IS Decisions Blog

File monitoring: A data breach detection & prevention tool

Your file system is either a target or an asset for malicious activity. That’s what makes security at file access, and a data breach detection and prevention tool, so important. Put file monitoring in place, and you’ll be in a better position to identify bad actors and stop a data breach.

Updated Jan 17, 2018

Your sensitive enterprise data needs protection from improper access, potential theft, alteration, or deletion. To do that, you need effective file monitoring software so IT can detect, respond to, and even stop suspicious activity quickly.

In this article, you’ll learn about:

  • The role of file monitoring in a data breach

  • How to detect a data breach with file monitoring

  • How to stop a data breach with file monitoring

  • How FileAudit's file monitoring software helps prevent a data breach

The role of file monitoring in data breaches today

External attacks are responsible for over 80% of data breaches. Cyber-criminal organizations focus on the highest payout possible. So the motivation behind breaching your organization's security is to get at your data. And once they exfiltrate hundreds of thousands of records containing credentials, personal information, or health data to be sold on the black market, it's payday.

In 2023, over 5 billion records were breached as part of publicly-known data breaches.

While that seems like a big number, it is only the documented number of exposed records; the vast majority of breaches are reported with an unknown number of exposed records. What makes this criminal activity more daunting is the fact that most data exfiltrations happen in minutes, while the discovery of data breaches can take months or years.

IT needs a simple way to detect inappropriate access and activity quickly to avoid becoming a data breach statistic.

Where does your data live?

Across almost all industry verticals, servers remain the primary asset of choice for attacks. This gives you a clear signal as to where to place your preventative and protective efforts.

When it boils down, attackers are looking for one thing: files. Files that contain data of value, including:

  • Credit card or bank details

  • Personal health information (PHI)

  • Personally identifiable information (PII)

  • Trade secrets of corporations

  • Intellectual property

  • Credentials

Depending on the business processes of the organizations under attack, this data can live in databases, office documents, files used as part of data transfer operations, and more, making files (and, therefore, file access) the focus of a data breach.

But, is accessing files as simple as making a copy?

The role of files in a data breach

There are two distinct roles files play in the data breach process.

  1. The first of these is very obvious. Attackers copy your files (which can be databases) containing data of value and transfer them externally using some form of file transfer. This is known as exfiltration.

  2. The second, and somewhat forgotten, is the manipulation of operating system files and file systems to provide access to a given endpoint. Malware used to gain initial access to an endpoint often places (and, in some cases, replaces) files that are called upon bootup to maintain persistence. Additionally, attackers use certain techniques that involve copying, replacing, and renaming files to provide access to additional endpoints. All this helps them facilitate lateral movement within your network.

You may be thinking you need a complex set of security solutions to identify and protect against a data breach: endpoint detection, firewalls, vulnerability protection, data loss prevention, SIEM solutions, and more. And all of these are important in an overall security strategy.

But, at the end of the day, the file system will be used as either a target or an asset to further malicious activity, making file monitoring a key part of your data breach security strategy.

How to leverage file monitoring to help spot and stop a data breach?

At its core, file monitoring is simply the logging of every action taken against the file system. File access events such as copy, move, read, delete, as well as changes to names, permissions, and ownership all can be logged, analyzed, and reported on. This is the cornerstone of the value of file monitoring in a data breach situation.

Note that because file monitoring usually exists as an operating-system-level exercise (that is, the audit log data is processed and provided as individual acts as the OS sees them), the intelligence needed to see multiple file activities as a single action normally requires the use of third-party file monitoring solutions.

There are two points during a data breach where file monitoring can play a role: detecting the breach and stopping it.

How to detect a data breach with file monitoring

A majority of data breaches are not discovered until long after the breach activity is over. With that in mind, the obvious goal is to reduce the time it takes an organization to identify a breach.

Despite claims by security solutions to identify data breaches, two simple truths apply to any exfiltration that involves lateral movement within the organization:

  1. The attacker MUST log on (that is, authenticate) at some point.

  2. The attacker MUST access an endpoint’s file system.

While the logon is a key indicator of compromise, file access is the leading indicator of real-time breach activity. This makes file monitoring a critical part of your data breach protection strategy.

So, what should you look for in a data breach detection & prevention tool like file monitoring software?

Look for signs of abnormal file access activity

In short, look for abnormal file activity. What does that mean for your organization? To figure that out, you'll need to look at the regular patterns of access around files with valuable data.

The same user accounts usually access the same files, with the same regularity, during the same periods of day and days of the week, and from the same systems. So, you should raise the red flag for any file access outside these patterns.

Some of the unusual file activity you'll want to look for includes:


Are files being accessed multiple times more than is normal? An unsure insider having second thoughts about stealing data may make several access attempts before finally taking data.


Normal user access can likely revolve around an average daily use. The presence of a mass copying or bulk deletion or movement of data is worth looking into.


A user accessing data at 10pm on Friday night who normally only accesses files Monday - Friday during business hours seems suspect.

Endpoint/IP Address

Access from a machine outside the company network, or one that doesn’t normally access a given set of files can be a clear sign of improper use.

Permission changes

Attackers like to ensure persistence, both on endpoints and to data. The reassignment of permissions to accounts (recently created ones in particular) is a tactic regularly used.


Attackers may use their own tools to exfiltrate data, so seeing processes other than Explorer, Word, etc. accessing files can indicate a problem.

File monitoring, combined with the ability to alert IT and security teams to suspicious file access activity, can easily put proper attention on what may equate to a data breach.
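The checks listed above can be expressed as a comparison against a per-user baseline. The following is an added example, not code from the article or from FileAudit: the event tuples, host names, process names and the `volume_factor` threshold are constructed assumptions, and a real deployment would read these fields from its audit log source.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit events: (ISO time, user, source host, process, path).
BASELINE = [
    ("2024-03-04T09:15:00", "alice", "WS-012", "WINWORD.EXE", r"\\fs01\finance\q1.docx"),
    ("2024-03-05T14:02:00", "alice", "WS-012", "EXCEL.EXE", r"\\fs01\finance\budget.xlsx"),
    ("2024-03-06T10:40:00", "alice", "WS-012", "explorer.exe", r"\\fs01\finance\q1.docx"),
    ("2024-03-06T16:20:00", "alice", "WS-012", "EXCEL.EXE", r"\\fs01\finance\budget.xlsx"),
]
NEW = [
    ("2024-03-07T11:05:00", "alice", "WS-012", "EXCEL.EXE", r"\\fs01\finance\budget.xlsx"),
    ("2024-03-08T22:03:00", "alice", "LT-UNKNOWN", "archiver.exe", r"\\fs01\finance\q1.docx"),
]

def build_profile(events):
    """Learn each user's usual hours, hosts, processes and busiest day."""
    prof = defaultdict(lambda: {"hours": set(), "hosts": set(), "procs": set(), "daily": Counter()})
    for ts, user, host, proc, _path in events:
        t = datetime.fromisoformat(ts)
        p = prof[user]
        p["hours"].add(t.hour)
        p["hosts"].add(host)
        p["procs"].add(proc.lower())
        p["daily"][t.date()] += 1
    return prof

def find_anomalies(events, prof, volume_factor=3):
    """Return (event, reasons) for every event that breaks the learned pattern."""
    seen_today, flagged = Counter(), []
    for ev in events:
        ts, user, host, proc, _path = ev
        t, p = datetime.fromisoformat(ts), prof.get(user)
        if p is None:                       # account never seen during baselining
            flagged.append((ev, ["no baseline"]))
            continue
        reasons = []
        if not min(p["hours"]) <= t.hour <= max(p["hours"]):
            reasons.append("time")          # outside the user's usual hours
        if host not in p["hosts"]:
            reasons.append("endpoint")      # machine the user has not used before
        if proc.lower() not in p["procs"]:
            reasons.append("process")       # program the user has not used before
        seen_today[(user, t.date())] += 1
        if seen_today[(user, t.date())] > volume_factor * max(p["daily"].values()):
            reasons.append("volume")        # far more accesses than the busiest day
        if reasons:
            flagged.append((ev, reasons))
    return flagged
```

Running `find_anomalies(NEW, build_profile(BASELINE))` flags only the Friday 22:03 event, with the reasons `time`, `endpoint` and `process`.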

But spotting a breach even minutes after it has occurred may be a case of too little, too late. What IT organizations most need is the ability to stop a breach before damage is done.

How to stop a data breach with file monitoring

For IT to stop a breach, we first need to look at file share monitoring as a typically reactive exercise. As with any monitoring, an action in question must be taken, the operating system (OS) must log the activity, and the monitoring solution must trigger an alert based on the already-past action. So, it initially stands to reason that file monitoring can’t stop a data breach.

Or can it?

There is one clear way to stop a breach. Detect it before the actual data theft takes place. Sounds easy enough. And there are ways file monitoring can help stop a data breach, but it involves changing IT’s thinking about how they go about file monitoring.

So, how can IT use file monitoring to stop a data breach?

For the IT team, it starts with a mindset shift around file monitoring from a reactive to proactive security measure. This shift usually involves three steps:

  1. React to activity with an automated response: In addition to threat identification and notifying administrators, something needs to happen to act on alerts. An immediate action, without waiting for an IT administrator to intervene, is best. For example, admins can program a script to run whenever a specific alert is triggered. This script can shut down a machine or log off a user. An organization is far better off running file monitoring solutions that offer automated responses in addition to threat identification and real-time notifications.

  2. Stop thinking about monitoring only critical files: Every IT organization does it. They identify the critical files and folders and configure file monitoring on those files and folders only. That’s like staring constantly at your one really expensive watch, unaware that someone is stealing everything else in your house. Once you realize those files have been accessed, it may be too late.

  3. Widen the file monitoring scope: Think like a hacker on this one. They don’t know where the “good data” is, so they’re going to be looking around a bit to identify data of value. Also, lateral movement activity (as previously mentioned) often requires the manipulation of OS files to provide the attacker proper access. File monitoring that looks at OS-specific files, as well as a broader spectrum of data files (not just the “important” ones) will help to identify an attacker potentially before they find your data of value.

By putting these three steps into play, you effectively change file monitoring from a reactive “they’ve already got our data” exercise, to one where IT gets a notification of any suspicious leading behavior (e.g., a user looking at many, many folders they normally don’t look at). This empowers IT to temporarily (and automatically) disable the account and, well, stop the data breach before it happens.
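The "many folders they normally don't look at" signal, tied to an automated response, can be sketched as a sliding-window counter. This is an added example, not code from the article or from FileAudit: the `BreadthMonitor` class, its `limit` and `window` defaults, and the `respond` callback (a stand-in for disabling the account or logging the user off) are hypothetical, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

def folder_of(path):
    """Normalise a file path to its lower-cased parent folder."""
    return str(PureWindowsPath(path).parent).lower()

class BreadthMonitor:
    """Counts distinct unfamiliar folders per user inside a sliding window."""

    def __init__(self, known, respond, limit=3, window=timedelta(minutes=10)):
        self.known = known          # user -> folders seen during baselining
        self.respond = respond      # automated action, called once per user
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)   # user -> (time, folder) pairs
        self.contained = set()

    def observe(self, ts, user, path):
        """Feed one access event; return True if it triggered the response."""
        t, folder = datetime.fromisoformat(ts), folder_of(path)
        if user in self.contained or folder in self.known.get(user, set()):
            return False
        q = self.recent[user]
        q.append((t, folder))
        while t - q[0][0] > self.window:    # drop events older than the window
            q.popleft()
        distinct = sorted({f for _, f in q})
        if len(distinct) < self.limit:
            return False
        self.contained.add(user)            # respond once, then stop counting
        self.respond(user, distinct)
        return True

def run_demo():
    actions = []    # stand-in for a real response such as disabling the account
    known = {"bob": {folder_of(r"\\fs01\sales\leads.xlsx")}}
    mon = BreadthMonitor(known, lambda u, f: actions.append((u, f)))
    events = [      # constructed sample events
        ("2024-03-08T19:00:00", "bob", r"\\fs01\sales\leads.xlsx"),
        ("2024-03-08T19:01:00", "bob", r"\\fs01\hr\payroll\2024.xlsx"),
        ("2024-03-08T19:02:00", "bob", r"\\fs01\finance\budget.xlsx"),
        ("2024-03-08T19:03:00", "bob", r"\\fs01\legal\contracts\nda.docx"),
    ]
    fired = [mon.observe(*e) for e in events]
    return fired, actions
```

In the demo the response fires on the third unfamiliar folder, before any alert about a specific "critical" file would have been raised.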

Get a handle on data breaches with file monitoring

It’s simple logic: attackers determined to steal data must first access the files they want to steal.

It’s like your server’s most precious files are sitting in one of those clear bulletproof glass boxes in the middle of a large gallery with a light shining down on it. You know exactly where the thief needs to strike. But you want to catch the thief before they ever reach the box, so you need to watch the entire room.

File monitoring, when done correctly, can help IT to identify a data breach (watching the glass box) as well as potentially stop a breach (watching the room). Granted, that will require some changes in the way IT approaches file monitoring as part of a data breach security strategy. And if your files live in Windows file servers or in cloud storage, you'll also need a third-party file monitoring solution to provide the centralized monitoring and analysis of file activity data necessary to quickly and intelligently identify and report on potential breach activity.
