Audit of user actions. Infowatch Software Solutions and Related Activities

Youtube

The need to implement audit systems for user actions in organizations of any level is confirmed by research from companies engaged in information security analysis.

A Kaspersky Lab study, for example, showed that two thirds of information security incidents (67%) are caused, among other things, by the actions of ill-informed or inattentive employees. At the same time, according to ESET research, 84% of companies underestimate the risks caused by the human factor.

Protecting against insider threats requires more effort than protecting against external threats. To counter external “pests”, including viruses and targeted attacks on an organization’s network, it is enough to implement the appropriate software or hardware-software system. Securing an organization from an insider attack will require greater investment in security infrastructure and deeper analysis. Analytical work includes identifying the types of threats that are most critical for business, as well as drawing up “portraits of violators,” that is, determining what damage a user can cause based on their competencies and powers.

The audit of user actions is inextricably linked not only with an understanding of exactly what “gaps” in the information security system need to be quickly closed, but also with the issue of business sustainability as a whole. Companies committed to continuous operations must take into account that with the complication and increase in the processes of informatization and business automation, the number of internal threats is only growing.

In addition to tracking the actions of an ordinary employee, it is necessary to audit the operations of “super users” - employees with privileged rights and, accordingly, greater opportunities to accidentally or intentionally realize the threat of information leakage. These users include system administrators, database administrators, and internal software developers. Here you can also add attracted IT specialists and employees responsible for information security.

The implementation of a system for monitoring user actions in a company allows you to record and quickly respond to employee activity. Important: the audit system must be comprehensive. This means that information about the activities of an ordinary employee, system administrator or top manager needs to be analyzed at the level of the operating system, use of business applications, at the level of network devices, access to databases, connecting external media, and so on.

Modern comprehensive audit systems allow you to monitor all stages of user actions from startup to shutdown of the PC (terminal workstation). True, in practice they try to avoid total control. If all operations are recorded in audit logs, the load on the organization's information system infrastructure increases many times: workstations hang, servers and channels work under full load. Paranoia regarding information security can harm a business by significantly slowing down work processes.

A competent information security specialist primarily determines:

what data in the company is the most valuable, since most internal threats will be associated with it;
who and at what level can have access to valuable data, that is, outlines the circle of potential violators;
the extent to which current security measures can withstand intentional and/or accidental user actions.

For example, information security specialists from the financial sector consider the threats of payment data leakage and access abuse to be the most dangerous. In the industrial and transport sector, the biggest fears are leakage of know-how and disloyal behavior of workers. There are similar concerns in the IT sector and telecommunications business, where the most critical threats are the leakage of proprietary developments, trade secrets and payment information.

AS THE MOST PROBABLE “TYPICAL” VIOLators, ANALYTICS INDICATE:

Top management: the choice is obvious - the broadest possible powers, access to the most valuable information. At the same time, those responsible for security often turn a blind eye to violations of information security rules by such figures.
Disloyal employees : to determine the degree of loyalty, the company’s information security specialists should analyze the actions of an individual employee.
Administrators: Specialists with privileged access and advanced authority, with deep knowledge in the IT field, are susceptible to the temptation to gain unauthorized access to important information;
Contractor employees / outsourcing : like administrators, “outside” experts, having extensive knowledge, can implement various threats while being “inside” the customer’s information system.

Determining the most significant information and the most likely attackers helps to build a system of not total, but selective user control. This “unloads” the information system and relieves information security specialists from redundant work.

In addition to selective monitoring, the architecture of audit systems plays a significant role in speeding up system operation, improving the quality of analysis and reducing the load on the infrastructure. Modern systems for auditing user actions have a distributed structure. Sensor agents are installed on end workstations and servers, which analyze events of a certain type and transmit data to consolidation and storage centers. Systems for analyzing recorded information based on parameters built into the system find in audit logs facts of suspicious or anomalous activity that cannot be immediately attributed to an attempt to implement a threat. These facts are transmitted to the response system, which notifies the security administrator of the violation.

If the audit system is able to independently cope with a violation (usually such information security systems provide a signature method for responding to a threat), then the violation is stopped automatically, and all the necessary information about the violator, his actions and the target of the threat ends up in a special database. In this case, the Security Administrator Console notifies you that the threat has been neutralized.

