A Holy Grail….
The Holy Grail of File Activity Auditing is very easily summarized with the well-known five ‘W’s and the ‘H’… or is it?
We can discount two of these straight away:
- Why: The reason or sentiment behind an action is virtually impossible to identify and certainly isn’t a binary, 1 or 0 thing. So let’s park this for another day.
- How: This is certainly something that is important to data governance, but not specifically to activity auditing. Determining open access or compromised user accounts is also for another day. Please see the STEALTHbits Data Access Governance solutions for ‘How’.
Let’s take a look at what’s left, with a simple scenario:
An online retailer is concerned about the recently announced EU GDPR legislation. Despite being based in Canada, they hold personal data of European citizens (alongside that of their other international customers). They have identified the location of this sensitive data but need to maintain a comprehensive audit of all activity against it.
The retailer needs to be able to identify who has accessed a sensitive file at any time, which means answering all four ‘W’s – the Holy Grail of File Activity Auditing (or is it?):
- Who: What AD user object performed the activity?
- What: What object was read/updated/deleted/created? What was the change, before and after value?
- Where: Where is/was the affected object located? Where was the AD user account used from?
- When: At what time did the activity occur?
I’m sure you’ll agree that the four points above are critical for data compliance.
One of the issues with File Activity Monitoring is that this function is not easily available using native auditing. It’s even harder when you have more than one platform, each with its own auditing mechanism, i.e. Windows, EMC, NetApp and Hitachi.
Another challenge can be expense. Imagine if you’ve invested significantly in a SIEM platform and want to collate activity across your many file platforms. The last thing you want to do is invest in another full suite of products when all you need is Who, What, Where and When.
Have you ever tried to use a SIEM vendor’s native log gathering platform? Not the easiest or most reliable thing you’ll ever work with. Not to mention having to enable native logging in the first place.
Let’s look at what’s involved in using native logs and a SIEM log collector for Windows:
- Enable Native File Auditing
- Specify Scope
- Ensure sufficient space for large log files
- Enable the SIEM log collector
- Ingest (not in real time) vast quantities of logs
- Parse/Filter the logs for the useful data
- Native file auditing can create 100+ events for a simple file action
- Apply Context to the data
- Create a Dashboard
- Maybe pay for each event ingested (90-95% of which you have no interest in)
- Report on the 5% of relevant data
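The “Parse/Filter” and “Apply Context” steps above are where the effort goes with native logs. The following is an added example (not STEALTHbits code and not part of the original post) that shows what that work looks like on Windows: it collapses a burst of object-access events (event ID 4663) into one Who/What/Where/When record per real file action, drops handle noise such as ReadAttributes and SYNCHRONIZE, and joins the logon session id to a logon event (event ID 4624) to recover the source address. The event records, user names, paths and hosts are constructed for the example; the event IDs and field names are the ones Windows Event Viewer shows.

```python
"""Reduce a burst of native Windows file-audit events to Who/What/Where/When."""
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security log events:
#   4624  "An account was successfully logged on"   (gives the source address)
#   4663  "An attempt was made to access an object" (gives the file access)
# Field names follow Event Viewer; every value below is made up for this example.


def _access_event(time, user, logon_id, accesses):
    """Build one constructed 4663 record for the same sample file."""
    return {"EventID": 4663, "TimeCreated": time, "SubjectUserName": user,
            "SubjectDomainName": "CORP", "SubjectLogonId": logon_id,
            "ObjectName": "C:\\Shares\\Finance\\eu_customers.xlsx",
            "Computer": "FS01.corp.example", "Accesses": accesses}


SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2017-05-10T09:14:58", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "TargetLogonId": "0x3e7a1", "IpAddress": "10.1.2.33",
     "WorkstationName": "LAPTOP-JDOE", "Computer": "FS01.corp.example"},
    # One "open the file in Excel" action: several 4663 records for one handle.
    _access_event("2017-05-10T09:15:02", "jdoe", "0x3e7a1", "ReadAttributes"),
    _access_event("2017-05-10T09:15:02", "jdoe", "0x3e7a1", "SYNCHRONIZE"),
    _access_event("2017-05-10T09:15:02", "jdoe", "0x3e7a1", "ReadData (or ListDirectory)"),
    _access_event("2017-05-10T09:15:03", "jdoe", "0x3e7a1", "ReadData (or ListDirectory)"),
    # A later save of the same file.
    _access_event("2017-05-10T09:20:11", "jdoe", "0x3e7a1", "WriteData (or AddFile)"),
    # A delete from a session whose 4624 logon event is not in this sample.
    _access_event("2017-05-10T09:30:00", "svc_backup", "0x51c00", "DELETE"),
]

# 4663 "Accesses" strings that represent a real data read/write/delete.
# Everything else (ReadAttributes, SYNCHRONIZE, READ_CONTROL, ...) is handle noise.
ACCESS_TO_OPERATION = {
    "ReadData (or ListDirectory)": "read",
    "WriteData (or AddFile)": "write",
    "AppendData (or AddSubdirectory or CreatePipeInstance)": "write",
    "DELETE": "delete",
}

# Repeated events for the same action closer together than this are merged.
COLLAPSE_WINDOW = timedelta(seconds=5)


def build_logon_index(events):
    """Map logon session id -> source address/workstation from 4624 events."""
    index = {}
    for ev in events:
        if ev["EventID"] == 4624:
            index[ev["TargetLogonId"]] = {"ip": ev.get("IpAddress", "-"),
                                          "workstation": ev.get("WorkstationName", "-")}
    return index


def summarize_file_activity(events, window=COLLAPSE_WINDOW):
    """Return one Who/What/Where/When record per distinct file action.

    Consecutive 4663 events for the same user, session, file and operation that
    fall within `window` of each other are merged into a single record; the
    record keeps the first timestamp and counts how many raw events it absorbed.
    """
    logons = build_logon_index(events)
    records = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] != 4663:
            continue
        operation = ACCESS_TO_OPERATION.get(ev["Accesses"])
        if operation is None:
            continue  # attribute/handle noise, not a data access
        who = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        when = datetime.fromisoformat(ev["TimeCreated"])
        key = (who, ev["SubjectLogonId"], ev["ObjectName"], operation)
        last = records[-1] if records else None
        if last and last["_key"] == key and when - last["_last_seen"] <= window:
            last["raw_events"] += 1
            last["_last_seen"] = when
            continue
        source = logons.get(ev["SubjectLogonId"],
                            {"ip": "unknown", "workstation": "unknown"})
        records.append({
            "who": who,
            "what": operation,
            "where": {"object": ev["ObjectName"], "server": ev["Computer"],
                      "from_ip": source["ip"], "from_host": source["workstation"]},
            "when": when.isoformat(),
            "raw_events": 1,
            "_key": key, "_last_seen": when,
        })
    for rec in records:
        del rec["_key"], rec["_last_seen"]
    return records


if __name__ == "__main__":
    for rec in summarize_file_activity(SAMPLE_EVENTS):
        print(rec)
```

Seven raw events become three records here; on a real server the ratio is far worse, which is the point behind the “90-95% of which you have no interest in” figure above. Note the delete record: without the matching 4624 event the source address is unknown, which is exactly the kind of context gap a collector has to fill from other logs.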
Here’s what’s involved with STEALTHbits File Activity Monitor:
- Install the Activity Monitor and configure it for the relevant platform (Windows, EMC, NetApp and Hitachi from a single point)
- Specify Scope
- Start the Dashboard or, if using IBM QRadar SIEM, download the dashboard from the X-Force App Exchange
- Receive real-time alerts in the Monitor and SIEM
Pretty clear which list is more appealing, don’t you think?
The File Activity Monitor can be used as an easy-to-implement and cost-effective tactical solution or as a complementary offering for SIEM. I often refer to it as the Triage for SIEM – only sending the pertinent data with quality context.
The technology is taken from the core of our StealthINTERCEPT product which won the 2015 IBM Beacon Award for Outstanding Security Solution.
This brings us back to the Holy Grail. Is it as simple as Who, What, Where, When? No.
It’s also about getting that data efficiently, in real-time and with quality context. It’s not about quantity, it IS all about Quality.
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is lead Pre-Sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience working in virtually all technical support and consulting roles across both public and private sectors in the UK, EMEA and globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.