User Activity Monitoring

Gartner recommends that organizations implement user activity monitoring as part of a strategy to manage external and internal threats, and for regulatory compliance. Gartner suggests integrating Identity and Access Management (IAM) capabilities with a SIEM system to achieve user activity monitoring, but other approaches work as well if not better as I explain below.

Why is user activity monitoring needed? Since all major regulatory frameworks -- including SOX, PCI DSS, GLBA, and HIPAA -- require least privilege access controls, thousands of companies are obligated to prevent excessive access rights and yet, according to Deloitte, have failed to adequately do so. The reason this is a hard problem has to do with the dynamic nature of the enterprise-especially in an economic downturn -- with layoffs, restructurings, aggressive use of contractors and other service providers, along with the need for federated identity and access management as enterprises collaborate.

Conventional wisdom holds that the best practice for resolving this issue is to adopt an IAM system with role-based access control (RBAC) capabilities. Unfortunately, such systems provide no user activity monitoring or other assessment mechanisms and as a result are notoriously ineffective. While these systems ensure that only authorized users may log in to critical resources, they fail to consistently determine which users should be authorized to access those resources. As a result, as reported by a Dartmouth field study and by IDC, over-entitlement is the norm. In many organizations over 50% of access rights are dormant, representing a huge security vulnerability as well as a significant compliance exposure.

This is where user activity monitoring comes in. Organizations can assess user privileges, or entitlements, through user activity monitoring in order to identify excess entitlements. That few organizations do so is indicated by the high rate of audit findings for such access controls. Two additional methods of implementing user activity monitoring, besides the SIEM+IAM integration suggested by Gartner, are network-based activity monitoring and log-based activity monitoring.

Many organizations collect NetFlow data for IP traffic analysis reasons, and analyze this data for user activity monitoring. While NetFlow shows source and destination IP address and port number, it doesn't show authenticated user names nor application names (applications can in many cases be deduced with destination IP address and port number, but it's practically impossible to link source IP address to user names). NetFlow is therefore inadequate in most cases for tracking user access to audited applications.

Some organizations have adopted a network-based user activity monitoring system which goes beyond NetFlow to record, not just source and destination IP addresses, but authenticated user names and which application was accessed. While far superior to a NetFlow-only approach, network based activity monitoring has several challenges:

• Span port scarcity - span ports are used for a variety of applications, and without a network monitoring system such as one from Gigamon span port availability could be a constraint;
• Span port data loss - most switches are vulnerable to packet loss on their span ports during peak traffic bursts. Even a data loss rate of under 1% can render such a solution inadequate for forensic purposes;
• Application-side scalability - network activity monitoring requires a probe on every ingress span into the application infrastructure;
• User-side scalability - a probe must be placed in every subnet with its own AD or other authorization system, which can make for a very expensive deployment in a distributed environment or one with many remote offices;
• Encryption - as the percentage of encrypted sessions inside the data center increases, it leaves a larger blind spot for network-based approaches;
• Technical challenges with today's DPI silicon in monitoring 10G links - the latest generation network processor with DPI (deep packet inspection ) capabilities can monitor 4-5 Gbps, far short of the 20 Gbps required for full-duplex traffic monitoring of a 10G link; and
• No visibility to access from behind the monitored span port - network activity monitoring is blind to local access, e.g. from the application server's console port. It also can't see application-to-application access.

Despite these challenges, enterprises are deploying network-based access activity monitoring system because they otherwise do not have effective solutions for preventing excessive access rights.

An alternate approach to network-based access activity monitoring is log-based user activity monitoring, also known as Identity and Access Assessment (IdAA), which does not suffer from the limitations and constraints listed above. Cloud Compliance, my prior company, read log files for audited applications in order to prevent excessive access rights and other access audit violations. The log-based approach precludes the need for hardware to be deployed, is scalable, detects 100% of access activity (regardless of encryption, 10G links, and source of access) and, when deployed as a SaaS solution, eliminates the need for installation, software maintenance, and a large upfront capital outlay.