Generating an Audit Trail of Failed Access Attempts to Files or Folders

27 March 2018 | GDPR, NetFort Blog | By: Darragh Delaney

Why is it important to monitor for failed access attempts?

For some time now we have included a file activity monitoring feature in our LANGuardian product. It passively generates an audit trail of file and folder activity using network traffic as a data source. All you need to do is monitor network traffic going to and from your file servers and you can easily see who is doing what with your files and folders. The image below shows an output of a sample report.

[Image: network user accessing SMB file share]

With the release of LANGuardian 14.4.1 we can now report on successful and failed access attempts to network file shares. The failed access attempts can be viewed in report format or they can also trigger alerts via email or SYSLOG.

For many compliance standards such as GDPR and CIS CSC 20 you also need to monitor for failed access attempts. This is useful for generating alerts on anomalous activity where a user or device is attempting to access sensitive data. When it comes to GDPR and failed access attempts, this is what you need to focus on and how LANGuardian can help:

Requirement: Article 5 – Principles relating to the processing of personal data

1 (b) “Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)”

How to comply

In most enterprises, personal data is collected and stored in a database or a file server. To ensure that the data is being processed only for the purpose it had been collected for, it is necessary to monitor accesses to these systems and to the personal data itself.

Enterprises should watch out for anomalous personal data access, modification, and deletion, which could result in the data being processed in a way that was not originally intended.

How LANGuardian can help

In the case of personal data stored on network file shares, LANGuardian can help enterprises generate a real-time and historical view of all activity to and from important file shares. This includes:

Content and location changes (created, modified, overwritten, moved, restored, renamed, and deleted files/folders). Active directory integration also allows you to see associated usernames.

Failed access attempts (file/folder read, write, or delete). This is useful for generating alerts on anomalous activity where a user or device is attempting to access sensitive data.

Requirement: Article 32 – Security of processing

1(b) “The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”

How to comply

Continuously monitor and audit the storage/file/database systems that store personal data as well as the services (or applications) that process personal data.

Watch out for failed access attempts and anomalies in user activities on these systems and services.

How LANGuardian can help

In the case of personal data stored on network file shares, LANGuardian can help enterprises generate a real-time and historical view of all activity to and from important file shares. This includes:

File access/change events with associated username and IP address

Audit trail of content and location changes (modified, overwritten, moved, restored, renamed, and deleted files/folders).

Audit trail of failed file/folder process or access attempts (file/folder read, write, or delete).

A closer look at the LANGuardian failed access reports

You can view failed access activity in any of the LANGuardian file share reports that contain the Action report filter. Use the search bar at the top of LANGuardian and type in “Filenames by Actions”.

On the left-hand side you should see an Action filter with a drop-down selector. Scroll down and you will be able to select from a range of failed access attempts.

You can also focus on a specific file or folder by using the file name filter. Once you run the report you can save a custom report which will include your filter selection.

[Image: failed access attempts]

The image below shows a sample output. Here you can see some failed file open attempts originating from client 192.168.127.237. Drilling down further will show the date and time that this event was triggered, and you can also get associated usernames if you have configured the Active Directory integration.

[Image: A closer look at the LANGuardian failed access reports]
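
The following added example, which is not LANGuardian code or output, shows one way to turn failed access events like those in the report above into an alert: it flags a client that fails on several distinct files under a watched folder within a short window. The event line format, action names, usernames and thresholds are assumptions made for the example; only the client address 192.168.127.237 is taken from the report described above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, NOT LANGuardian output. Assumed fields:
# timestamp, client IP, username, action, share-relative path.
SAMPLE_EVENTS = """\
2018-03-27T09:00:05 192.168.127.237 jsmith failed_open hr/payroll.xlsx
2018-03-27T09:00:09 192.168.127.50 akelly open hr/policies.pdf
2018-03-27T09:00:17 192.168.127.237 jsmith failed_open hr/contracts/2018.docx
2018-03-27T09:00:20 192.168.127.50 akelly failed_write hr/policies.pdf
2018-03-27T09:00:31 192.168.127.237 jsmith failed_delete hr/reviews.docx
2018-03-27T09:02:00 192.168.127.81 svc_backup failed_open hr/payroll.xlsx
2018-03-27T09:12:00 192.168.127.81 svc_backup failed_open hr/payroll.xlsx
2018-03-27T09:22:00 192.168.127.81 svc_backup failed_open hr/reviews.docx
"""

FAILED_ACTIONS = {"failed_open", "failed_write", "failed_delete"}  # assumed names


def detect_probing(lines, watched_prefix, threshold=3, window=timedelta(minutes=5)):
    """Alert when one client fails on `threshold` distinct watched paths within `window`.

    Expects events in time order. Repeated failures on the same file (for
    example a service retrying) count once, so they do not raise an alert.
    """
    recent = defaultdict(deque)  # client IP -> (time, path, user) of recent failures
    alerted = set()              # clients currently above the threshold
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts_text, client, user, action, path = line.split(None, 4)
        if action not in FAILED_ACTIONS:
            continue
        if not path.lower().startswith(watched_prefix.lower()):
            continue
        ts = datetime.fromisoformat(ts_text)
        queue = recent[client]
        queue.append((ts, path, user))
        while ts - queue[0][0] > window:  # drop failures that fell out of the window
            queue.popleft()
        paths = sorted({p for _, p, _ in queue})
        if len(paths) >= threshold and client not in alerted:
            alerted.add(client)
            alerts.append({"time": ts, "client": client, "paths": paths,
                           "users": sorted({u for _, _, u in queue})})
        elif len(paths) < threshold:
            alerted.discard(client)       # re-arm once the burst has passed
    return alerts
```

Counting distinct paths rather than raw events keeps a single misconfigured service from alerting on every retry, while a client walking through a sensitive folder still trips the threshold quickly.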

Video Guide: Generating an Audit Trail of Failed Access Attempts to Files or Folders

You can download a 30-day trial of LANGuardian from here and use it to monitor and track file and folder activity on your network. You do not need any logs or client software. Just set up a SPAN or mirror port and you can passively monitor activity to and from your file servers.