SlideShare a Scribd company logo

File Auditing in the Enterprise

Netwrix Corporation
Netwrix Corporation

Data housed in an organization's servers and storage devices contain massive amounts of information. Much of this information is sensitive and is not intended for all eyes. It is absolutely critical that at any point in time, the organization can provide an audit trail of who accessed what, when, and where this activity took place. This white paper explains why file auditing is important and describes required file auditing features.

Technology
1 of 10
Download to read offline
File Auditing in the Enterprise White Paper Written by Chris Rich, Product Manager, NetWrix Corporation
File Auditing in the Enterprise - White Paper Table of Contents 1. Why is File Auditing Important? ..................................................................................................................................... 3 1.1 A Real-World Example ............................................................................................................................................ 3 1.2 File Auditing to Reduce Risk .................................................................................................................................... 3 1.3 Change Auditing to Improve Security ..................................................................................................................... 4 1.4 File Auditing to Sustain Compliance ....................................................................................................................... 4 2. Required File Auditing Features ...................................................................................................................................... 6 2.1 Automatic Data Collection ...................................................................................................................................... 6 2.2 Efficient and Centralized Data Storage ................................................................................................................... 6 2.3 Scalability ................................................................................................................................................................ 7 2.4 Advanced Reporting Capabilities ............................................................................................................................ 7 2.5 File Auditing for Storage Appliances ....................................................................................................................... 8 2.6 File Integrity Monitoring ......................................................................................................................................... 8 2.7 Additional Considerations ....................................................................................................................................... 8 3. NetWrix Approach to File Auditing ................................................................................................................................. 9 About NetWrix Corporation .................................................................................................................................................... 9 About Chris Rich .................................................................................................................................................................... 10 Additional Resources ............................................................................................................................................................ 10 2
File Auditing in the Enterprise - White Paper 1. Why is File Auditing Important? 1.1 A Real-World Example The importance of comprehensive file auditing is best illustrated by a real-world example. Data housed in an organization’s servers and storage devices contain massive amounts of information. Much of this information is sensitive and is not intended for all eyes. It is absolutely critical that at any point in time, records can show an audit trail of who has accessed or attempted access to files and folders or have attempted to modify permissions of files and folders including the date and time when the attempt or change was made and on what server the change occurred. For organizations bound by regulations such as SOX, HIPAA, PCI, and FISMA, detailed file auditing showing who changed what, when, and where is a necessity. Without it, the organization risks non-compliance which may result in fines and sanctions. Consider all the information in any organization stored in various files: employee data, financial information, proprietary and trade information not meant for public or even selective internal access. One bad change can put that information and compliance at serious risk. Imagine a user browsing the network who finds various shares visible to them. Upon further examination, they stumble upon a file created by a senior executive outlining an upcoming merger including monetary transactions, leadership changes, and employee consolidations. Once opened by the casual user, the confidentiality of this information is lost. If this information were distributed, it may have serious negative consequences for the organization such as legal action or non-compliance. File access violations such as this have great potential of becoming much worse if information in sensitive files has been modified or removed or if the file were deleted altogether. Without an effective file auditing procedure in place, this organization has no way of providing an audit trail of who accessed what, when, and where this activity took place. With file access auditing, this information could have been quickly and easily discovered. The organization would then have been provided an opportunity to reduce the risks associated with this breach and improve their security. 1.2 File Auditing to Reduce Risk Detailed file access auditing delivers accountability and proof of regulatory compliance. Automatic collection and reporting of file change and file access information provides organizations with a steady stream of feedback regarding file activity in the enterprise. Using this information can greatly reduce risks. A file permission change may allow a user or group to see or modify sensitive information. A user repeatedly reviewing information they would not normally read may reveal an employee who is providing a competitor 3
File Auditing in the Enterprise - White Paper with upcoming product details. Important files deleted from a network share may explain why important reports were not submitted on time. File auditing is the vehicle by which access attempts and changes made to files, folders and permissions can be monitored to uncover security risks so they can be addressed. For file servers and storage appliances, auditing permissions helps to ensure rights to sensitive data are maintained properly. Effectively managing every aspect of user and administrator interaction with the multitude of files within the environment reduces risk while granting the appropriate access users need to perform their duties. Change may sometimes bring unpredictable results, one of which is unintentionally creating conditions that disrupt or put the organization at risk. File auditing provides actionable and historical forensic information to ensure risk factors are managed appropriately while delivering consistent service to the end-users. 1.3 Change Auditing to Improve Security Internal threats pose a greater immediate danger to the organization than ever before. News headlines, such as the July 2011 breach of Shionogi, Inc. by a former employee frequently depict the disgruntled employee who has exploited their knowledge of internal systems for their own purposes. The primary reason these events are so prevalent is because of trust. Employees are given a level of trust and when that trust is abused, organizations quickly become victims. File auditing provides organizations with the ability to establish a robust check-and-balance record for all file system activity thus greatly improving security. Security improvements through the use of traditional file auditing are most often reactionary. Security flaws and holes are often discovered after the fact and the reason for this is automatic file auditing and file audit reporting is not present. Monitor file activity frequently to improve security in the enterprise. File auditing using only native tools can be cumbersome because of the volume of information recorded and while the majority of events are legitimate. One of the easiest ways to improve file security is to extract and review change information automatically on a regular basis.Why is Group Policy Auditing Important? 1.4 File Auditing to Sustain Compliance Regulations such as SOX, PCI, FISMA, and HIPAA each have their own detailed explanations of security standard practices including what exactly needs to be tracked and recorded in files and file systems. These regulations exist to establish (IT) change auditing standards to protect both businesses and consumers. At the end of the day, these regulations and their enforcement strive to confirm the organization is securing, recording and monitoring change events that permit access to sensitive information such as banking information, social security numbers, and health records. Additionally, regulations exist to establish a minimum set of security standards as they apply to user access within the environment in which they operate. File and folder permissions are essential to segregating information so that only select groups and individuals can access it without having to locate the information on separate physical or virtual systems. Demonstrating compliance is an exercise in presenting this information to auditors upon request and to the level of detail as is interpreted by the law or standard and subject to the individual auditor’s discretion. Auditing files, folders 4
File Auditing in the Enterprise - White Paper and permission access attempts and changes provides the Who, What, When, and Where information most frequently requested by auditors and almost equally important is the need to store this information for sometimes up to 7 years or more to be considered compliant. For Windows file servers and storage appliances (such as NetApp Filer), this is extremely difficult and an entirely manual process with native functionality and thus gives rise to the demand for additional tools, especially in large environments with multiple levels of IT administration. 5
