Issues
The need for UAM rose due to the increase in security incidents that directly or indirectly involve user credentials, exposing company information or sensitive files. In 2014, there were 761 data breaches in the United States, resulting in over 83 million exposed customer and employee records. With 76% of these breaches resulting from weak or exploited user credentials, UAM has become a significant component of
Contractors
Contractors are used in organizations to complete
Users
70% of regular business users admitted to having access to more data than necessary. Generalized accounts give regular business users access to classified company data. This makes
IT users
Administrator accounts are heavily monitored due to the high-profile nature of their access. However, current log tools can generate "log fatigue" on these admin accounts. Log fatigue is the overwhelming sensation of trying to handle a vast amount of logs on an account as a result of too many user actions. Harmful user actions can easily be overlooked with thousands of user actions being compiled every day.
Overall risk
According to the Verizon Data Breach Incident Report, "The first step in protecting your data is in knowing where it is and who has access to it." In today's IT environment, "there is a lack of oversight and control over how and who among employees has access to confidential, sensitive information." This apparent gap is one of many factors that have resulted in a major number of security issues for companies.
Components
Most companies that use UAM separate its necessary aspects into three major components.
Visual forensics
Visual forensics involves creating a visual summary of potentially hazardous user activity. Each user action is logged and recorded. Once a user session is completed, UAM has created both a written record and a visual record, whether screen captures or video, of exactly what a user has done. This written record differs from that of a SIEM or logging tool because it captures data at the user level, not at the system level, providing plain English logs rather than SysLogs (originally created for debugging purposes). These textual logs are paired with the corresponding screen captures or video summaries. Using these corresponding logs and images, the visual forensics component of UAM allows organizations to search for exact user actions in case of a security incident. In the case of a security threat, i.e. a data breach, visual forensics are used to show exactly what a user did, and everything leading up to the incident. Visual forensics can also be used to provide evidence to any
User activity alerting
User activity alerting notifies whoever operates the UAM solution of a mishap or misstep concerning company information. Real-time alerting enables the console administrator to be notified the moment an error or intrusion occurs. Alerts are aggregated for each user to provide a user risk profile and threat ranking. Alerting is customizable based on combinations of users, actions, time, location, and access method. Alerts can be triggered by simple events, such as opening an application or entering a certain keyword or web address. Alerts can also be customized based on user actions within an application, such as deleting or creating a user and executing specific commands.
User behavior analytics
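The alerting model described under User activity alerting (rules over action, time and access method, with alerts aggregated per user into a risk ranking) can be sketched as follows. This is an added example, not part of the original article or of any UAM product; the event fields, rule names, weights and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of user activity log records (not real data).
EVENTS = [
    {"user": "alice", "action": "open_app", "detail": "excel.exe",
     "time": "2024-03-04T10:15:00", "access": "console"},
    {"user": "bob", "action": "command", "detail": "useradd tempadmin",
     "time": "2024-03-04T02:40:00", "access": "ssh"},
    {"user": "bob", "action": "url", "detail": "https://files.example.com/upload",
     "time": "2024-03-04T02:45:00", "access": "ssh"},
    {"user": "carol", "action": "command", "detail": "ls -la",
     "time": "2024-03-04T23:30:00", "access": "rdp"},
    {"user": "contractor1", "action": "typed_text", "detail": "customer_export.csv",
     "time": "2024-03-04T14:00:00", "access": "rdp"},
]

def off_hours(event):
    """True when the event falls outside an assumed 06:00-22:00 working window."""
    hour = datetime.fromisoformat(event["time"]).hour
    return hour < 6 or hour >= 22

# Hypothetical rules as (name, weight, predicate); weights are illustrative only.
RULES = [
    ("account-management command", 5,
     lambda e: e["action"] == "command"
     and e["detail"].split()[:1] in (["useradd"], ["userdel"])),
    ("watched keyword or web address", 3,
     lambda e: any(k in e["detail"] for k in ("customer_export", "/upload"))),
    ("off-hours remote session", 2,
     lambda e: e["access"] in {"ssh", "rdp", "telnet"} and off_hours(e)),
]

def evaluate(events, rules=RULES):
    """Return (alerts, ranking): every rule hit, and users sorted by total weight."""
    alerts, scores = [], defaultdict(int)
    for event in events:
        for name, weight, predicate in rules:
            if predicate(event):
                alerts.append((event["user"], name, event["time"]))
                scores[event["user"]] += weight
    # Highest risk first; ties broken by user name for a stable order.
    ranking = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return alerts, ranking

if __name__ == "__main__":
    alerts, ranking = evaluate(EVENTS)
    for user, score in ranking:
        print(f"{user}: risk {score}")
```
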
Features
Capturing activity
UAM collects user data by recording activity by every user on applications, web pages and internal systems and databases. UAM spans all access levels and access strategies (RDP, SSH, Telnet, ICA, direct console login, etc.). Some UAM solutions pair with
User activity logs
UAM solutions transcribe all documented activities into user activity logs. UAM logs match up with video-playbacks of concurrent actions. Some examples of items logged are names of applications run, titles of pages opened, URLs, text (typed, edited, copied/pasted), commands, and scripts.
Video-like playback
UAM uses screen-recording technology that captures individual user actions. Each video-like playback is saved and accompanied by a user activity log. Playbacks differ from traditional video playback to
Privacy
Whether user activity monitoring would jeopardize one's privacy depends on how privacy is defined under different theories. While in "control theory," privacy is defined as the levels of control that an individual has over his or her personal information, the "unrestricted access theory" defines privacy as the accessibility of one's personal data to others. Using the control theory, some argue that the monitoring system decreases people's control over information and therefore, regardless of whether the system is actually put into use, will lead to a loss of privacy.
Audit and compliance
Many regulations require a certain level of UAM while others only require logs of activity for audit purposes. UAM meets a variety of regulatory compliance requirements (
Appliance vs. software
UAM has two deployment models: appliance-based monitoring approaches, which use dedicated hardware to conduct monitoring by looking at network traffic, and software-based monitoring approaches, which use software agents installed on the nodes accessed by users. More commonly, software requires the installation of an agent on the systems (servers, desktops, VDI servers, terminal servers) whose users you want to monitor. These agents capture user activity and report information back to a central console for storage and analysis. These solutions may be quickly deployed in a phased manner by targeting high-risk users and systems with sensitive information first, allowing the organization to get up and running quickly and expand to new user populations as the business requires.