The Essential Guide to Privileged Activity Monitoring

Key Security Risks related to Privileged Users

“78% of large organizations were attacked by an unauthorized outsider in the UK, in 2012.” – Information Security Breaches Survey 2013


Business users accessing sensitive data
Privileged users are a potential security risk in many situations. At most companies, users at different organizational levels can directly access and manipulate the most sensitive information, such as CRM data, personnel records or credit card numbers. These users range from legal department employees and HR managers to accountants and customer service staff. Through data loss or leakage incidents, these business users can cause great damage to the reputation of your company.

Superusers accessing “everything”
Beyond privileged business users, there are several superusers, such as administrators, IT contractors or C-level managers, who have practically unrestricted and uncontrolled access to the information assets of your company. While most employees are trustworthy, there are always employees who abuse the trust placed in them, and superusers are no exception. These users can intentionally, or accidentally, perform harmful actions in your IT systems that can cause great damage to your business. The above news about a sub-contractor technician who stole $1 million from the Bank of New York is just one of many examples.

Insufficient monitoring of user actions
In many cases, business applications such as legacy systems or custom-developed applications are not capable of sufficient logging. Log management and SIEM tools are good at presenting event data, but they also have limitations, such as:

• Hundreds of critical security event types (e.g. configuration of firewall rules) are not logged at all.
• Those events that are logged typically do not show what was really done.
• Many times, the logs only show obscure technical details about security events.

Consequently, traditional logging has limitations in tracing what your users do in the applications; moreover, a skilled administrator (or attacker) can manipulate the logs to cover his tracks. As the monitored user can compromise the logs, this information source is inadequate for reliable monitoring of privileged users.
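
An added example (not from the original article, and not a description of how Shell Control Box works) of what tamper-evident audit data can look like: each record's HMAC also covers the previous record's tag, and the key and the latest tag are held by a collector outside the monitored host. The key, event fields and function names are assumptions made for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor used before the first record
# Constructed demo key; in practice it never exists on the monitored host.
KEY = b"constructed-demo-key-held-by-collector"
# Constructed sample events, not taken from any real system.
EVENTS = [
    {"user": "admin1", "host": "fw01", "action": "login"},
    {"user": "admin1", "host": "fw01", "action": "add rule permit any any"},
    {"user": "admin1", "host": "fw01", "action": "logout"},
]

def seal(key, prev_tag, event):
    """Tag an event with an HMAC that also covers the previous record's tag."""
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()
    return {"event": event, "tag": tag}

def build_trail(key, events):
    """Seal events in arrival order, as an off-host collector would."""
    trail, prev = [], GENESIS
    for event in events:
        record = seal(key, prev, event)
        trail.append(record)
        prev = record["tag"]
    return trail

def verify(key, trail, head_tag):
    """Return -1 if intact, else the index of the first failing record.
    A result equal to len(trail) means records were cut from the end."""
    prev = GENESIS
    for i, record in enumerate(trail):
        expected = seal(key, prev, record["event"])["tag"]
        if not hmac.compare_digest(expected, record["tag"]):
            return i
        prev = record["tag"]
    return -1 if hmac.compare_digest(prev, head_tag) else len(trail)

def demo():
    """Check an intact trail and three altered copies against the stored head."""
    trail = build_trail(KEY, EVENTS)
    head = trail[-1]["tag"]  # kept by the collector, not with the log
    edited = copy.deepcopy(trail)
    edited[1]["event"]["action"] = "show rules"  # content rewritten
    return {"intact": verify(KEY, trail, head),
            "edited": verify(KEY, edited, head),
            "dropped": verify(KEY, trail[:1] + trail[2:], head),
            "truncated": verify(KEY, trail[:2], head)}
```

The check only holds while the key and head tag stay out of reach of the monitored user; anyone who holds both can rebuild a consistent chain.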

Cyber threats: privileged accounts under attack
Privileged accounts have emerged as the primary target for cyber criminals and have been exploited to perpetrate some of the most devastating cyber-attacks and data breaches in recent years. Today, these cyber-attacks are so customized and sophisticated that they can easily bypass the traditional protection lines. APT (Advanced Persistent Threat) intruders prefer to leverage privileged accounts where possible, such as Domain Administrators, local Administrator accounts, service accounts, or privileged user accounts. For example, online attackers have recently penetrated the U.S. Department of Energy (DOE) network and obtained copies of personally identifiable information pertaining to several hundred of the agency’s employees and contractors.

The Solution

Like many new concepts, Privileged Activity Monitoring does not have a clear and perfect definition. Many vendors have introduced new terminology for this concept in an attempt to be first to define the market, with mixed results. They use different naming conventions but similar acronyms: PUM, PAM, PAAM, etc. ‘Privileged User Monitoring’, ‘Privileged Activity Monitoring’, ‘Privileged Account Activity Management’ and all the variants of these expressions can be found on Google. In fact, even major IT analyst firms do not have a generally accepted definition, which illustrates how new this concept is. Perhaps the most accurate description is that PAM tools aim to address the following requirements:

  1. Controlling the users’ access to privileged accounts (authenticating the users, restricting access based on time policies)
  2. Managing and controlling privileged sessions (for example, restricting administrative access to the servers)
  3. Monitoring use of shared and superuser accounts (for example, root or Administrator)
  4. Collecting audit information for forensics situations, compliance reports, and so on.

Best practices:

1. Adopt the least-privilege principle
Give a user account only those privileges which are essential to that user’s work.

2. Use “God mode” only in emergency
Generally, system administrators do not need unlimited access to the systems they manage. Lock up your superuser (root, admin, system, and so on) accounts and use them only if absolutely needed.

  1. SCB (Shell Control Box) is a PAM solution that helps to answer:
  • Control internal IT staff
  • Control third-party providers
  • Control multiple protocols
  • Control SSH, Telnet, RDP, HTTP/S, VNC or ICA connections
  • Sharing administrative passwords
  • Bypassing company policies
  • Hiding traces
  • Who did … on my server?
  • IT system troubleshooting and forensics
  • Monitoring and replay of user sessions
  • Control remote access in detail
  • Prevent malicious actions on servers in real time
  • Privileged user fraud
  • ISO 27001, Basel III, MiFID II (Markets in Financial Instruments Directive), SOX-EuroSox, PCI DSS
  2. Employing advanced technology:
  • Agentless, independent
  • Fast deployment
  • No changes to existing systems
  • 4-eyes authorization
  • Tamper-proof auditing data
Contact us now for more information about the product.

 