File Auditing in the Enterprise - White Paper 2. Required File Auditing Features File auditing is the process of gathering file, folder and permission change and access attempt information, storing such information, and reporting on that information on a regular basis. It also includes analyzing the information, taking action and evaluating the results of those actions, to sustain compliance, secure information, and ensure consistent delivery of services to end-users. Windows file servers and storage appliances natively possess the ability to record audit information, however this information is dispersed throughout the various file servers and storage appliances in the environment and is not centrally aggregated. File reporting tools are also unavailable for audit data making the collection and reporting steps of change auditing for file, folder and permission access attempts and changes difficult and time consuming. There is also a risk of losing audit data if event log settings are not set properly to handle the volume of information logged and running out of disk space on servers if too much information is being captured or overwritten. Once native information is analyzed by an administrator experienced with the various system events and messages, the interpretation then would need to result in a decision to act. Combine these factors and the result is native file auditing is not feasible except for small to mid-sized environments that are adequately staffed to handle the workloads. The following information is a collection of must-have file auditing features. Additional deployment considerations are provided as well. 2.1 Automatic Data Collection In order to efficiently audit file servers, the process must be automated through scripting or 3rd-party tools. Without it, collecting the information in a timely manner is not feasible. This is especially true as the size of the organization will have a great impact on the raw volume of information collected making it even more challenging to track and report file changes. Special steps must also be taken on servers and domain controllers throughout the environment to facilitate auditing of the information which is by default not enabled. Additional scripting and/or a 3rd-party file server monitoring tool may also be employed to pre- configure systems in preparation of collecting event data. Furthermore, if audit data is not collected regularly, there is a risk of losing this information due to event log automatic overwrites or disk space issues. This is an important required feature to change auditing because without it, timely auditing is nearly impossible. 2.2 Efficient and Centralized Data Storage Automation of any kind typically requires additional resources and may negatively impact system performance which can lead to bigger problems. For this reason, it’s important that the impact of the method employed to automatically collect data is minimal. Furthermore, storage of data must also be a consideration during implementation. While it is possible to store event and audit data exclusively on the local system where the events are taking place, the preferred method will be to centralize this information in a data store that is both secure and readily available. This leads to numerous additional benefits over time as the need to analyze 6
File Auditing in the Enterprise - White Paper and report on this information becomes part of daily routine for the IT administrator or group responsible for the overall health of the various file services. Collection of information must also be reliable. Occasionally, each piece of the file auditing system should have a periodic check to ensure information is consistent when collected. The most advanced methods of reliably collecting this information will also have the ability to pre-screen data and filter for only essential information. During collection, preference should be given to methods that leverage the existing Windows Event Log and other native audit information as opposed to injected agents or modified core system code for event extraction. Doing so will eliminate any potential system stability issues or future incompatibility problems. For Windows systems especially, relying solely on event log data may introduce problems because this information is frequently incomplete. To completely understand an event, information from all sources involved must be aggregated and analyzed as a whole. Securing this information for short and long-term storage is also an important consideration and thus best-practices for securing audit data should be included pre-deployment such that no single power-user has access to or the ability to delete or tamper with information. Access to this information should be heavily restricted and monitored. 2.3 Scalability To audit file changes, access attempts and permission adjustments in the enterprise, the solution must be readily scalable to adjust to a constantly changing environment without the need for dramatic steps. Implementation and ongoing use of file auditing will be simplified when no additional software or extensive reconfigurations are required when adjusting to changes within the organization. File auditing should keep pace with all granular changes as the overall topology of the network, domain controllers and Active Directory changes to ensure consistent control to best serve end-users and provide an invaluable audit trail for the IT staff. 2.4 Advanced Reporting Capabilities Once data collection from various sources has been automated and stored securely, file auditing can assume a proactive role in sustaining compliance, securing information and improving overall stability. Advanced reporting is necessary to provide IT administrators, management and auditors with customizable summarized report output on every change and access attempt for any time period. Without the ability to produce clear information on change history for day-to-day modifications to files and folders, such as, who changed shared folder permissions or who deleted an important accounting spreadsheet, sustaining compliance, stability and security will be impossible and many opportunities to improve these functions will be surrendered. Using SQL to store data and leverage SQL Reporting Services prove obvious choices for storing and reporting on data in primarily Windows-based environments. SQL Server Express Edition with SQL Reporting 7
File Auditing in the Enterprise - White Paper Services can be downloaded for free from Microsoft and expertise with SQL is common and frequently available. Having the ability to customize ad-hoc and predefined 3rd-party reports will accelerate file auditing efforts by saving time and providing configuration options to suit the majority of needs. Using reports on a daily basis ensures complete visibility over the entire file infrastructure providing opportunities to improve security and sustain compliance. Additional reporting services such as e-mail alerts and subscription capabilities and will also add to the impact advanced reporting will have on overall file systems management effectiveness. Once established, advanced reporting will be the main driver behind a successful sustained file auditing and will become an important part of day-to-day management of the environment. 2.5 File Auditing for Storage Appliances Windows systems are predominant in most environments, however popular appliances such as EMC Celerra and NetApp Filer are also used extensively and require consideration in a comprehensive file reporting tool. These and other similar systems behave in their own unique ways and must be accounted for. Any chosen solution must also place appropriate emphasis on providing automatic, detailed file, folder and permission auditing as well as file access attempt auditing. Ignoring auditing of these popular storage appliances threatens security and compliance. For these reasons, any file auditing tool will need to include support for these and other platforms and must homogenize report output for administrators. This will save time, resources as well as the needs for additional software and/or vendors and having to learn additional software tools to facilitate file auditing across the enterprise. 2.6 File Integrity Monitoring File Integrity Monitoring, or FIM, ensures the integrity of files by monitoring a hash representation of a file instead of the entire file itself. This approach allows for fast detection of file changes facilitating timely alerting when a change occurs on a file. FIM is also required for PCI compliance. Using file integrity monitoring in a file auditing tool is necessary to provide the highest level of security and change control over data. 2.7 Additional Considerations Preferred solutions (and providers) should offer plug-in or add-on modules and software to help form a cohesive and comprehensive management suite to maximize the potential benefits of change auditing. Some additional types of systems may include firewalls, switches, database servers, SANs, storage appliances and other Microsoft technologies such as SQL and SharePoint and especially Active Directory and Group Policies. Real-time alerting and object restore features will also add great value to any selected file auditing solution. 8
File Auditing in the Enterprise - White Paper 3. NetWrix Approach to File Auditing The NetWrix approach incorporates all the necessary features for achieving effective file auditing in a software solution. The NetWrix File Change Reporter is a file auditing solution that tracks changes made to files, folders, permissions and access attempts across the entire enterprise including many popular filer appliances. It generates audit reports that include the four W’s: Who, What, When, and Where for every audited file change, permission change, or access attempt. It also automatically provides before and new setting values for each file, folder or permission to improve security and change control efforts. The automatic collection and reporting on file changes not only surpasses native capabilities in Windows and storage appliances but expands upon them eliminating the time and effort spent collecting change audit information manually or through complex scripting thereby making this information both reliable and actionable. It has the ability to sustain compliance through historical reporting for up to 7 years and more. File integrity monitoring further extends the oversight on files through advanced change detection methods. In addition to file auditing, NetWrix offers additional integrated modules for Active Directory, Group Policy and more helping protect existing investments in current NetWrix product installations. See how NetWrix File Server Change Reporter can help with your auditing and compliance needs. Download link: netwrix.com/fscr_download About NetWrix Corporation NetWrix Corporation is a highly specialized provider of solutions for IT infrastructure change auditing. Change auditing is the core competency of NetWrix and no other vendor focuses on this more extensively. With the broadest platform coverage available in the industry, innovative technology and strategic roadmap aiming to support different types of IT systems, devices and applications, NetWrix offers award-winning change auditing solutions at very competitive prices, matched with great customer service. Founded in 2006, NetWrix has evolved as #1 for Change Auditing and Compliance as evidenced by thousands of satisfied customers worldwide. The company is headquartered in Paramus, NJ, and has regional offices in Los Angeles, Boston and Tampa, FL. 9
File Auditing in the Enterprise - White Paper About Chris Rich As Senior Director of Product Management for NetWrix, located in the Boston office, I oversee all aspects of product management for the NetWrix family of products. I have been involved in numerous aspects of IT for over 16 years including help desk, systems administration, network management, network architecture, telecom and software sales and sales engineering, and product management. I am also a certified technical trainer, MCSA, Certified IBM Domino Administrator, avid runner, musician and happily married father of two. Additional Resources Information security professionals and trends - www.infosecisland.com Articles and commentary on a wide array of IT related topics - www.techrepublic.com Innovative tool and active community of IT practitioners - www.spiceworks.com Focused community on Windows security needs, trends, and information -www.windowssecurity.com 10 Immutable Laws of Security - http://technet.microsoft.com/en-us/library/cc722487.aspx NetWrix Corporate Blog - http://blog.netwrix.com ©2011 All rights reserved. NetWrix is trademark of NetWrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners. 10

