The role of file auditing in compliance

At the core of any compliance mandate is the desire to keep protected data secure, only allowing access to those who need it for business reasons. To both know and demonstrate that this is the case for your organization’s protected data, it requires visibility into who has access, who is using access, and what actions are being taken upon protected data.

The challenge to meet compliance objectives

Nothing is more confusing than trying to meet compliance objectives. They are generally written to apply to any operating system, any network, and any infrastructure. While it makes sense that it’s impractical to write standards that apply specifically to the way your organization operates, authors have had to be more technically specific in recent years to hone in on what’s required of regulated businesses.

Most compliance standards revolve around a particular protected data set (health records, credit card details, personal information, and more), guiding both optional and mandatory controls used to ensure proper access to, and usage of, that data.

Some standards remain “ancient” by IT standards, being even a few years old. With controls as unhelpful as “establish and maintain levels of security”, it’s no wonder IT organizations are left wondering if they’re meeting the requirement or not. The best examples of compliance mandates with easily applicable standards are the Payment Card Industry Data Security Standard (PCI DSS) v3.0 and the European Union’s forthcoming General Data Protection Regulation (GDPR).

But even with well-written standards, there’s still no way for the author to know exactly where each organization is storing its protected data. Thus, the standards, while written with technical specifications around the use of encryption, authentication methods, levels of access, and more, still require IT to determine the best way to ensure the intent of the standard is met.

Where’s your protected data?

To determine how to tactically best meet a given compliance standard, IT needs to look at what systems, applications, and platforms are used to store protected data.

Many Windows-based networks continue to host protected data server-based file systems, making these servers a primary target for external attackers resolved to exfiltrate data. And for those of you keeping protected data within a database, keep in mind those databases, at the end of the day, are still files – files that can be stolen and accessed offsite.

And, that’s where file auditing comes into play.

Defining file auditing

Let’s first look at what capabilities should be a part of file auditing that can apply to both native Windows tools, as well as third-party Windows file monitoring and auditing solutions.

1. Logging: All access and changes to files and folders, including data and permissions should be logged.

2. Visibility: All audit log data should be easily accessible to be reviewed, filtered, searched, etc.

3. Alerting: Notifications should be sent based on matching criteria to actions deemed suspect.

4. Reporting: This gets a bit tricky, but even native tools can export log data. So, even if it’s not pretty, the ability to generate sharable “reports” should be a part of file auditing.

In many cases, compliance requirements establish the security objective and then provide detail on how to test that the objective is being met. File auditing is your testing method to ensure the security you think you have around your protected data is doing its job.

So, how can you use file auditing to help meet your compliance objectives?

Using file auditing in compliance

The activity detail collected and monitored, as part of ongoing file auditing, is useful to meet several kinds of compliance objectives. Because this paper is not being written to demonstrate file auditing’s application to a specific mandate, let’s cover four generic use cases, discussing the role File Auditing plays in each.

1. Monitor assignment of secure access controls

Nearly every compliance mandate starts with putting protection in place around files containing protected data. Tactically this includes scrutinizing the establishment and assignment of least privilege permissions to users and groups. Are the permissions assigned correct for the job function/role? Is the right user or group being chosen during assignment? Is the user making the change approved to do so?

Note: At a time where external attackers seek to enjoy the maximum access possible within your network, one of the many possible steps taken is to create multiple users and assign them elevated permissions. This is done to ensure a level of persistent access within the network – should one account be discovered, there are 20 more accounts behind it the attacker can utilize.

The role of file auditing

File Auditing monitors changes – and attempted changes - to file or folder permissions, usually documenting what permissions have been changed, the object path, the user making the assignment, and other identifiable factors like machine name, IP address, etc. Alerting and reporting on changes made can provide both real-time and historical detail.

