Which login sessions should be recorded?
When deploying a session recording system, the first question is which sessions to record. There are several possibilities:
- All sessions, by all users.
- All sessions connected to sensitive systems.
- All sessions initiated by high-risk users.
- Sessions marked as unusual -- for example because of time-of-day, day-of-week, originating IP address or device type, or because the user in question has never before connected to the (type of) system in question.
- All sessions where a regulator mandates capture.
The cost and impact of session recording technology directly affect how this question is answered. If capturing more sessions is relatively inexpensive and does not noticeably slow down the work of the affected users, then it makes sense to record more sessions. As the cost of capture, transmission and storage increases, it makes sense to be more selective about what to record.
Since session recording can, in practice, have significant impact on the network and storage resources, Hitachi ID Systems recommends a risk-based approach, rather than trying to capture every session mediated by the privileged access management system.
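The risk-based selection described above, written out as an added example (not Hitachi ID's own code): each criterion from the list becomes a check, and a session is recorded when any of them applies. The system names, user names, network ranges and business hours are constructed placeholders; `history` maps each user to the system types they have previously connected to.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy inputs; a real deployment would load these from the PAM system.
SENSITIVE_SYSTEMS = {"db-prod-01", "dc-01"}
HIGH_RISK_USERS = {"contractor-jdoe"}
REGULATED_SYSTEMS = {"payments-gw"}          # sessions a regulator requires to be captured
CORPORATE_NETS = [ip_network("10.0.0.0/8")]  # anything else counts as an unusual origin
BUSINESS_HOURS = range(8, 18)                # 08:00-17:59, Monday to Friday
KNOWN_DEVICE_TYPES = {"managed-laptop"}

@dataclass
class Session:
    user: str
    system: str
    system_type: str
    started: datetime
    source_ip: str
    device_type: str

def unusual_reasons(s: Session, history: dict[str, set[str]]) -> list[str]:
    """Return the 'unusual session' indicators (time, day, origin, device, novelty) that apply."""
    reasons = []
    if s.started.weekday() >= 5 or s.started.hour not in BUSINESS_HOURS:
        reasons.append("off-hours")
    if not any(ip_address(s.source_ip) in net for net in CORPORATE_NETS):
        reasons.append("external-ip")
    if s.device_type not in KNOWN_DEVICE_TYPES:
        reasons.append("unmanaged-device")
    if s.system_type not in history.get(s.user, set()):
        reasons.append("first-time-system-type")   # user never connected to this kind of system
    return reasons

def recording_decision(s: Session, history: dict[str, set[str]]) -> tuple[bool, list[str]]:
    """Risk-based decision: record when any criterion applies; the reasons are kept for audit."""
    reasons = []
    if s.system in REGULATED_SYSTEMS:
        reasons.append("regulator-mandated")
    if s.system in SENSITIVE_SYSTEMS:
        reasons.append("sensitive-system")
    if s.user in HIGH_RISK_USERS:
        reasons.append("high-risk-user")
    reasons += unusual_reasons(s, history)
    return (bool(reasons), reasons)
```

Keeping the list of reasons alongside the decision lets the recording policy be reviewed later, which matters when a session is later examined as evidence.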
What data should be captured?
The data that can be recorded from a modern, graphical user interface is extensive. It includes:
- Screen video -- i.e., image files of the contents of a single application or of a user's graphical desktop.
- Process information, such as the names of and arguments passed to running programs.
- User interface elements, such as window titles, labels and text from input fields.
- Keyboard events, such as key presses and releases.
- Pointer device (mouse) events, such as movement and button clicks.
- The contents of the operating system copy buffer.
- Filesystem events, such as mounting or detaching network drives or removable media.
- File transfers, such as copying files from one filesystem to another.
- Video or image streams from a video capture device such as a webcam.
- Network data transfers, such as e-mails or web pages.
At a minimum, when recording the login sessions of a user connecting to privileged accounts, it makes sense to capture what the user typed and what the system displayed. This means screen video capture as well as capture of input from both the keyboard and the copy buffer.
Regarding video capture, it may make sense to capture the user's entire desktop, so that in the event that the user downloaded a file with sensitive data to his computer, the recording will show what he then did with that file. For instance, if a sensitive file was briefly examined -- as would be normal in the context of troubleshooting -- and then deleted, the action can be interpreted as harmless. On the other hand, if a sensitive file was copied to a USB flash drive or sent to the user's personal GMail account, the action can be interpreted as malicious.
Regarding input capture, it makes sense to capture both keyboard events and copy buffer contents. This is because the user may have constructed commands in advance and pasted them into the login session, without generating any keyboard events.
Finally, it may make sense to capture webcam video. This is useful in the event of serious misconduct leading to legal proceedings. When this happens, the user in question may claim that the recorded actions were taken by someone else -- i.e., "that wasn't me -- someone must have stolen my password!" With webcam capture, this argument won't work, since images of the user who performed the actions in question will accompany screen captures and input events.