If the system does not have ways to automatically respond to suspicious activity, then all information to neutralize the threat or to analyze its consequences is transferred to the information security administrator console to perform operations manually.

IN THE MONITORING SYSTEM OF ANY ORGANIZATION THE OPERATIONS SHOULD BE CONFIGURED:

Audit the use of workstations, servers, as well as the time (by hours and days of the week) of user activity on them. In this way, the feasibility of using information resources is established.

Sometimes events happen that require us to answer a question. "who did it?" This can happen “rarely, but accurately,” so you should prepare for the answer to the question in advance.

Almost everywhere, there are design departments, accounting departments, developers and other categories of employees working together on groups of documents stored in a publicly accessible (Shared) folder on a file server or on one of the workstations. It may happen that someone deletes an important document or directory from this folder, as a result of which the work of an entire team may be lost. In this case, the system administrator faces several questions:

When and what time did the problem occur?

What is the closest backup to this time to restore the data from?

Maybe there was a system failure that could happen again?

Windows has a system Audit, allowing you to track and log information about when, by whom and using what program documents were deleted. By default, Audit is not enabled - tracking itself requires a certain percentage of system power, and if you record everything, the load will become too large. Moreover, not all user actions may interest us, so Audit policies allow us to enable tracking only of those events that are really important to us.

The Audit system is built into all operating systems MicrosoftWindowsNT: Windows XP/Vista/7, Windows Server 2000/2003/2008. Unfortunately, in Windows Home series systems, auditing is hidden deeply and is too difficult to configure.

What needs to be configured?

To enable auditing, log in with administrator rights to the computer that provides access to shared documents and run the command Start→Run→gpedit.msc. In the Computer Configuration section, expand the folder Windows Settings→ Security Settings→ Local Policies→ Audit Policies:

Double click on policy Audit object access (Object access audit) and select the checkbox Success. This setting enables a mechanism to monitor successful access to files and the registry. Indeed, we are only interested in successful attempts to delete files or folders. Enable Auditing only on computers where the monitored objects are directly stored.

Simply enabling the Audit policy is not enough; we must also specify which folders we want to monitor. Typically, such objects are folders of common (shared) documents and folders with production programs or databases (accounting, warehouse, etc.) - that is, resources with which several people work.

It is impossible to guess in advance who exactly will delete the file, so tracking is indicated for Everyone. Successful attempts to delete monitored objects by any user will be logged. Call the properties of the required folder (if there are several such folders, then all of them in turn) and on the tab Security → Advanced → Auditing add subject tracking Everyone his successful access attempts Delete And Delete Subfolders and Files:

Quite a lot of events can be logged, so you should also adjust the log size Security(Safety), in which they will be recorded. For
run this command Start→ Run→ eventvwr. msc. In the window that appears, call the properties of the Security log and specify the following parameters:

Maximum Log Size = 65536 K.B.(for workstations) or 262144 K.B.(for servers)

Overwrite events as needed.

In fact, the indicated figures are not guaranteed to be accurate, but are selected empirically for each specific case.

Windows 2003/ XP)?

Click Start→ Run→ eventvwr.msc Security. View→ Filter

Event Source:Security;
Category: Object Access;
Event Types: Success Audit;
Event ID: 560;

Browse the list of filtered events, paying attention to the following fields within each entry:

ObjectName. The name of the folder or file you are looking for;
ImageFileName. The name of the program that deleted the file;
Accesses. The set of rights requested.

A program can request several types of access from the system at once - for example, Delete+ Synchronize or Delete+ Read_ Control. A significant right for us is Delete.

So, who deleted the documents (Windows 2008/ Vista)?

Click Start→ Run→ eventvwr.msc and open the magazine to view Security. The log may be filled with events that are not directly related to the problem. Right-click the Security log and select View→ Filter and filter your viewing by the following criteria:

Event Source: Security;
Category: Object Access;
Event Types: Success Audit;
Event ID: 4663;

Do not rush to interpret all deletions as malicious. This function is often used during normal program operation - for example, executing a command Save(Save), package programs MicrosoftOffice First, they create a new temporary file, save the document into it, and then delete the previous version of the file. Likewise, many database applications first create a temporary lock file when launched (. lck), then delete it when exiting the program.

