The Holy Grail of File Activity Auditing is very easily summarized with the well known 5 ‘W’s and the ‘H’…or is it?
We can discount two of these straight away:
Why: The reason or sentiment behind why is virtually impossible to identify and certainly isn’t a binary, 1 or 0 thing. So let’s park this for another day.
How: This is certainly something that is important to data governance, but not specifically to activity auditing. Determining open access or compromised user accounts is also for another day. Please see the STEALTHbits Data Access Governance solutions for ‘How’.
Let’s take a look at what’s left, with a simple scenario:
An online retailer is concerned about the recently announced EU GDPR legislation. Despite being based in Canada, they hold personal data of European Citizens (among all other international customers). They have identified the location of this sensitive data but need to maintain a comprehensive audit of all activity.
The retailer needs to be able to answer, for any access to a sensitive file at any time, the four remaining ‘W’s – the Holy Grail of File Activity Auditing (or is it?):
Who: What AD user object performed the activity?
What: What object was read/updated/deleted/created? What was the change, before and after value?
Where: Where is/was the affected object located? Where was the AD user account used from?
When: At what time did the activity occur?
I’m sure you’ll agree that the four points above are critical for data compliance.
One of the issues with File Activity Monitoring is that this function is not easily available using native auditing. It’s even harder when you have more than one platform, each with its own auditing mechanism, i.e. Windows, EMC, NetApp and Hitachi.
Another challenge can be expense. Imagine if you’ve invested significantly in a SIEM platform and want to collate activity across your many file platforms. The last thing you want to do is invest in another full suite of products when all you need is Who, What, Where and When.
Have you ever tried to use a SIEM vendor’s native log gathering platform? Not the easiest or most reliable thing you’ll ever work with. Not to mention having to enable native logging in the first place.
Let’s look at what’s involved in using native logs and a SIEM log collector for Windows:
• Enable Native File Auditing
• Ensure sufficient space for large log files
• Enable the SIEM log collector
• Ingest (not in real time) vast quantities of logs
• Parse/Filter the logs for the useful data
  • Native file auditing can create 100+ events for a simple file action
• Apply Context to the data
• Create a Dashboard
• Maybe pay for each event ingested (90-95% of which you have no interest in)
• Report on the 5% of relevant data
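To make the native route concrete, here is an added example (my own PowerShell, not STEALTHbits code) that walks the first five steps above on a single Windows file server: it enables the File System audit subcategory, puts an audit entry (SACL) on a folder, then reads the resulting object-access events (Security log event ID 4663) and reduces them to Who, What, Where and When. The folder path C:\SensitiveData is a constructed placeholder, and the session is assumed to be elevated on the server being audited.

```powershell
# Added example (not STEALTHbits code): the native Windows route to Who/What/Where/When.
# Assumes an elevated PowerShell session on the file server and a constructed
# folder path C:\SensitiveData; change the path and the audited identity to suit.

# 1. Enable the "File System" object-access audit subcategory for success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL audit entry so access by any user is logged, inherited by subfolders and files.
$folder = 'C:\SensitiveData'
$acl = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles',   # rights to audit
    'ContainerInherit, ObjectInherit',                             # inherit to children
    'None',
    'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Pull object-access events (ID 4663, "An attempt was made to access an object")
#    for the last 24 hours and project out Who / What / Where / When.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # Keep only objects under the audited folder; everything else is the noise the post describes.
    if ($data['ObjectName'] -notlike "$folder*") { continue }
    [pscustomobject]@{
        When    = $e.TimeCreated                                            # When
        Who     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" # Who
        What    = $data['ObjectName']                                       # What object
        Access  = $data['AccessMask']                                       # requested rights (hex mask)
        Where   = $e.MachineName                                            # Where: the server that logged it
        Process = $data['ProcessName']
    }
}

# 4. One user action produces many 4663 events (handle open, one per access right, close).
#    Collapse them to one row per user / object / minute so the report reflects actions, not raw events.
$rows |
    Group-Object { '{0}|{1}|{2:yyyy-MM-dd HH:mm}' -f $_.Who, $_.What, $_.When } |
    ForEach-Object { $_.Group | Sort-Object When | Select-Object -First 1 } |
    Format-Table When, Who, What, Where, Access -AutoSize
```

Two caveats worth knowing before relying on this. The 4663 event records the server that logged it, not the workstation the user came from, so the second half of “Where” (where the account was used from) needs a separate correlation against logon events (ID 4624 carries the client IpAddress). And the “before and after value” part of “What” is not in the native event at all; object access auditing records that a file was opened for write, not what changed inside it.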
Here’s what’s involved with STEALTHbits File Activity Monitor:
• Install the Activity Monitor and configure it for the relevant platform
  • Windows, EMC, NetApp & Hitachi from a single point
• Start the Dashboard or, if using IBM QRadar SIEM, download the dashboard from the X-Force App Exchange
• Receive real-time alerts in the Monitor and SIEM
Pretty clear which list is more appealing, don’t you think?
The File Activity Monitor can be used as an easy-to-implement and cost-effective tactical solution or as a complementary offering for SIEM. I often refer to it as the Triage for SIEM – only sending the pertinent data with quality context.
The technology is taken from the core of our StealthINTERCEPT product which won the 2015 IBM Beacon Award for Outstanding Security Solution.
This brings us back to the Holy Grail. Is it as simple as Who, What, Where, When? No.
It’s also about getting that data efficiently, in real-time and with quality context. It’s not about quantity, it IS all about Quality.
I’m curious. Since your system uses an agent that is installed on the system being monitored, can this product be used to monitor file activity on a Windows server that is not joined to the domain? I can’t go into the details, but we have a server in our DMZ that can’t be joined to the domain, but it is critical that I develop or purchase an auditing solution for file access monitoring. This seems to be something that no one (no one that I’ve seen so far) does.
The File Activity Monitor product can be used completely stand-alone, independent of an Active Directory Domain. It was designed for situations just like yours, where a full-scale enterprise product isn’t required, but pure file activity auditing is critical.
We can also send this auditing data directly into a SIEM platform, depending on the configuration of your DMZ.
Here are a few of the File Activity Monitor queries you may find useful:
• Who accessed a particular folder/file on X day or during Y date range?
• Who renamed a particular folder/file on X day or during Y date range?
• Who deleted a particular folder/file on X day or during Y date range?
• Who created a particular folder/file?
• What did user x do on day y?
• What did user x do between days y and z?
• Administrator activity details?
We would be more than happy to organize a demonstration of File Activity Monitor, just let us know when would be good for you.
Senior Solution Architect