Like most insurance companies, AIG Israel Insurance Company Ltd. faces strict compliance regulations and security standards. To meet those standards, it was using auditing software to track server configurations and Active Directory changes. But when a user's error knocked one of its systems out, the company realized it couldn't just rely on securing its assets. User activity monitoring was needed, too.
One of AIG's provider partners mistakenly added a space to a configuration file, a simple error that went under the radar until services crashed, leaving AIG scrambling to find the root of the problem. "We saw that it makes sense to deploy [user activity monitoring] … because these things happen. We are human, after all," said Snir Hoffman, infrastructure architect at AIG Israel.
Stories like AIG's are not unique. While enterprises regularly secure assets -- like servers and corporate data -- user activity monitoring hasn't historically been a priority. But high-profile security breaches are causing many businesses to think about where they are leaving their networks exposed. Whether it's a result of inattention by the user or intentional, nefarious activity, 69% of security incidents involve a trusted company insider, according to a recent report by research firm Enterprise Management Associates Inc. based in Boulder, Colo. Of these incidents, 84% involve business users who don't have administrative privileges. And because user data is often the primary target for many attacks, these numbers are on the rise, said David Monahan, the EMA research director who wrote the report.
While insider access can be a major source of security risk, businesses still need to trust their users, and can feel more at ease with user activity monitoring tools as a part of their overall security strategy, Monahan said.
User activity monitoring needed alongside asset monitoring
Most enterprises are focused on the risk associated with certain assets, like which servers and applications are critical for employees and where sensitive data resides. But many breaches occur through the misuse of legitimate user credentials, which asset protection technologies are unable to see, said Dimitri Vlachos, vice president of marketing for ObserveIT, a Boston-based security vendor.
"There is a huge number of regular, Average Joe users who aren't being heavily monitored or watched -- this is a huge delta, and requires a huge shift in our mentality," EMA's Monahan said.
ObserveIT, which commissioned the EMA survey, offers user activity monitoring software. The technology can help IT professionals identify the level of risk they have with different user groups -- like internal users, contractors, and administrators -- and provides ways to manage and mitigate user-based risks, Vlachos said. "Security threats generated from users have become a real problem, and the traditional ways of looking at security can't address these risks," he said.
Traditional security tools -- like log management and security information and event management (SIEM) products -- can help businesses understand their systems, but they won't give IT teams any insight into what users are doing, or whether any of those activities are atypical. ObserveIT's tools record user-based activities and create searchable logs of users, applications accessed, and activities carried out within the applications, Vlachos said.
AIG Israel uses ObserveIT user activity monitoring software in its central data center as part of its network security strategy. The company has created a virtual desktop infrastructure environment, in which every provider partner has its own Windows 7 workstation that is centrally monitored. ObserveIT also monitors AIG's own systems administrators.
The latest version of ObserveIT allows enterprises to monitor users in real time, a capability that Hoffman and his team plan to roll out and integrate with their existing security infrastructure. "It would be nice to be able to set rules -- like if someone opens a certain file or accesses a certain location, an alert can be sent right away because that's not supposed to happen, and we wouldn't have to go back to the logs," Hoffman said.
User activity monitoring is not an exact science
Regardless of the security technology or process that may be in place, it can still be challenging to know for sure whether a user's identity has been compromised. Even the best security system can have a hard time telling whether certain activity is suspicious or whether the user is lawfully accessing applications or data that he or she typically uses.
But user activity monitoring software can help identify if a remote session was initiated for a certain user, or if there are unrelated activity paths occurring at the same time for one user, EMA's Monahan said.
Hoffman and his team would also be able to see through the historical data collected by ObserveIT if a user's credentials had been used fraudulently. They are able to determine which activities or work was performed and which workstation was used, as well as if the same user was logged in at the same time on another workstation, he said.
"We can see very specific timelines. We can search by the workstation, and even go to the user in question to ask why they were using another user's credentials if we had to," he said. The system also generates an alert to users that tells them their activity is being recorded. "This warning makes [the user] think twice, and [they] are much more careful about what they do," Hoffman said.
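As an added example (not ObserveIT's code, and not its log format), the two checks Hoffman and Monahan describe, written in Python over constructed session and file-access records: flagging one account with overlapping sessions on two different workstations, and a rule alert when a watched location is accessed.

```python
# Constructed example, not ObserveIT code: flag one account active on two
# workstations at once, and alert on access to a watched location.
from dataclasses import dataclass
from datetime import datetime
from itertools import combinations

@dataclass(frozen=True)
class Session:
    user: str
    workstation: str
    start: datetime
    end: datetime

def parse_sessions(lines):
    """Parse constructed 'user,workstation,start,end' rows (ISO timestamps)."""
    out = []
    for line in lines:
        user, ws, start, end = (f.strip() for f in line.split(","))
        out.append(Session(user, ws, datetime.fromisoformat(start),
                           datetime.fromisoformat(end)))
    return out

def concurrent_logins(sessions):
    """(user, ws_a, ws_b) wherever one user's sessions overlap in time on two
    different workstations; a reconnect on the same workstation is not flagged."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    findings = set()
    for user, sess in by_user.items():
        for a, b in combinations(sess, 2):
            overlap = a.start < b.end and b.start < a.end
            if overlap and a.workstation != b.workstation:
                findings.add((user, *sorted((a.workstation, b.workstation))))
    return sorted(findings)

def watched_path_alerts(events, watched_prefixes):
    """Rule check: alert on any 'user,path' access under a watched prefix."""
    rows = (tuple(f.strip() for f in e.split(",")) for e in events)
    return [(u, p) for u, p in rows
            if any(p.lower().startswith(w.lower()) for w in watched_prefixes)]

# Constructed sample data: jdoe's two sessions overlap on different workstations.
SESSION_LOG = [
    "jdoe,WS-101,2015-03-02T09:00,2015-03-02T12:00",
    "jdoe,WS-207,2015-03-02T10:30,2015-03-02T11:00",
    "asmith,WS-150,2015-03-02T09:00,2015-03-02T17:00",
    "asmith,WS-150,2015-03-02T09:30,2015-03-02T10:00",
]
WATCHED = [r"\\fileserver\hr"]
EVENT_LOG = [r"jdoe,\\fileserver\hr\salaries.xlsx", r"asmith,\\fileserver\public\readme.txt"]
```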