Why Continuous Monitoring is Critical for Enterprise Compliance and Security


Foreword

Recording the detailed actions of privileged users is more critical than ever in today's business environment, which is driving cost efficiencies through IT outsourcing, offshoring and augmenting IT staff with external personnel. Third parties such as cloud providers, service providers and ISVs also bring security and compliance issues that need to be addressed. Additionally, every significant compliance regulation requires organisations to document what users do with the privileges and rights granted to them. Conventional approaches, such as log files, cannot fully meet these compliance obligations. Log files are suitable for aggregating and correlating events and management data for alerting and reporting purposes. However, for capturing the specific actions that were taken on a specific system, at a specific time, by a particular user, there is no replacement for high-reliability capture of individual user activity. By capturing all privileged user activity (screen actions, events and metadata), a complete picture of intentions and impacts can be assembled. Organisations need to ensure that every privileged user can be monitored and inspected across their dispersed infrastructure, creating a high level of visibility on UNIX, Linux and Windows systems, whether in the on-premise data centre or in cloud infrastructure. Furthermore, the auditing approach should scale up to meet the organisation's growing needs without interruption and with minimal administrative resources. The solution should be realised with a verified architectural approach that is fault tolerant, reliable and highly scalable across a vast number of systems and users.

INTRODUCTION

Organisations are facing escalating complexity in every aspect of their IT operations, including the data centre, IAM infrastructure, cross-platform systems and staffing. Setting up and maintaining a security and compliance presence, in what is often a disparate and continually changing environment, is frequently cited as the top concern of IT leaders who are responsible for addressing risks and defending the information assets of their companies. Moreover, companies of all sizes are cutting costs through outsourcing, off-shoring and short-term personnel, and progressively depend on cloud service providers and ISVs to manage crucial parts of their information systems. How do assiduous IT leaders create accountability, inspect this multifaceted environment and protect against the unintended and destructive actions of privileged users that may lead to a system failure or data breach?

In this article, I provide guidance on choosing solutions that solve the security, compliance and third-party access challenges organisations face when auditing and monitoring UNIX, Linux and Windows systems, and explain why traditional approaches, such as log rollup tools, alone cannot meet the requirements of today's demanding IT settings. There is a compelling case for organisations to implement solutions that capture high-fidelity video and the associated events and metadata, which give organisations the missing user-centric context they require to prove compliance, secure against internal threats and monitor third-party access by a variety of privileged users.

Traditional Approaches Alone Have Failed to Tackle Requirements

Log files produced by systems and applications present an incomplete picture because they contain vast amounts of insignificant event and management data and are often not precise enough to determine which user carried out the specific actions on a system that resulted in a crash or compromise. Besides, interpreting log files is time-consuming and requires specialised skills held by only a small subset of people in the organisation. Log information is helpful for early warning and notification of likely issues, but logged activities are not tied to the actions of a particular user, so troubleshooting and root-cause analysis cannot provide the accountability that security best practices and compliance regulations demand.

An additional mission-critical factor organisations must consider is lack of visibility, because some applications have little or no internal auditing. This is often the case with bespoke software, where auditing capabilities may not be the top priority and developers may not know the organisation's audit needs, the level of detail required, or the importance of protecting access to the log information itself. Additionally, many highly customised enterprise applications may not be logging critical events at all.

To increase visibility and gain a clearer understanding of the intents, actions and results of privileged user activity on systems, higher-level alerts should point to more detailed data on the actions, events and commands that the user performed on the system leading up to the alert being triggered and captured. This metadata can only be collected by capturing the critical user-centric data (events and screen video); it cannot be reconstructed from the log data generated by systems and applications.

This new, user-centric approach to auditing privileged systems can address the security, compliance and third-party challenges organisations face.

User Activity Auditing Can Address Critical Compliance Challenges


Compliance Demands

The numerous compliance regulations create ongoing difficulties for businesses in every industry, and many businesses must meet multiple requirements for internal controls (SOX), payment card security (PCI-DSS) and other industry-specific mandates. Common to every major compliance regulation and industry mandate are requirements to ensure that users authenticate with a unique identity, that privileges are limited to only those needed to perform job functions, and that user activity is audited in enough detail to determine what events occurred, who performed them and what the outcome was.

Table 1-1 Sample of major user activity auditing compliance requirements

Compliance Rule / Description

Sarbanes-Oxley Section 404 (2): …contain an assessment… of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

PCI DSS 10.2.1-2: 10.2 Implement automated audit trails to reconstruct the [user activity], for all system components.
  1. Verify all individual access to cardholder data.
  2. Verify actions taken by any individual with root or administrative privileges.

NIST SP 800-53 (AU-14): The information system provides the capability to:
  a. Capture/record and log all content related to a user session; and
  b. Remotely view all content related to an established user session in real time.

NERC CIP-005-1 R3 (Monitoring Electronic Access): Implement and document an electronic or manual process(es) for monitoring and logging access.

Compliance requirements often refer to "logging" or "recording" when describing a specific audit control. Adequately addressing the rule and satisfying auditors often requires organisations to provide more information than application and system log files can supply, which creates an audit gap. Privileged user activity auditing provides the detailed metadata and visual record of actions that meet the strictest interpretation of the regulation.

The absence of sufficient and comprehensive user activity auditing can result in higher costs through slower compliance reporting, increased staff time and, ultimately, fines for non-compliance. Users are tracked through system logs when they sign in and sign out, but those logs fail to capture their activity in sufficient detail to address compliance requirements.

Lessening Insider Compromises


A crucial worry for information security managers remains the risk of an insider compromise that leads to a data breach or system outage. Several factors have led to an increase in insider incidents, including the sharing of account credentials, privileged users holding too many credentials across systems, and the assignment of privileges that are too broad for the job responsibilities of the user. Because many organisations have privileged users who are geographically dispersed, organisations must be able to see the activities of both local and remote administrators and users.

User activity auditing can create the accountability required for security and compliance including:

  • Capture and search historical user activity so that suspicious actions can be examined to determine whether an attack is occurring, before the damage is done.
  • Alter privileged user behaviour through deterrence, ensuring that trustworthy employees do not take shortcuts and disgruntled employees know that any malicious actions are recorded.
  • Create a clear, explicit record as evidence in legal proceedings and dispute resolution.

Moreover, insider threats are not going away anytime soon, according to the CA Technologies 2018 Insider Threat Report:

  • 90% of organizations feel vulnerable to insider attacks. Of the respondents, 37% said the main enabling risk factor is too many users with excessive access privileges, 36% cited devices with access to sensitive data, and 35% cited the increasing complexity of information technology.
  • 53% confirmed insider attacks against their organization in the previous 12 months (typically fewer than five attacks). 27% of organizations surveyed for the report say insider attacks have become more frequent.
  • 64% of organizations are shifting their focus to detection of insider threats, followed by deterrence (58%) and analysis and post-breach forensics (48%). The use of user behaviour monitoring is accelerating: 94% of organizations deploy some method of monitoring users and 93% monitor access to sensitive data.
  • The most popular technologies to deter insider threats are Data Loss Prevention (DLP), encryption, and identity and access management solutions. To better detect active insider threats, companies deploy Intrusion Detection and Prevention (IDS/IPS), log management and SIEM platforms.
  • 86% of respondent organizations already have or are building an insider threat program. 36% have a formal program in place to respond to insider attacks, while 50% are focused on developing their program.

Intermediary Access Review and Awareness Education


Today's business environment is driving enterprises to find cost efficiencies at every level of their operations. Outsourcing, off-shoring and cloud computing give organisations the agility, flexibility and cost control they require to remain competitive, but organisations are still responsible for the security and compliance of their IT systems. This is made more explicit in newly revised compliance requirements that specifically call out the enterprise's responsibility when contracting Independent Software Vendors, Service Providers and outsourcing firms.

Third-party user access creates even more impetus for thorough user activity monitoring. In addition to the insider attacks and compliance demands already mentioned, third-party access increases the pressure to quickly troubleshoot ailing systems, automatically document critical processes and create training procedures for personnel hand-offs, which occur more frequently with contractors and service providers.

Critical Requirements for User Activity Auditing

For enterprises to take full advantage of the benefits that user activity auditing can provide, they should consider the requirements that are vital to the smooth and efficient capture and collection of user activity, and to thorough search with full replay of user sessions. Also, any solution for privileged user auditing should fit into the enterprise environment, integrating with existing infrastructure and ensuring that audit data is secure and can only be replayed by auditors, security managers and other authorised staff. Below is a list of requirements organisations should consider when deploying a user activity auditing solution.

Capture and Collection Requirements

  • Capture of both remotely and locally initiated user sessions across Windows, UNIX and Linux systems.
  • Ability to scale from a single deployment to the growing demands of auditing user sessions on thousands of cross-platform systems.
  • Support for selectively capturing sessions based on Active Directory users and groups.
  • High-fidelity capture of session video with detailed capture of events and metadata.
  • Encryption and compression of all audit data in transit and at rest.

Search and Replay Requirements

  • Easy-to-use interface supporting granular queries across multiple user sessions and systems.
  • Support for ad-hoc, distributed searches for commands, applications and text, independent of operating system.
  • Intuitive and fast session navigation, preview and replay.

Enterprise Ready and Integrated Requirements

  • Automated discovery and re-configuration of audit system components for reliability and fault-tolerance with minimal administrative personnel involvement.
  • Ensure only trusted components can participate in the auditing system.
  • Built-in integration support for existing SIEM, event and monitoring tools.

Security Management Requirements

  • Role-based control of user session replay, so that only authorised users can access audit data and replay sessions.
  • Delegated administration and management of all auditing system components.
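To make the requirements above concrete, here is a small added example (my own illustration, not code from any product the article discusses) that models the core of a user-centric audit store: sealed, compressed session records, an OS-independent command search, the alert-to-preceding-actions linkage described earlier in the article, and a role-based replay gate. The key, role names and sample sessions are all constructed for the example; it uses an HMAC for tamper evidence and leaves the encryption at rest the article asks for to the deployment's key management.

```python
import hashlib
import hmac
import json
import zlib
from dataclasses import dataclass, field

# Constructed placeholder key; a real deployment would hold this in a KMS or HSM.
AUDIT_KEY = b"constructed-demo-key"
REPLAY_ROLES = {"auditor", "security_manager"}  # roles allowed to replay sessions (assumed names)

@dataclass
class Session:
    """One captured privileged session: who, where, which OS, and the timed commands."""
    user: str
    host: str
    os: str
    events: list = field(default_factory=list)  # [[timestamp, command], ...]

def seal(session: Session) -> bytes:
    """Compress the session record and prepend an HMAC so stored audit data is tamper-evident."""
    body = zlib.compress(json.dumps(session.__dict__, sort_keys=True).encode())
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).digest() + body

def integrity_ok(blob: bytes) -> bool:
    """True only if the stored record still matches its HMAC (SHA-256 tag is 32 bytes)."""
    tag, body = blob[:32], blob[32:]
    return hmac.compare_digest(tag, hmac.new(AUDIT_KEY, body, hashlib.sha256).digest())

def unseal(blob: bytes) -> Session:
    """Reject any record that fails the integrity check before it can be replayed."""
    if not integrity_ok(blob):
        raise ValueError("audit record failed integrity check")
    return Session(**json.loads(zlib.decompress(blob[32:])))

def search(sessions, text):
    """Case-insensitive command search across all sessions, independent of OS."""
    return [(s.user, s.host, s.os, ts, cmd) for s in sessions
            for ts, cmd in s.events if text.lower() in cmd.lower()]

def commands_before_alert(sessions, host, alert_ts, window):
    """Tie a higher-level alert back to the user commands on that host in the preceding window."""
    return [(s.user, ts, cmd) for s in sessions if s.host == host
            for ts, cmd in s.events if alert_ts - window <= ts <= alert_ts]

def can_replay(roles) -> bool:
    """Role-based gate on session replay."""
    return not REPLAY_ROLES.isdisjoint(roles)

# Constructed sample sessions (not real data): a Linux admin and a Windows admin.
SESSIONS = [
    Session("alice", "db01", "linux", [[100, "sudo journalctl -u postgresql"],
                                        [160, "sudo systemctl stop postgresql"]]),
    Session("bob", "win-app02", "windows", [[120, "Stop-Service -Name Spooler"]]),
]
```

Searching for "stop" returns both the Linux and the Windows command, and a "database unavailable" alert on db01 at time 180 resolves, within a 30-second window, to alice's stop command at 160.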

In Conclusion

Ultimately, information security leaders and their companies need to answer the following strategic questions when it comes to privileged access security:

  • What should we do and when? (You can't do it all at once!)
  • What is the best mix of controls? (Prevent and detect)
  • How much is enough? (Find the balance between "adequately secure" and "overly restrictive.")


Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and a technical perspective. His current interests are business-driven security architectures, identity and access, the cloud, virtualisation security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.