Network Monitoring

I am looking for recommendations for something I'm not sure exists. I want a one stop shop application that will allow me to:

1) Monitor outside threats (i.e. attacks on our network)

2) Be able to keep track of what documents people are opening and what they are downloading to their laptops. We are on a Windows 2008 Active Directory domain. Our employees have access to thousands of names, addresses and SS#'s. While they are told this data should never be stored on their laptops, I am looking for a way to ensure that they don't. For example, if someone downloads a list of names and SS#'s from our SQL database and exports it to Excel, is there any way for me to know when that happens?

This is probably not possible but thought I would ask.

clifford_m71 (IT Manager) asked:
James H (IT Director) commented:
Imperva will most definitely help prevent the data theft you are referring to. It does all of the items you listed when it comes to file/SQL security and auditing.

There is no one box solution for external attacks but any NextGen firewall will help in that case.
Palo Alto, SourceFire, CheckPoint, TippingPoint.
Sikhumbuzo Ntsada (IT Administration) commented:
There are applications that can do that of course.

Here is an example.
Rich Rumble (Security Samurai) commented:
You are asking about DLP more than anything, and what it catches is people doing stupid things; it does not catch someone doing something more purposefully. If someone wants to get the data out, they probably can. But it is nice to get a demo of these products and find out the dumb things people are doing. You may only need the demo or PoC evaluation to do it:
I do not agree with this magic quadrant. I think Fidelis found more issues for us than Symantec did, and we tried 3 others, not worth mentioning.

Most of our data is in a DB, so file-based solutions don't help us much; we have tight controls on the DB and its logging. If you want file access logging, look at Varonis, they are pretty good, but you probably shouldn't have data that valuable sitting in shares... but a tool like Varonis can help you manage that much better than Windows itself can. There is a free DLP that is pretty nice, especially for free; it's just not being worked on much anymore:

As to number 1, don't monitor the outside fully; you want to monitor the inside, so if an attack succeeds you will know for sure. You can try something like a Web Application Firewall or an IPS to try to reset any threatening connections, but they are not 100% and often rely on signatures that can be bypassed with a little padding or stream fragmentation. Again, you can get a demo from Breach, Imperva, Sourcefire and other WAF/IPS providers to see what's outside your network.

If you don't want data to leak from your DB, a good start would be to provide access to the DB from diskless machines with no external media support, no internet access and no printers.

Every DLP software I ever came across is trivial to bypass, even for non-technical users.

Limiting and auditing queries on the database should also let you know that someone is trying to export stuff before they actually compile a file.

As far as outside threats are concerned, your existing firewall probably has a module to do that. Anyway, it's quite a waste of time: all hosts are under dumb automated attacks like 99% of the time. Better focus on achieving proper security and monitor attacks on services that you provide to the WAN.
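One concrete form of the query auditing suggested above, as an added example that is not from this thread or from any product named in it: a small Python script that reads constructed SQL audit export lines and flags both a single unfiltered bulk SELECT from a sensitive table and a login pulling the same table in many small slices within a short window. The pipe-delimited export format, the table name dbo.Customers and the thresholds are assumptions.

```python
"""Flag bulk reads of a sensitive table in SQL audit log lines (added example).
Assumptions, not from the thread: a pipe-delimited audit export with fields
timestamp|login|database|rows_returned|statement; table dbo.Customers is
hypothetical; thresholds are illustrative; sample lines are constructed."""
import re
from datetime import datetime, timedelta

SENSITIVE_TABLES = {"dbo.customers"}  # tables holding names/addresses/SSNs
ROW_THRESHOLD = 500                   # rows from one statement that is suspicious
WINDOW = timedelta(minutes=10)        # sliding window for "slicing" detection
WINDOW_THRESHOLD = 1500               # cumulative rows per login inside WINDOW
SAMPLE_LOG = """\
2014-03-03T09:00:01|CORP\\alice|hr|1|SELECT Name FROM dbo.Customers WHERE Id = 42
2014-03-03T09:01:10|CORP\\bob|hr|48211|SELECT Name, Address, SSN FROM dbo.Customers
2014-03-03T09:02:30|CORP\\carol|hr|300|SELECT * FROM dbo.Orders
2014-03-03T09:03:00|CORP\\dave|hr|450|SELECT SSN FROM dbo.Customers WHERE State = 'CA'
2014-03-03T09:05:00|CORP\\dave|hr|450|SELECT SSN FROM dbo.Customers WHERE State = 'NY'
2014-03-03T09:06:00|CORP\\dave|hr|450|SELECT SSN FROM dbo.Customers WHERE State = 'TX'
2014-03-03T09:08:00|CORP\\dave|hr|450|SELECT SSN FROM dbo.Customers WHERE State = 'OR'
"""

def parse_line(line):
    ts, login, db, rows, stmt = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "login": login,
            "db": db, "rows": int(rows), "stmt": stmt.strip()}

def touches_sensitive(stmt):
    # True if any FROM/JOIN target (with or without [] quoting) is sensitive.
    tables = re.findall(r"\b(?:from|join)\s+([\w.\[\]]+)", stmt.lower())
    return any(t.replace("[", "").replace("]", "") in SENSITIVE_TABLES for t in tables)

def detect(log_text):
    """Return (kind, login, rows) alerts for oversized and sliced reads."""
    alerts, history = [], {}  # history: login -> [(timestamp, rows)]
    for line in filter(None, log_text.splitlines()):
        ev = parse_line(line)
        if not touches_sensitive(ev["stmt"]):
            continue
        # One unfiltered or oversized statement is an alert on its own.
        if ev["rows"] >= ROW_THRESHOLD or not re.search(r"\bwhere\b", ev["stmt"], re.I):
            alerts.append(("bulk_read", ev["login"], ev["rows"]))
            continue
        # Otherwise accumulate per login: many small slices add up to an export.
        hist = history.setdefault(ev["login"], [])
        hist.append((ev["ts"], ev["rows"]))
        hist[:] = [(t, r) for t, r in hist if ev["ts"] - t <= WINDOW]
        total = sum(r for _, r in hist)
        if total >= WINDOW_THRESHOLD:
            alerts.append(("slicing", ev["login"], total))
            hist.clear()  # reset so the same run is not reported again
    return alerts
```

Running `detect(SAMPLE_LOG)` reports bob's unfiltered pull of the whole table and dave's four filtered slices that add up to 1800 rows in five minutes, while alice's single-row lookup and carol's read of a non-sensitive table are left alone.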
Schuyler Dorsey commented:
Palo Alto firewalls will perform this.

It has a built-in IPS which includes exploits, AV and AS. It also has file monitoring, so you can have it record every file going in and out of your network. You can also create dynamic file policies, e.g. block JAR files at the perimeter.

It also has WildFire, so it can run MS Office files, Java files and PDFs inside a Windows XP/Windows 7 VM to see if the file does anything malicious.
Schuyler Dorsey commented:
Palo Alto also has DLP-lite built in.
I have nothing against Palo Alto, which is a great product, but I cannot stress enough how impossible this is.

Stick the file in a password-protected RAR and there is no way to determine its type; export it as hex and it is a binary; export it as PDF, copy-paste it into a Word document, or directly into a mail body as an HTML table... Much worse, aggregate the first 2048 bytes of a picture and a huge Excel sheet and it magically turns into a picture (try it). Send an encrypted email with an attachment and say goodbye to file type detection... and that's far from exhaustive. Many users, many ideas.

Additionally, transferring over SSL also makes file detection impossible, meaning that secure access to Dropbox or Gmail is NOT monitorable and any user can do it. Who can afford to forbid all SSL traffic?

And Palo does not protect from users with a USB key, floppy, camera, mobile phone... either.
clifford_m71 (IT Manager, Author) commented:
I apologize for taking so long to reply. I had other projects that took precedence. Thank you to everyone for the great information. I am aware that someone intent on getting our data will most likely find a way. I want to make that as difficult as possible but am more concerned with our own employees acting stupid or malicious and being able to monitor that.

Imperva looks like something that will work for us as far as monitoring our DB and file sharing.

For monitoring attacks I am going to work with our current firewall provider (we use WatchGuard) and purchase some of their add-on applications.

Thanks again for the advice and information and sorry again for the delay.
Regarding 2):
Can't you make your DB accessible through something like a VNC or RDP connection with copy-paste disabled? This would at least prevent downloading whole chunks of the DB. (Obviously, retyping the whole thing or taking a number of screenshots would still be doable, but loooong.)

clifford_m71 (IT Manager, Author) commented:
I've requested that this question be deleted for the following reason:

We have decided not to spend the money on this. I therefore have not tested any of the solutions provided.
clifford_m71 (IT Manager, Author) commented:
Even though we do not have the budget to move forward with this project at this time I appreciate the help. I have accepted multiple solutions because I believe they all offered some help.
Rich Rumble (Security Samurai) commented:
Have a look at OpenDLP just to get your "beak wet" when it comes to DLP:
It's free :)