Recommended

File auditing on NetApp Filer
File auditing on NetApp Filer File auditing on NetApp Filer
File auditing on NetApp Filer
Netwrix Corporation
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
LindaWatson19
 
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Anton Chuvakin
 
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Anton Chuvakin
 
A1802030104
A1802030104A1802030104
A1802030104
IOSR Journals
 
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
csandit
 
Log Management in the Age of Compliance
Log Management in the Age of ComplianceLog Management in the Age of Compliance
Log Management in the Age of Compliance
Anton Chuvakin
 
Thinking Ahead to Litigation While Developing Cybersecurity Plans
Thinking Ahead to Litigation While Developing Cybersecurity PlansThinking Ahead to Litigation While Developing Cybersecurity Plans
Thinking Ahead to Litigation While Developing Cybersecurity Plans
Jason Glass, CFA, CISSP
 

Recommended

File auditing on NetApp Filer
File auditing on NetApp Filer File auditing on NetApp Filer
File auditing on NetApp Filer
Netwrix Corporation
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
LindaWatson19
 
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Anton Chuvakin
 
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and OperationsLog Analysis Across System Boundaries for Security, Compliance, and Operations
Log Analysis Across System Boundaries for Security, Compliance, and Operations
Anton Chuvakin
 
A1802030104
A1802030104A1802030104
A1802030104
IOSR Journals
 
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
csandit
 
Log Management in the Age of Compliance
Log Management in the Age of ComplianceLog Management in the Age of Compliance
Log Management in the Age of Compliance
Anton Chuvakin
 
Thinking Ahead to Litigation While Developing Cybersecurity Plans
Thinking Ahead to Litigation While Developing Cybersecurity PlansThinking Ahead to Litigation While Developing Cybersecurity Plans
Thinking Ahead to Litigation While Developing Cybersecurity Plans
Jason Glass, CFA, CISSP
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
Actian Corporation
 
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Aggregage
 
What To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations ProceduresWhat To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations Procedures
- Mark - Fullbright
 
Document Management System SharePoint
Document Management System SharePoint Document Management System SharePoint
Document Management System SharePoint
i2econsulting
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical Brief
Attivio
 
Data-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended EnterpriseData-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended Enterprise
NextLabs, Inc.
 
