Privileged session management is a privileged access management (PAM) capability that controls, monitors, and records activities of privileged users—whether human or machine. A ‘privileged session’ consists of the actions performed while logged into a privileged account.
The aim of privileged session monitoring and management is to protect the applications, systems, and potentially sensitive data a privileged user has access to. Capabilities can include monitoring and auditing all privileged activity, as well as pausing, locking or terminating sessions that are suspicious or dangerous.
Additionally, privileged session management is an integral part of Privileged Account and Session Management (PASM), which analyst firm Gartner has defined as one of the primary traditional pillars of PAM. PASM pairs management of privileged accounts and credentials with session management.
Securing, monitoring, and managing privileged sessions is also an essential practice for enabling a zero-trust architecture (ZTA).
Enterprise privileged session management consists of three main parts: monitoring, management (control), and auditing and reporting.
Privileged session monitoring
Depending on the protocol (and on the OS or runtime environment), all text drawn on the screen and every keystroke can be recorded, with keystrokes entered at password prompts excluded from the record. Video recording may also be used, with the ability to play back a session.
Robust monitoring may also entail real-time inspection for critical pattern matches, which can then trigger automated actions such as alerting, locking or pausing the session, or even terminating it. The list of actions is typically defined by an administrator, and most session management vendors ship an out-of-the-box list of critical patterns covering database commands, lateral movement, sensitive operating system commands, and other suspicious behavior.
Because of the sensitivity of the data retained, recorded sessions must be properly secured against tampering and unauthorized access, and disposed of in line with retention policy and applicable regulations.
Auditing and reporting of privileged sessions
During monitoring, session data should be captured and indexed for future audit reviews. The data may be further processed via a SIEM, analytics engine, or identity security tools.
The privileged session management tool should provide a range of enterprise reporting capabilities to satisfy the needs of the business, such as addressing regulatory compliance, and even to qualify for and maintain cyber insurance.
Management of privileged sessions
Session management tools should also provide some controls over how sessions are initiated, and whether they are allowed to continue or not.
Many privileged session managers allow live sessions to be paused or terminated when something suspicious arises. The drawback of termination is that it can be destructive: it costs the user work and creates unnecessary friction. For example, a disconnected RDP session can usually be reconnected with its desktop state intact, whereas terminating an SSH session kills the shell and, with it, any foreground processes or scripts that were running (unless they were detached, for example under tmux, screen, or nohup). This is why pausing a session to allow for review is often the preferable intervention.
Once the activity has been reviewed and found legitimate, the session can be resumed; if it is deemed potentially malicious, it can then be terminated. This lets organizations maintain user productivity while still adhering to a zero trust security framework.
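The real-time pattern inspection described under monitoring, and the pause/review/resume flow described just above, fit together as a small state machine. The following is an added example written for this page, not code from the page or from any vendor's product. It assumes a constructed rule list (a vendor's out-of-the-box list would be far larger), treats keystrokes typed at a password prompt as excluded from the recording, and replays a constructed SSH session to show each action being taken.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    ALERT = "alert"          # record and notify, let the session continue
    PAUSE = "pause"          # hold input until a reviewer decides
    TERMINATE = "terminate"  # kill the session


SEVERITY = {Action.ALLOW: 0, Action.ALERT: 1, Action.PAUSE: 2, Action.TERMINATE: 3}


class State(Enum):
    ACTIVE = "active"
    PAUSED = "paused"
    TERMINATED = "terminated"


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: Action


# Constructed rule set for the example (assumption); a real product ships many more.
RULES = [
    Rule("db-destructive", re.compile(r"^\s*(drop|truncate)\s+(table|database)\b", re.I), Action.TERMINATE),
    Rule("lateral-movement", re.compile(r"\b(psexec|wmic\s+/node:|enter-pssession|ssh\s+\S+@\S+)", re.I), Action.PAUSE),
    Rule("sensitive-os-cmd", re.compile(r"\b(rm\s+-rf\s+/|mkfs|shutdown|dd\s+if=)", re.I), Action.PAUSE),
    Rule("credential-access", re.compile(r"(/etc/shadow|mimikatz|lsass)", re.I), Action.ALERT),
]

# Screen text that ends in a password prompt; whatever is typed in reply is never recorded.
PASSWORD_PROMPT = re.compile(r"password\b.*:\s*$", re.I)


@dataclass
class Session:
    session_id: str
    user: str
    target: str
    state: State = State.ACTIVE
    transcript: list = field(default_factory=list)   # what goes into the recording
    alerts: list = field(default_factory=list)       # (rule name, offending line)
    pending_review: str = None                       # rule that paused the session


def inspect(session: Session, prompt: str, typed: str) -> Action:
    """Record one line of keystrokes and apply the highest-severity matching rule.

    `prompt` is the screen text the user was answering; input typed at a password
    prompt is written to the transcript as '[redacted]' and is not matched against rules.
    """
    if session.state is State.TERMINATED:
        return Action.TERMINATE                      # nothing is delivered to a dead session
    if session.state is State.PAUSED:
        raise RuntimeError("input held: session is paused pending review")
    if PASSWORD_PROMPT.search(prompt):
        session.transcript.append("[redacted]")
        return Action.ALLOW
    session.transcript.append(typed)
    matched = [r for r in RULES if r.pattern.search(typed)]
    if not matched:
        return Action.ALLOW
    worst = max(matched, key=lambda r: SEVERITY[r.action])
    session.alerts.append((worst.name, typed))
    if worst.action is Action.PAUSE:
        session.state = State.PAUSED
        session.pending_review = worst.name
    elif worst.action is Action.TERMINATE:
        session.state = State.TERMINATED
    return worst.action


def review(session: Session, legitimate: bool) -> State:
    """Reviewer verdict on a paused session: resume it, or terminate it."""
    if session.state is not State.PAUSED:
        raise RuntimeError("only a paused session can be reviewed")
    session.state = State.ACTIVE if legitimate else State.TERMINATED
    session.pending_review = None
    return session.state


def run_sample():
    """Replay a constructed SSH session through the monitor (sample input, not a capture)."""
    s = Session("s-1001", "ops", "web01")
    events = [
        ("ops@web01:~$ ", "sudo -i"),
        ("[sudo] password for ops: ", "hunter2"),            # redacted, not inspected
        ("root@web01:~# ", "cat /etc/shadow"),               # alert, session continues
        ("root@web01:~# ", "ssh svc-backup@db01.internal"),  # lateral movement: pause
    ]
    actions = [inspect(s, prompt, typed) for prompt, typed in events]
    review(s, legitimate=True)                               # reviewer approves the hop
    actions.append(inspect(s, "svc-backup@db01:~$ ", "mysql -u root -p"))
    actions.append(inspect(s, "Enter password: ", "s3cret"))        # redacted
    actions.append(inspect(s, "mysql> ", "DROP TABLE customers;"))  # terminate
    return s, actions


if __name__ == "__main__":
    session, actions = run_sample()
    for line, action in zip(session.transcript, actions):
        print(f"{action.value:>9}  {line}")
    print("final state:", session.state.value)
```

The design choice worth noting is that the transcript line is appended before the rule fires, so the command that caused a termination is itself part of the audit record, while the two password entries never reach the recording at all.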
The primary goals of privileged session management are to limit the scope of access, maintain session oversight, and create an audit trail of usage. Below, we will explore each of these areas in more detail.
Limiting The Scope of Access
When only a session is privileged, and not the user itself, it drastically reduces the attack surface compared to an environment where privileged accounts proliferate. This is why managing privileged access at the session level is such an effective and proactive approach to limiting the scope of access. For example, which option do you find preferable?
A: Giving the password to an admin account outright, with no parameters on usage.
B: Setting up rules that only allow that password to be used on a specific server.
The clear winner is B, but why? Rules that restrict where a credential may be used keep password usage confined to approved machines, while still letting you use native tools such as MSTSC and PuTTY to reach those systems. Ideally, though, the privileged password would never be disclosed to the user at all. That can be accomplished with a privileged password management solution that brokers the session on the user's behalf and injects the credential itself, without ever handing out the password.
Maintaining Session Oversight
Even if a user is logging into the appropriate server or environment, IT teams still need to know about the access, monitor it, and potentially lock or kill the session. Some security teams choose to build these capabilities manually, for example by enabling logon/logoff auditing and alerting on the resulting Windows Security log entries (events 4624 and 4634 for logon and logoff, and 4672 when a logon is assigned sensitive privileges). This does provide awareness of when a session is established. However, in environments with many concurrent privileged sessions, effective oversight requires third-party solutions that provide automation and workflows.
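To make concrete what native logon/logoff auditing can and cannot give you, here is an added example (not code from the page) that correlates a constructed sample of Windows Security log events on their logon ID into session records and lists the privileged RDP sessions a team would want to be alerted on. The event records, the approved source network, and the field names as plain dictionaries are all assumptions made for the example; the event IDs and LogonType value are the real ones.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed Security-log events (not real captures). Field names follow the EventData
# of the real events: 4624 = logon, 4634 = logoff, 4672 = special privileges assigned.
EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-12T09:01:05", "TargetUserName": "svc-admin",
     "TargetLogonId": "0x3e7a1", "LogonType": 10, "IpAddress": "10.20.4.7"},
    {"EventID": 4672, "TimeCreated": "2024-03-12T09:01:05", "SubjectUserName": "svc-admin",
     "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4624, "TimeCreated": "2024-03-12T09:15:30", "TargetUserName": "jdoe",
     "TargetLogonId": "0x41b22", "LogonType": 10, "IpAddress": "10.20.9.14"},
    {"EventID": 4624, "TimeCreated": "2024-03-12T09:16:00", "TargetUserName": "web01$",
     "TargetLogonId": "0x41c90", "LogonType": 3, "IpAddress": "10.20.9.20"},  # network logon, not a session
    {"EventID": 4634, "TimeCreated": "2024-03-12T09:47:12", "TargetUserName": "svc-admin",
     "TargetLogonId": "0x3e7a1"},
    {"EventID": 4624, "TimeCreated": "2024-03-12T22:10:00", "TargetUserName": "Administrator",
     "TargetLogonId": "0x5c019", "LogonType": 10, "IpAddress": "203.0.113.9"},
    {"EventID": 4672, "TimeCreated": "2024-03-12T22:10:00", "SubjectUserName": "Administrator",
     "SubjectLogonId": "0x5c019"},
]

REMOTE_INTERACTIVE = 10                 # LogonType used for RDP / Terminal Services logons
APPROVED_SOURCES = ("10.20.0.0/16",)    # assumption: the admin jump network


def build_sessions(events):
    """Correlate logon, privilege-assignment and logoff events on the logon ID.

    Only RemoteInteractive (RDP) logons become sessions; network logons are ignored.
    4672 may be written before or after its matching 4624, so it is collected first.
    """
    privileged = {e["SubjectLogonId"] for e in events if e["EventID"] == 4672}
    sessions = {}
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4624 and e["LogonType"] == REMOTE_INTERACTIVE:
            lid = e["TargetLogonId"]
            sessions[lid] = {
                "user": e["TargetUserName"], "source": e["IpAddress"],
                "start": datetime.fromisoformat(e["TimeCreated"]),
                "end": None, "privileged": lid in privileged,
            }
        elif e["EventID"] == 4634 and e["TargetLogonId"] in sessions:
            sessions[e["TargetLogonId"]]["end"] = datetime.fromisoformat(e["TimeCreated"])
    return sessions


def findings(sessions, approved=APPROVED_SOURCES):
    """Privileged RDP sessions worth an alert: still open, or from an unapproved source."""
    nets = [ip_network(n) for n in approved]
    out = []
    for logon_id, s in sessions.items():
        if not s["privileged"]:
            continue
        if s["end"] is None:
            out.append((logon_id, "privileged session still open"))
        if not any(ip_address(s["source"]) in n for n in nets):
            out.append((logon_id, f"privileged logon from unapproved source {s['source']}"))
    return out


if __name__ == "__main__":
    sessions = build_sessions(EVENTS)
    for lid, s in sessions.items():
        length = (s["end"] - s["start"]) if s["end"] else None
        print(lid, s["user"], s["source"], "privileged" if s["privileged"] else "standard", length)
    for lid, why in findings(sessions):
        print("ALERT", lid, why)
```

What this gives you is exactly the who, from where, and when of the passage: the events say that svc-admin held an administrative RDP session for 46 minutes and that an Administrator logon from outside the jump network is still open. What they cannot say is what was typed or shown during those sessions, which is the gap a session recording fills.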
Creating an Audit Trail of Usage
The significance of creating and maintaining an audit trail can extend beyond organizational requirements; it is often a regulatory and compliance necessity, especially for industries handling sensitive information (Government, Healthcare, Education, etc.). Audit trails are a tangible demonstration of adherence to security policies, showcasing due diligence in safeguarding critical assets and data.
For organizations subject to compliance regulations mandating the logging and recording of user activity, Privileged Session Management is indispensable. It identifies unique users, records connected systems, and captures actions taken during remote access connections—creating an audit trail of the who, what, and when of privileged access or activity. This session monitoring serves as critical security oversight for activities involving sensitive and privileged access.
Establishment of a single, unimpeachable audit trail of all privileged actions helps ensure a robust security posture and facilitates swift responses to evolving cybersecurity challenges, by providing clear forensics. This level of auditability is also increasingly required by cyber insurers, in order to qualify for or renew a policy.
Session monitoring data serves as a powerful tool for bolstering accountability within organizations. It not only aids incident response by investigating and addressing security breaches or data loss involving privileged credentials, but also helps troubleshoot issues related to privileged user activities, such as system configuration changes or file transfers.
Automating the tracking and recording of privileged user activity also improves operational efficiency: reviewers can see when, where, and how passwords were used, and what actions were taken during the logged sessions. Session monitoring therefore provides a comprehensive and unambiguous record of all privileged actions, and a higher level of accountability than native tools can offer.
Oftentimes, users’ awareness of being recorded is an effective deterrent to curb some malicious behavior, or more innocent misuse.
Security teams need to be able to audit privileged activity both for security and to meet regulations and standards such as PCI DSS, HIPAA, ISO 27001, GDPR, SOC 2 and more. Cyber insurers also usually require these capabilities to be present and correctly implemented. Auditing may also include capturing keystrokes and screens, allowing for live viewing and playback.
Compliance standards around data security, like those found in PCI, HIPAA, and others, require an organization to not just establish a secure environment that protects data, but to also maintain proof that protection is actually established. Enterprise-class Privileged Session Management allows organizations to prove compliance by having an audit trail that shows only appropriate activity occurred, adhering to and staying within compliance standards.
Exercising control over sessions is an important method for ensuring the enforcement of least privilege.
The degree of control over the generation and usage of sessions is dependent on how you implement Privileged Session Management. Should organizations use a mix of native solutions, they will end up with minimal control and, therefore, minimal benefit. However, third-party privileged session management solutions are specifically built for enterprise use cases. Often, these session management capabilities are paired with the ability to manage privileged accounts and credentials, as in Privileged Account and Session Management (PASM) solutions, also known as Privileged Password Management solutions. A PASM solution can inject managed credentials directly to initiate a session, without ever revealing the credentials to the end user. This provides a seamless and secure end-user experience.
Organizations should look for the ability to proxy access to RDP, SSH, and Windows, Unix, and Linux applications. Dynamic assignment of just-in-time privileges allows organizations to lock down access to resources based upon the day, date, time, and location. Limiting the scope of access to specific runtime parameters condenses the window of opportunity where someone might be able to hijack or misuse a session.
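The rule from the earlier A/B question (a managed credential that may only be used on specific servers) and the just-in-time conditions listed here (day, time, and location) can be expressed as one policy evaluated when a session is requested. The following is an added example written for this page, not code from the page or any product. The policy, user names, host names and networks are constructed; the grant's expiry is derived from both the rule's time window and a per-session cap, which is what shrinks the window of opportunity the passage refers to.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessRule:
    """Binds a vaulted account to the conditions under which a user may open a session with it."""
    managed_account: str      # credential held by the vault; the user never sees it
    allowed_targets: frozenset
    weekdays: frozenset       # 0 = Monday ... 6 = Sunday
    window: tuple             # (start_hour, end_hour), half-open, local time
    source_networks: tuple    # CIDR strings the request must originate from
    max_minutes: int          # hard cap on the length of a granted session


@dataclass(frozen=True)
class SessionRequest:
    user: str
    managed_account: str
    target: str
    source_ip: str
    requested_at: datetime


# Constructed policy (assumption): ops may use the web local-admin credential only on two
# web servers, on weekdays during business hours, from the corporate network; DBAs may
# use the SA credential on db01 at any time, but only for 30 minutes per session.
POLICY = {
    "ops": [AccessRule("web-localadmin", frozenset({"web01", "web02"}), frozenset(range(0, 5)),
                       (8, 18), ("10.20.0.0/16",), 60)],
    "dba": [AccessRule("db-sa", frozenset({"db01"}), frozenset(range(0, 7)),
                       (0, 24), ("10.20.0.0/16", "10.30.5.0/24"), 30)],
}


def _check(rule: AccessRule, req: SessionRequest):
    """Return None if the rule permits the request, otherwise the first failing condition."""
    if rule.managed_account != req.managed_account:
        return f"account {req.managed_account} not granted"
    if req.target not in rule.allowed_targets:
        return f"target {req.target} not permitted"
    if req.requested_at.weekday() not in rule.weekdays:
        return "outside permitted days"
    start, end = rule.window
    if not start <= req.requested_at.hour < end:
        return "outside permitted hours"
    src = ip_address(req.source_ip)
    if not any(src in ip_network(n) for n in rule.source_networks):
        return f"source {req.source_ip} not permitted"
    return None


def authorize(req: SessionRequest):
    """Evaluate a session request. Returns (allowed, reason, expires_at).

    A grant expires at the earlier of the rule's session cap and the end of its time
    window, so a session opened late in the window cannot run past it.
    """
    reasons = []
    for rule in POLICY.get(req.user, []):
        failure = _check(rule, req)
        if failure is None:
            midnight = req.requested_at.replace(hour=0, minute=0, second=0, microsecond=0)
            window_end = midnight + timedelta(hours=rule.window[1])   # handles end_hour == 24
            cap = req.requested_at + timedelta(minutes=rule.max_minutes)
            return True, f"matched rule for {rule.managed_account}", min(window_end, cap)
        reasons.append(failure)
    return False, "; ".join(reasons) or "no rules for user", None


if __name__ == "__main__":
    for req in [
        SessionRequest("ops", "web-localadmin", "web01", "10.20.4.7", datetime(2024, 3, 12, 17, 30)),
        SessionRequest("ops", "web-localadmin", "db01", "10.20.4.7", datetime(2024, 3, 12, 10, 0)),
        SessionRequest("ops", "web-localadmin", "web01", "203.0.113.9", datetime(2024, 3, 12, 10, 0)),
        SessionRequest("dba", "db-sa", "db01", "10.30.5.4", datetime(2024, 3, 16, 23, 50)),
    ]:
        print(req.user, req.target, authorize(req))
```

In a PASM deployment the "allowed" branch is where the broker would fetch the credential from the vault and inject it into the RDP or SSH connection; the requester only ever receives the session and its expiry, never the secret.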
Common session controls include the ability to:
Even outside privileged session management, the principle of least privilege (PoLP) should be enforced across your security estate. By controlling, monitoring, and recording the actions of privileged users, organizations can quickly identify and prevent potential security threats or misuse of privileges.
It is also important to consider customizability. Depending on your organization's needs, you may want to enable or disable certain kinds of data capture, for example so that sensitive customer information shown on screen is not recorded. Choosing privileged session management software that can be tailored to your specific use case is therefore paramount.
Note: Not all solutions with privileged session monitoring capabilities are created equal. Text-based sessions such as SSH can easily be captured, recorded, and alerted on based on the characters shown on screen or entered at the keyboard (including keystrokes and command prompts). Graphical and web-based sessions are a different matter. Remote sessions typically run over RDP, VNC, or HTTPS. Any session with embedded graphics displayed across multiple screens, or even rendered with a Flash plugin, benefits from session monitoring that can capture mouse clicks, processes launched, and the titles of application windows. This provides the visibility needed to determine, in a remote session, whether actions are appropriate, incorrect, or potentially malicious.
Privileged session management and monitoring is a critical requirement when organizations are working with the cloud. When privileged sessions are initiated remotely, it is the only surefire method to monitor, record, and proactively detect inappropriate behavior, while also keeping a record for review and audits.
While other tooling can monitor API-based and other programmatic access to the cloud, only privileged session monitoring captures the real-time, interactive behavior of the user inside the session.
Privileged session management gives organizations transparency, oversight, and accountability for the activities performed by privileged users within privileged accounts. This visibility strengthens the overall security estate's resilience, compliance, and operational efficiency.