Solved

Network Monitoring

Posted on 2014-04-08
Last Modified: 2014-07-22
I am looking for recommendations for something I'm not sure exists. I want a one stop shop application that will allow me to:

1) Monitor outside threats (i.e. attacks on our network)

2) Be able to keep track of what documents people are opening and what they are downloading to their laptops. We are on a Windows 2008 Active Directory domain. Our employees have access to thousands of Names, Addresses and SS#'s. While they are told this data should never be stored on their laptops, I am looking for a way to ensure that they don't. For example, someone downloads a list of names and SS#'s from our SQL database and exports it to Excel; is there any way for me to know when that happens?

This is probably not possible but thought I would ask.

Thanks.
Question by:clifford_m71
14 Comments
 
LVL 17

Assisted Solution

by:James H
James H earned 668 total points
ID: 39985996
Imperva will most definitely help prevent the data theft you are referring to. It does all of the items you listed when it comes to file/SQL security and auditing.

http://www.imperva.com/index.html

There is no one box solution for external attacks but any NextGen firewall will help in that case.
Palo Alto, SourceFire, CheckPoint, TippingPoint.
0
 
LVL 17

Expert Comment

by:Sikhumbuzo Ntsada
ID: 39986020
There are applications that can do that of course.

Here is an example.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 664 total points
ID: 39987035
You are asking about DLP more than anything, and what it catches is people doing stupid things; it does not catch someone doing something more purposefully. If someone wants to get the data out, they probably can. But it is nice to get a demo of these products and find out the dumb things people are doing. You may only need the demo or PoC evaluation to do it:
http://www.computerlinks.de/FMS/22876.magic_quadrant_for_content_aware_data_loss_prevent.pdf
I do not agree with this magic quadrant; I think Fidelis found more issues for us than Symantec did, and we tried 3 others, not worth mentioning.

Most of our data is in a DB, so file-based solutions don't help us much; we have tight controls on the DB and its logging. If you want file access logging, look at Varonis, they are pretty good, but you probably shouldn't have data that valuable sitting in shares... but a tool like Varonis can help you manage that much better than Windows itself can. There is a free DLP that is pretty nice, especially for free:
http://code.google.com/p/opendlp/ It's just not being worked on much anymore.

As to number 1, don't monitor the outside fully; you want to monitor the inside, so if an attack succeeds you will know for sure. You can try something like a Web Application Firewall or an IPS to try to reset any threatening connections, but they are not 100% and often rely on signatures that can be bypassed with a little padding or stream fragmentation. Again, you can get a demo from Breach, Imperva, Sourcefire and other WAF/IPS providers to see what's outside your network.
-rich
0

 
LVL 27

Expert Comment

by:skullnobrains
ID: 39991225
If you don't want data to leak from your DB, a good start would be to provide access to the DB from diskless machines with no external media support, no internet access and no printers.

Every DLP software I ever came across is trivial to bypass, even for non-technical users.

Limiting and auditing queries on the database should also let you know that someone is trying to export stuff before they actually compile a file.

---

As far as outside threats are concerned, your existing firewall probably has a module to do that. Anyway, it's quite a waste of time: all hosts are under dumb automated attacks like 99% of the time. Better focus on achieving proper security and monitor attacks on services that you provide to the WAN.
0
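One way to act on the "limit and audit queries" advice above, as an added example that is not from the thread: a small Python scan over constructed SQL audit log lines that flags a single bulk pull of the sensitive table and also totals per-login reads to catch an export taken in small chunks. The pipe-separated log layout, the table name and both thresholds are assumptions, not any product's real format.

```python
"""Flag bulk reads of sensitive tables in SQL audit log lines (constructed sample)."""
import re
from collections import defaultdict

# Constructed sample log: the pipe-separated layout is assumed, not any product's real format.
# Fields: timestamp | login | client host | rows returned | statement
SAMPLE_AUDIT_LOG = r"""
2014-04-08T09:12:01 | CORP\jdoe | WS-114 | 1 | SELECT name, ssn FROM customers WHERE id = 4412
2014-04-08T09:15:44 | CORP\jdoe | WS-114 | 18342 | SELECT name, address, ssn FROM customers
2014-04-08T09:16:10 | svc_billing | APP-01 | 500 | SELECT id, balance FROM invoices WHERE due < '2014-05-01'
2014-04-08T09:20:03 | CORP\asmith | WS-207 | 900 | SELECT name, ssn FROM customers WHERE id BETWEEN 1 AND 900
2014-04-08T09:21:30 | CORP\asmith | WS-207 | 900 | SELECT name, ssn FROM customers WHERE id BETWEEN 901 AND 1800
2014-04-08T09:22:51 | CORP\asmith | WS-207 | 900 | SELECT name, ssn FROM customers WHERE id BETWEEN 1801 AND 2700
"""

SENSITIVE_TABLES = {"customers"}   # tables holding names, addresses and SSNs
PER_QUERY_THRESHOLD = 1000         # assumed: no routine lookup needs this many rows
PER_LOGIN_THRESHOLD = 2500         # assumed: cumulative rows per login worth a look

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \| (?P<login>[^|]+?) \| (?P<host>[^|]+?) \| (?P<rows>\d+) \| (?P<sql>.+)$")
FROM_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.IGNORECASE)

def parse_line(line):
    """Return one audit record as a dict, or None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rows"] = int(rec["rows"])
    rec["tables"] = {t.lower() for t in FROM_RE.findall(rec["sql"])}
    return rec

def sensitive_records(log_text):
    """Parsed records whose statement reads at least one sensitive table."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [r for r in recs if r and r["tables"] & SENSITIVE_TABLES]

def find_bulk_reads(log_text):
    """Single statements that pulled PER_QUERY_THRESHOLD or more rows of sensitive data."""
    return [r for r in sensitive_records(log_text) if r["rows"] >= PER_QUERY_THRESHOLD]

def find_chunked_readers(log_text):
    """Logins whose sensitive reads add up to PER_LOGIN_THRESHOLD or more rows,
    even when every single query stayed small (an export pulled out in pieces)."""
    totals = defaultdict(int)
    for r in sensitive_records(log_text):
        totals[r["login"]] += r["rows"]
    return {login: n for login, n in totals.items() if n >= PER_LOGIN_THRESHOLD}
```

On the sample, only jdoe's 18342-row statement trips the per-query check, while the per-login total also surfaces asmith's three 900-row pulls that each stayed under the limit.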
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39995369
Palo Alto firewalls will perform this.

It has a built-in IPS which includes exploits, AV and AS. It also has file monitoring, so you can have it record every file going in and out of your network. You can also create dynamic file policies, e.g. block JAR files at the perimeter.

It also has WildFire, so it can run MS Office files, Java files and PDFs inside a Windows XP/Windows 7 VM to see if the file does anything malicious.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39995371
Palo Alto also has DLP-lite built in.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39995768
I have nothing against Palo Alto, which is a great product, but I cannot stress enough how impossible this is.

Stick the file in a password-protected RAR, and there is no way to determine its type; export it as hex, and it is a binary; export it as PDF; copy-paste into a Word document, or directly into a mail body as an HTML table... Much worse, aggregate the first 2048 bytes of a picture and a huge Excel sheet and it magically turns into a picture (try it). Send an encrypted email with an attachment and say goodbye to file type detection... and that's far from exhaustive. Many users, many ideas.

Additionally, transferring over SSL also makes file detection impossible, meaning that secure access to Dropbox or Gmail is NOT monitorable and any user can do it. Who can afford to forbid all SSL traffic?

And Palo Alto does not protect from users with a USB key, floppy, camera, mobile phone... either.
0
 

Author Comment

by:clifford_m71
ID: 40050326
I apologize for taking so long to reply. I had other projects that took precedence. Thank you to everyone for the great information. I am aware that someone intent on getting our data will most likely find a way. I want to make that as difficult as possible, but I am more concerned with our own employees acting stupidly or maliciously and being able to monitor that.

Imperva looks like something that will work for us as far as monitoring our DB and file sharing.

For monitoring attacks I am going to work with our current firewall provider (we use WatchGuard) and purchase some of their add-on applications.

Thanks again for the advice and information and sorry again for the delay.
0
 
LVL 27

Accepted Solution

by:skullnobrains
skullnobrains earned 668 total points
ID: 40055864
Regarding 2):
Can't you make your DB accessible through something like a VNC or RDP connection with copy-paste disabled? This would at least prevent downloading whole chunks of the DB. (Obviously, retyping the whole thing or taking a number of screenshots would still be doable, but long.)
0
 

Author Comment

by:clifford_m71
ID: 40195300
I've requested that this question be deleted for the following reason:

We have decided not to spend the money on this. I therefore have not tested any of the solutions provided.
0
 

Author Closing Comment

by:clifford_m71
ID: 40211431
Even though we do not have the budget to move forward with this project at this time I appreciate the help. I have accepted multiple solutions because I believe they all offered some help.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40211539
Have a look at OpenDLP just to get your "beak wet" when it comes to DLP: https://code.google.com/p/opendlp/
It's free :)
-rich
0
