Now that we have defined File Activity Monitoring it’s time to talk about why people are buying it, how it’s being used, and why you might want it.
Market Drivers
As I mentioned earlier the first time I saw FAM was when I dropped the acronym into the Data Security Lifecycle. Although some people were tossing the general idea around, there wasn’t a single product on the market. A few vendors were considering introducing something, but in conversations with users there clearly wasn’t market demand.
This has changed dramatically over the past two years, due to a combination of indirect compliance needs, headline-driven security concerns, and gaps in existing security tools. Although the FAM market is completely nascent, interest is slowly growing as organizations look for better handles on their unstructured file repositories.
We see three main market drivers:
- As an offshoot of compliance. Few regulations require continuous monitoring of user access to files, but quite a few require some level of audit of access control, particularly for sensitive files. As you’ll see later, most FAM tools also include entitlement assessment, and they monitor and clearly report on activity. We see some organizations consider FAM initially to help generate compliance reports, and later activate additional capabilities to improve security.
- Security concerns. The combination of APT-style attacks against sensitive data repositories, and headline-grabbing cases like Wikileaks, are driving clear interest in gaining control over file repositories.
- To increase visibility. Although few FAM deployments start with the goal of providing visibility into file usage, once a deployment starts it’s not uncommon to use it to gain a better understanding of how files are used within the organization, even if this isn’t to meet a compliance or security need.
FAM, like its cousin Database Activity Monitoring, typically starts as a smaller project to protect a highly sensitive repository and then grows to expand coverage as it proves its value. Since it isn’t generally required directly for compliance, we don’t expect the market to explode, but rather to grow steadily.
Business Justifications
If we turn around the market drivers, four key business justifications emerge for deployment of FAM:
- To meet a compliance obligation or reduce compliance costs. For example, to generate reports on who has access to sensitive information, or who accessed regulated files over a particular time period.
- To reduce the risk of major data breaches. While FAM can’t protect every file in the enterprise, it provides significant protection for the major file repositories that turn a self-constrained data breach into an unmitigated disaster. You’ll still lose files, but not necessarily the entire vault.
- To reduce file management costs. Even if you use document management systems, few tools provide as much insight into file usage as FAM. By tying usage, entitlements, and user/group activity to repositories and individual files, FAM enables robust analysis to support other document management initiatives such as consolidation.
- To support content discovery. Surprisingly, many content discovery tools (mostly Data Loss Prevention), and manual processes, struggle to identify file owners. FAM can use a combination of entitlement analysis and activity monitoring to help determine who owns each file.
Example Use Cases
By now you likely have a good idea how FAM can be used, but here are a few direct use cases:
- Company A deployed FAM to protect sensitive engineering documents from external attacks and insider abuse. They monitor the shared engineering file share and generate a security alert if more than 5 documents are accessed in less than 5 minutes; then block copying of the entire directory.
- A pharmaceutical company uses FAM to meet compliance requirements for drug studies. The tool generates a quarterly report of all access to study files and generates security alerts when IT administrators access files.
- Company C recently performed a large content discovery project to locate all regulated Personally Identifiable Information, but struggled to determine file owners. Their goal is to reduce sensitive data proliferation, but simple file permissions rarely indicate the file owner, which is needed before removing or consolidating data. With FAM they monitor the discovered files to determine the most common accessors – who are often the file owners.
- Company D has had problems with sales executives sucking down proprietary customer information before taking jobs with competitors. They use FAM to generate alerts based on both high-volume access and authorized users accessing older files they’ve never touched before.
As you can see, the combination of tying users to activity, with the capability to generate alerts (or block) based on flexible use policies, makes FAM interesting. Imagine being able to kick off a security investigation based on a large amount of file access, or low-and-slow access by a service or administrative account.
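As an added illustration of the policies in these use cases (example code written for this post, not any FAM product's logic), the script below runs three of the rules over a constructed file-access log: Company A's burst threshold, Company D's first touch of a stale file, and Company C's owner inference. The log format, user names, paths, history, modification times and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def parse(line):
    ts, user, path = line.split(" ", 2)  # constructed format: ISO-timestamp user path
    return datetime.fromisoformat(ts), user, path

# Constructed sample access log; alice opens six spec files in about two minutes.
LOG = """2024-01-08T09:00:05 alice /eng/spec-01.docx
2024-01-08T09:00:20 alice /eng/spec-02.docx
2024-01-08T09:00:41 alice /eng/spec-03.docx
2024-01-08T09:01:02 alice /eng/spec-04.docx
2024-01-08T09:01:30 alice /eng/spec-05.docx
2024-01-08T09:02:10 alice /eng/spec-06.docx
2024-01-08T09:05:00 bob /eng/spec-01.docx
2024-01-08T09:30:00 bob /eng/spec-01.docx
2024-01-08T10:00:00 carol /eng/spec-01.docx
2024-01-08T10:12:00 dave /hr/salaries-2019.xlsx""".splitlines()
EVENTS = [parse(l) for l in LOG]
HISTORY = {("bob", "/eng/spec-01.docx")}  # constructed: (user, path) pairs seen before today
MTIMES = {"/hr/salaries-2019.xlsx": datetime(2019, 3, 1)}  # constructed last-modified times

def burst_alerts(events, max_files=5, window=timedelta(minutes=5)):
    """Company A's rule: one user touches more than max_files distinct files inside window."""
    by_user = defaultdict(list)
    for ts, user, path in sorted(events):
        by_user[user].append((ts, path))
    alerts = set()
    for user, hits in by_user.items():
        for i, (t0, _) in enumerate(hits):  # slide the window from each access
            if len({p for t, p in hits[i:] if t - t0 < window}) > max_files:
                alerts.add(user)
                break
    return alerts

def stale_first_touch(events, history, mtimes, max_age=timedelta(days=365)):
    """Company D's rule: a user's first-ever access to a file untouched for over max_age."""
    seen, hits = set(history), []
    for ts, user, path in sorted(events):
        if (user, path) not in seen and ts - mtimes.get(path, ts) > max_age:
            hits.append((user, path))
        seen.add((user, path))
    return hits

def likely_owners(events):
    """Company C's heuristic: the most frequent accessor of a file is probably its owner."""
    counts = defaultdict(Counter)
    for _, user, path in events:
        counts[path][user] += 1
    return {path: c.most_common(1)[0][0] for path, c in counts.items()}
```

With this log, alice trips the burst rule, dave's first touch of the 2019 spreadsheet trips the stale-file rule, and bob is inferred as the owner of spec-01 because he is its most frequent accessor.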
File Activity Monitoring vs. Data Loss Prevention
The relationship between FAM and DLP is interesting. These two technologies are extremely complementary – so much that in one case (as of this writing) FAM is a feature of a DLP product – but they also achieve slightly different goals.
The core value of DLP is its content analysis capabilities; the ability to dig into a file and understand the content inside. FAM, on the other hand, doesn’t necessarily need to know the contents of a file or repository to provide value. Certain access patterns themselves often indicate a security problem, and knowing the exact file contents isn’t always needed for compliance initiatives such as access auditing.
FAM and DLP work extremely well together, but each provides plenty of value on its own.
3 Replies to “FAM: Market Drivers, Business Justifications, and Use Cases”
Bly-
1. Varonis, Imperva, and Symantec (via the DLP product).
2. No. First, it’s a new tech with only a few references. Second, the ones I *do* know haven’t given me permission to mention them by name. This is early market, so if your company tends to lag they may resist FAM.
3. Creating new file shares? No, I’m unaware if the products can handle that scenario. We’ll need the vendors to speak up.
Bly,
On #1: We (Imperva) have a FAM solution. There are a couple of other vendors, which I think have been mentioned in previous posts, but we are the only one that has policy-based alerts, as far as I know.
On #2: We can provide customer references, feel free to contact us. We’re preparing some customer case studies for public consumption, but they’re not posted yet.
On #3: You didn’t really specify this, but I assume these are “internal users”, which are really the only people with access to your internal network and file systems; otherwise you are presumably dealing with them via a perimeter solution like a firewall. Once a user is accessing/trying to access your files, our FAM solution can alert in real-time on these events. We know the user name, source IP, file and path—as well as other details. At that point, your admin can take the alert and begin a workflow process. For example, if they did not have sufficient rights, you could initiate a dialog with them to see if they need/want those rights.
Hope that helps,
Raphael
Hi Rich,
Your posts on File Activity Monitoring are very helpful, and have convinced me that our organization needs a FAM system. I would appreciate your feedback (and the feedback of other readers) on the following questions:
1) What companies are currently providing FAM systems? And, what are the names of their respective products?
2) Can you identify some actual companies that are using FAM systems? Your post gives some example use cases, but to convince the “powers that be” to allocate more money for FAM, we will need to demonstrate that other companies are already doing so (i.e., we aren’t trailblazers, but will invest in upgrades when other companies are doing the same—even when they are in different industries).
3) Are you aware of FAM systems (or any other systems for that matter) that will allow us to achieve the following:
When a remote user attempts to begin a file share session on our network for access to certain pre-defined files, a real-time alert is sent to the network manager. The alert provides identification information about the remote device and the files the user is attempting to access. The network manager responds to the alert by granting access (i.e., allowing user to create a file share session) or by denying access.
* Do you know systems that will let us do this?
Thanks in advance!