Monday, November 23, 2009

Protecting the Audit trail

I was on a phone call with a potential client, and they were indicating that one of their concerns was how to protect an audit trail from being altered.

Many auditing products store their audit trail in a commercial or external database, like SQL Server or Oracle. While handling gobs of uniform data is exactly what a database is very good at, it isn’t good for audit trails. Audit trails need to be written ‘forward only’ and must not be alterable.

Commercial and external databases are powerful tools and provide ways for the data to be entered, sorted, displayed, deleted, altered, etc. Commercial databases also have database administrators (DBAs) and system administrators, who have complete access over all aspects of the database, including any audit log stored in it.

When we designed FileSure, we considered these issues along with the cost and maintenance requirements of using a commercial database before deciding to go with a file based engine. By using a file based engine, we were able to encrypt and compress the audit log, thereby protecting it from being altered or even viewed by any source other than FileSure itself.
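To show what ‘forward only’ and ‘not alterable’ mean in practice, here is an added example of a tamper-evident audit trail. It is not FileSure’s code and does not describe how FileSure stores its log; it is a generic construction. Each record carries an HMAC-SHA256 tag over its own content and the previous record’s tag, so editing, deleting or reordering any record breaks the chain from that point on. The key, the genesis tag and the sample events are this example’s own assumptions.

```python
# Added example (not FileSure's code): a forward-only, tamper-evident audit trail.
# Each record's tag covers its own payload AND the previous record's tag, so the
# trail can only be extended; rewriting or removing an earlier record is detectable.
import hashlib
import hmac
import json

GENESIS_TAG = "0" * 64  # the tag "before" the first record; an assumption of this example


def _tag(key: bytes, prev_tag: str, payload: str) -> str:
    """HMAC-SHA256 over (previous tag || payload): binds each record to its predecessor."""
    mac = hmac.new(key, prev_tag.encode() + b"\n" + payload.encode(), hashlib.sha256)
    return mac.hexdigest()


def append_record(trail: list, key: bytes, event: dict) -> dict:
    """Append one audit event. The trail is only ever extended, never rewritten."""
    payload = json.dumps(event, sort_keys=True)
    prev_tag = trail[-1]["tag"] if trail else GENESIS_TAG
    record = {"payload": payload, "tag": _tag(key, prev_tag, payload)}
    trail.append(record)
    return record


def verify_trail(trail: list, key: bytes):
    """Walk the chain from the start.
    Returns (True, None) if intact, else (False, index of the first bad record)."""
    prev_tag = GENESIS_TAG
    for i, record in enumerate(trail):
        expected = _tag(key, prev_tag, record["payload"])
        if not hmac.compare_digest(expected, record["tag"]):
            return False, i
        prev_tag = record["tag"]
    return True, None


def demo():
    # Constructed key; in a real deployment it lives outside the DBA's reach (HSM/KMS).
    key = b"example-key-not-for-production"
    trail = []
    for ev in [  # constructed sample events
        {"user": "alice", "op": "read", "path": r"D:\folder\q3.pdf"},
        {"user": "bob", "op": "delete", "path": r"D:\folder\old.pdf"},
        {"user": "alice", "op": "write", "path": r"D:\folder\q4.pdf"},
    ]:
        append_record(trail, key, ev)
    intact = verify_trail(trail, key)

    # Someone with write access to the store rewrites record 1 to hide the delete:
    # the chain now fails at index 1.
    edited = [dict(r) for r in trail]
    edited[1]["payload"] = edited[1]["payload"].replace("delete", "read")
    after_edit = verify_trail(edited, key)

    # Dropping record 1 entirely also fails, at the record that used to follow it.
    truncated = trail[:1] + trail[2:]
    after_delete = verify_trail(truncated, key)
    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo())
```

Without the key an attacker cannot forge a valid tag, so the only undetectable change is truncating the tail; pairing the chain with periodic off-host anchoring of the latest tag closes that gap, which is exactly the kind of control a DBA-level account in a conventional database store would not be subject to.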

Friday, November 20, 2009

Auditing Noise pt. 3

One of the reasons that auditing noise is such a problem is that you can’t easily designate exactly what you’re interested in and are instead forced to ‘watch everything’.

For example, let’s say you want to record people reading Acrobat (PDF) files in a certain folder. To make it more interesting, you also only want to record when they do it after-hours.

To do this with native tools, you could turn on file auditing on every PDF in the target folder, but that’s very cumbersome if there are a lot of files or if new files are being created. The other, less onerous, option would be to turn on auditing for the entire folder. The problem with that approach is that you will pick up not just PDF files but everything else in the folder too.
Both options have an additional problem: they also catch the unwanted accesses that occur during normal business hours.

FileSure allows you to accurately define what you’re interested in with a combination of rule filters; in the above example, you would define a file filter like ‘D:\folder\*.pdf’ and then define a time slot filter to indicate when the rule should be active. You could make it even more targeted by excluding certain users, groups, processes or even uninteresting file patterns.
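The following is an added example, not FileSure’s code or rule syntax, of how such a combined rule can be evaluated against a stream of file events: a file pattern like ‘D:\folder\*.pdf’, an operation filter, a set of time slots in which the rule is active, and user and process exclusions. The ‘after-hours’ definition (weekdays 18:00 to 08:00 plus all of Saturday and Sunday), the `Rule` shape and the sample events are assumptions made for the example.

```python
# Added example (not FileSure's code): one auditing rule combining a path filter,
# an operation filter, active time slots and user/process exclusions.
from dataclasses import dataclass, field
from datetime import datetime, time
from fnmatch import fnmatchcase

WEEKDAYS = frozenset({0, 1, 2, 3, 4})   # Monday..Friday
WEEKEND = frozenset({5, 6})


@dataclass
class Rule:
    path_pattern: str                        # e.g. r"D:\folder\*.pdf"
    operations: frozenset                    # which operations this rule records
    active_windows: list                     # [(days, start, end)], end < start wraps midnight
    excluded_users: frozenset = field(default_factory=frozenset)
    excluded_processes: frozenset = field(default_factory=frozenset)

    def path_matches(self, path: str) -> bool:
        # Windows paths are case-insensitive, so compare lower-cased. Note that '*'
        # also matches '\', so files in sub-folders match this pattern as well.
        return fnmatchcase(path.lower(), self.path_pattern.lower())

    def is_active(self, when: datetime) -> bool:
        t = when.time()
        for days, start, end in self.active_windows:
            if when.weekday() not in days:
                continue
            if start <= end:                 # same-day slot, e.g. 00:00-23:59:59
                if start <= t <= end:
                    return True
            elif t >= start or t <= end:     # slot wrapping past midnight, e.g. 18:00-08:00
                return True
        return False

    def should_record(self, ev: dict) -> bool:
        """True if this event passes every filter of the rule."""
        if ev["op"] not in self.operations:
            return False
        if ev["user"].lower() in self.excluded_users:
            return False
        if ev["process"].lower() in self.excluded_processes:
            return False
        if not self.path_matches(ev["path"]):
            return False
        return self.is_active(ev["ts"])


def apply_rule(rule: Rule, events: list) -> list:
    """Return only the events the rule says to record."""
    return [ev for ev in events if rule.should_record(ev)]


# The rule from the post: after-hours reads of PDFs in D:\folder, minus a backup
# account and an indexing service (the exclusions are constructed for the example).
AFTER_HOURS_PDF_READS = Rule(
    path_pattern=r"D:\folder\*.pdf",
    operations=frozenset({"read"}),
    active_windows=[
        (WEEKDAYS, time(18, 0), time(8, 0)),            # evenings and nights on weekdays
        (WEEKEND, time(0, 0), time(23, 59, 59)),         # all day on weekends
    ],
    excluded_users=frozenset({"backupsvc"}),
    excluded_processes=frozenset({"searchindexer.exe"}),
)

# Constructed sample events (2009-11-23 is a Monday, 2009-11-21 a Saturday).
SAMPLE_EVENTS = [
    {"ts": datetime(2009, 11, 23, 21, 15), "user": "alice", "process": "acrobat.exe",
     "path": r"D:\folder\report.pdf", "op": "read"},                      # recorded
    {"ts": datetime(2009, 11, 23, 10, 30), "user": "alice", "process": "acrobat.exe",
     "path": r"D:\folder\report.pdf", "op": "read"},                      # business hours
    {"ts": datetime(2009, 11, 23, 22, 0), "user": "bob", "process": "explorer.exe",
     "path": r"D:\folder\notes.txt", "op": "read"},                       # not a PDF
    {"ts": datetime(2009, 11, 23, 22, 5), "user": "backupsvc", "process": "backup.exe",
     "path": r"D:\folder\report.pdf", "op": "read"},                      # excluded user
    {"ts": datetime(2009, 11, 24, 1, 0), "user": "carol", "process": "AcroRd32.exe",
     "path": r"d:\FOLDER\Q3.PDF", "op": "write"},                         # write, not read
    {"ts": datetime(2009, 11, 21, 14, 0), "user": "dave", "process": "acrobat.exe",
     "path": r"D:\folder\a.pdf", "op": "read"},                           # weekend: recorded
    {"ts": datetime(2009, 11, 23, 23, 0), "user": "erin", "process": "SearchIndexer.exe",
     "path": r"D:\folder\b.pdf", "op": "read"},                           # excluded process
]

if __name__ == "__main__":
    for ev in apply_rule(AFTER_HOURS_PDF_READS, SAMPLE_EVENTS):
        print(ev["ts"], ev["user"], ev["path"])
```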

Thursday, November 19, 2009

Auditing Noise pt. 2

Some activities cause lots of auditing records to be generated and, most of the time, it's just noise. For example, a 'Find in Files' will open and read every file that is being searched, which could be thousands of files.

We define this as an Audit Storm.

An audit storm occurs when the same user generates 100 or more file operations within 30 seconds. Another example is when a user copies several folders that contain many files.

To limit this noise, FileSure can automatically avoid an audit storm by temporarily excluding that user from the auditing rule until the storm is over, and then reactivating that user account in the rule.

By filtering out audit storms, FileSure is able to reduce the amount of noise that gets recorded.
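As an added example (not FileSure’s code), here is a sliding-window storm filter using the threshold from this post: 100 or more operations by the same user within 30 seconds. The post does not say how FileSure decides a storm is over, so this example assumes it ends once the user’s trailing 30-second count falls back below the threshold; it also writes a start and end marker so the log still shows that a storm happened rather than silently losing the events. The sample event stream is constructed.

```python
# Added example (not FileSure's code): suppress "audit storms" per user.
# Threshold taken from the post: >= 100 operations from one user within 30 seconds.
# Storm end is an assumption of this example: trailing 30 s count drops below 100.
from collections import defaultdict, deque

STORM_OPS = 100
STORM_WINDOW = 30.0  # seconds


class StormFilter:
    def __init__(self, ops: int = STORM_OPS, window: float = STORM_WINDOW):
        self.ops, self.window = ops, window
        self.recent = defaultdict(deque)    # user -> timestamps of recent operations
        self.in_storm = set()               # users currently excluded from the rule
        self.suppressed = defaultdict(int)  # how many events each user lost to storms
        self.markers = []                   # ("storm_start"|"storm_end", user, ts)

    def record(self, user: str, ts: float) -> bool:
        """Return True if the event should be written to the audit log, False if swallowed."""
        q = self.recent[user]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop operations older than the window
            q.popleft()
        if len(q) >= self.ops:
            if user not in self.in_storm:
                self.in_storm.add(user)
                self.markers.append(("storm_start", user, ts))
            self.suppressed[user] += 1
            return False
        if user in self.in_storm:               # rate is back to normal: reactivate the user
            self.in_storm.discard(user)
            self.markers.append(("storm_end", user, ts))
        return True


def demo():
    """alice runs a 'Find in Files' over 150 files (one open every 0.1 s) while bob does
    5 normal operations; an hour later alice opens one more file. Returns
    (events written, events suppressed for alice, storm markers)."""
    events = [("alice", round(i * 0.1, 1)) for i in range(150)]      # constructed storm
    events += [("bob", float(t)) for t in range(5, 10)]              # constructed normal use
    events.append(("alice", 60.0))
    events.sort(key=lambda e: e[1])
    f = StormFilter()
    written = sum(1 for user, ts in events if f.record(user, ts))
    return written, f.suppressed["alice"], f.markers


if __name__ == "__main__":
    print(demo())
```

The first 99 operations of the burst are still written, because nothing distinguishes them from normal use until the threshold is crossed; what the filter buys is that the remaining 51, and any larger storm, collapse into two marker lines.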

Wednesday, November 18, 2009

Auditing Noise pt. 1

One of the major problems with any auditing system is Auditing Noise. FileSure's approach to addressing this problem is to "collapse" duplicate events within a certain time frame. By default, if the same user opens the same file, with the same program, requesting the same rights within 60 minutes of the first request, the second will be ignored.

In our conversations with Auditors, they said that if the same user accesses the same file in the same day, it only needs to be recorded once. FileSure is more granular than that by default (same file, same user, same program, same access within an hour) and can be configured to be more granular still, down to the point where duplicate events are only ignored if they occur within the same minute. The default of 60 minutes seems to be more than satisfactory for most companies.
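To make the collapsing rule concrete, here is an added example, not FileSure’s code, that keys events on the four fields named in this post (user, file, program, requested rights) and drops a repeat that falls within the window of the last event recorded for that key. The 60-minute default and the one-minute lower setting come from the post; the event layout and sample data are constructed for the example.

```python
# Added example (not FileSure's code): collapse duplicate file events.
# Key from the post: same user, same file, same program, same requested rights.
# Window from the post: 60 minutes by default, configurable down to 1 minute.
from datetime import datetime, timedelta

DEFAULT_WINDOW = timedelta(minutes=60)


def event_key(ev: dict) -> tuple:
    # Users, paths and program names are case-insensitive on Windows.
    return (ev["user"].lower(), ev["path"].lower(), ev["program"].lower(), ev["rights"])


def collapse_duplicates(events: list, window: timedelta = DEFAULT_WINDOW) -> list:
    """Return the events that would be written. The first event for a key is kept;
    later events with the same key are dropped while they fall within `window` of
    the last kept event for that key, after which the next one is kept again."""
    last_kept = {}
    kept = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = event_key(ev)
        prev = last_kept.get(key)
        if prev is not None and ev["ts"] - prev < window:
            continue                       # duplicate inside the window: ignore it
        last_kept[key] = ev["ts"]
        kept.append(ev)
    return kept


def _ev(hh, mm, user, path, program, rights):
    return {"ts": datetime(2009, 11, 18, hh, mm), "user": user, "path": path,
            "program": program, "rights": rights}


# Constructed sample events for one morning.
SAMPLE_EVENTS = [
    _ev(9, 0, "alice", r"D:\folder\report.pdf", "acrobat.exe", "read"),    # kept
    _ev(9, 30, "alice", r"D:\folder\report.pdf", "acrobat.exe", "read"),   # dup of 09:00
    _ev(9, 45, "alice", r"D:\folder\report.pdf", "acrobat.exe", "write"),  # different rights
    _ev(10, 15, "alice", r"D:\folder\report.pdf", "acrobat.exe", "read"),  # 75 min later
    _ev(10, 20, "alice", r"D:\folder\report.pdf", "notepad.exe", "read"),  # different program
    _ev(10, 25, "bob", r"D:\folder\report.pdf", "acrobat.exe", "read"),    # different user
    _ev(10, 30, "alice", r"D:\FOLDER\REPORT.PDF", "Acrobat.EXE", "read"),  # dup of 10:15
]

if __name__ == "__main__":
    for ev in collapse_duplicates(SAMPLE_EVENTS):
        print(ev["ts"].time(), ev["user"], ev["program"], ev["rights"])
```

With the 60-minute default the seven sample events collapse to five; with the window tightened to one minute all seven are written, which is the trade-off the post describes between noise and granularity.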