Index data protection
Index data protectionIndex data protection
Index data protection
yourlegalconsultants
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_Policy
Mrinal Dutta
 
Database Security - IK
Database Security - IKDatabase Security - IK
Database Security - IK
Ilgın Kavaklıoğulları
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ defined
Enterprise Technology Management (ETM)
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Jerimi Soma
 
Sudo is no longer enough
Sudo is no longer enoughSudo is no longer enough
Sudo is no longer enough
Ryan Gallavin
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity Management
Don Lovett
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software EncryptionSans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
harshadthakar
 
Ass3201 cyber securityassignment
Ass3201 cyber securityassignmentAss3201 cyber securityassignment
Ass3201 cyber securityassignment
harinathinfotech
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controls
jayussuryawan
 
Mapping palestine
Mapping palestineMapping palestine
Mapping palestine
Friends of Sabeel – North America
 
Short stories
Short storiesShort stories
Short stories
Hend Youssef
 
Bidthreads
BidthreadsBidthreads
Bidthreads
CollegeStartup
 
Spirituality
SpiritualitySpirituality
Spirituality
Valeriu Cismas
 
Market Update4 2012
Market Update4 2012Market Update4 2012
Market Update4 2012
Summitfunding
 
Content Marketing, Content Creation and Content Curation presentation
Content Marketing, Content Creation and Content Curation presentationContent Marketing, Content Creation and Content Curation presentation
Content Marketing, Content Creation and Content Curation presentation
Sue Duris, MBA
 

More Related Content

What's hot

Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Aggregage
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_Policy
Mrinal Dutta
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software EncryptionSans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
harshadthakar
 

What's hot (16)

Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
Back to the Office: Privacy and Security Solutions to Compliance Issues for 2...
 
What To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations ProceduresWhat To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations Procedures
 
Document Management System SharePoint
Document Management System SharePoint Document Management System SharePoint
Document Management System SharePoint
 
Attivio Active Security Technical Brief
Attivio Active Security Technical BriefAttivio Active Security Technical Brief
Attivio Active Security Technical Brief
 
Data-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended EnterpriseData-Centric Security for the Extended Enterprise
Data-Centric Security for the Extended Enterprise
 
Index data protection
Index data protectionIndex data protection
Index data protection
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_Policy
 
Database Security - IK
Database Security - IKDatabase Security - IK
Database Security - IK
 
Content Aware SIEM™ defined
Content Aware SIEM™ definedContent Aware SIEM™ defined
Content Aware SIEM™ defined
 
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
Personally Identifiable Information (ISO27701) on cloud and PCI DSS Conformit...
 
Sudo is no longer enough
Sudo is no longer enoughSudo is no longer enough
Sudo is no longer enough
 
The Role of Government in Identity Management
The Role of Government in Identity ManagementThe Role of Government in Identity Management
The Role of Government in Identity Management
 
Sans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software EncryptionSans Tech Paper Hardware Vs Software Encryption
Sans Tech Paper Hardware Vs Software Encryption
 
Ass3201 cyber securityassignment
Ass3201 cyber securityassignmentAss3201 cyber securityassignment
Ass3201 cyber securityassignment
 
Chapter 2 auditing it governance controls
Chapter 2 auditing it governance controlsChapter 2 auditing it governance controls
Chapter 2 auditing it governance controls
 

Viewers also liked

Content Marketing, Content Creation and Content Curation presentation
Content Marketing, Content Creation and Content Curation presentationContent Marketing, Content Creation and Content Curation presentation
Content Marketing, Content Creation and Content Curation presentation
Sue Duris, MBA
 
Excel charts
Excel chartsExcel charts
Excel charts
Jesse911_
 
Practica de photoshop 4
Practica de photoshop 4Practica de photoshop 4
Practica de photoshop 4
JF-Navii-Alex
 
Vos Olie en Gas BV
Vos Olie en Gas BVVos Olie en Gas BV
Vos Olie en Gas BV
Rickhoekstra
 
Presentacion jamaica
Presentacion jamaicaPresentacion jamaica
Presentacion jamaica
Vivis Espitia
 
Html shows 1213
Html shows 1213Html shows 1213
Html shows 1213
crazymen
 
Eskolako lh koak santa ageda kantatzera etorri ziren
Eskolako lh koak santa ageda kantatzera etorri zirenEskolako lh koak santa ageda kantatzera etorri ziren
Eskolako lh koak santa ageda kantatzera etorri ziren
ELIZALDE
 

Viewers also liked (20)

Mapping palestine
Mapping palestineMapping palestine
Mapping palestine
 
Short stories
Short storiesShort stories
Short stories
 
Bidthreads
BidthreadsBidthreads
Bidthreads
 
Spirituality
SpiritualitySpirituality
Spirituality
 
Market Update4 2012
Market Update4 2012Market Update4 2012
Market Update4 2012
 
Content Marketing, Content Creation and Content Curation presentation
Content Marketing, Content Creation and Content Curation presentationContent Marketing, Content Creation and Content Curation presentation
Content Marketing, Content Creation and Content Curation presentation
 
Excel charts
Excel chartsExcel charts
Excel charts
 
Practica de photoshop 4
Practica de photoshop 4Practica de photoshop 4
Practica de photoshop 4
 
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark JamesAppalachian Power WV ED Forum - AEP ED Program of Work - Mark James
Appalachian Power WV ED Forum - AEP ED Program of Work - Mark James
 
Howtousediscover
HowtousediscoverHowtousediscover
Howtousediscover
 
Product lifecycle
Product lifecycleProduct lifecycle
Product lifecycle
 
Vos Olie en Gas BV
Vos Olie en Gas BVVos Olie en Gas BV
Vos Olie en Gas BV
 
Christmas in the uk
Christmas in the ukChristmas in the uk
Christmas in the uk
 
INWESTPROJEKT Grudziądz
INWESTPROJEKT GrudziądzINWESTPROJEKT Grudziądz
INWESTPROJEKT Grudziądz
 
