Monday, November 23, 2009

Protecting the Audit trail

I was on a phone call with a potential client, and they were indicating that one of their concerns was how to protect an audit trail from being altered.

Many auditing products store their audit trail in a commercial or external database, like SQL Server or Oracle. While handling gobs of uniform data is exactly what a database is very good at, it isn’t good for audit trails. Audit trails need to be written ‘forward only’ and must not be alterable.

Commercial and external databases are powerful tools and provide ways for data to be entered, sorted, displayed, deleted, altered, etc. Commercial databases also have database administrators (DBAs) and system administrators, who have complete access over all aspects of the database, including any audit log stored in it.

When we designed FileSure, we considered these issues along with the cost and maintenance requirements of using a commercial database before deciding to go with a file based engine. By using a file based engine, we were able to encrypt and compress the audit log, thereby protecting it from altering or even viewing from any source other than FileSure itself.
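As an added illustration of the ‘forward only, not alterable’ property (this is not FileSure’s format or code), the following chains each record to the one before it with a keyed hash, so that an edited, reordered or deleted record is detected on verification. The key, record layout and sample events are constructed; the caveat worth noting is that cutting records off the tail is only detected if the latest chain value is kept somewhere the log writer cannot reach.

```python
import hashlib
import hmac
import json

# Constructed demo key; held only by the auditing service, out of reach of
# anyone who merely has write access to the log file.
LOG_KEY = b"constructed-demo-key-not-for-production"
ANCHOR = b"\x00" * 32   # chain start for an empty log

def _tag(prev_tag: bytes, record: dict) -> bytes:
    """Keyed hash over the previous tag and this record's canonical JSON."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag + canon, hashlib.sha256).digest()

def append(entries: list, record: dict) -> str:
    """Forward-only write: chain the record to the last tag; return the new head."""
    prev = bytes.fromhex(entries[-1][1]) if entries else ANCHOR
    tag = _tag(prev, record).hex()
    entries.append((dict(record), tag))
    return tag   # the head: publish it out-of-band, e.g. in the alert e-mail

def verify(entries: list, head_hex=None):
    """Walk the chain; return (ok, index of first bad entry or None).
    Without a trusted head, cutting records off the tail is undetectable."""
    prev = ANCHOR
    for i, (record, tag_hex) in enumerate(entries):
        expected = _tag(prev, record)
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return False, i          # altered, reordered or missing record
        prev = expected
    if head_hex is not None and not hmac.compare_digest(prev.hex(), head_hex):
        return False, len(entries)   # tail truncated
    return True, None

def demo():
    log = []   # three constructed events
    append(log, {"ts": "2009-11-23T09:00", "user": "alice", "op": "read", "path": r"D:\folder\q3.pdf"})
    append(log, {"ts": "2009-11-23T09:05", "user": "bob", "op": "write", "path": r"D:\folder\q3.pdf"})
    head = append(log, {"ts": "2009-11-23T09:07", "user": "bob", "op": "delete", "path": r"D:\folder\q3.pdf"})
    edited = [(dict(r), t) for r, t in log]
    edited[1][0]["user"] = "alice"            # rewrite who made the change
    return {
        "intact": verify(log, head),
        "edited": verify(edited, head),
        "middle_deleted": verify([log[0], log[2]], head),
        "truncated_no_head": verify(log[:-1]),        # passes: the caveat
        "truncated_with_head": verify(log[:-1], head),
    }
```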

Friday, November 20, 2009

Auditing Noise pt. 3

One of the reasons that auditing noise is such a problem is that you can’t easily designate exactly what you’re interested in and are instead forced to ‘watch everything’.

For example, let’s say you want to record people reading Acrobat (PDF) files in a certain folder. To make it more interesting, you also only want to record when they do it after-hours.

To do this with native tools, you could turn on file auditing on every PDF in the target folder, but that’s very cumbersome if there are a lot of files or if new files are being created. The other, less onerous, option would be to turn on auditing for the entire folder. The problem with that approach is that you will pick up not just PDF files but everything else in the folder too.
Both options have an additional problem: they also catch the unwanted accesses that occur during normal business hours.

FileSure allows you to accurately define what you’re interested in with a combination of rule filters; in the above example, you would define a file filter like ‘D:\folder\*.pdf’ and then define a time slot filter to indicate when the rule should be active. You could make it even more targeted by excluding certain users, groups, processes, or even uninteresting file patterns.
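The rule described above amounts to a predicate evaluated against each file event: a path pattern, a time slot, and exclusion lists. The following is an added example of that logic in Python, not FileSure’s own rule format or code; the event fields, the 18:00 to 08:00 after-hours window and the excluded names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from pathlib import PureWindowsPath

@dataclass
class FileEvent:
    path: str
    user: str
    process: str
    when: datetime

@dataclass
class AuditRule:
    """An event is recorded only when every filter in the rule agrees."""
    file_pattern: str                 # e.g. r"D:\folder\*.pdf"
    active_from: time                 # time-slot filter; may wrap past midnight
    active_until: time
    exclude_users: set = field(default_factory=set)        # lowercase names
    exclude_processes: set = field(default_factory=set)    # lowercase image names
    exclude_file_patterns: list = field(default_factory=list)

    def in_time_slot(self, t: time) -> bool:
        if self.active_from <= self.active_until:               # e.g. 09:00 to 17:00
            return self.active_from <= t < self.active_until
        return t >= self.active_from or t < self.active_until   # e.g. 18:00 to 08:00

    def matches(self, ev: FileEvent) -> bool:
        # match() is case-insensitive and, for an absolute pattern, whole-path: '*' stays in one folder
        p = PureWindowsPath(ev.path)
        if not p.match(self.file_pattern) or any(p.match(x) for x in self.exclude_file_patterns):
            return False
        if ev.user.lower() in self.exclude_users or ev.process.lower() in self.exclude_processes:
            return False
        return self.in_time_slot(ev.when.time())

def demo():
    rule = AuditRule(r"D:\folder\*.pdf", time(18, 0), time(8, 0),   # after-hours PDF access
                     exclude_users={"backupsvc"}, exclude_processes={"indexer.exe"},
                     exclude_file_patterns=[r"~*.pdf"])              # lock/temp copies
    night, day = datetime(2009, 11, 20, 22, 15), datetime(2009, 11, 20, 10, 15)
    events = [   # constructed events; expected result in the comment
        FileEvent(r"D:\FOLDER\Q3-Report.PDF", "alice", "acrord32.exe", night),     # True (case-insensitive)
        FileEvent(r"D:\folder\Q3-report.pdf", "alice", "acrord32.exe", day),       # False: business hours
        FileEvent(r"D:\folder\notes.docx", "alice", "winword.exe", night),         # False: not a PDF
        FileEvent(r"D:\folder\sub\deep.pdf", "alice", "acrord32.exe", night),      # False: subfolder
        FileEvent(r"D:\folder\Q3-report.pdf", "BackupSvc", "ntbackup.exe", night), # False: excluded user
        FileEvent(r"D:\folder\~Q3-report.pdf", "bob", "acrord32.exe", night),      # False: excluded pattern
        FileEvent(r"D:\folder\Q3-report.pdf", "bob", "acrord32.exe", datetime(2009, 11, 21, 7, 59)),  # True
    ]
    return [rule.matches(e) for e in events]
```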

Thursday, November 19, 2009

Auditing Noise pt. 2

Some activities cause lots of auditing records to be generated and, most of the time, it's just noise. For example, a 'Find in Files' will open and read every file that is being searched, which could be thousands of files.

We define this as an Audit Storm.

An audit storm occurs when the same user generates 100 or more file operations within 30 seconds. Another example is when a user copies several folders that contain many files.

To limit this noise, FileSure can automatically avoid an audit storm by temporarily excluding that user from the auditing rule until the storm is over, and then reactivating that user account in the rule.

By filtering out audit storms, FileSure is able to reduce the amount of noise that gets recorded.
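The definition above (100 or more operations by the same user within 30 seconds) is a per-user sliding-window rate check. As an added example, not FileSure’s code, the following drops a user’s events while the storm lasts and reinstates the user once the window is quiet again; the thresholds are those stated in the post, the event stream is constructed.

```python
from collections import defaultdict, deque

class StormSuppressor:
    """Per-user sliding window. Once `threshold` operations fall within
    `window_s` seconds the user is in an audit storm and their events are
    dropped; when the window empties out the user is reactivated."""
    def __init__(self, threshold=100, window_s=30.0):
        self.threshold = threshold
        self.window_s = window_s
        self.recent = defaultdict(deque)   # user -> timestamps inside the window
        self.in_storm = set()
        self.storms_seen = []              # (user, start_ts), for the report

    def admit(self, user: str, ts: float) -> bool:
        """Return True if this operation should be written to the audit log."""
        q = self.recent[user]
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # age out operations beyond the window
            q.popleft()
        if len(q) >= self.threshold:
            if user not in self.in_storm:         # storm begins: exclude the user
                self.in_storm.add(user)
                self.storms_seen.append((user, ts))
            return False
        if user in self.in_storm:                 # rate fell back: reinstate the user
            self.in_storm.discard(user)
        return True

def demo():
    """Constructed stream: alice runs Find-in-Files (500 opens in 10 s),
    bob works normally, alice returns a minute later."""
    s = StormSuppressor(threshold=100, window_s=30.0)
    recorded = {"alice": 0, "bob": 0}
    for i in range(500):
        if s.admit("alice", i * 0.02):
            recorded["alice"] += 1
    for i in range(5):
        if s.admit("bob", i * 2.0):
            recorded["bob"] += 1
    alice_back = s.admit("alice", 60.0)     # quiet for > 30 s: storm over
    # Note: the first threshold-1 operations are already recorded by the time
    # the storm is recognised; only the remainder of the burst is suppressed.
    return recorded, alice_back, s.storms_seen
```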

Wednesday, November 18, 2009

Auditing Noise pt. 1

One of the major problems with any auditing system is Auditing Noise. FileSure's approach to addressing this problem is to "collapse" duplicate events within a certain time frame. By default, if the same user opens the same file, with the same program, requesting the same rights within 60 minutes of the first request, the second will be ignored.

In our conversations with auditors, they said that if the same user accesses the same file in the same day, it only needs to be recorded once. FileSure is more granular than that by default (same file, same user, same program, same access within an hour) and can be configured to be even more so, down to the point that duplicate events will only be ignored if they occur within the same minute. The default of 60 minutes seems to be more than satisfactory for most companies.
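The collapse rule above keys on user, file, program and requested rights, and ignores a repeat within the window measured from the first recorded request, 60 minutes by default and configurable down to one minute. An added example of that logic, not FileSure’s code; the constructed events show which variations count as a new event.

```python
from datetime import datetime, timedelta

class DuplicateCollapser:
    """Ignore an event identical in (user, path, program, rights) to one already
    recorded within `window` of that first recorded occurrence."""
    def __init__(self, window=timedelta(minutes=60)):
        self.window = window
        self.first_seen = {}   # key -> timestamp of the recorded occurrence

    def should_record(self, user, path, program, rights, when: datetime) -> bool:
        # Windows names are case-insensitive; rights compared as a set
        key = (user.lower(), path.lower(), program.lower(), frozenset(rights))
        first = self.first_seen.get(key)
        if first is not None and when - first < self.window:
            return False                 # duplicate inside the window: ignore
        self.first_seen[key] = when      # record it; a new window starts here
        return True

def demo():
    pdf, rd = r"D:\folder\report.pdf", "acrord32.exe"
    t0 = datetime(2009, 11, 18, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    c = DuplicateCollapser(timedelta(minutes=60))   # the default window
    checks = [   # constructed events; expected result in the comment
        c.should_record("alice", pdf, rd, {"read"}, m(0)),                    # True: first occurrence
        c.should_record("alice", pdf, rd, {"read"}, m(30)),                   # False: repeat in window
        c.should_record("ALICE", pdf.upper(), "AcroRd32.EXE", {"read"}, m(59)), # False: same, other case
        c.should_record("alice", pdf, rd, {"read", "write"}, m(10)),          # True: different rights
        c.should_record("bob", pdf, rd, {"read"}, m(5)),                      # True: different user
        c.should_record("alice", pdf, "winword.exe", {"read"}, m(20)),        # True: different program
        c.should_record("alice", pdf, rd, {"read"}, m(60)),                   # True: window elapsed
    ]
    tight = DuplicateCollapser(timedelta(minutes=1))   # most granular setting
    tight_checks = [
        tight.should_record("alice", pdf, rd, {"read"}, t0),                          # True
        tight.should_record("alice", pdf, rd, {"read"}, t0 + timedelta(seconds=30)),  # False
        tight.should_record("alice", pdf, rd, {"read"}, t0 + timedelta(seconds=61)),  # True
    ]
    return checks, tight_checks
```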

Thursday, October 1, 2009

Remote control and file theft.

We got a call today from an architect who needed to find a solution that would not only record what files are being accessed over Remote Desktop but also protect them from theft. He wanted people to be able to use the files but not be able to copy them to a pen drive or otherwise steal them.

After I got more details about what he was trying to accomplish, I told him that FileSure could handle all his requirements. His excitement bordered on disbelief, but the more he learned about FileSure and watched a couple of ‘How to’ videos, the more convinced he became.

I just love calls like that.

Wednesday, March 11, 2009

Detecting Remote Accesses

"Can you send me an email when someone accesses a file from a remote computer?"
This request is happening more and more often, so I thought we would write about it.

The problem revolves around the fact that IT staff need to be Administrators to do their jobs, and Windows administrative shares allow access to Administrators. This means that a 'less than honest' IT staffer has the power to snoop around on the hard drive of an executive's desktop (or anywhere else) via the administrative shares... undetected.

Using FileSure for Workstations and creating a single rule, remote accesses to important files can be detected, recorded and alerted on. With FileSure Defend for Workstations, the remote access could also have been blocked.

The ability to determine remote accesses is just one unique ability of the FileSure line.

Tuesday, January 6, 2009

Stopping Zero Day Malware

This month the security news was all about a new vulnerability in Microsoft Internet Explorer. Here at ByStorm headquarters we were safe: we're using FileSure to identify and block malware. Of course it's easy; we added one rule to stop executable files from being written to the disk. Woohoo, no more malware! We're using a separate, permitted user ID for downloading program files and adding browser extensions, a bit of extra work but well worth it.

What's really cool is that we're protected against both known and unknown attacks. Antivirus programs are only good against known vulnerabilities; with our "no new executables" rule we're protected against malware that hasn't even been written yet!

I'll post the rule in the forum - try it out!