What is User Activity Monitoring? How It Works, Benefits, Best Practices, and More



Learn about user activity monitoring solutions in Data Protection 101, our series on the fundamentals of information security.

A Definition of User Activity Monitoring

User activity monitoring (UAM) solutions are software tools that monitor and track end user behavior on devices, networks, and other company-owned IT resources. Many organizations implement user activity monitoring tools to help detect and stop insider threats, whether unintentional or with malicious intent. The range of monitoring and methods utilized depends on the objectives of the company.

By implementing user activity monitoring, enterprises can more readily identify suspicious behavior and mitigate risks before they result in data breaches, or at least in time to minimize damages. Sometimes called user activity tracking, user activity monitoring is a form of surveillance, but serves as a proactive review of end user activity to determine misuse of access privileges or data protection policies either through ignorance or malicious intent.

How User Activity Monitoring Works

The purpose of user activity monitoring is to protect information while ensuring availability and compliance with data privacy and security regulations. UAM goes beyond simply monitoring network activity. Instead, it can monitor all types of user activity, including all system, data, application, and network actions that users take – such as their web browsing activity, whether users are accessing unauthorized or sensitive files, and more.

There are various methods implemented to monitor and manage user activity such as:

  • Video recordings of sessions
  • Log collection and analysis
  • Network packet inspection
  • Keystroke logging
  • Kernel monitoring
  • File/screenshot capturing

All of the information gathered must be looked at within the boundaries of company policy and the user role to figure out if inappropriate activity is in play. What constitutes “inappropriate user activity” is up to the company deploying the UAM solution, and can include anything from visiting personal sites or shopping during work hours to theft of sensitive company data such as intellectual property or financial information.

The Benefits of User Activity Monitoring

Any level of monitoring can accumulate large amounts of data. The goal of any user activity monitoring program should be to find and filter out actionable information that’s valuable in data protection efforts. With effective processes in place, you can immediately detect and investigate suspicious user activity. You can also find out if users are uploading sensitive data to public clouds, utilizing non-approved services and applications, or engaging in any other type of risky activity while using the company network or resources. User activity monitoring tools are also helpful in ensuring that employees do not take any of your company's confidential information when they are leaving the company.

In order to make the data collected by user activity monitoring solutions as useful as possible, that data must be analyzed for several items, including:

  • Associated risk
  • Defined policies
  • Time of day
  • Identity context

It also helps to have real-time identification along with detailed reporting of historical activity. Questions to answer are: Who did what, when and where? User activity monitoring helps to identify abuse to help reduce the risk of inappropriate actions that can lead to malware infections or data breaches. It also helps to decrease the cost of compliance, while offering intelligence needed to improve security measures.

User Activity Monitoring Tools

There are a variety of tools that can be used to aid in or support user activity monitoring. These tools range from general security software applications to targeted tools designed to track sessions and activity, creating a complete audit trail for every user. There are also tools known as privileged account security solutions, which aim to monitor and secure privileged account activity and centralize the management of policies.

The best user activity monitoring tools include real-time alerting systems. These tools monitor user activity in the background in real-time and notify IT and security teams the moment suspicious activity occurs. Without the real-time element, risks may go unnoticed while your IT department addresses other known issues. Thanks to today’s technology, it’s not necessary to have entire IT teams dedicated to live-monitoring user activity; a good security solution that supports user activity monitoring can do most of the heavy lifting.

User Activity Tracking and Monitoring Best Practices

User activity monitoring is an important line of defense against data breaches and other cybersecurity compromises. Many IT security teams lack visibility into how their users are accessing and utilizing sensitive data, leaving them susceptible to insider threats or outside attackers who have gained access to systems. Best practices for user activity monitoring include:

  1. Be open about user monitoring. Users should be aware of the use of monitoring and agree to have their sessions recorded and monitored. Often, this acknowledgement is included in contractual agreements or user agreements.
  2. Allow privileged access only to important users who need it for effective work production – a practice known as the principle of least privilege. Besides that, all other activities not required for a user’s work role should be restricted. It is not necessary to give privileged users unlimited access. In addition, restrictions should be implemented for admin tools and system protocols.
  3. Decrease the number of shared accounts and implement robust password policies. Enforce policies to ensure that account passwords are complex, unique, and are never shared or reused. Be vigilant about identifying stolen credentials.
  4. Create strong authentication procedures for privileged accounts, such as two or multi-factor authentication.
  5. Manage remote access through company-based protocols. Deny protocol channels such as file transfers between group members, port-forwarding, and disk sharing.
  6. Collect and preserve chain-of-custody forensic evidence including capture files, screenshots and keystrokes. Reconstruct incidents in their full context.
  7. In addition to implementing user activity monitoring solutions, organizations should establish and enforce data protection policies, such as appropriate file sharing activity, handling instructions for sensitive data, authorized services and applications, and other policies outlining acceptable use. Educate users on these policies as well as effective cybersecurity habits through ongoing information security awareness programs.

If a risky action is performed, such as downloading sensitive customer information, the security team should have the ability to score the severity of the activity. This way, the focus can be placed on users who are putting the organization at risk on a large scale.

User activity monitoring is an important component of data protection for enterprises today. While there are dedicated “point solutions” for monitoring user behavior, organizations should look to data protection tools that can combine user activity monitoring features with data discovery and classification, policy-based controls, and advanced reporting capabilities.

Nate Lord

ANALYST REPORTS

Gartner 2017 Magic Quadrant for Enterprise Data Loss Prevention (DLP)