I have had to deal with malicious actions of users in practice. For example, a conflicted employee of a certain company, upon leaving his job, decided to destroy all the results of his work, deleting files and folders to which he was related. Events of this kind are clearly visible - they generate tens, hundreds of entries per second in the security log. Of course, restoring documents from ShadowCopies(Shadow Copies) or an automatically created archive every day is not difficult, but at the same time I could answer the questions “Who did this?” and “When did this happen?”

Annotation: The final lecture provides the latest recommendations for the implementation of technical means of protecting confidential information, and discusses in detail the characteristics and operating principles of InfoWatch solutions

InfoWatch software solutions

The purpose of this course is not a detailed acquaintance with the technical details of the operation of InfoWatch products, so we will consider them from the technical marketing side. InfoWatch products are based on two fundamental technologies - content filtering and auditing of user or administrator actions in the workplace. Also part of the comprehensive InfoWatch solution is a repository of information that has left the information system and a unified internal security management console.

Content filtering of information flow channels

The main distinctive feature of InfoWatch content filtering is the use of a morphological core. Unlike traditional signature filtering, InfoWatch content filtering technology has two advantages - insensitivity to elementary encoding (replacing some characters with others) and higher performance. Since the kernel works not with words, but with root forms, it automatically cuts off roots that contain mixed encodings. Also, working with roots, of which there are less than ten thousand in each language, and not with word forms, of which there are about a million in languages, allows one to show significant results on rather unproductive equipment.

Audit of user actions

To monitor user actions with documents on a workstation, InfoWatch offers several interceptors in one agent on the workstation - interceptors for file operations, print operations, operations within applications, and operations with attached devices.

A repository of information that has left the information system through all channels.

The InfoWatch company offers a repository of information that has left the information system. Documents passed through all channels leading outside the system - e-mail, Internet, printing and removable media - are stored in the *storage application (until 2007 - module Traffic Monitor Storage Server) indicating all attributes - full name and position of the user, his electronic projections (IP address, account or postal address), date and time of the transaction, name and document attributes. All information is available for analysis, including content analysis.

Related Actions

The introduction of technical means of protecting confidential information seems ineffective without the use of other methods, primarily organizational ones. We have already discussed some of them above. Now let's take a closer look at other necessary actions.

Patterns of behavior of violators

By deploying a system for monitoring actions with confidential information, in addition to increasing functionality and analytical capabilities, you can develop in two more directions. The first is the integration of protection systems against internal and external threats. Incidents in recent years show that there is a distribution of roles between internal and external attackers, and combining information from external and internal threat monitoring systems will make it possible to detect such combined attacks. One of the points of contact between external and internal security is the management of access rights, especially in the context of simulating a production need to increase rights by disloyal employees and saboteurs. Any requests for access to resources beyond the scope of official duties must immediately include a mechanism to audit actions taken with that information. It’s even safer to solve problems that suddenly arise without opening access to resources.

Let's give an example from life. The system administrator received a request from the head of the marketing department to open access to the financial system. As a substantiation of the application, an assignment from the general director was attached for marketing research into the processes of purchasing goods produced by the company. Since the financial system is one of the most protected resources and permission to access it is given by the general director, the head of the information security department wrote an alternative solution on the application - not to give access, but to upload anonymized (without specifying clients) data into a special database for analysis. In response to the objections of the chief marketer that it was inconvenient for him to work like this, the director asked him a question “head-on”: “Why do you need the names of clients - do you want to merge the database?” -after which everyone went to work. Whether this was an attempt to leak information, we will never know, but whatever it was, the corporate financial system was protected.

Preventing leaks during preparation

Another direction for developing a system for monitoring internal incidents with confidential information is building a leak prevention system. The operating algorithm of such a system is the same as in intrusion prevention solutions. First, a model of the intruder is built, and a “violation signature” is formed from it, that is, the sequence of actions of the intruder. If several user actions coincide with the violation signature, the user's next step is predicted, and if it also matches the signature, an alarm is raised. For example, a confidential document was opened, part of it was selected and copied to the clipboard, then a new document was created and the contents of the clipboard were copied to it. The system assumes: if a new document is then saved without the “confidential” label, this is an attempt to steal. The USB drive has not yet been inserted, the letter has not been generated, and the system informs the information security officer, who makes a decision - to stop the employee or to track where the information goes. By the way, models (in other sources - “profiles”) of the offender’s behavior can be used not only by collecting information from software agents. If you analyze the nature of queries to the database, you can always identify an employee who, through a series of sequential queries to the database, is trying to obtain a specific piece of information. It is necessary to immediately monitor what it does with these requests, whether it saves them, whether it connects removable storage media, etc.

