Decision Point: Alerts, Escalation and Review
Establish review and escalation procedures related to user activity data. Just because IT is essential to the evaluation and
implementation of your chosen solution does not mean you have to task them with reviewing all of the data. Determine
who in your organization should have access to the employee activity data, and under what circumstances.
Who Receives Alerts?
Here again, your goals and organizational structure will inform your decisions.
Anomaly alerts from your User Behavior Analytics solution should always be routed to the people in charge of maintaining security
in your organization. Since User Behavior Analytics is focused on insider threat, the people primarily responsible for incident
response need to receive the alerts.
In larger organizations, alerts are routed to your SIEM and to the security analysts in your SOC. Organizations that do not have a
SOC, or are not running a SIEM, will most likely want these alerts routed to the IT team.
User Activity Monitoring alerts related to securing resources and information should follow the same routing as User Behavior
Analytics alerts. Beyond that, if you are using alerts as part of an employee investigation, you will want to route them to the person
or team conducting that investigation. If you are monitoring for productivity purposes, the employee’s supervisor or manager is
likely the best person to receive alerts and reports.
As a general rule, alerts should be routed to the experts in your company who are in the best position to determine the severity of
a potential problem, so that the appropriate response can be formulated.
Who Receives Activity?
One of the compelling benefits of user activity monitoring is that review of what was done, by whom, and in what context,
can be conducted quickly, accurately, and efficiently. This does not mean that review should be taken lightly, however, or
that “anyone can do it.”
Perhaps the most important decision you will make is determining who has the ability to review detailed employee activity data.
Where user activity monitoring is being conducted, the review processes and procedures are in use continuously. A look back at the “causes” for active monitoring is useful here.
In the event of an investigation into a suspected incident, your company’s employee investigation procedures go into effect.
Who can initiate an employee investigation? Who needs to be informed that an investigation is needed? Starting? Concluded?
A best practice for companies conducting passive monitoring, once they have determined that sufficient probable cause exists to
warrant tilting the balance from employee privacy towards the needs of the company, is to employ a “two missile key” approach. Require
at least two approvals before kicking off an employee investigation: ideally one from HR or Legal, and the other from a
senior manager or their designee. Split the ability to access the employee activity data into two pieces as well, so that neither
approver can unlock it alone and proper procedure cannot be circumvented.
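The “two missile key” control described above can be enforced technically rather than only procedurally. The following is an added illustration, not code from the original document or from any monitoring vendor: the key that unlocks a sealed activity record is split 2-of-2 (XOR shares), one share is held by HR/Legal and the other by senior management, and a gate object accepts one approval per role from two different people before it will recombine the shares. Role names, approver names, the sample activity line and the HMAC-SHA256 counter-mode cipher are all constructed for the example; a production system would use an AEAD such as AES-GCM from a vetted library.

```python
"""Dual-control gate for opening an investigation into stored activity data (illustrative)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ROLE_HR_LEGAL = "hr_legal"          # assumed role names
ROLE_SENIOR_MGMT = "senior_mgmt"
REQUIRED_ROLES = (ROLE_HR_LEGAL, ROLE_SENIOR_MGMT)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: each share on its own is uniformly random and reveals nothing."""
    share_a = os.urandom(len(key))
    return share_a, _xor(key, share_a)


def join_key(share_a: bytes, share_b: bytes) -> bytes:
    return _xor(share_a, share_b)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream; the same call encrypts and decrypts."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return _xor(data, bytes(out[: len(data)]))


@dataclass(frozen=True)
class SealedRecord:
    nonce: bytes
    ciphertext: bytes
    tag: bytes  # HMAC over nonce || ciphertext (encrypt-then-MAC)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def seal(key: bytes, plaintext: bytes) -> SealedRecord:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return SealedRecord(nonce, ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest())


def unseal(key: bytes, rec: SealedRecord) -> bytes:
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, rec.nonce + rec.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec.tag):   # wrong key (e.g. a lone share) fails here
        raise ValueError("record tampered or wrong key")
    return _keystream_xor(enc_key, rec.nonce, rec.ciphertext)


@dataclass
class InvestigationGate:
    """Collects one approval, carrying one key share, from each required role."""
    subject: str
    approvals: dict = field(default_factory=dict)   # role -> (approver, share)
    audit_log: list = field(default_factory=list)

    def approve(self, role: str, approver: str, share: bytes) -> None:
        if role not in REQUIRED_ROLES:
            raise ValueError(f"unknown role {role!r}")
        if role in self.approvals:
            raise ValueError(f"{role} has already approved")
        if any(approver == who for who, _ in self.approvals.values()):
            raise ValueError("one person may not hold both keys")
        self.approvals[role] = (approver, share)
        self.audit_log.append(f"APPROVE subject={self.subject} role={role} by={approver}")

    def is_authorized(self) -> bool:
        return all(r in self.approvals for r in REQUIRED_ROLES)

    def open_activity(self, requester: str, record: SealedRecord) -> bytes:
        if not self.is_authorized():
            self.audit_log.append(f"DENY subject={self.subject} by={requester} reason=incomplete_approvals")
            raise PermissionError("both approvals are required")
        key = join_key(*(self.approvals[r][1] for r in REQUIRED_ROLES))
        data = unseal(key, record)
        self.audit_log.append(f"OPEN subject={self.subject} by={requester}")
        return data


def run_demo() -> dict:
    """Constructed scenario: one approval is refused, a lone share fails, two roles succeed."""
    key = os.urandom(32)
    hr_share, mgmt_share = split_key(key)
    record = seal(key, b"2024-05-02 10:14 jdoe copied roadmap.pptx to USB")  # constructed sample line
    del key  # only the two shares remain
    gate = InvestigationGate(subject="jdoe")
    gate.approve(ROLE_HR_LEGAL, "hr.lee", hr_share)
    results = {}
    try:
        gate.open_activity("analyst", record)
        results["single_approval_opened"] = True
    except PermissionError:
        results["single_approval_opened"] = False
    try:
        unseal(hr_share, record)
        results["single_share_opens"] = True
    except ValueError:
        results["single_share_opens"] = False
    try:
        gate.approve(ROLE_SENIOR_MGMT, "hr.lee", mgmt_share)  # same person, second key
        results["same_person_rejected"] = False
    except ValueError:
        results["same_person_rejected"] = True
    gate.approve(ROLE_SENIOR_MGMT, "vp.chen", mgmt_share)
    results["plaintext"] = gate.open_activity("analyst", record)
    results["audit_log"] = list(gate.audit_log)
    return results


if __name__ == "__main__":
    for line in run_demo()["audit_log"]:
        print(line)
```

The denied attempt and the successful open both land in the audit log, which is the record you would later audit for compliance with the procedure; the refused same-person approval raises before anything is recorded, so a real deployment would log that attempt as well.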
Using the same highly privileged user example referenced earlier, consider having regular, randomly sampled reviews of sys admin or
database admin activity conducted by someone outside of the IT chain of command (your CISO, for example), if your company
structure allows for it. If that is not an option, have the most senior person in your organization who is directly responsible for
protecting the company’s data and sensitive information conduct the reviews. The disproportionate amount of damage highly
privileged users can cause requires a proportionate amount of scrutiny.
Given the strong evidence that departing employees frequently take corporate IP with them when they leave, having IT
security review the digital activity of employees during this high-risk exit period is not only prudent; it should be mandatory.
Action Item: Ensure Adherence to Policies and Procedures
Whatever policies you put in place, make sure you are auditing compliance with them, and select a solution that supports that
need. By having controls in place that both prevent changes from being made by unauthorized personnel and log (and alert on)
any changes that are made, you gain the peace of mind that your controls are not being circumvented, and the ability to
confidently assure anyone who may have concerns that you have taken appropriate steps to implement employee activity
monitoring the “right way.”