For some, the mere mention of workplace monitoring may spark visions of surveillance gadgets and a pair of eyes watching from a dark corner.
But monitoring technologies today are providing companies with new capabilities to comply with mounting regulatory mandates and the increasing risk of insider threats.
Insurance firm Aegon Canada started adopting privileged user monitoring tools over a year ago as a means to address audit issues around controlling power users, such as IT administrators. Power users are typically IT staffers who are given access to all files and applications across the organization in order to build and maintain the IT system.
“There were gaps in controls that we needed to put in place. Monitoring powerful IDs is always a typical audit issue,” said Brian McPhedran, assistant vice-president, IT risk management at Aegon Canada in Toronto.
Aegon deployed a product called Consul InSight, a monitoring, auditing and reporting tool that logs privileged user access activities. Consul InSight was developed by Consul Risk Management Inc., a Hemdon, Va.-based firm that specializes in security audit and compliance technologies.
Consul InSight allows Aegon to manage monitoring and reporting activities across hundreds of servers by pulling all the logs and consolidating them into one central log database, explained McPhedran. Reports are then pulled from that one central server, making it easier to manage and track user activities.
Power users do not have access to this central log database, according to McPhedran. This policy prevents any malicious user from tampering with the logs to cover up an unauthorized access, he added.
“By extracting the log and putting it onto a machine where [power users] don’t have administrator access, privileged users can’t hide the fact that they did something, because they can’t delete their own log entry,” explained McPhedran.
Activities are logged either in passive or active mode. Active mode logging means security monitors are regularly tracking certain users and having “their managers confirm that the use of those privileges is appropriate to their position,” said McPhedran. Passive monitoring allows McPhedran’s team to easily pull out specific log entries as the need arises.
For Aegon, adopting Consul InSight is part of the company’s “good control” program, and a response to internal and external auditors wanting to know how the company is controlling powerful users.
In addition to corporate internal users, Aegon also uses the Consul tool to monitor and track activities by its external business partners who have access to the corporate system.
Pulling out logs and reports are made easier by establishing unique IDs for all users so that logs are easily identifiable by the system, according to McPhedran. For example, all external user IDs begin with zz, so that when McPhedran or anyone from his security team wants to look at user activities by external parties, the system is able to sort through its logs and return only the required results, he explained.
Users are also grouped by department. The HR users, for instance, are grouped so that only these users are authorized to access employee files such as salary information. With Consul InSight, Aegon is able to determine whether another user who doesn’t belong to the HR group accessed a confidential HR file.
THE INSIDE THREAT
McPhedran says privileged user monitoring tools also help in mitigating the risks of insider breaches. “First, you have to have trusted employees. Someone has to have the keys to the kingdom to build it, but one of the security mantras is, ‘Trust but check.’ I trust you but I have to check up on you,” McPhedran said.
According to the Insider Threat Survey 2005 released by the United States Secret Service and the Computer Emergency Readiness Team, 87 per cent of all insider attacks can be attributed to privileged users.
The National Fraud survey estimated that internal attacks cost U.S. businesses US$400 billion per year, said Marc van Zadelhoff, a vice-president at Consul Risk Management Inc.
“Privileged users can violate [acceptable use policies] like no one else in the company,” said van Zadelhoff. He said privileged user monitoring tools are not only driven by regulatory compliance but also by the increasing awareness of the risks of insider attacks.
“An unhappy employee is a problem, but an unhappy employee with privileged user access is an even bigger problem,” said van Zadelhoff, adding that establishing policies around acceptable use and change management procedures should go hand in hand with the technology that’s in place.
Aegon’s McPhedron agreed with van Zadelhoff, saying internal discipline is part of what makes the technology effective. “If you didn’t have the discipline, the tools (would) become onerous to work with.”