
Record access and changes to your database

Written by Cyberangels
Updated over 2 years ago

It is difficult to know what happens to critical resources if no one is monitoring them.

Definition of access monitoring

Access monitoring consists of proactively or reactively observing and analyzing what happened while a user was in a session. A session is defined as a single event in which a user exercised his or her access rights, or the period of time in which a user was "logged in" to a resource, presumably to perform work.

In short, access monitoring is the process of double-checking to ensure that an organization's access policies and controls are working as they should.

Components of access monitoring

Proactive monitoring consists of observing or analyzing a session without a predefined reason for review. It is often conducted in real time, or as close to it as possible, across a large set of sessions, and provides a broad and comprehensive view of what is happening in a system.

Reactive monitoring is observation or analysis after a session, carried out for a specific reason. Reactive monitoring requires the presence of systems and tools to record sessions. It typically applies to a single session or a small subset of sessions and is most commonly used as part of an incident investigation. It is an after-the-fact activity, tightly focused on what the monitor is observing.

Observation is the passive collection or review of information from the session. Observation is necessary for analysis, but not vice versa. Access monitoring does not exist without observation.

Analysis is the querying of collected information or data. It can be used in both proactive and reactive use cases. Once observation is completed, analysis of a particular session or data can be performed.

Good access monitoring practices

1. Complete the analysis with observation

As mentioned above, you can have observation without analysis, but you cannot have analysis without observation. An effective access monitoring strategy uses both, which can work together to create a complete picture of what is happening within a system. Proactive record analysis can flag a suspicious event, but reactive observation of a session can provide additional context and highlight the details of what happened.

2. Use proactive observation sparingly

Because it often occurs in real time, proactive observation is the most time-consuming and often ineffective form of access monitoring. Without parameters, a user might observe too much, for too long, in real time without understanding what they are observing. However, it has advantages if used sparingly and strategically. For high-risk, low-frequency access points and resources, using a different set of eyes can protect what is most critical to an organization.

3. Proactive monitoring of high-frequency and high-risk access

High-frequency and high-risk accesses, such as those to patient records, should be proactively monitored as a best practice. Using proactive analysis of session data, instances of anomalies, threats, or abuse can be quickly identified. In addition, subsequent reactive observation can confirm or disprove suspicion and provide more critical context as part of an investigation.
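The following is an added example, not part of the original article: a small proactive analysis pass over recorded session data that flags sessions on a high-risk resource for later reactive observation. The session records are constructed, and the field names, working hours, resource classification and volume threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample session records (not real data). Field names are assumptions.
SESSIONS = [
    {"id": "s1", "user": "alice", "resource": "patient_records", "start": "2024-03-04T09:15:00", "records": 12},
    {"id": "s2", "user": "alice", "resource": "patient_records", "start": "2024-03-05T10:02:00", "records": 9},
    {"id": "s3", "user": "alice", "resource": "patient_records", "start": "2024-03-06T14:40:00", "records": 15},
    {"id": "s4", "user": "alice", "resource": "patient_records", "start": "2024-03-07T02:13:00", "records": 11},
    {"id": "s5", "user": "bob", "resource": "patient_records", "start": "2024-03-04T11:00:00", "records": 20},
    {"id": "s6", "user": "bob", "resource": "patient_records", "start": "2024-03-05T11:30:00", "records": 22},
    {"id": "s7", "user": "bob", "resource": "patient_records", "start": "2024-03-06T13:05:00", "records": 310},
    {"id": "s8", "user": "bob", "resource": "cafeteria_menu", "start": "2024-03-06T23:50:00", "records": 500},
]

HIGH_RISK = {"patient_records"}   # assumed resource classification
WORK_HOURS = range(7, 20)         # assumed: 07:00-19:59 local time
VOLUME_FACTOR = 5                 # assumed: flag at 5x the user's median


def flag_sessions(sessions):
    """Return {session_id: [reasons]} for high-risk sessions worth reactive review."""
    by_user = defaultdict(list)
    for s in sessions:
        if s["resource"] in HIGH_RISK:
            by_user[s["user"]].append(s)

    flagged = {}
    for user, rows in by_user.items():
        for s in rows:
            reasons = []
            if datetime.fromisoformat(s["start"]).hour not in WORK_HOURS:
                reasons.append("outside working hours")
            # Baseline excludes the session under test so an outlier cannot mask itself.
            others = [r["records"] for r in rows if r is not s]
            if others and s["records"] > VOLUME_FACTOR * median(others):
                reasons.append("record volume above baseline")
            if reasons:
                flagged[s["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(SESSIONS).items():
        print(sid, "->", ", ".join(reasons))
```

The flagged session IDs are the short list handed to reactive observation; the analysis only narrows down where to look and does not by itself confirm abuse.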
