
ProTip – Protecting Sensitive Data Step-up Authentication


In prior ProTips we explored discovering sensitive data throughout the environment, managing access to that data, and monitoring it. Today’s ProTip adds another layer of protection for sensitive data in the event of a ransomware outbreak or of compromised credentials being used to steal data.

Step-Up Authentication

Creating the Investigation

First, we create an investigation that looks for users accessing sensitive data. Several things happen behind the scenes: first, data is discovered, classified and tagged. We could scope this investigation to just PCI data, GDPR data, and so on; however, for the purpose of this ProTip we have simply tagged all of the PII as “Sensitive Data” and will trigger the rule when anyone attempts to read the data.

In the investigations tab, we scope the users that we want to apply the rule to, the location(s) of the sensitive data, and the data type(s).

The great thing about investigations is that they are not only reusable but can be saved as alerts and will trigger anytime the condition is met. These alerts sit alongside the more sophisticated machine learning-generated alerts and give analysts another tool for identifying insider threats.

[Image: alert filters]

Action Groups & Playbooks

Now that we have the threat configured, we need to create the automated response and assign it to the threat.

Navigate to the Actions Engine and configure your Multi-Factor Authentication (MFA) solution. Here additional actions can be grouped, such as e-mailing additional notifications, alerting the SOC, etc. Any number of services can be integrated into threat responses and several are already configured out of the box.

[Image: Playbook configuration]

Actions can be grouped to create playbooks, and just like the threat we created earlier, can be reused and applied to other threats.

Threat Response Configuration

We have configured our threat to trigger when sensitive data is accessed, and the action we want to execute when the threat is triggered (in this case, prompting the user for additional authentication). Now we need to tie the two together by navigating to the Threat Configuration page and choosing the Threat Response that we want.

[Image: Threat configuration]


That’s it! You have just created a custom threat and response that will prompt a user for additional authentication when attempting to access sensitive data. Again, we could have scoped this threat in many different ways: narrowed to just one sensitive data type, limited to a particular file or folder, or given exceptions for specific users or groups. Additionally, we had the option of linking multiple actions into a Playbook that would execute a series of responses, which could have included locking the user out if they failed the step-up authentication check.
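The logic of the threat and playbook described above can be sketched in a few lines. This is an added conceptual example, not StealthDEFEND code or its API; the `Event`, `Threat` and `run_playbook` names, the sample events and the MFA, notify and lockout callbacks are all hypothetical.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

@dataclass
class Event:                      # one file-activity record (hypothetical shape)
    user: str
    path: str
    operation: str
    tags: frozenset               # classification tags found on the file

@dataclass
class Threat:                     # the saved investigation: who, where, what
    users: set                    # in-scope users; "*" means everyone
    locations: list               # glob patterns for the monitored locations
    tags: set                     # data types that count as sensitive
    operation: str = "read"
    exceptions: set = field(default_factory=set)

    def matches(self, ev):
        # Exceptions and the operation filter are checked before scope.
        if ev.user in self.exceptions or ev.operation != self.operation:
            return False
        in_scope = "*" in self.users or ev.user in self.users
        in_path = any(fnmatchcase(ev.path, pat) for pat in self.locations)
        return in_scope and in_path and bool(self.tags & ev.tags)

def run_playbook(ev, mfa_check, notify, lock_account):
    """Grouped actions: step-up challenge, notification, lockout on failure."""
    passed = mfa_check(ev.user)
    notify(f"step-up {'passed' if passed else 'FAILED'}: {ev.user} read {ev.path}")
    if not passed:
        lock_account(ev.user)
    return "verified" if passed else "locked-out"

def respond(threat, ev, **actions):
    return run_playbook(ev, **actions) if threat.matches(ev) else "no-threat"

def demo():
    # Constructed sample data: paths, users and MFA outcomes are made up.
    threat = Threat({"*"}, ["//fs01/hr/*"], {"Sensitive Data"},
                    exceptions={"svc_backup"})
    pii = frozenset({"Sensitive Data"})
    events = [Event("alice", "//fs01/hr/payroll.xlsx", "read", pii),
              Event("mallory", "//fs01/hr/payroll.xlsx", "read", pii),
              Event("svc_backup", "//fs01/hr/payroll.xlsx", "read", pii),
              Event("alice", "//fs01/public/menu.txt", "read", frozenset())]
    mfa_ok, locked, alerts = {"alice": True, "mallory": False}, [], []
    actions = dict(mfa_check=lambda u: mfa_ok.get(u, False),
                   notify=alerts.append, lock_account=locked.append)
    return [respond(threat, e, **actions) for e in events], locked, alerts
```

Only the first two events trigger the response: the service account is excluded by the exception list and the last file carries no sensitive tag.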


You can learn more about StealthDEFEND here. If you’re not already a STEALTHbits customer, click here to request a trial of StealthDEFEND.

© 2022 Stealthbits Technologies, Inc.
