Why FileAuditor? SearchInform customer gives an elaborate answer
SearchInform customer — scientific technological pharmaceutical company — has deployed FileAuditor, a DCAP system, and shared the first impression with the company. The purpose of file storage control became especially urgent after the company had introduced the concept of trade secret. The CEO emphasised a few reasons why the system had been purchased and what changes can still be made to FileAuditor to enhance its functions.
1. Detecting trade secret documents in a data flow
Everyone tries to prevent a data breach, although data at rest is as much of an issue. It is important to know both where corporate assets are located and whether they aren’t leaked. The problem of monitoring files stored on file servers and user workstations has always been crucial.
Especially urgent the issue arose after the introduction of trade secret when the move was made from cybersecurity to protection of particular information and data flow monitoring. Thus when the information security began to be perceived not as defense from imaginary hackers but as deploying comprehensive protection of quite real assets and specified data important for business.
During the introduction of trade secret it’s not enough to configure its control in a DLP system. There should be clear understanding who the owner of this information is, within what activities information is created and processed, which types of documents contain it. A unique information model should be built for each point from the list which comprises this trade secret.
In most cases it seems impossible to ask a data owner as people might not know the whole picture. They know only their part of work and have a slight idea which report falls into the trade secret category, which document is part of know-how. And therefore, it’s difficult to get the information what documents are really valuable for a company.
The quality of data protection is directly impacted. One can choose whether to protect something abstract while a DLP system deals with loads of false alerts or vice versa — overlooks incidents.
2. DCAP systems
There have been RMS (Rights Management Systems) present on the market which weren’t applied everywhere. Modern version of such, for example, Azure RMS, are conceptually alright but still aren’t that fitting or multipurpose and appear to demand a lot of effort.
Audit of requests to files could be done with the help of operating system tools together with log analysis systems. But this way the load on file servers is unacceptably high and it’s definitely not comfortable to operate like that.
Varonis is a solid solution, although it might be best for those whose information security is focused on file server security. The majority of businesses have to cover many potential security loopholes, and file server protection is only one of the tasks. Companies can’t afford purchasing several huge solutions for each vulnerable area.
Netwrix Auditor happened to exploit the same functional of operating system logging which overloaded servers and workstations.
That’s why opting for SearchInform FileAuditor allowed to obtain an integrated solution within the whole set of SearchInform internal threat mitigation platform.
3. How does FileAuditor work?
SearchInform DLP system has a workstation indexing component (e-Discovery mechanism) that finds files in accordance with specified rules in the entire array of workstations and servers. Analysis of the logs with the help of the FileController module which the DLP system incorporated used to give an idea of who was accessing them. The audit of access rights was performed using a self-written script and all this was uploaded to the data analytics system (Power BI). This allowed a specialist to draw up basic profiles of information objects: who used the information, where it was stored, where it was transmitted.
On the basis of the basic profile, together with the owners of the information, they determined the boundaries: where the file should and shouldn’t be stored; who can have access, how can information be transferred. All deviations were written into the DLP security policies, alerts were considered incidents.
That’s what the algorithm is — taking a list of what constitutes a trade secret in one company, and work through each item.
4. What are the minuses of such a method — solving the task with the DLP + log analysis?
This approach is useful sometimes. But it has considerable minuses, first of all, labour costs. Because of this, at a certain stage of the company’s development, the approach becomes inapplicable. Using DLP and log analysis to control file storage, you need to constantly combine data from different sources. It is not difficult in a company with 100 workstations and one file server, but what if there are dozens and hundreds of them?
Therefore, with the appearance of a single product — FileAuditor — working with file storages has helped to reach a new level, because this solution combines and expands all of the listed SearchInform developments. Plus, in FileAuditor, everything is brought together in one place for solving specific analyst tasks. Work has become faster, as a result — more incidents are eliminated. Conveniently, the functionality of accessing files is moved to the same panel as the directory tree, all in one place.
The fact that SearchInform DLP and FileAuditor seamlessly integrate with each other provides many possibilities. For us, this became the decisive factor when choosing a solution.
Of course, control of the transfer of information assets (through the basic DLP modules) and data at rest (via FileAuditor) are separate information security processes. But together they allow you to build the most complete information model around specific data. It is obvious where they are stored, who transfers them to whom, even in what order. As a consequence, with a full understanding of the “normal” process, it is easier to detect deviations that could appear to be security incidents.
5. What are the examples of tasks which was solved by FileAuditor?
One of the important assets of a company is the files with technical data for production. All employees of the department who worked with them were sure that they kept documents in one folder and followed a regulated process. When the audit using FileAuditor was conducted, it was revealed that users have unaccounted outdated copies on their computers. It turned out that the employees kept these documents for themselves merely due to convenience.
We stopped this process as unsafe. Firstly, classified documents were transferred from valid storage locations. Secondly, employees could use outdated documents in their work, which with regard to production was simply dangerous. At the same time, business units were able to revise the process, think about how to make it more convenient for employees. This is a side effect of audit — the optimization of business processes.
Another side effect is an improved culture of data handling. For example, it was evident that in most cases, when this or that file with a trade secret appears on someone else’s PC, the reason is not a malicious intent, but the negligence or laziness of an employee. But all the same, each situation is analysed together with the owner of the asset. This ultimately increases the technical security of the company. But organisational culture is also improving. Owners and users of information are beginning to better understand what data they are working with and what security requirements are imposed on them.
6. What should be added to FileAuditor?
More BI functionality would give better visibility of data and intense interactivity at work. A wider range of search types would be a nice enhancement of the system as SearchInform DLP has sufficient search tools, but not all of them have been implemented in FileAuditor yet.
7. How FileAuditor functionality can be used more efficiently?
Putting in order file servers and user workstations is an important task. But without the control of data transfer channels (using DLP), it can be impractical. FileAuditor should be a continuation of the company’s already fully integrated, DLP-based, security infrastructure.
One shouldn’t rush to protect file resources until it is decided on what should actually be protected. The company must have an understanding of which information assets are most critical.
In case information assets (at the level of information, not hardware and software) aren’t assigned to any owners from business units, then work on putting things in order with files will also be difficult. But this way the emergence of FileAuditor can help to find potential owners. The program will quickly and clearly show which employees and departments are most intensively working with information. They are most likely either the owner of the data or they know the most about this business process.
8. FileAuditor has recently released new features — blocking based on tags assigned to files. This allows a company to limit activity with files in any application. Is this feature important?
For many companies it’s a good feature, even unavoidable. But in some organisations it’s not a crucial option. For a number of information assets, this is easy to implement because the data is in clearly defined and standardized forms — hard to go wrong, but in most cases there are more false positives than the potential benefits if one chooses to enable blocking. Also, as regards information exchange with counterparties, including trade secrets, not every data transfer outside the office is a security incident.
Therefore, detection is more democratic than prevention, it has less negative impact on business processes. Yes, one could argue that with such a democratic approach, each employee has the opportunity to send out the company’s trade secrets, but, as they say, you can only jump off the roof once.