Session Recording is Dead, Long Live Intelligent Session Capture
by Tim Keeler, on Jun 20, 2022
Session recording has traditionally been considered one of the core capabilities of a mature Privileged Access Management (PAM) implementation. The idea is straightforward: an administrator logs into a jump box/bastion host, and that system brokers a connection to the target system. During this "session" the platform records the administrator's activity, capturing a video of the screen, the mouse clicks, and the keystrokes. Some platforms even let you watch a live session or terminate a session in progress.
Pretty cool, right?
I had the pleasure of sitting in on a Gartner conference talk on PAM capabilities, and they emphasized session recording as a critical capability. They made a pretty bold statement: you need to be recording and reviewing all administrator activity.
That struck a chord with me. That seems crazy hard (and expensive) to do. So I decided to spend the rest of the conference, and the next few conferences (including RSA), talking to large and mid-size enterprises to see what they actually do. I've had nearly 100 conversations, and here is what I resoundingly heard.
We record, but don't review
For companies that have a robust session recording infrastructure, nearly everyone said they archive their video recordings but never actively review what's been done. One CISO I spoke with laughed:
"Dedicate people to watch what admins have done? Ha - that's funny. I'm not wasting resources there."
And that was pretty much the consensus across the board. Organizations only review the activity after a known malicious action, and by then it's too late. Largely, there was pushback against the guidance that you need to be reviewing all admin activity.
It's expensive. Like really expensive. And hard.
I spoke to a number of companies that have spent millions on licensing alone to implement session recording. That didn't include the infrastructure built to hold terabytes or petabytes of video, or the servers needed to run the jump hosts themselves. For companies with over 100,000 servers and workstations, session recording was implemented on only a few hundred to a few thousand servers. Ensuring the infrastructure scales to funnel all of that administrative traffic through the jump servers was a consistent technical barrier.
Due to the cost and implementation challenges, most companies are forced to pick and choose the servers they deem critical enough to put behind a jump box (session recording gateway). They make a risk-based decision to leave the remaining servers unprotected and open to lateral movement.
It ticks the audit & compliance checkbox
Especially for regulated companies, this often satisfies regulatory and compliance requirements to show that controls exist over admin-level changes. Teams build the session recording infrastructure, dedicate a team to it, and the auditors stay off their back.
Here's what security teams are missing and wanting
One senior security architect I interviewed put it succinctly:
"Reviewing admin recordings is completely archaic. It takes me back to the 90's - and not in a good way. Security teams want and need to know immediately when something bad happens. Not when watching security footage of something that happened days or weeks ago. Watching a video (with key logging) misses a lot of the detail. How do I deal with something like this?
More importantly, session recording generally gives a false sense of security. What most people don't realize is admins use RDP, while attackers use RPC/SMB. If I'm looking for lateral movement and to compromise a server, I use a mimikatz/meterpreter shell directly, and a jump box provides no defense against that if Windows file sharing is allowed on the network."
And I get it. There’s a lot to be missed here.
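The RDP-versus-SMB/RPC point above is visible in the target's own logon events, which is one way to catch what the jump box never sees. The following is an added example, not code from the original post or from Remediant: it runs a check over constructed, simplified Windows Security Event ID 4624 records and flags privileged logons that did not arrive as RDP from the jump host. The account names, the jump-host IP, and the sample events are hypothetical.

```python
"""Flag privileged logons that bypassed the session-recording jump host.

Added example (not from the original post). Events are a constructed,
simplified rendering of Windows Security Event ID 4624 fields; account
names and the jump-host IP are hypothetical.
"""
import json

# Assumed environment values (hypothetical): accounts the PAM program treats
# as privileged, and the IP address of the recording jump host / bastion.
PRIVILEGED_ACCOUNTS = {"CORP\\srv-admin", "CORP\\sql-ops"}
JUMP_HOSTS = {"10.10.0.5"}

# Windows 4624 LogonType values relevant to this check.
LOGON_TYPE = {
    2: "Interactive",         # local console
    3: "Network",             # SMB, RPC, WMI, PsExec-style remote execution
    10: "RemoteInteractive",  # RDP / Terminal Services
}

# Constructed sample events: one brokered RDP session from the jump host,
# one NTLM network logon by the same admin account from a workstation,
# one non-privileged network logon, one Kerberos network logon by another
# privileged account, and a logoff (4634) that the check must ignore.
SAMPLE_EVENTS = [
    '{"EventID":4624,"Computer":"srv-db-01","TargetDomainName":"CORP","TargetUserName":"srv-admin","LogonType":10,"IpAddress":"10.10.0.5","AuthenticationPackageName":"Kerberos"}',
    '{"EventID":4624,"Computer":"srv-db-01","TargetDomainName":"CORP","TargetUserName":"srv-admin","LogonType":3,"IpAddress":"10.10.7.42","AuthenticationPackageName":"NTLM"}',
    '{"EventID":4624,"Computer":"srv-db-01","TargetDomainName":"CORP","TargetUserName":"jdoe","LogonType":3,"IpAddress":"10.10.7.42","AuthenticationPackageName":"Kerberos"}',
    '{"EventID":4624,"Computer":"srv-app-02","TargetDomainName":"CORP","TargetUserName":"sql-ops","LogonType":3,"IpAddress":"10.10.9.9","AuthenticationPackageName":"Kerberos"}',
    '{"EventID":4634,"Computer":"srv-db-01","TargetDomainName":"CORP","TargetUserName":"srv-admin","LogonType":10}',
]


def parse_event(line):
    """One JSON object per line (real collectors emit XML/EVTX; simplified here)."""
    return json.loads(line)


def classify(ev):
    """Return None when the logon is acceptable, otherwise an alert dict."""
    if ev.get("EventID") != 4624:
        return None
    account = ev["TargetDomainName"] + "\\" + ev["TargetUserName"]
    if account not in PRIVILEGED_ACCOUNTS:
        return None
    ltype = ev["LogonType"]
    src = ev.get("IpAddress", "-")
    # The brokered path is RDP (type 10) arriving from the jump host; that is
    # the only privileged logon the session recorder ever sees.
    if ltype == 10 and src in JUMP_HOSTS:
        return None
    severity = "high" if ltype == 3 else "medium"
    # A type-3 NTLM logon with a privileged account is the footprint that a
    # pass-the-hash move over SMB/RPC leaves on the target.
    if ltype == 3 and ev.get("AuthenticationPackageName") == "NTLM":
        severity = "critical"
    return {
        "host": ev["Computer"],
        "account": account,
        "logon_type": LOGON_TYPE.get(ltype, str(ltype)),
        "source": src,
        "auth": ev.get("AuthenticationPackageName"),
        "severity": severity,
    }


def flag_unbrokered_admin_logons(lines):
    """Run the check over a stream of event lines; returns alerts in order."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in flag_unbrokered_admin_logons(SAMPLE_EVENTS):
        print(a)
```

On the sample data the brokered RDP logon and the non-privileged logon pass, the NTLM network logon by srv-admin from a workstation is flagged as critical, and the Kerberos network logon by sql-ops is flagged as high. This is a detective, compensating control; the structural fix the quote points at is to restrict SMB/RPC/WinRM (445, 135 and the dynamic RPC range, 5985/5986) on servers to the jump hosts, so that the brokered path is the only path.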
Introducing Intelligent Session Capture
To recap what I overwhelmingly heard in my interviews, security teams need the following capabilities for session capture to add meaningful security value:
- Real-time automated alerting on malicious activity
- Forensics-level detail of activity: foreground, background, and network processes
- Scales to the entire infrastructure, not just to a confined set of systems
- Not cost-prohibitive to scale
- Meets regulatory and compliance controls
Thinking about these needs, and drawing on my background in incident response, I realized that EDR/XDR technologies already contain a number of these core capabilities. Remediant is ecstatic to partner with some of the best EDR/XDR companies (SentinelOne, CrowdStrike, and Carbon Black) and has introduced a new SecureONE integration we are calling Intelligent Session Capture.
EDR/XDR does a fantastic job of capturing forensics-level activity detail. More importantly, it has the context to understand when malicious activity occurs, whether from an external or internal actor. We wanted to tap into this power.
Intelligent Session Capture provides admin-level context to EDR/XDR so you can understand what activity occurred, when, and by whom. In the example above, where you see a PowerShell script being executed and subsequently deleted, you have zero context for what actually occurred. With Intelligent Session Capture, you get a detailed analysis of what the script did, the chain of process execution, and the specific websites it reached out to.
Most importantly, you get a real-time alert when malicious behavior is detected, so you can respond immediately.
With this approach you can leverage your existing EDR/XDR investment and instantly scale to every system in your company. You don't need to build and own a massive infrastructure. You also get instant visibility with historical tracing, which meets the vast majority of regulatory and compliance controls.
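To make the "who, when, and by whom" correlation concrete, here is an added example that is not Remediant's integration code and assumes nothing about any vendor's API. It joins constructed EDR telemetry (process, file and network events in a simplified schema) with hypothetical just-in-time admin grants, rebuilds the process chain for a PowerShell run that deletes its own script, lists the destinations that process reached, and attributes the activity to the admin session that covered it, or marks it unattributed when no grant does. Record shapes, host names, users and paths are all constructed.

```python
"""Correlate EDR telemetry with just-in-time admin grants.

Added example, not the vendor's code. The event schema, the grant records,
and every host/user/path value below are constructed assumptions.
"""
from datetime import datetime


def ts(s):
    return datetime.fromisoformat(s)


# Hypothetical PAM records: who held admin rights on which host, and when.
ADMIN_GRANTS = [
    {"host": "srv-db-01", "user": "CORP\\jdoe",
     "start": ts("2022-06-01T10:00:00"), "end": ts("2022-06-01T11:00:00")},
]

# Constructed EDR telemetry for srv-db-01: explorer -> cmd -> powershell,
# an outbound connection from powershell, then deletion of the script.
EDR_EVENTS = [
    {"type": "process", "ts": ts("2022-06-01T10:12:00"), "host": "srv-db-01",
     "pid": 400, "ppid": 1, "user": "CORP\\jdoe",
     "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "ts": ts("2022-06-01T10:12:30"), "host": "srv-db-01",
     "pid": 512, "ppid": 400, "user": "CORP\\jdoe",
     "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "ts": ts("2022-06-01T10:13:00"), "host": "srv-db-01",
     "pid": 620, "ppid": 512, "user": "CORP\\jdoe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ep bypass -f C:\\Temp\\update.ps1"},
    {"type": "network", "ts": ts("2022-06-01T10:13:05"), "host": "srv-db-01",
     "pid": 620, "dest": "files.example.net:443"},
    {"type": "file", "ts": ts("2022-06-01T10:13:20"), "host": "srv-db-01",
     "pid": 620, "action": "delete", "path": "C:\\Temp\\update.ps1"},
]


def process_chain(events, pid):
    """Walk ppid links back to the root; the process itself comes first."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def attribute(event, grants):
    """Return the admin grant covering this event's host/user/time, or None."""
    for g in grants:
        if (g["host"] == event["host"] and g["user"] == event["user"]
                and g["start"] <= event["ts"] <= g["end"]):
            return g
    return None


def script_path(cmdline):
    """Pull the argument after -f/-File. Matches this sample's command-line
    shape only; it is not a general PowerShell argument parser (assumption)."""
    parts = cmdline.split()
    for i, p in enumerate(parts):
        if p.lower() in ("-f", "-file") and i + 1 < len(parts):
            return parts[i + 1]
    return None


def analyze_script_runs(events, grants):
    """One alert per PowerShell process whose script file was later deleted."""
    alerts = []
    for p in (e for e in events
              if e["type"] == "process" and e["image"].lower() == "powershell.exe"):
        path = script_path(p["cmdline"])
        if not path:
            continue
        deleted = any(e["type"] == "file" and e["action"] == "delete"
                      and e["path"].lower() == path.lower() and e["ts"] >= p["ts"]
                      for e in events)
        if not deleted:
            continue
        dests = sorted({e["dest"] for e in events
                        if e["type"] == "network" and e["pid"] == p["pid"]})
        grant = attribute(p, grants)
        alerts.append({
            "host": p["host"],
            "script": path,
            "chain": [c["image"] for c in process_chain(events, p["pid"])],
            "network": dests,
            "admin_session": grant["user"] if grant else None,
            "verdict": "attributed-admin-activity" if grant
                       else "unattributed-script-deleted",
        })
    return alerts


if __name__ == "__main__":
    for a in analyze_script_runs(EDR_EVENTS, ADMIN_GRANTS):
        print(a)
```

With the grant present, the run is attributed to CORP\jdoe's admin session along with its chain (powershell.exe under cmd.exe under explorer.exe) and the destination it contacted; with an empty grant list the same telemetry yields an unattributed verdict, which is the case that should page someone. Matching on the script path is deliberately exact so a script deleted by a different process still counts; tighten it to the deleting pid only if that produces too much noise in your environment.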
We believe Intelligent Session Capture provides superior security and compliance controls, while providing a major cost-saving benefit to customers.
If you'd like to learn more about Intelligent Session Capture or the principle of least privilege, drop us a note. We're always looking to expand our capabilities and partner with others. If you'd like another EDR/XDR platform to be supported, let me know at firstname.lastname@example.org and I'm happy to talk.