Recommended tool for monitoring

Is there a tool that could monitor downloads by remote VPN users from a network share? I have Mac domain users, but their Mac laptops are not configured to the domain. I have to monitor that they are not downloading confidential files.

Recently, I installed LANGuardian for a completely different type of monitoring, which is for P2P and YouTube usage. But it looks like the tool does not log much information for systems that are not members of the domain. It did give me detailed information on Windows users on the domain, but I did not find a monitoring option for VPN users downloading from an internal share.
Asked by: pchettri, IT Director
Jian An Lim, Solutions Architect, commented:
Depends on your cost.

First, you need to turn on file server auditing (assuming Windows servers).

Splunk is a well-known log parsing software and they document how to do it natively (and enhanced with their free tools - small amount).

http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/

btan, Exec Consultant, commented:
Netfort LG should be placed in the SPAN of the router connecting to the file server, to inspect the machines connected via SMB to the file server (FS).
https://www.netfort.com/solutions/monitor-user-activity/user-activity-logging/

A domain machine can be mapped to the user, but a local (workgroup) machine will not surface any info on the user as it can be a local user - not even AD will get such login access. The various logs (DHCP, VPN log with the IP assigned to the remote user tunneled in) are required to correlate the events of the machine during the period of interest.

Definitely LG alone will not give the insight required. SIEMs can ingest the syslog or CEF logs to better map the activities as a whole from those device sources, including LG as one of the sources. Splunk, ArcSight or SolarWinds are some examples. In particular, SolarWinds has integration support for LG:
• Network forensics
Analyze network events that happened some time previously, such as a file deleted on a Windows file share or high bandwidth on a link. Instantly generate reports for management to support internal investigations, audits and capacity planning.
https://www.netfort.com/features/solarwinds-integration/

But note even user ID needs AD integration... at least you can identify the machine at the bare minimum, to conduct further checks and its doings if any anomalies surface. I doubt there is any other "capture" tool unless you are looking at a user monitoring agent on every machine, like ObserveIT... a local machine still needs to be centrally managed via the monitoring tool per se, though not domain joined.
Software agents installed on Windows, Unix and Linux machines record each user's screen, mouse and keyboard activity, regardless of how the user logged in (Remote Desktop, Terminal Server, SSH, local console, etc.). The captured data is transmitted to the Application Server in realtime, or cached for later delivery if the endpoint is temporarily offline. Agent behavior is controlled by policies defined using the Web Console. Robust safeguards protect the agent software and data from tampering.
http://www.observeit.com/product/how-it-works
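
The correlation described in the answer above (file share audit events matched against VPN logs of assigned IPs), as an added example that is not part of the original thread. The VPN pool, session records, account names and file paths are all constructed sample data, and the event tuples only assume that the file server audit record carries a time, client IP, account, share and path.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")  # assumed VPN address pool
# Constructed VPN log: (vpn_user, assigned_ip, session_start, session_end)
VPN_SESSIONS = [
    ("alice", "10.8.0.15", "2024-05-01T09:00:00", "2024-05-01T11:30:00"),
    ("bob",   "10.8.0.15", "2024-05-01T13:00:00", "2024-05-01T14:00:00"),
]
# Constructed file share audit events: (time, client_ip, account, share, path)
SHARE_EVENTS = [
    ("2024-05-01T09:42:10", "10.8.0.15", "macuser", "Finance", r"Confidential\payroll.xlsx"),
    ("2024-05-01T13:05:00", "10.8.0.15", "macuser", "Finance", r"Confidential\budget.docx"),
    ("2024-05-01T10:00:00", "192.168.1.20", "carol", "Finance", r"Confidential\payroll.xlsx"),
    ("2024-05-01T12:00:00", "10.8.0.15", "macuser", "Finance", r"Confidential\plan.pdf"),
    ("2024-05-01T09:50:00", "10.8.0.15", "macuser", "Public", r"menu.pdf"),
]
SENSITIVE_PREFIXES = ("confidential\\",)  # assumed folder holding confidential files

def _ts(text):
    return datetime.fromisoformat(text)

def vpn_user_for(ip, when, sessions=VPN_SESSIONS):
    """Return the VPN user who held `ip` at time `when`, or None."""
    for user, session_ip, start, end in sessions:
        if session_ip == ip and _ts(start) <= when <= _ts(end):
            return user
    return None

def correlate(events=SHARE_EVENTS, sessions=VPN_SESSIONS):
    """Attribute sensitive-file access from VPN addresses to VPN users."""
    findings = []
    for when, ip, account, share, path in events:
        if ip_address(ip) not in VPN_POOL:
            continue  # in-office access is allowed and not reported
        if not path.lower().startswith(SENSITIVE_PREFIXES):
            continue  # only confidential files are of interest
        # The local account name ("macuser") says nothing about the person;
        # the VPN session that owned the IP at that moment does.
        user = vpn_user_for(ip, _ts(when), sessions) or "UNRESOLVED"
        findings.append((when, user, ip, share, path))
    return findings

if __name__ == "__main__":
    for row in correlate():
        print(row)
```

The same pool address maps to different people at different times, so the match has to be on IP and time window together; an event with no matching session is kept as UNRESOLVED rather than dropped.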

David Johnson, CD, MVP, Owner, commented:
Use ADRMS to restrict access to these files.

pchettri, IT Director, author, commented:
I want them to use and download files while they are in the office, but monitor it if they are using VPN.

btan, Exec Consultant, commented:
There is one DLP s/w which is pretty sound (quite similar to digital rights management like MS AD IRMS) and you may want to consider hearing them too, as the fundamentals of preventing leakage, or of logging abuse and tamper attempts, require tagging of the "asset", including those files:
The user can indicate the classification of the document (such as Secret, Top Secret, Company Confidential, etc) and it can then be reflected in the header / footer or watermark of the document. These labels are completely customizable and can be changed to suit your environment. For instance, the list of labels could be changed to Internal Use Only, Confidential, Restricted etc. The label is inserted as a custom property of the document and as such can be used to search for documents. For example, administrators can quickly locate all CONFIDENTIAL documents on their network.
http://www.titus.com/solutions-encryption-and-RMS.php
http://www.titus.com/solutions-data-loss-prevention.php

In fact, just to add further, TITUS can be used in conjunction with Microsoft RMS, such that documents and email are properly protected based on the classification tagged, and only certain users are given rights such as “View”, “Forward”, “Print” etc. FYI.

btan, Exec Consultant, commented:
RMS has such a use case for further customisation:
Once the script has been run, the end user should be able to open existing rights-protected content or apply rights-protections to content. In many instances, the user will be prompted to enter his or her username and password for your Active Directory domain when using RMS. If the user is connected to your internal network using a VPN connection, RMS may be able to pick up the user’s credentials from the VPN and won’t prompt the user for authentication.
http://www.css-security.com/blog/configuring-a-non-domain-joined-rms-client-machine/

Naomi Goldberg commented:
If you are looking into a SIEM solution then you might find the real user reviews on IT Central Station to be helpful: http://www.itcentralstation.com/categories/security-information-and-event-management-siem/top

Splunk is currently rated as the number one solution in this category. This user says, "Innovative Tool But It Needs To Be Improved For Day To Day Use." You can read his full, in-depth review here: http://www.itcentralstation.com/product_reviews/splunk-review-32119-by-vinod-shankar

LogRhythm is currently ranked as the number 2 solution in this category. This user wrote, "Security Management Is What It's Best At, But It's Generally For Medium-Sized Companies." http://www.itcentralstation.com/product_reviews/logrhythm-review-34988-by-ghias-minto