Heads-up security world: There’s a new acronym on the horizon! File activity monitoring (FAM) products are designed to plug a hole in existing data loss prevention (DLP) products by monitoring
Introducing file activity monitoring
File activity monitoring products are designed to monitor the patterns of legitimate users accessing enterprise file stores and alert security administrators to unusual activity. FAM is designed to go above and beyond the access control and logging capabilities built into operating systems, providing a usable way to perform both proactive and reactive security monitoring.
FAM solutions could be used to:
- Track file access in real time and take action when abnormal activity is detected. The definition of "abnormal" may be customized to individual users, groups or the entire organization.
- Audit all accesses to a file in the event of a data leak to assist with the investigation.
- Identify all files accessed by a particular user who is suspected of corporate espionage.
- Identify users that have access permissions but are not using them. This may be especially helpful when performing audits designed to identify permissions that have accumulated as a result of privilege creep but are no longer necessary.
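As an added illustration of the four uses listed above (not code from the article or from any FAM product), the following Python models a FAM audit trail over constructed sample access records: a per-user baseline that flags a day of unusually broad file access, a per-file and per-user audit lookup, and a report of granted but unexercised share permissions. The users, paths, share ACL and the 3x threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean
# Constructed sample audit records (day, user, path, action); not real data.
# The final comprehension simulates alice pulling six R&D documents in one day.
ACCESS_LOG = [
    ("2011-09-01", "alice", "/fs/rd/design-a.doc", "read"),
    ("2011-09-02", "alice", "/fs/rd/design-a.doc", "write"),
    ("2011-09-03", "alice", "/fs/rd/design-b.doc", "read"),
    ("2011-09-01", "bob", "/fs/finance/q3.xls", "read"),
    ("2011-09-03", "bob", "/fs/finance/q3.xls", "write"),
] + [("2011-09-04", "alice", f"/fs/rd/spec-{i}.doc", "read") for i in range(6)]

# Constructed share-level ACL (assumption): share prefix -> users granted access.
PERMISSIONS = {"/fs/rd": {"alice", "bob", "carol"}, "/fs/finance": {"bob", "dave"}}

def distinct_files_per_day(log):
    """user -> day -> set of distinct paths touched that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, user, path, _ in log:
        seen[user][day].add(path)
    return seen

def flag_abnormal_days(log, factor=3.0):
    """Proactive use: each user's baseline is their own mean distinct files/day
    over earlier days; a day >= factor * baseline is reported as possible bulk
    collection. Returns (user, day, count, baseline) tuples."""
    alerts = []
    for user, days in distinct_files_per_day(log).items():
        history = []
        for day in sorted(days):
            count = len(days[day])
            if history and count >= factor * mean(history):
                alerts.append((user, day, count, mean(history)))
            history.append(count)
    return alerts

def audit_file(log, path):
    """Reactive use: every access to one path, in date order."""
    return sorted((d, u, a) for d, u, p, a in log if p == path)

def files_touched_by(log, user):
    """Reactive use: every path a given user has accessed."""
    return sorted({p for _, u, p, _ in log if u == user})

def unused_permissions(log, permissions):
    """Users holding a share permission they never exercised (privilege creep)."""
    active = defaultdict(set)
    for _, user, path, _ in log:
        for share in permissions:
            if path.startswith(share + "/"):
                active[share].add(user)
    return {s: sorted(users - active[s]) for s, users in permissions.items()}
```

A real deployment would feed these functions from the file server's audit log and the directory's group membership rather than from inline constants.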
FAM products typically integrate with other products in your environment, including Active Directory/LDAP information stores, DLP and other elements of your security infrastructure. For example, the FAM might leverage Active Directory groups to assign role-based policies to users without requiring the roles to be populated on the FAM itself.
File activity monitoring vs. other technologies
At first glance, many security administrators ask, “Why do I need FAM? Doesn’t DLP do that?” While FAM products have much in common with their DLP counterparts, they do fill a distinctly different role in the enterprise. Here are a few of the major distinctions:
- FAM is targeted specifically at file stores. DLP products, on the other hand, only search for data in the process of leaving the organization.
- FAM may provide early warning of a user who is accumulating files for a large-scale theft and, in the case of technologies not monitored by your DLP implementation (these will vary depending upon your DLP product, but may include databases, desktops and Web applications), may be the only way to detect exfiltration.
- FAM products normally maintain an audit trail of all access to the file store, while DLP products typically only log rule violations. The FAM audit trail may prove especially useful during incident investigations.
- DLP products, however, can detect information that is leaving the organization but is not being taken from an enterprise file store. Users may have copies of sensitive data stored in locations not monitored by FAM.
Vendors are starting to roll out FAM and DLP products that are tightly integrated. Expect to see more along these lines in the coming year as enterprises begin to demand solutions that can be easily monitored and correlated.
The bottom line: Do you need FAM?
While the FAM market is certainly in its early stages, it may be worthwhile to begin thinking about the role it could play in your security infrastructure. These products are especially well suited to industries where the protection of intellectual property is paramount. Government agencies and research and development organizations might find themselves good candidates for early adopter status, while the rest of us will probably sit on the sidelines to see how the market evolves.
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.
This was first published in September 2011