As more companies find themselves in regulated spaces, controls around data access must become stricter. One way to achieve this is to enable file and folder access auditing. This is a great feature because it enhances accountability. You can catch people attempting to circumvent controls or violate policy. This audit data can be used to support investigations, such as litigation holds or security incidents. However, enabling this feature is not without drawbacks.
The biggest negative can be a performance impact. Those deploying it should also be aware that the benefit drops off steeply at the point of diminishing returns. After that point, significant investment is required if you want the benefit curve to keep rising.
For maximum benefit with less effort, here’s how you should deploy file and folder access auditing for the first time.
Things to know
Some facts and assumptions
- This type of logging can generate an enormous amount of log activity.
- The volume of logs can become so great with every Read / Write / Execute that logs roll (old logs are deleted) quickly.
- By default, the only way to know about successes and failures is to look at each endpoint manually.
- Without a log forwarder sending this data to a central Log Server or SIEM for retention and alerting, it’s likely the audit data won’t be available for investigations into the past. What’s worse, real-time alerts on failed access attempts won’t occur.
- Deploying log forwarders or audit solutions to user endpoints is associated with higher complexity and costs.
For these reasons
- It is optimal to enable it on file shares that reside on servers rather than on local user endpoints.
- Typically, file and folder-level logging is turned on for specific files or folders rather than entire file systems.
- We gain efficiency by collecting data from fewer sources. Having fewer sources and only key events means less noise upon ingestion to the solution. Therefore, we optimize correlation and reporting.
Follow this model to success
The Technical Part
- Set up a basic central logging system that supports log forwarding agents.
- The most common choices for SIEM would be OSSEC or the ELK Stack.
- For a pure Log Server we recommend Nagios or Graylog.
- Deploy your central Log Server. Test your forwarding agents on your central file shares.
- Configure your audit policy.
- Configure your forwarders to send the logs containing file and folder access events.
- On your log server, create dashboards showing things like failed access attempts per data source.
- On your log server, create alerts for “access denied” and make sure they are emailed to IT or Infosec personnel. Test to verify that it works.
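The dashboard and alert steps above, as an added example that is not part of the original post: Python that reads file-server audit events as a forwarder might ship them (constructed JSON lines; the field names, the Windows Security event IDs 4656/4663 and the share-root depth are assumptions), counts failed access attempts per data source and flags "access denied" events per user and share.

```python
"""Summarise 'access denied' file-share audit events for a dashboard and an alert.
Constructed example; not code from the original post or any named SIEM."""
import json
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: Windows Security events as a log forwarder might emit them
# as JSON lines. Field names are an assumption; real agents name them differently.
# Event 4656 with "Audit Failure" = a handle request on an audited object was denied.
# Event 4663 = an audited object was actually accessed (success).
SAMPLE_LOG = r"""
{"host":"FS01","event_id":4656,"keywords":"Audit Failure","user":"jdoe","object":"D:\\Shares\\Finance\\payroll.xlsx","access_mask":"0x2"}
{"host":"FS01","event_id":4663,"keywords":"Audit Success","user":"asmith","object":"D:\\Shares\\Finance\\budget.xlsx","access_mask":"0x1"}
{"host":"FS01","event_id":4656,"keywords":"Audit Failure","user":"jdoe","object":"D:\\Shares\\Finance\\q3.xlsx","access_mask":"0x1"}
{"host":"FS02","event_id":4656,"keywords":"Audit Failure","user":"bob","object":"E:\\Shares\\HR\\reviews.docx","access_mask":"0x10000"}
{"host":"FS01","event_id":4656,"keywords":"Audit Failure","user":"jdoe","object":"D:\\Shares\\Finance\\payroll.xlsx","access_mask":"0x2"}
"""

# Subset of the documented Windows file access-right bits found in Access Mask.
ACCESS_BITS = {
    0x1: "read", 0x2: "write", 0x4: "append", 0x20: "execute",
    0x40: "delete_child", 0x100: "write_attrs", 0x10000: "delete",
    0x40000: "write_dac", 0x80000: "write_owner",
}

def decode_mask(mask: str) -> list[str]:
    """Translate a hex Access Mask into the rights that were requested."""
    value = int(mask, 16)
    return [name for bit, name in ACCESS_BITS.items() if value & bit]

def parse_events(text: str) -> list[dict]:
    """Normalise each JSON line; the share root is assumed to be drive + two folders."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        parts = PureWindowsPath(rec["object"]).parts
        rec["share"] = str(PureWindowsPath(*parts[:3]))
        rec["rights"] = decode_mask(rec["access_mask"])
        rec["denied"] = rec["event_id"] == 4656 and rec["keywords"] == "Audit Failure"
        events.append(rec)
    return events

def denials_per_source(events: list[dict]) -> Counter:
    """Dashboard series: failed access attempts per (host, share)."""
    return Counter((e["host"], e["share"]) for e in events if e["denied"])

def alerts(events: list[dict], threshold: int = 1) -> dict:
    """Alert when a user is denied on one share at least `threshold` times (1 = every denial)."""
    per_user = Counter((e["user"], e["host"], e["share"]) for e in events if e["denied"])
    return {key: n for key, n in per_user.items() if n >= threshold}

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(denials_per_source(evts))
    print(alerts(evts, threshold=2))
```

Raising the threshold trades single-event alerting for fewer emails to IT or Infosec; the per-source counter is what the dashboard panel would plot.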
Fundamentally change the way you store and protect data
You may need to shift your approach to storing sensitive data. A central repository is ideal. Not only will you enhance auditing, but you can institute advanced security controls. Backups also become less complicated.
Keep in mind, you do not want sensitive information on laptops. Workstations that remain at office locations could be scoped into the audit solution. If workstations do not contain sensitive data, it doesn’t make sense to include them. On the other hand, if there are dedicated workstations for working on regulated data, definitely include them in the solution.
Create policy changes and compensating controls
It is an easier lift to institute written policies to accomplish objectives related to this type of monitoring. For instance, a policy might prevent users from storing sensitive data locally. Further, users may be required to store important data only on a central server. When it comes to the access control policy, require that folders and files be managed from the top down. Roles / groups must exist to grant and deny access.
Compensating controls, such as periodic audit activities, should be conducted to ensure policy compliance. To illustrate a balanced method, a few activities should suffice.
- Top-level folders should be locked for changes – only management or IT can grant or remove access at this level.
- Once per year, review the structure of the shares and spot check the content inside of folders.
- Twice per year, review all access for each group and person.
- Once per year, randomly select a few user endpoints for audit. Sweep through all files, checking for sensitive data that by policy should not be there.
- Create a brief audit report, review with management, and take action to make improvements and correct things.
- Once per year, send a company-wide email reminding people about the policy.
- Consider adding a slide to the training deck for new hires and annual training.
We’re here to help!
When it comes to cybersecurity, most businesses need expert advice to navigate the waters. By engaging with a company like Secureside, you get exactly that.
Please reach out to us directly or visit our website: