Monitoring and auditing privileged accounts are critical for businesses in several ways. It’s a fundamental security tenet. It’s a must-have to comply with security and regulatory compliance requirements. It’s also a critical tool in the Security and Incident Response teams’ arsenal during a breach investigation.
Due to their access to sensitive systems and services, privileged accounts are attractive targets for threat actors. We know how to protect them using a vault, like Secret Server. But effective monitoring of their use requires continuous visibility and reporting that ties all privileged activity back to a specific user.
Two ways to monitor privileged accounts
There are two approaches to monitoring privileged account activity in a Privileged Access Management (PAM) context: gateway-based and host-based.
With a gateway-based approach, a best practice is to use the vault as the single, trusted doorway through which legitimate admins access privileged accounts. Visibility comes from the vault logging all activity that touches vaulted privileged accounts (such as a password checkout). IT can generate reports of such activity on-demand or on a schedule.
The vault also records interactive SSH and RDP login sessions to servers and network devices as video for visual analysis. It transcribes these sessions as well, extracting relevant information such as typed commands into a searchable index to speed up root-cause analysis.
Both activity logging and session recording give organizations detective (after-the-fact) intel tied to a unique user. For random sampling, or when suspicious activity calls for a spot-check, IT Security can open a monitor window that shows the session as if through the eyes of the user, and if they observe something strange they can terminate the session and start an investigation.
There are situations, however, where we can lose visibility into privileged activity. For example, an admin needs to log in to a server. Instead of launching the session through the vault, they check out the password, leave the vault, and then log in to the server directly. The vault logs the checkout but loses visibility into all subsequent privileged activity on the server. Similarly, a rogue insider or external threat actor will commonly attempt direct access to servers and lateral movement from server to server. Again, this circumvents the vault's auditing and monitoring.
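The blind spot described above can be measured rather than assumed. The following added example (not code from the original post or from any PAM product) correlates the vault's own audit events with server login records: a login that arrives from the vault's session proxy shortly after a "session launch" event is attributed to the admin who launched it; a login that follows only a password checkout is attributed to the checking-out user but flagged as a direct login that the vault will no longer see; a login with no vault event at all is flagged as unattributed. The vault proxy address, the event fields and the sshd-style log lines are all constructed for illustration.

```python
"""Correlate vault audit events with host logins to find logins that bypass the vault.

Added example; the event formats are constructed for illustration, not
Secret Server's or any other product's real audit schema.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Address of the vault's session proxy/gateway (assumption for this example).
VAULT_PROXY_IP = "10.0.0.5"
# How long after a vault event a host login is still considered related.
WINDOW = timedelta(minutes=15)


@dataclass
class VaultEvent:
    ts: datetime
    user: str      # human admin who performed the action in the vault
    action: str    # "session_launch" (proxied) or "password_checkout"
    host: str
    account: str


@dataclass
class HostLogin:
    ts: datetime
    host: str
    account: str
    src_ip: str


# Constructed vault audit events (not real product output).
VAULT_EVENTS = [
    VaultEvent(datetime(2024, 3, 1, 9, 0), "alice", "session_launch", "db01", "root"),
    VaultEvent(datetime(2024, 3, 1, 9, 30), "bob", "password_checkout", "web01", "root"),
]

# Constructed sshd-style host log lines.
HOST_LOG = """\
2024-03-01T09:00:12 db01 sshd[2201]: Accepted publickey for root from 10.0.0.5 port 50112
2024-03-01T09:34:40 web01 sshd[4410]: Accepted password for root from 192.168.7.21 port 51020
2024-03-01T11:02:05 app02 sshd[7781]: Accepted password for root from 192.168.7.44 port 52331
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<account>\S+) "
    r"from (?P<src>[\d.]+) port \d+$"
)


def parse_host_logins(text):
    """Parse 'Accepted ... for <account> from <ip>' lines into HostLogin records."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append(HostLogin(datetime.fromisoformat(m["ts"]),
                                    m["host"], m["account"], m["src"]))
    return logins


def classify(login, vault_events, window=WINDOW):
    """Return (verdict, attributed_user) for one host login."""
    related = [e for e in vault_events
               if e.host == login.host and e.account == login.account
               and timedelta(0) <= login.ts - e.ts <= window]
    launches = [e for e in related if e.action == "session_launch"]
    if login.src_ip == VAULT_PROXY_IP and launches:
        # Session came through the vault's gateway: fully attributed and recorded.
        return "proxied_via_vault", launches[-1].user
    checkouts = [e for e in related if e.action == "password_checkout"]
    if checkouts:
        # Password was checked out but the login came from elsewhere:
        # the vault saw the checkout only and will miss everything that follows.
        return "checkout_then_direct_login", checkouts[-1].user
    # No vault activity at all: lateral movement or an admin going around the vault.
    return "unattributed_direct_login", None


def audit(host_log=HOST_LOG, vault_events=VAULT_EVENTS):
    """Classify every login in the host log against the vault's audit trail."""
    return [(l.host, l.account, *classify(l, vault_events))
            for l in parse_host_logins(host_log)]


if __name__ == "__main__":
    for row in audit():
        print(row)
```

The two flagged verdicts are exactly the cases the paragraph describes: the vault can still name the user for a checkout-then-direct login, but has no record of what happened next, and it cannot name anyone for a login that never touched it. Both are the gap host-based monitoring is meant to close.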
With host-based monitoring, however, we eliminate that blind spot. Host-based monitoring is a feature of Server PAM. Server PAM complements the vault, protecting the servers and providing visibility into the server-level activity that cyber attackers and rogue insiders can’t bypass.
Host-based monitoring provides forensic-level detail on privileged activity, capturing events at the file system and process levels. Even if a threat actor tries to obfuscate activity by hiding privileged commands inside innocuous batch files or aliased commands, which a session recording would not reveal, Server PAM captures these events and can trigger an alert on them.
Organizations can bolster these capabilities by enriching data in their Security Information and Event Management (SIEM) system or Cloud Access Security Broker (CASB) service with PAM events. These integrations are supported by modern PAM tools and enable organizations to mine activity data and discover correlations to identify malicious behavior that might fly under the radar.
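The two preceding paragraphs make a concrete claim: process-level events reveal privileged commands that a session transcript hides behind a script or an alias, and those events are most useful once they reach the SIEM. The following added example (not Server PAM code or any vendor's) shows the logic in miniature. It takes a constructed session transcript (what a recording would show was typed) and constructed process-execution events from a hypothetical host agent, and raises an alert whenever a sensitive binary ran without its name appearing in the command the user typed, noting whether a script or an alias/function hid it; the alerts are then serialised as newline-delimited JSON, the shape most SIEMs ingest. The sensitive-binary list, the field names and all sample data are assumptions for this example.

```python
"""Detect privileged commands hidden inside scripts or aliases using process-level events.

Added example, not product code. The event and transcript formats are constructed;
a real host-based agent (auditd, Server PAM, ...) has its own schema.
"""
import json
from datetime import datetime

# Binaries whose execution by a privileged account should always be attributable (assumption).
SENSITIVE_EXES = {"/usr/sbin/useradd", "/usr/sbin/visudo", "/usr/bin/passwd", "/usr/sbin/usermod"}

# Constructed session transcript: what a session recording would show was typed.
TRANSCRIPT = [
    {"ts": "2024-03-01T10:00:01", "session": "s1", "user": "root", "typed": "ls -la /var/log"},
    {"ts": "2024-03-01T10:00:20", "session": "s1", "user": "root", "typed": "./maint.sh"},
    {"ts": "2024-03-01T10:01:05", "session": "s1", "user": "root", "typed": "ll"},
    {"ts": "2024-03-01T10:02:00", "session": "s1", "user": "root", "typed": "useradd -m svc1"},
]

# Constructed process execution events from a hypothetical host-based agent.
# pid 50 is the interactive login shell; it is not itself an exec event here.
PROCESS_EVENTS = [
    {"ts": "2024-03-01T10:00:01", "session": "s1", "pid": 100, "ppid": 50,
     "exe": "/usr/bin/ls", "argv": ["ls", "-la", "/var/log"]},
    {"ts": "2024-03-01T10:00:20", "session": "s1", "pid": 101, "ppid": 50,
     "exe": "/bin/bash", "argv": ["bash", "./maint.sh"]},
    # spawned by the script, never typed by the user
    {"ts": "2024-03-01T10:00:21", "session": "s1", "pid": 102, "ppid": 101,
     "exe": "/usr/sbin/useradd", "argv": ["useradd", "-m", "backdoor"]},
    # 'll' is aliased to visudo in this constructed scenario
    {"ts": "2024-03-01T10:01:05", "session": "s1", "pid": 103, "ppid": 50,
     "exe": "/usr/sbin/visudo", "argv": ["visudo"]},
    # typed openly; visible in the recording, so no alert
    {"ts": "2024-03-01T10:02:00", "session": "s1", "pid": 104, "ppid": 50,
     "exe": "/usr/sbin/useradd", "argv": ["useradd", "-m", "svc1"]},
]


def typed_command_for(event, transcript):
    """Most recent transcript line in the same session at or before the event."""
    t = datetime.fromisoformat(event["ts"])
    candidates = [l for l in transcript if l["session"] == event["session"]
                  and datetime.fromisoformat(l["ts"]) <= t]
    return max(candidates, key=lambda l: l["ts"]) if candidates else None


def find_hidden_privileged_commands(events=PROCESS_EVENTS, transcript=TRANSCRIPT):
    """Alert on sensitive execs whose binary name never appeared in the typed command."""
    alerts = []
    by_pid = {e["pid"]: e for e in events}
    for e in events:
        if e["exe"] not in SENSITIVE_EXES:
            continue
        typed = typed_command_for(e, transcript)
        name = e["exe"].rsplit("/", 1)[-1]
        if typed and name in typed["typed"].split():
            continue  # visible in the session recording; nothing hidden
        parent = by_pid.get(e["ppid"])  # known exec event => a script launched it
        alerts.append({
            "rule": "privileged_command_not_visible_in_session",
            "user": typed["user"] if typed else None,
            "session": e["session"],
            "exe": e["exe"],
            "argv": e["argv"],
            "typed": typed["typed"] if typed else None,
            "hidden_by": "script:" + " ".join(parent["argv"]) if parent else "alias_or_function",
        })
    return alerts


def to_siem_records(alerts):
    """Serialise alerts as one JSON object per line for SIEM/CASB ingestion."""
    return [json.dumps(a, sort_keys=True) for a in alerts]


if __name__ == "__main__":
    for rec in to_siem_records(find_hidden_privileged_commands()):
        print(rec)
```

The key design point is that the attribution still comes from the session (user and typed command), while the evidence comes from the process event; joining the two is what lets the SIEM correlation the paragraph mentions tie a hidden `useradd` back to a named admin and the script that launched it.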
Privileged account monitoring is also essential when building a successful compliance program. Multiple regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) require detailed audit logs.
A best practice for privileged account sessions is to keep video recordings that the security or audit team can review, and that forensic investigators can use as evidence of activity involving critical assets in regulated industries.
As industry and regulatory initiatives evolve, the ability to provide information about activity involving sensitive accounts will remain an essential part of security and compliance efforts.