MONITORING

THE
PRIVILEGED
USER

THE ESSENTIAL GUIDE INTRODUCING

THE CHALLENGES OF PRIVILEGED

ACCESS MANAGEMENT AND

SOLUTIONS FOR MONITORING

PRIVILEGED ACTIVITY

www.balabit.com
Why an Essential Guide?
One of the greatest challenges of IT is preventing privileged users from doing things in IT systems that are not
allowed. The activity of a web-site visitor might be limited, but employees—especially system administrators—
often have few restrictions. The greater the access privileges an employee has, the greater the risk they pose
to the company.

Regulatory requirements, a global IT supply chain and sophisticated cyber threats, are forcing companies to
provide more supervision of privileged users to mitigate these risks. Implementing a solution can be challenging,
but today’s technology can help you accomplish this.

Privileged User Monitoring (PUM) tools monitor and control the access of privileged users to IT assets.
This guide provides an overview of PUM, defining the key capabilities of PUM solutions and their benefits.
This guide examines the key challenges various industries face from privileged users and identifies best
practices for using a PUM solution to mitigate these risks.
 Privileged users can be categorized as:

Who Privileged users

1
Users Accessing

are not limited to IT Shared Administrative Accounts

are your
Shared administrative accounts exist in most devices and software
administrators. According
applications. These include the Administrator user on Microsoft
to the Glossary of Security
Windows, the root user on UNIX/Linux, or the SYS account on Oracle.
Terms, Definitions, and

Privileged
These accounts hold “superuser” privileges and are often shared
Acronyms Privileged users among IT staff such as system administrators or network admins.

are users of an Information

Users Accessing

Users? System who have more

2
Privileged Personal Accounts
authority and access to an Privileged personal accounts are powerful accounts used by business

Information System than users and IT personnel. They have a high level of privilege and their
use or misuse can significantly affect the organization’s business.
a general user. These can
Users accessing these accounts usually are business or IT managers.
range from “superusers”

who have all or almost all Users Accessing

3
Emergency Accounts
privileges on a system,
Also called fire-call IDs or break-glass users. Emergency accounts
to third party providers
are special generic accounts used when elevated privileges are
with elevated privileges required to fix urgent problems including business continuity or
and senior employees disaster recovery. Access to these accounts frequently requires

who have accumulated managerial approval. Users accessing these accounts are typically
administrators, help-desk personnel, or IT operators.
privileges over time.

Users Accessing
4
Sensitive Business Systems
These are employees who can access and manage sensitive data
stored in key applications, such as SAP or financial systems. Some
examples are the accountants, the HR managers, or the customer
service employees.

Taken together, these categories mean that almost any employee or contractor who has elevated privileges
to systems or data can be a “privileged user.” Compounding the challenges, access to these high-risk
accounts often are shared, making it more difficult to monitor and control use.
What are Key Security Business users Superusers accessing Cyber threats: Inadequate
improperly accessing “everything” Privileged accounts monitoring of user
Risks related to sensitive data under attack activity
At most companies, users at different Administrators, IT contractors Privileged accounts have emerged Many legacy systems or custom-

Privileged organizational levels can directly

access and manipulate sensitive
and C-level managers often have
practically unrestricted access
as a primary target for cyber
criminals and have been exploited to
developed applications do not
support logging. And although,
information, such as Customer to the information assets of your perpetrate devastating cyberattacks log management and Security

Users? Relationship Management (CRM)

data, personnel records or credit
company. While most employees
are trustworthy, some abuse the
and data breaches in recent
years. Cyberattacks today can be
Information and Event Management
(SIEM) tools are good at presenting
card numbers. These can include trust placed in them, and superusers sophisticated and customized to event data, they have limitations,
workers in the legal department, are no exception. These users can bypass traditional defenses. APT including:
human resources, accountants intentionally or accidentally damage (Advanced Persistent Threats) and • Many critical security events
and customer service. Improper your business by improperly spearphishing attacks leverage such as misconfiguration of
use of sensitive data can result in accessing or exposing sensitive privileged accounts where firewalls are not logged at all.
data loss or leakage, exposing your resources. possible. Hacktivists recently used
• Those events that are logged
company to liability and damaging social engineering to access and
typically do not show the
its reputation. download staff directories at the
IT STAFF complete activity flow.
U.S. departments of Justice and
Homeland Security. • Many times, the logs only show
obscure technical details about
TERMINAL
SERVICES USERS security events.

