StaffCop Enterprise collects data in the form of events. This article explains which cybersecurity threats are registered as events, what actions can be taken on events of various kinds, and how you should react to threats.
Introduction
After reading this article, cybersecurity specialists and company executives will appreciate the advantages of the system if they are not already using StaffCop Enterprise. System administrators whose companies already use the system will get their current knowledge organized.
File operations
Information is stored in files. Users interact with files through applications. To determine what action was performed on a file, the administrator should understand the context of the event. The «File operation» event type receives all file operations made by users and applications. Events contain the time of the operation, the computer it was performed on, the name of the user, and the application that performed the operation. The table can be sorted by operation type: read, write, copy, move or delete.
Example: some files are missing from a network disk and the system administrator is trying to find out who deleted them. The administrator chooses the network drive type in the dimension panel to filter the output. The «Delete» file operation dimension narrows the results further. The administrator locates the required types of files by their file extensions. The resulting table shows which files were deleted and by which users. The administrator can print the table and attach it to the incident report for management.
Intercepted files
The «Intercepted file» event receives shadow copies of files that were sent by
Note: to receive shadow copies in the «Content» field, enable the «Shadow copying» module.
Example: when investigating an incident, the system administrator requests copies of files under a certain path. Files matching the path mask will be shadow copied.
Printing documents
Ink and paper seem an insignificant item of expenditure until employees start using corporate resources for their personal needs.
Records of the «Printing» event type display the user, the document and the time when the document was printed. The «Summary statistics» report shows the number of printed documents and pages per user in table form, and the total for the chosen period of time. The system administrator will see who printed books or documents for personal needs.
Clipboard
Users work with confidential data not only in files, but also in applications, for example,
The clipboard receives confidential information from internal documents. A search by the «Clipboard» event type combined with a keyword search displays events associated with sensitive information. The resulting filter can be saved for quick access later. To gain access to the text copied by a user, enable the «Clipboard» module in the configuration.
External drives
Example: by default, the system intercepts files copied to external drives. The system administrator can search by keywords in the content of intercepted files and save the query as a filter in order to get notifications when files containing the stated words are received.
The system will show which employees passed corporate or personal external drives around, and which files were copied and read. Such a selection helps to analyze the distribution of files within the company and build the corresponding relation graph.
The administrator will see which files were transferred to external drives, the source and destination paths, and which corporate information channels they passed through. They will see which users had access to the files and the instances of files being sent outside the corporate network. These selections of facts help in investigating incidents.
FTP
The system administrator knows when a user sends a request to FTP. The following details are intercepted for each session: username, password,
E-mail
Example: a popular action — view all the recipient addresses that don’t belong to your local domain, select all the users. Employees use
To reveal these events, choose the dimensions «Messaging — Channel — Mail» and «Messaging — Direction — Outgoing».
Add the dimension «Messaging — Sender domain» to the filter and choose the local company domain as the «Sender domain» and specify the
The system will show all the senders and recipients which sent
The required number of filters can be saved for future use to receive notifications on the
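The filter described above, outgoing mail from a local sender to at least one recipient outside the company domain, expressed as an added example (not StaffCop code or its export format); the event records and the company domain example.com are constructed for the example, and subdomains of the company domain are treated as local.

```python
# Added example: outgoing-mail filter modelled on the «Messaging» dimensions
# (Direction = Outgoing, Channel = Mail, Sender domain = local domain).
from collections import defaultdict

LOCAL_DOMAIN = "example.com"  # assumed company domain

# Constructed sample events: direction, channel, sender, recipients
EVENTS = [
    {"direction": "outgoing", "channel": "mail", "sender": "alice@example.com",
     "recipients": ["bob@example.com", "partner@vendor.org"]},
    {"direction": "outgoing", "channel": "mail", "sender": "carol@example.com",
     "recipients": ["dave@Example.COM"]},          # same domain, different case
    {"direction": "incoming", "channel": "mail", "sender": "news@outside.net",
     "recipients": ["alice@example.com"]},         # incoming: ignored
    {"direction": "outgoing", "channel": "skype", "sender": "alice@example.com",
     "recipients": ["friend@outside.net"]},        # not the mail channel: ignored
    {"direction": "outgoing", "channel": "mail", "sender": "erin@example.com",
     "recipients": ["erin@gmail.com", "hr@mail.example.com"]},
]

def domain_of(address):
    """Lower-cased domain part of an e-mail address ('' if there is no '@')."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""

def is_local(address, local_domain=LOCAL_DOMAIN):
    """True for the company domain itself and its subdomains (mail.example.com)."""
    d = domain_of(address)
    local = local_domain.lower()
    return d == local or d.endswith("." + local)

def outgoing_external_mail(events, local_domain=LOCAL_DOMAIN):
    """Keep outgoing mail events from a local sender with an external recipient.
    Returns {sender: sorted list of external recipient addresses}."""
    hits = defaultdict(set)
    for ev in events:
        if ev["direction"] != "outgoing" or ev["channel"] != "mail":
            continue
        if not is_local(ev["sender"], local_domain):
            continue
        for rcpt in ev["recipients"]:
            if not is_local(rcpt, local_domain):
                hits[ev["sender"]].add(rcpt)
    return {sender: sorted(rcpts) for sender, rcpts in hits.items()}

if __name__ == "__main__":
    for sender, rcpts in outgoing_external_mail(EVENTS).items():
        print(sender, "->", ", ".join(rcpts))
```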
Instant messengers
Messengers, such as Skype, WhatsApp and Telegram are gaining popularity and can compete now with
Two popular variants of using filters with the «Instant message» event type:
1. Search for transferred files and the users who transferred them.
2. Search for dictionary triggers — potential threats to the company.
For the first variant you should choose «Messaging — Channel — Mail» and invert all the results to select all transferring channels excluding
Choose «Intercepted files» as the Event type and see the files that were intercepted by all transferring channels excluding
The second variant is enabled by default and allows use of the predefined vocabularies in the «Curse words vocabulary» and «Credit cards» policies to see who used the listed words in communication.
For that, choose the «Curse words vocabulary» in the dimension «Triggered filters». The output will be displayed in the right part of the window — the
In the dimension — «Application» choose the desired application for more details, if the
Search query
Does a user google for ways of solving his job tasks or for a new job? The «Search query» event type helps to understand what exactly a user is loo
Websites visiting
Similar to search queries,
Network
Malicious network connections are not always initiated by a user. Perhaps a malicious application has been launched on the computer and is consuming computing resources or transferring information outside the corporate network. The administrator can define which
System log
The «System log» event type is used by the StaffCop support team to analyze the work of the system. The «Debug mode» module should be enabled.
Summary
Information security events in StaffCop Enterprise cover the monitoring of file operations and network connections. A system administrator can track file operations from the moment of a file's creation, provided all the required modules are enabled and the system is correctly set up. Network connections and website visits do not go unnoticed and can be analyzed by the system administrator.