The problem of suspicious user activity identification is still a hot topic, widely discussed by IT community. The recent Verizon Data Breach Investigations Report gives food for thought, revealing that 88 per cent of insider misuse incidents are the result of privilege abuse.
The report sets a task for businesses of all sizes to establish user activity monitoring as a mandatory measure that ensures integrity of sensitive business data. However, the ethical aspect of continuous monitoring arises – where does the adequate level of tracking a person’s activity end and where does ‘paranoid’ shadowing begin?
During the recent Gartner Security and Risk Management summit in London, analyst Andrew Walls raised the question of the borderline between surveillance and monitoring. He stated that the problem hides behind the intentions, stressing that focus on monitoring a person, unlike tracking system changes, is a case of surveillance.
Indeed, suspicious activity should attract attention and lead to careful investigation. Let’s imagine a situation when someone starts random browsing through files on a file server using an account of an employee who has recently left the company. Isn’t it a reason for concern? The goal here is to detect increased activity of the account that is considered to be inactive and take necessary measures to investigate this behavior and prevent possible information leak. User activity monitoring can help and that’s why it should be a part of security policy.
On the other hand, when it comes to privileged users, it is always recommended to use advanced solutions for monitoring these accounts, as they often represent a weak link in maintaining a secure environment.
Once a hacker gets access to a system under an administrator account, consider that a breach has already happened. What plays a vital role is the time factor – IT departments should be the first to know about the malicious activity and be able to prevent security violations at early stages. The right solution here is establishing mechanisms of continuous change auditing that should become an integral and ongoing part of your security strategy.
To enable easier and faster investigation of a security incident, you need real-time alerts, state-in-time reports on system configuration and detailed reports on critical changes, providing information about who changed what, when and where across the entire IT infrastructure.
Unfortunately, security breaches will exist as long there is valuable data worth hunting for; thus the only goal is to minimise the risk of data compromise and to ensure that no data leak is overlooked, even if it means having continuous monitoring of user activity.
An important thing to remember is that minimising the consequences of security breaches is mostly up to competent security policy. It should be working not only on paper, but performing properly, helping to get relevant and on-time information on the state of IT infrastructure.
By Michael Fimin, CEO and co-founder of Netwrix