How to Use UBUNTU 1304 Ver Khmer Canbodia
How to Use UBUNTU 1304 Ver Khmer CanbodiaHow to Use UBUNTU 1304 Ver Khmer Canbodia
How to Use UBUNTU 1304 Ver Khmer Canbodia
 
SF SANIT Oława
SF SANIT OławaSF SANIT Oława
SF SANIT Oława
 
Presentacion jamaica
Presentacion jamaicaPresentacion jamaica
Presentacion jamaica
 
Html shows 1213
Html shows 1213Html shows 1213
Html shows 1213
 
Eskolako lh koak santa ageda kantatzera etorri ziren
Eskolako lh koak santa ageda kantatzera etorri zirenEskolako lh koak santa ageda kantatzera etorri ziren
Eskolako lh koak santa ageda kantatzera etorri ziren
 
2012-03-06 Cyflwyniad TermCymru Presentation
2012-03-06 Cyflwyniad TermCymru Presentation2012-03-06 Cyflwyniad TermCymru Presentation
2012-03-06 Cyflwyniad TermCymru Presentation
 

Similar to File Auditing in the Enterprise

Question 1Discuss why those in the human resource development po.docx
Question 1Discuss why those in the human resource development po.docxQuestion 1Discuss why those in the human resource development po.docx
Question 1Discuss why those in the human resource development po.docx
makdul
 
File Integrity Monitoring Data Sheet
File Integrity Monitoring Data SheetFile Integrity Monitoring Data Sheet
File Integrity Monitoring Data Sheet
jordagro
 
Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysis
CARMEN ALCIVAR
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
Michelle Singh
 

Similar to File Auditing in the Enterprise (20)

Optimizing Your Physical Files Part 1
Optimizing Your Physical Files Part 1Optimizing Your Physical Files Part 1
Optimizing Your Physical Files Part 1
 
Active Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the EnterpriseActive Directory Change Auditing in the Enterprise
Active Directory Change Auditing in the Enterprise
 
Records Governance, Part 1: Preserve the Value of Your Information
Records Governance, Part 1: Preserve the Value of Your InformationRecords Governance, Part 1: Preserve the Value of Your Information
Records Governance, Part 1: Preserve the Value of Your Information
 
I Series User Management
I Series User ManagementI Series User Management
I Series User Management
 
Question 1Discuss why those in the human resource development po.docx
Question 1Discuss why those in the human resource development po.docxQuestion 1Discuss why those in the human resource development po.docx
Question 1Discuss why those in the human resource development po.docx
 
Why Regular Audits are Necessary in IT Asset Management.pdf
Why Regular Audits are Necessary in IT Asset Management.pdfWhy Regular Audits are Necessary in IT Asset Management.pdf
Why Regular Audits are Necessary in IT Asset Management.pdf
 
Wp security-data-safe
Wp security-data-safeWp security-data-safe
Wp security-data-safe
 
Computer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceComputer Forensics in the Age of Compliance
Computer Forensics in the Age of Compliance
 
Exchange Auditing in the Enterprise
Exchange Auditing in the EnterpriseExchange Auditing in the Enterprise
Exchange Auditing in the Enterprise
 
EFFICIENCY MEETS ACCURACY IN M&A DUE DILIGENCE WITH VIRTUAL DATA ROOMS.pdf
EFFICIENCY MEETS ACCURACY IN M&A DUE DILIGENCE WITH VIRTUAL DATA ROOMS.pdfEFFICIENCY MEETS ACCURACY IN M&A DUE DILIGENCE WITH VIRTUAL DATA ROOMS.pdf
EFFICIENCY MEETS ACCURACY IN M&A DUE DILIGENCE WITH VIRTUAL DATA ROOMS.pdf
 
eDiscovery and Records Oh...My!
eDiscovery and Records Oh...My!eDiscovery and Records Oh...My!
eDiscovery and Records Oh...My!
 
Logs & The Law: What is Admissible in Court?
Logs & The Law: What is Admissible in Court?Logs & The Law: What is Admissible in Court?
Logs & The Law: What is Admissible in Court?
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Brian Dirking Software Selection For Records Management
Brian Dirking Software Selection For Records ManagementBrian Dirking Software Selection For Records Management
Brian Dirking Software Selection For Records Management
 
Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business value
 
Brian Dirking Knowing Your Organizations Goals Before Choosing A Product
Brian Dirking Knowing Your Organizations Goals Before Choosing A ProductBrian Dirking Knowing Your Organizations Goals Before Choosing A Product
Brian Dirking Knowing Your Organizations Goals Before Choosing A Product
 
File Integrity Monitoring Data Sheet
File Integrity Monitoring Data SheetFile Integrity Monitoring Data Sheet
File Integrity Monitoring Data Sheet
 
Packet capture and network traffic analysis
Packet capture and network traffic analysisPacket capture and network traffic analysis
Packet capture and network traffic analysis
 
The Federal Information Security Management Act
The Federal Information Security Management ActThe Federal Information Security Management Act
The Federal Information Security Management Act
 

More from Netwrix Corporation

File system auditing who accessed what files and where
File system auditing who accessed what files and whereFile system auditing who accessed what files and where
File system auditing who accessed what files and where
Netwrix Corporation
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
Netwrix Corporation
 
Auditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal RegulationsAuditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal Regulations
Netwrix Corporation
 
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines ComplianceUSB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
Netwrix Corporation
 
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server AuditingHow the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
Netwrix Corporation
 
Ensuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable MediaEnsuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable Media
Netwrix Corporation
 
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Netwrix Corporation
 

More from Netwrix Corporation (16)

File system auditing who accessed what files and where
File system auditing who accessed what files and whereFile system auditing who accessed what files and where
File system auditing who accessed what files and where
 
