Oh, $#!t Where’s the user activity monitoring when you need it? Or why it needs to be part of any 10 essential enterprise security tools

What does 31 terabytes look like?

  1. 4,919,700,000 single-spaced, two-sided printed pages
  2. 1,240 25GB Blu-rays of Solo: A Star Wars Story
  3. 4.5 pickup trucks hauling your 4.9B single-spaced, two-sided printed pages
  4. $3 billion in stolen intellectual property, data and emails

Answer: Any of the above is an accurate representation of 31 TBs of data; but to 300 American and foreign universities, answer D is the value of what was taken from them by state-sponsored Iranian bad guys using stolen insider credentials.

Data has value — $3 billion in the above example. For Waymo, the self-driving car innovator, 14,000 files containing confidential schematics stolen by a former employee was worth at least $245 million

Corporate data retains and grows in value when it’s accessed and used by employees or partners as it was intended to be used. But that same data can cripple an organization when it falls into the hands of competitors, hackers or is maliciously — or accidentally — abused or deleted by those same users or cyber criminals with coopted user credentials.

So when I read CSO’s article 10 essential enterprise security tools (and 11 nice-to-haves), I was surprised to see that user activity monitoring wasn’t listed as an essential enterprise security tool.

It wasn’t even 1, 2, 3, 4 or 5 of the nice-to-haves.

The items that made it onto Mr. Vijayan’s list are worthy and should be considered in any company’s security posture review, but when the cause for over half of all data breaches is abuse of user access (i.e., insider threats), user activity monitoring shouldn’t be #6 in the nice-to-have category. 

I bet those 300 universities mentioned above didn’t say, “Oh, user activity monitoring would have been nice to have during that three-year hacking campaign.”

No, they were saying, “Oh sh!t! Why didn’t we notice that Professor X was downloading information he normally doesn’t access? We could have stopped this.”

And they could have because user activity monitoring is defined as the ability for administrators to monitor user activity and behavior on enterprise applications, systems and networks to look out for abnormal behavior. You can monitor through log collection and analysis, keystroke logging, session recordings or other means.

Mr. Vijayan correctly states why organizations need user activity monitoring: “Any organization at high risk for insider threats or compromised privileged user accounts needs to be on the lookout for the appropriate red flags.”

Did I mention that 51% of all data breaches are caused by insider threats? So yeah, every organization is at risk for insider threats or compromised privileged user accounts.

We’re not talking about side-channel attacks through microprocessor or hyperthreading vulnerabilities that only eight people in the world would figure out how to do. We’re talking about good ol’ fashioned abuse of legitimate insider credentials that can happen anywhere to anyone.

All too often we leave our data wide open with too much access, and we give our privileged users even more effective permissions to grant, revoke or generally cause mayhem by accident (accidental user deletion or ransomware infection) or maliciously (i.e., former Waymo chief engineer who took those files to competitor Uber).

Mergers and acquisitions, cloud adoption that layers on even more data on top of on-premises data, growing remote employee populations and more all add to the complexity of securing user access.

All of this is begging for more robust user activity monitoring — reporting on user permissions and access, monitoring and alerting on all user and administrator activity, identifying over-privileged users and removing unnecessary access and more — so you can secure your internal environment as tightly as your perimeter.

To learn more about using user activity monitoring with behavior analytics in your own environment, be sure to read our informative white paper Tackling Insider Threat Detection with User Behavior Analytics.

Download the White Paper

Anonymous