Blog

Introduction to File Activity Monitoring

By Rich

A new approach to an old problem

One of the more pernicious problems in information security is allowing someone to perform something they are authorized to do, but catching when they do it in a potentially harmful way. For example, in most business environments it’s important to allow users broad access to sensitive information, but this exposes us to all sorts of data loss/leakage scenarios. We want to know when a sales executive crosses the line from accessing customer information as part of their job, to siphoning it for a competitor.

In recent years we have adopted tools like Data Loss Prevention to help detect data leaks of defined information, and Database Activity Monitoring to expose deep database activity and potentially detect unusual activity. But despite these developments, one major blind spot remains: monitoring and protecting enterprise file repositories.

Existing system and file logs rarely offer the level of detail needed to truly track activity, generally don’t correlate across multiple repository types, don’t tie users to roles/groups, and don’t support policy-based alerts. Even existing log management and Security Information and Event Management tools can’t provide this level of information.

Four years ago when I initially developed the Data Security Lifecycle, I suggested to a technology called File Activity Monitoring. At the time I saw it as similar to Database Activity Monitoring, in that it would give us the same insight into file usage as DAM provides for database access. Although the technology didn’t yet exist it seemed like a very logical extension of DLP and DAM.

Over the past two years the first FAM products have entered the market, and although market demand is nascent, numerous calls with a variety of organizations show that interest and awareness are growing. FAM addresses a problem many organizations are now starting to tackle, and the time is right to dig into the technology and learn what it provides, how it works, and what features to look for.

Imagine having a tool to detect when an administrator suddenly copies the entire directory containing the latest engineering plans, or when a user with rights to a file outside their business unit accesses it for the first time in 3 years. Or imagine being able to hand an auditor a list of all access, by user, to patient record files. Those are merely a few of the potential uses for FAM.

Defining FAM

We define FAM as:

Products that monitor and record all activity within designated file repositories at the user level, and generate alerts on policy violations.

This leads to the key defining characteristics:

  • Products are able to monitor a variety of file repositories, which include at minimum standard network file shares (SMB/CIFS). They may additionally support document management systems and other network file systems.
  • Products are able to collect all activity, including file opens, transfers, saves, deletions, and additions.
  • Activity can be recorded and centralized across multiple repositories with a single FAM installation (although multiple products may be required, depending on network topology).
  • Recorded activity is correlated to users through directory integration, and the product should understand file entitlements and user/group/role relationships.
  • Alerts can be generated based on policy violations, such as an unusual volume of activity by user or file/directory.
  • Reports can be generated on activity for compliance and other needs.

You might think much of this should be possible with DLP, but unlike DLP, File Activity Monitoring doesn’t require content analysis (although FAM may be part of, or integrated with, a DLP solution). FAM expands the data security arsenal by allowing us to understand how users interact with files, and identify issues even when we don’t know their contents. DLP, DAM, and FAM are all highly complementary.

Through the rest of this series we will dig more into the use cases, technology, and selection criteria.

Note – the rest of the posts in the series will appear in our Complete Feed.

No Related Posts
Comments

Hi,
Interesting concept FAM and well explained. But I have a slight correction to make in my opinion. In real world there are quite a few open source repository vendors and they do facilitate most of aforementioned facts. i.e JackRabbit, WSO2 G-Reg etc. And they do support subscription to certain events on the repository. But monitoring is critical and it should not coupled with the repository!. Hence I would think a product that is easily interfaced with any repository vendor (through their extension points) is ideal for this and it will provide a loosely coupled production ready FAM system. i.e WSO2 Business Activity Monitor is such an example where we can write our own event publishers using Apache Thrift protocol and publish events externally and WSO2 BAM is a very scalable and has so many features to interms of monitoring.

By Subash Chaturanga


Hi Rich,
I think your definition for FAM is great.
However, I do think real-time alerting and blocking is important and should be part of the FAM definition. I agree that not many people will start with blocking, but I think the numbers will be bigger than on the DAM side since people “understand” files and are less afraid that blocking will interfere with regular business processes.

Also, I saw you mentioned user rights management. It’s true that the definition of File Activity Monitoring should not necessarily include user rights management, but I think that currently the driver for most organizations looking for a FAM solution involves user rights management (finding excessive rights and managing the ACLs). They use the monitoring, alerting and blocking capabilities of FAM for the following reasons:
1. A second layer of protection on top of the ACLs
2. Once the ACLs are in order, they use FAM for alerting the file owners when file permissions change
3. Finding unused file permissions – these permissions might be excessive and in some cases can be removed
4. Finding file owners – this is a huge problem for customers as the “owner” information on files is usually not up-to-date and finding the owners is the first step in defining who should get access to the file and how should the file be secured. This is a problem DLP vendors are struggling with from our conversations with them. Using FAM we can find the most active users accessing the files, which are either the owners or can point to the owners.

By Ayal Yogev


>>
AM has been around for a long, long time. There are/were a bunch of products that could watch everything a user does, and most of them failed.
<<

I fondly remember using a fancy 3D trackball and SGI Oxygen’s to support my Silent Runner installation (Pre-Raytheon aquisiton) after cutting my teeth writing filters for use in Shadow.  Ah, the bad old days.

Anyway, looking forward to this series.

 

By ds


ds,

AM has been around for a long, long time. There are/were a bunch of products that could watch everything a user does, and most of them failed.

I think we still need to compartmentalize FAM because, in practical terms, that is people’s focus.

Varonis was the first product in this space, but although they offered entitlement management for many years the full FAM capabilities are relatively (past couple of years) recent.

I count Sharepoint in with FAM (as you’ll see) and other document management systems. Not Exchange though, since that’s typically managed differently (not always, you sound like you do it, but typically).

By Rich


I think you are a bit late, defining a segment that has expanded somewhat over the last few years to the point that your definition doesn’t apply.  I’d just call it AM. 

I’m most familiar with Varonis, a product I’ve been using for some time now.  While it started out monitoring file activity, it now also covers SharePoint and even Exchange email boxes and calendars. 

Essentially, any repository of data that has a potential for multi-user access poses a problem of “who did what when”.  Activity Monitoring solves that in a comprehensive way only when it has comprehensive visibility and any product limited to only files isn’t worth considering.

By ds


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.