Top 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructureTop 10 critical changes to audit in your it infrastructure
Top 10 critical changes to audit in your it infrastructure
 
Top 5 identity management challenges and solutions
Top 5 identity management challenges and solutionsTop 5 identity management challenges and solutions
Top 5 identity management challenges and solutions
 
Top 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directoryTop 5 critical changes to audit for active directory
Top 5 critical changes to audit for active directory
 
How to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT InfrastructureHow to Effectively Audit your IT Infrastructure
How to Effectively Audit your IT Infrastructure
 
NetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don JonesNetWrix Change Reporter Suite - Product Review by Don Jones
NetWrix Change Reporter Suite - Product Review by Don Jones
 
Auditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal RegulationsAuditing Active Directory to Comply with State and Federal Regulations
Auditing Active Directory to Comply with State and Federal Regulations
 
Auditing Solution Enables Coaching of Staff and Pleases Auditors
Auditing Solution Enables Coaching of Staff and Pleases AuditorsAuditing Solution Enables Coaching of Staff and Pleases Auditors
Auditing Solution Enables Coaching of Staff and Pleases Auditors
 
Automated De-provisioning of Inactive Users Accounts
Automated De-provisioning of Inactive Users AccountsAutomated De-provisioning of Inactive Users Accounts
Automated De-provisioning of Inactive Users Accounts
 
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines ComplianceUSB Port Protection that Hardens Endpoint Security and Streamlines Compliance
USB Port Protection that Hardens Endpoint Security and Streamlines Compliance
 
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server AuditingHow the World's Largest Date Agriculture Company "Planted" File Server Auditing
How the World's Largest Date Agriculture Company "Planted" File Server Auditing
 
Ensuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable MediaEnsuring Data Protection by controlling the Use of Removable Media
Ensuring Data Protection by controlling the Use of Removable Media
 
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
Leading Emergency Software Solution Provider Automates HIPAA and SOX Complian...
 
Extending Change Auditing to Exchange Server
Extending Change Auditing to Exchange ServerExtending Change Auditing to Exchange Server
Extending Change Auditing to Exchange Server
 
Staying Abreast of Group Policy Changes
Staying Abreast of Group Policy ChangesStaying Abreast of Group Policy Changes
Staying Abreast of Group Policy Changes
 
The Business Case for Account Lockout Management
The Business Case for Account Lockout ManagementThe Business Case for Account Lockout Management
The Business Case for Account Lockout Management
 

