Hardware and software setup

Automated system for auditing (monitoring) user actions. InfoWatch software solutions and related activities. Integration with authentication systems

Annotation: The final lecture presents current recommendations for implementing technical means of protecting confidential information and discusses in detail the characteristics and operating principles of InfoWatch solutions.

InfoWatch Software Solutions

The aim of this course is not a detailed acquaintance with the technical details of how InfoWatch products operate, so we will consider them from the technical marketing side. InfoWatch products are based on two fundamental technologies: content filtering and auditing of user or administrator actions at the workplace. An integral part of the integrated InfoWatch solution is also a repository of information that has left the information system and a single internal security management console.

Content filtering of information traffic channels

The main distinguishing feature of InfoWatch content filtering is the use of a morphological core. Unlike traditional signature filtering, InfoWatch content filtering has two advantages: insensitivity to elementary encoding tricks (replacing one character with another) and higher performance. Since the core works not with words but with root forms, it automatically cuts off roots that contain mixed encodings. Working with roots, of which there are fewer than ten thousand in each language, rather than with word forms, of which there are about a million, also allows significant results to be shown on rather low-powered equipment.

User activity audit

To monitor user actions with documents on a workstation, InfoWatch offers several interceptors in a single workstation agent: interceptors for file operations, print operations, operations within applications, and operations with attached devices.

Storage of information that has left the information system through all channels

InfoWatch offers a repository for information that has left the information system. Documents that pass through any channel leading outside the system (e-mail, the Internet, printing and removable media) are stored in the *storage application (until 2007 the Traffic Monitor Storage Server module) together with all their attributes: the user's full name and position, his electronic projections (IP address, account or mail address), the date and time of the operation, and the document's name and attributes. All of this information is available for analysis, including content analysis.

Related activities

The introduction of technical means of protecting confidential information is ineffective without other methods, primarily organizational ones. We have already discussed some of them above. Now let's take a closer look at the other necessary actions.

Behavior patterns of offenders

By deploying a system that monitors actions with confidential information, in addition to extending its functionality and analytical capabilities, you can develop it in two more directions. The first is the integration of protection against internal and external threats. Incidents in recent years show a division of roles between internal and external intruders, and combining the information from the monitoring systems for external and internal threats will make it possible to detect such combined attacks. One point of contact between external and internal security is the management of access rights, especially when disloyal employees and saboteurs simulate a business need to have their rights increased. Any request for access to resources outside the employee's job duties must immediately trigger a mechanism for auditing actions with that information. It is even safer to solve problems that have suddenly arisen without opening access to the resources at all.

Let's take an example from life. The system administrator received a request from the head of the marketing department to open access to the financial system. As justification, the request was accompanied by a task from the general director to carry out marketing research on the purchasing of goods produced by the company. Since the financial system is one of the most protected resources and permission to access it is granted by the general director, the head of the information security department wrote an alternative solution on the request: not to grant access, but to upload anonymized data (without client names) to a special database for analysis. When the chief marketer objected that it was inconvenient for him to work this way, the director asked him a direct question: "Why do you need the names of the clients? Do you want to leak the database?" After that everyone went back to work. Whether this was an attempt to leak information we will never know, but whatever it was, the corporate financial system was protected.

Prevention of leaks during the preparation phase

Another direction in the development of a monitoring system for internal incidents with confidential information is the construction of a leak prevention system. Such a system works on the same principle as intrusion prevention solutions. First, a model of the intruder is built, and from it a "violation signature" is formed, that is, the sequence of actions the intruder performs. If several user actions match the violation signature, the user's next step is predicted; if it also matches the signature, an alarm is raised. For example, a confidential document was opened, part of it was selected and copied to the clipboard, then a new document was created and the contents of the clipboard were pasted into it. The system assumes that if the new document is then saved without the "confidential" label, this is an attempted theft. The USB drive has not yet been inserted, the e-mail has not been composed, and the system already informs the information security officer, who decides whether to stop the employee or track where the information goes. Incidentally, models (in other sources, "profiles") of offender behaviour can be used not only with information collected from software agents. If you analyse the nature of database queries, you can always identify an employee who tries to obtain a specific piece of information with a series of consecutive queries. It is then necessary to trace immediately what he does with the results: whether he saves them, whether he connects removable storage media, and so on.
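To make the "violation signature" idea concrete, here is an added example (not from the lecture and not InfoWatch code) in PowerShell: a sequence matcher that walks one user's ordered actions, warns with a predicted next step once a configurable number of consecutive signature steps have matched, and raises an alarm when the whole signature has been observed. The action names, the signature and the sample action stream are all constructed for illustration.

```powershell
# Added example: toy "violation signature" matcher for the leak-prevention idea above.
# Action names, the signature and the sample stream are constructed, not real agent output.

# Ordered actions that, taken together, precede a leak (constructed signature).
$ViolationSignature = @(
    'OpenConfidentialDocument',
    'CopySelectionToClipboard',
    'CreateNewDocument',
    'PasteFromClipboard',
    'SaveWithoutConfidentialLabel'
)

function Test-ViolationSignature {
    param(
        [Parameter(Mandatory=$true)] [string[]] $Actions,    # one user's actions, in time order
        [Parameter(Mandatory=$true)] [string[]] $Signature,
        [int] $Threshold = 3                                 # steps matched before we start predicting
    )
    $matched  = 0      # number of consecutive signature steps matched so far
    $findings = @()
    foreach ($action in $Actions) {
        if ($action -eq $Signature[$matched]) {
            $matched++                     # next expected step seen
        } elseif ($action -eq $Signature[0]) {
            $matched = 1                   # pattern restarts from its first step
        } else {
            $matched = 0                   # sequence broken
        }

        if ($matched -eq $Signature.Count) {
            # every step of the signature observed: alarm for the security officer
            $findings += [pscustomobject]@{ Level = 'ALARM'; Step = $action; PredictedNext = $null }
            $matched = 0
        } elseif ($matched -ge $Threshold) {
            # enough of the pattern to predict the user's next step and warn early
            $findings += [pscustomobject]@{ Level = 'WARN'; Step = $action; PredictedNext = $Signature[$matched] }
        }
    }
    return $findings
}

# Constructed sample: records an agent might have collected for one workstation user.
$sampleActions = @(
    'OpenConfidentialDocument',
    'CopySelectionToClipboard',
    'CreateNewDocument',
    'PasteFromClipboard',
    'SaveWithoutConfidentialLabel',
    'OpenConfidentialDocument',
    'PrintDocument'
)

Test-ViolationSignature -Actions $sampleActions -Signature $ViolationSignature -Threshold 3 |
    Format-Table -AutoSize
```

On the sample stream the function emits two WARN rows (after the third and fourth matching steps, each naming the predicted next action) and one ALARM row at the save without the "confidential" label; the trailing open and print do not complete the pattern and produce nothing. The same matcher can be fed a per-user stream of database query types to implement the "series of consecutive queries" case from the paragraph.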

Organization of information storage

Principles of data anonymization and encryption are a required condition for organizing storage and processing, and remote access can be organized over a terminal protocol, leaving no information on the computer from which the request is made.

Integration with authentication systems

Sooner or later, the customer will have to use the confidential document monitoring system to resolve personnel issues, for example dismissing employees on the basis of facts documented by the system, or even prosecuting leakers. However, all that the monitoring system can provide is the electronic identifier of the violator: the IP address, account, e-mail address and so on. To legally charge an employee, you need to link this identifier to a person. Here a new market opens up for the integrator: the introduction of authentication systems, from simple tokens to advanced biometrics and RFID identifiers.

Victor Chutov
Project Manager INFORMSVYAZ HOLDING

Prerequisites for the implementation of the system

The first open global study of internal threats to information security, conducted by InfoWatch in 2007 (based on the results of 2006), showed that internal threats are no less common (56.5%) than external ones (malware, spam, hacker activity, etc.). At the same time, in the vast majority of cases (77%), the cause of an internal threat being realized is the negligence of the users themselves (failure to follow job instructions or neglect of elementary information protection measures).

The dynamics of the situation in the period 2006-2008 are reflected in Fig. 1.

The relative decrease in the share of leaks due to negligence is due to the partial implementation of information leak prevention systems (including systems for monitoring user actions), which provide a fairly high degree of protection against accidental leaks. It is also due to the absolute increase in the number of deliberate thefts of personal data.

Despite the change in statistics, it is still safe to say that the priority is to combat unintentional information leaks, since it is easier and cheaper to counter such leaks, and as a result most incidents are covered.

At the same time, according to an analysis of the research by InfoWatch and Perimetrix for 2004-2008, employee negligence ranks second among the most dangerous threats (summary results are presented in Fig. 2), and its relevance continues to grow along with the improvement of the software and hardware of enterprise automated systems (AS).

Thus, the introduction of systems that eliminate the possibility of an employee's negative impact on information security (IS) in the enterprise's AS (including monitoring programs), and that provide IS staff with an evidence base and materials for investigating incidents, will eliminate the threat of leakage due to negligence, significantly reduce accidental leaks, and somewhat reduce intentional ones. Ultimately, this measure should make it possible to significantly reduce the realization of threats from insiders.

Modern AS for auditing user actions. Advantages and disadvantages

Automated systems for auditing (monitoring) user actions in an AS (ASADP AS), often referred to as monitoring software products, are designed to be used by AS security administrators (the organization's information security service) to ensure the observability of the AS: "the property of a computing system that allows the activities of users to be recorded and the identifiers of users involved in certain events to be unambiguously established, in order to prevent violations of security policy and/or ensure accountability for certain actions".

The observability property of an AS, depending on the quality of its implementation, allows one to control, to one degree or another, the observance by the organization's employees of its security policy and the established rules for safe work on computers.

The use of monitoring software products, including in real time, is designed to:

  • determine (localize) all attempts at unauthorized access to confidential information, with an exact indication of the time and the network workplace from which the attempt was made;
  • detect unauthorized software installation;
  • determine all cases of unauthorized use of additional hardware (for example, modems, printers, etc.) by analyzing the launching of unauthorized specialized applications;
  • determine all cases of critical words and phrases being typed on the keyboard, or critical documents being prepared, whose transfer to third parties would lead to material damage;
  • control access to servers and personal computers;
  • control contacts when browsing the Internet;
  • conduct research related to determining the accuracy, efficiency and adequacy of personnel response to external influences;
  • determine the workload of the organization's computer workplaces (by time of day, day of the week, etc.) for the purpose of the scientific organization of users' work;
  • control cases of personal computers being used outside working hours and identify the purpose of such use;
  • obtain the necessary reliable information on the basis of which decisions are made to adjust and improve the organization's information security policy, etc.

These functions are implemented by introducing agent modules (sensors) on AS workstations and servers, followed by status polling or receiving reports from them. Reports are processed in the security administrator's console. Some systems are equipped with intermediate servers (consolidation points) that process their own areas and security groups.

A system analysis of the solutions on the market (StatWin, Tivoli Configuration Manager, Tivoli Remote Control, OpenView Operations, "Uryadnik/Enterprise Guard", Insider) made it possible to identify a number of specific properties that, if added to a prospective ASADP, would improve its performance indicators compared to the samples studied.

In general, despite fairly wide functionality and a large set of options, existing systems can be used to track the activities of only individual AS users, on the basis of a mandatory cyclic poll (scan) of all specified AS elements (and, first of all, users' automated workplaces).

At the same time, the distributed nature and scale of modern AS, which include a fairly large number of workstations, technologies and software, greatly complicate the monitoring of users' work; each network device is capable of generating thousands of audit messages, producing volumes of information large enough to require huge, often duplicated databases. These tools, among other things, consume significant network and hardware resources and load the AS as a whole. They turn out to be inflexible with respect to reconfiguration of the hardware and software of computer networks, unable to adapt to unknown types of violations and network attacks, and the effectiveness with which they detect security policy violations largely depends on how often the security administrator scans the AS elements.

One way to improve the efficiency of these systems is simply to increase the scan rate. This inevitably reduces the efficiency with which the AS performs the main tasks it is actually intended for, because of a significant increase in computational load both on the administrator's workstation and on users' workstations, as well as an increase in traffic on the AS local network.

In addition to the problems associated with analyzing a large amount of data, existing monitoring systems have serious limitations on the efficiency and accuracy of the decisions made, caused by the human factor: the physical capabilities of the administrator as a human operator.

The ability of existing monitoring systems to notify in real time about explicit unauthorized user actions does not fundamentally solve the problem as a whole, since it allows only previously known types of violations to be tracked (the signature method) and cannot counter new types of violations.

The development and use of extensive methods in information security systems, which raise the level of protection by taking additional computing resources away from the AS, reduces the ability of the AS to solve the tasks for which it is intended and/or increases its cost. The failure of such an approach in the rapidly developing IT market is quite obvious.

Automated system for auditing (monitoring) user actions. Promising properties

The results of the analysis above make it obvious that prospective monitoring systems need the following properties:

  • automation, excluding routine "manual" operations;
  • a combination of centralization (based on the security administrator's workstation) with management at the level of individual elements (intelligent computer programs) of the system for monitoring the work of AS users;
  • scalability, which allows the capacity of monitoring systems to be increased and their capabilities expanded without a significant increase in the computing resources necessary for their effective functioning;
  • adaptability to changes in the composition and characteristics of the AS, as well as to the emergence of new types of security policy violations.

The generalized structure of an ASADP AS with the noted distinctive features, which can be implemented in AS of various purposes and configurations, is shown in Fig. 3.

The above structure includes the following main components:

  • software sensor components placed on some AS elements (user workstations, servers, network equipment, information security tools), which are used to capture and process audit data in real time;
  • log files containing intermediate information about user activity;
  • data processing and decision-making components that receive information from the sensors through the log files, analyze it and decide on further actions (for example, entering some information into the database, notifying officials, creating reports, etc.);
  • an audit database (DB) containing information about all registered events, on the basis of which reports are created and the state of the AS is monitored for any given period of time;
  • components for generating reports and certificates from the information recorded in the audit database, with filtering of records (by date, by user ID, by workstation, by security event, etc.);
  • a security administrator interface component, used to manage the operation of the ASADP AS from the administrator's workstation, view and print information, create various kinds of database queries and generate reports, which allows real-time monitoring of the current activities of AS users and assessment of the current security level of various resources;
  • additional components, in particular software components for configuring the system, installing and placing sensors, archiving and encrypting information, etc.

Information processing in ASADP AS includes the following stages:

  • recording of registration information by the sensors;
  • collection of information from individual sensors;
  • exchange of information between the corresponding agents of the system;
  • processing, analysis and correlation of registered events;
  • presentation of the processed information to the security administrator in a normalized form (in the form of reports, diagrams, etc.).

In order to minimize the required computing resources and increase the stealth and reliability of the system, information can be stored on various elements of the AS.

Given the task of giving the ASADP AS fundamentally new properties (compared to existing systems for auditing the work of AS users) of automation, a combination of centralization and decentralization, scalability and adaptability, one possible strategy for building it is the modern technology of intelligent multi-agent systems, implemented by developing an integrated community of agents of various types (intelligent autonomous programs that implement certain functions for detecting and countering user actions that contradict the security policy) and organizing their interaction.

To audit access to files and folders in Windows Server 2008 R2, you must enable the auditing feature and specify the folders and files whose access you want to record. After auditing is configured, the server log will contain information about access and other events on the selected files and folders. Note that access to files and folders can only be audited on volumes with the NTFS file system.

Enable auditing for file system objects in Windows Server 2008 R2

Auditing of access to files and folders is enabled and disabled using group policies: the domain policy for an Active Directory domain, or local security policies for standalone servers. To enable auditing on a single server, open the Local Security Policy console: Start -> All Programs -> Administrative Tools -> Local Security Policy. In the console, expand the Local Policies tree and select Audit Policy.

In the right pane, select Audit Object Access and, in the window that appears, specify which types of access events to files and folders should be recorded (successful/unsuccessful access):


After selecting the necessary settings, click OK.

Selecting the files and folders whose access will be recorded

After auditing of access to files and folders is activated, you need to select the specific file system objects whose access will be audited. Just like NTFS permissions, audit settings are by default inherited by all child objects (unless configured otherwise). As when assigning access rights to files and folders, inheritance of audit settings can be enabled either for all objects or only for selected ones.

To set up auditing for a specific folder or file, right-click it and select Properties. In the properties window, go to the Security tab and click Advanced. In the Advanced Security Settings window, go to the Auditing tab. Setting up auditing, of course, requires administrator rights. At this stage the audit window displays the list of users and groups for which auditing is enabled on this resource:

To add users or groups whose access to this object will be recorded, click Add... and specify the names of these users/groups (or specify Everyone to audit the access of all users):

Immediately after applying these settings, each time an object for which auditing is enabled is accessed, corresponding entries will appear in the Security system log (you can find it under Computer Management -> Event Viewer).

Alternatively, events can be viewed and filtered using the Get-EventLog PowerShell cmdlet. For example, to display all events with Event ID 4660, run:

Get-EventLog Security | ? { $_.EventID -eq 4660 }

Tip. Certain actions, such as sending an e-mail or running a script, can be attached to any event in the Windows log. How this is configured is described in the article:

UPD from 08/06/2012 (Thanks to the commentator).

In Windows 2008/Windows 7, a special utility, auditpol, was introduced for audit management. The full list of object types that can be audited can be seen with the command:

auditpol /list /subcategory:*

As you can see, these objects are divided into 9 categories:

  • System
  • Logon/Logoff
  • Object Access
  • Privilege Use
  • Detailed Tracking
  • Policy Change
  • Account Management
  • DS Access
  • Account Logon

Each of them, in turn, is divided into subcategories. For example, the Object Access category includes the File System subcategory, and to enable auditing of file system objects on a computer, run the command:

Auditpol /set /subcategory:"File System" /failure:enable /success:enable

It is disabled by the command:

Auditpol /set /subcategory:"File System" /failure:disable /success:disable

That is, if you turn off auditing of unnecessary subcategories, you can significantly reduce the size of the log and the number of unnecessary events.
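Before switching subcategories off it helps to see what is currently enabled. The following is an added example (not part of the original article) that turns the CSV output of auditpol into objects, lists the enabled subcategories, and wraps the enable/disable call so the result is read back for verification. It assumes an elevated PowerShell session and the English-locale column names that auditpol /r prints ("Subcategory", "Inclusion Setting"); the choice to keep File System and drop Handle Manipulation is an illustration, not a recommendation for every environment.

```powershell
# Added example: inventory and trim the local audit policy with auditpol.
# Assumes an elevated prompt and English-locale auditpol column names.

function Get-AuditPolicyReport {
    # /r prints CSV; drop blank lines that may precede the header on some builds
    $rows = auditpol /get /category:* /r | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Setting     = $row.'Inclusion Setting'           # e.g. "No Auditing", "Success and Failure"
            Enabled     = ($row.'Inclusion Setting' -ne 'No Auditing')
        }
    }
}

function Set-AuditSubcategory {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [switch] $Success,
        [switch] $Failure
    )
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Name" /success:$s /failure:$f | Out-Null
    # read the policy back so the caller sees what actually took effect
    Get-AuditPolicyReport | Where-Object { $_.Subcategory -eq $Name }
}

# Save the current policy first; it can be put back with: auditpol /restore /file:<path>
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup /file:"$backup" | Out-Null

# 1. What is switched on right now?
Get-AuditPolicyReport | Where-Object { $_.Enabled } | Format-Table -AutoSize

# 2. Keep File System auditing for both outcomes (needed for the 4663/4660 events below),
#    and switch off Handle Manipulation, which is not required to answer "who deleted this file"
#    and adds a large volume of handle open/close records.
Set-AuditSubcategory -Name 'File System' -Success -Failure
Set-AuditSubcategory -Name 'Handle Manipulation'
```

Run the report first and decide per subcategory; the backup line means any change can be reverted in one command if a log consumer turns out to depend on it.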

After auditing of access to files and folders is activated, you need to specify the specific objects that we will control (in the properties of the files and folders). Keep in mind that, by default, audit settings are inherited by all child objects (unless otherwise specified).

Sometimes events happen that require us to answer the question "who did this?". This can happen "rarely, but painfully", so you should prepare in advance to be able to answer it.

Almost everywhere there are design departments, accounting departments, developers and other categories of employees who work together on groups of documents stored in a shared folder on a file server or on one of the workstations. It may happen that someone deletes an important document or directory from this folder, as a result of which the work of the whole team may be lost. In that case the system administrator faces several questions:

    When, and at what time, did the problem occur?

    From which backup, the closest to that time, should the data be restored?

    Was there perhaps a system failure that may happen again?

Windows has a system audit facility that lets you track and log when, by whom and with which program documents were deleted. By default, auditing is not enabled: tracking itself consumes a certain share of system capacity, and if you record everything the load becomes too high. Moreover, not all user actions are of interest to us, so audit policies allow us to enable tracking only of the events that really matter.

The audit system is built into all Microsoft Windows NT operating systems: Windows XP/Vista/7, Windows Server 2000/2003/2008. Unfortunately, in the Windows Home editions auditing is hidden deep and is too difficult to configure.

What needs to be configured?

To enable auditing, log in with administrator rights to the computer that provides access to the shared documents and run Start -> Run -> gpedit.msc. In the Computer Configuration section, expand Windows Settings -> Security Settings -> Local Policies -> Audit Policy:

Double-click the Audit object access policy and tick the Success checkbox. This setting turns on tracking of successful file and registry access; we are only interested in successful attempts to delete files or folders. Enable auditing only on computers that directly store the monitored objects.

Simply enabling the audit policy is not enough: we also need to specify which folders we want to monitor. Usually these are folders of shared documents and folders with production programs or databases (accounting, warehouse, etc.), that is, resources that several people work with.

It is impossible to guess in advance who exactly will delete a file, so tracking is set for Everyone. Successful attempts to delete monitored objects by any user will be logged. Open the properties of the required folder (if there are several such folders, each of them in turn) and on the Security -> Advanced -> Auditing tab add the audit subject Everyone with the successful access attempts Delete and Delete Subfolders and Files:


A lot of events can be logged, so you should also adjust the size of the Security log to which they will be written. To do this, run Start -> Run -> eventvwr.msc. In the window that appears, open the properties of the Security log and specify the following parameters:

    Maximum Log Size = 65536 KB (for workstations) or 262144 KB (for servers)

    Overwrite events as needed.

These figures are not guaranteed to be right for everyone; they are chosen empirically for each specific case.
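The three configuration steps above (audit policy, the folder's audit entry for Everyone, and the Security log size) can be applied from an elevated PowerShell prompt instead of the GUI. The following is an added example, not from the original article: it uses the well-known SID S-1-1-0 for Everyone so it works regardless of the display language, writes the SACL with Get-Acl -Audit / Set-Acl, and sizes the log with Limit-EventLog using the article's workstation and server figures. The folder path is an assumption; replace it with the share you need to watch.

```powershell
# Added example: script the "What needs to be configured?" steps. Run elevated.
$Folder = 'D:\Shared\Documents'    # assumed path of the watched share

# 1. Audit policy: record successful object access (the "Audit object access: Success" step).
auditpol /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# 2. Folder SACL: Everyone (SID S-1-1-0, locale-independent), successful Delete and
#    Delete Subfolders and Files, inherited by all child folders and files.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
            -ArgumentList $everyone, $rights, $inherit, $prop, $flags

# -Audit makes Get-Acl read the SACL (not only the DACL), so Set-Acl writes it back.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Security log size and retention: 65536 KB for a workstation, 262144 KB for a server,
#    overwrite as needed. ProductType 1 = workstation, 2 = domain controller, 3 = server.
$isServer = (Get-WmiObject Win32_OperatingSystem).ProductType -ne 1
$maxBytes = if ($isServer) { 256MB } else { 64MB }
Limit-EventLog -LogName Security -MaximumSize $maxBytes -OverflowAction OverwriteAsNeeded

# Read back what is now audited on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Writing a SACL needs the Manage auditing and security log privilege, which is why the session must be elevated; if Set-Acl reports a privilege error, that is the cause. The final Get-Acl call is the scripted equivalent of opening the Auditing tab to confirm the Everyone entry is present.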

So, who deleted the documents (Windows 2003/XP)?

Click Start -> Run -> eventvwr.msc and open the Security log. Right-click it, select View -> Filter and filter the view by the following criteria:

  • Event Source:Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 560;


Review the list of filtered events, paying attention to the following fields within each entry:

  • ObjectName: the name of the folder or file in question;
  • ImageFileName: the name of the program that deleted the file;
  • Accesses: the set of requested rights.

A program can request several types of access from the system at once, for example Delete + Synchronize or Delete + READ_CONTROL. The one that matters to us is Delete.


So, who deleted the documents (Windows 2008/ Vista)?

Click Start -> Run -> eventvwr.msc and open the Security log. The log may be filled with events not directly related to the problem. Right-click the Security log, select View -> Filter and filter the view by the following criteria:

  • Event Source: Security;
  • Category: Object Access;
  • Event Types: Success Audit;
  • Event ID: 4663;
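Reading 4663 events one at a time in Event Viewer does not scale once the log holds thousands of them. The following added example (not from the original article) does the same filtering from PowerShell on Windows 2008/Vista and later: it pulls 4663 events with Get-WinEvent, parses each event's XML, keeps only accesses that actually include the Delete right (the Delete + Synchronize / Delete + READ_CONTROL point above), and reports who deleted what with which program. The field names SubjectUserName, SubjectDomainName, ObjectName, ProcessName, AccessMask and HandleId are the standard ones in the 4663 event data; the time window and the path filter are assumptions to adjust.

```powershell
# Added example: answer "who deleted the documents?" from 4663 events.
$Since      = (Get-Date).AddDays(-1)          # assumed time window
$PathFilter = 'D:\Shared\Documents\*'         # assumed watched share; $null disables the filter

# Access rights that mean a deletion: DELETE on the object itself, or
# FILE_DELETE_CHILD (Delete Subfolders and Files) on its parent folder.
$DELETE_MASK = 0x10000 -bor 0x40

function Get-EventField {
    # Return the value of one named <Data> element from an event's XML.
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-DeleteAudit {
    param([datetime]$StartTime, [string]$Path)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $StartTime }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x    = [xml]$e.ToXml()
        $mask = [int](Get-EventField $x 'AccessMask')     # e.g. "0x10000" -> 65536
        if (($mask -band $DELETE_MASK) -eq 0) { continue } # Synchronize/READ_CONTROL alone is noise
        $obj = Get-EventField $x 'ObjectName'
        if ($Path -and ($obj -notlike $Path)) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f (Get-EventField $x 'SubjectDomainName'), (Get-EventField $x 'SubjectUserName')
            Object  = $obj
            Process = Get-EventField $x 'ProcessName'
            Handle  = Get-EventField $x 'HandleId'        # matches the HandleId of the paired 4660 event
        }
    }
}

$deletes = Get-DeleteAudit -StartTime $Since -Path $PathFilter
$deletes | Sort-Object Time | Format-Table -AutoSize

# A burst of deletions from one account is the pattern described below; summarise per user.
$deletes | Group-Object User | Select-Object Name, Count | Sort-Object Count -Descending
```

The Handle column lets you confirm a deletion really happened: the 4660 event ("An object was deleted") for the same handle follows the 4663 access request, which is why the earlier Get-EventLog example filtered on 4660. The per-user summary at the end is the quick way to spot the "tens or hundreds of entries per second" case without reading individual records.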

Don't rush to interpret every deletion as malicious. Deletion is often used in the normal operation of programs: for example, when executing the Save command, Microsoft Office programs first create a new temporary file, save the document into it, and then delete the previous version of the file. Likewise, many database applications create a temporary lock file (.lck) on startup and delete it when the program exits.

In practice, I have had to deal with malicious user actions. For example, a disgruntled employee of a certain company, on leaving his job, decided to destroy all the results of his work by deleting the files and folders he had been involved with. Events of this kind are clearly visible: they generate tens or hundreds of entries per second in the security log. Of course, recovering the documents from Shadow Copies or from the automatically created daily archive is not difficult, but at the same time I could answer the questions "Who did this?" and "When did this happen?".
