Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

Transcription

1 Making the difference between read to output, and read to copy GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION

2 MOST OF THE IMPORTANT DATA LOSS VECTORS DEPEND ON COPYING files in order to compromise security-sensitive data. However, detecting and investigating such incidents usually relies on object access logs or file monitoring solutions that only monitor basic file operations, such as read and write. These solutions can, at most, tell if someone accessed a file, but they cannot distinguish between cases where the file was output to the screen, or copied to another location. At the same time, they cannot identify the source of a data breach, in case multiple users had accessed the compromised records. In spite of these limitations, companies continue to rely on such solutions for their data security and compliance needs, in lack of technology that is able to detect more complex file operations, such as file copy or file rename. THE FOUNDATION OF DATA LOSS INCIDENTS - File copy and suspicious file activity Employee error and insider theft are the top two reasons for data breaches, according to the ACC Foundation s report on the state of cybersecurity. All the patterns where the main actor is the insider, significantly rely on file copy operations, attaching files to s or instant messaging conversations, or uploading files to the internet, in order to compromise the data. At the same time, those vectors that involve outsider attacks (ransomware, malware, access through third parties, vulnerability Figure 1: Reasons for data breaches according to ACC Foundation: The State of Cybersecurity Report. exploits, etc.) usually generate suspicious file activity that can be detected if proper tools are being used for file activity monitoring.

3 The INSIDER SUSPICIOUS FILE ACTIVITY When it comes to losing data because of insider theft or misuse, ability to see that someone has read or accessed a file is insufficient: - Reading files and outputting on the screen is part of everyday activities; - Multiple users may read the same file over a relatively small period of time; Hence, not looking deeper means that: - You will not know when data is put at risk by misuse or intentionally; - You cannot really enforce and monitor a corporate data management policy; - You cannot detect corporate policy breaches or employee privilege abuses; - In case of a data breach, you cannot accurately identify the culprit; Why? - For convenience: users like to keep at hand, the data they work with; - Because of lack of training and awareness; - For revenge, or when leaving the company; - For monetary benefits. How? - Copy files to unprotected network locations; - Copy files to removable media devices; - Copy files to local cloud sync folders; - Attach files to s or messaging applications; - Upload files via web browsers. THE TOP ACTION WAS PRIVILEGE ABUSE - AT 55% OF INCIDENTS WHERE INTERNAL ACTORS ABUSE THE ACCESS THEY HAVE BEEN ENTRUSTED WITH. According to the Verizon Data Breach Investigation Report 2015 How can advanced file monitoring technology help? Advanced file monitoring technology can deliver insights into how files move within a company, and make a distinction between a user who reads a file to output its contents on the screen, and a user who appears to read a file as part of a file copy operation. Thus, you are informed when files are being copied to local cloud sync folders, removable devices or unsecure network locations. In addition, such a solution would be able to alert and report on files being attached to clients or uploaded via the web browsers, enabling enforcement of corporate data management policies.

4 The INSIDER SUSPICIOUS FILE ACTIVITY Suspicious file activity is too important to ignore, when it comes to designing and implementing secure, corporate data management policies. Malware, misuse, cyberespionage generate suspicious activity which may help detecting such threats sooner. The hard part is the fact that, most of the times, you do not recognize suspicious file activity until you see it. This makes it very difficult to successfully detect such activity by having a static approach to file activity monitoring, relying on basic file operations. At most, monitoring basic file activity like file read and file write would contribute to detecting activity peaks or symmetrically recurring file access patterns, but are usually missing important pieces of information required to differentiate between normal activity and suspicious activity. They lack of depth when providing statistical trending information makes it impossible to determine if an activity peak is generated by an OS patch roll-out, or by a ransomware wreaking havoc on the file server. Also, no help comes from such solutions when it comes to real-time detection of more complex types of suspicious file activity, such as impersonated access to files or changes to files that should rarely (or never) change. Types of suspicious file activity Intense file access over a short period of time, by the same process or user (peaks); File activity occurring at the same time interval, by the same process (symmetrically recurring activity) Impersonated access to files, particularly when a privileged account is being used; File changes to files that should rarely, or never change (system files, configuration files, etc.) File activity outside work hours Files being archived in high numbers Threats it may be associated with Malware compromising data, ransomware, etc. Advanced Persistent Threats stealing data, hacker activity; Attempts to hide compromised accounts, hacker activity, APTs Web attacks like defacing (when web server configuration files or website source files are changed), malware (when OS system files are replaced, new drivers are installed, etc.) File activity outside work hours may indicate unauthorized access to data Such situations are prerequisites to data being prepared for exiting the perimeter and should be investigated How can advanced file monitoring technology help? Advanced file monitoring technology delivers enough information to detect real suspicious file activity like file access peaks or recurring file activity from the same process, impersonated access to files as well as file changes to important files, files being archived and activity outside work hours. All these which may help detecting potential threats to data security before it is too late.