DATA CENTER Consequently, traditional IT

Client data, Financial info, Personal records,
FWs, Network devices, Citrix servers, etc
systems are unable to audit user
“When the nature sessions. Logging is also limited
of their actions is known, in tracing user activity; moreover,
an attacker or rogue administrator
the general privilege abuse OUTSOURCING
can manipulate the logs to cover
is always at the top of the list PARTNERS
his tracks. If a monitored user
[of misuse actions].” can compromise the logs, this

Verizon 2016 Data Breach Investigations Report is an inadequate tool for reliable
UNLIMITED AND
UNCONTROLLED ACCESS! monitoring of privileged users.

MANAGERS
 How to monitor internal IT staff

“Insider incidents are the hardest (and take the longest) to detect. Of all the incidents,

Business these insider misuse cases are the most likely to take months or years to discover.”
Verizon 2016 Data Breach Investigations Report

System administrators are the most powerful users in an IT environment. Although they often sit at the bottom of the organizational hierarchy,

Challenges they have very high or even unrestricted access rights to operating systems, databases and applications. With superuser privileges on servers,
administrators can directly access and manipulate your company’s sensitive information, including financial and client data or HR records. But
their accountability often is low and they have opportunities to mask their activities.

Risky behavior of IT admins and other IT professionals includes:

Sharing administrative passwords - IT personnel often share Using “dead” accounts – Twenty-eight percent of respondents
passwords for privileged accounts, which is a violation of security have accessed systems belonging to employers after leaving the
best practices. A 2015 survey on insider risk by Intermedia found company.
that 65 percent of IT professionals share logins with multiple users.
Bypassing company policies – Intermedia found that 40 percent
This increases risks when an administrator leaves the organization
think it is all right to install applications without consulting IT.
or changes role and shared passwords are not changed.

How to Control third-party providers

“Office of Personnel Management attackers entered the agency’s network with a

username and password belonging to an external contractor. As a result, security
experts are renewing calls for stricter limits on this kind of privileged access.”
Christian Science Monitor

In a global economy, IT functions often are outsourced to contractors, hosting services and cloud providers. These third parties might provide
essential business and IT operations, including network infrastructure, websites, email, CRM services or Enterprise Resource Planning (ERP)
applications. Your organization must trust these third-party administrators with its data and the operation of business-critical systems.

Giving responsibility to an IT service provider always involves a risk. There will be contractual obligations, but actually monitoring third-party
employees cannot be done with a Service Level Agreement (SLA). There are few reliable and easy-to-use solutions for validating IT SLAs and
verifying billable activities. Measuring Key Performance Indicators (KPI) such as response times or restricting external administrator access
is also challenging. It is essential to actively monitor third-party activities to know what your partners do when they connect to your systems.
 How to achieve Compliance with Regulations

“Regulatory compliance is concerned with laws that a business must

Business obey, or risk legal sanctions, up to and including prison for its officers.”
Gartner

A growing body of laws, regulations and industrial standards mandate security policies and practices to ensure privacy and protect customer

Challenges data. Regulations such as the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standards (PCI-DSS), ISO 27001, and the
arriving EU General Data Protection Regulation (GDPR) require the protection of sensitive information - be it personally identifiable information,
credit card data, or other financial information. For example:

SOX requires CEOs and CFOs to certify that all financial data ISO27001 specifies controls for monitoring system use, system
provided to auditors is accurate. Management can even face administration and operations, and the management of security
prison for serious violations. incidents.

The Control Objectives for Information and Related Technology The PCI DSS requires auditing access to cardholder data and use
(COBIT), requires security monitoring, change management and data of an access control system.
security controls and the ability to monitor user activity and access.