2. Monitor access to and usage of protected data

Compliance is not a destination; it’s a continual journey where each day IT must be certain its environment remains compliant. Therefore, IT needs to have constant visibility into what protected data is being accessed, by whom, when, from where, etc. This real-time information is absolutely necessary to remain vigilant against inappropriate access by malicious insiders and external attackers leveraging compromised credentials.

Additionally, some auditors like to follow the audit trail beginning with those that have access all the way down to being shown specifically what actions were taken with the access provided. To provide this information, a historical record of all activity is required to satisfy auditor requirements.

The role of file auditing

File auditing detail is used to demonstrate only approved access has occurred. Alerting and reporting can provide both real-time and historical detail - including identifiable factors like machine name, IP address, etc. Robust filtering capabilities help quickly answer the questions posed by auditors.

3. Measuring access control strength

It’s not unusual for IT to allow Active Directory to organically evolve on its own. Rarely are group memberships attested to, permissions even less so, and nested group memberships checked – all resulting in 71% of users stating they are over-permissioned and have access to data they should not see.

So, when it comes to assigning access controls, it’s possible that users who aren’t intentionally supposed to have access, actually do. And, given the need for least privilege in an environment housing protected data, it makes sense to identify which users are attempting access.

The role of file auditing

File Auditing can provide details of user accounts that have taken steps to access protected data, documenting the actions taken and the files and folders impacted. This can be cross-referenced with the intended security controls to ensure they are correct.

4. Detect breaches

While no organization wants to experience a data breach (and, therefore, a breach of compliance in the case of protected data being stolen), it remains a definite possibility. Should protected data reside on a file server, obvious leading indicators of a breach will exist. Abnormalities in file activity will occur such as nonstandard access times or large amounts of data accessed.

The role of file auditing

By watching the access and usage of protected data on file servers, it’s possible to detect a data breach based on unusual activity. The ability to analyze audit log data allows suspicious actions to be spotted, notifying IT of a potential breach and ensuring a quick reaction when necessary.

When to evaluate a third-party solution vs. native Windows file auditing

Unless you’re new to IT, you already know the ability to audit Windows file systems has been an integrated component of the Windows Server operating system for the last 20 years. The Event Viewer tool provides functionality to centralize, view, filter, and sort file audit data. It even has a rudimentary ability to set up notifications.

So, why use a third-party file auditing solution?

The answer lies in the gaps in functionality, performance, and detail available with native Windows tools.

You need intelligence and insights more than just information

The native log data provides all the detail needed. In fact, many third-party solutions simply leverage the very same detail you can find in Event Viewer. But Microsoft isn’t in the auditing business, and so the log data is nothing but raw information.

For example, the moving of files from one partition to another takes up between 6-10 event entries and is seen as a copy and a delete – not a “move.” Third-party solutions turn information into intelligence, figuring out those 10 or so events are actually a single event, and display or alert on it as such.

Additionally, some solutions don’t just stop with intelligence; they analyze patterns of activity, looking for anything out of the ordinary, taking intelligence, and turning it into insight – empowering IT to make decisions around whether activity is appropriate or not, whether they are compliant or not, and what actions they need to take next.

You need (lots) more functionality

We previously mentioned “Microsoft isn’t in the auditing business," and it’s true. They provide tools for those that only need the most basic of functionality. Third-party solutions focus on automating much of the auditing work, with augmented capabilities around collection, consolidation, presentation, searching, filtering, alerting, reporting, and even task automation.

All of these enhanced capabilities increase IT productivity, speeding up the auditing process, and assisting with improving the overall security of your protected data.

You need an easy-to-use, audit-ready solution

Unlike native tools, which simply address the task of consolidating and presenting event data, 3^rd-party solutions are purpose-built, improving the audit experience by focusing on the specific needs around compliance audits, the use of solutions by IT and auditors alike, and the detail necessary to ensure compliance.

Being easy to use and intuitive, monitoring can even be delegated to non-IT colleagues who hold a better understanding of data across their business line. This helps ensure more effective auditing system.