What to Look for When Monitoring File Activity on File Server

by Aidan Simister | 09.16.2019 | Auditing

Monitoring file activity is not as straightforward as it sounds. In order to detect and respond to suspicious or troublesome file activity, we need to know in advance what we are actually looking for: which events matter, on which files, and at what rate. Below are 8 of the most common scenarios that can compromise either the security or integrity of our critical files, along with a brief summary of how LepideAuditor can help us resolve them.

1. An employee copies valuable business data onto a portable drive

An employee decides to leave the company. However, before leaving they decide to copy lots of valuable business data onto a portable drive, in order to sell, or share with a competitor.

Using LepideAuditor we can view a summary of a specific employee's activity within a given timeframe to see which files they read, and therefore may have copied. Note that a file server's audit trail records the reads on the server; the write to the portable drive happens on the employee's workstation and is not visible to server-side auditing. We can also set up a real-time alert if a certain number of files are read in quick succession by one account, which is what a bulk copy looks like from the server's point of view.

2. A privileged user accidentally modifies the permissions of a file

A privileged user accidentally modifies the permissions of a given file, thus preventing other users from accessing it.

Using LepideAuditor we can receive real-time alerts when file permissions are changed, and/or view a summary of activity to see who modified the permissions, and when, so the previous permissions can be restored.

3. An employee accidentally deletes, renames or moves a file

An employee accidentally deletes, renames or moves a file to a different location, thus preventing other users from finding it.

Using LepideAuditor we can view a summary of events to see who deleted, renamed or moved the file, when, and (for a rename or move) what its new name or location is.

4. An employee modifies a file's content

An employee modifies the contents of a file such that it destroys the integrity of the data contained within it.

Using LepideAuditor we can see who modified the contents of the file, and when, which tells us which backup or previous version to restore from.

5. A large number of files have been encrypted

A large number of files have been rewritten or renamed within a short period of time, indicating that a ransomware attack may have been initiated. Audit logs do not show that a file was encrypted as such; what they show is one account modifying and renaming many files far faster than a person would, which is the signature we alert on.

Using LepideAuditor we can automatically detect and respond to events that match a pre-defined threshold condition. If X files have been modified or renamed within a short period of time, a custom script can be executed to prevent the attack from spreading. Actions may include disabling the user account, stopping a specific process, changing the firewall settings, shutting down the affected server, and more. The threshold needs tuning per environment: set it too low and legitimate bulk operations (a backup job, a mass rename by an administrator) will trigger the response.

6. An administrator wants to restrict file access

An administrator wants to restrict access to a file to ensure that access is only granted to those who need it. However, they don't know who should or shouldn't have access to that file.

Using LepideAuditor we can see who has access to a specific file, through which permissions, and how often they actually use it. This information can also be correlated with the reasons why they were granted access in the first place. Using this information, the administrator can make an informed choice about who should or shouldn't have access to the file; accounts that hold access but never use it are the obvious candidates for removal. Naturally, access rights can be granted or revoked on an ad-hoc basis.

7. A sensitive file is accessed outside of typical work hours

A file containing sensitive data is accessed outside of typical work hours, indicating that something suspicious could be taking place.

In the event that someone is accessing sensitive data during hours that are unusual for that particular user (rather than a single fixed window for everyone), LepideAuditor can send a real-time alert to the administrator's inbox or mobile phone, enabling them to quickly investigate the situation.
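Scenarios 1, 5 and 7 above are all the same kind of check: per-account event counting over a sliding time window, plus a time-of-day test for sensitive paths. The following is an added example, not code from the original post or from LepideAuditor, showing that logic run over a constructed sample audit trail. The log format, the account names, the UNC paths, the thresholds and the 08:00-18:00 working window are all assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample audit trail (not real LepideAuditor output). One event per
# line: ISO timestamp, account, action, UNC path. Action names follow the
# categories of Windows object-access auditing. Chronological order is not
# required; parse_log() sorts.
SAMPLE_LOG = r"""
2019-09-15T11:00:00 CORP\carol WRITE \\fs01\hr\review.docx
2019-09-16T09:00:12 CORP\jdoe READ \\fs01\finance\q3-forecast.xlsx
2019-09-16T09:00:13 CORP\jdoe READ \\fs01\finance\q3-budget.xlsx
2019-09-16T09:00:15 CORP\jdoe READ \\fs01\finance\vendors.csv
2019-09-16T09:00:16 CORP\jdoe READ \\fs01\finance\pricing-2019.docx
2019-09-16T09:00:18 CORP\jdoe READ \\fs01\finance\customers.csv
2019-09-16T09:00:20 CORP\jdoe READ \\fs01\finance\contracts.pdf
2019-09-16T10:15:00 CORP\bob READ \\fs01\hr\onboarding.docx
2019-09-16T10:16:40 CORP\admin1 PERMCHANGE \\fs01\shared\policy.docx
2019-09-16T11:02:10 CORP\bob RENAME \\fs01\shared\draft.docx
2019-09-16T13:30:01 CORP\mallory RENAME \\fs01\shared\notes.docx
2019-09-16T13:30:03 CORP\mallory RENAME \\fs01\shared\minutes.docx
2019-09-16T13:30:04 CORP\mallory RENAME \\fs01\shared\roadmap.pptx
2019-09-16T13:30:06 CORP\mallory RENAME \\fs01\shared\plan.xlsx
2019-09-16T13:30:08 CORP\mallory RENAME \\fs01\shared\readme.txt
2019-09-17T02:13:44 CORP\alice READ \\fs01\hr\salaries.xlsx
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    path: str


def parse_log(text):
    """Parse the four-field log format above into Events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), user, action, path))
    return sorted(events, key=lambda e: e.ts)


# Burst thresholds per action: (event count, window in seconds). These values
# are assumptions for the example; tune them against your own baseline.
BURST_THRESHOLDS = {
    "READ": (5, 60),     # scenario 1: bulk read looks like a copy-out
    "WRITE": (5, 30),    # scenario 5: mass rewrite
    "RENAME": (5, 30),   # scenario 5: mass rename (extension change)
    "DELETE": (5, 30),
}


def detect_bursts(events, thresholds=BURST_THRESHOLDS):
    """Sliding-window count per (user, action). Fires once, when the count
    inside the window first reaches the threshold. Returns
    (user, action, count, timestamp) tuples."""
    windows = defaultdict(deque)
    alerts = []
    for e in events:
        if e.action not in thresholds:
            continue
        count, seconds = thresholds[e.action]
        w = windows[(e.user, e.action)]
        w.append(e.ts)
        # Drop timestamps that have fallen out of the window.
        while (e.ts - w[0]).total_seconds() > seconds:
            w.popleft()
        if len(w) == count:
            alerts.append((e.user, e.action, len(w), e.ts))
    return alerts


# Assumed working window and assumed sensitive shares for the example.
WORK_HOURS = (time(8, 0), time(18, 0))
SENSITIVE_PREFIXES = ("\\\\fs01\\hr\\", "\\\\fs01\\finance\\")


def detect_off_hours(events, sensitive=SENSITIVE_PREFIXES, hours=WORK_HOURS):
    """Flag any access to a sensitive path at the weekend or outside the
    working window (scenario 7). A real deployment would replace the single
    fixed window with a per-user baseline of observed hours."""
    start, end = hours
    prefixes = tuple(p.lower() for p in sensitive)
    alerts = []
    for e in events:
        if not e.path.lower().startswith(prefixes):
            continue
        off_hours = e.ts.weekday() >= 5 or not (start <= e.ts.time() < end)
        if off_hours:
            alerts.append((e.user, e.action, e.path, e.ts))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bursts(evs):
        print("BURST    ", a)
    for a in detect_off_hours(evs):
        print("OFF-HOURS", a)
```

On the sample above this raises two burst alerts (jdoe's six reads of finance files in eight seconds, and mallory's five renames in seven seconds) and two off-hours alerts (carol's Sunday write and alice's 02:13 read under the HR share); bob's single rename and admin1's permission change stay below threshold. Per-(user, action) windows matter: counting across all users would let ordinary daytime load trip the threshold, and counting across all actions would mix reads with the rename storm you actually want to isolate.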

8. Administrator wants to revoke file access

An employee leaves the company and the administrator wants to ensure that the employee can no longer access any of the files.

LepideAuditor can automatically detect and manage inactive user accounts, disabling them and thus revoking access to every file the account could reach, without having to edit each file's permissions individually.

Naturally, when monitoring file activity, it is important to prioritize. We do not have unlimited resources, and we don't want to be receiving real-time alerts every time a file is accessed, modified, moved or deleted. Providing we are able to quickly answer who, what, where and when whenever a critical change is made to our sensitive files, we will be in a much better position to keep them secure and accessible, as well as to satisfy the relevant compliance requirements.

If you want to check for yourself how LepideAuditor helps improve file activity monitoring, download its 15-day free trial now.