Becoming and remaining compliant with this growing body of regulations means that your organization must have a reliable solution for monitoring
and auditing activities of all privileged users on a granular level.

How to Improve Troubleshooting & Forensics

“36% of the worst security breaches in the year were caused by inadvertent human error.”
Information Security Breaches Survey 2013

The question “Who did what on our server?” is one of the most important and most difficult in the wake of a security incident. Logs for a variety
of devices must be correlated, including the desktop PC, the firewall, and accessed servers. Analyzing thousands of text-based logs can be a
nightmare and might require costly external experts.

Many larger organizations have a Security Operation Center (SOC). But without adequate and reliable data of users’ working sessions, the
investigation of incidents can be expensive and inadequate.

System management tools are improving the ability to handle system errors, but the solution to human error, the number one cause for server
downtime, remains elusive. A tamper-proof session-recording solution is needed to determine who did what, and when.
Cyber Security

Industry Gaps:

The Most
Affected
Sectors
All organizations must pay attention to the security

of their data and other assets, and cybersecurity

is a basic business requirement. But some

sectors, because of the nature of their business

and the value of the data they hold, have

become high-profile targets.

Telecommunications Cloud- and Managed
Service Providers
“This year [Deutsche Telekom] registered close to “The worldwide public cloud services market is projected
one million hacker attacks daily, on its grids alone.” to grow 16.5 percent in 2016 to total $204 billion, up from $175

EurActive, 2015. billion in 2015, according to Gartner, Inc.” - Garner.

Great need for business continuity Accountability issues

Telecommunication firms operate complex, heterogeneous network which are difficult to manage. Adoption of cloud computing requires giving up some control over IT infrastructure. Customers expect
They need different monitoring products for different platforms which can be complex and expensive. their Cloud Service Provider (CSP) and Managed Service Providers (MSP) to be accountable and make IT
Large providers have tens of thousands of servers and networking devices managed by countless management and maintenance transparent and auditable to ensure both the reliability of the service and
administrators. Even an accidental misconfiguration of a mission-critical router can cause a serious protect the customer’s assets and reputation. This should include recording all administrative sessions
service outage leading to painful revenue loss and reputation damage. Consequently, fast resolution of affecting a customer’s assets and making these records available to the customer. This can also help the
network problems are crucial for providers to keep the service running and to meet the SLA requirements. CSP protect against malicious insiders.

Security Risk of Third-parties SLA verification

The network of a telecommunication provider is based on third-party infrastructure components which Verifying compliance with SLA is difficult, as there is no reliable solution to measure Key Performance
are typically managed by third-party vendors and contracted engineers. Third-parties require privileged Indicators such as response times and billable activities. A tamper-proof activity monitoring solution is
remote access to the provider’s critical IT and network resources. In addition, providers operate mass of needed to show compliance with the SLA.
legacy devices, such as obsolete routers, gateways, and so on. Typically, these devices are also remotely
Regulatory compliance
managed by accessing the hardcoded shared account (for example, “administrator”) of the device. These
MSPs and CSPs are subject to data security regulations ranging from the PCI DSS (Cloud Computing
accounts hold superuser privileges and are often shared among third-parties.
Guidelines) to Cloud Security Alliance (Security, Trust & Assurance Registry - STAR) and the U.S. Federal
Nation-wide impact of cyber-attacks Risk and Authorization Management Program (FedRAMP). These require service providers to protect
Large telecommunication networks are classified as critical national infrastructure, which are potential client data, separate roles, and to fully audit administrative access to data. This can require a tamper-
targets of cyber-terrorists and nation-sponsored cyber-attacks. Advanced Persistent Threats (APTs) use proof session-recording tool to pass compliance audits.
sophisticated methods which can easily bypass firewalls and other traditional protection lines. To mitigate
the risk of cyber-attacks, providers need to implement advanced security layers which can restrict and
monitor the privileged access to critical assets.
Financial services Government
“Britain’s top crime agency has warned internet banking “…in 2013 [Cyber Warfare] was, for the first time, considered
users to protect themselves against cyber attacks a larger threat than Al Qaeda or terrorism, by many U.S.
after hackers used a ‘particularly virulent’ virus to intelligence officials.” - Ken Dilanian, Los Angeles Times, March, 2013.
steal £20million from UK accounts.” - Daily Mail

