Delinea | Privileged Access Management Blog

Session Monitoring and Recording | Accountability for Compliance

Written by Barbara Hoffman | Mar 5, 2019 8:00:00 AM

You’ve set up policies. You’ve trained your team. You’ve vetted third parties. But, even the most proactive privilege security strategy can’t account for every situation and every type of risky behavior.  

Today many Delinea customers rely on session recording and monitoring capabilities for added peace of mind. If any privileged user adds a backdoor account or makes an unauthorized configuration change, your team can identify who accessed the system, quickly review what they did, and respond accordingly. 

Session monitoring and recording capabilities give you an additional layer of oversight and help you hold users accountable for their actions when accessing privileged accounts.  

Monitoring privileged sessions to meet PCI DSS 

Did you know 50% of organizations fail their annual PCI audit? Increasingly stringent compliance requirements call for companies to monitor actions performed by privileged accounts and this can be quite the challenge. Because privileged credentials are a prime target of cybercriminals—they often unlock access to cardholder data—PCI DSS 3.2 focuses on controlling and protecting privileged accounts.

Of the twelve main sections of PCI DSS 3.2, six directly relate to privilege management.

How do session monitoring and reporting directly map to PCI DSS 3.2 requirements?

Requirement 2.6 – Protect hosted environment and cardholder data: Limit access to system components and cardholder data to only those individuals whose job requires such access

Session monitoring and reporting provide a critical level of protection for cardholder data by controlling and monitoring all access to hosted environments.

Requirement 7.2 – Establish access control system: Establish an access control system that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed

Implementing Role-Based Access Control (RBAC) to privileged credentials and setting up restrictions and monitoring sensitive accounts through session recording and monitoring ensure your ability to meet these requirements and provide an immutable audit trail. Another important control aspect is the ability to quickly terminate a session if needed.

Requirement 10.1 – Link access to users: Implement audit trails to link all access to system components to each individual user

Through session monitoring and recording, your team maintains immutable logs as to who accessed what privileged credential and when.

Requirement 10.2 – Implement automated audit trails: Implement automated audit trails for all system components to reconstruct events

Reporting capabilities allow your team to record and review the exact actions that were taken in a session. This is extremely powerful should auditors need to reconstruct events.

Requirement 10.3 – Record specific audit events: Record at least the following audit trail entries for all system components for each event:
User  Identification, Type of Event, Date and time, Success or failure of indication, Origination of event, Identity or name of affected data, system component, or resource

All audit trails requirements are met with session recording and enable auditors and your security administrators to link a privileged event back to a single user.

Requirement 10.5 – Secure audit trails: Secure audit trails so they cannot be altered

A Privileged Access Management (PAM) solution should ensure session recordings can never be removed, deleted, or altered.

Requirement 10.6 – Review logs and security events: Review logs and security events for all system components to identify anomalies or suspicious activity

Session monitoring capabilities give PAM administrators a view of all privileged user sessions in real-time or after the fact. Many Delinea customers prefer to set up alerts so they know when active sessions are initiated or they leverage their SIEM solution where these events can be correlated and logged with different alert levels depending on their severity. If an administrator sees something concerning, they can send a message directly to the user or quickly terminate a session if necessary.  

Requirement 10.7 – Retain audit history: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)

It’s critical to maintain accurate historical data and your team should make it a practice to never delete a record.

Related Reading:
Implement Privileged Access Management best practices to pass your next cybersecurity compliance audit.

Forensic audits of all privileged account activities 

Advanced PAM solutions allow for privileged sessions to be recorded, archived, and played back whenever you need to review them, as part of compliance or forensic audits. All keystrokes during privileged sessions can also be recorded. You get an end-to-end audit trail from when users first checked out a Secret to when they logged off after completing their session. Once a session is recorded, it can be stored on a disk and archived based on your company’s retention policy. 

 

What do you and your auditors need to know? 

Simply knowing who logged into a system with administrator credentials isn’t sufficient for most compliance requirements. You need a complete record of privileged session activity. If someone adds a backdoor account or makes an unauthorized change, you MUST be able to review what happened and react quickly to prevent further damage. 

When setting up alerts or reviewing recorded sessions, you may want to search for specific red flags or potential high-risk activity, such as:  

  • Privileged sessions related to your most critical systems or highly sensitive data 
  • New contractors and third parties you want to watch with extra care 
  • Administrative commands, such as sudo on SSH sessions 
  • All sessions that had PowerShell running 
  • All sessions with custom applications 

Session recording and incident response plans 

Session recording helps cybersecurity, IT operations, and incident response teams share information and collaborate more closely. Many Delinea customers integrate session recording capabilities with existing analytics or SIEM systems that alert their incident response teams of potential abuse or data breaches. Within your cyber incident response solution, the more visibility and clarity IT teams have into privileged sessions, the better coordinated they will be when resolving a problem.