Recently uploaded

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

File Auditing in the Enterprise

  • 1. File Auditing in the Enterprise White Paper Written by Chris Rich, Product Manager, NetWrix Corporation
  • 2. File Auditing in the Enterprise - White Paper Table of Contents 1. Why is File Auditing Important? ..................................................................................................................................... 3 1.1 A Real-World Example ............................................................................................................................................ 3 1.2 File Auditing to Reduce Risk .................................................................................................................................... 3 1.3 Change Auditing to Improve Security ..................................................................................................................... 4 1.4 File Auditing to Sustain Compliance ....................................................................................................................... 4 2. Required File Auditing Features ...................................................................................................................................... 6 2.1 Automatic Data Collection ...................................................................................................................................... 6 2.2 Efficient and Centralized Data Storage ................................................................................................................... 6 2.3 Scalability ................................................................................................................................................................ 7 2.4 Advanced Reporting Capabilities ............................................................................................................................ 7 2.5 File Auditing for Storage Appliances ....................................................................................................................... 8 2.6 File Integrity Monitoring ......................................................................................................................................... 8 2.7 Additional Considerations ....................................................................................................................................... 8 3. NetWrix Approach to File Auditing ................................................................................................................................. 9 About NetWrix Corporation .................................................................................................................................................... 9 About Chris Rich .................................................................................................................................................................... 10 Additional Resources ............................................................................................................................................................ 10 2
  • 3. File Auditing in the Enterprise - White Paper 1. Why is File Auditing Important? 1.1 A Real-World Example The importance of comprehensive file auditing is best illustrated by a real-world example. Data housed in an organization’s servers and storage devices contain massive amounts of information. Much of this information is sensitive and is not intended for all eyes. It is absolutely critical that at any point in time, records can show an audit trail of who has accessed or attempted access to files and folders or have attempted to modify permissions of files and folders including the date and time when the attempt or change was made and on what server the change occurred. For organizations bound by regulations such as SOX, HIPAA, PCI, and FISMA, detailed file auditing showing who changed what, when, and where is a necessity. Without it, the organization risks non-compliance which may result in fines and sanctions. Consider all the information in any organization stored in various files: employee data, financial information, proprietary and trade information not meant for public or even selective internal access. One bad change can put that information and compliance at serious risk. Imagine a user browsing the network who finds various shares visible to them. Upon further examination, they stumble upon a file created by a senior executive outlining an upcoming merger including monetary transactions, leadership changes, and employee consolidations. Once opened by the casual user, the confidentiality of this information is lost. If this information were distributed, it may have serious negative consequences for the organization such as legal action or non-compliance. File access violations such as this have great potential of becoming much worse if information in sensitive files has been modified or removed or if the file were deleted altogether. Without an effective file auditing procedure in place, this organization has no way of providing an audit trail of who accessed what, when, and where this activity took place. With file access auditing, this information could have been quickly and easily discovered. The organization would then have been provided an opportunity to reduce the risks associated with this breach and improve their security. 1.2 File Auditing to Reduce Risk Detailed file access auditing delivers accountability and proof of regulatory compliance. Automatic collection and reporting of file change and file access information provides organizations with a steady stream of feedback regarding file activity in the enterprise. Using this information can greatly reduce risks. A file permission change may allow a user or group to see or modify sensitive information. A user repeatedly reviewing information they would not normally read may reveal an employee who is providing a competitor 3
  • 4. File Auditing in the Enterprise - White Paper with upcoming product details. Important files deleted from a network share may explain why important reports were not submitted on time. File auditing is the vehicle by which access attempts and changes made to files, folders and permissions can be monitored to uncover security risks so they can be addressed. For file servers and storage appliances, auditing permissions helps to ensure rights to sensitive data are maintained properly. Effectively managing every aspect of user and administrator interaction with the multitude of files within the environment reduces risk while granting the appropriate access users need to perform their duties. Change may sometimes bring unpredictable results, one of which is unintentionally creating conditions that disrupt or put the organization at risk. File auditing provides actionable and historical forensic information to ensure risk factors are managed appropriately while delivering consistent service to the end-users. 1.3 Change Auditing to Improve Security Internal threats pose a greater immediate danger to the organization than ever before. News headlines, such as the July 2011 breach of Shionogi, Inc. by a former employee frequently depict the disgruntled employee who has exploited their knowledge of internal systems for their own purposes. The primary reason these events are so prevalent is because of trust. Employees are given a level of trust and when that trust is abused, organizations quickly become victims. File auditing provides organizations with the ability to establish a robust check-and-balance record for all file system activity thus greatly improving security. Security improvements through the use of traditional file auditing are most often reactionary. Security flaws and holes are often discovered after the fact and the reason for this is automatic file auditing and file audit reporting is not present. Monitor file activity frequently to improve security in the enterprise. File auditing using only native tools can be cumbersome because of the volume of information recorded and while the majority of events are legitimate. One of the easiest ways to improve file security is to extract and review change information automatically on a regular basis.Why is Group Policy Auditing Important? 1.4 File Auditing to Sustain Compliance Regulations such as SOX, PCI, FISMA, and HIPAA each have their own detailed explanations of security standard practices including what exactly needs to be tracked and recorded in files and file systems. These regulations exist to establish (IT) change auditing standards to protect both businesses and consumers. At the end of the day, these regulations and their enforcement strive to confirm the organization is securing, recording and monitoring change events that permit access to sensitive information such as banking information, social security numbers, and health records. Additionally, regulations exist to establish a minimum set of security standards as they apply to user access within the environment in which they operate. File and folder permissions are essential to segregating information so that only select groups and individuals can access it without having to locate the information on separate physical or virtual systems. Demonstrating compliance is an exercise in presenting this information to auditors upon request and to the level of detail as is interpreted by the law or standard and subject to the individual auditor’s discretion. Auditing files, folders 4
  • 5. File Auditing in the Enterprise - White Paper and permission access attempts and changes provides the Who, What, When, and Where information most frequently requested by auditors and almost equally important is the need to store this information for sometimes up to 7 years or more to be considered compliant. For Windows file servers and storage appliances (such as NetApp Filer), this is extremely difficult and an entirely manual process with native functionality and thus gives rise to the demand for additional tools, especially in large environments with multiple levels of IT administration. 5
