In 2023, Okta's support system breach traced back to a service account session that should have been monitored but wasn't. It's a pattern repeated across countless incidents—organizations invest heavily in granting privileged access but barely whisper about watching what happens after authentication succeeds. Let's fix that gap with practical, deployable controls.
Why Privileged Session Management Matters
Privileged Access Management (PAM) conversations tend to fixate on vaulting credentials and rotating passwords. But the session itself—the window between login and logout—is where damage actually occurs. An attacker who compromises an admin session doesn't need your password vault. They need five unmonitored minutes.
Privileged Session Management (PSM) closes this gap by introducing real-time monitoring, recording, and control over active administrative sessions. It answers the questions your SIEM can't: What exactly did that domain admin type at 2:47 AM?
Core Components of a PSM Architecture
A mature PSM implementation has four pillars:
- Session Brokering – Users never connect directly to targets. A jump server or proxy intermediates every session.
- Keystroke and Screen Recording – Full session capture for forensic review.
- Real-Time Monitoring and Alerting – Live oversight with the ability to flag or terminate suspicious sessions.
- Command Filtering and Restriction – Blocking dangerous commands before they execute.
Here's how these look in practice.
Implementing a Session Proxy with SSH Command Filtering
A straightforward starting point is restricting SSH sessions through a bastion host with command whitelisting. Using OpenSSH's built-in ForceCommand and authorized_keys restrictions:
# /etc/ssh/sshd_config on the bastion host
Match Group db-admins
ForceCommand /usr/local/bin/session-wrapper.sh
AllowTcpForwarding no
X11Forwarding no
The session-wrapper.sh script can log the session and restrict commands:
#!/bin/bash
# Invoked by sshd via ForceCommand; SSH_ORIGINAL_COMMAND holds whatever the client asked to run
LOG_FILE="/var/log/psm/$(whoami)_$(date +%Y%m%d_%H%M%S).log"
echo "Session started: $(date) | User: $(whoami) | Source: ${SSH_CLIENT} | Requested: ${SSH_ORIGINAL_COMMAND:-interactive}" >> "$LOG_FILE"
# Record the full session with the script utility; -a appends so the header line above is not overwritten
exec script -a -f -q "$LOG_FILE" -c "/bin/bash --restricted"
A restricted bash only constrains what that shell itself will do, so treat it as a convenience control rather than a hard boundary: pair it with a locked-down PATH and, where the admin task is well defined, an explicit command allowlist. For enterprise environments, consider augmenting this with auditd rules targeting privileged users:
# /etc/audit/rules.d/privileged-sessions.rules
-a always,exit -F arch=b64 -F euid=0 -S execve -k privileged_cmd
-w /etc/shadow -p rwa -k shadow_access
-w /etc/sudoers -p rwa -k sudoers_modification
Real-Time Session Monitoring with CyberArk PSM (Enterprise Example)
For organizations running CyberArk, PSM can be configured to live-monitor RDP and SSH sessions. A critical but often-missed configuration is enabling PSM session termination policies based on risky commands:
<!-- In CyberArk PVWA, PSM Server Configuration -->
<AllowedSessions>
<Session Id="PSM-SSH">
<Property Name="RecordingEnabled" Value="Yes"/>
<Property Name="MonitoringEnabled" Value="Yes"/>
<Property Name="SuspendOnDetection" Value="Yes"/>
<RestrictedCommands>
<Command Pattern="rm -rf /*" Action="Terminate"/>
<Command Pattern="chmod 777" Action="Alert"/>
<Command Pattern="iptables -F" Action="Terminate"/>
</RestrictedCommands>
</Session>
</AllowedSessions>
This ensures that a session executing iptables -F on a production firewall gets killed instantly while an alert fires to your SOC.
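The same Terminate/Alert policy applied on the OpenSSH bastion from earlier, as a ForceCommand wrapper; this is an added example, not code from the post or from CyberArk. It assumes the log path /var/log/psm/commands.jsonl and a small allowlist of binaries for the db-admins group, refuses interactive-shell requests outright, and strips a leading sudo before matching so the patterns cannot be dodged by prefixing.

```python
import json, os, re, shlex, subprocess, sys
from datetime import datetime, timezone
LOG_FILE = "/var/log/psm/commands.jsonl"  # assumed path, next to the wrapper's session logs
# Mirrors the Terminate/Alert actions of the PSM config above; regexes run over the normalized line.
POLICY = [
    (re.compile(r"^rm\s+-rf\s+/\*?(\s|$)"), "Terminate"),
    (re.compile(r"^iptables\s+-F(\s|$)"), "Terminate"),
    (re.compile(r"^chmod\s+777(\s|$)"), "Alert"),
]
ALLOWED = {"psql", "pg_dump", "systemctl", "journalctl", "chmod", "ls", "cat"}  # assumed db-admins allowlist

def normalize(cmdline):
    """Tokenize like a shell and drop a leading sudo so 'sudo  iptables -F' still matches."""
    tokens = shlex.split(cmdline)
    return tokens[1:] if tokens and tokens[0] == "sudo" else tokens

def evaluate(cmdline):
    """Return (action, reason): Terminate beats Alert; an empty, unparseable or unlisted request is refused."""
    try:
        tokens = normalize(cmdline)
    except ValueError:
        return "Terminate", "unparseable command line"
    if not tokens:
        return "Terminate", "interactive shell requested; only single commands are brokered"
    verdict, reason, norm = "Allow", "policy ok", " ".join(tokens)
    for pattern, action in POLICY:
        if pattern.search(norm):
            if action == "Terminate":
                return action, "matched " + pattern.pattern
            verdict, reason = action, "matched " + pattern.pattern
    if tokens[0] not in ALLOWED:
        return "Terminate", "binary not in allowlist"
    return verdict, reason

def audit_record(user, src_ip, cmdline, action, reason):
    """One JSON line per brokered command, ready to forward to the SIEM (Alert lines are what the SOC keys on)."""
    return json.dumps({"ts": datetime.now(timezone.utc).isoformat(), "user": user, "src_ip": src_ip,
                       "command": cmdline, "action": action, "reason": reason})

def main():
    cmdline = os.environ.get("SSH_ORIGINAL_COMMAND", "")  # set by sshd when ForceCommand is in effect
    src_ip = os.environ.get("SSH_CLIENT", "").split(" ")[0] or "unknown"
    action, reason = evaluate(cmdline)
    with open(LOG_FILE, "a") as log:
        log.write(audit_record(os.environ.get("USER", "unknown"), src_ip, cmdline, action, reason) + "\n")
    if action == "Terminate":
        sys.exit(1)
    # Run the original tokens directly (no shell), so metacharacters in the request are never interpreted.
    sys.exit(subprocess.call(shlex.split(cmdline)))

if __name__ == "__main__":
    main()
```

Point ForceCommand at this script instead of session-wrapper.sh, and keep the script(1) recording for the sessions you still allow to be interactive.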
Operationalizing PSM: Lessons From the Field
Start with your Tier-0 assets. Domain controllers, hypervisors, and cloud IAM consoles should be monitored first. Don't boil the ocean.
Integrate session metadata into your SIEM. Forward session start/stop events, command logs, and anomaly alerts into Splunk, Sentinel, or your platform of choice. A sample Splunk query to catch off-hours privileged sessions:
index=psm_logs action="session_start"
| where date_hour < 7 OR date_hour > 19
| stats count by user, dest_host, src_ip
Conduct quarterly session recording reviews. Randomly audit 5-10% of recorded sessions. This isn't about distrust—it's about accountability, and it demonstrably changes behavior.
Establish break-glass procedures. Emergency access must bypass PSM gracefully, with compensating controls like dual-approval and post-incident review within 24 hours.
Final Thought
The privileged session is the attack surface you already authorized. Managing it isn't optional—it's the difference between an incident you detect in minutes and one you discover in a breach report months later. Start recording. Start watching. Start today.
Have questions about privileged session management and monitoring? I'm always happy to talk shop — reach out or connect with me on LinkedIn.