The Lockdown

Thycotic’s Cyber Security Blog

Complete Guide to Leveraging Session Recording to Improve Accountability and Meet PCI Compliance


Written by Barbara Hoffman

March 5th, 2019

You’ve set up policies. You’ve trained your team. You’ve vetted third parties. But, even the most proactive privilege security strategy can’t account for every situation and every type of risky behavior.  

Today many Thycotic customers rely on session recording and monitoring capabilities for added peace of mind. If any privileged user adds a backdoor account or makes an unauthorized configuration change, your team can identify who accessed the system, quickly review what they did, and respond accordingly. 

Session monitoring and recording capabilities give you an additional layer of oversight and help you hold users accountable for their actions when accessing privileged accounts.  

See Secret Server’s updated session recording in action 

Watch product manager Richard Wang’s on-demand Secret Server 10.6 webinar where he shares the latest advancements in session recording. With this latest release, we’ve enhanced session management and recording capabilities, making it three times faster to create a session video for review and audit and using one-tenth the bandwidth. 

Monitoring privileged sessions to meet PCI DSS 

Did you know 50% of organizations fail their annual PCI audit? Increasingly stringent compliance requirements call for companies to monitor actions performed by privileged accounts and this can be quite the challenge. Because privileged credentials are a prime target of hackers—they often unlock access to cardholder data—PCI DSS 3.2 focuses on controlling and protecting privileged accounts.

Of the 12 main sections of PCI DSS 3.2, 6 directly relate to privilege management.

How do session monitoring and reporting directly map to PCI DSS 3.2 requirements?

Requirement 2.6 – Shared hosting providers must protect each entity’s hosted environment and cardholder data; Requirement 7.1 – Limit access to system components and cardholder data to only those individuals whose job requires such access

Session monitoring and reporting provide a critical layer of protection for cardholder data by controlling and recording all privileged access to the hosted environment, so that every session can be tied back to an individual whose job required it.

Requirement 7.2 – Establish access control system: Establish an access control system that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed

Implementing Role-Based Access Control (RBAC) for privileged credentials, and restricting and monitoring access to sensitive accounts through session recording, let you meet this requirement and provide an audit trail that cannot be quietly edited. Another important control is the ability to terminate a live session quickly if needed.

Requirement 10.1 – Link access to users: Implement audit trails to link all access to system components to each individual user

Through session monitoring and recording, your team maintains immutable logs as to who accessed what privileged credential and when.

Requirement 10.2 – Implement automated audit trails: Implement automated audit trails for all system components to reconstruct events

Reporting capabilities allow your team to record and review the exact actions that were taken on a session. This is extremely powerful should auditors need to reconstruct events.

Requirement 10.3 – Record specific audit events: Record at least the following audit trail entries for all system components for each event:

  • User identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Origination of event
  • Identity or name of affected data, system component, or resource

Session recording captures each of these entries and lets auditors and your security administrators link a privileged event back to a single user.

Requirement 10.5 – Secure audit trails: Secure audit trails so they cannot be altered

A Privileged Access Management (PAM) solution should ensure that session recordings and their associated audit records cannot be altered or deleted by the users they record, administrators included. Write-once storage and an integrity check over each recording are the usual way to demonstrate this to an auditor, and removal should happen only when the retention policy (Requirement 10.7) allows it.
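The two requirements above, 10.3 (what each entry must contain) and 10.5 (the trail must not be alterable), can be illustrated together with a hash-chained audit trail. The block below is an added example, not Secret Server’s or any vendor’s implementation: each entry carries the 10.3 fields and is linked to the previous entry by a SHA-256 hash, so editing, removing or reordering any entry is caught at verification time. The `GENESIS` sentinel, the field names and the sample events are all assumptions made for the illustration.

```python
"""Tamper-evident audit trail for privileged-session events.

Added illustration, not Secret Server's or any vendor's implementation.
Each entry carries the PCI DSS 10.3 fields and is linked to the previous
entry by a SHA-256 hash, so altering, removing or reordering any entry
is detected when the chain is verified. Record contents are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel "previous hash" for the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible;
    # the entry's own "hash" field is excluded from what is hashed.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


def append_entry(trail: list, *, user_id, event_type, timestamp, success,
                 origin, resource) -> dict:
    """Append one 10.3-style entry chained to the last entry in `trail`."""
    entry = {
        "user_id": user_id,            # user identification
        "event_type": event_type,      # type of event
        "timestamp": timestamp,        # date and time (UTC, ISO 8601)
        "success": success,            # success or failure indication
        "origin": origin,              # origination of event
        "resource": resource,          # affected data, component or resource
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: list):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry.get("prev_hash") != prev or _digest(entry) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None


def build_sample_trail() -> list:
    """Constructed sample: a secret checkout, a session start, a failed command."""
    trail = []
    append_entry(trail, user_id="alice", event_type="secret_checkout",
                 timestamp="2019-03-05T14:02:11Z", success=True,
                 origin="10.0.4.17", resource="secret:db-cardholder-01/root")
    append_entry(trail, user_id="alice", event_type="session_start",
                 timestamp="2019-03-05T14:02:19Z", success=True,
                 origin="10.0.4.17", resource="host:db-cardholder-01")
    append_entry(trail, user_id="alice", event_type="command",
                 timestamp="2019-03-05T14:05:40Z", success=False,
                 origin="10.0.4.17", resource="useradd svc_backdoor")
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))   # (True, None)
    trail[2]["success"] = True              # an insider "fixes" the failed command
    print("edited:", verify_trail(trail))   # (False, 2)
    trail = build_sample_trail()
    del trail[1]                            # the session start is removed
    print("deleted:", verify_trail(trail))  # (False, 1)
```

The chain only proves that nothing changed after the hashes were written; to stop an administrator from rewriting the whole chain, the head hash must periodically leave the administrator’s control, for example by being forwarded to the SIEM or written to write-once storage.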

Requirement 10.6 – Review logs and security events: Review logs and security events for all system components to identify anomalies or suspicious activity

Session monitoring capabilities give PAM administrators a view of all privileged user sessions in real time or after the fact. Many Thycotic customers prefer to set up alerts so they know when active sessions are initiated or they leverage their SIEM solution where these events can be correlated and logged with different alert levels depending on their severity. If an administrator sees something concerning, they can send a message directly to the user or quickly terminate a session if necessary.  

Requirement 10.7 – Retain audit history: Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup)

It’s critical to maintain accurate historical data, and your team should make it a practice never to delete a record before its retention period has expired.

Get your complete guide to addressing PCI DSS requirements around privileged users and accounts.

Forensic audits of all privileged account activities 

Advanced PAM solutions allow for privileged sessions to be recorded, archived and played back whenever you need to review them, as part of compliance or forensic audits. All keystrokes during privileged sessions can also be recorded. You get an end-to-end audit trail from when users first checked out a secret to when they logged off after completing their session. Once a session is recorded, it can be stored on disk and archived based on your company’s retention policy. 

What do you and your auditors need to know? 

Simply knowing who logged into a system with administrator credentials isn’t sufficient for most compliance requirements. You need a complete record of privileged session activity. If someone adds a backdoor account or makes an unauthorized change, you MUST be able to review what happened and react quickly to prevent further damage. 

When setting up alerts or reviewing recorded sessions, you may want to search for specific red flags or potential high-risk activity, such as:  

  • Privileged sessions related to your most critical systems or highly sensitive data 
  • New contractors and third parties you want to watch with extra care 
  • Administrative commands, such as sudo on SSH sessions 
  • All sessions that had PowerShell running 
  • All sessions with custom applications 
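The red flags listed above are rules that can be run over a keystroke export from recorded sessions before anyone sits down to watch video. The block below is an added example, not Thycotic’s code. It assumes an export format of one JSON object per line with `session_id`, `user`, `user_type`, `host`, `protocol` and the `command` entered; the host inventory, the custom application path and the sample lines are constructed for the illustration. Sessions are triaged per session, not per command, so a reviewer sees one line per session with a priority.

```python
"""Red-flag triage over recorded privileged sessions.

Added example, not Thycotic's code. The export format is assumed: one
JSON object per line with session_id, user, user_type, host, protocol and
the command typed, as a keystroke export from a session recorder might
produce. The host inventory and the sample lines are constructed.
"""
import json
import re
from collections import defaultdict

CRITICAL_HOSTS = {"db-cardholder-01", "pay-gw-02"}   # assumed CDE inventory
WATCHED_USER_TYPES = {"contractor", "third_party"}    # new third parties
CUSTOM_APPS = ("/opt/acme/settle",)                   # assumed custom app path

SUDO_RE = re.compile(r"^\s*sudo\b")
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)

# Constructed sample export, one command event per line.
SAMPLE_EXPORT = """
{"session_id": "s1", "user": "alice", "user_type": "employee", "host": "build-01", "protocol": "ssh", "command": "ls -la /etc/nginx"}
{"session_id": "s1", "user": "alice", "user_type": "employee", "host": "build-01", "protocol": "ssh", "command": "sudo systemctl restart nginx"}
{"session_id": "s2", "user": "bob", "user_type": "contractor", "host": "db-cardholder-01", "protocol": "rdp", "command": "powershell.exe -nop -w hidden"}
{"session_id": "s3", "user": "carol", "user_type": "employee", "host": "app-07", "protocol": "ssh", "command": "/opt/acme/settle --batch 2019-03-05"}
{"session_id": "s4", "user": "dave", "user_type": "employee", "host": "web-03", "protocol": "rdp", "command": "notepad.exe web.config"}
"""


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_event(ev: dict) -> set:
    """Map one command event to the red-flag categories it matches."""
    flags = set()
    if ev["host"] in CRITICAL_HOSTS:
        flags.add("critical_system")
    if ev["user_type"] in WATCHED_USER_TYPES:
        flags.add("watched_user")
    if ev["protocol"] == "ssh" and SUDO_RE.search(ev["command"]):
        flags.add("sudo")                 # sudo is only meaningful on SSH sessions
    if POWERSHELL_RE.search(ev["command"]):
        flags.add("powershell")
    if ev["command"].startswith(CUSTOM_APPS):
        flags.add("custom_app")
    return flags


PRIVILEGED_ACTION = {"sudo", "powershell", "custom_app"}
SENSITIVE_CONTEXT = {"critical_system", "watched_user"}


def triage(events: list) -> dict:
    """Aggregate flags per session and assign a review priority.

    high   : a privileged action inside a sensitive context
    medium : any red flag at all
    Sessions with no flags are omitted so reviewers see only what matters.
    """
    per_session = defaultdict(set)
    for ev in events:
        per_session[ev["session_id"]] |= flag_event(ev)
    result = {}
    for sid, flags in per_session.items():
        if not flags:
            continue
        high = bool(flags & PRIVILEGED_ACTION) and bool(flags & SENSITIVE_CONTEXT)
        result[sid] = {"flags": sorted(flags), "severity": "high" if high else "medium"}
    return result


if __name__ == "__main__":
    for sid, info in triage(load_events(SAMPLE_EXPORT)).items():
        print(sid, info["severity"], ", ".join(info["flags"]))
```

On the sample data s2 (a contractor running PowerShell on a cardholder-data host) comes out high, s1 and s3 medium, and s4 is not listed. The same per-session dictionary is what you would forward to the SIEM as an alert, with the severity driving which events page the incident response team.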

Session recording and incident response plans 

Session recording helps cyber security, IT operations, and incident response teams share information and collaborate more closely. Many Thycotic customers integrate session recording capabilities with existing analytics or SIEM systems that alert their incident response teams of potential abuse or data breaches. As part of an incident response plan, the more visibility and clarity IT teams have into privileged sessions, the better coordinated they will be when resolving a problem. 





