Solved

Network Monitoring

Posted on 2014-04-08
14
313 Views
Last Modified: 2014-07-22
I am looking for recommendations for something I'm not sure exists. I want a one stop shop application that will allow me to:

1) Monitor outside threats (i.e. attacks on our network)

2) Be able to keep track of what documents people are opening and what they are downloading to their laptops. We are on a Windows 2008 Active Directory domain. Our employees have access to thousands of names, addresses and SS#'s. While they are told this data should never be stored on their laptops, I am looking for a way to ensure that they don't. For example, someone downloads a list of names and SS#'s from our SQL database and exports it to Excel; is there any way for me to know when that happens?

This is probably not possible but thought I would ask.

Thanks.
Question by:clifford_m71
14 Comments
 
LVL 17

Assisted Solution

by:Spartan_1337
Spartan_1337 earned 167 total points
Imperva will most definitely help prevent the data theft you are referring to. All of those items you listed, it does when it comes to file/SQL security and auditing.

http://www.imperva.com/index.html

There is no one box solution for external attacks but any NextGen firewall will help in that case.
Palo Alto, SourceFire, CheckPoint, TippingPoint.
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
There are applications that can do that of course.

Here is an example.
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 166 total points
You are asking about DLP more than anything, and what it catches is people doing stupid things; it does not catch someone doing something more purposefully. If someone wants to get the data out, they probably can. But it is nice to get a demo of these products and find out the dumb things people are doing. You may only need the demo or PoC evaluation to do it:
http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf
I do not agree with this magic quadrant, I think Fidelis found more issues for us than Symantec did, and we tried 3 others, not worth mentioning.

Most of our data is in a DB, so file-based solutions don't help us much; we have tight controls on the DB and its logging. If you want file access logging, look at Varonis; they are pretty good, but you probably shouldn't have data that valuable sitting in shares... but a tool like Varonis can help you manage that much better than Windows itself can. There is a free DLP that is pretty nice, esp. for free:
http://code.google.com/p/opendlp/ (it's just not being worked on much anymore)

As to number 1, don't monitor the outside fully; you want to monitor the inside, so if an attack succeeds you will know for sure. You can try something like a Web Application Firewall or an IPS to try to reset any threatening connections, but they are not 100% and often rely on signatures that can be bypassed with a little padding or stream fragmentation. Again, you can get a demo from Breach, Imperva, Sourcefire and other WAF/IPS providers to see what's outside your network.
-rich
 
LVL 26

Expert Comment

by:skullnobrains
If you don't want data to leak from your DB, a good start would be to provide access to the DB from diskless machines with no external media support, no internet access and no printers.

Every DLP software I ever came across is trivial to bypass, even for non-technical users.

Limiting and auditing queries on the database should also let you know that someone is trying to export stuff before they actually compile a file.

---

As far as outside threats are concerned, your existing firewall probably has a module to do that. Anyway, it's quite a loss of time: all hosts are under dumb automated attacks like 99% of the time. Better focus on achieving proper security and monitor attacks on services that you provide to the WAN.
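One way to act on the "limiting and auditing queries" point above, as an added example that is not from this thread or from any product named in it: a small Python check over database audit records that flags a single bulk read of a sensitive table and also the same export done in small slices over an hour. The table names, thresholds and audit rows are constructed assumptions, not values from the original question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (placeholders, not from the thread): which tables hold the
# names/addresses/SS#'s, and what counts as "bulk" in this environment.
SENSITIVE_TABLES = {"customers", "employees"}
PER_QUERY_LIMIT = 500           # rows from a sensitive table in one statement
WINDOW = timedelta(hours=1)     # slices pulled by one login are summed over this
WINDOW_LIMIT = 1500

# Constructed audit records: (ISO timestamp, login, statement, rows returned),
# the fields a SQL Server audit or trace export would give you.
AUDIT = [
    ("2014-04-08T09:00:00", "CORP\\alice", "SELECT name, ssn FROM dbo.Customers WHERE id = 42", 1),
    ("2014-04-08T09:05:00", "CORP\\bob",   "SELECT * FROM dbo.Customers", 48210),
    ("2014-04-08T09:06:00", "CORP\\bob",   "SELECT * FROM dbo.Products", 90000),
    ("2014-04-08T09:10:00", "CORP\\carol", "SELECT TOP 400 * FROM dbo.Customers", 400),
    ("2014-04-08T09:20:00", "CORP\\carol", "SELECT TOP 400 * FROM dbo.Customers WHERE id > 400", 400),
    ("2014-04-08T09:25:00", "CORP\\dave",  "SELECT c.ssn FROM dbo.Orders o JOIN dbo.Customers c ON o.cid = c.id", 12000),
    ("2014-04-08T09:30:00", "CORP\\carol", "SELECT TOP 400 * FROM dbo.Customers WHERE id > 800", 400),
    ("2014-04-08T09:40:00", "CORP\\carol", "SELECT TOP 400 * FROM dbo.Customers WHERE id > 1200", 400),
]

# Table names after FROM/JOIN, with an optional schema prefix such as "dbo.".
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+(?:\w+\.)?(\w+)", re.IGNORECASE)

def sensitive_tables_in(statement):
    """Return the sensitive tables a statement reads (empty set if none)."""
    return {t.lower() for t in TABLE_RE.findall(statement)} & SENSITIVE_TABLES

def find_bulk_reads(records):
    """Return (login, kind, rows, tables) alerts for bulk or sliced sensitive reads."""
    alerts = []
    recent = defaultdict(list)      # login -> [(time, rows)] inside WINDOW
    for ts, login, statement, rows in records:
        tables = sensitive_tables_in(statement)
        if not tables:
            continue                # Products etc. are not our concern here
        now = datetime.fromisoformat(ts)
        recent[login] = [(t, r) for t, r in recent[login] if now - t <= WINDOW]
        recent[login].append((now, rows))
        total = sum(r for _, r in recent[login])
        if rows > PER_QUERY_LIMIT:  # one big SELECT, e.g. a whole-table export
            alerts.append((login, "single query", rows, sorted(tables)))
        elif total > WINDOW_LIMIT:  # the same export done in small slices
            alerts.append((login, "chunked export", total, sorted(tables)))
    return alerts
```

Fed the constructed records, it reports bob's whole-table pull, dave's join that reads SSNs through another table, and carol's sliced export once her hourly total passes the limit; tuning the thresholds to the real query profile is what keeps it from paging on normal use.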
 
LVL 10

Expert Comment

by:Schuyler Dorsey
Palo Alto firewalls will perform this.

It has a built-in IPS which includes exploits, AV and AS. It has file monitoring so you can have it record every file going in and out of your network. You can also create dynamic file policies, e.g. block JAR files at the perimeter.

It also has WildFire so it can run MS Office files, Java files and PDFs inside a Windows XP/Windows 7 VM to see if the file does anything malicious.
 
LVL 10

Expert Comment

by:Schuyler Dorsey
Palo Alto also has DLP-lite built in.
 
LVL 26

Expert Comment

by:skullnobrains
I have nothing against Palo Alto, which is a great product, but I cannot stress enough how impossible this is.

Stick the file in a password-protected RAR, and there is no way to determine its type; export it as hex, and it is a binary; export it as PDF; copy-paste into a Word document, or directly into a mail body as an HTML table... Much worse, aggregate the first 2048 bytes of a picture and a huge Excel sheet and it magically turns into a picture (try it). Send an encrypted email with an attachment and say goodbye to file type detection... and that's far from exhaustive. Many users, many ideas.

Additionally, transferring over SSL also makes file detection impossible, meaning that secure access to Dropbox or Gmail is NOT monitorable and any user can do it. Who can afford to forbid all SSL traffic?

And Palo Alto does not protect from users with a USB key, floppy, camera, mobile phone... either.
 

Author Comment

by:clifford_m71
I apologize for taking so long to reply. I had other projects that took precedence. Thank you to everyone for the great information. I am aware that someone intent on getting our data will most likely find a way. I want to make that as difficult as possible but am more concerned with our own employees acting stupid or malicious and being able to monitor that.

Imperva looks like something that will work for us as far as monitoring our DB and file sharing.

For monitoring attacks I am going to work with our current firewall provider (we use WatchGuard) and purchase some of their add-on applications.

Thanks again for the advice and information and sorry again for the delay.
 
LVL 26

Accepted Solution

by:skullnobrains
skullnobrains earned 167 total points
Regarding 2):
Can't you make your DB accessible through something like a VNC or RDP connection with copy-paste disabled? This would at least prevent downloading whole chunks of the DB. (Obviously, retyping the whole thing or taking a number of screenshots would still be doable, but loooong.)
 

Author Comment

by:clifford_m71
I've requested that this question be deleted for the following reason:

We have decided not to spend the money on this. I therefore have not tested any of the solutions provided.
 

Author Closing Comment

by:clifford_m71
Even though we do not have the budget to move forward with this project at this time I appreciate the help. I have accepted multiple solutions because I believe they all offered some help.
 
LVL 38

Expert Comment

by:Rich Rumble
Have a look at OpenDLP just to get your "beak wet" when it comes to DLP: https://code.google.com/p/opendlp/
It's free :)
-rich