitoring privileged user access.
8 ways to improve privileged user monitoring
Even one small action can make a difference.
Today’s user activity monitoring solutions and approaches are quite flexible, allowing you to focus on what matters most. But there’s always room for improvement. We’ve prepared eight best practices of privileged user monitoring that can help make your cybersecurity routines more efficient and productive.
1. Forget about partial monitoring
User activity monitoring is resource-consuming. You need to gather extensive amounts of all kinds of information, transfer it from monitored endpoints to a server or cloud, and store it. And the more users you need to watch, the more resources you need to spend. This is why many organizations choose partial monitoring, only keeping an eye on specific types of data, systems, events, and activities.
However, when it comes to privileged users, halfway measures are a poor choice. As these users have constant and nearly unlimited access to the most valuable parts of your corporate network, you need to closely watch every action they take.
When given a choice, go for a solution that records data in lightweight formats, such as screenshots or video recordings. Being able to search through such records is also a plus.
2. Say no to unlimited privileges
It’s vital to remember that the more privileges you assign to someone, the more devastating the consequences of their misuse. Cyber attackers often target privileged accounts, as they hold the keys to valuable information. Therefore, it would be wise to set additional limitations for accessing your most valuable systems and data.
There are several approaches you should consider implementing: the principle of least privilege, the zero trust security model, just-in-time PAM, and so on. The key is to make sure that even for privileged users, access permissions aren’t limitless and permanent.
3. Get rid of shadow admins
It’s not rare for a privileged user to be able to assign the same or a lower level of privileges to another user. However, such assignments aren’t always properly monitored and managed. Accounts that have the same access permissions as admins but aren’t included in well-known and properly monitored admin groups (e.g., Domain Admins) are usually called shadow admins.
Poorly monitored and managed accounts with admin access rights pose a significant danger. The 2019 Verizon Data Breach Investigations Report even lists adminware utilities among the top 15 causes of data breaches. This is why full visibility of all privileged accounts is essential to an organization’s cybersecurity.
It’s crucial to pay attention not only to the activity of privileged accounts but also to their creation and deletion. Look for solutions that can analyze all network accounts and discover those with admin-level permissions. Once you’ve discovered all privileged accounts, make sure to delete unused ones and configure the rest in a way that makes delegating a user’s privileges or creating new shadow admins impossible.
4. Prohibit basic authentication practices
User authentication can be executed at different levels. The most basic and widely used requires entering only a standard login and password pair. Another popular variation is multi-factor authentication (MFA), where users’ identities are confirmed based on at least two out of three factors: something they know, something they possess, or something they are.
Many organizations implement MFA into their daily routines, hoping it will decrease the risk of account compromise and secure their sensitive data. The problem is that when given a choice, people tend to walk the easy road. For instance, in 2018, Google reported that for more than 90% of active Gmail accounts, the MFA option wasn’t used. And according to the 2020 State of Password and Authentication Security Behaviors Report by the Ponemon Institute, 56% of those who use mobile devices for work purposes still don’t enable MFA.
Therefore, it would be wise to make MFA obligatory, at least for the most critical systems, applications, and services.
5. Watch for unapproved remote logins
From 2015 to 2020 in the US, the number of people working remotely grew 44%. But as the popularity of remote work grows, so does the number of related security concerns. Organizations provide different groups of users with remote access to their data: regular employees, part-time workers, subcontractors. And if these users have access to any kind of sensitive information within your network, they must be closely monitored.
For privileged users, you should monitor and record remote desktop protocol (RDP) sessions just as you do local sessions. Also, consider setting strict rules specifying the systems and data for which remote logins are allowed, and creating whitelists of permitted IP or MAC addresses.
6. Make changing logs and records impossible
Depending on the scale of their permissions, privileged users might be able to alter or delete various logs and records. At the network level, this concern can be addressed by providing unrestricted access to system logs only to a specific role or a strictly limited circle of users.
But when it comes to choosing a user activity monitoring solution, it’s important to pick one in which altering gathered logs or generated reports is impossible by default. Only then can you be sure that records haven't been tampered with.
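One way a monitoring solution can make silent edits to gathered records detectable is to chain every record to the hash of the one before it. The following is an added illustration, not Ekran System code; the key name, record fields and log entries are constructed for the example.

```python
# Added example (not Ekran System code): a hash-chained audit log, one way to
# make after-the-fact edits to gathered records detectable.
import hashlib
import hmac
import json

# Constructed secret; in practice it is held by the collector, not the monitored host.
CHAIN_KEY = b"constructed-demo-key"

def _digest(prev_hash: str, record: dict) -> str:
    """HMAC over the previous entry's hash and the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(CHAIN_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()

def append(chain: list, record: dict) -> list:
    """Append a record, linking it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else "0" * 64
    chain.append({"record": record, "hash": _digest(prev_hash, record)})
    return chain

def verify(chain: list):
    """Return (True, None) if every link checks out, else (False, index of first bad entry)."""
    prev_hash = "0" * 64
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(entry["hash"], _digest(prev_hash, entry["record"])):
            return False, i
        prev_hash = entry["hash"]
    return True, None

def build_sample_chain() -> list:
    """Constructed privileged-session records for the demonstration."""
    chain = []
    append(chain, {"ts": "2024-03-04T02:31:45", "user": "dbadmin", "event": "rdp_login", "host": "db01"})
    append(chain, {"ts": "2024-03-04T02:33:10", "user": "dbadmin", "event": "file_open", "path": "/srv/payroll.db"})
    append(chain, {"ts": "2024-03-04T02:40:00", "user": "dbadmin", "event": "logout", "host": "db01"})
    return chain

def tamper_demo() -> tuple:
    """Rewrite the middle record after the fact; verification pinpoints the entry."""
    chain = build_sample_chain()
    chain[1]["record"]["path"] = "/tmp/nothing-to-see"
    return verify(chain)
```

Deleting entries from the tail is not caught by this check alone, so the latest hash should also be anchored somewhere the monitored users cannot reach.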
7. Watch for anomalies
When a wolf hides in sheep’s clothing, it still continues acting like a wolf. The behavior of a legitimate user differs significantly from the behavior of an outside attacker or malicious insider. Common examples of user behavior anomalies include:
- Logging in or out of the system at unusual hours
- Attempting to access unused or restricted systems
- Starting suspicious software
- Connecting suspicious removable devices
- Uploading large volumes of data to unknown destinations
User and entity behavior analytics (UEBA) is one technology that can be used for detecting the abnormal behavior of network users. It builds a baseline behavior profile for every user or entity in the system. Then, based on these profiles, it analyzes user and entity activity and distinguishes normal (safe) actions from abnormal (potentially dangerous) ones.
Consider implementing such technology for catching any anomalies in the actions of your privileged users.
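As an added illustration of the baseline-then-compare approach described above (not Ekran System code), the script below learns each user's usual login hours and hosts from a constructed log and then flags later events that fall outside that profile; the users, hosts and timestamps are all constructed.

```python
# Added example (not Ekran System code): a minimal UEBA-style baseline check
# over constructed "timestamp,user,host,action" log lines.
from collections import defaultdict
from datetime import datetime

# Constructed training log: what the privileged user normally does.
BASELINE_LOG = """\
2024-03-01T09:02:11,dbadmin,db01,login
2024-03-01T17:48:03,dbadmin,db01,logout
2024-03-02T08:55:40,dbadmin,db02,login
2024-03-02T18:03:17,dbadmin,db02,logout
"""
# Constructed new events to evaluate against the baseline.
NEW_EVENTS = """\
2024-03-04T09:05:00,dbadmin,db01,login
2024-03-04T02:31:45,dbadmin,db01,login
2024-03-04T02:33:10,dbadmin,hr-fileserver,login
2024-03-04T02:40:00,svc_backup,db01,login
"""

def parse(log):
    """Yield (datetime, user, host, action) tuples from the CSV-like log."""
    for line in log.strip().splitlines():
        ts, user, host, action = line.split(",")
        yield datetime.fromisoformat(ts), user, host, action

def build_profiles(log):
    """Per-user baseline: hours at which the user logged in, and hosts used."""
    profiles = defaultdict(lambda: {"hours": set(), "hosts": set()})
    for ts, user, host, action in parse(log):
        if action == "login":
            profiles[user]["hours"].add(ts.hour)
        profiles[user]["hosts"].add(host)
    return dict(profiles)

def find_anomalies(profiles, events, slack=1):
    """Return (timestamp, user, reason) for events outside the user's baseline:
    a login hour more than `slack` hours from every baseline hour, or a new host."""
    findings = []
    for ts, user, host, action in parse(events):
        prof = profiles.get(user)
        if prof is None:
            findings.append((ts.isoformat(), user, "no baseline for this user"))
            continue
        if action == "login" and all(abs(ts.hour - h) > slack for h in prof["hours"]):
            findings.append((ts.isoformat(), user, f"login at unusual hour {ts.hour:02d}:00"))
        if host not in prof["hosts"]:
            findings.append((ts.isoformat(), user, f"first access to host {host}"))
    return findings
```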
8. Never take a break
Last but not least, privileged user monitoring should never be treated as a one-time event. When executed only periodically, user activity monitoring can’t ensure full visibility of a user’s actions or properly protect critical data.
PUM is a continuous process, and it should be constantly improved. Make sure to revise your privileged user monitoring and management routines and enhance them with up-to-date technologies and solutions.
Monitor privileged users with Ekran System
Ekran System is the ultimate platform for monitoring all types of users and managing access to critical systems, applications, and data. It works perfectly for monitoring privileged users, as it provides a rich set of user activity monitoring functionalities, including:
- continuous monitoring of all servers (including jump servers), endpoints, and remote workstations
- context-rich recording of local, terminal, SSH, and RDP sessions in searchable video and audio formats
- monitoring and management of connected USB devices, including flash drives and USB modems
- gathering of additional data such as names of launched applications and opened files, visited URLs, and entered keystrokes using keystroke logging solutions
- responding to cybersecurity incidents with custom alerts, real-time notifications, and termination or blockage of suspicious users and processes
- creating detailed reports and exporting them for forensic investigation
All these capabilities are essential for keeping an eye on your most important assets. They are also important for meeting SOX, HIPAA, PCI DSS, and other compliance requirements for privileged user monitoring. Additionally, Ekran System offers a wide selection of PAM features and third-party vendor monitoring functionality.
Privileged users play an essential part in an organization’s lifecycle. People assigned elevated access rights work with sensitive data, critical systems, and valuable assets. Therefore, they should be monitored thoroughly.
Ekran System is an insider threat management platform for monitoring and managing privileged users and accounts, regular users, and third-party vendors. Get a 30-day trial and boost the protection of your corporate network today.