Increasing Risk of Cyber-attacks and Frauds Cyber Warfare

Banks manage and store massive amounts of sensitive data, and the finance industry is a major target Government cybersecurity is a high-stakes game and a matter of national security. Cyber risks can range
for cyber-criminals who use sophisticated methods to steal client’s identity or hijack privileged employee from hacking to state-sponsored espionage and sabotage. It is of paramount importance to provide real-
accounts. Banks can be held responsible for financial losses from cyberattacks, and damage to reputation time response to security incidents in government and other critical infrastructure. Governments need
can be significant. advanced security technologies to enable continuous monitoring, activity reporting, data collection and
analysis.
Complex IT organizations
Regulatory compliance
International banks and insurers operate large, distributed IT enterprises, managed by hundreds of
U.S. government agencies must comply with the Federal Information Security Modernization Act (FISMA)
system administrators. Traditional solutions for logging cannot completely trace administrative activity and
using security controls catalogued in NIST SP 800-53, as well as with many other security mandates.
incident detection and investigation can require an investment of significant time and money. Complexity
The European Commission proposed a cybersecurity strategy for the European Union in 2013, and in
is increased by the outsourcing of many IT functions that must also be monitored and managed.
2015 the Parliament and Council agreed on the text of the Network and Information Security Directive
intended to:
Regulatory compliance
Besides strict internal IT security policies, financial institutions also must comply with industry and • Increase cybersecurity capabilities of EU member states,
government regulation such as Basel III, the Markets in Financial Instrument Directive (MiFID II), SOX,
• Enhance cooperation on cybersecurity, and
EuroSox, PCI DSS and others. Institutions must record all access to sensitive financial information to
protect investors, creditors, and clients. Financial institutions must pass compliance audits to continue • Ensure a high level of risk management across key sectors.
operations and to prevent financial losses and damage to their reputation.
Managing third-party IT providers
Public sector institutions often rely heavily on IT outsourcing. These third parties, as well as other
contractors, often have direct access to sensitive information and my hold government data. In these
cases, contractors must meet the same security requirements as agencies.
Achieving Privileged User Monitoring
Advanced “All organizations have to balance the security risks associated with

Cyber
privileged accounts against the operational efficiencies gained through

the use of such accounts.”

– Gartner

Security
Privileged User Monitoring (PUM) has various definitions, with each vendor defining it according to the functionality of its products. But there
are some common requirements:

Control privileged user access to IT

1 assets,
AUT
HENTICATION

Control and filter commands or A

2 actions a privileged user can

CC
TS

ES
OR
execute,
PR

SC
ZE

REP

ONT
Provide accountability by monitoring

LY

EV
ACTIVITY
3

ANA

ROL
and recording privileged access,

ENT
commands and actions,

Maintain a comprehensive view of

4

REA
what privileged users were doing

S
in the IT environment, through

L-T
SIC
dashboards, reporting and activity DET CT

I
E

M
E

EA
OR
replay. LE
F RT
& S
DIT
Basically, PUM technologies help companies protect AU
critical IT assets and meet compliance requirements by
securing, managing and monitoring privileged access.
Different Vendors – Different Approaches Monitoring
and replaying
user sessions

Privileged User Monitoring vendors approach this market from different directions and with various core competencies, such as password management, identity and There is a wide spectrum of monitoring and
access management, or network forensics. Some vendor’s technologies are marketed as parts of larger solutions. But all of these products are trying to meet the replaying capabilities in PUM solutions.
same challenge: controlling and monitoring the access of privileged users to critical IT assets. Some of the technologies used to do this are: Some collect syslog-like messages, which
can be displayed or replayed based on

Jump hosts (Hop gateways) Proxy gateways timestamps. Others log only keystrokes.

