While hacking attacks against organisations are on the rise, the impact of the insider threat is even greater. PowerBroker is seeking to minimise this by making it possible to capture all the session activity for privileged user accounts and provide a review process.
According to the press release, the new capability gives designated viewers the ability to do four things:
- Access the session review capability
- Watch a session recording
- Indicate they have reviewed the session
- Acknowledge that the session was authorised
Once a session has been signed off by the authorised viewer, the approval is logged for auditing purposes. This is a significant step forward for those who work in regulated environments as it provides a much easier way to check activity. At the same time, reviewers can make notes on what they see in a session, such as querying an action or marking up parts of the session for further investigation.
For example, in a busy hospital pharmacy it would allow a senior pharmacist to ensure that drugs dispensed and logged in the system were correctly recorded. Alternatively, in a financial brokerage company it would provide an easier way for managers to identify approved transactions by giving them the ability to see what the broker actually did, potentially reducing the risk of fraud.
Security teams the more likely PowerBroker Password Safe users
The main use of the product, however, is likely to come from security teams who may have seen something suspicious on the network and want to investigate further. This might be a logon at an unexpected time, a logon from a previously unused location, or a session in which the user accessed data they don’t normally use. In these circumstances they would be interested in exactly who initiated the session and the passwords used.
Reviewing the session will show whether there was any hesitation in how the password was entered or whether there were mistakes. It will also show if the session user went straight to the data or spent time walking the directories of servers in order to find data. All of these would be indicators of the session being conducted by someone other than the privileged user, indicating that their security credentials had been compromised.
Conversely, if the session user goes straight to the data and begins to download it or move it outside of the company, it would indicate that the authorised user carried out the action. At this point security could suspend the account or send the session data over to a manager for further review.
According to Brad Hibbert, CTO, BeyondTrust: “The PowerBroker Password Safe solution is all about providing greater insight and visibility for our end users to help stop internal threats and the use of privileged credentials, whether actions are malicious in nature or occur accidentally. The added capability of session review and monitoring that’s incorporated into the latest version of the solution gives IT admins very easy and clean review capabilities when suspicious activity is detected.”
Will it help track customer behaviour?
It’s an interesting question. Most banks already record user session data and can replay it when there is an account query. For example, I personally had a problem with a VAT return some time ago. When I asked my bank why money hadn’t been paid when I expected it to be, they were able to review the session and show that I failed to click the final submit button to send the money. This was a quick and easy way to identify where the error occurred.
In the case of the bank, they were using a product that cost thousands of pounds and which was able to obfuscate personal data such as passwords and account data. PowerBroker Password Safe does not go that far, so it may not be suitable for that type of use. It may also be a problem to use it in environments where managers must be prevented from seeing the security credentials of users.
This ability to use the data for detailed forensic analysis of what privileged users are doing is a significant step forward for many companies. It will certainly improve their forensic ability to deal with the aftermath of attacks. At the same time, the threat of the process may well deter a number of employees from doing things such as stealing data.