In the field of information security, user activity monitoring (UAM) or user activity analysis (UAA) is the monitoring and recording of user actions. UAM captures user actions, including the use of applications, windows opened, system commands executed, checkboxes clicked, text entered or edited, URLs visited and nearly every other on-screen event, to protect data by ensuring that employees and contractors stay within their assigned tasks and pose no risk to the organization.

User activity monitoring software can deliver video-like playback of user activity and process the recordings into user activity logs that keep step-by-step records of user actions, which can be searched and analyzed to investigate any out-of-scope activity.

Background

The need for UAM rose due to the increase in security incidents that directly or indirectly involve user credentials, exposing company information or sensitive files. In 2014 there were 761 data breaches in the United States, resulting in over 83 million exposed customer and employee records. With 76% of these breaches resulting from weak or exploited user credentials, UAM has become a significant component of IT infrastructure. The main populations of users whose risks UAM aims to mitigate are:

Contractors

Contractors are used in organizations to complete information technology operational tasks. Remote vendors that have access to company data are risks. Even with no malicious intent, an external user such as a contractor is a major security liability.

Users

70% of regular business users admitted to having access to more data than necessary. Generalized (shared) accounts give regular business users access to classified company data. This makes insider threats a reality for any business that uses generalized accounts.

IT users

Administrator accounts are heavily monitored due to the high-profile nature of their access. However, current log tools can generate "log fatigue" on these admin accounts: the overwhelming sensation of trying to handle the vast volume of logs an account produces as a result of too many user actions. Harmful user actions can easily be overlooked when thousands of user actions are compiled every day.

Overall risk

According to the Verizon Data Breach Investigations Report, "The first step in protecting your data is in knowing where it is and who has access to it." In today's IT environment, "there is a lack of oversight and control over how and who among employees has access to confidential, sensitive information." This apparent gap is one of many factors that have resulted in a large number of security issues for companies.

Components

Most companies that use UAM separate it into three major components.

Visual forensics

Visual forensics involves creating a visual summary of potentially hazardous user activity. Each user action is logged and recorded. Once a user session is completed, UAM has created both a written record and a visual record, whether screen captures or video, of exactly what a user has done. The written record differs from that of a SIEM or logging tool because it captures data at the user level rather than the system level, producing plain-English logs rather than syslog-style records (which were originally created for debugging). These textual logs are paired with the corresponding screen captures or video summaries. Using these paired logs and images, the visual forensics component of UAM allows organizations to search for exact user actions in case of a security incident. In the case of a security threat such as a data breach, visual forensics are used to show exactly what a user did and everything leading up to the incident. Visual forensics can also be used to provide evidence to any law enforcement agency that investigates the intrusion.

User activity alerting

User activity alerting serves to notify whoever operates the UAM solution of a mishap or misstep concerning company information. Real-time alerting enables the console administrator to be notified the moment an error or intrusion occurs. Alerts are aggregated for each user to provide a user risk profile and threat ranking. Alerting is customizable based on combinations of users, actions, time, location and access method. Alerts can be triggered by something as simple as opening an application or entering a certain keyword or web address. Alerts can also be customized based on user actions within an application, such as deleting or creating a user and executing specific commands.

User behavior analytics

User behavior analytics adds an additional layer of protection that helps security professionals keep an eye on the weakest link in the chain. By monitoring user behavior with the help of dedicated software that analyzes exactly what the user does during their session, security professionals can attach a risk factor to specific users and/or groups, and be alerted immediately with a red-flag warning when a high-risk user does something that can be interpreted as a high-risk action, such as exporting confidential customer information, performing large database queries that are out of the scope of their role, accessing resources that they should not be accessing, and so forth.

Features

Capturing activity

UAM collects user data by recording the activity of every user on applications, web pages, and internal systems and databases. UAM spans all access levels and access strategies (RDP, SSH, Telnet, ICA, direct console login, etc.). Some UAM solutions pair with Citrix and VMware environments.

User activity logs

UAM solutions transcribe all documented activities into user activity logs. UAM logs match up with video-like playback of the concurrent actions. Some examples of items logged are names of applications run, titles of pages opened, URLs, text (typed, edited, copied/pasted), commands, and scripts. Because typed text can include passwords and regulated data, the logs and recordings are themselves sensitive and need the same access controls and retention rules as the data they describe.

Video-like playback

UAM uses screen recording technology that captures individual user actions. Each video-like playback is saved and accompanied by a user activity log. Unlike traditional video recording, playback is produced by screen scraping, the compiling of sequential screenshots into a video-like replay. The user activity logs combined with the video-like playback provide a searchable summary of all user actions. This enables companies not only to read but also to view exactly what a particular user did on company systems.

Privacy

Whether user activity monitoring would jeopardize one's privacy depends on how privacy is defined under different theories. In "control theory", privacy is defined as the level of control that an individual has over his or her personal information, whereas the "unrestricted access theory" defines privacy as the accessibility of one's personal data to others. Using the control theory, some argue that a monitoring system decreases people's control over their information and therefore, regardless of whether the system is actually put into use, leads to a loss of privacy.

Audit and compliance

Many regulations require a certain level of UAM, while others only require logs of activity for audit purposes. UAM meets a variety of regulatory compliance requirements (HIPAA, ISO 27001, SOX, PCI, and others). UAM is typically implemented for the purpose of audits and compliance, to serve as a way for companies to make their audits easier and more efficient. An audit request for information on user activity can be met with UAM. Unlike normal log or SIEM tools, UAM can help speed up an audit by building the controls necessary to navigate an increasingly complex regulatory environment. The ability to replay user actions provides support for determining the impact on regulated information during security incident response.

Appliance vs. software

UAM has two deployment models. Appliance-based monitoring uses dedicated hardware to conduct monitoring by inspecting network traffic. Software-based monitoring uses software agents installed on the nodes accessed by users.

More commonly, the software requires the installation of an agent on the systems (servers, desktops, VDI servers, terminal servers) whose users are to be monitored. These agents capture user activity and report the information back to a central console for storage and analysis. Such solutions can be deployed quickly in a phased manner by targeting high-risk users and systems with sensitive information first, allowing the organization to get up and running quickly and expand to new user populations as the business requires.

See also

Employee monitoring software – Software to monitor and supervise employee activity
Right to privacy – Legal tradition restraining actions threatening individual privacy
Computer surveillance – Monitoring of computer or network activity

References

"What is User Activity Monitoring Software?". ActivTrak. February 17, 2019. Retrieved March 5, 2019.
"Data Breach Reports" (PDF). Identity Theft Resource Center. December 31, 2014. Retrieved January 19, 2015.
"2014 Data Breach Investigations Report". Verizon. April 14, 2014. Retrieved January 19, 2015.
"Virtualisation: Exposing the Intangible Enterprise". Enterprise Management Associates. August 14, 2014. Retrieved January 19, 2015.
"Corporate Data: A Protected Asset or a Ticking Time Bomb?" (PDF). Ponemon Institute. December 2014. Retrieved January 19, 2015.
Martin, Kirsten; Freeman, R. Edward (April 1, 2003). "Some Problems with Employee Monitoring". Journal of Business Ethics. 43 (4): 353–361. doi:10.1023/A:1023014112461. ISSN 1573-0697.
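Worked example for the user activity alerting, user activity logs and user behavior analytics sections above. The article describes alert rules keyed on keywords, web addresses, application launches, account-management commands and large database queries, aggregated per user into a risk profile and threat ranking. The Python script below is an added illustration of that pipeline run over constructed log lines; it is not code from the article or from any UAM product. The tab-separated log format, the event kinds, the users, hosts, commands, thresholds and severities are all assumptions made for this example.

```python
"""Toy UAM alerting engine run over constructed user activity log lines.

Assumed log format for this example (one event per line, tab separated):
    <ISO-8601 local timestamp>  <user>  <access method>  <event kind>  <detail>
Event kinds: app_open, url_visit, text_entry, command, db_query.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable
from urllib.parse import urlsplit
import re

# Constructed sample log; the users, hosts and queries are invented for the example.
SAMPLE_LOG = """\
2024-03-04T09:12:01\talice\tRDP\tapp_open\tOUTLOOK.EXE
2024-03-04T09:40:12\talice\tRDP\turl_visit\thttps://intranet.example/hr/policies
2024-03-04T22:17:05\tbob\tSSH\tdb_query\tSELECT * FROM customers;rows=250000
2024-03-04T22:19:40\tbob\tSSH\turl_visit\thttps://pastebin.com/
2024-03-04T14:05:33\tcarol\tconsole\tcommand\tnet user backdoor P@ssw0rd /add
2024-03-04T14:06:10\tcarol\tconsole\ttext_entry\tconfidential customer list for Q1
2024-03-04T11:00:00\tdave\tRDP\tapp_open\tPSEXEC.EXE
"""

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    method: str    # RDP, SSH, Telnet, ICA, console, ...
    kind: str
    detail: str

@dataclass(frozen=True)
class Rule:
    name: str
    severity: int  # 1 (low) .. 3 (high); summed into the per-user risk score
    matches: Callable[[Event], bool]

@dataclass(frozen=True)
class Alert:
    rule: str
    severity: int
    event: Event

def parse_log(text: str) -> list[Event]:
    """Parse tab-separated UAM records; malformed lines are skipped rather than guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 4)
        if len(parts) != 5:
            continue
        ts, user, method, kind, detail = parts
        try:
            events.append(Event(datetime.fromisoformat(ts), user, method, kind, detail))
        except ValueError:
            continue
    return events

def query_rows(detail: str) -> int:
    """Row count the (assumed) agent appends to db_query events as ';rows=N'."""
    m = re.search(r"rows=(\d+)", detail)
    return int(m.group(1)) if m else 0

BUSINESS_HOURS = (time(8, 0), time(18, 0))
REMOTE_METHODS = {"RDP", "SSH", "Telnet", "ICA"}
ACCOUNT_CMD = re.compile(r"^(useradd|userdel|net user .* /(add|delete))\b", re.I)
DROP_SITES = {"pastebin.com"}
WATCHED_APPS = {"PSEXEC.EXE"}
KEYWORDS = ("confidential",)

# Assumed rule set: each rule is a predicate over one event plus a severity.
RULES = [
    Rule("account created or deleted", 3,
         lambda e: e.kind == "command" and bool(ACCOUNT_CMD.match(e.detail))),
    Rule("bulk database export", 3,
         lambda e: e.kind == "db_query" and query_rows(e.detail) >= 10_000),
    Rule("keyword typed", 2,
         lambda e: e.kind == "text_entry" and any(k in e.detail.lower() for k in KEYWORDS)),
    Rule("paste-site visited", 2,
         lambda e: e.kind == "url_visit" and urlsplit(e.detail).hostname in DROP_SITES),
    Rule("watched application opened", 2,
         lambda e: e.kind == "app_open" and e.detail.upper() in WATCHED_APPS),
    Rule("remote access outside business hours", 1,
         lambda e: e.method in REMOTE_METHODS
         and not (BUSINESS_HOURS[0] <= e.ts.time() < BUSINESS_HOURS[1])),
]

def evaluate(events: list[Event], rules: list[Rule] = RULES) -> list[Alert]:
    """Run every rule over every event; one event can raise several alerts."""
    return [Alert(r.name, r.severity, e) for e in events for r in rules if r.matches(e)]

def risk_profiles(events: list[Event], alerts: list[Alert]) -> dict[str, int]:
    """Per-user risk score: sum of alert severities; users with no alerts score 0."""
    scores = {e.user: 0 for e in events}
    for a in alerts:
        scores[a.event.user] += a.severity
    return scores

def threat_ranking(scores: dict[str, int]) -> list[tuple[str, int]]:
    """Highest risk first; ties broken by user name for a stable report."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def run(text: str = SAMPLE_LOG) -> tuple[list[Alert], list[tuple[str, int]]]:
    events = parse_log(text)
    alerts = evaluate(events)
    return alerts, threat_ranking(risk_profiles(events, alerts))

if __name__ == "__main__":
    alerts, ranking = run()
    for a in alerts:
        print(f"[sev {a.severity}] {a.event.ts:%H:%M} {a.event.user:<6} {a.rule}: {a.event.detail}")
    print("threat ranking:", ranking)
```

Running the script prints seven alerts and ranks bob (off-hours SSH session, bulk query, paste site) above carol (account creation, keyword) and dave (watched tool), with alice at zero. The rules are deliberately small; a production rule set is keyed on user groups, location and session context as the alerting section describes, and tuning the severities and thresholds is what keeps the per-user aggregation from turning into the log fatigue discussed under IT users.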
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.