Privileged User Analytics

Andy Harris

As part of the PxM Platform, you can view how your privileged users are behaving. Being able to see user behaviour gives you the opportunity to highlight anomalous activity that could indicate an insider attack or a compromised privileged account.
Our real-world analysis has made it clear that SysAdmins do a lot of work outside working hours, especially during incidents, so out-of-hours activity on its own is not conclusive; even so, privileged user analytics can help indicate a security breach or an insider attack.
Although the start time of a connection can be an indicator of malicious behaviour, for instance someone logging in outside working hours, we have found that factors such as which systems are used and how long the connection lasts often correlate more strongly.
We built our analytics functionality around key factors like:
- Start time
- Session length
- Accounts used
- Originating IP addresses
All of these data points link back to Osirium’s reporting. Graphs show the trends, but reporting holds the specifics.
It's all about behaviour: these analytics show how each individual is working relative to the group. Using the PxM Platform's privileged account analytics, you can see how the server team and the network team behave. Taking different views lets you spot the outlying data points quickly.
Analytics Summary Page
The analytics summary page on the PxM Platform gives you an overview of all the logins to privileged user accounts, along with all the sessions those accounts had with devices. Hovering the mouse over a session brings up a detail panel giving the system, the role and the duration of the session.
The Session IPs view shows you which IP addresses were used to initiate sessions to systems and devices. How much this tells you depends heavily on the DHCP policy and how quickly addresses are reused: with short leases an address is a weak identifier for a host, but you can generally still tell the originating subnets, and where leases are long, so that one address stays with one host, the same account appearing concurrently from two different addresses can reveal account sharing.
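As an added example (this is not Osirium's code and does not assume the PxM Platform's data model or export format), the following Python scores constructed session records against the factors listed above: a per-account baseline for session length and for the systems used, with a light weight for off-hours starts since admins do work at night, followed by a check for the account-sharing pattern just described, the same account active at the same time from two different source addresses. The session records, the working hours, the weights and the minimum history length are all assumptions made for the illustration.

```python
"""Added example: anomaly scoring over privileged-session records.
Not Osirium's code; the records below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample sessions (not real data):
# (account, system, source IP, start time, duration in minutes)
SESSIONS = [
    ("alice", "db01", "10.1.1.10", "2020-03-02T09:05:00", 25),
    ("alice", "db01", "10.1.1.10", "2020-03-03T09:10:00", 30),
    ("alice", "db02", "10.1.1.10", "2020-03-04T10:00:00", 20),
    ("alice", "db01", "10.1.1.10", "2020-03-05T09:00:00", 28),
    ("alice", "fw01", "10.1.1.10", "2020-03-06T23:30:00", 240),  # new system, long, off-hours
    ("bob",   "web01", "10.1.2.20", "2020-03-02T14:00:00", 45),
    ("bob",   "web01", "10.1.2.20", "2020-03-03T14:30:00", 50),
    ("bob",   "web02", "10.1.2.20", "2020-03-04T15:00:00", 40),
    ("bob",   "web01", "10.1.2.21", "2020-03-04T15:10:00", 35),  # overlaps the previous one, other IP
    ("bob",   "web01", "10.1.2.20", "2020-03-05T14:00:00", 48),
]

WORK_HOURS = range(8, 18)   # assumed local working hours
MIN_HISTORY = 3             # assumed: sessions needed before an account's baseline is trusted
WEIGHTS = {"duration outlier": 2, "new system": 2, "off-hours": 1}  # assumed weights


def parse_session(rec):
    acct, system, ip, start, mins = rec
    t0 = datetime.fromisoformat(start)
    return {"account": acct, "system": system, "ip": ip_address(ip),
            "start": t0, "end": t0 + timedelta(minutes=mins), "minutes": mins}


def score_sessions(records, duration_factor=3.0):
    """Score each session against that account's own earlier sessions.

    Baseline: median session length with a robust spread (median absolute
    deviation) and the set of systems used so far. A session scores for a
    duration far above the norm, for a system the account has not used
    before, and lightly for an off-hours start. Nothing is scored against
    the baseline until MIN_HISTORY sessions exist, so thin histories do
    not produce false positives."""
    sessions = sorted(map(parse_session, records), key=lambda s: s["start"])
    history = defaultdict(list)
    results = []
    for s in sessions:
        prior = history[s["account"]]
        reasons = []
        if len(prior) >= MIN_HISTORY:
            durations = [p["minutes"] for p in prior]
            med = median(durations)
            mad = median(abs(d - med) for d in durations) or 1.0
            if (s["minutes"] - med) / mad > duration_factor:
                reasons.append("duration outlier")
            if s["system"] not in {p["system"] for p in prior}:
                reasons.append("new system")
        if s["start"].hour not in WORK_HOURS:
            reasons.append("off-hours")
        results.append({**s, "reasons": reasons,
                        "score": sum(WEIGHTS[r] for r in reasons)})
        prior.append(s)
    return results


def shared_account_sessions(records):
    """Sessions of one account that overlap in time from different source
    addresses. This is only evidence of sharing where DHCP leases are long
    enough that one address means one host for the overlap; with short
    leases an address may have moved between hosts."""
    by_acct = defaultdict(list)
    for s in map(parse_session, records):
        by_acct[s["account"]].append(s)
    hits = []
    for acct, sess in by_acct.items():
        sess.sort(key=lambda s: s["start"])
        for i, a in enumerate(sess):
            for b in sess[i + 1:]:
                if b["start"] >= a["end"]:
                    break  # sorted by start, so later sessions cannot overlap a
                if a["ip"] != b["ip"]:
                    hits.append((acct, str(a["ip"]), str(b["ip"]), b["start"].isoformat()))
    return hits


def originating_subnets(records, prefix=24):
    """Originating subnets per account; the subnet is usually readable even
    when individual addresses churn."""
    out = defaultdict(set)
    for s in map(parse_session, records):
        out[s["account"]].add(str(ip_network(f"{s['ip']}/{prefix}", strict=False)))
    return dict(out)


if __name__ == "__main__":
    for s in score_sessions(SESSIONS):
        if s["score"]:
            print(s["account"], s["system"], s["start"], s["score"], s["reasons"])
    print(shared_account_sessions(SESSIONS))
    print(originating_subnets(SESSIONS))
```

On the sample data only alice's long off-hours session on a system she had never used before is flagged, while bob's two overlapping sessions from 10.1.2.20 and 10.1.2.21 come out as the sharing candidate; the per-session start time alone would have flagged nothing for bob, which is the point made above about which factors carry the signal.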
If you’d like to find out more about the PxM Platform and privileged account analytics, get in touch.