Users Leaving? How to get an audit trail
Network users come and go. When new employees start we create sign on accounts and assign any relevant permissions. When employees leave we typically transfer their data over to someone else and disable any logon accounts.
During this transition period, an audit trail can be an invaluable resource. Sometimes users think they are doing everyone a favor by deleting what they think is old data or they move data around without telling anyone. In other cases, users may copy large volumes of data from the network with the intention of using it in their new job.
There are two main ways of getting an audit trail of user activity on your network. You can either install client or agent software on every network device, or you can monitor the network traffic inside your network. Client or agent software can be problematic: users can disable it, and it may not be feasible to install it on personal devices.
Network traffic analysis is the more independent option, with no requirement for any client software or server logs. You just need to capture network traffic at the correct points and extract the relevant metadata. It is an ideal data source for network visibility, security, and compliance.
Monitoring Network Traffic
Network traffic analysis tools use deep packet inspection technologies to extract certain metadata from network traffic. Traffic is typically captured at the core of a network using a SPAN port, mirror port, TAP or packet broker. Metadata here means items such as a filename or a SQL query. Once captured and stored, this metadata can then be used to build an audit trail of user activity.
The image to the right shows a typical traffic capture setup where traffic going to and from important servers is copied to a monitoring or SPAN port. This is a method of passive monitoring; because it is not inline, it does not interfere with client and server communications.
It does not matter whether users are on wired or wireless devices; their traffic will be seen as it passes through the core switch.
Focusing on an individual user for a specific time period
Recently we heard from a customer who had an issue when an employee was leaving. This employee moved, renamed and deleted some files on network shares. Using their LANGuardian, the network manager was able to get an audit trail of file and folder activity to find out what had been changed. It was then just a matter of putting everything back in its original location, which saved the IT department a lot of time trying to figure out which files needed to be restored.
The image below shows a sample of the LANGuardian file activity monitoring reports. Data in this report is acquired by analyzing the network traffic associated with the SMB or NFS protocols. Here we can see where user Leo deleted a profit and loss database together with the exact date and time when this action was seen.
It may also be worth looking at other user metadata when suspicious file activity is observed. The image below from a LANGuardian system shows that this user accessed some customer and sales data (1) and at the same time, data transfers were associated with Dropbox (2).
Cloud-based storage systems like Dropbox can be used to copy data out of a network, so you may want to set up alerts if activity like this is detected on your network. We will follow up with another post showing how you can set this up with LANGuardian; just subscribe to our blog to get updates.
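The two workflows described above (pulling one user's file activity for a specific period to see what must be restored, and correlating file reads with a large transfer to a cloud-storage service from the same client) can be illustrated on metadata of the kind a network sensor extracts from SMB/NFS traffic and from outbound TLS sessions. The script below is an added example written for this post; it is not LANGuardian code and does not use its data format. All records are constructed inline, and the field names, the cloud-storage domain list, the user, the paths and the size threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records resembling what a DPI sensor on a SPAN port could
# extract from SMB/NFS traffic. Field names and values are assumptions.
FILE_EVENTS = [
    {"ts": "2016-03-01T09:02:11", "user": "leo", "client": "10.1.20.15",
     "action": "read", "path": r"\\fs01\finance\customers.xlsx"},
    {"ts": "2016-03-01T09:05:40", "user": "leo", "client": "10.1.20.15",
     "action": "rename", "path": r"\\fs01\finance\Q1_sales.xlsx",
     "new_path": r"\\fs01\finance\old\Q1_sales.xlsx"},
    {"ts": "2016-03-01T09:07:02", "user": "leo", "client": "10.1.20.15",
     "action": "delete", "path": r"\\fs01\finance\profit_and_loss.accdb"},
    {"ts": "2016-03-01T09:30:00", "user": "anna", "client": "10.1.20.40",
     "action": "write", "path": r"\\fs01\hr\handbook.docx"},
    {"ts": "2016-03-03T14:00:00", "user": "leo", "client": "10.1.20.15",
     "action": "delete", "path": r"\\fs01\finance\notes.txt"},
]

# Constructed outbound flow records (e.g. from TLS server-name metadata).
# They carry a client IP but no username, so they are tied to a user via IP.
FLOWS = [
    {"ts": "2016-03-01T09:08:30", "client": "10.1.20.15",
     "dest": "content.dropboxapi.com", "bytes_out": 350_000_000},
    {"ts": "2016-03-01T11:00:00", "client": "10.1.20.40",
     "dest": "www.example.org", "bytes_out": 2_000},
]

# Assumed list of cloud-storage domains worth alerting on.
CLOUD_STORAGE_SUFFIXES = ("dropbox.com", "dropboxapi.com")


def _ts(rec):
    return datetime.fromisoformat(rec["ts"])


def audit_trail(events, user, start_iso, end_iso):
    """File events for one user inside [start, end], oldest first."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return sorted((e for e in events
                   if e["user"] == user and start <= _ts(e) <= end), key=_ts)


def restore_plan(trail):
    """Derive what to put back from the destructive events in a trail.

    Returns (action, from_path, to_path) tuples: deleted files are restored
    from backup, renames/moves are reversed. Events are walked newest-first
    so that chained renames unwind in the right order.
    """
    plan = []
    for e in reversed(trail):
        if e["action"] == "delete":
            plan.append(("restore", e["path"], e["path"]))
        elif e["action"] in ("rename", "move"):
            plan.append(("rename_back", e["new_path"], e["path"]))
    return plan


def cloud_upload_alerts(events, flows, window=timedelta(minutes=30),
                        threshold_bytes=100_000_000):
    """Flag a client that read files on a share and, within `window` before a
    flow, sent more than `threshold_bytes` to a cloud-storage domain."""
    alerts = []
    for f in flows:
        if not f["dest"].endswith(CLOUD_STORAGE_SUFFIXES):
            continue
        if f["bytes_out"] <= threshold_bytes:
            continue
        ft = _ts(f)
        related = [e for e in events
                   if e["client"] == f["client"] and e["action"] == "read"
                   and ft - window <= _ts(e) <= ft]
        if related:
            alerts.append({"user": related[0]["user"], "client": f["client"],
                           "dest": f["dest"], "bytes_out": f["bytes_out"],
                           "files": [e["path"] for e in related]})
    return alerts


if __name__ == "__main__":
    trail = audit_trail(FILE_EVENTS, "leo", "2016-03-01T00:00:00", "2016-03-02T00:00:00")
    for e in trail:
        print(e["ts"], e["action"], e["path"], e.get("new_path", ""))
    for step in restore_plan(trail):
        print(step)
    for alert in cloud_upload_alerts(FILE_EVENTS, FLOWS):
        print(alert)
```

The correlation step depends on the client IP being stable for the period in question; with DHCP or roaming wireless clients, a sensor that records the authenticated SMB user alongside the IP (as in the file events above) is what lets the nameless TLS flow be attributed to a person.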