These are web-based interfaces for accessing servers. The jump host is Proxy gateways are the most mature solutions in terms of control granularity Some capture screenshots from user

accessed from a browser, and connects to the target server using a web- and auditing quality. They are placed between the client and the server to sessions, or even record the entire session

based client application. The jump host logs activity on the application. inspect the traffic on the application level. They can be used to selectively in an AVI file. But unless there is a way

However, integration into an existing infrastructure can be difficult and there permit or deny access to protocol-specific channels, to authenticate users and to process and analyze the content of the

can be compatibility issues with server applications. enforce policies. screenshots and video files, these might
not be as useful as they seem.
PROXY

Agent based solutions GATEWAY

With the right tools, session recording and
Agent based solutions install small applications or agents on monitored servers playback can give auditors the ability to
to collect information about user activity. They provide detailed monitoring, but review all administrator activity exactly
have some disadvantages: they appeared on their monitor. This
Agents must be installed and maintained on each server. can be useful for incident investigations
CLIENT
and reporting, if it can be processed
Monitoring is limited to the platforms supported by the agent. Typically, they
automatically to extract the executed
run only on the most common operating systems, leaving other systems SERVER
commands, applications, and the contents
and devices unmonitored.
Client connects to the server routed through a proxy gateway. of the screen. To do this, advanced PUM

They do not control the remote connection used to access the server and The gateway has full access to the traffic and can even transparently record its full content. solutions index the commands on terminal

cannot restrict file transfers, port-forwarding, file redirection on Windows screens and use Optical Character
Proxy gateways are independent from the client and the monitored server, Recognition (OCR) on graphical screens.
or other activities.
preventing modification of audit information. Audit information can be time-
There is no separation between the agent and its host, so agents can be stamped, encrypted, and digitally signed to prevent tampering. As transparent The monitoring and auditing of user
manipulated. This is essentially the same problem as using the system solutions, proxy gateways require minimum change to existing IT environment. sessions make it possible to conduct
logs to check activities of a superuser, who can influence the system logs. Also, since they operate on the network level, the users can keep using the ad-hoc forensics investigations, analyze
client applications they are familiar with, and do not have to change their recorded data in detail, and create custom
working processes. reports.
 1 Control Privileged Access
Access management needs to be developed based on formal policies and processes. When developing access control/
management systems, legal regulations and standards should be taken into consideration, and it is often worth treating
users with privileged access separately.

2 Grant Minimum Privileges Necessary

Each user, including privileged users, should only be granted the rights absolutely necessary to perform their duties. Even
system administrators should only have access to those systems they absolutely need for business and operational reasons.

3 “God Mode Only” in Emergencies

Built-in administrator accounts of the various systems (like “root,” “Administrator” and “System” accounts) are not generally
required for daily operation. Access to these accounts should be restricted, and use of these accounts should be strictly
controlled.

4 Use Named Users

Use named user accounts properly for personal accountability. There needs to be careful assessment of users other than
named users, when and why these accounts are in use, and how such options can be eliminated. Should technical reasons
justify the use of shared user accounts, it’s then important to investigate what solutions can help mitigate the associated
risks.

5 Implement a Central User Monitoring Solution

Log management systems are not always capable of recording events and activities performed by privileged users.
This gap is filled by Privileged User Monitoring (PUM) solutions, providing detailed and traceable records of actions
performed by privileged users. More advanced solutions operate transparently; therefore implementation of these systems
does not interfere with daily operation.

6 Require Strong Authentication for Privileged Users

Employing sufficiently strong and secure identification for privileged user access is of key importance, since these users
User Monitoring Essentials may have a significant impact on the operation of the system. Some PUM systems support authentication methods giving
stronger security by default. Other systems, however, do not support this, and supplementary solutions become necessary.

Employing 7 Develop Real-time Protection Mechanisms

It is practical to determine whether privileged users have access to systems which are accessed only occasionally, yet pose

Best Practices a risk for the organization. If such a situation is discovered, protection measures should be taken. User activity monitoring
systems which feature real-time alerts or can prevent execution of unwanted commands/actions provide much higher added
value than analyzing logs retrospectively.
 1
2
Cyber Security
Wrap-up
Privileged users include not just administrators, but a wider group of
employees in an enterprise. Users with high-level privileges present a
security risk for organizations with their access to sensitive systems and
data, and their accounts are subject to compromise by outside attackers.
SIEM tools can be useful, but they have limitations.

