IS Decisions logo

IS Decisions Blog

File monitoring: A data breach detection & prevention tool

Your file system is either a target or an asset for malicious activity. That’s what makes security at file access so important. Put that in place, and you’ll be better-positioned to identify bad actors and stop a data breach.

Published January 17, 2018

Sensitive enterprise data needs protecting from improper access, potential theft, alteration or deletion. IT organizations need file monitoring software as a means by which to detect, respond to and even stop any inappropriate activity quickly.

In this article, you’ll learn about:

  • The role of files in a data breach

  • Spotting a data breach with file monitoring

  • Stopping a data breach with file monitoring

  • How FileAudit will help

Data breaches today

External attacks are responsible for over 80% of data breaches. With cyber-criminal organizations focused on the highest payout possible, the lure of exfiltrating hundreds of thousands of records containing credentials, personal information, or health data to be sold on the black market means the focus is on breaching your organization’s security and, ultimately, your data.

In 2023, over 5 billion records have been breached as part of publically-known data breaches. While that seems like a very large number, that’s only the documented known number of exposed records the vast majority of breaches are attributed with an unknown number of exposed records. What makes this criminal activity more daunting is the fact that most data exfiltrations are measured in minutes, while the discovery of data breaches is more often measured in terms of months or years.

IT organizations need a means by which to detect inappropriate access and activity quickly to avoid becoming a statistic.

Where does all this data reside?

In almost every industry vertical, servers remain the primary asset of choice for attacks, giving organizations a clear choice in where to place their preventative and protective efforts. When it boils down, attackers are looking for one thing: files. Files that contain data of value, which includes:

  • Credit card or bank details

  • Personal health information (PHI)

  • Personally identifiable information (PII)

  • Trade secrets of corporations

  • Intellectual property

  • Credentials

Depending on the business processes of the organizations being attacked, this data can reside in databases, office documents, files used as part of data transfer operations, and more making files (and, therefore, file access) the focus of a data breach.

But, is it as simple as making a copy?

The role of files in a data breach

There are two distinct roles files play in the data breach process.

  1. The first of these is very obvious the files (which can be databases) containing data of value are copied by attackers and are transferred externally by some form of file transfer. This is known as exfiltration.

  2. The second, and somewhat forgotten, is the manipulation of Operating System files and file systems to provide access to a given endpoint. Malware used to gain initial access to an endpoint often places (and, in some cases, replaces) files that are called upon bootup to maintain persistence. Additionally, certain techniques that involve the copying, replacing, and renaming of files are used to provide access to additional endpoints to facilitate lateral movement within your network.

You may be thinking you need a complex set of security solutions to identify and protect against a data breach endpoint detection, firewalls, vulnerability protection, data loss prevention, SIEM solutions and more (all, of which are important in an overall security strategy).

But, at the end of the day, the file system will be used as either a target or an asset to further malicious activity, making file monitoring a key part of your data breach security strategy.

How to leverage file monitoring to help spot and stop a Data Breach?

At its core, file monitoring is simply the logging of every action taken against the file system. Copies, moves, reads, deletes, as well as changes to names, permissions, and ownership all can be logged, analyzed, and reported on. This is the basis of its usefulness in a data breach situation.

It should be noted that because file monitoring usually exists as an Operating System level exercise (that is the audit log data is processed and provided as individual acts as the OS sees it), the intelligence needed to see multiple file activities as a single action normally requires the use of third party solutions.

There are two points within a data breach where file monitoring can play a role spotting the breach and stopping one.

Spotting a data breach with file monitoring

With a majority of data breaches not being discovered until well-after the breach activity has ceased, the obvious goal is to reduce the time it takes to identify a breach.

Despite claims by security solution to identify data breaches, two simple truths exist that apply to any exfiltration that involves lateral movement within the organization:

  1. The attacker MUST logon/authenticate at some point

  2. The attacker MUST access an endpoint’s file system

Logons can be viewed as a leading indicator of breach activity, with file access an indicator of present breach activity which makes file monitoring a viable part of your data breach protection strategy.

So, what should you be looking for?

