A Holy Grail…
The Holy Grail of File Activity Auditing is easily summarized with the well-known five ‘W’s and the ‘H’ (Who, What, Where, When, Why and How)… or is it?
We can discount two of these straight away: Why and How.
Let’s take a look at what’s left, with a simple scenario:
An online retailer is concerned about the recently announced EU GDPR legislation. Although the company is based in Canada, it holds personal data of EU citizens (alongside that of customers from other countries), so the regulation still applies. It has identified where this sensitive data lives, but now needs to maintain a comprehensive audit of all activity against it.
The retailer needs to be able to answer, for any sensitive file and at any point in time, the remaining four ‘W’s – the Holy Grail of File Activity Auditing (or is it?):
Who: What AD user object performed the activity?
What: Which object was read, updated, deleted or created? If it was changed, what were the before and after values?
Where: Where is (or was) the affected object located, and from which machine was the AD user account used?
When: At what time did the activity occur?
I’m sure you’ll agree that the four points above are critical for data compliance.
One of the issues with File Activity Monitoring is that this information is not easily obtained from native auditing. It is even harder when you have more than one storage platform, each with its own auditing mechanism, e.g. Windows, EMC, NetApp and Hitachi.
Another challenge can be expense. Imagine if you’ve invested significantly in a SIEM platform and want to collate activity across your many file platforms. The last thing you want to do is invest in another full suite of products when all you need is Who, What, Where and When.
Have you ever tried to use a SIEM vendor’s native log gathering platform? Not the easiest or most reliable thing you’ll ever work with. Not to mention having to enable native logging in the first place.
Let’s look at what’s involved in using native logs and a SIEM log collector for Windows:
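As an added illustration of those native steps (this is not STEALTHbits' or the post's own code), here is the minimum on a single Windows file server using only Windows' own tooling: the audit policy subcategory, a SACL on the folder, and a reduction of Security-log events 4663 and 4624 to Who/What/Where/When. The folder path, the one-day window and the optional account filter are assumptions; run it elevated so that Set-Acl and Get-WinEvent on the Security log succeed.

```powershell
# Added example, not STEALTHbits code. Assumed: folder path, a one-day window, elevated shell.

# 1. Audit policy: without this subcategory no file-system events are written at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL: auditing is per object, so every sensitive folder needs its own audit rule.
$Path = 'D:\Shares\CustomerData'   # assumed location of the sensitive data
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Reduce the raw log to Who / What / Where / When.
function Get-FileActivity {
    param(
        [string]$PathFilter = $Path,
        [string]$User,                          # optional: restrict to one sAMAccountName
        [datetime]$Start = (Get-Date).AddDays(-1),
        [datetime]$End   = (Get-Date)
    )
    # Bits of the 4663 AccessMask that matter for a file audit (standard Win32 access rights).
    $verbs = @{ 0x1 = 'Read'; 0x2 = 'Write'; 0x4 = 'Append'; 0x10000 = 'Delete'; 0x40000 = 'ChangePerms'; 0x80000 = 'TakeOwnership' }

    # "Where from" is not in 4663. The only link is the Logon ID, which 4624 pairs with
    # the client's workstation name and IP address, so build a session lookup first.
    $sessions = @{}
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Start.AddHours(-12) } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $sessions[$d['TargetLogonId']] = "$($d['WorkstationName']) ($($d['IpAddress']))"
      }

    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $who  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        $mask = [int]$d['AccessMask']          # PowerShell parses the '0x..' string as hex
        $what = ($verbs.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $verbs[$_] }) -join ','
        if ($d['ObjectName'] -like "$PathFilter*" -and (-not $User -or $who -like "*\$User")) {
            [pscustomobject]@{
                When    = $_.TimeCreated
                Who     = $who
                What    = "$what $($d['ObjectName'])"
                Where   = $sessions[$d['SubjectLogonId']]   # $null for local or System sessions
                Process = $d['ProcessName']
            }
        }
      }
}

# Who touched the customer data in the last day, and from where?
Get-FileActivity | Sort-Object When | Format-Table -AutoSize
```

Two caveats a practitioner will hit immediately: a session that logged on before the 4624 window will show an empty Where column, and 4663 only records that a write or delete was granted, never the before and after content, so the second half of the "What" question above cannot be answered from native Windows logs at all. Both are per-server; every other file platform in the estate needs its own equivalent.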
Here’s what’s involved with STEALTHbits File Activity Monitor:
Pretty clear which list is more appealing, don’t you think?
The File Activity Monitor can be used as an easy-to-implement and cost-effective tactical solution or as a complementary offering for SIEM. I often refer to it as the Triage for SIEM – only sending the pertinent data with quality context.
The technology is taken from the core of our StealthINTERCEPT product which won the 2015 IBM Beacon Award for Outstanding Security Solution.
This brings us back to the Holy Grail. Is it as simple as Who, What, Where, When? No.
It’s also about getting that data efficiently, in real time and with quality context. It’s not about quantity; it is all about quality.
Mark Wilson is a Director of Product Management at STEALTHbits Technologies.
He is lead Pre-Sales consultant in the EMEA region and a key member of the global Product Marketing team.
Mark has 18 years’ experience in virtually all technical support and consulting roles across both the public and private sectors, in the UK, across EMEA and globally.
Areas of specialism include compliance, data governance, IAM, migrations and consolidations.
© 2022 Stealthbits Technologies, Inc.
Hi Mark,
I’m curious. Since your system uses an agent that is installed on the system being monitored, can this product be used to monitor file activity on a Windows server that is not joined to the domain? I can’t go into the details, but we have a server in our DMZ that can’t be joined to the domain, but it is critical that I develop or purchase an auditing solution for file access monitoring. This seems to be something that no one (no one that I’ve seen so far) does.
Hi Patrick,
We can certainly help!
The File Activity Monitor product can be used completely standalone, independent of an Active Directory domain. It was designed for situations just like yours, where a full-scale enterprise product isn’t required, but pure file activity auditing is critical.
We can also send this auditing data directly into a SIEM platform, depending on the configuration of your DMZ.
Here are a few of the File Activity Monitor queries you may find useful:
• Who accessed a particular folder/file on X day or during Y date range?
• Who renamed a particular folder/file on X day or during Y date range?
• Who deleted a particular folder/file on X day or during Y date range?
• Who created a particular folder/file?
• What did user x do on day y?
• What did user x do between days y and z?
• Administrator activity details?
We would be more than happy to organize a demonstration of File Activity Monitor, just let us know when would be good for you.
Kind Regards
Mark Wilson
Senior Solution Architect