Monitoring File Activity: Want the needle? Take a flamethrower to the haystack.

I know it’s so cliché, but it’s a great analogy. Trying to find the events that matter in your native file activity logs on Windows and NAS devices is like finding a needle in a haystack. These logs are so verbose, so performance-intensive, and so difficult to manage that most organizations don’t even bother with them.

But, anything can be in any file. Any file can be the one that sinks you. As a result, every file equals risk. And if I’m trying to manage my risk, I want information. I want to know who is accessing my data, who’s not, and which files aren’t being accessed at all. I want to know who is accessing data successfully and unsuccessfully. I also want to be able to identify patterns of activity indicative of bad actors doing bad things, like crypto ransomware attacks and data exfiltration activities.

In order to answer any of these questions, you first need to understand why relying on native logging is a fruitless effort.

1. Enablement – Turning on file activity audit logging isn’t as easy as flicking a switch. Simply enabling these logs can place so much performance burden on the system that it could just as easily bring it to its knees than provide any meaningful output.  Causing a system outage is good for security as no one can actually access the data, but I think we can all agree that’s bad for business.
2. Configuration – Even if we imagine all the systems you needed to enable auditing on were resourced well enough to handle the load, there’s still no central control panel within Microsoft’s or any NAS vendor’s technology to allow you to configure and tune the log output properly for all systems from a single place. This means you need to manage each system individually and monitor those systems via some other means to ensure the configurations you’ve set stay intact. This may be alright for a really small shop, but this doesn’t scale otherwise.
3. Comprehension – Did you know that simply opening, editing, saving, and closing a Microsoft Word document on a Windows file system will generate 230 events in the event log? What are you supposed to do with that? Additionally, many events lack complete detail, randomly omitting critical event attributes such as source and destination IP Addresses and Host Names. Furthermore, unless you’re an expert in various log sources, how would you know that seemingly disparate events spattered throughout the log actually correspond to one another to make up a higher-level activity? You won’t.

If you’re looking for a better approach and perhaps are tired of dealing with these aforementioned shortcomings, STEALTHbits has scalable, comprehensive, and affordable options for you. Depending on the questions you’re trying to answer and the other technologies you may have already invested in (like SIEM for example), you may need more or less of what STEALTHbits has to offer. Regardless of the option you choose, however, STEALTHbits’ file activity monitoring solutions eliminate the challenges associated with native logging and put you in complete control. Here’s a quick synopsis of what we have to offer:

It’s worth mentioning that any of STEALTHbits’ solutions can be easily integrated with other solutions like SIEM, DLP, IAM, and ITSM to fill critical gaps with concern to the visibility and capabilities needed to make these programs truly successful.

To learn more about STEALTHbits’ file activity monitoring capabilities, check out our File Activity Monitoring page.

Don’t miss a post! Subscribe to The Insider Threat Security Blog here:

Name

Email*