Monitoring file activity is not as straightforward as it sounds. After all, in order to detect and respond to suspicious or troublesome file activity, we need to know in advance what it is we are actually looking for. Below are 8 of the most common scenarios that can compromise either the security or integrity of our critical files, along with a brief summary describing how LepideAuditor can help us resolve them.
1. An employee copies valuable business data onto a portable drive
An employee decides to leave the company. However, before leaving they decide to copy lots of valuable business data onto a portable drive, in order to sell, or share with a competitor.
Using LepideAuditor we can view a summary of a specific employee’s activity within a given timeframe to see what files they may have copied. We can also set up a real-time alert if a certain number of files are copied in quick succession.
2. A privileged user accidentally modifies the permissions of a file
A privileged user accidentally modifies the permissions of a given file, thus preventing other users from accessing it.
Using LepideAuditor we can receive real-time alerts when file permissions are changed, and/or view a summary of activity to see who modified the permissions, and when.
3. An employee accidentally deletes, renames or moves a file
An employee accidentally deletes, renames or moves a file to a different location, thus preventing other users from finding it.
Using LepideAuditor we can view a summary of events to see why the file is no longer accessible.
4. An employee modifies a file’s content
An employee modifies the contents of a file such that it destroys the integrity of the data contained within it.
Using LepideAuditor we can see who modified the contents of the file, and when.
5. A large number of files have been encrypted
A large number of files have been encrypted within a short period of time indicating that a ransomware attack may have been initiated.
Using LepideAuditor we can automatically detect and respond to events that match a pre-defined threshold condition. If X number of files have been encrypted within a short period of time, a custom script can be executed to prevent the attack from spreading. Actions may include disabling a user account, stopping a specific process, changing the firewall settings, shutting down the affected server, and more.
6. An administrator wants to restrict file access
An administrator wants to restrict access to a file to ensure that access is only granted to those who need it. However, he/she doesn’t know who should or shouldn’t have access to that file.
Using LepideAuditor we can see who has access to a specific file, why, and how often. This information can also be correlated with the reasons why they were granted access in the first place. Using this information, the administrator can make an informed choice about who should or shouldn’t have access to the file. Naturally, access rights can be granted or revoked on an ad-hoc basis.
7. A sensitive file accessed outside of typical work hours
A file containing sensitive data is accessed outside of typical work hours, indicating that something suspicious could be taking place.
In the event that someone is accessing sensitive data during hours that are unusual for that particular user, LepideAuditor can send a real-time alert to the administrator’s inbox or mobile phone, enabling them to quickly investigate the situation.
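The two detection rules behind scenarios 5 and 7 (a threshold on rename/modify events per user inside a short window, and sensitive-file access outside a user's typical hours) can be expressed in a few dozen lines. The following is an added example and not LepideAuditor's code; the log format, file paths, per-user working-hour baselines and thresholds are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample file-activity records (not real audit output).
# Each line: timestamp|user|action|path
SAMPLE_LOG = """\
2024-03-04 09:00:10|alice|READ|/finance/q1.xlsx
2024-03-04 09:00:11|bob|RENAME|/share/a.docx -> /share/a.docx.locked
2024-03-04 09:00:12|bob|RENAME|/share/b.docx -> /share/b.docx.locked
2024-03-04 09:00:13|bob|RENAME|/share/c.docx -> /share/c.docx.locked
2024-03-04 09:00:14|bob|RENAME|/share/d.docx -> /share/d.docx.locked
2024-03-04 09:00:15|bob|RENAME|/share/e.docx -> /share/e.docx.locked
2024-03-04 02:15:00|alice|READ|/hr/salaries.xlsx
2024-03-04 10:30:00|carol|READ|/hr/salaries.xlsx
"""
BURST_ACTIONS = {"RENAME", "MODIFY"}        # how mass encryption shows up in a file audit trail
SENSITIVE_PREFIXES = ("/finance/", "/hr/")   # hypothetical locations of sensitive data
# Hypothetical per-user baseline of typical working hours (start, end), assumed for this example.
WORK_HOURS = {"alice": (time(8), time(18)), "carol": (time(8), time(18))}

def parse_log(text):
    """Parse pipe-delimited records into (datetime, user, action, path) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        ts, user, action, path = line.split("|", 3)
        rows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, action, path))
    return sorted(rows)

def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Scenario 5: alert once per user when >= threshold rename/modify events fall inside one window."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, user, action, _ in events:
        if action not in BURST_ACTIONS:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:            # drop events that have slid out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, len(q)))
    return alerts

def detect_off_hours(events, work_hours=WORK_HOURS, sensitive=SENSITIVE_PREFIXES):
    """Scenario 7: alert on sensitive-file access outside the user's baseline (or with no baseline)."""
    alerts = []
    for ts, user, _, path in events:
        if not path.startswith(sensitive):
            continue
        hours = work_hours.get(user)
        if hours is None or not (hours[0] <= ts.time() <= hours[1]):
            alerts.append((user, ts, path))
    return alerts
```

Run `detect_bursts(parse_log(SAMPLE_LOG))` and `detect_off_hours(parse_log(SAMPLE_LOG))` to see bob's five renames within one minute and alice's 02:15 read of the HR file flagged, while carol's daytime access is not.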
8. Administrator wants to revoke file access
An employee leaves the company and the administrator wants to ensure that the employee can no longer access any of the files.
LepideAuditor can automatically detect and manage inactive user accounts, and thus revoke access to the files their account had access to.
Naturally, when monitoring file activity, it is important to prioritize. After all, we do not have unlimited resources, and thus we don’t want to be receiving real-time alerts every time a file is accessed, removed, modified or deleted. However, provided we are able to quickly answer the questions of who, what, where and when whenever critical changes are made to our sensitive files, we will be in a much better position to keep them secure and accessible, as well as to satisfy the relevant compliance requirements.