What Is User Activity Monitoring?

User Activity Monitoring (UAM) tracks the behavior of internal end-users—employees, subcontractors, partners, and so on—on a company’s networks, devices, and other IT resources. UAM, sometimes also called employee monitoring, may be deployed for a number of reasons, such as providing insight into the productivity of both individual employees and the company as a whole. Is Employee X spending too much time browsing the internet for non-business purposes during work time? From the HR point of view, are employees progressing in their professional development programs? Are the company’s apps being used effectively, and are they contributing to productivity? 

However, perhaps the most compelling use case for UAM is to secure the company’s systems and assets against insider threats, whether unintentional or malicious. This blog post will explore how UAM is used to protect against insider threats and what the legal and ethical implications of deploying UAM are. In addition, we’ll look at UAM best practices that can enhance the positive effects of UAM without causing undue tension and disgruntlement among an organization’s staff.

User Activity Monitoring for Insider Threats

The Extent and Cost of Insider Threats

The Insider Threat 2018 Report from Cybersecurity Insiders found that more than half (53%) of organizations experienced insider attacks over the previous 12 months, with more than a quarter (27%) indicating that these attacks have become more frequent. Verizon’s 2019 Data Breach Investigations Report indicates that 34% of data breaches in public and private organizations across all sectors involved internal actors.

The Ponemon Institute 2018 Cost of Insider Threats Report attributes 64% of insider threat attacks to employee or contractor ignorance or negligence. Actions that fall into that category include storing sensitive data on unsecured personal devices for convenience and falling for a phishing exploit. In 23% of the cases, the attacks were malicious. The perpetrators were attempting to steal sensitive data, exfiltrate user credentials, or bring down systems through exposure to malware infections. Sometimes these were disgruntled or greedy employees acting on their own; but, there have also been plenty of cases of insiders colluding with external attackers.

Whether the attacks are inadvertent or malicious, the same Ponemon Institute report cited above claims that the average cost of insider-related incidents stands at $8.7 million per year. The average cost of a single attack is $607,745 per incident, and that number goes up to $648,845 if the incident involves credential theft.

How User Activity Monitoring Helps

For a full description of five of the leading UAM solutions available for organizations of all sizes, see our blog post “Five Tools for User Activity Monitoring”.  In general, UAM software monitors the full range of a user’s behavior on company-provided or company-sanctioned devices connected to the organization’s network. UAM logs keystrokes, captures screenshots, makes video recordings of sessions, inspects network packets, monitors kernels, tracks web browsing and searching, and records the uploading and downloading of files. In addition to this device-specific data, many UAM solutions also monitor system logs for a more comprehensive picture of activity across the network and other IT resources.

The more robust UAM tools analyze the collected data in realtime in order to extract actionable insights and quickly alert the IT team to anomalous or risky activity through dashboards, reports, and proactive notifications. These tools also retain historical data for offline auditing and compliance purposes.

Many UAM tools have modules for deploying and enforcing authentication and access control, with a particular emphasis on privileged user accounts. For the highest security against insider threats, these UAM modules implement multi-factor authentication. They can also identify and authenticate users who have been given access to shared accounts such as Google Drives—a common and highly risky practice often exploited by malicious attackers. These authentication and access control modules can also establish and uphold corporate rules regarding password management as well as blocked websites and apps. 

The Legal and Ethical Aspects of User Activity Monitoring

User activity monitoring is a form of surveillance and, as such, it is subject to both legal and ethical considerations. 

In most European countries and most US states, it is legal for the entity that owns a network or a device to monitor the activities of individuals using those assets. The same general rule applies to personal devices that have been formally sanctioned for work use within a BYOD (bring your own device) program. The memo on Workplace Privacy and Employee Monitoring maintained by the Privacy Rights Clearinghouse (last revised March 25, 2019) states clearly in its introduction that, whether or not workplace surveillance policies are transparent, the courts have generally ruled that employees on the job should expect little to no privacy. 

There are, however, broader laws that restrict the monitoring and storing of electronic communications that need to be taken into account when implementing user activity monitoring. In the US, the relevant federal law is the Electronic Communications Privacy Act (ECPA) of 1986, which also includes the Stored Wire Electronic Communications Act. The ECPA safeguards “wire, oral, and electronic communications while those communications are being made, are in transit; and when they are stored on computers.” In the European Union, the General Data Protection Regulation (GDPR) enacted in May 2018 includes clauses that restrict when and how personal data can be collected, stored, and used. Since collected UAM data may contain personal data, the GDPR requires that care should be taken to store it safely—obfuscated and encrypted—and retain it only for as long as minimally necessary. 

Another example of a legal consideration surrounding UAM relates to a prohibition enacted by half of the states in the US that prohibits employers from requiring or even requesting that an employee verify a personal online account. However, when logging keystrokes or capturing screens during user activity monitoring, personal account credentials may be recorded. To stay within legal bounds, the UAM tool should be able to identify and discard this kind of protected personal information. 

In addition to strict legality, however, there are also ethical considerations that should govern user activity monitoring. A company’s user activity monitoring should be implemented for legitimate business needs only, i.e., ensuring that digital assets are being used safely and responsibly by employees and any other parties given access to them. Monitoring content, for example, is not essential to assessing an employee’s performance or risk profile. Hence, monitoring should be based on open data, such as which website has been accessed, rather than the actual content viewed on the website. It is also important to limit who has access to monitored data. It should be on a need-to-know basis only.

User Activity Monitoring Best Practices

The Importance of Transparency

Nobody likes to have “big brother” looking over their shoulder. As a result, UAM can be a cause of mistrust and tension in the workplace. Perhaps the most important UAM best practice, therefore, is transparency. In most US states, for example, employers are not required to get user consent for monitoring. Regardless, companies should consider getting consent anyway. If the reasons for the monitoring are properly explained, most employees will respect the company’s needs to promote productivity and protect its assets.

Even if a company does not seek formal user consent, it should ensure that its user activity monitoring practices are clearly set out within the context of an Acceptable Use Policy.

Other Best Practices

Other best practices that can enhance the effectiveness of user activity monitoring include:

• Positioning user activity monitoring as part of the company’s overall security policy. Placed in this context, employees will be more understanding about the need for surveillance.
• Creating an environment whereby employees view security as everyone’s responsibility, not just the IT team’s. Educate all employees about the damage caused by insider threats, intentional or not, and how they can adopt good cybersecurity habits to minimize risk. 
• Monitoring everyone. It can be tempting to limit user activity monitoring to privileged users who have access to more sensitive digital assets. In addition to creating hard feelings among the employees singled out for surveillance, limited implementation will miss the activities of non-privileged users who still expose the company to external threats through ignorance or negligence.
• Implementing robust authentication (at least two-factor) for privileged accounts and enforcing strong password policies for all users.
• Harnessing advanced technologies such as machine learning and user behavior analytics so that user activity monitoring is focused more on identifying and managing anomalous risky behavior rather than massive recording and storing of monitored data.

Summary

Although user activity monitoring has its dark side, companies have the right to ensure that their employees are working productively, responsibly, and safely. When implemented transparently and with sensitivity, UAM tools can achieve their objectives without creating bad feelings in the workplace. 

In any case, UAM should be only one component of a company’s broader security efforts. As such, the data gathered from UAM tools can and should be included in an organization’s security analytics practice to help paint a full picture of its security posture.

Each of the five leading UAM solutions described in our blog post “Five Tools for User Activity Monitoring” can integrate seamlessly with an organization’s existing SIEM and security analytics stack.