File System Auditing
Adequately and efficiently capturing file system access and change activities can dramatically increase an organization’s ability to detect insider threats, prevent data breaches, and mitigate the damage that can be done by advanced threats like crypto ransomware. Native file system auditing functions within file repositories like Windows file servers and NAS devices like NetApp and Dell/EMC, however, are highly challenging to work with – sometimes impossible – often resulting in a significant blind spot for security practitioners and IT operations personnel.
Top Use Cases for File System Auditing
The importance of capturing file system activity cannot be understated, having far-reaching benefits from Ransomware detection to forensic investigations, all of which lead to greater security and efficiency for an organization.
- File Auditing for Governance – In the context of a properly crafted Data Access Governance program, file activity can tell you just as much about what users don’t need access to, as it does about what they do need access to. Capturing and analyzing file activity over an extended period of time, provides invaluable insight into how users are actually leveraging their access privileges, enabling the proactive removal of unused access rights that overexpose organizations to insider threats, and of course, Ransomware.
- File Auditing for Forensics – Because so many organizations struggle to even turn native file system auditing on (let alone tune it properly), most SIEM deployments are void of file activity information from all the places file activity is occurring. Outside of file system data being involved in a high number of data breaches cases, the lack of file activity data within SIEM means forensic investigations are often foiled by a significant lack of evidence. Adding insult to injury, the data generated out of file system auditing logs is often missing key event attributes, is cluttered with noise events, and in some cases is entirely incomprehensible. Nevertheless, getting file system activity into SIEM is a boon for security and critical to knowing what data was taken, if successfully exfiltrated.
- File Auditing for Storage Operations – Storage Admins have a difficult job. As if ensuring file storage availability isn’t tough enough, storage teams are often bombarded with questions originating from end-users like, “Where’d my file go?” or “I could access this folder yesterday. Why can’t I today?” These seemingly simple questions are hardly simple to answer without file system auditing enabled. However, with a clean audit trail of activity, Storage Admins won’t need to answer these questions anymore because the helpdesk could easily accomplish the task on their behalf.
- File Auditing for Ransomware Detection – Ransomware can present itself and potentially be caught at multiple levels within the attack chain (e.g. Phishing email, AV at the endpoint, etc.), but there’s no more telltale sign of a Ransomware attack underway than observing troves of files encrypted in seconds. Literally every second counts in the midst of a Ransomware assault and monitoring file activity is arguably the most logical type of activity to be monitoring for in a Ransomware context.
Just in these examples alone, there are at least three major beneficiaries of the visibility file system auditing can provide, including Security, Storage Operations, and Governance teams.
Top File System Auditing Challenges
It’s easy to see that auditing file system activity is a worthwhile concept and for multiple reasons; so why doesn’t everyone do it? Here’s what it ultimately boils down to, but I’d highly suggest reading this White Paper called “5 Challenges with Monitoring Windows File Activity” for some specifics:
- Performance – Enabling file system auditing is like turning on a fire hose. The number of events generated through native file system audit logging is staggering, causing logs to roll and disks to fill up. Just the act of a single user opening, editing, saving, and closing a Word document on a Windows File Share generates 230 events in the event log! Furthermore, there are very limited filtration capabilities, making it impossible to exclude something like a noisy process or individual account from being logged. Essentially, the events pile up, machine performance degrades, people complain, and the opportunity is lost.
- Data Quality – If enabling file system auditing is like turning on a fire hose, then trying to understand the data it produces is like drinking from one (except more painful). First, it’s important to note that a large portion of the data generated through native file system auditing is garbage. Temporary Files with their fancy tilde’s (~) top the list. Second, the necessity to correlate multiple events to figure out a file moved from one folder to another or translate Security Descriptor Definition Language (SDDL) to decipher the details of a permissions change, is just plain difficult to do.
So, that’s why everyone doesn’t do it. It causes them grief and understanding the output is like another full-time job.
File System Auditing Alternatives
So far, we’ve discussed many of the merits of monitoring file activity on your Windows and NAS devices, as well as some of the hurdles to making it happen.
You can dedicate the time, resources, and money to ensure critical systems have the horsepower they need to churn out the data, stuff it all into SIEM (even the garbage data), brush up on your Event Log knowledge, and write your rules and correlation routines, but that’s a pretty expensive proposition.
Alternatively, you could use a highly tuned, intelligent file system auditing alternative like STEALTHbits File Activity Monitor. It’s lightweight, easy-to-use, scalable, configurable, affordable, and interoperable with your SIEM (check out the IBM QRadar and Splunk apps that come along with it for free).
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Adam Laub is the Senior Vice President of Product Management at STEALTHbits Technologies. He is responsible for setting product strategy, defining future roadmap, driving strategic sales engagements, supporting demand generation activities, enabling the sales organization and all aspects of product evangelism.
Since joining STEALTHbits in 2005, Adam has held multiple positions within the organization, including Sales, Marketing, and Operational Management roles.
Adam holds a Bachelor of Science degree in Business Administration from Susquehanna University, Selinsgrove, PA.