User Activity Monitoring

User Activity Monitoring (UAM) is the monitoring and recording of user actions to enhance information security. UAM tools and applications enable the capture and rapid analysis of user actions, including the use of applications, windows opened, system commands executed, check boxes clicked, text entered or edited, URLs visited, and nearly every other on-screen event. The goal is to protect data by ensuring that employees and contractors remain within their assigned tasks and pose no risk to the business or organization.

In other words, user activity monitoring answers who, which, what, and when by searching all network, server, and application logs for strange or unusual activities. UAM considerably helps in identifying the origin and propagation of a security incident. UAM software completely eliminates the need to analyze user activity log data manually in order to locate an issue, a process that would otherwise take weeks or months due to the sheer volume of log data. Investigating the different types of security logs and events by hand can also be impossible.

Veriato 360, the pioneer in User Activity Monitoring software, delivers video-like playback of on-screen user activity. Moreover, it processes and analyzes these videos automatically in order to investigate any unusual user behavior, and triggers appropriate alerts whenever such events occur.

IT Security Risks

  • Information Security: Critical Issues & Risks: The need for User Activity Monitoring (UAM) has increased in the past decade due to the surge in security incidents that directly or indirectly involve user credentials, exposing critical company information including sensitive data and files. In 2014 alone, there were about 761 data breaches in the United States, resulting in over 83 million exposed customer and employee records. With 76% of these breaches resulting from weak or misused user credentials, UAM has become a major element in IT infrastructure security.
  • Risks with Third Party Contractor Access: Most organizations inevitably hire third party contractors to perform IT and operational tasks. Most of the time, such contractors require remote or onsite access to critical and confidential company data in order to perform the jobs for which they have been hired. Even with no malicious intent, such an external user is always a major security liability. UAM tools effectively deter information misuse, and are usually programmed to display a warning to these users that they are being monitored whenever they access digital information.
  • Everyday Corporate Users & Authorized Employees: Organizations need to give employees access to a range of crucial information to perform their day-to-day functions. 70% of regular business users admitted to having access to more data than necessary. Generalized accounts may give regular business users or employees access to confidential company data. This makes insider threats a reality for any business that uses generalized employee access accounts.
  • Privileged IT Users: Administrator accounts usually have full access to all information. These accounts therefore need to be heavily monitored due to the high-profile nature of their access privileges. However, current log tools can generate log overload on these admin accounts, causing a “log fatigue” phenomenon. Log fatigue is the overwhelming sensation of trying to handle a vast amount of log data on a particular generalized account as a result of too many user actions using the same account credentials. Harmful user actions performed using such generalized administrator accounts can easily go unnoticed with thousands of user actions being compiled on a daily basis.
  • Overall User Risk: According to the Verizon Data Breach Incident Reports, the first and most critical step in protecting your data is knowing where the data is and who has the rights to access it. In today’s IT environment, there is a lack of oversight and control over which employees have access to sensitive and confidential data, and how. This apparent gap is one of many factors that have resulted in a major number of security issues for organizations.

UAM Components

    The main aspects of UAM can be classified as below:

    User Behavior Analytics
    User behavior analytics adds a further layer of protection that helps IT security professionals keep an eye on the weakest part of their networks. By monitoring user behavior with dedicated UAM software that analyzes exactly what the user does during a session, security professionals can attach a risk factor to specific users and/or groups, and be alerted immediately with a red flag warning when a high-risk user does something that can be interpreted as a high-risk action, such as exporting confidential client data, performing large database queries that are outside their scope of work, or accessing information or resources that they shouldn’t be accessing.

    Visual Forensics
    Visual forensics involves constructing a visual summary of potentially hazardous user activity. Each user action is logged in detail and recorded. By the time a user session has finished, UAM has already created both a written record and a visual record, whether screen captures or video, of exactly what the user did during the session. This written record differs from that of a SIEM or logging tool because it captures data at the user level, not the system level, providing plain-English logs rather than syslogs. Syslogs were originally created for debugging purposes and give no insight into risk factors. The textual logs created by UAM software are paired with the corresponding screen captures or video abstracts. Using these corresponding logs and images, the visual forensics module of UAM software allows organizations to search for precise user actions in case of a security breach. In the case of a security threat, i.e. a data breach, visual forensics is used to show exactly what a user did, and everything leading up to the breach. Visual forensics can also be used to provide evidence to any law enforcement agency that may examine the intrusion.

    User Activity Alerting Feature
    User activity alerting notifies whoever operates the UAM software of a mishap or misstep concerning corporate data. Real-time alerting lets the designated administrator be notified the moment a fault or intrusion occurs within the UAM perimeter. Alerts are collected for each user to provide a user risk profile and threat ranking. Alerting is fully customizable based on combinations of users, access methods, actions, time, and location. Alerts can be triggered by something as simple as opening an application, entering one of a list of flagged keywords, or visiting prohibited websites or web content. Alerts can also be customized based on user actions within an application, such as deleting or creating a user or executing specific commands.
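
    The sketch below is an added example, not code from any UAM product. It shows how the alert rules described here and the per-group risk factor from the User Behavior Analytics section can combine into a per-user threat ranking. The event fields, rule names, weights and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real log data): one dict per recorded user action.
EVENTS = [
    {"user": "alice", "group": "staff", "access": "console", "action": "url_visit",
     "detail": "https://intranet.example/wiki", "time": "2024-03-04T10:15:00"},
    {"user": "vendor01", "group": "contractor", "access": "rdp", "action": "command",
     "detail": "net user tempadmin /add", "time": "2024-03-04T23:40:00"},
    {"user": "vendor01", "group": "contractor", "access": "rdp", "action": "text_entered",
     "detail": "export of confidential client list", "time": "2024-03-04T23:42:00"},
    {"user": "bob", "group": "admin", "access": "ssh", "action": "command",
     "detail": "userdel -r jsmith", "time": "2024-03-05T09:05:00"},
]

# Risk factor attached to each user group (assumed values).
RISK_FACTOR = {"staff": 1, "admin": 2, "contractor": 3}

def off_hours(event):
    """True when the action happened outside 07:00-20:00 (assumed working hours)."""
    hour = datetime.fromisoformat(event["time"]).hour
    return hour < 7 or hour >= 20

# Each rule is (name, weight, predicate) over action, access method and time.
RULES = [
    ("account_change", 5, lambda e: e["action"] == "command" and
        any(k in e["detail"] for k in ("net user", "useradd", "userdel"))),
    ("flagged_keyword", 3, lambda e: e["action"] == "text_entered" and
        any(k in e["detail"].lower() for k in ("confidential", "client list"))),
    ("remote_off_hours", 2, lambda e: e["access"] in ("rdp", "ssh") and off_hours(e)),
]

def evaluate(events):
    """Return (alerts, ranking): every rule hit, and users sorted by risk score."""
    alerts, scores = [], defaultdict(int)
    for event in events:
        for name, weight, predicate in RULES:
            if predicate(event):
                alerts.append((event["user"], name, event["time"]))
                # A hit counts for more when the user's group carries more risk.
                scores[event["user"]] += weight * RISK_FACTOR.get(event["group"], 1)
    ranking = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return alerts, ranking

if __name__ == "__main__":
    for user, score in evaluate(EVENTS)[1]:
        print(f"{user}: {score}")
```

    Scoring by individual user name only works when each person has their own account; on a shared administrator account every hit lands on one identity, which is the log fatigue problem described under Privileged IT Users.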

UAM Features

    Key Features of User Activity Monitoring (UAM)

    Video-like Playback
    UAM uses on-screen recording technology that captures individual user activities. Each video-like playback is saved and attached to the related user activity log. Playbacks range from traditional video playback to screen scraping, which is the compiling of sequential screenshots into a video-like replay. The user activity logs, along with the video-like playback, deliver a searchable summary of all user actions. This enables companies to not only read, but also view exactly what a particular user did on company systems.

    Video Activity Analysis
    The videos recorded by UAM can be lengthy and dull to watch. Advanced User Activity Monitoring software can analyze such videos to find trouble spots automatically, and can trigger alerts and produce detailed logs when it does.

    User Activity Logs
    UAM solutions transcribe all recorded activities into user activity log data. UAM logs match up with the video playbacks of the corresponding actions. Some examples of items logged are names of applications opened, titles of pages viewed, URLs visited, text (typed, edited, copied/pasted), and commands and scripts executed.

    Compliance Report Automation
    Achieve perfect compliance by tracking every access to corporate servers and databases, with detailed usage reporting and total application coverage.

    Zero Gap Recording
    UAM software records & analyzes user activity in every application, Web page and system area, over any connection protocol (RDP, SSH, Telnet, ICA, direct console login, etc.). UAM even records sessions in Citrix published applications, Citrix virtual desktops and VMware environments, as well as stand-alone Windows, Unix, Linux desktops and servers.

    Third Party Vendor or Contractor Monitoring
    Learn exactly what third party vendors or contractors are doing on your company’s networks and servers. Improve security and ensure transparent operations.

    Privileged User Monitoring
    Monitor privileged users having high profile access to sensitive corporate data and other critical information.

    Robust Security
    Enhance information and data security across the corporate network by knowing who did what and when on your networks.
