September 28, 2022,
Privileged users are an essential part of any organization. However, with access to commercial secrets and to the most vulnerable parts of the corporate network, they can pose high risks to your corporate cybersecurity. For this reason, the more privileges users have, the closer they need to be monitored.
Furthermore, privileged user monitoring (PUM) is a requirement of multiple laws, regulations, and data security standards including PCI DSS, SOX, NIST SP 800 171, NIST 800-53, GDPR and HIPAA. In this post, we describe the top 10 PUM best practices for improving the protection of your critical assets, and mitigating cybersecurity risks.
Reasons for monitoring privileged users
Every organization has two main groups of users: privileged users and regular users. The access rights and permissions of privileged user accounts exceed those of other users.
While the activity of both regular and privileged users needs to be monitored, the reasons for watching each group differ. Regular users, i.e. most staff, are usually monitored to:
- Analyze employee performance
- Improve employee productivity
- Protect sensitive data and critical systems
- Mitigate insider and outsider threats
- Meet compliance requirements
On the other hand, as privileged users have access to sensitive data and systems, they’re often monitored to:
- Check who can access what
- See what changes are made in the system
- Protect sensitive data and critical systems
- Mitigate insider and outsider threats
- Meet compliance requirements
Whereas regular users are often monitored to evaluate their performance, privileged users are watched closely to make sure they don’t misuse their privileges. Now you may ask, “How do I monitor privileged accounts effectively?” Let’s consider the following top 10 best practices for PUM.
The Top 10 Best Practices for Privileged User Monitoring
Even one small action can make a difference.
Today’s user activity monitoring solutions and approaches are quite flexible, allowing you to focus on what matters most. But there’s always room for improvement. We’ve prepared a list of the top 10 best practices for PUM that can help make your cybersecurity procedures more effective and productive.
1. Forget about partial monitoring
User activity monitoring is resource-intensive. You need to collect large amounts of all kinds of data, transfer it from monitored endpoints to a server or cloud, and store it. And the more users you need to watch over, the more resources you use. For this reason, many organizations choose partial monitoring, to only keep an eye on specific types of data, systems, events, and activities.
However, halfway measures are a poor choice when it comes to privileged users. As these users may have permanent and near-unlimited access to the most important parts of your corporate network, you need to closely watch every action they take.
When given a choice, go for a solution that records data in light formats, including for screenshots or video recordings. Being able to search such records is also a big plus.
2. Say no to unlimited privileges
Maintaining a sufficient level of privileged user monitoring can be resource-intensive. Put another way, the fewer privileged users that are in your organization, and the fewer privileges they possess, the easier it is to monitor them appropriately.
Cyber attackers often target privileged users, as these types of accounts hold the keys to valuable information. Also, with unlimited privileges, malicious insiders might change system logs to conceal their crimes. Therefore, consider giving limited privileges only to a narrow circle of employees and only for a limited period of time, while keeping a close eye on each and every one of them.
There are several approaches you can implement: the principle of least privilege, a zero trust architecture, just-in-time PAM, and so on. The key is to make sure that even for privileged users, access permissions aren’t unlimited or permanent.
3. Get rid of shadow admins
Privileged users are often able to assign the same (or lower) levels of privileges that they themselves have, to other users. However, assigning privileges in this way is not always properly monitored and managed. Accounts that have the same access permissions as admins but aren’t included in monitored admin groups (e.g. domain admins) are usually called shadow admins.
Poorly monitored and managed accounts with admin access rights pose a significant threat. The 2021 IBM Security X-Force Insider Threat Report shows that 80% of security incidents caused by insiders were directly or indirectly related to accounts having elevated privileges. For this reason, ensuring full visibility over all privileged accounts is essential for ensuring an organization’s cybersecurity.
It’s crucial not only to pay attention to the activity of privileged accounts, but also to their creation and deletion. Look for solutions that can analyze all network accounts and discover those with admin-level permissions. Once you’ve found all privileged accounts, make sure you delete the unused ones, and configure the rest in a way that makes delegating a user’s privileges or creating new shadow admins impossible.
4. Track the usage of USB devices
A malicious insider may use a USB drive as a tool for leaking and compromising sensitive data, stealing your company’s intellectual property, or carrying out a pre-programmed attack strategy. To ensure the utmost protection of your organization’s data files, it is vital to monitor all the USB devices plugged into your network.
You may want to consider deploying USB device monitoring tools to allow you to get alerts each time a suspicious USB device is plugged in, approve or prohibit certain types of USB devices, and continuously monitor all USB devices connected.
