AUDITING AND COMPLIANCE

Threat Detection and Deep Forensics with Process-level Auditing

Advanced monitoring combines process-level and shell-based auditing to identify suspicious changes to configurations and files in real time, and to ensure that all privileged activity is associated with an individual despite attempts to mask who a user is or what they are trying to do. Application and file monitoring at the process level on Linux systems is virtually impossible to spoof.

Monitor Changes to Critical Files

In recent history, high-profile data breaches were made possible by insiders who created backdoor accounts that circumvented traditional password vault approaches to securing privileged access. Privileged users are also known to find ways to bypass the password vault in their environment to make their daily routine easier.

This type of rogue access, often leveraging SSH keys stored locally on servers, expands an organization’s attack surface and puts it at higher risk of a security breach. Centrify file change and command execution monitoring identifies changes to configurations and critical files in real time, enabling triggered security alerts within an organization’s SIEM system to warn of the creation of a backdoor that bypasses the password vault.

Attribute All Activity to an Individual

Centrify’s advanced gateway- and host-based monitoring ensures accountability by delivering complete visibility of a user’s privileged activity. Advanced host-based auditing uniquely monitors at both the shell and process levels, attributing all activity to the individual rather than to a shared account. Monitoring process calls from the system kernel prevents spoofing techniques and enables deep forensic analysis for corrective action and compliance. Commands run as a different user, inside a script, or through command aliases are accurately detected, audited and attributed to the individual.
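As an added illustration of the two capabilities described above (attributing actions to the login identity even after the user has switched accounts, and alerting on writes to critical files such as SSH authorized_keys), the following Python script is example code written for this page; it is not Centrify's product, API or record format. It works on a constructed, simplified key=value audit log loosely modelled on Linux auditd: the field names (auid for the login identity carried across sudo/su, uid for the effective user, ppid for the parent process, mode for the access type) and the list of critical files are assumptions, and the sample records are made up.

```python
"""Attribute privileged actions to the login identity and alert on critical file writes.

Example code for this page (not Centrify's). Record format, field names and the
critical-file list are assumptions; the log below is constructed sample data.
"""
import json
import re

# Constructed sample log: alice logs in, escalates to root with sudo, and a root shell
# appends to root's authorized_keys; bob does harmless work. 'auid' survives escalation.
SAMPLE_LOG = """\
type=USER_LOGIN ts=1700000001 auid=1001 uid=1001 acct=alice exe=/usr/sbin/sshd res=success
type=USER_LOGIN ts=1700000001 auid=1002 uid=1002 acct=bob exe=/usr/sbin/sshd res=success
type=EXECVE ts=1700000002 auid=1001 uid=1001 pid=4101 ppid=4100 exe=/usr/bin/sudo cmd="sudo su -"
type=EXECVE ts=1700000003 auid=1001 uid=0 pid=4102 ppid=4101 exe=/bin/bash cmd="bash"
type=EXECVE ts=1700000004 auid=1001 uid=0 pid=4103 ppid=4102 exe=/usr/bin/tee cmd="tee -a /root/.ssh/authorized_keys"
type=PATH ts=1700000004 auid=1001 uid=0 pid=4103 ppid=4102 name=/root/.ssh/authorized_keys mode=w
type=EXECVE ts=1700000005 auid=1002 uid=1002 pid=5201 ppid=5200 exe=/usr/bin/cat cmd="cat /etc/hostname"
type=PATH ts=1700000006 auid=1002 uid=1002 pid=5202 ppid=5201 name=/home/bob/notes.txt mode=w
"""

# Files whose modification should raise an alert (assumed list; extend per environment).
CRITICAL_FILE_PATTERNS = [
    re.compile(r"/\.ssh/authorized_keys$"),
    re.compile(r"^/etc/sudoers(\.d/.*)?$"),
    re.compile(r"^/etc/ssh/sshd_config$"),
    re.compile(r"^/etc/(passwd|shadow)$"),
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def login_identities(records):
    """Map audit uid -> account name, taken from successful login records."""
    return {r["auid"]: r["acct"] for r in records
            if r.get("type") == "USER_LOGIN" and r.get("res") == "success"}


def attribute(record, identities):
    """Name the person behind a record using the login identity, not the effective uid."""
    return identities.get(record.get("auid"), f"unknown-auid-{record.get('auid')}")


def process_chain(records, pid):
    """Walk ppid links to reconstruct how the process that acted came to run."""
    by_pid = {r["pid"]: r for r in records if r.get("type") == "EXECVE"}
    chain = []
    while pid in by_pid:
        r = by_pid[pid]
        chain.append(r.get("cmd", r["exe"]))
        pid = r["ppid"]
    return list(reversed(chain))


def is_critical(path):
    return any(p.search(path) for p in CRITICAL_FILE_PATTERNS)


def detect_critical_writes(records):
    """Return one alert per write to a critical file, attributed to the login identity."""
    identities = login_identities(records)
    alerts = []
    for r in records:
        if r.get("type") != "PATH" or r.get("mode") != "w" or not is_critical(r["name"]):
            continue
        alerts.append({
            "ts": int(r["ts"]),
            "actor": attribute(r, identities),   # alice, even though uid is 0
            "euid": int(r["uid"]),
            "pid": int(r["pid"]),
            "path": r["name"],
            "escalated": r["uid"] != r["auid"],  # acted under a different account
            "chain": process_chain(records, r["pid"]),
        })
    return alerts


def to_siem_event(alert):
    """Serialise an alert as one JSON line suitable for forwarding to a SIEM."""
    return json.dumps({"event": "critical_file_write", **alert}, sort_keys=True)


if __name__ == "__main__":
    for alert in detect_critical_writes(parse_log(SAMPLE_LOG)):
        print(to_siem_event(alert))
```

The point of keying attribution on the login identity rather than the effective uid is the one the text makes: after `sudo su -` every later record shows uid 0, and only an identifier assigned at authentication and carried by the kernel across the privilege change still names the person. The reconstructed process chain gives the forensic view of which commands led to the write.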

Benefits

  • Ensure accountability with complete visibility of a user’s activity
  • Prevent backdoor creation of SSH keys that enable bypassing the vault
  • Integration with SIEM for alerts and immediate incident response and remediation
  • Process-level monitoring for high-risk systems that is virtually impossible to spoof
  • Deep forensics and reporting on commands that were run and the resulting processes