EBOOK
The Hidden Gap in Web Application Security: User Sessions
Table of Contents
Overview: Exploring Risks in App Sessions
The Benefits of Greater Visibility
User Actions: Low Visibility, High Risk
Top Concern: Unauthorized Access to High-value Apps
After the Fact: Incident Investigation in the Dark
Conclusion
Overview: Exploring Risks in App Sessions
Today’s organizations are powered by hundreds of web applications that enable their end users to drive success for major initiatives.
With every new initiative, the number of apps needed by users increases, resulting in a broader scope of identities gaining access to valuable resources and systems.
Today, 63% of organizations give their typical end user access to between five and 10 (or more) applications that are deemed high-value, according to a new global survey of 900 security decision makers and leaders.[1] These high-value apps contain sensitive resources such as financial data, customer information and intellectual property.
[1] Commissioned by CyberArk, this research is based on a Censuswide survey of 900 security decision makers and leaders at medium to enterprise-sized organizations in the United States, United Kingdom, France, Germany, Australia and Singapore.
However, with access comes risk: 80% have experienced end users misusing or abusing access to these applications in the past year. This trend comes at a time when 97% of security leaders say credential theft attempts are on the rise, with end-user credentials making up the most widely reported increase.[2]
When potential security issues emerge, security teams typically comb through user logs to discover what happened. But nearly half (48%) of organizations surveyed have limited ability to view these logs and audit user activity. This keeps them in the dark about potentially risky actions taken in web application sessions.
This eBook presents findings that will help you evaluate how well — and how comprehensively — you are protecting your users’ sessions in applications that contain sensitive resources, in comparison with your peers. It also provides insights that you can implement immediately to improve your security posture.
[2] CyberArk. “The CISO View 2021 Survey: Zero Trust and Privileged Access.” 2021.
The Benefits of Greater Visibility
With more insight into users’ actions within sensitive business applications, security decision makers believe they’d gain a wide range of benefits. For example, 41% say it would enable them to identify the source of a security incident more quickly.
Benefits of Better Visibility into User Activity in Sensitive Business Applications:
• 42% — Demonstrate monitoring capabilities to auditors and customers
• 41% — Identify the source of a security incident more quickly
• 38% — More comprehensive reporting to auditors
• 38% — Timely incident response
• 36% — Meeting compliance requirements
• 35% — More efficient use of IT resources
User Actions: Low Visibility, High Risk
The research shows that most security decision makers have limited resources, visibility and control over how confidential data is being handled, or what is being done, during users’ sessions within apps.
• Nearly 40% of respondents can monitor and audit fewer than 50% of their organizations’ apps containing high-value data.
• Nearly half of organizations (48%) have only limited or no ability to view user logs and audit user activity.
These organizations are at risk from both outsider and insider threats.
Undetected, external bad actors who’ve breached organizations can take control of a user’s legitimate access rights to plant sophisticated threats that can dwell undetected in systems, continuing to extract data and IP or bringing systems down. Insiders with malicious intentions can pose these threats as well.
Meanwhile, organizations can also suffer significant damage from an employee’s honest mistake or risky behavior.
For example, an employee could easily walk away from a workstation or device leaving sensitive applications open, inadvertently exposing sensitive information to a bad actor. The consequences? Data loss, fraud or abuse, to name a few. And many organizations lack the capabilities to prevent such a scenario:
• They cannot continuously verify that the person who initiated a web app session is the same one currently using it.
• Once an end user is authenticated and logs in to an application, their actions are typically restricted only by their roles within that app.
• Most organizations have no means to forcibly reauthenticate an end user once they’ve logged in to an application to mitigate these risks.
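The three gaps in the list above (a session that is not bound to the person who started it, authorization that stops at the app's roles, and no way to force re-authentication) map onto a small set of server-side controls. The following is an added example and not code from the eBook or from CyberArk: an in-memory session store in Python with an idle timeout, a keyed client binding, step-up authentication for a hypothetical set of sensitive actions, and an administrative force-reauthentication switch. The action names, timeout values and the choice of client attributes are assumptions for illustration.

```python
"""Session controls for the gaps listed above (added example, not the
eBook's or CyberArk's code). Assumptions: single-process in-memory store,
injectable clock, hypothetical action names and timeout values."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session is dropped (assumed value)
REAUTH_WINDOW = 5 * 60   # sensitive actions need an authentication this recent (assumed value)
SENSITIVE_ACTIONS = {"payroll.update", "export.customers"}   # hypothetical action names


@dataclass
class Session:
    user: str
    binding: str          # keyed hash of client attributes captured at login
    last_seen: float
    last_auth: float
    reauth_required: bool = False


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        self._key = secrets.token_bytes(32)      # per-process key for the binding hash
        self._sessions: Dict[str, Session] = {}

    def _bind(self, client_ip: str, user_agent: str) -> str:
        # Keyed so a leaked session table does not expose raw client attributes.
        msg = f"{client_ip}|{user_agent}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def login(self, user: str, client_ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, self._bind(client_ip, user_agent), now, now)
        return sid

    def force_reauth(self, user: str) -> int:
        """Admin/IR control: every live session of `user` must re-authenticate
        before its next action. Returns the number of sessions flagged."""
        flagged = 0
        for s in self._sessions.values():
            if s.user == user:
                s.reauth_required = True
                flagged += 1
        return flagged

    def reauthenticate(self, sid: str, credential_ok: bool) -> bool:
        s = self._sessions.get(sid)
        if s is None or not credential_ok:
            return False
        s.last_auth = self._clock()
        s.reauth_required = False
        return True

    def authorize(self, sid: str, action: str, client_ip: str, user_agent: str,
                  role_allows: bool) -> Tuple[bool, str]:
        """Per-request check: role permission is necessary but never sufficient."""
        s = self._sessions.get(sid)
        if s is None:
            return False, "no such session"
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return False, "idle timeout; log in again"
        if not hmac.compare_digest(s.binding, self._bind(client_ip, user_agent)):
            del self._sessions[sid]              # a different client presented the cookie
            return False, "client binding changed; session revoked"
        if s.reauth_required:
            return False, "reauthentication required"
        if not role_allows:
            return False, "role does not permit action"
        if action in SENSITIVE_ACTIONS and now - s.last_auth > REAUTH_WINDOW:
            return False, "step-up: fresh authentication required"
        s.last_seen = now
        return True, "allowed"


class ManualClock:
    """Deterministic clock so the demo is reproducible."""
    def __init__(self, start: float = 1000.0):
        self.t = start
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo():
    """Walks the scenario from the bullets above; returns the decision reasons in order."""
    clk = ManualClock()
    store = SessionStore(clock=clk)
    ip, ua = "10.0.0.5", "Mozilla/5.0"
    sid = store.login("alice", ip, ua)
    out = [store.authorize(sid, "report.view", ip, ua, True)[1]]          # allowed
    clk.advance(6 * 60)                                                    # past REAUTH_WINDOW, inside IDLE_TIMEOUT
    out.append(store.authorize(sid, "payroll.update", ip, ua, True)[1])    # role ok, but step-up needed
    store.reauthenticate(sid, credential_ok=True)
    out.append(store.authorize(sid, "payroll.update", ip, ua, True)[1])    # allowed
    store.force_reauth("alice")                                            # SOC revokes trust mid-session
    out.append(store.authorize(sid, "report.view", ip, ua, True)[1])       # reauthentication required
    store.reauthenticate(sid, credential_ok=True)
    out.append(store.authorize(sid, "report.view", "203.0.113.9", ua, True)[1])  # other client: revoked
    out.append(store.authorize(sid, "report.view", ip, ua, True)[1])       # no such session
    return out
```

Binding on source IP and User-Agent is a coarse check: mobile users change addresses and corporate proxies share them, so production systems usually bind to a stronger signal (a device or TLS-level attribute) and treat an address change as a trigger for step-up rather than immediate revocation. What the demo is meant to show is the ordering of checks: idle timeout and binding are evaluated before the role, and the role before the freshness requirement, so a role grant on its own never authorizes a sensitive action.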
Top Concern: Unauthorized Access to High-value Apps
Respondents were asked to name the top three categories of high-value applications they were most concerned about protecting against unauthorized access. Receiving the highest number of votes:
1. IT service management apps such as ServiceNow
2. Cloud consoles such as Amazon Web Services, Azure and Google Cloud Platform
3. Marketing and sales enablement applications such as Salesforce
No single category received a significantly higher or lower number of votes than another, indicating that unauthorized access to applications was a universal concern. Other categories highlighted include apps for financial services, human resources, productivity, social media and virtual collaboration.
Inability to Enforce Consistent Security Controls Across Every App
How much help do organizations get from security capabilities built into the applications themselves? The fact is that most web apps and SaaS solutions provide only basic audit trails that give security and compliance professionals limited visibility into how end users are actually using web apps and handling confidential data. For now, the onus for protecting against unauthorized access to high-value apps falls on security teams themselves.
Q10. Does your organization have a process for enforcing the same level of security controls over all types of business applications in your environment? Respondents chose among:
• No, we do not need universal auditing and logging. The capabilities provided by the applications themselves are enough.
• Yes, we need to enable the same security controls across all applications to simplify incident investigation.
• Yes, we need to enable the same security controls across all applications since some apps have built-in advanced auditing features, and some have none.
N=900. Source: Censuswide survey commissioned by CyberArk.
After the Fact: Incident Investigation in the Dark
Making a fast, informed determination between an honest mistake and risky behavior is easier said than done. Investigating user activity takes a trifecta of time, resources and tools — things security and compliance teams don’t always have.
42% of respondents say they need universal auditing and logging capabilities across all applications to simplify incident investigation.
The reason: for many security teams, investigating user activity requires:
• Complex app customizations
• Complicated integrations with third-party tools
• Manual log reviews
Imagine if someone in the finance department with elevated access rights were to make a mistake when using a payroll system that led to unauthorized payroll changes. In this scenario, a security team would have to sift through thousands of lines of logs and recreate every step the user took to understand what happened. That’s time that security teams can no longer spend on other priorities, from improving incident response to enforcing consistent controls across apps to prevent credential theft.
This can present a serious problem for the 54% of respondents who say they investigate user activity linked to security incidents or compliance issues at least weekly.
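The payroll scenario above is, mechanically, a log-reconstruction problem: narrow a large audit trail to one actor, one session or one kind of action, then lay the surviving events out in order with their before and after values. As an added example that is not from the eBook or from CyberArk, the Python below does this over a small JSON-lines audit log constructed for illustration; the record fields (ts, user, session, action, target, field, old, new) are assumptions about an application's audit format, not any specific product's schema.

```python
"""Rebuilding a user's steps from an application audit trail (added example,
not the eBook's or CyberArk's code). Sample events and field names are
constructed assumptions about an app's audit format."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample: one finance user's payroll session plus one unrelated event.
SAMPLE_AUDIT_LOG = """\
{"ts": "2022-01-14T09:02:11Z", "user": "jdoe", "session": "s-7f2a", "action": "session.login", "src_ip": "10.20.1.7"}
{"ts": "2022-01-14T09:03:40Z", "user": "jdoe", "session": "s-7f2a", "action": "payroll.view", "target": "emp-1042"}
{"ts": "2022-01-14T09:05:02Z", "user": "jdoe", "session": "s-7f2a", "action": "payroll.update", "target": "emp-1042", "field": "salary", "old": "82000", "new": "92000"}
{"ts": "2022-01-14T09:05:30Z", "user": "mlee", "session": "s-11c0", "action": "payroll.view", "target": "emp-2210"}
{"ts": "2022-01-14T09:06:15Z", "user": "jdoe", "session": "s-7f2a", "action": "payroll.update", "target": "emp-1042", "field": "bank_account", "old": "****4411", "new": "****9087"}
{"ts": "2022-01-14T09:07:01Z", "user": "jdoe", "session": "s-7f2a", "action": "session.logout"}
"""


def parse_ts(ts: str) -> datetime:
    # strptime rather than fromisoformat: a trailing 'Z' is only accepted from Python 3.11 on.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines, reject malformed records loudly, and sort by time."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {n}: malformed audit record") from exc
        ev["_ts"] = parse_ts(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])   # shipped logs are not always in order


def search(events: List[dict], user=None, action_prefix=None, start=None, end=None) -> List[dict]:
    """Filter by actor, action type (prefix, e.g. 'payroll.') and an inclusive time window."""
    out = []
    for ev in events:
        if user is not None and ev.get("user") != user:
            continue
        if action_prefix is not None and not ev.get("action", "").startswith(action_prefix):
            continue
        if start is not None and ev["_ts"] < start:
            continue
        if end is not None and ev["_ts"] > end:
            continue
        out.append(ev)
    return out


def session_steps(events: List[dict], session_id: str) -> List[str]:
    """One line per action in a session: the 'recreate every step the user took' view."""
    steps = []
    for ev in events:
        if ev.get("session") != session_id:
            continue
        detail = ev.get("target", ev.get("src_ip", ""))
        if ev.get("action", "").endswith(".update"):
            detail += f" {ev['field']}: {ev['old']} -> {ev['new']}"
        steps.append(f"{ev['_ts']:%H:%M:%S} {ev['action']} {detail}".rstrip())
    return steps


def field_changes(events: List[dict], target: str) -> Dict[str, Tuple[str, str]]:
    """Net before/after per field of one record, collapsing repeated edits."""
    changes: Dict[str, Tuple[str, str]] = {}
    for ev in events:
        if ev.get("action", "").endswith(".update") and ev.get("target") == target:
            first_old = changes.get(ev["field"], (ev["old"], ""))[0]
            changes[ev["field"]] = (first_old, ev["new"])
    return changes
```

The net before/after view is what lets an investigator tell a single mistaken edit from a pattern of changes, and the time-window and action-type filters are the "by date or type of action" search the conclusion asks about. Real SaaS audit exports differ in field names and frequently omit the old value entirely, which is the practical reason the text says built-in trails give limited visibility.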
Conclusion
As your organization deploys more apps and, in turn, more identities in its effort to grow and compete, a new form of risk is emerging. Everyday users are gaining access to resources that, while important for driving major initiatives, are exactly what attackers are targeting.
How well are you protecting your users’ sessions in applications that contain sensitive resources?
• Can your team easily produce a record of what goes on during specific end-user activity?
• How quickly can you search for and identify security events by criteria like date or type of action?
• How confident are you that the person who initiated a web session is the person using the application?
• How well do you protect web sessions from threats originating on endpoints?
Improving your capabilities in these four key areas will help you find the right balance in providing access that drives your business forward while ensuring the security of your most valuable assets.
Learn More About CyberArk
We hope you found this eBook helpful as you address your organization’s security needs. You can learn how CyberArk is helping organizations secure their users’ web application sessions through recording, auditing and more.
CyberArk is the global leader in Identity Security. Centered on privileged access management, CyberArk provides the most comprehensive security offering for any identity — human or machine — across business applications, distributed workforces, hybrid cloud workloads and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets. To learn more about CyberArk, visit www.cyberark.com, read the CyberArk blogs or follow us on Twitter via @CyberArk, LinkedIn or Facebook.
©Copyright 2022 CyberArk Software. All rights reserved. No portion of this publication may be reproduced in any form or by any means without the express written consent of CyberArk Software.
CyberArk®, the CyberArk logo and other trade or service names appearing above are registered trademarks (or trademarks) of CyberArk Software in the U.S. and other jurisdictions. Any other trade and service names are the property of their respective owners.
CyberArk believes the information in this document is accurate as of its publication date. The information is provided without any express, statutory, or implied warranties and is subject to change without notice.
THIS PUBLICATION IS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED “AS IS” WITH NO WARRANTIES WHATSOEVER WHETHER EXPRESSED OR IMPLIED, INCLUDING WARRANTY OF MERCHANTABILITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT OR OTHERWISE. IN NO EVENT SHALL CYBERARK BE LIABLE FOR ANY DAMAGES WHATSOEVER, AND IN PARTICULAR CYBERARK SHALL NOT BE LIABLE FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, OR DAMAGES FOR LOST PROFITS, LOSS OF REVENUE OR LOSS OF USE, COST OF REPLACEMENT GOODS, LOSS OR DAMAGE TO DATA ARISING FROM USE OF OR IN RELIANCE ON THIS PUBLICATION, EVEN IF CYBERARK HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
U.S., 02.22 Doc: TSK-597