What is Session Monitoring?

What is session monitoring exactly?

 

In essence, session monitoring enables administrators or security officers to monitor critical environments within an organization. Administrative users must keep an eye on sensitive and critical systems within their organizations to ensure the security and supervision of their resources. Session monitoring allows oversight of resources, users, and their access, increasing accountability and decreasing intentional or unintentional misuse of privileged accounts. Session monitoring is commonly found within Privileged Access Management (PAM) systems. Its most common use is for secure remote access connections to valuable or privileged systems, usually initiated over the RDP, SSH, VNC, or HTTP/S protocols.

PAM systems that have Session Monitoring enable the recording of user access sessions and real-time connection supervision. A web-based session player allows administrative users to join a session and pause or terminate the connection. Moreover, a session stream can be shared, allowing other administrators, supervisors, or employees to see the recorded session and enabling collaboration between users. Furthermore, session monitoring enables proactive monitoring through configurable policies. When a policy detects specific expressions, the system can automatically send email notifications, pause or terminate the connection, and even block the user, disconnecting them from the active session to the IT infrastructure.

Session Monitoring can be described as a proxy between the users and the monitored servers that registers user actions and activity, including mouse pointer moves, keystrokes, and transferred files. Furthermore, the session monitoring module records all of the network traffic together with its metadata, allowing for precise session playback with text content search. It covers a variety of common command-line interface and graphical protocols, including database communication standards, web protocols, and production infrastructure protocols. With this setup, an administrator can connect to an active session at any time, intervene, and act on any misuse or potential abuse of access rights.
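The policy-driven detection described above, sketched as an added example (not code from any PAM product): a proxy sees keystrokes in arbitrary chunks, so it has to rebuild typed lines, including backspaces, before matching expressions. The policy names, patterns and the sample keystroke stream are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    name: str
    pattern: str   # regular expression applied to each completed input line
    action: str    # "notify", "pause", "terminate" or "block"

# Hypothetical policies, constructed for this example.
POLICIES = [
    Policy("shadow-read", r"/etc/shadow\b", "notify"),
    Policy("history-tamper", r"\bunset\s+HISTFILE\b|\bhistory\s+-c\b", "pause"),
    Policy("root-delete", r"\brm\s+-rf\s+/(\s|$)", "terminate"),
]
SEVERITY = {"notify": 0, "pause": 1, "terminate": 2, "block": 3}
END_STATE = {"pause": "paused", "terminate": "terminated", "block": "blocked"}

def reassemble(chunks):
    """Rebuild typed lines from raw keystroke chunks, applying backspaces."""
    buf = []
    for chunk in chunks:
        for ch in chunk:
            if ch in ("\x7f", "\b"):
                if buf:
                    buf.pop()
            elif ch in ("\r", "\n"):
                yield "".join(buf)
                buf.clear()
            else:
                buf.append(ch)

def monitor(chunks, policies=POLICIES):
    """Return (session_state, decisions); stop once a policy pauses or ends the session."""
    decisions = []
    for line in reassemble(chunks):
        hits = [p for p in policies if re.search(p.pattern, line)]
        if not hits:
            continue
        worst = max(hits, key=lambda p: SEVERITY[p.action])
        decisions.append((line, worst.name, worst.action))
        if worst.action != "notify":
            return END_STATE[worst.action], decisions
    return "active", decisions

# Constructed keystroke stream: expressions are split across chunks on purpose.
SESSION = ["ls -la\r", "cat /etc/sha", "dow\r", "unset HIST", "FILE\r", "whoami\r"]

if __name__ == "__main__":
    print(monitor(SESSION))
```

Matching each chunk on its own would miss both expressions in the sample stream, which is why the line is reassembled first.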

Benefits of having a Session Monitoring module within your PAM systems.

Transparency and Security: Administrators can see what employees or third-party contractors are doing. If any misuse occurs, they can intervene at any time and terminate the session or block the user to prevent further misuse.
Session Collaboration: Sharing a session enables the system administrator to join a given connection and work alongside a remote user while their actions are recorded separately. A third-party user may be invited to join and collaborate or view the live session via an expirable link.
Session Timestamping: Provides in-depth analysis. A trusted timestamp makes recorded sessions invaluable for use as forensic evidence in court. In addition, the feature supports trusted time-stamping services provided by external institutions.
Archives: Monitor and archive user actions instead of server logs (which may be hard to interpret) while maintaining complete separation between the user end-point and an organization’s IT infrastructure.
Optical Character Recognition: Enables easier search control for specific elements and improves searching functionality.

Furthermore, session monitoring can be used in simple business practices. Users can record their work activity or let others monitor it, which is excellent for onboarding processes and training. It allows easy archiving of data, which can be played back for new employees to learn from and used as training material to assist with admin development or specific configurations. Even recordings of failures count as experience, showing users what NOT to do in certain situations. Moreover, it can protect your employees from certain risks. For example, recorded sessions safeguard your administrators: playing back the recording can prove that no mistakes occurred on the administration side. It ensures administrator accountability.

Privileged Session Manager & PCI DSS

PSM (Privileged Session Manager) is a great feature not just for security but also for compliance oversight. Session monitoring supports compliance with the Payment Card Industry Data Security Standard (PCI DSS) by addressing key PCI DSS 3.2 requirements. The requirements below show how session monitoring within a Privileged Access Management system helps meet the PCI DSS requirements.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
PSM uses secured technologies such as SSH, RDP, and SSL/TLS to establish connections to systems and ensure that only authorized persons can configure the hardened system. Additionally, it provides features to help inventory the assets in the CDE. The strict policy contains all allowed access relations and managed assets.

Requirement 7: Restrict access to cardholder data by business need to know.
PSM makes it possible to limit access to system components that hold cardholder data to only specific individuals with the appropriate access or role.

Requirement 8: Identify and authenticate access to system components
Session monitoring ensures the assignment of unique user IDs before allowing privileged access to systems with cardholder data. Authorized users can control the deletion, addition, or modification of user IDs, credentials, and other identifier objects. Additionally, PSM allows managing IDs issued to vendors who remotely access, support, or maintain system components. Lastly, it provides an option to require single-factor or two-factor authentication to access CDE components.

Requirement 10: Track and monitor all access to network resources and cardholder data
Session Monitoring provides reliable audit trails that link all access to system components to individual users. Session recordings can be digitally signed to provide tamper-proof documentation of events. PSM can also be configured to securely archive all administrator functions, including the creation of new accounts, elevation of privileges, and all changes, additions, or deletions to accounts with root or administrator privileges. It assists with audits of all audit log administration, activities, installation, pausing and stopping on virtually any system component within the CDE. It limits viewing of audit trails on native platforms to those with appropriate rights assigned by authorized administrators. Lastly, it uses strong cryptography (AES-XTS-256) to render both the captured records and its own audit logs unreadable to unauthorized parties.

Requirement 11: Regularly test security systems and processes.
Session monitoring can provide supporting evidence that security policies and operational procedures for monitoring access to network resources and cardholder data are in use.

Requirement 12: Maintain a policy that addresses information security for all personnel.
Ensures that delegated responsibility for administering privileged users’ accounts and authentication management is formally assigned.

Appendix A, Requirement A.1: Additional PCI DSS Requirements for Shared Hosting Providers
Session Monitoring can further assist technical personnel with a timely forensics investigation process in the event of a compromise. Logging and audit trails are enabled and unique to each entity’s CDE.
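To make the tamper-evidence idea behind Requirement 10 and session timestamping concrete, here is an added example (not code from any PAM product) that hash-chains session records and seals the chain. It uses a keyed HMAC-SHA256 seal as a stand-in for the digital signature and external trusted time-stamping service mentioned above; the key, record fields and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32

def _link(prev: bytes, record: dict) -> bytes:
    """Hash a record together with the previous link (canonical JSON encoding)."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev + body).digest()

def _seal_tag(key: bytes, last: bytes, count: int) -> str:
    return hmac.new(key, last + count.to_bytes(8, "big"), hashlib.sha256).hexdigest()

def seal(records, key):
    """Chain each record to its predecessor, then MAC the final link and record count."""
    link, chain = GENESIS, []
    for rec in records:
        link = _link(link, rec)
        chain.append(link.hex())
    return {"records": list(records), "chain": chain, "seal": _seal_tag(key, link, len(chain))}

def verify(archive, key):
    """Return 'ok', 'record-N-altered' for the first broken link, or 'seal-mismatch'."""
    link = GENESIS
    records, chain = archive["records"], archive["chain"]
    if len(records) != len(chain):
        return "seal-mismatch"
    for i, rec in enumerate(records):
        link = _link(link, rec)
        if not hmac.compare_digest(link.hex(), chain[i]):
            return f"record-{i}-altered"
    ok = hmac.compare_digest(_seal_tag(key, link, len(chain)), archive["seal"])
    return "ok" if ok else "seal-mismatch"

# Constructed sample data; the key is assumed to be held by the recorder, not stored in the archive.
KEY = b"example-sealing-key"
RECORDS = [
    {"seq": 0, "ts": "2024-01-01T10:00:00Z", "user": "vendor1", "event": "session-open"},
    {"seq": 1, "ts": "2024-01-01T10:00:07Z", "user": "vendor1", "event": "input: useradd audit2"},
    {"seq": 2, "ts": "2024-01-01T10:01:30Z", "user": "vendor1", "event": "session-close"},
]

if __name__ == "__main__":
    print(verify(seal(RECORDS, KEY), KEY))
```

An edited record breaks its link, while a truncated archive or a chain recomputed without the key fails at the seal.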

Overall, session monitoring is a great feature that introduces an additional layer of oversight. It fits within a Zero Trust framework, holding users with privileged access accountable while at the same time safeguarding them. It also assists with PCI DSS compliance and audit requirements, serving as a significant security factor within your organization.

Written by: Damian Borkowski – Technical Marketing Specialist