- Mitigates the risk of inappropriate staff actions that increase the organization's exposure to data theft, breach or downtime.
- Reduces the cost of compliance by automating user monitoring that would otherwise be performed manually.
- Provides intelligence on how to refine processes and policies to improve the security posture.
- Adds expense and labor at a time when budgets are tight.
- Without sufficient governance, monitoring programs can produce privacy violations.
Any monitoring investment should be matched to the level of risk and to the risk tolerance of the organization. The organization should start by clarifying the objectives of the program. Next, a charter and governance plan are drawn up from those objectives. With these in place, the team initiates monitoring against one specific risk, so that the program can show an early success. From there the organization expands the program to the extent required to meet its objectives.
Active Directory monitoring is a common first monitoring initiative. It is also common to use Security Information and Event Management (SIEM) systems for user monitoring: the SIEM serves either as the primary tool, working from event logs alone, or as an additional analysis layer that correlates event logs with data from platform-specific monitoring technologies.
Once the user monitoring system is in place, it generates a wealth of data. How can an organization use this data to improve its security posture?
The greater intelligence provided by modern systems allows organizations to:
- Refine and tune policies and procedures
- Identify governance issues with defined roles
- Detect internal and external activity in order to identify and disrupt breaches
- Automate compliance reporting
- Avoid unplanned downtime due to administrative error