The ability to monitor file access activity across file shares residing on NAS and Windows devices represents both a tremendous gap and opportunity for organizations looking to identify threats, achieve compliance, and streamline operations.
Unfortunately, most organizations can’t answer the most basic questions surrounding data activity, and it ultimately boils down to a handful of seemingly simple reasons:
- Volume – The volume of data is typically more than organizations can handle with manual auditing.
- System Performance – Native logging introduces massive performance issues.
- Noise – Native logging, once enabled, can quickly fill up file system logs with meaningless noise, and offers no effective means by which to search for answers.
- Complexity – For NAS devices specifically, native auditing is often so difficult to configure properly that most organizations don’t bother doing so.
- Inaccessibility – File Activity Monitoring technologies are often buried within larger solution suites, making them cost prohibitive.
The Verizon Data Breach Incident Report highlights the importance of file activity monitoring as it relates to the insider threat, outsider threat, and ransomware. An interesting scenario that should also be considered is that of the business. Take, for instance, employee turnover. It is an inevitability in business. Before an employee leaves an organization, there are typically several parties within the business (e.g. Human Resources and IT Security) that are interested in understanding what a user is doing or has done in the weeks or months preceding their departure or minutes after notice of their termination. End users aren’t cyber-criminals that can extract the contents of a database or application in minutes. If users are going to take anything, they’re likely going to grab files from file shares and attempt to upload them to cloud-based storage services like Dropbox and OneDrive, or to local storage like USB thumb drives. If the employee is disgruntled, they may even go to the lengths of destroying the data through a mass deletion. This data is the property of your organization, and being able to quickly determine what data was accessed or impacted is critical to continued business operations.
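As an added illustration (not code from the original post or from STEALTHbits), the two questions this scenario raises can be answered from a simple per-event activity log: what a departing user touched, and whether anyone deleted an unusual number of files in a short window. The CSV-style record layout, the sample lines, and the threshold of three deletions within five minutes are all constructed assumptions for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-share activity records (not real logs).
# Format assumed here: timestamp,user,operation,path
SAMPLE_LOG = r"""
2021-03-01T09:00:05,jsmith,READ,\\fs01\finance\q1_forecast.xlsx
2021-03-01T09:00:40,jsmith,READ,\\fs01\finance\budget.xlsx
2021-03-01T09:01:10,jsmith,DELETE,\\fs01\finance\q1_forecast.xlsx
2021-03-01T09:01:12,jsmith,DELETE,\\fs01\finance\budget.xlsx
2021-03-01T09:01:15,jsmith,DELETE,\\fs01\finance\payroll.csv
2021-03-01T09:01:20,jsmith,DELETE,\\fs01\finance\vendors.csv
2021-03-01T09:30:00,alee,DELETE,\\fs01\hr\old_draft.docx
2021-03-01T11:00:00,alee,WRITE,\\fs01\hr\handbook.docx
"""

def parse_events(text):
    """Parse the constructed records into sorted (timestamp, user, op, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, op, path = line.split(",", 3)
        events.append((datetime.fromisoformat(ts), user, op, path))
    return sorted(events)

def user_activity(events, user):
    """The departure question: which paths did this user touch, grouped by operation."""
    summary = defaultdict(set)
    for _, who, op, path in events:
        if who == user:
            summary[op].add(path)
    return {op: sorted(paths) for op, paths in summary.items()}

def detect_mass_deletion(events, threshold=3, window=timedelta(minutes=5)):
    """Flag each user (once) whose DELETE count inside a sliding time window
    reaches the threshold; returns (user, window start, deletes seen) tuples."""
    recent = defaultdict(deque)  # per-user timestamps of recent deletes
    flagged, alerts = set(), []
    for ts, user, op, _ in events:
        if op != "DELETE":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and user not in flagged:
            flagged.add(user)
            alerts.append((user, q[0], len(q)))
    return alerts
```

On the sample data this flags only jsmith, whose four deletes fall within ten seconds, while alee's single delete stays below the threshold.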
These gaps and challenges have caused many companies to fail audits and continue to struggle for months or years while waiting for program maturity. So what can be done to solve this dilemma?
STEALTHbits provides a simple solution designed for organizations that just want the data. STEALTHbits’ “stand-alone” File Activity Monitor immediately begins gathering activity information from Windows File Servers, NetApp, EMC, and Hitachi devices, with no reliance on native auditing, no performance impact on target systems, and no complex configuration tasks to follow. A simple, yet powerful query interface allows users to search the generated file activity logs to answer simple questions. Optionally, organizations can feed file activity in real time from all or specific systems directly to their SIEM platform or alternative technologies for more advanced analysis, correlation, and reporting.
Brad Bussie is an award-winning fifteen-year veteran of the information security industry. He holds an undergraduate degree in information systems security and an MBA in technology management. Brad possesses premier certifications from multiple vendors, including the CISSP from ISC2. He has a deep background architecting solutions for identity management, governance, recovery, migration, audit, and compliance. Brad has spoken at industry events around the globe and has helped commercial, federal, intelligence, and DoD customers solve complex security issues.