How to Detect and Prevent Insider Threats in a Virtual Environment [Hands-on Guide]

The rising use of virtual environments (VEs) has transformed the ways we work, offering increased flexibility and accessibility. However, this shift also introduces new security challenges. Traditional security measures may not work as effectively in VEs, which creates an opportunity for insider threat actors to exploit vulnerabilities to steal sensitive data, disrupt critical systems, or commit fraud.

This article reveals the importance of monitoring user activity in virtual environments. We’ll explore the unique challenges of virtual machine threat detection and show you how Ekran System can become your powerful ally in addressing these challenges. You’ll learn how to:

• Monitor user activity in virtual environments
• View and block user sessions
• Receive alerts on suspicious user activity
• Promptly respond to insider threats

Why monitor user activity in a virtual environment?

Managing insider threats in virtual environments is critical, as they leave the door open for potential privilege abuse, data exfiltration, and financial loss in your organization. However, traditional security measures might not be enough in VEs.

User activity monitoring (UAM) is an effective way to detect insider threats and other human-related risks on both physical machines and virtual ones. Here are the main benefits of user activity monitoring in virtual environments:

• Improved security posture
• Enhanced visibility into user actions with sensitive assets
• Prompt response to insider threats 
• IT security compliance adherence

While UAM in virtual environments is beneficial, it presents some unique challenges. Here are the key issues to consider:

Data overload

Virtual environments can be highly dynamic, with users spawning and deleting virtual machines (VMs) on demand. These constant changes can generate a massive amount of data about user activity, making it difficult to identify important security events or trends.

Attribution of user actions

In a virtual environment, it can be difficult to definitively link activity to a specific user. This can happen if many users share a VM or if a user logs into several VMs. Unclear attribution can make it hard to hold users accountable for their actions.

Limited visibility

Traditional monitoring tools may not capture all user actions within a VM. For example, activity within specific applications or data manipulation might be invisible, blocking you from seeing the bigger picture.

Privacy concerns

Employers must be careful about what user activity data they collect and how they use it. Finding the balance between monitoring for security or productivity reasons and respecting user privacy can take time and effort.

Recognizing user intent

Virtual environments can be used for various tasks, making it challenging to distinguish between normal and malicious user activity. A user copying a large amount of data could just be backing up their work — but they could also be exfiltrating sensitive information. Monitoring tools need to be sophisticated enough to consider context and user behavior patterns.

Cross-platform inconsistencies

VEs can encompass a mix of operating systems and applications. Monitoring solutions must be compatible with this variety, continuously tracking user activity data across different platforms.

Security risks from monitoring tools

The very tools used to monitor user activity can become security vulnerabilities themselves. If not properly secured, attackers can exploit these tools to gain access to user data or manipulate the virtual environment.

Impact on performance

Monitoring user activity can add overhead to the virtual environment, potentially impacting user performance. Striking a balance between comprehensive monitoring and maintaining a smooth user experience is crucial.

These challenges require careful planning and effective monitoring solutions that balance functionality with system performance, user privacy, and other considerations. Ekran System is one such product that can help you monitor your VE and address these issues.

About Ekran System

As a universal insider risk management platform, Ekran System can help your organization monitor user activity, manage access to critical endpoints, receive real-time alerts on user activity, respond to threats, and much more.

Ekran System is ideal for diverse IT environments with various operating systems and deployment architectures:

Monitoring virtual environments with Ekran System

Ekran System is suitable for virtual environments like VMware Horizon, Microsoft Hyper-V, and Citrix. Each Ekran System component supports virtual desktop infrastructure.

Ekran System is also the ideal solution for monitoring Citrix XenApp (Citrix Virtual Apps). If you’re dealing with a terminal server hosting multiple user sessions, you can install just one Ekran System software agent on the server to monitor all user sessions hosted on it.

Ekran System’s software agent can record Citrix sessions selectively: for example, you can record only a specified range of users or host IP addresses, or just record sessions that aren’t whitelisted.

If you want to audit work on virtual desktops and control access to them, you can install an Ekran System software agent directly on any live Citrix XenDesktop.

Ekran System can record and control any connection to the virtual machine performed by any protocol, including:

• RDP
• ICA/HDX
• VNC
• LogMeIn
• SSH
• TeamViewer

Note: To monitor both terminal and RDP sessions, you can install Ekran System’s software agent on a jump server.

