Insider Threat Management

Enhancing Your SIEM with User Activity Logs and Session Recording

(Updated on 02/22/2021)

Security information and event management (SIEM) systems help organizations aggregate, correlate and analyze log data from numerous sources, such as network devices, servers and security systems (e.g., firewalls, anti-virus and IDS/IPS).

Why Employ a SIEM System?

There are a few common reasons why an organization would employ SIEM, including the following;

  1. To analyze and alert on anomalous events or suspicious trends in real time (or near real time)
  2. To speed post-incident IT forensics
  3. To assist with regulatory compliance and reporting

However, despite these key functionalities, there are several SIEM limitations that may result in security risks going undetected.

3 Noteworthy Limitations of SIEM

While SIEM systems provide significant value in these three areas, they are actually much more limited than many IT administrators, security officers and auditors realize. There are a number of reasons for these limitations:

  1. Disparate SIEM Logs: Correlating large sets of disparate logs based on timestamps or other markers does not make them magically useful. While simple alerts can be defined using rules which look at one or two details, conducting root cause analysis or trying to prove regulatory compliance can be impossible (or at last extremely time consuming). It is usually extremely difficult—even when the organization has dedicated SIEM monitoring staff – to figure out exactly who did what just by looking through long lists of system events across multiple logs.
  2. Difficulty Mapping Technical Events to Business Risks: Most (sometimes all) of the log data processed by these systems are generated by hardware devices and operating systems. Yet, mapping how these technical events relate to particular business risks is difficult, if not impossible, and is rarely accomplished successfully. This means that the sources of most data breaches and other security incidents will never be identified by a SIEM.
  3. Lack of App Data Integration: One of the biggest roadblocks to SIEM success lies in the fact that many important applications simply do not generate log data that can be incorporated into the SIEM. User activity within legacy, cloud, system and consumer-oriented applications are examples of gaping SIEM “blind spots.”

Improving SIEM with User Activity Logs and Session Recordings

Fortunately, there is a straightforward and easy-to-implement solution that addresses the abovementioned limitations: adding user activity logs to the data processed by SIEMs, as well as linked screen video recordings of all user activity.

User activity logs, which are generated by User Activity Monitoring systems, focus on the actual activity of users (administrators, business users, remote vendors, etc.) within applications, websites, operating system areas and network device configuration interfaces. They generate user activity logs—which describe what users did in which applications, dialog boxes, console commands, webpages, etc.—as well as video recordings of the screens seen by users. Adding this user-focused data provides the SIEM with four “magic wands” that dramatically increase the value of the system.

Key Benefits of User Activity Logs in SIEM

  • Valuable Log Data: Integrating User Activity logs help the SIEM to analyze data and alert on findings. With it, the SIEM can detect anomalous, suspicious and out-of-policy user behavior directly, without relying on inferences from system logs. Furthermore, by correlating user activity logs with system event logs, administrators can quickly and effortlessly understand the meaning of system events.
  • Video Recordings: When integrated into the SIEM, video recordings link log events to full video recordings of exactly what every user actually did. Any time a particular action of interest occurred (e.g., an account was created or a system setting was changed), administrators and compliance auditors can call up actual video of actions taken with a single click from within the
  • Aggregate All Application Data: User session recording captures video and generates text event logs of every user action in every application, system area and on all platforms (e.g., Windows, Unix, Linux) via all modes of connectivity. The result is user activity auditing with no holes or gaps. This is a perfect solution for organizations running legacy, cloud and other applications that do not generate their own logs.
    • This capacity obviates the need for time-consuming and expensive re-auditing and re-correlations every time an application is updated. As user session logging is external to the application, there is no need to determine if the new version provides the required level of logging.
  • Insight into IT Infrastructure: The addition of user session data to SIEM dashboards and reports provides SIEM users a new way to observe what is occurring within the organization’s IT infrastructure. It is easy to incorporate lists of every application run, charts showing active users/servers and detailed listings of user actions—all linked directly to video recordings of each user action.

Final Thoughts

The end result of incorporating user activity logs and session recording into the SIEM is a far more valuable SIEM deployment! This integration also makes it significantly easier to get compliant and stay compliant for security regulations (e.g., PCI, HIPAA, NERC, FISMA), while reducing security auditing costs. Most auditor requests can be instantly answered by searching for user actions or watching a portion of a recorded session video – without the need for complex research and correlation projects.

Subscribe to the Proofpoint Blog