Privileged User Monitoring (PUM) tools can be an ideal solution for effectively
monitoring and controlling the activities of privileged users. They can collect
4 audit information for incident investigations and compliance reports. By
implementing PUM, your organization can control the activities of internal
3 IT administrators, powerful business users, and outside partners. Advanced
PUM tools support playback and fast, free-text search of user activities to
dramatically speed up troubleshooting and investigations.

PUM tools also help to fulfill the monitoring requirements of local and
industry regulations, helping you to pass compliance audits quickly and
efficiently. PAM solutions can help you significantly increase your security
posture and regulatory compliance.
More about the Solution Balabit’s
Contextual Security
Intelligence Suite

Balabit Shell Control Box The Balabit Contextual Security Intelligence

Suite has been designed using the

A Leading PUM Tool

experience gained as a leader in the field
IT STAFF of enterprise security. It integrates class
leading log management, privileged user
activity monitoring and user behavior
analytics tools to provide a platform for
Shell Control Box (SCB) is an activity monitoring TERMINAL
end-to-end discovery, investigation and
appliance that controls access to remote servers, SERVICES USERS
response to previously unknown threats.
virtual desktops and networking devices, and It provides a forensic-level of visibility into
DATA CENTER
records the activities of users. It is an external, fully Client data, Financial info, Personal records, user activities, and the impact on applications
FWs, Network devices, Citrix servers, etc
transparent proxy gateway, completely independent and data. Using machine-learning algorithms
of the clients and the servers. Recorded audit trails it maintains a digital footprint of normal user
can be replayed like a movie to review the events and system behavior. This footprint is then
exactly as they occurred. The recorded content used in real-time to analyze user activity and
OUTSOURCING
is indexed to enable searching and automatic identify potential threats when a user acts
PARTNERS
reporting. SCB is especially suited to supervise out of context. Highly visual user interfaces
provide seamless integration between threat
privileged-user access as mandated by government
detection and investigation together with
and industry regulations. The server- and client PRIVILEGED
deep levels of visibility into the context of
applications do not have to be modified to use ACTIVITY MONITORING
BY SHELL CONTROL BOX activity, including video replay of individual
SCB — it integrates smoothly into your existing
MANAGERS user sessions. All this happens transparently
infrastructure. Learn More
to existing end-user workflows. This means
that Balabit solutions do not introduce
additional business constraints while they
“All statements in this report attributable to Gartner represent Balabit interpretation of data, research
Learn More accelerate the time to detect and investigate
opinion or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not
malicious user activities.
been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of Shell Control Box homepage Request a callback
the date of this document). The opinions expressed in Gartner publications are not representations of fact,
Request an online demo Find a reseller
and are subject to change without notice.”
WANT MORE About Balabit

Balabit is an international IT security vendor, founded

INFORMATION?
in Budapest, Hungary. Balabit is a leading provider
of contextual security technologies with the mission
of preventing data breaches without constraining
business. Balabit operates globally through a network
of local offices across the United States and Europe
together with partners.

Balabit’s Contextual Security Intelligence™ strategy

Take a guided tour!
protects organizations in real-time from threats posed
by the misuse of high risk and privileged accounts.
Solutions include reliable system and application
CONTACT ME
Log Management with context aware data ingestion,
Privileged User Monitoring and User Behavior
Analytics. Together they can identify unusual user
activities and provide deep visibility into potential
Download more premium content! threats. Working in conjunction with existing control-
based strategies Balabit enables a flexible and
people-centric approach to improve security without
RESOURCE LIBRARY adding additional barriers to business practices.

Founded in 2000 Balabit has a proven track record

including 23 Fortune 100 customers among over
1,000,000 corporate users worldwide.

Connect with us! For more information, visit www.balabit.com or

call +1 555 5555 555