Introducing the Industry’s First Intelligent Session Capture With EDR
by Sam Kumarsamy, on May 27, 2021
Privileged user accounts have elevated privileges such as Domain Administrator rights or root privileges. Privileged Access Management (PAM) solutions were developed to monitor and record privileged user account activity, or sessions. They monitor this privileged access to systems such as Windows, Linux and Mac machines. These PAM solutions help organizations meet audit and compliance requirements, conduct forensic analysis and protect critical assets against external and insider threats.
Traditional and well-known PAM vendors such as CyberArk, ThycoticCentrify and BeyondTrust achieve this goal by creating detailed session audits and video recordings of the on-screen activity of all IT administrator privileged sessions, including keystrokes and mouse movements.
But what happens when you have large media files, threat activities that are not recorded, or controls and compliance personnel such as auditors who struggle to find the time and resources to work through all those video recordings?
The Challenge with Current Privileged Session Recordings
Traditional session monitoring and recordings present challenges to IT security personnel as well as compliance and controls experts. For example, they:
- Produce large media files that complicate searching and data analysis
- Create a lot of work for auditors, compliance officers and security admins when they review and analyze video recordings for suspicious activity
- Do not provide comprehensive and near real-time visibility into all threat activity (privileged and non-privileged users) on endpoints: for example, a background download is not recorded
- Require additional infrastructure costs to manage and store information
- Are complex to deploy, use and manage, and have security blind spots (the session recording server acts as a man-in-the-middle (MITM) system)
To address these challenges, Remediant has taken a novel, innovative approach to enhance the recording and monitoring of a privileged user’s activity during a session.
Solution: Remediant Intelligent Session Capture (ISC)
Many companies have invested in Endpoint Detection and Response (EDR) solutions. EDR vendors such as CrowdStrike, VMware Carbon Black and SentinelOne monitor and record all endpoint activity including downloaded files (even those downloaded in the background that cannot be captured in screen recordings), network connections, OS processes and end-user activities.
They achieve this through EDR agents installed at each endpoint that collect this information and send it to the EDR console for analysis and reporting. EDR vendors also provide the ability to isolate infected endpoints, quarantine them, or both.
Remediant SecureONE software uses an agentless approach to discover and revoke unnecessary standing privileged access sprawl on Windows, Linux and Mac systems. It then administers Just-in-Time (JIT) privileged access as needed, along with MFA, to enable Zero Standing Privilege (ZSP) and implement Zero-Trust security.
Remediant is the first in the industry to recognize the advantage of partnering with an EDR vendor to provide a privileged session monitoring and recording capability that gives near real-time alerts on any external and insider threat activity during the JIT session. Through this integration, you can now pivot from the SecureONE console through an embedded “Investigate” link to the EDR console. From there, you can proactively look for any suspicious threat activity during the JIT session at the endpoints and mitigate it through a combination of Remediant and the EDR solution.
This unique capability offered by Remediant is called Intelligent Session Capture (ISC). Remediant ISC with EDR provides more complete session monitoring and recording by:
- Providing context around the time a privileged session started and ended. This, correlated with EDR continuous detection, helps better identify, confirm and respond to a nefarious incident in near real time during the JIT session
- Giving you more actionable alerts on privileged session monitoring and automatic intervention against endpoint threat activity
- Tracking everything that happened before, during and after the privileged session to fully understand the attack. This includes network connection, downloaded files, processes and other activities
Remediant Intelligent Session Capture (ISC)
USE CASE: Malicious insider is leveraging their privileged JIT session to exfiltrate sensitive data
- The insider admin signs into an endpoint with sensitive data, browses a website and, in the background, downloads malware
- The EDR captures this event
- To investigate, the IR team leverages Remediant Intelligent Session Capture (ISC) to determine that during a privileged session the malware activates on the endpoint and sends sensitive information to a C&C site (provides context during the privileged session)
- Remediant ISC helps the IR team pivot to the EDR console from within the Remediant SecureONE console to view all other systems the user has admin rights to during this JIT session
- At this stage, the IR team may either isolate or quarantine the malware-infected endpoint using their EDR solution
- Now the audit and compliance teams can easily search, review and analyze this JIT session and similar sessions without the complexity and limitation of screen recordings
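The correlation described in the ISC capability list and walked through in this use case, as an added example that is not Remediant's or any EDR vendor's code: it tags EDR events on the session's endpoint as before, during or after the JIT window, then surfaces outbound connections that follow a download made during the session. The record layouts, field names, host names and addresses are constructed assumptions, not a SecureONE or EDR schema.

```python
from datetime import datetime, timedelta

# Constructed JIT session record; field names are assumptions, not a real schema.
SESSION = {"user": "admin-jdoe", "host": "fin-db-01",
           "start": "2021-05-20T14:00:00", "end": "2021-05-20T14:30:00"}

# Constructed EDR telemetry; a real export would come from the EDR console.
EDR_EVENTS = [
    {"ts": "2021-05-20T13:52:10", "host": "fin-db-01", "type": "process", "detail": "backup.exe"},
    {"ts": "2021-05-20T14:03:41", "host": "fin-db-01", "type": "file_download", "detail": "update.bin (background)"},
    {"ts": "2021-05-20T14:05:02", "host": "fin-db-01", "type": "process", "detail": "update.bin"},
    {"ts": "2021-05-20T14:06:30", "host": "fin-db-01", "type": "network", "detail": "outbound 203.0.113.50:443"},
    {"ts": "2021-05-20T14:10:00", "host": "hr-app-02", "type": "network", "detail": "outbound 198.51.100.7:443"},
    {"ts": "2021-05-20T14:41:15", "host": "fin-db-01", "type": "network", "detail": "outbound 203.0.113.50:443"},
    {"ts": "2021-05-20T16:00:00", "host": "fin-db-01", "type": "process", "detail": "svchost.exe"},
]

def correlate(session, events, margin_minutes=15):
    """Tag each event on the session's host as before/during/after the JIT window."""
    start = datetime.fromisoformat(session["start"])
    end = datetime.fromisoformat(session["end"])
    margin = timedelta(minutes=margin_minutes)
    tagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["host"] != session["host"] or not (start - margin <= ts <= end + margin):
            continue  # different endpoint, or outside the review window
        phase = "before" if ts < start else "after" if ts > end else "during"
        tagged.append({**ev, "phase": phase, "user": session["user"]})
    return tagged

def download_then_egress(tagged):
    """Return outbound connections that follow a download made during the session."""
    first_dl = next((e["ts"] for e in tagged
                     if e["phase"] == "during" and e["type"] == "file_download"), None)
    if first_dl is None:
        return []
    return [e for e in tagged if e["type"] == "network" and e["ts"] > first_dl]

if __name__ == "__main__":
    timeline = correlate(SESSION, EDR_EVENTS)
    for e in timeline:
        print(e["ts"], e["phase"], e["type"], e["detail"])
    print("review:", [(e["ts"], e["phase"]) for e in download_then_egress(timeline)])
```

The margin keeps activity just outside the window in view, so a connection made after the JIT session ends is still tied back to the session that preceded it.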
Benefits of Intelligent Session Capture (ISC)
Remediant Intelligent Session Capture offers a new and more effective approach to session recording by partnering with EDR vendors. Here are some key benefits:
- Leverage your existing investment in an EDR solution. Obtain contextual data into privileged session activity while eliminating the need for additional infrastructure for recording and PAM agents
- Correlate privileged account activity by accessing the recordings of all endpoint activity from your EDR solution to expedite incident response and remediation in near real time
- EDR recordings of endpoint activities are easy and cost-effective to access, search and analyze for auditing, forensics and compliance purposes
To learn about Remediant Intelligent Session Capture and its current integration with EDR solutions, check out the video and visit our Partner page.