Historically, many organizations and personnel have been concerned about user activity monitoring (UAM). Certain business cultures feel that these activities are an invasion of privacy or are distrustful. However, in today’s Internet connected, data driven world, having specific information or data means the difference in being a market leader and being out of business.

Identifying threats to employees and organizational information is key to maintaining confidentiality, integrity and availability. Maintaining the confidentiality, integrity and availability of information is paramount for business success.   This is a natural thought process—to protect themselves, organizations have to protect their personnel, and the malware explosion is a direct threat to organizations through their personnel. Drive by and other malicious downloads are distributed through malicious websites, file sharing, and other means to get into an environment. Organizations and specific roles or individuals are directly targeted by phishing and spear phishing campaigns. Nation states, organized crime syndicates, and politically motivated groups are on the hunt to both gather data and bring systems to ruin to meet their own goals with no remorse as to the personal or business consequences.

Though I have set a grim tone, I don’t believe these problems are insurmountable. I do however think that user activity monitoring can play a key role in protecting both employees and organizations. UAM does not need to be constant over-the-shoulder or big-brother monitoring. It is not designed to lay in wait for an employee to mess up. It is designed to look for activities that are anomalous or indicative of malicious intent. UAM doesn’t care whether the malicious activity is machine or human driven, and therefore it protects the employee against both malware and human theft of identity.

These are core use cases for data and employee protection. Once malware invades, it utilizes someone’s identity to move laterally in the environment to collect and exfiltrate information or to access target systems for disruptive activities. This will also protect the real user when presented with a situation where credentials are stolen by a real person and used outside of the owners’ knowledge, such as the situation created by Edward Snowden . Proper UAM maintains the activity chains associated with the identity it can show that the trusted employee was not really the perpetrator of the malicious activity.

The data collected by UAM can be highly personal and is definitely organizationally sensitive, so controlling access to the collected data is critical to ensuring both privacy and trust are maintained. UAM must have strong access controls to avoid corporate stalking or other misuses that can significantly impact both the personnel and the organization. This must be balanced with speed of access so incidents and issues can be investigated quickly. The best operational balance for this is by utilizing alerting for key events. This way personnel are not expected to troll the data looking for incidents which is both a waste of their time when nothing is happening and a potential threat for information exposure issues.

Lastly, UAM is a powerful audit and compliance tool. It provides details on activities to validate auditor requirements of who has access to controlled or protected environments and the activities of those who used the access. Having been part of multiple audits, I can say that having this level of information and having it in one place is a huge gain in confidence and time. The auditors can get more than they generally require and I as the auditee can provide it in record time so my team and I can get back to our normal jobs faster.

UAM is a technology whose time has come. Proper controls on access and data prevent big brother from raising its ugly head while alerting on policy-based activities laser focuses security and administrators on issues needing their attention while reducing possible trust and privacy violations.

Later this month I will be participating in a live panel discussion with Peter Hesse, Michael Santarcangelo, and Gabriel Friedlander to discuss “The Risk of Data Exposure through Application Usage”

  • Thursday, March 26 at 1:00 PM EST (17:00:00 UTC)

You can register for the webcast by going to the following link: https://www.sans.org/webcasts/live-panel-discussion-risk-data-exposure-application-usage-99427