User Activity Management

What is “User Activity Management”?


Gartner’s “Top 10 Strategic Technologies for 2010”* contains one security technology:
“Activity Monitoring”. As explained by Gartner:

“Traditionally, security has focused on putting up a perimeter fence to keep others out, but it has evolved to monitoring activities and identifying patterns that would have been missed before. Information security professionals face the challenge of detecting malicious activity in a constant stream of discrete events that are usually associated with an authorized user and are generated from multiple network, system and application sources. At the same time, security departments are facing increasing demands for ever-greater log analysis and reporting to support audit requirements. A variety of complementary (and sometimes overlapping) monitoring and analysis tools help enterprises better detect and investigate suspicious activity – often with real-time alerting or transaction intervention. By understanding the strengths and weaknesses of these tools, enterprises can better understand how to use them to defend the enterprise and meet audit requirements.”

User Activity Management is an approach to enterprise network security and compliance that captures and saves detailed user transactions across the enterprise, correlates this activity to identity management systems, indexes the data for quick access, and applies comprehensive reporting and proactive rules to the transaction data.

UAM systems have a “rule engine” in which very specific security and compliance rules can be defined to “blacklist” or “whitelist” user behavior and to alert on, or optionally block, user actions that are suspicious or out of the norm.

What Level of Detail is Captured in a UAM System?

In order to fully understand what users are doing on an enterprise network the following information is needed:

  1. Details of each user transaction including:
    • file names, and folders names
    • database names and database table names, and database queries
    • the email addresses, “Subject” lines and attachment names from all major email programs
    • chat and Instant Messenger names from major chat and IM programs
    • login attempts (failed and successful)
    • all of the transaction data from other important applications and protocols used in the enterprise
  2. The ability to correlate these transactions with the enterprise's identity management system
    • So that transactions performed by known users are identified as such and NOT displayed as IP addresses and port numbers
    • So that transactions performed by intruders that are NOT in the enterprise's identity system are clearly identified and recorded

In a UAM solution the information described above is contained in “User Activity Records” - simple records that state who the user was and what they did.

For example, when a user accesses a file server, the “User Activity Record” contains the user name, the file name accessed, the folder in which it resided, the host on which it is located, the operation performed (open, read, write, delete), and many other items.

A database access produces a record in the UAM system that contains the user name, the database name, the table name, the operation performed (Select, Insert, Update, Delete, etc.), the host, the query string, the time/date, and many others.

How Are “User Activity Records” Used?

There are three primary ways that the records in a UAM system are used:

  • First, UAM systems make all transaction records available through a “Google®-like” search function. All transaction data is full-text indexed, which allows it to be searched quickly. The ability to rapidly search the history of all user actions in an enterprise is a capability that was not previously available.
  • Second, UAM systems store all User Activity Records in a SQL (relational) database and provide a reporting engine that delivers pre-defined reports on security, compliance, and network performance.
  • Third, UAM systems provide a rule system that operates on all of the data contained in the User Activity Record. These rules run in real time and can optionally block transactions. Full whitelisting and blacklisting support is critical. Examples of rules that a UAM system can execute include:
    • “Do not allow Joe Wilson to delete excel files on any server”
    • “The Executive Assistants group may only access this group of sub-directories (white-listing a group of users to a group of information assets)”
    • “Alert if any user attempts to access database records from the 'payroll' table”
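The following is an added example written for this page; it is not PacketMotion's code and does not describe the product's internal design. It sketches the pipeline the preceding sections describe: raw transactions are turned into User Activity Records, each record is correlated against an identity directory (sources that resolve to no known user are flagged as intruders, rather than being shown as bare IP addresses), and the three rules quoted above are evaluated as whitelist/blacklist predicates that return an “alert” or “block” verdict. The identity directory, hosts, user names, paths and sample transactions are all constructed, and the whitelist/blacklist semantics (a blacklist rule fires on a match, a whitelist rule fires when a covered subject does anything other than the listed behavior) are this example's own interpretation of the terms.

```python
"""Toy UAM pipeline: raw events -> identity correlation -> User Activity
Records -> whitelist/blacklist rule evaluation.  Added example, not
PacketMotion's code; directory, hosts, users and paths are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, Optional

# Constructed stand-in for the enterprise identity management system.
IP_TO_USER = {"10.0.1.15": "jwilson", "10.0.1.22": "ksmith"}
USER_GROUPS = {"jwilson": {"Sales"}, "ksmith": {"Executive Assistants"}}


@dataclass
class UserActivityRecord:
    """Who did what: one record per observed transaction."""
    src_ip: str
    host: str
    app: str          # "file" or "db"
    operation: str    # open/read/write/delete or select/insert/update/delete
    target: str       # file path, or "database.table" for a db access
    query: str = ""   # SQL text for a db access
    user: Optional[str] = None   # filled in by correlate()
    intruder: bool = False       # True when no identity maps to src_ip


def correlate(rec: UserActivityRecord) -> UserActivityRecord:
    """Resolve src_ip to a directory user; unknown sources are intruders."""
    rec.user = IP_TO_USER.get(rec.src_ip)
    rec.intruder = rec.user is None
    return rec


def in_group(rec: UserActivityRecord, group: str) -> bool:
    return group in USER_GROUPS.get(rec.user or "", set())


@dataclass
class Rule:
    name: str
    kind: str                                      # "blacklist" | "whitelist"
    subject: Callable[[UserActivityRecord], bool]  # who the rule applies to
    matches: Callable[[UserActivityRecord], bool]  # the listed behaviour
    action: str                                    # "alert" | "block"


# The three rules quoted on this page, expressed as predicates.
RULES = [
    Rule("no-excel-delete-jwilson", "blacklist",
         subject=lambda r: r.user == "jwilson",
         matches=lambda r: r.app == "file" and r.operation == "delete"
                           and fnmatch(r.target.lower(), "*.xls*"),
         action="block"),
    Rule("exec-assistants-allowed-dirs", "whitelist",
         subject=lambda r: r.app == "file" and in_group(r, "Executive Assistants"),
         matches=lambda r: any(r.target.startswith(d)
                               for d in ("/shares/exec/", "/shares/calendar/")),
         action="block"),
    Rule("payroll-table-access", "blacklist",
         subject=lambda r: r.app == "db",
         matches=lambda r: r.target.split(".")[-1] == "payroll",
         action="alert"),
]


def evaluate(rec: UserActivityRecord, rules=RULES) -> list:
    """Return (rule name, action) for every rule the record trips.

    Blacklist rules fire when the behaviour matches; whitelist rules fire
    when a covered subject does anything *other* than the listed behaviour.
    Records that could not be tied to a known identity always raise an alert.
    """
    verdicts = [("unknown-identity", "alert")] if rec.intruder else []
    for rule in rules:
        if not rule.subject(rec):
            continue
        hit = rule.matches(rec) if rule.kind == "blacklist" else not rule.matches(rec)
        if hit:
            verdicts.append((rule.name, rule.action))
    return verdicts


# Constructed sample transactions (not captured traffic).
SAMPLE_EVENTS = [
    UserActivityRecord("10.0.1.15", "fs01", "file", "delete", "/shares/sales/Q3-forecast.xlsx"),
    UserActivityRecord("10.0.1.22", "fs01", "file", "read", "/shares/exec/calendar.docx"),
    UserActivityRecord("10.0.1.22", "fs01", "file", "read", "/shares/finance/budget.xlsx"),
    UserActivityRecord("10.0.9.77", "db01", "db", "select", "hr.payroll",
                       query="SELECT * FROM payroll"),
]


def run(events=SAMPLE_EVENTS) -> dict:
    """Correlate and evaluate each event; key results by 'user@host:target'."""
    results = {}
    for ev in events:
        rec = correlate(ev)
        who = rec.user or f"INTRUDER({rec.src_ip})"
        results[f"{who}@{rec.host}:{rec.target}"] = evaluate(rec)
    return results


if __name__ == "__main__":
    for key, verdicts in run().items():
        print(f"{key:55} -> {verdicts or 'allowed'}")
```

Running the script shows the first transaction blocked by the per-user blacklist, the second allowed because it stays inside the Executive Assistants' whitelisted directories, the third blocked because it strays outside them, and the fourth raising two alerts: one because the source address resolves to no known identity, and one for the payroll table. Note that the whitelist rule never fires for users outside its subject group; that is what keeps a whitelist from silently blocking everyone else.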

What Organizations Need “User Activity Management”?

UAM systems provide a single information source about detailed insider behavior across the enterprise. This approach delivers immediate benefits:

  • Dramatic reduction in compliance reporting costs
  • Automation of security controls and reports
  • Rapid investigation of a user's past behavior or of rogue user actions
  • Detection and remediation of improper or suspicious insider activity

Does “User Activity Management” Complement or Replace Other Systems?

UAM systems can do both, depending on your environment. UAM systems deliver more detail than log management systems, with the added benefit of a real-time rules capability. UAMs store and display all data as “User Actions” instead of as “traffic records” made up of hard-to-interpret port numbers and IP addresses.

Like Data Leak Prevention (DLP), UAM provides visibility of detailed user actions at the edge of your network, but UAM also provides information about transactions inside the enterprise network.

Also, UAM systems do not rely on agent-based technology, so they do not slow down servers or clients; they are not deployed “in-line”, so they do not add risk; and they completely install in 2 to 4 hours. Note that a sensor that is not in-line sees a transaction only once it is already under way, so any blocking it performs is reactive (interrupting a session in progress) rather than a true in-line deny.

*Gartner Identifies the Top 10 Strategic Technologies for 2010
Gartner Press Release, October 20, 2009
http://www.gartner.com/it/page.jsp?id=1210613


Copyright © 2009 by PacketMotion, Inc.  All rights reserved