Security and regulatory compliance requirements make the monitoring and auditing of privileged accounts a must-have for businesses. Because they grant access to critical systems and services, privileged accounts are attractive targets for threat actors. Keeping them secure requires both continuous visibility and the ability to report on privileged account activity in a way that lets actions be traced back to specific users and sessions.
There are two approaches to monitoring privileged account activity: gateway-based and host-based. With a gateway-based approach, organizations can monitor when a user logs into a password vault and checks out a password. However, if attackers can bypass the gateway or jump box and access a critical server directly, they effectively circumvent this control. In addition, there is an inherent gap in visibility regarding the actions the user took after checking out the password. Host-based monitoring eliminates that blind spot: organizations can detect and report on suspicious activity using process launch and file system change auditing on the server itself.
Organizations can bolster these capabilities by integrating this audit data with data from their Security Information and Event Management (SIEM) system or Cloud Access Security Broker (CASB) service. These integrations are supported by modern privileged access management (PAM) tools and enable organizations to mine activity data and discover correlations that may identify malicious behavior.
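The following added example (not code from the original article or from any PAM vendor) shows the correlation the two preceding paragraphs describe: host-side process-launch audit events are joined to gateway-side vault checkouts, so each launch is attributed to a user and session, and a launch with no matching checkout surfaces as a possible gateway bypass. The event fields and sample records are constructed for illustration; real PAM and auditd schemas differ.

```python
"""Correlate vault checkouts with host process-launch audit events.

Added example, not part of the original article. Event shapes and the
sample records below are constructed; real PAM/auditd schemas differ.
"""
from datetime import datetime, timedelta

# Constructed gateway-side events: who checked out which privileged account.
CHECKOUTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "account": "root", "host": "db01"},
]

# Constructed host-side process-launch events (simplified auditd EXECVE view).
LAUNCHES = [
    {"ts": "2024-05-01T09:05:12", "host": "db01", "account": "root",
     "session": 41, "exe": "/usr/bin/pg_dump"},
    {"ts": "2024-05-01T13:22:07", "host": "db01", "account": "root",
     "session": 57, "exe": "/usr/bin/useradd"},
]


def _t(s):
    return datetime.fromisoformat(s)


def correlate(checkouts, launches, window=timedelta(hours=2)):
    """Attach each host launch to the most recent checkout of the same
    account on the same host that happened no more than `window` before it.
    A launch with no such checkout is activity the gateway never saw."""
    results = []
    for ev in launches:
        match = None
        for co in checkouts:
            if co["account"] != ev["account"] or co["host"] != ev["host"]:
                continue
            delta = _t(ev["ts"]) - _t(co["ts"])
            if timedelta(0) <= delta <= window and (match is None or _t(co["ts"]) > _t(match["ts"])):
                match = co
        results.append({**ev, "checkout_user": match["user"] if match else None})
    return results


def unattributed(results):
    """Launches that cannot be traced back to a vault checkout."""
    return [r for r in results if r["checkout_user"] is None]


def session_report(results):
    """Group attributed activity by (host, session) for audit reporting."""
    report = {}
    for r in results:
        key = (r["host"], r["session"])
        report.setdefault(key, {"user": r["checkout_user"], "exes": []})["exes"].append(r["exe"])
    return report
```

In a SIEM the same join would run over live feeds; here `unattributed()` flags the afternoon `useradd` on `db01`, which has no checkout within the window, while `session_report()` ties the morning session to alice.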
Privileged account monitoring capabilities are also an essential part of building a successful compliance program. Detailed audit logs are a necessity for forensic investigations and analysis and are required by multiple compliance regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). A best practice for privileged account sessions is to keep a video recording of the session that can be reviewed or used as evidence of activity involving critical assets in regulated industries. As industry and regulatory initiatives evolve, the ability to provide information about activity involving sensitive accounts will remain an important part of security and compliance efforts.