Signs of abnormal file activity

In short, look for abnormal file activity. What that is, for your organization, needs to be determined by looking at the regular patterns of access around files with data of value. The same user accounts will largely access the same files, with the same regularity, during the same periods of day and days of week, from the same systems so anything outside this should be considered potential red flags.

Some of the unusual activity aspects you should be looking for include:


Are files being accessed multiple times more than is normal? An unsure insider having second thoughts about stealing data may make several access attempts before finally taking data.


Normal user access can likely revolve around an average daily use. The presence of a mass copying or bulk deletion or movement of data is worth looking into.


A user accessing data at 10pm on Friday night who normally only accesses files Monday - Friday during business hours seems suspect.

Endpoint/IP Address

Access from a machine outside the company network, or one that doesn’t normally access a given set of files can be a clear sign of improper use.

Permission changes

Attackers like to ensure persistence, both on endpoints and to data. The reassignment of permissions to accounts (those recently created in specific) is a tactic regularly used.


Attackers may use their own tools to exfiltrate data, so seeing processes other than Explorer, Word, etc. accessing files can indicate a problem.

File monitoring, mixed with an ability to alert IT and security teams of the presence of suspicious file access activity can easily put proper attention on what may equate to a data breach.

Alert abnormal file activity

But spotting a breach even minutes after it has occurred may be a case of too little, too late. What IT organizations most need is the ability to stop a breach before damage is done.

Stopping a data breach with file monitoring

To get to a place where IT is stopping a breach, we first need to look at file share monitoring as a, typically, reactive exercise. As with any monitoring, an action in question must be taken, the OS must log the activity, and the monitoring solution must trigger an alert based on the already-occurred action. So, it initially stands to reason that file monitoring can’t stop a data breach.

Or can it?

There is one clear way to stop a breach – spot it before the actual data theft takes place. Sounds easy enough. And there are ways file monitoring can help stop a data breach, but it involves changing IT’s thinking about how they go about file monitoring.

So, what can IT do to leverage file monitoring to stop a data breach?

Changing file monitoring from a reactive to proactive security measure involves three steps:

  1. React to activity with an automated response: In addition to threat identification and notifying administrators, something needs to happen to act on alerts. An immediate action, without waiting for an IT administrator to intervene is preferred. For example, a script that can be run whenever a specific alert is triggered; to shut down a machine, or logoff a user off. An organization is far better off running and monitoring solutions that offer automated responses in addition to threat identification and real-time notifications.

    Alert execution script
  2. Stop thinking about monitoring only critical files: Every IT organization does it: they identify the critical files and folders and configure file monitoring on those files and folders only. That’s like staring constantly at your one really expensive watch, unaware that someone is stealing everything else in your house. Once you’re informed those files have been accessed, it may be too late.

  3. Start widening the monitoring scope: Think like a hacker on this one. They don’t know where the “good data” is, so they’re going to be looking around a bit to identify data of value. Additionally, lateral movement activity (as previously mentioned) often requires the manipulation of OS files to provide the attacker proper access. File monitoring that looks at OS-specific files, as well as a broader spectrum of data files (not just the “important” ones) will help to identify an attacker potentially before they find your data of value.

By putting these three steps into play, you effectively change file monitoring from a reactive “they’ve already got our data” exercise, to one where IT gets a notification of any suspicious leading behavior (e.g., a user looking at many, many folders they normally don’t look at), empowering IT to temporarily (and automatically) disable the account and ... well, stop the data breach before it happens.

Get a handle on data breaches ... before and after they happen

It’s a simple fact: those determined to steal data must access the files they wish to steal. It’s like your server’s most precious files are sitting in one of those clear bulletproof glass boxes in the middle of a large gallery with a light shining down on it. You know exactly where the thief needs to strike. But you want to catch the thief before they ever reach the box, so you need to watch the entire room.

File monitoring when done correctly can be used to both identify a data breach (watching the glass box) as well as to potentially stop a breach (watching the room). It will require some changes in the way IT approaches the use of file monitoring as part of a data breach security strategy, as well as the use of a third-party solution to provide the centralized monitoring and analysis of file activity data necessary to quickly and intelligently identify and report on potential breach activity.

Try FileAudit for free

3000+ organizations like yours use FileAudit to protect data, prevent ransomware and meet compliance requirements.

Download a free trial