Preventing Data Theft with File Activity Monitoring
If you ask most folks who pay attention to cybersecurity what the recent big-name breaches and headline-grabbing malware have in common, you would get many answers. Some would say they were next-generation ransomware like NotPetya or WannaCry. Others would say that the HBO and Sony breaches started with a phishing email and ballooned from there. Even more would say that next-generation firewalls should have helped but didn’t. While these are all true, they miss a key factor: all these big cyber incidents – and many more – involved the hunting and theft of everyday files and folders that contained sensitive data. That’s where file activity monitoring can help.
There are many reasons, however, why that part of the story doesn't get the attention it deserves—despite the fact that it is a big part of this market trend. One reason is that files and folders aren't as sexy as network-hopping malware and next-generation firewalls. The more important reason, though, is that talking about stealing sensitive data from ordinary files and folders would shed light on the flaws in processes and infrastructure that leave this data vulnerable.
Ironically, it is the compliance world, not the security world, that is taking note of this data and calling for it to have better protections. That's because of things like EU GDPR compliance – forcing organizations to survey their data, understand who has access, and take control of those access rights through a well-defined, audited process, which includes file activity monitoring.
What most organizations are finding is that they are so far outside the realm of what GDPR requires that these vulnerabilities explain why recent attacks have been so successful at stealing sensitive information from regular files. Access to shares, folders, and the other places these files live grows wild over time. This leaves all the information in those files exposed to every ransomware or exfiltration scheme that comes along. The work to find, assess, analyze, and remediate all the security issues with access to this data is a daunting task for many organizations to take on without the right tools or assistance. And, unfortunately, it's only half their problem.
Even in organizations with a decent security posture around their unstructured data, there is still a blind spot that attackers are exploiting: they use sophisticated malware and attack methods to impersonate the few users who do have access, so they can obtain the credentials they need to reach data even when it's locked down. Sometimes they just go right to the top and grab admin rights.
The good news is that a watchful eye can still catch them. An attacker slurping up gigabytes of data to steal is not acting as a normal user would, and monitoring the activity generated by use of unstructured data would show that. While many organizations are deploying user behavior solutions to watch activity, most do not watch that kind of activity; they are looking at network and application activity. So while the CRM system may be well protected, the hundreds of spreadsheets exported from CRM reports, containing the same sensitive information, are left unwatched. Even when user behavior solutions do watch file activity around unstructured data, they may be filled with noise—or lack knowledge of which data is sensitive—making it hard for organizations to isolate real threats.
The bad guys know this; they sneak past these guards to the files that have the goods they want.
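As an added illustration of the kind of check described above (not code from this article or from any STEALTHbits product), the following Python compares each user's daily read volume against that user's own recent baseline and flags bulk access; the audit event layout, user names, share paths and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed file-audit events: (day, user, path, bytes_read). Days 1-5 are
# normal use; on day 6 "bob" sweeps the CRM export share. Paths are made up.
EVENTS = [
    (d, "alice", f"\\\\fs01\\finance\\report{d}.xlsx", 150_000) for d in range(1, 7)
] + [
    (d, "bob", f"\\\\fs01\\sales\\crm_export_{d}.csv", 400_000) for d in range(1, 6)
] + [
    (6, "bob", f"\\\\fs01\\sales\\crm_export_{i}.csv", 400_000) for i in range(400)
]


def daily_volume(events):
    """Aggregate raw events into {user: {day: total_bytes_read}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, _path, size in events:
        totals[user][day] += size
    return totals


def detect_bulk_access(events, baseline_days, z_threshold=3.0, min_bytes=10_000_000):
    """Return [(user, day, bytes)] for non-baseline days whose read volume sits
    far above the user's own baseline. The per-user baseline is what separates
    an analyst who always pulls large exports from an account that suddenly does.
    min_bytes suppresses alerts on tiny deviations from a nearly flat baseline,
    which is one source of the 'noise' mentioned in the text."""
    alerts = []
    for user, per_day in daily_volume(events).items():
        base = [per_day.get(d, 0) for d in baseline_days]
        mu, sigma = mean(base), pstdev(base)
        for day, total in sorted(per_day.items()):
            if day in baseline_days:
                continue
            # A perfectly constant baseline has sigma == 0; treat any increase
            # as infinitely unusual and let min_bytes decide if it matters.
            if sigma:
                z = (total - mu) / sigma
            else:
                z = float("inf") if total > mu else 0.0
            if total >= min_bytes and z >= z_threshold:
                alerts.append((user, day, total))
    return alerts


if __name__ == "__main__":
    for user, day, total in detect_bulk_access(EVENTS, baseline_days=range(1, 6)):
        print(f"ALERT day {day}: {user} read {total:,} bytes (bulk file access)")
```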
To learn more about file activity monitoring, click here: https://www.stealthbits.com/file-activity-monitoring-solution
Jonathan Sander is STEALTHbits’ Chief Technology Officer (CTO). As CTO, he is responsible for driving technical innovation, ensuring that STEALTHbits is well positioned in their current and emerging markets, and he will also lead corporate development efforts. Jonathan also plays the role of evangelist at STEALTHbits venues large and small. Prior to STEALTHbits, Jonathan was VP of Product Strategy for Lieberman Software.
As part of Quest Software from 1999 through 2013, he worked with the security and ITSM portfolios. He helped launch Quest's IAM solutions, directing all business development and product strategy efforts. Prior to that, Mr. Sander was a consultant at Platinum Technology focusing on security, access control and SSO solutions. He graduated from Fordham University with a degree in Philosophy.