What do audit logs that track user activity on an information system provide group of answer choices?

As an IT administrator, knowing the precise sequence of activities that affect a specific operation, procedure, or event within a company is very valuable. This is where audit logging (sometimes called event logging or system logging) comes in. Logging creates an “audit trail”—a security-relevant chronological record, or set of records, that documents an organization’s digital footsteps day to day. Keeping detailed records of daily activities allows further visibility into employees' actions and helps to keep that company more secure. For example, audit logs act as a detective control because their trails provide evidence if a hacker or user engages in unauthorized activity.

Audit logging is also helpful when it comes to SSL Certificate management. If a certificate is misissued, lost, or needs to be renewed, audit logging gives administrators and other users the ability to retrace their steps. Having a log of user activities helps companies remain organized and also helps when dealing with unforeseen circumstances, including security violations, performance problems, and system flaws.

Audit Logging Reinforces Enterprise Security

This article from WeLiveSecurity states “logging user actions can help [companies] improve security in a variety of ways” because it provides a way for administrators to “reconstruct events, detect intrusions, and analyze problems such as poor performance or unexpected system behavior.” The following includes other ways audit logging can reinforce an enterprise’s security.

Detect Security Breaches

Detailed audit logs help companies monitor data and keep track of potential security breaches or internal misuse of information. They help ensure users follow all documented protocols and also assist in preventing and tracking down fraud. Intrusions can be detected in real time by examining audit records as they are created. To maximize the security benefits of audit logging, the logs should be reviewed often enough to detect security incidents as early as possible.

Assess System Damages

Audit trails can be used to reconstruct events after a problem has occurred. “Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased,” according to The National Institute of Standards and Technology in outlining how and why organizations should use audit logging.

Aid in Recovery Processes

Understanding how and why a system crash or an intrusion occurred is pertinent to avoiding similar outcomes in the future. Audit logs can help in situations regarding data loss or corruption by allowing administrators to reconstruct data files through the changes recorded in the logs.

Audit Logging with CertCentral®

DigiCert CertCentral® is a platform created to consolidate certificate monitoring, SSL deployment, certificate inspection, and PKI management. With CertCentral®, administrators can also access audit logs within the account. These logs capture important details such as when a certificate is requested, if a certificate is misissued, when a certificate is approved, and other actions.


By using the “action” bar, a user can look up recorded logs of their choosing, and all records show the date and time an action was performed, the user that performed the action, the user’s division, and more, with all information organized conveniently on the intuitive dashboard.

Keeping detailed audit logs provides a company many different benefits. If an enterprise makes sure to track and review the logs regularly rather than allowing them to pile up, audit logs can be utilized to reconstruct events, detect intrusions, and analyze problems such as poor performance or unexpected system behavior. Audit logging is an efficient way to help enterprises observe their environment more effectively and to keep their data secure.

Learn about user activity monitoring solutions in Data Protection 101, our series on the fundamentals of information security.

User activity monitoring (UAM) solutions are software tools that monitor and track end user behavior on devices, networks, and other company-owned IT resources. Many organizations implement user activity monitoring tools to help detect and stop insider threats, whether unintentional or with malicious intent. The range of monitoring and methods utilized depends on the objectives of the company.

By implementing user activity monitoring, enterprises can more readily identify suspicious behavior and mitigate risks before they result in data breaches, or at least in time to minimize damages. Sometimes called user activity tracking, user activity monitoring is a form of surveillance, but serves as a proactive review of end user activity to determine misuse of access privileges or data protection policies either through ignorance or malicious intent.

How User Activity Monitoring Works

The purpose of user activity monitoring is to protect information while ensuring availability and compliance with data privacy and security regulations. UAM goes beyond simply monitoring network activity. Instead, it can monitor all types of user activity, including all system, data, application, and network actions that users take – such as their web browsing activity, whether users are accessing unauthorized or sensitive files, and more.

There are various methods implemented to monitor and manage user activity such as:

  • Video recordings of sessions
  • Log collection and analysis
  • Network packet inspection
  • Keystroke logging
  • Kernel monitoring
  • File/screenshot capturing

All of the information gathered must be looked at within the boundaries of company policy and the user role to figure out if inappropriate activity is in play. What constitutes “inappropriate user activity” is up to the company deploying the UAM solution, and can include anything from visiting personal sites or shopping during work hours to theft of sensitive company data such as intellectual property or financial information.

The Benefits of User Activity Monitoring

Any level of monitoring can accumulate large amounts of data. The goal of any user activity monitoring program should be to find and filter out actionable information that’s valuable in data protection efforts. With effective processes in place, you can immediately detect and investigate suspicious user activity. You can also find out if users are uploading sensitive data to public clouds, utilizing non-approved services and applications, or engaging in any other type of risky activity while using the company network or resources. User activity monitoring tools are also helpful in ensuring that employees do not take any of your company's confidential information when they are leaving the company.

In order to make the data collected by user activity monitoring solutions as useful as possible, that data must be analyzed for several items, including:

  • Associated risk
  • Defined policies
  • Time of day
  • Identity context

It also helps to have real-time identification along with detailed reporting of historical activity. Questions to answer are: Who did what, when and where? User activity monitoring helps to identify abuse to help reduce the risk of inappropriate actions that can lead to malware infections or data breaches. It also helps to decrease the cost of compliance, while offering intelligence needed to improve security measures.

User Activity Monitoring Tools

There are a variety of tools that can be used to aid in or support user activity monitoring. These tools range from general security software applications to targeted tools designed to track sessions and activity, creating a complete audit trail for every user. There are also tools known as privileged account security solutions, which aim to monitor and secure privileged account activity and centralize the management of policies.

The best user activity monitoring tools include real-time alerting systems. These tools monitor user activity in the background in real time and notify IT and security teams the moment suspicious activity occurs. Without the real-time element, risks may go unnoticed while your IT department addresses other known issues. Thanks to today’s technology, it’s not necessary to have entire IT teams dedicated to live-monitoring user activity; a good security solution that supports user activity monitoring can do most of the heavy lifting.

User Activity Tracking and Monitoring Best Practices

User activity monitoring is an important line of defense against data breaches and other cybersecurity compromises. Many IT security teams lack visibility into how their users are accessing and utilizing sensitive data, leaving them susceptible to insider threats or outside attackers who have gained access to systems. Best practices for user activity monitoring include:

  1. Be open about user monitoring. Users should be aware of the use of monitoring and agree to have their sessions recorded and monitored. Often, this acknowledgement is included in contractual agreements or user agreements.
  2. Allow privileged access only to users who need it for their work, a practice known as the principle of least privilege. All other activities not required for a user’s work role should be restricted; privileged users do not need unlimited access, and admin tools and system protocols should be restricted as well.
  3. Decrease the number of shared accounts and implement robust password policies. Enforce policies to ensure that account passwords are complex, unique, and are never shared or reused. Be vigilant about identifying stolen credentials.
  4. Create strong authentication procedures for privileged accounts, such as two or multi-factor authentication.
  5. Manage remote access through company-based protocols. Deny protocol channels such as file transfers between group members, port-forwarding, and disk sharing.
  6. Collect and preserve chain-of-custody forensic evidence including capture files, screenshots and keystrokes. Reconstruct incidents in their full context.
  7. In addition to implementing user activity monitoring solutions, organizations should establish and enforce data protection policies, such as appropriate file sharing activity, handling instructions for sensitive data, authorized services and applications, and other policies outlining acceptable use. Educate users on these policies as well as effective cybersecurity habits through ongoing information security awareness programs.

If a risky action is performed, such as downloading sensitive customer information, the security team should have the ability to score the severity of the activity. This way, the focus can be placed on users who are putting the organization at risk on a large scale.
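The following is an added example (not code from the article or from any product it mentions) showing how the analysis dimensions listed earlier (associated risk, defined policies, time of day, identity context) can be applied to audit records to score the severity of an action and rank users by accumulated risk. The record layout, the sample log lines, the risk weights and the division rules are all constructed assumptions for illustration.

```python
"""Score constructed audit-log records along the dimensions the article lists:
associated risk, defined policy, time of day and identity context."""
from datetime import datetime

# Constructed sample records (assumed field order: timestamp, user, division,
# action, target), modelled on the fields an audit dashboard shows. Not real data.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice Engineering certificate.request www.example.test
2024-03-04T23:40:00 bob Finance file.download customer_export.csv
2024-03-05T02:05:00 bob Finance file.upload personal-cloud
2024-03-05T10:30:00 carol Engineering certificate.revoke api.example.test
"""

# Defined policy: base risk weight per action (associated-risk dimension).
ACTION_RISK = {"file.download": 3, "file.upload": 5,
               "certificate.revoke": 4, "certificate.request": 1}
# Identity context: divisions expected to perform each action (assumed policy).
ALLOWED_DIVISIONS = {"certificate.request": {"Engineering"},
                     "certificate.revoke": {"Engineering"},
                     "file.download": {"Finance", "Engineering"},
                     "file.upload": set()}  # external uploads never expected
BUSINESS_HOURS = range(8, 18)  # time-of-day dimension: 08:00 to 17:59

def parse_record(line):
    ts, user, division, action, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "division": division, "action": action, "target": target}

def score_record(rec):
    """Return (score, reasons); a higher score warrants earlier review."""
    score = ACTION_RISK.get(rec["action"], 2)  # unknown actions get a default
    reasons = []
    if rec["ts"].hour not in BUSINESS_HOURS:
        score += 2
        reasons.append("outside business hours")
    if rec["division"] not in ALLOWED_DIVISIONS.get(rec["action"], set()):
        score += 3
        reasons.append(f"{rec['division']} not expected to {rec['action']}")
    return score, reasons

def rank_users(log_text):
    """Sum scores per user so the users putting the organization at risk surface first."""
    totals = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        totals[rec["user"]] = totals.get(rec["user"], 0) + score_record(rec)[0]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        print(rec["user"], rec["action"], *score_record(rec))
    print(rank_users(SAMPLE_LOG))
```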

User activity monitoring is an important component of data protection for enterprises today. While there are dedicated “point solutions” for monitoring user behavior, organizations should look to data protection tools that can combine user activity monitoring features with data discovery and classification, policy-based controls, and advanced reporting capabilities.
