Information security in events of StaffCop Enterprise

StaffCop Enterprise collects data in the form of events. This article explains which cybersecurity threats are registered as events, what actions can be taken on events of various kinds and how to react to threats.

Introduction

Cybersecurity specialists and company executives who are not yet using StaffCop Enterprise will see the advantages of the system from this article. System administrators whose companies already use it will get their existing knowledge organized.

File operations

Information is stored in files, and users interact with files through applications. To understand what was done to a file, the administrator needs the context of the event. The «File operation» event type receives all file operations performed by users and applications. Each event records the time of the operation, the computer it was performed on, the user and the application that performed it. The table can be filtered by operation type: read, write, copy, move or delete.

Example: some files are missing from a network disk and the system administrator wants to find out who deleted them. The administrator selects the network drive type in the dimension panel to filter the output, narrows it further with the «Delete» file operation dimension, and finally picks out the file types of interest by their extensions. The resulting table shows which files were deleted and by which users. The administrator can print the table and attach it to the incident report for management.

Intercepted files

The «Intercepted file» event receives shadow copies of files sent by e-mail or instant messenger, downloaded through a browser or from cloud storage.

Note: to receive shadow copies in the «Content» field, enable the «Shadow copying» module.

Example: when investigating an incident, the system administrator requests copies of files under a certain path. Files matching the path mask are shadow copied.

Printing documents

Ink and paper seem a negligible expense until employees start using corporate resources for their personal needs.

Records of the «Printing» event type show the user, the document and the time it was printed. The «Summary statistics» report shows the number of documents and pages printed by each user in tabular form, with totals for the chosen period. The system administrator will see who printed books or documents for personal needs.

Clipboard

Users work with confidential data not only in files but also in applications, such as an e-mail client. Part of an important text may be copied and sent elsewhere. The text content of the clipboard is intercepted by the analytical system and saved under the event type of the same name, where it awaits analysis and an appropriate reaction by the system administrator.

Confidential information from internal documents passes through the clipboard. A search by the «Clipboard» event type combined with a keyword search displays the events associated with sensitive information. The resulting filter can be saved for quick access later. To get access to the text copied by a user, enable the «Clipboard» module in the configuration.

External drives

USB flash drives remain one of the most exploited channels for leaking confidential data from a corporate network. The history of the «Disk drive» event type shows the context of external drive connections to a computer. Statistics of file copying by users are displayed when you choose the dimension «Device — Device type — Removable». The details of file copying to external drives can be seen with the dimension «File — Operation — Copy/Create». The administrator receives the list of files copied from or to external drives.

Example: by default, the system intercepts files copied to external drives. The system administrator can search the content of intercepted files by keywords and save the search as a filter in order to be notified whenever a file containing those words is received.

The system shows which employees used corporate or personal external drives, and which files were copied and read. Such a selection helps to analyze the distribution of files within the company and build the corresponding relation graph.

The administrator sees which files were transferred to external drives, their source and destination paths, and which corporate information channels they passed through, as well as which users had access to the files and when files were sent outside the corporate network. These selections of facts help in investigating incidents.
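The two selections described in the «File operations» and «External drives» sections (who deleted which files on a network drive, and which files were copied to or from removable drives) expressed as filtering logic over event records. This is an added example, not StaffCop's own code or data model: the FileEvent field names follow the details the article lists but are an assumption, the drive-letter mapping in REMOVABLE_DRIVES and all sample events are constructed, and drive type is inferred from the path rather than read from the product.

```python
"""Filter constructed file-operation records the way the article describes.

Added illustration, not StaffCop's own code or schema: the FileEvent fields
follow the details the article names (time, computer, user, application,
operation, path), but the names are an assumption and the records are
constructed. Drive type is inferred from the path: UNC paths are network
shares and the letters in REMOVABLE_DRIVES stand for mounted USB drives.
"""
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath

REMOVABLE_DRIVES = {"E:", "F:"}  # constructed: letters assigned to USB drives


@dataclass(frozen=True)
class FileEvent:
    time: str
    computer: str
    user: str
    application: str
    operation: str       # read, write, copy, move, create or delete
    path: str            # file acted on (source for copy/move)
    dest_path: str = ""  # destination for copy/move


def device_type(path: str) -> str:
    """Classify a path as Network (UNC share), Removable or Fixed."""
    if path.startswith("\\\\"):
        return "Network"
    drive = PureWindowsPath(path).drive.upper()
    return "Removable" if drive in REMOVABLE_DRIVES else "Fixed"


def deleted_by_user(events, device="Network", extensions=()):
    """Who deleted which files on the given drive type.

    Mirrors the article's walk-through: filter by drive type, then by the
    "Delete" operation, then narrow to the file extensions of interest.
    """
    wanted = {ext.lower() for ext in extensions}
    result = defaultdict(list)
    for ev in events:
        if ev.operation != "delete" or device_type(ev.path) != device:
            continue
        if wanted and PureWindowsPath(ev.path).suffix.lower() not in wanted:
            continue
        result[ev.user].append(ev.path)
    return dict(result)


def removable_transfers(events):
    """Copy/create operations whose source or destination is a removable drive.

    Each row gives user, source path, destination path and the direction
    relative to the removable drive ("to" or "from").
    """
    rows = []
    for ev in events:
        if ev.operation not in ("copy", "create"):
            continue
        src = device_type(ev.path)
        dst = device_type(ev.dest_path) if ev.dest_path else None
        if "Removable" not in (src, dst):
            continue
        # A create has no destination: the file itself appeared on the drive.
        direction = "to" if dst == "Removable" or dst is None else "from"
        rows.append((ev.user, ev.path, ev.dest_path, direction))
    return rows


# Constructed sample events (not real data).
EVENTS = [
    FileEvent("2024-03-04 09:12:01", "PC-07", "ivanov", "explorer.exe", "delete",
              r"\\fs01\projects\budget_2024.xlsx"),
    FileEvent("2024-03-04 09:12:05", "PC-07", "ivanov", "explorer.exe", "delete",
              r"\\fs01\projects\contract.docx"),
    FileEvent("2024-03-04 09:30:44", "PC-12", "petrova", "WINWORD.EXE", "write",
              r"\\fs01\projects\report.docx"),
    FileEvent("2024-03-04 10:02:10", "PC-12", "petrova", "explorer.exe", "copy",
              r"C:\Users\petrova\Documents\clients.xlsx", r"E:\clients.xlsx"),
    FileEvent("2024-03-04 10:05:19", "PC-03", "sidorov", "explorer.exe", "delete",
              r"C:\Temp\notes.txt"),
    FileEvent("2024-03-04 11:15:00", "PC-03", "sidorov", "explorer.exe", "copy",
              r"F:\photos\holiday.jpg", r"C:\Users\sidorov\Pictures\holiday.jpg"),
    FileEvent("2024-03-04 11:40:21", "PC-07", "ivanov", "explorer.exe", "delete",
              r"\\fs01\projects\readme.txt"),
    FileEvent("2024-03-04 12:03:12", "PC-12", "petrova", "notepad.exe", "create",
              r"E:\notes\todo.txt"),
]

if __name__ == "__main__":
    for user, paths in deleted_by_user(EVENTS, "Network", (".xlsx", ".docx")).items():
        print(user, paths)
    for row in removable_transfers(EVENTS):
        print(*row)
```

The extension filter is optional, so the same function answers both "who deleted anything on the share" and "who deleted office documents"; the direction column in the removable-drive report is what lets a reviewer separate files leaving the corporate network from files brought in on a personal drive.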

FTP

The system administrator knows when a user connects to an FTP server. The following details are intercepted for each session: username, password, IP address of the FTP server, and downloaded and uploaded files (with their shadow copies kept).

E-mail

E-mail is the second most popular channel of confidential data leakage. The details of an e-mail include not only the sender, recipients and subject but also the message body and attachments. To monitor these events, enable the «E-mail», «Webmail» and «Network monitoring» modules.

Example: a common task is to view all recipient addresses that don't belong to your local domain, across all users. Employees exchange messages and files through web interfaces or mail clients with addresses outside your organization's local domain.

To reveal these events, choose the dimensions «Messaging — Channel — Mail» and «Messaging — Direction — Outgoing».

Add the dimension «Messaging — Sender domain» to the filter, choose the local company domain as the «Sender domain» and set the «Anti-filter» option in the properties of this filter.

The system will then show all senders and recipients of e-mail sent from outside the corporate domain. The «Account» dimension gives details describing the messaging parties. The details include attached files and the content of the messages, and allow keyword search.

As many filters as required can be saved for future use, with notifications delivered to the system administrator's e-mail.
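The e-mail selection described above (outgoing mail on the Mail channel, involving any address outside the local company domain, summarized per external account) as logic over message records. This is an added example, not StaffCop's own code: the MailEvent field names follow the details the article lists but are an assumption, CORPORATE_DOMAINS stands for the local company domain, and the sample messages are constructed.

```python
"""Outgoing mail involving addresses outside the corporate domain.

Added illustration, not StaffCop's own code: the MailEvent fields follow
the details the article names (sender, recipients, subject, attachments,
channel, direction), but the names are an assumption and the records are
constructed. CORPORATE_DOMAINS stands for the "local company domain".
"""
from collections import defaultdict
from dataclasses import dataclass

CORPORATE_DOMAINS = {"example.com"}  # constructed


@dataclass(frozen=True)
class MailEvent:
    time: str
    user: str
    channel: str        # "Mail" or "Webmail"
    direction: str      # "Outgoing" or "Incoming"
    sender: str
    recipients: tuple
    subject: str
    attachments: tuple = ()


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def external_parties(ev: MailEvent) -> tuple:
    """Sender and recipient addresses that are not in the corporate domain."""
    return tuple(a for a in (ev.sender, *ev.recipients)
                 if domain_of(a) not in CORPORATE_DOMAINS)


def outgoing_outside_domain(events, channels=("Mail",)):
    """Outgoing messages on the chosen channels with any external party.

    Covers both cases the article's filters surface: corporate senders
    writing to external recipients, and users sending from a non-corporate
    (personal) account, which the inverted "Sender domain" filter reveals.
    """
    hits = []
    for ev in events:
        if ev.channel not in channels or ev.direction != "Outgoing":
            continue
        ext = external_parties(ev)
        if ext:
            hits.append((ev.user, ev.sender, ext, ev.attachments))
    return hits


def external_accounts(hits):
    """Per external address: message count and attachments, like the Account dimension."""
    summary = defaultdict(lambda: {"messages": 0, "attachments": []})
    for _user, _sender, ext, attachments in hits:
        for addr in ext:
            summary[addr]["messages"] += 1
            summary[addr]["attachments"].extend(attachments)
    return dict(summary)


# Constructed sample events (not real data).
MAIL = [
    MailEvent("2024-03-04 09:01", "ivanov", "Mail", "Outgoing", "ivanov@example.com",
              ("petrova@example.com",), "Meeting notes"),
    MailEvent("2024-03-04 09:20", "ivanov", "Mail", "Outgoing", "ivanov@example.com",
              ("partner@supplier.test", "petrova@example.com"), "Contract draft",
              ("contract.docx",)),
    MailEvent("2024-03-04 10:05", "sidorov", "Webmail", "Outgoing", "sidorov.home@mail.test",
              ("buddy@mail.test",), "clients", ("clients.xlsx",)),
    MailEvent("2024-03-04 10:30", "petrova", "Mail", "Incoming", "news@vendor.test",
              ("petrova@example.com",), "Newsletter"),
    MailEvent("2024-03-04 11:00", "sidorov", "Mail", "Outgoing", "sidorov@example.com",
              ("sidorov.home@mail.test",), "Fwd: price list", ("prices.pdf",)),
]

if __name__ == "__main__":
    hits = outgoing_outside_domain(MAIL, channels=("Mail", "Webmail"))
    for addr, info in external_accounts(hits).items():
        print(addr, info["messages"], info["attachments"])
```

Restricting `channels` to "Mail" reproduces the article's filter exactly; widening it to include "Webmail" also picks up the personal webmail account used from a browser, which is why the article asks for both modules to be enabled.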

Instant messengers

Messengers such as Skype, WhatsApp and Telegram are gaining popularity and now compete with e-mail for the title of most popular data leak channel. To monitor instant messaging, enable the «Instant messengers», «Network monitoring», «Screenshots» and «Keyboard input» modules.

Two popular variants of using filters with the «Instant message» event type:

1. Search for files and users which were transferring them.
2. Search for dictionary triggers — potential threats for a company.

For the first variant, choose «Messaging — Channel — Mail» and invert the selection to get all transfer channels except e-mail.

Choose «Intercepted files» as the event type to see the files intercepted on all transfer channels except e-mail.

The second variant is enabled by default and uses the predefined vocabularies of the «Curse words vocabulary» and «Credit cards» policies to show who used the listed words in communication.

For that, choose «Curse words vocabulary» in the «Triggered filters» dimension. The output is displayed in the right part of the window, the so-called «Lens».

In the «Application» dimension, choose the desired application for more details; if web versions of the messengers were used, specify the site in the «Website» dimension.
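The keyword search over clipboard text from the «Clipboard» section and the dictionary triggers of this section come down to the same thing: text captured from an application, checked against policy vocabularies. The added example below shows that check over constructed clipboard and instant-message records; it is not StaffCop's code and the article does not describe how its policies match. The vocabulary in DICTIONARIES is constructed, and the card-number trigger (a digit-run pattern plus a Luhn checksum) is an assumption about how such a policy might be implemented, included to show why a plain digit pattern alone would over-trigger.

```python
"""Dictionary and card-number triggers over clipboard and instant-message text.

Added illustration, not StaffCop's own code: the article names the
"Curse words vocabulary" and "Credit cards" policies but does not describe
how they match. Here a dictionary trigger is a case-insensitive phrase
match over a constructed vocabulary, and the card trigger is a digit-run
regex plus a Luhn check (an assumption about how such a trigger might work).
"""
import re
from dataclasses import dataclass

# Constructed vocabulary; stands in for the policies the article mentions.
DICTIONARIES = {
    "Confidential markers": ("confidential", "for internal use", "trade secret"),
}
# 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass(frozen=True)
class TextEvent:
    time: str
    user: str
    source: str        # "Clipboard" or "Instant message"
    application: str
    text: str


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def card_numbers(text: str) -> list:
    """Digit runs of card length that also pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def triggered_filters(ev: TextEvent) -> list:
    """Policy names this event triggers, like the "Triggered filters" dimension."""
    hits = []
    lowered = ev.text.lower()
    for name, phrases in DICTIONARIES.items():
        if any(p in lowered for p in phrases):
            hits.append(name)
    if card_numbers(ev.text):
        hits.append("Credit cards")
    return hits


def scan(events):
    """(user, source, application, policies) for each event that triggered a policy."""
    results = []
    for ev in events:
        hits = triggered_filters(ev)
        if hits:
            results.append((ev.user, ev.source, ev.application, hits))
    return results


# Constructed sample events (not real data).
TEXT_EVENTS = [
    TextEvent("2024-03-04 09:15", "ivanov", "Clipboard", "OUTLOOK.EXE",
              "Please see the attached draft, for internal use only."),
    TextEvent("2024-03-04 09:40", "petrova", "Instant message", "Telegram.exe",
              "lunch at 1?"),
    TextEvent("2024-03-04 10:12", "sidorov", "Instant message", "chrome.exe",
              "use my card 4111 1111 1111 1111, exp 12/26"),
    # Looks like a card number but fails the Luhn check: no trigger.
    TextEvent("2024-03-04 10:50", "sidorov", "Clipboard", "EXCEL.EXE",
              "order 4111 1111 1111 1112 confirmed"),
]

if __name__ == "__main__":
    for row in scan(TEXT_EVENTS):
        print(*row)
```

The fourth record is the edge case worth keeping in mind when tuning a vocabulary: a 16-digit order number matches the digit pattern but not the checksum, so only the third record lands in the «Lens» as a «Credit cards» trigger.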

Search query

Does a user google for ways of solving his job tasks or for a new job? The «Search query» event type helps to understand what exactly a user is loo

Websites visiting

Like search queries, a user's web browsing is categorized as productive or unproductive. The administrator evaluates the browsing history with the help of the «Web» event. The «Web traffic» and «Network monitoring» modules should be enabled.

Network

Malicious network connections are not always initiated by a user. A malicious application may be running on the computer, consuming computing resources or transferring information outside the corporate network. The administrator can determine which IP addresses and ports were used for connections in the «Network connections» event type. The «Network monitoring» module should be enabled.
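The kind of review the paragraph describes, grouping connection records by the application that made them and the external address and port they reached, as an added example rather than StaffCop's own code. The NetEvent field names are an assumption, the records are constructed, and INTERNAL_NETWORKS assumes the corporate address space is the RFC 1918 private ranges.

```python
"""Network-connection records grouped by application and external destination.

Added illustration, not StaffCop's own code: field names are an assumption,
the records are constructed, and INTERNAL_NETWORKS stands for the corporate
address ranges (here the RFC 1918 private ranges).
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class NetEvent:
    time: str
    computer: str
    user: str
    application: str
    remote_ip: str
    remote_port: int
    bytes_sent: int


def is_external(ip: str) -> bool:
    """True when the address lies outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def external_by_application(events):
    """Per application: distinct external (ip, port) pairs and total bytes sent."""
    summary = defaultdict(lambda: {"destinations": set(), "bytes_sent": 0})
    for ev in events:
        if not is_external(ev.remote_ip):
            continue
        entry = summary[ev.application]
        entry["destinations"].add((ev.remote_ip, ev.remote_port))
        entry["bytes_sent"] += ev.bytes_sent
    return dict(summary)


def off_port_external(events, expected_ports=(80, 443)):
    """External connections on ports other than the usual web ports.

    A first cut for review: traffic leaving the network on unexpected ports,
    especially from processes that no user launched.
    """
    return [(ev.computer, ev.user, ev.application, ev.remote_ip, ev.remote_port)
            for ev in events
            if is_external(ev.remote_ip) and ev.remote_port not in expected_ports]


# Constructed sample events (not real data; external addresses are from
# documentation ranges).
NET = [
    NetEvent("2024-03-04 09:05:11", "PC-07", "ivanov", "chrome.exe", "198.51.100.7", 443, 12_400),
    NetEvent("2024-03-04 09:06:02", "PC-07", "ivanov", "OUTLOOK.EXE", "10.0.0.25", 993, 3_000),
    NetEvent("2024-03-04 09:07:45", "PC-12", "petrova", "svchost.exe", "192.168.1.10", 445, 800),
    NetEvent("2024-03-04 09:08:30", "PC-03", "SYSTEM", "updater.exe", "203.0.113.44", 8443, 950_000),
    NetEvent("2024-03-04 09:38:30", "PC-03", "SYSTEM", "updater.exe", "203.0.113.44", 8443, 1_200_000),
]

if __name__ == "__main__":
    for app, info in external_by_application(NET).items():
        print(app, sorted(info["destinations"]), info["bytes_sent"])
    for row in off_port_external(NET):
        print(*row)
```

The summary keeps destinations as a set so a process that repeatedly contacts one address shows as a single destination with an accumulating byte count, which is the pattern the paragraph has in mind for a process moving data out of the network without a user at the keyboard.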

System log

The «System log» event type is used by the StaffCop support team to analyze the work of the system. The «Debug mode» module should be enabled.

Summary

Information security events in StaffCop Enterprise cover monitoring of file operations and network connections. A system administrator can track file operations from the moment of their creation, provided all the required modules are enabled and the system is correctly set up. Network connections and website visits do not go unnoticed and can be analyzed by the system administrator.