Ekran System provides efficient virtual desktop infrastructure monitoring, including auditing of both the terminal server and each virtual machine.

Monitoring cloud environments with Ekran System

With Ekran System, you can monitor user activity on cloud desktops provided by Amazon WorkSpaces (for Windows and Linux). Moreover, you can monitor the use of non-persistent desktops and applications accessed via Amazon AppStream 2.0 from any desktop.

As with Amazon WorkSpaces, Ekran System can help you secure your Microsoft Azure cloud environment.

Leveraging Ekran System floating licensing

The unique floating licenses for Ekran System software agents are automated for dynamically changing virtual desktops. When a new desktop is created, a new Ekran System software agent delivered with the Golden Image is registered and gets a license from the general pool. When the desktop is shut down, this license is released and returned to the pool.

Thus, Ekran System allows for licenses from disconnected non-persistent virtual desktops to be automatically unassigned and further removed from the database. This ensures simplified maintenance and reduced software licensing costs.

Monitoring, viewing, and blocking user sessions

Mitigating insider threats in virtual environments is hard to ensure without monitoring user activity.

When the Ekran System software agent is installed on an endpoint, Ekran System monitors the activity of each user by default. Ekran System captures all user actions irrespective of whether they log in from a remote location, from a local workstation, or on a virtual machine:

The Monitoring Results page in the Ekran System Management Tool contains a list of all monitored user sessions.

To find the session you need, you can filter by various parameters, including operating system, target workstation, user name, IP address, remote host name, and more.

Suppose you need to find a session initiated by the remote ADMIN host on one of your workstations.

First, click the Where button and select the workstation you are interested in. Then, click More Criteria and select the Remote Host Name option from the drop-down list. On the Remote Host Name button that appears, select the ADMIN host.

To view the session you need, double-click it in the list of filtered sessions.

Once the Session Player opens, you can view the recorded screen captures along with metadata on different user actions. The Search field in the upper right allows you to search within user actions, such as typed keystrokes, visited URLs, or launched apps.

If the session contains potentially harmful user activity, it is marked with an Alert icon on the progress bar and highlighted in the activity log on the right. You can hover over the icon to view the alert details or click it to start playing the session from the moment the alert was triggered.

The image below depicts a scenario in which a user tries to run unauthorized software that could be used for file sharing and enabling remote access to the workstation.

If the user is still in the session, clicking the Live button lets you see what the user is doing in real time. If you consider the user’s actions suspicious, you can stop them by clicking the Block User button.

Promptly detecting and responding to insider threats

Software that detects and responds to suspicious user activity can enhance insider threat monitoring in virtual environments.

Ekran System’s real-time alerts allow you to automate insider threat detection and response. By enabling these alerts, you can get instant notifications and take immediate action whenever suspicious user activity is detected.

Built into Ekran System is a variety of default alerts, which cover the most common indicators of malicious activity. Ekran System’s comprehensive alert rule system also allows you to create custom alerts to detect specific user activity scenarios.

Say you need an alert that detects when any user creates a new virtual machine instance on a monitored endpoint (this scenario is included in the list of Ekran System’s default alerts).

On the Alert Management page, enter the alert name in the Search field and click the Edit icon to open its configurations.

The rules of each default alert are already predefined, so you just need to specify:

1. Endpoints you want to enable an alert for
2. A person to be notified via email when the alert is triggered
3. Automated response actions, if applicable

Response actions include displaying a warning message to the user that triggered the alert, blocking the user, or killing a suspicious process.

When you have finished specifying all the options, click Finish to save the alert configurations.

You can check the list of triggered alerts on the Alerts tab of the Monitoring Results page.Click the Play icon to start playing the session from the moment an alert was triggered.

Conclusion

Traditional security solutions struggle to keep pace with the dynamic nature, limited visibility, and cross-platform inconsistencies of virtual environments. By employing UAM solutions for virtual environments, your organization can gain an unparalleled view of all user activity. Real-time insights into user actions allow for the early detection and prevention of insider threats, significantly reducing the risk of data breaches and system disruptions.

Ekran System goes beyond UAM by providing real-time alerting and automated incident response capabilities, streamlining your security team’s workflow and minimizing damage. Moreover, Ekran System ensures secure access management to your critical endpoints, automates password management, and provides incident investigation capabilities to ensure all-around security in your virtual environment.