  • 6. File Auditing in the Enterprise - White Paper 2. Required File Auditing Features File auditing is the process of gathering file, folder and permission change and access attempt information, storing such information, and reporting on that information on a regular basis. It also includes analyzing the information, taking action and evaluating the results of those actions, to sustain compliance, secure information, and ensure consistent delivery of services to end-users. Windows file servers and storage appliances natively possess the ability to record audit information, however this information is dispersed throughout the various file servers and storage appliances in the environment and is not centrally aggregated. File reporting tools are also unavailable for audit data making the collection and reporting steps of change auditing for file, folder and permission access attempts and changes difficult and time consuming. There is also a risk of losing audit data if event log settings are not set properly to handle the volume of information logged and running out of disk space on servers if too much information is being captured or overwritten. Once native information is analyzed by an administrator experienced with the various system events and messages, the interpretation then would need to result in a decision to act. Combine these factors and the result is native file auditing is not feasible except for small to mid-sized environments that are adequately staffed to handle the workloads. The following information is a collection of must-have file auditing features. Additional deployment considerations are provided as well. 2.1 Automatic Data Collection In order to efficiently audit file servers, the process must be automated through scripting or 3rd-party tools. Without it, collecting the information in a timely manner is not feasible. This is especially true as the size of the organization will have a great impact on the raw volume of information collected making it even more challenging to track and report file changes. Special steps must also be taken on servers and domain controllers throughout the environment to facilitate auditing of the information which is by default not enabled. Additional scripting and/or a 3rd-party file server monitoring tool may also be employed to pre- configure systems in preparation of collecting event data. Furthermore, if audit data is not collected regularly, there is a risk of losing this information due to event log automatic overwrites or disk space issues. This is an important required feature to change auditing because without it, timely auditing is nearly impossible. 2.2 Efficient and Centralized Data Storage Automation of any kind typically requires additional resources and may negatively impact system performance which can lead to bigger problems. For this reason, it’s important that the impact of the method employed to automatically collect data is minimal. Furthermore, storage of data must also be a consideration during implementation. While it is possible to store event and audit data exclusively on the local system where the events are taking place, the preferred method will be to centralize this information in a data store that is both secure and readily available. This leads to numerous additional benefits over time as the need to analyze 6
  • 7. File Auditing in the Enterprise - White Paper and report on this information becomes part of daily routine for the IT administrator or group responsible for the overall health of the various file services. Collection of information must also be reliable. Occasionally, each piece of the file auditing system should have a periodic check to ensure information is consistent when collected. The most advanced methods of reliably collecting this information will also have the ability to pre-screen data and filter for only essential information. During collection, preference should be given to methods that leverage the existing Windows Event Log and other native audit information as opposed to injected agents or modified core system code for event extraction. Doing so will eliminate any potential system stability issues or future incompatibility problems. For Windows systems especially, relying solely on event log data may introduce problems because this information is frequently incomplete. To completely understand an event, information from all sources involved must be aggregated and analyzed as a whole. Securing this information for short and long-term storage is also an important consideration and thus best-practices for securing audit data should be included pre-deployment such that no single power-user has access to or the ability to delete or tamper with information. Access to this information should be heavily restricted and monitored. 2.3 Scalability To audit file changes, access attempts and permission adjustments in the enterprise, the solution must be readily scalable to adjust to a constantly changing environment without the need for dramatic steps. Implementation and ongoing use of file auditing will be simplified when no additional software or extensive reconfigurations are required when adjusting to changes within the organization. File auditing should keep pace with all granular changes as the overall topology of the network, domain controllers and Active Directory changes to ensure consistent control to best serve end-users and provide an invaluable audit trail for the IT staff. 2.4 Advanced Reporting Capabilities Once data collection from various sources has been automated and stored securely, file auditing can assume a proactive role in sustaining compliance, securing information and improving overall stability. Advanced reporting is necessary to provide IT administrators, management and auditors with customizable summarized report output on every change and access attempt for any time period. Without the ability to produce clear information on change history for day-to-day modifications to files and folders, such as, who changed shared folder permissions or who deleted an important accounting spreadsheet, sustaining compliance, stability and security will be impossible and many opportunities to improve these functions will be surrendered. Using SQL to store data and leverage SQL Reporting Services prove obvious choices for storing and reporting on data in primarily Windows-based environments. SQL Server Express Edition with SQL Reporting 7
  • 8. File Auditing in the Enterprise - White Paper Services can be downloaded for free from Microsoft and expertise with SQL is common and frequently available. Having the ability to customize ad-hoc and predefined 3rd-party reports will accelerate file auditing efforts by saving time and providing configuration options to suit the majority of needs. Using reports on a daily basis ensures complete visibility over the entire file infrastructure providing opportunities to improve security and sustain compliance. Additional reporting services such as e-mail alerts and subscription capabilities and will also add to the impact advanced reporting will have on overall file systems management effectiveness. Once established, advanced reporting will be the main driver behind a successful sustained file auditing and will become an important part of day-to-day management of the environment. 2.5 File Auditing for Storage Appliances Windows systems are predominant in most environments, however popular appliances such as EMC Celerra and NetApp Filer are also used extensively and require consideration in a comprehensive file reporting tool. These and other similar systems behave in their own unique ways and must be accounted for. Any chosen solution must also place appropriate emphasis on providing automatic, detailed file, folder and permission auditing as well as file access attempt auditing. Ignoring auditing of these popular storage appliances threatens security and compliance. For these reasons, any file auditing tool will need to include support for these and other platforms and must homogenize report output for administrators. This will save time, resources as well as the needs for additional software and/or vendors and having to learn additional software tools to facilitate file auditing across the enterprise. 2.6 File Integrity Monitoring File Integrity Monitoring, or FIM, ensures the integrity of files by monitoring a hash representation of a file instead of the entire file itself. This approach allows for fast detection of file changes facilitating timely alerting when a change occurs on a file. FIM is also required for PCI compliance. Using file integrity monitoring in a file auditing tool is necessary to provide the highest level of security and change control over data. 2.7 Additional Considerations Preferred solutions (and providers) should offer plug-in or add-on modules and software to help form a cohesive and comprehensive management suite to maximize the potential benefits of change auditing. Some additional types of systems may include firewalls, switches, database servers, SANs, storage appliances and other Microsoft technologies such as SQL and SharePoint and especially Active Directory and Group Policies. Real-time alerting and object restore features will also add great value to any selected file auditing solution. 8
  • 9. File Auditing in the Enterprise - White Paper 3. NetWrix Approach to File Auditing The NetWrix approach incorporates all the necessary features for achieving effective file auditing in a software solution. The NetWrix File Change Reporter is a file auditing solution that tracks changes made to files, folders, permissions and access attempts across the entire enterprise including many popular filer appliances. It generates audit reports that include the four W’s: Who, What, When, and Where for every audited file change, permission change, or access attempt. It also automatically provides before and new setting values for each file, folder or permission to improve security and change control efforts. The automatic collection and reporting on file changes not only surpasses native capabilities in Windows and storage appliances but expands upon them eliminating the time and effort spent collecting change audit information manually or through complex scripting thereby making this information both reliable and actionable. It has the ability to sustain compliance through historical reporting for up to 7 years and more. File integrity monitoring further extends the oversight on files through advanced change detection methods. In addition to file auditing, NetWrix offers additional integrated modules for Active Directory, Group Policy and more helping protect existing investments in current NetWrix product installations. See how NetWrix File Server Change Reporter can help with your auditing and compliance needs. Download link: netwrix.com/fscr_download About NetWrix Corporation NetWrix Corporation is a highly specialized provider of solutions for IT infrastructure change auditing. Change auditing is the core competency of NetWrix and no other vendor focuses on this more extensively. With the broadest platform coverage available in the industry, innovative technology and strategic roadmap aiming to support different types of IT systems, devices and applications, NetWrix offers award-winning change auditing solutions at very competitive prices, matched with great customer service. Founded in 2006, NetWrix has evolved as #1 for Change Auditing and Compliance as evidenced by thousands of satisfied customers worldwide. The company is headquartered in Paramus, NJ, and has regional offices in Los Angeles, Boston and Tampa, FL. 9
  • 10. File Auditing in the Enterprise - White Paper About Chris Rich As Senior Director of Product Management for NetWrix, located in the Boston office, I oversee all aspects of product management for the NetWrix family of products. I have been involved in numerous aspects of IT for over 16 years including help desk, systems administration, network management, network architecture, telecom and software sales and sales engineering, and product management. I am also a certified technical trainer, MCSA, Certified IBM Domino Administrator, avid runner, musician and happily married father of two. Additional Resources Information security professionals and trends - www.infosecisland.com Articles and commentary on a wide array of IT related topics - www.techrepublic.com Innovative tool and active community of IT practitioners - www.spiceworks.com Focused community on Windows security needs, trends, and information -www.windowssecurity.com 10 Immutable Laws of Security - http://technet.microsoft.com/en-us/library/cc722487.aspx NetWrix Corporate Blog - http://blog.netwrix.com ©2011 All rights reserved. NetWrix is trademark of NetWrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners. 10