How can I monitor if someone is sending or receiving files?

I have a small office network with about 20 computers. How can I track what files and which computer is either sending or receiving files?

My question is not how to prevent someone from sending files, but to track who and what files they are sending and receiving outside of the network. The files could be sent through messenger, email, etc.

KMC

Posted 2012-01-11T11:42:40.437

It would help to give more information on your network setup – Journeyman Geek – 2012-01-11T11:52:16.323

If you want to monitor every possible method of a file transferring out of your network, you will need to be more specific than "etc" – Paul – 2012-01-11T11:54:44.090

I have updated my answer - it has detail on prevention as I misread your question...now it also has a wee bit on logging. – Rory Alsop – 2012-01-11T17:18:33.123

Answers

Difficult to do in the network.

  • Data sent may not always have a "filename" attached to it.
  • Data can be encrypted (e.g. HTTPS).
  • Protocols may be unclear (Common use of Port 80 by protocols other than HTTP).

Difficult to do on the PC.

  • People can install their own programs.
  • People can use "official" programs in unexpected ways.
  • People can boot from USB flash drives.

RedGrittyBrick

As indicated in the previous answer it is technically difficult and actually impossible to block even the most obvious ways without obstructing fair usage.

Legally, it might be also tricky not to violate privacy laws.

Your best shot is to trust the users. And if you do not trust some - limit their access to the sensitive files.

user377178

As my question stated, I do not intend to "prevent" or block file transfer, but to log them. – KMC – 2012-01-12T00:56:07.950

There are DLP (Data Loss Prevention) products like InfoWatch Traffic Monitor that claim to do what you're asking. However, all these products are not off-the-shelf turn-key solutions, but rather complex systems that require consultants to be installed, tuned, etc. They use complex traffic analysis algorithms to detect data leaks (OCR image attachments, scan encrypted traffic, can detect suspicious activity, etc.).

They cost lots of money. I'm not aware of any such system that would be cost-effective for such a small company (20 users).

haimg

There are some basic off-the-shelf solutions (eg McAfee's offering) that can work as a drop-in on basic role-based access rules, but to gain any value you will need to tune/configure any DLP solution.

What some organisations I work with do is define permissions by user (eg only these 3 individuals are allowed to send attachments out, only those ones can print, etc). For this scenario you place your trust in those named users. If they make a mistake, or turn rogue, you can still check the logs to see what they sent, but data can leak. At least you have reduced the risk down to just those individuals (or anyone with their credentials).

What others do is attach code words to all key documents, and set the DLP service to trigger on them. Standard mail gateways may have this functionality (I know Mailsweeper and the like do)

A more mature solution is to enforce classifications on all documents - this may be overkill for you just now, but you are at a size where it is manageable, and will become ever more useful as you grow. Using classifications it becomes very easy to deny outgoing secret or internal docs while allowing lower sensitivity ones.

To stay closer to your exact question, all of the above options will log what is sent out - the most appropriate for you if you aren't needing to block may just be to enable logging of all mails sent with attachments at your mail gateway (eg Exchange...)

Rory Alsop

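The answer above ends with the suggestion that, if you do not need to block anything, you can simply log every outbound mail that carries an attachment at the gateway, and earlier it mentions triggering on code words embedded in key documents. The following is an added example (not from the original thread and not any product's code) showing what such a gateway-side log record can look like in Python, using only the standard library. The message, the internal domain example.internal and the code words PROJECT-HARRIER and INTERNAL-ONLY are all constructed for the demonstration; a real deployment would feed messages from a milter or a pickup directory instead of building them inline.

```python
"""Added example: log outbound mail that carries attachments and flag
code-word hits, modelled on the gateway logging and DLP triggers the
answer describes. Everything below is constructed sample data."""
import hashlib
from email import policy
from email.message import EmailMessage

# Assumed code words that the organisation embeds in its key documents.
CODE_WORDS = ("PROJECT-HARRIER", "INTERNAL-ONLY")


def build_sample_message(with_attachment=True):
    """Constructed outbound message: internal sender, mixed recipients,
    optionally one text attachment that contains a code word."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "alice@example.internal"
    msg["To"] = "partner@example.org, bob@example.internal"
    msg["Cc"] = "carol@example.net"
    msg["Subject"] = "Q1 figures"
    msg.set_content("Figures attached.")
    if with_attachment:
        body = b"Quarterly figures\nINTERNAL-ONLY - do not distribute\n"
        msg.add_attachment(body, maintype="text", subtype="plain",
                           filename="q1-figures.txt")
    return msg


def log_outbound(msg, internal_domain="example.internal", code_words=CODE_WORDS):
    """Return one log record for a message: who sent which attachments to
    whom, which recipients are outside the network, and which attachments
    contain a code word. The record is what you would write to the gateway
    log; 'alert' is set only when a code-word hit actually leaves the domain."""
    recipients = []
    for hdr in ("To", "Cc", "Bcc"):
        if msg[hdr] is not None:
            recipients.extend(a.addr_spec for a in msg[hdr].addresses)
    external = [r for r in recipients
                if not r.lower().endswith("@" + internal_domain)]

    attachments = []
    for part in msg.iter_attachments():
        raw = part.get_payload(decode=True)  # bytes regardless of transfer encoding
        text = raw.decode("utf-8", errors="replace")
        attachments.append({
            "filename": part.get_filename(),
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),  # lets you match the file later
            "code_word_hits": [w for w in code_words if w in text],
        })

    return {
        "from": msg["From"].addresses[0].addr_spec,
        "recipients": recipients,
        "external_recipients": external,
        "attachments": attachments,
        "alert": bool(external) and any(a["code_word_hits"] for a in attachments),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(log_outbound(build_sample_message()), indent=2))
```

The hash is worth keeping in the record even when you only log: it lets you tie the attachment back to a file on a share later without storing a copy of every outbound document at the gateway. Note that this only sees mail; a file pushed through HTTPS or a chat client never passes this point, which is the limitation the first answer raises.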
If you have Linux systems you can use the Linux kernel auditing to log all the file accesses (read/write). From this you can get the user, process ID and executable name that accessed the file.

You can use aureport to generate a report.

In the report you can look for executables like chat clients, browsers, SSH clients, etc. to find what files were accessed by them (possibly for sending).

Note: You have to install the "auditd" package for this.

This is a good place to start. http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html

daya

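To make the auditd approach in the answer above concrete: a watch rule such as `auditctl -w /srv/docs -p rwa -k docs-watch` makes the kernel emit, for every access under that directory, a SYSCALL record (user, pid, comm, exe, key) followed by CWD and PATH records that share the same event serial. `ausearch -k docs-watch -i` and `aureport -f -i` read those back for you. The following is an added example (not from the original answer, not part of the audit tooling) that does the same correlation directly on audit.log lines in Python, so you can see which fields carry the user, the program and the file. The log excerpt, the key name docs-watch, the paths and the list of network-capable programs are all constructed for this example.

```python
"""Added example: correlate auditd SYSCALL and PATH records into
(user, program, file) tuples, the data aureport exposes. The log
excerpt below is constructed; key name, paths and the program list
are assumptions for the demonstration."""
import os
import re
from collections import defaultdict

# Constructed audit.log excerpt, shaped like what auditd writes after
#   auditctl -w /srv/docs -p rwa -k docs-watch
# Event 4101: a browser opens a contract. Event 4102: an editor opens notes.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1326268800.101:4101): arch=c000003e syscall=257 success=yes exit=23 a0=ffffff9c a1=1f2e3d4c a2=80000 a3=0 items=1 ppid=2201 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=3 comm="firefox" exe="/usr/lib/firefox/firefox" key="docs-watch"
type=CWD msg=audit(1326268800.101:4101): cwd="/home/alice"
type=PATH msg=audit(1326268800.101:4101): item=0 name="/srv/docs/contract.pdf" inode=131073 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00
type=SYSCALL msg=audit(1326268800.355:4102): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd1234 a2=0 a3=0 items=1 ppid=2201 pid=2400 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="docs-watch"
type=CWD msg=audit(1326268800.355:4102): cwd="/home/alice"
type=PATH msg=audit(1326268800.355:4102): item=0 name="/srv/docs/notes.txt" inode=131074 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00
"""

# Programs that can move a file off the machine (assumed list for the example).
NETWORK_PROGRAMS = {"firefox", "chromium", "pidgin", "skype", "ssh", "scp", "thunderbird"}

_RECORD = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
_FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fields(rest):
    """Turn 'k=v k2="quoted v"' into a dict, stripping the quotes."""
    out = {}
    for m in _FIELD.finditer(rest):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else raw
    return out


def parse_audit_log(text):
    """Group records by (timestamp, serial), which together identify one
    audit event, and return one dict per SYSCALL event with the PATH
    names attached. auid is the login uid: it survives su/sudo, so it
    names the person rather than the account the program ran as."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = _RECORD.match(line)
        if not m:
            continue  # not an audit record
        ev = events[(m.group("ts"), m.group("serial"))]
        fields = parse_fields(m.group("rest"))
        if m.group("type") == "SYSCALL":
            ev.update(time=float(m.group("ts")), auid=int(fields["auid"]),
                      uid=int(fields["uid"]), pid=int(fields["pid"]),
                      comm=fields["comm"], exe=fields["exe"],
                      key=fields.get("key"), success=fields["success"] == "yes")
        elif m.group("type") == "PATH":
            ev["paths"].append(fields["name"])
    return [ev for ev in events.values() if "exe" in ev]


def possible_exfil(events, programs=NETWORK_PROGRAMS):
    """Successful accesses by a network-capable program, as (auid, exe, path).
    Opening a watched file from a browser is not proof it was sent, only
    the starting point for a closer look, which is all auditing gives you."""
    hits = []
    for ev in events:
        if ev["success"] and os.path.basename(ev["exe"]) in programs:
            hits.extend((ev["auid"], ev["exe"], p) for p in ev["paths"])
    return hits


if __name__ == "__main__":
    for auid, exe, path in possible_exfil(parse_audit_log(SAMPLE_LOG)):
        print(f"auid={auid} exe={exe} file={path}")
```

Two caveats the answer's approach inherits: the rule only covers paths you watch, so a file copied to /tmp first and sent from there is invisible unless you watch that too, and the kernel records the open, not the upload, so a hit here still needs the network side (mail log, proxy log) to confirm anything left the machine.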