5. Pay close attention to shared privileged accounts
Some companies use shared privileged accounts to simplify their administration workflow, thereby inadvertently introducing cybersecurity risks into their IT infrastructures.
Despite being convenient, shared accounts hinder the process of user activity monitoring and auditing, as it’s hard to differentiate the actions of one user from another without using specific tools.
Leveraging secondary user authentication as an additional security measure can help you clearly distinguish between all users of a shared account, while monitoring and effectively auditing their activity.
6. Watch for unapproved remote logins
Upwork reported that 37% of the U.S. labor market worked entirely remotely, and that 21% of employees used a hybrid work model, in 2022. The more remote workers in your company, the more related security concerns may arise.
Organizations provide different groups of users with remote access to their data: regular employees, part-time workers, and subcontractors. And if these users have access to any kind of sensitive information in your network, they must be closely monitored.
For privileged users, you should also monitor and record remote desktop protocol (RDP) sessions in the same way as local sessions. Also, consider setting strict rules, specifying which systems and data remote logins are allowed for, and creating whitelists of IP or MAC addresses.
7. Prevent logs and records from being modified
Depending on the level of their permissions, privileged users might be able to alter or delete various logs and records. At the network level, this concern can be addressed by providing unrestricted access to system logs only to a specific role or to a strictly limited group of users.
But when it comes to choosing a user activity monitoring solution, it’s important to pick one in which modifying logs or reports is prevented by default. Only then can you be sure that records haven’t been tampered with.
8. Watch for anomalies
When a wolf hides in a sheep’s clothing, it still acts like a wolf! The behavior of a legitimate user differs significantly from the behavior of an outside attacker or malicious insider. Common examples of user behavior anomalies include:
- Logging in or out of the system at unusual hours
- Attempting to access previously-unused or restricted systems
- Using suspicious software
- Connecting suspicious removable devices
- Uploading large volumes of data to unknown destinations
User and entity behavior analytics (UEBA) is a technology used for detecting abnormal behavior by network users. It builds a baseline behavior profile for every user or entity in the system. Then, based on these profiles, it analyzes user and entity activity and distinguishes normal (safe) activity from abnormal (potentially suspicious) activity.
Consider implementing such a technology to catch any anomalies in the activities of your privileged users.
9. Conduct regular cybersecurity training
Organizing security awareness training is critical for effective privileged user monitoring. Users without proper cybersecurity knowledge may not understand the necessity to monitor them, and can even try to trick or sabotage the security tools and policies implemented.
Raising privileged users’ cybersecurity awareness can make them more mindful of the privileges given to them, and increase their willingness to adhere to the cybersecurity procedures established in your company.
Also, when aware of how to identify cybersecurity threats, your employees are more likely to notice suspicious activity and alert you to it.
10. Never take a break
Last, but not least, privileged user monitoring should never be treated as a one-time event. When carried out only periodically, user activity monitoring cannot ensure full visibility of a user’s actions or properly protect critical data.
PUM is a continuous process, and should constantly be improved. Make sure you revise your privileged user monitoring and management procedures and enhance them with PUM best practices and cutting-edge technology solutions.
Monitor privileged users with Ekran System
Ekran System is the ultimate insider risk management platform that allows monitoring of all types of users and managing access to critical systems, applications, and data. It enables all the best practices for PUM that we described above to be implemented in an easy-to-use and comprehensive manner, and provides a rich set of features for insider threat management, including:
- Continuous monitoring of all servers (including jump servers), endpoints, and remote workstations
- Context-rich recording of local, terminal, SSH, and RDP sessions, in searchable video and audio formats
- Monitoring and management of USB devices connected, including flash drives and USB modems
- Gathering additional data such as names of applications run, files opened, URLs visited, and keystrokes entered, while exercising control over privileges and elevated access to critical data assets for employees, third-party vendors, and contractors
- Responding to cybersecurity incidents with custom alerts, real-time notifications, blocking of suspicious users, and termination of processes
- Creating detailed reports and exporting them for forensic investigation
All these capabilities are essential for keeping an eye on your privileged accounts and the assets that they have access to. Ekran System’s functionality can also help your organization comply with SOX, HIPAA, PCI, and other requirements for privileged user monitoring.
Privileged users play an essential part in an organization’s lifecycle. People assigned elevated access rights work with sensitive data, critical systems, and valuable assets. They therefore need to be comprehensively monitored.
Ekran System is an insider threat management platform that can assist you in monitoring and managing the privileged users and accounts, regular users, and third-party vendors in your organization.