5 Example: (1) Investigating a data loss incidents with classic tools For this case study, we will consider an organization manipulating security sensitive information residing in files. Users access the files on the company s file server for everyday activities. This organization uses file monitoring solutions to record and report on access to important files on the file server. At some point, the company is made aware that a file containing security sensitive information has leaked out. What did actually happen? STAGE 1 FILE TRAVELES to an unsecure location by breach of corporate policy Joe, one of the 82 users who accessed the file in issue during last week, has copied the file to his machine, although he was supposed to work with the file directly on the file server; He wanted better performance when editing the file. STAGE 2 misuse and convenience lead to FILE BEING COPIED to a removable device. Joe has not finish his work in time, and copies the file to a memory stick. He plans to continue working from home; STAGE3 DATA IS LOST Joe loses his memory stick, on his way home.

6 What did the file monitoring solutions on the file server report? STAGE 1 file travels to unsecure location causing a corporate policy breach At this stage, analyzing the object access events in the logs on the file server will show at least 82 events similar to the one in figure 4, all belonging to at least 82 users. Similarly, dedicated file monitoring solutions will report 82+ file read events from various users happening in the relevant time interval. There will be no indication that the file was copied, nor about the corporate policy breach In lack of endpoint file monitoring or log management, the analysis will end here with an inconclusive result. Figure 2: Object access event logged when reading a file as part of a copy operation Assuming that basic monitoring solutions were also deployed on Joe s workstation STAGE 1 file travels to unsecure location because of corporate policy breach At this stage, a similar events with the one in figure 4, containing file create and file write access types, will be recorded in the logs, or signaled by file monitoring solutions on Joe s workstation. But this is not out of the ordinary, as file editors use temporary local copies when working with files. Correlating the file read on the file server with the file write on the workstation, is a very difficult task, particularly when multiple users are involved. There will still be no indication that the file was copied, nor about the corporate policy breach STAGE 2 the file is being copied to the USB device Another read event will be recorded when the file is copied on the USB stick, together with a file create and a file write event, (depending on the type and capabilities of the monitoring solution). But it will be impossible to make a distinction between these and the frequent file reads and file writes that happen when the user edited the file as part of his job. There will be no indication of the file exiting the perimeter

7 (2) The same story, using advanced file monitoring technology Advanced file monitoring technology would have prevented such a data lost event from occurring. Such technology would enable alerting on corporate data management breaches, such as files being copied to unsecure locations, and would record all the relevant information in order to identify the entire context. How would an advanced file monitoring solution behave? STAGE 1 FILE TRAVELES to an unsecure location by breach of corporate policy - Advanced file monitoring solution detects the copy operation from the volume of file read operations; - An alert is triggered on file being copied, in real time; - The event is recorded in the file activity database. STAGE 2 should not occur anymore IF STAGE 2 STILL OCCURS misuse and convenience lead to FILE BEING COPIED to a removable device. - Advanced file monitoring solution detects file being copied to USB; - An alert is triggered signaling that a file has been copied to a USB device; - The event is recorded in the file activity database. STAGE 3 should not occur anymore. IF STAGE 3 STILL OCCURS DATA IS LOST - Advanced file monitoring solution delivers forensic investigation capabilities to accurately identify the context and the user responsible for the incident.

8 Conclusion Monitoring file activity is vital for data protection and compliance, but at the same time, it is a challenging task. Analyzing logs or monitoring basic file operations does not deliver true insight into what is happening with your files. Employee education is a good starting point and is always helpful in reducing the data loss risks, however, corporate data protection policies need to be enforced by proper monitoring processes in order to be effective. Advanced file monitoring technology can deliver functionality like: - Report on file copy and file movement; - Detect impersonated file access and the activity of users with administrative privileges; - Detect files being uploaded by browsers, copied to file sharing cloud sync folders, attached to clients or instant messaging conversations; - Detect files being archived and file activity outside work hours; - Filterable statistical trends for file activity; - Real-time alerting and advanced reporting; Such functionality can make the difference in preventing or investigating data loss incidents and can also integrate with existing SIEM solutions, in order to maintain single-point of reporting for compliance and data security processes. About TEMASOFT FileMonitor TEMASOFT FileMonitor is a real-time file access monitoring and change detection tool that delivers unique functionality. It relies on advanced technology built around a file system driver that performs low-level detection of file activity, and an in-memory correlation engine that looks at how data is manipulated by various processes. All these allow TEMASOFT FileMonitor to deliver accurate detection of complex file operations and all the corresponding information about who, when, where and how. For more information, please visit About TEMASOFT TEMASOFT is a provider of network security solutions with over 15years experience in the field. TEMASOFT is a Microsoft Gold ISV Partner since For more information, please visit