Making the difference between read to output, and read to copy
GOING BEYOND BASIC FILE AUDITING FOR DATA PROTECTION



MOST OF THE IMPORTANT DATA LOSS VECTORS DEPEND ON COPYING files in order to compromise security-sensitive data. However, detecting and investigating such incidents usually relies on object access logs or file monitoring solutions that only monitor basic file operations, such as read and write. These solutions can, at most, tell that someone accessed a file; they cannot distinguish between a file being output to the screen and a file being copied to another location. Nor can they identify the source of a data breach when multiple users have accessed the compromised records. In spite of these limitations, companies continue to rely on such solutions for their data security and compliance needs, for lack of technology able to detect more complex file operations, such as file copy or file rename.

THE FOUNDATION OF DATA LOSS INCIDENTS - File copy and suspicious file activity

Employee error and insider theft are the top two reasons for data breaches, according to the ACC Foundation's report on the state of cybersecurity. All the patterns where the main actor is an insider rely significantly on file copy operations, attaching files to emails or instant messaging conversations, or uploading files to the internet in order to compromise the data. At the same time, the vectors that involve outsider attacks (ransomware, malware, access through third parties, vulnerability exploits, etc.) usually generate suspicious file activity that can be detected if proper tools are used for file activity monitoring.

[Figure 1: Reasons for data breaches according to ACC Foundation: The State of Cybersecurity Report.]

THE INSIDER

When it comes to losing data because of insider theft or misuse, the ability to see that someone has read or accessed a file is insufficient:
- Reading files and outputting them on the screen is part of everyday activities;
- Multiple users may read the same file over a relatively short period of time.

Hence, not looking deeper means that:
- You will not know when data is put at risk, by misuse or intentionally;
- You cannot really enforce and monitor a corporate data management policy;
- You cannot detect corporate policy breaches or employee privilege abuses;
- In case of a data breach, you cannot accurately identify the culprit.

Why?
- For convenience: users like to keep the data they work with at hand;
- Because of lack of training and awareness;
- For revenge, or when leaving the company;
- For monetary benefits.

How?
- Copy files to unprotected network locations;
- Copy files to removable media devices;
- Copy files to local cloud sync folders;
- Attach files to emails or messaging applications;
- Upload files via web browsers.

"THE TOP ACTION WAS PRIVILEGE ABUSE - AT 55% OF INCIDENTS WHERE INTERNAL ACTORS ABUSE THE ACCESS THEY HAVE BEEN ENTRUSTED WITH." According to the Verizon Data Breach Investigation Report 2015

How can advanced file monitoring technology help?

Advanced file monitoring technology can deliver insights into how files move within a company, and make a distinction between a user who reads a file to output its contents on the screen and a user who appears to read a file as part of a file copy operation. Thus, you are informed when files are being copied to local cloud sync folders, removable devices or unsecure network locations. In addition, such a solution is able to alert and report on files being attached to email clients or uploaded via web browsers, enabling enforcement of corporate data management policies.

SUSPICIOUS FILE ACTIVITY

Suspicious file activity is too important to ignore when designing and implementing secure corporate data management policies. Malware, misuse and cyberespionage generate suspicious activity, and recognizing it may help detect such threats sooner. The hard part is that, most of the time, you do not recognize suspicious file activity until you see it. This makes it very difficult to detect such activity with a static approach to file activity monitoring that relies on basic file operations. At most, monitoring basic file activity like file read and file write contributes to detecting activity peaks or symmetrically recurring file access patterns, but it usually misses important pieces of information required to differentiate between normal activity and suspicious activity. The lack of depth in the statistical trending information makes it impossible to determine whether an activity peak is generated by an OS patch roll-out or by ransomware wreaking havoc on the file server. Such solutions also provide no help with real-time detection of more complex types of suspicious file activity, such as impersonated access to files or changes to files that should rarely (or never) change.

Types of suspicious file activity, and the threats each may be associated with:
- Intense file access over a short period of time, by the same process or user (peaks): malware compromising data, ransomware, etc.
- File activity occurring at the same time interval, by the same process (symmetrically recurring activity): Advanced Persistent Threats stealing data, hacker activity.
- Impersonated access to files, particularly when a privileged account is being used: attempts to hide compromised accounts, hacker activity, APTs.
- Changes to files that should rarely, or never, change (system files, configuration files, etc.): web attacks like defacing (when web server configuration files or website source files are changed), malware (when OS system files are replaced, new drivers are installed, etc.).
- File activity outside work hours: may indicate unauthorized access to data.
- Files being archived in high numbers: a prerequisite to data being prepared for exiting the perimeter; such situations should be investigated.

How can advanced file monitoring technology help?

Advanced file monitoring technology delivers enough information to detect real suspicious file activity: file access peaks or recurring file activity from the same process, impersonated access to files, changes to important files, files being archived and activity outside work hours. All of these may help detect potential threats to data security before it is too late.
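As an added example (not TEMASOFT FileMonitor's code), the following Python turns four of the activity types listed above into detection rules and runs them over a constructed event stream; the thresholds, the work-hours range and the protected-path list are assumptions chosen for the demo.

```python
"""Rules for the suspicious-activity types listed above (added example, not
TEMASOFT's code).  Events are constructed (ts, user, process, op, path) tuples
with ts as a UTC epoch; thresholds and the protected-path list are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timezone

PEAK_WINDOW, PEAK_LIMIT = 60, 50   # peak: more than 50 ops by one process in 60 s
ARCHIVE_LIMIT = 10                 # mass archiving: more than 10 archives created
WORK_HOURS = range(8, 18)          # 08:00-17:59 UTC counts as work hours
PROTECTED = ("C:\\Windows\\System32\\drivers\\", "C:\\inetpub\\wwwroot\\web.config")
ARCHIVE_EXT = (".zip", ".rar", ".7z")

def detect(events):
    """Return sorted, de-duplicated (rule, subject) findings for the event stream."""
    findings = set()
    recent = defaultdict(list)   # process -> timestamps inside the trailing window
    archives = Counter()         # process -> archive files created
    for ts, user, proc, op, path in sorted(events):
        # Peaks are keyed by process: the process name is what lets an analyst
        # tell a patch roll-out from ransomware once the alert fires.
        recent[proc] = [t for t in recent[proc] if ts - t <= PEAK_WINDOW] + [ts]
        if len(recent[proc]) > PEAK_LIMIT:
            findings.add(("access peak", proc))
        if op in ("write", "create") and path.startswith(PROTECTED):
            findings.add(("protected file changed", path))
        if op == "create" and path.lower().endswith(ARCHIVE_EXT):
            archives[proc] += 1
            if archives[proc] > ARCHIVE_LIMIT:
                findings.add(("mass archiving", proc))
        if datetime.fromtimestamp(ts, timezone.utc).hour not in WORK_HOURS:
            findings.add(("outside work hours", user))
    return sorted(findings)

# Constructed sample: a burst of writes at 10:00, a driver dropped at 10:10,
# and a dozen archives built at 23:00.
T_DAY = datetime(2016, 3, 1, 10, 0, tzinfo=timezone.utc).timestamp()
T_NIGHT = datetime(2016, 3, 1, 23, 0, tzinfo=timezone.utc).timestamp()
EVENTS = (
    [(T_DAY + i * 0.5, "svc_backup", "unknown.exe", "write", f"\\\\fs01\\docs\\f{i}.docx")
     for i in range(60)]
    + [(T_DAY + 600, "admin", "setup.exe", "write", "C:\\Windows\\System32\\drivers\\newdrv.sys")]
    + [(T_NIGHT + i * 2.0, "joe", "7z.exe", "create", f"\\\\fs01\\docs\\batch{i}.zip")
       for i in range(12)]
)
```

Impersonated access is left out because it needs the logon identity alongside the effective identity, which this event shape does not carry.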

Example:

(1) Investigating a data loss incident with classic tools

For this case study, we will consider an organization that handles security-sensitive information residing in files. Users access the files on the company's file server for everyday activities. This organization uses file monitoring solutions to record and report on access to important files on the file server. At some point, the company is made aware that a file containing security-sensitive information has leaked out.

What actually happened?

STAGE 1 - FILE TRAVELS to an unsecure location by breach of corporate policy
Joe, one of the 82 users who accessed the file in question during the last week, copied the file to his machine, although he was supposed to work with the file directly on the file server; he wanted better performance when editing the file.

STAGE 2 - Misuse and convenience lead to the FILE BEING COPIED to a removable device
Joe has not finished his work in time, and copies the file to a memory stick. He plans to continue working from home.

STAGE 3 - DATA IS LOST
Joe loses his memory stick on his way home.

What did the file monitoring solutions on the file server report?

STAGE 1 - file travels to an unsecure location, causing a corporate policy breach
At this stage, analyzing the object access events in the logs on the file server will show at least 82 events similar to the one in figure 4, belonging to at least 82 users. Similarly, dedicated file monitoring solutions will report 82+ file read events from various users in the relevant time interval. There will be no indication that the file was copied, nor of the corporate policy breach. For lack of endpoint file monitoring or log management, the analysis ends here with an inconclusive result.

[Figure 2: Object access event logged when reading a file as part of a copy operation]

Assuming that basic monitoring solutions were also deployed on Joe's workstation:

STAGE 1 - file travels to an unsecure location because of a corporate policy breach
At this stage, events similar to the one in figure 4, with file create and file write access types, will be recorded in the logs or signaled by the file monitoring solutions on Joe's workstation. But this is not out of the ordinary, as file editors use temporary local copies when working with files. Correlating the file read on the file server with the file write on the workstation is a very difficult task, particularly when multiple users are involved. There will still be no indication that the file was copied, nor of the corporate policy breach.

STAGE 2 - the file is copied to the USB device
Another read event will be recorded when the file is copied to the USB stick, together with a file create and a file write event (depending on the type and capabilities of the monitoring solution). But it will be impossible to distinguish these from the frequent file reads and file writes that happen when the user edits the file as part of his job. There will be no indication of the file exiting the perimeter.

(2) The same story, using advanced file monitoring technology

Advanced file monitoring technology would have prevented such a data loss event from occurring. Such technology enables alerting on corporate data management breaches, such as files being copied to unsecure locations, and records all the relevant information needed to reconstruct the entire context.

How would an advanced file monitoring solution behave?

STAGE 1 - FILE TRAVELS to an unsecure location by breach of corporate policy
- The advanced file monitoring solution detects the copy operation from the volume of file read operations;
- An alert is triggered on the file being copied, in real time;
- The event is recorded in the file activity database.

STAGE 2 should not occur anymore. IF STAGE 2 STILL OCCURS - misuse and convenience lead to the FILE BEING COPIED to a removable device:
- The advanced file monitoring solution detects the file being copied to USB;
- An alert is triggered signaling that a file has been copied to a USB device;
- The event is recorded in the file activity database.

STAGE 3 should not occur anymore. IF STAGE 3 STILL OCCURS - DATA IS LOST:
- The advanced file monitoring solution delivers forensic investigation capabilities to accurately identify the context and the user responsible for the incident.
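The read-to-copy distinction from the insider section and the STAGE 1 detection above, as an added example that is not the vendor's code: a minimal correlator that pairs a process's whole-file reads with its writes to another path and classifies the destination (removable device, cloud sync folder, network share) the way the alerts described here would. The event shape, file sizes, time window and removable drive letters are assumptions.

```python
"""Read-to-output vs read-to-copy: a toy correlation engine (added example,
not TEMASOFT FileMonitor's code).  Assumes a constructed event stream of
(ts, user, pid, process, op, path, nbytes) records, as a file-system driver or
audit log could feed a correlator, plus a table of source file sizes."""
from collections import defaultdict

COPY_WINDOW = 5.0             # seconds between last read and the matching write
REMOVABLE_DRIVES = {"E:"}     # assumption: drive letters mounted as removable
CLOUD_SYNC_DIRS = ("\\onedrive\\", "\\dropbox\\")

def classify_destination(path):
    p = path.lower()
    if p.startswith("\\\\"):
        return "network share"
    if any(d in p for d in CLOUD_SYNC_DIRS):
        return "cloud sync folder"
    if path[:2].upper() in REMOVABLE_DRIVES:
        return "removable device"
    return "local disk"

def correlate(events, file_sizes):
    """Return (copies, reads_to_output).  A copy is a process that read a whole
    file and, within COPY_WINDOW of its last read, wrote at least as many bytes
    to a different path; a whole-file read with no such write is read to output."""
    reads = defaultdict(lambda: [0, 0.0])   # (pid, src) -> [bytes read, last ts]
    written = defaultdict(int)              # (pid, dst) -> bytes written so far
    copies, output_reads = [], []
    for ts, user, pid, proc, op, path, n in sorted(events):
        if op == "read":
            reads[(pid, path)][0] += n
            reads[(pid, path)][1] = ts
        elif op == "write":
            written[(pid, path)] += n
            for (rpid, src), (rbytes, rts) in list(reads.items()):
                if rpid != pid or src == path or rbytes < file_sizes.get(src, float("inf")):
                    continue
                if written[(pid, path)] >= rbytes and ts - rts <= COPY_WINDOW:
                    copies.append({"user": user, "process": proc, "src": src,
                                   "dst": path, "dest_class": classify_destination(path)})
                    del reads[(rpid, src)]   # consumed: one copy per whole read
    for (pid, src), (rbytes, _) in reads.items():
        if rbytes >= file_sizes.get(src, float("inf")):
            output_reads.append(src)
    return copies, output_reads

# Constructed sample: jane views the file in Excel; joe copies it twice.
SRC = "\\\\fs01\\finance\\q3-report.xlsx"
FILE_SIZES = {SRC: 1_048_576}
EVENTS = [
    (100.0, "jane", 4410, "excel.exe", "read", SRC, 1_048_576),
    (200.0, "joe", 5120, "explorer.exe", "read", SRC, 524_288),
    (200.1, "joe", 5120, "explorer.exe", "read", SRC, 524_288),
    (200.3, "joe", 5120, "explorer.exe", "write", "E:\\q3-report.xlsx", 524_288),
    (200.4, "joe", 5120, "explorer.exe", "write", "E:\\q3-report.xlsx", 524_288),
    (300.0, "joe", 5120, "explorer.exe", "read", SRC, 1_048_576),
    (300.5, "joe", 5120, "explorer.exe", "write", "C:\\Users\\joe\\OneDrive\\q3-report.xlsx", 1_048_576),
]
```

With 82 users reading the same file, only joe's reads are paired with a matching write, which is the distinction the basic read/write logs in the case study cannot make.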

Conclusion

Monitoring file activity is vital for data protection and compliance, but at the same time it is a challenging task. Analyzing logs or monitoring basic file operations does not deliver true insight into what is happening with your files. Employee education is a good starting point and always helps reduce data loss risks; however, corporate data protection policies need to be enforced by proper monitoring processes in order to be effective. Advanced file monitoring technology can deliver functionality like:
- Report on file copy and file movement;
- Detect impersonated file access and the activity of users with administrative privileges;
- Detect files being uploaded by browsers, copied to file sharing cloud sync folders, attached to email clients or instant messaging conversations;
- Detect files being archived and file activity outside work hours;
- Filterable statistical trends for file activity;
- Real-time alerting and advanced reporting.

Such functionality can make the difference in preventing or investigating data loss incidents, and can also integrate with existing SIEM solutions in order to maintain a single point of reporting for compliance and data security processes.

About TEMASOFT FileMonitor

TEMASOFT FileMonitor is a real-time file access monitoring and change detection tool that delivers unique functionality. It relies on advanced technology built around a file system driver that performs low-level detection of file activity, and an in-memory correlation engine that looks at how data is manipulated by various processes. All this allows TEMASOFT FileMonitor to deliver accurate detection of complex file operations and all the corresponding information about who, when, where and how. For more information, please visit www.filemonitor.net

About TEMASOFT

TEMASOFT is a provider of network security solutions with over 15 years of experience in the field. TEMASOFT has been a Microsoft Gold ISV Partner since 2006.
For more information, please visit www.temasoft.com