INSIDER THREAT SECURITY BLOG

While we here at Stealthbits can’t help our customers with the personal part of 23 NYCRR 500 Compliance, we can make it easy to identify the reports that help with Section 500’s access and activity pieces. Starting with version StealthAUDIT v8.0 we’ve introduced report tagging, allowing you to easily organize the reports that are important to you. These can be named as desired, typically by their associated compliance standard. For this month’s ProTip I’ll be using the tag, ’23NYCRR500′. Fi…

In the first “Where did my file go?” post, we discussed locating files using StealthAUDIT’s Access Information Center. Now, with the STEALTHbits File Activity Monitor in place, this same question can be answered in real-time directly within the console. Not only can we identify what happened to a file, we can even show you where it ended up.  First, start a New Activity Search within the STEALTHbits File Activity Monitor by either pressing Ctrl+F or select the magnifying glass located in the…

Modeling access changes before enabling them allows you to clean up access with confidence. The Access Information Center makes this simpler than ever with easy-to-understand visuals and the ability to commit these changes on the spot. First, we’ll look at the Effective Access report on my PreSales Engineering Share. As you can see, Chris still has access although his account is disabled. In this situation, I want to clean up access to this one resource without impacting any other intended…

Utilizing StealthAUDIT Reporting This month I’d like to touch on a fairly unknown usability feature within StealthAUDIT. The Reports Only mode allows the console to be run without risk of triggering any collections or affecting any already existing data sets. There is an underused (but very useful) command line switch that allows you to run StealthAUDIT so that it can only generate reports. When run in Reports Only mode the Query, Analysis, and Action functions will be disabled. From t…

With the close of 2016 approaching, I looked back and realized that Ransomware could have been the subject of my ProTip every month this year! Not only has it been regularly grabbing headlines throughout the last twelve months, but I’m sure 2017’s threat-surface will be subject to even more attacks. And while I’ve already provided tips on ransomware twice, this time I’d like to talk about the methodology behind a competent defense as we close out 2016. Credential Abuse: this is the drum we b…

After identifying nefarious activity on your file servers, whether it’s massive data theft or activity associated with ransomware, taking action is the next step. StealthINTERCEPT v4.0 now gives us the tools to automatically Lockdown those critical file areas once the rule for the File System Attacks Analytic is met. Let’s get started. First, we need to select the File System Attack Analytic, then select the Configure icon: Once the Configure Analytics window is open you will see “E…

StealthAUDIT for Active Directory provides reporting features that give you great insight into your directory environment, but is there more usable information in a report than what is displayed by default? Yes. Most StealthAUDIT Jobs collect and record additional information that is not necessarily included in the default presentation of reports. However, recent improvements to the report interfaces make both filtering on, and utilization of, this data more accessible. Let’s use our St…

Need visibility into the mailbox activity by anyone other than the owner of a specific mailbox? In this ProTip, you will learn how to view Exchange Activity within StealthINTERCEPT and how to scope the policy to view only Non-Owner activity. Once you are licensed for Exchange Activity, you will need to ensure that you have agents deployed to all Exchange Role Hosts (HUB, CAS, & MBX). This is done by selecting the hosts to which you need to deploy the agent and selecting the Exchange Serv…

“Where did my file go?” With File System Activity in place for StealthAUDIT, this question can be answered easily within the Access Information Center. Not only can we identify what happened to the file, we can sometimes even show you where it ended up. The options menu while viewing an Activity Details Report in the AIC has a Target Path checkbox that, when enabled, can show moves and renames: *Due to monitoring limitations this can only be seen when the move is to a location on the same…

Entitlement Reviews are a great way to get feedback from your business owners, and now with StealthAUDIT 7.2 we can now also canvas these same business owners for Sensitive Data Reviews. There are two optional settings to consider enabling before beginning a Data Review process. The first option is to enable the collection of File Level Details by the 1-FSAA System Scans query, to record file sizes, last modified times, and ownership and permissions data for the files scanned. This is set w…