Modern user activity monitoring solutions must allow organizations to quickly identify actionable information from vast amounts of collected data based on associated risk, identity context, time of day and defined policies. These solutions should be able to provide near real-time identification of these nuggets of information while also supporting detailed analysis of historical activity. In both cases, real-time and historical, the solution must answer: Who did What, When and Where?

In the age of privacy nightmares, many employees are wondering why their organizations needs user activity monitoring in the first place.

Many organizations wonder why you need to monitor users when you have controlled what they have access to do. The answer is that privileges always allow room for abuse and very few systems provide granular enough control to come close to solving this issue.

User activity monitoring can address the abuse of privileged access. Any monitoring initiative must start with clear objectives and a charter that has been approved by executive management with the approval of the legal team. The charter must be specific and take into account the governing law in every related jurisdiction. The initiative must also include supervision of the team that will perform the monitoring. Without this level of governance, it is far too easy for even well intentioned programs to violate legal and ethical standards.


Pros:

• Mitigates the risk of inappropriate staff actions that can increase corporate risk to data theft, breach or downtime
• Reduces the cost of compliance by automating user monitoring (if not performed manually)
• Provides intelligence on how to refine processes and policies to improve security postures.

Cons:

• Added expense and labor at a time when budgets are tight
• Without sufficient governance, monitoring programs could produce privacy violations.

With SMBs, user monitoring is not a huge challenge, but with large enterprises it can become a daunting task to implement and manage. What advice would you give to those that still don’t use it and are wondering how to do it in the first place?

Any monitoring investments should be matched to the level of risk and the risk tolerance of the organization. The organization should start by clarifying the objectives of the program. Next, a charter and governance plan would be provided based on those objectives. With this in place the team would initiate monitoring to address a specific risk, allowing for initial success. From there the organization would expand the program to the extent required to meet the organizational objectives.

Active Directory monitoring is a common initial monitoring initiative. It is also common to leverage Security Information Event Management (SIEM) systems for user monitoring. SIEM is either used as the primary tool leveraging event logs or to provide additional analysis across both event logs and information from platform specific monitoring technologies.