Organization of information storage

The principles of anonymization and encryption of data are a prerequisite for organizing storage and processing, and remote access can be organized using a terminal protocol, without leaving any information on the computer from which the request is organized.

Integration with authentication systems

Sooner or later, the customer will have to use a system for monitoring actions with confidential documents to resolve personnel issues - for example, dismissing employees based on facts documented by this system or even prosecuting those who leaked. However, all that the monitoring system can provide is the electronic identifier of the offender - IP address, account, email address, etc. In order to legally accuse an employee, this identifier must be linked to an individual. Here a new market opens up for the integrator - the implementation of authentication systems - from simple tokens to advanced biometrics and RFID identifiers.

To audit access to files and folders in Windows Server 2008 R2, you must enable the audit function and also specify the folders and files to which access should be recorded. After setting up auditing, the server log will contain information about access and other events on selected files and folders. It is worth noting that auditing of access to files and folders can only be carried out on volumes with the NTFS file system.

Enable auditing of file system objects in Windows Server 2008 R2

Access auditing for files and folders is enabled and disabled using group policies: domain policies for an Active Directory domain or local security policies for individual servers. To enable auditing on an individual server, you must open the Local Policy management console Start ->AllPrograms ->AdministrativeTools ->LocalSecurityPolicy. In the local policy console, you need to expand the local policy tree ( LocalPolicies) and select an element AuditPolicy.

In the right panel you need to select an element AuditObjectAccess and in the window that appears, specify what types of access events to files and folders need to be recorded (successful/unsuccessful access):

After selecting the required setting, click OK.

Selecting files and folders to which access will be recorded

After auditing access to files and folders is activated, you need to select specific file system objects to audit access to. Just like NTFS permissions, audit settings are inherited by default to all child objects (unless configured otherwise). Just like when assigning access rights to files and folders, inheritance of audit settings can be enabled for all or only selected objects.

To set up auditing for a specific folder/file, you need to right-click on it and select Properties ( Properties). In the properties window, go to the Security tab ( Security) and press the button Advanced. In the advanced security settings window ( AdvancedSecuritySettings) go to the Audit tab ( Auditing). Setting up auditing, of course, requires administrator rights. At this stage, the audit window will display a list of users and groups for which auditing for this resource is enabled:

To add users or groups whose access to this object will be recorded, click the button Add… and specify the names of these users/groups (or specify Everyone– to audit access of all users):

Immediately after applying these settings in the Security system log (you can find it in the ComputerManagement -> Events Viewer), each time you access objects for which auditing is enabled, corresponding entries will appear.

Alternatively, events can be viewed and filtered using the PowerShell cmdlet − Get-EventLog For example, to display all events with eventid 4660, run the command:

Get-EventLog security | ?($_.eventid -eq 4660)

Advice. It is possible to assign specific actions to any event in the Windows log, such as sending an email or executing a script. How this is configured is described in the article:

UPD from 06.08.2012 (Thanks to the commentator).

In Windows 2008/Windows 7, a special utility appeared to manage auditing auditpol. A complete list of object types for which auditing can be enabled can be seen using the command:

Auditpol /list /subcategory:*

As you can see, these objects are divided into 9 categories:

System
Logon/Logoff
Object Access
Privilege Use
Detailed Tracking
Policy Change
Account Management
DS Access
Account Logon

And each of them, accordingly, is divided into subcategories. For example, the Object Access audit category includes the File System subcategory, and to enable auditing for file system objects on the computer, run the command:

Auditpol /set /subcategory:"File System" /failure:enable /success:enable

It is disabled accordingly with the command:

Auditpol /set /subcategory:"File System" /failure:disable /success:disable

Those. If you disable auditing of unnecessary subcategories, you can significantly reduce the log volume and the number of unnecessary events.

After auditing access to files and folders is activated, you need to specify the specific objects that we will monitor (in the properties of files and folders). Keep in mind that by default, audit settings are inherited to all child objects (unless otherwise specified).