User monitoring

How User monitoring can increase safety of your organisation

Insider threat is a security threat to network assets and business data coming from company employees and contractors or partners with access to the network. Data breaches caused by employees are often unintentional, losing a company laptop or sending a document to a wrong address. Sometimes data breaches are caused by intentionally malicious employees. Data breaches caused by outsiders that are authorized to access networks are more intentional than accidental. The world famous case is Edward Snowden’s, he was an outside contractor for NSA and stole their data.

Unintentional data breaches are usually caught by DLP solutions. Intentional insider attacks are more sophisticated and harder to detect. For that we need other types of solutions, besides DLP. One is direct user activity monitoring. Another one is User & Entity Behavioral Monitoring or UEBA.

User monitoring is kind of like using video cameras to monitor production facilities, but it works in a digital world. A solution like ObserveIT monitors user sessions when they are connected to critical servers. A solution should support monitoring direct access through keyboard and monitor, meaning a monitoring agent must be installed on a server. And it should be capable of monitoring remote access like RDP or SSH, meaning it must sit somewhere where it intercepts traffic between the user and a server. A product that monitors a remote session from outside sees and records all the data sent between a user and a system, specially user input with keyboard and mouse, and system output or screen. All this data must be searchable, better solutions can also alert on suspicious activities. Products also create a kind of a video recording of what a complete user session, which a security analyst can replay to a detail. Intercepting remote session is a bit limited compared to monitoring sessions directly on a server. An agent on a server can gather more data, it has insight into internals of user actions and system responses. Besides input, output, the user desktop itself, it can also detect changes in the and activities background. Those are not directly seen in user command or output, but still happened, like – what system libraries were called, additional scripts that were run as a result of a command, memory access, files not appearing in command opened, deleted or changed, etc.