Developers: | SearchInform |
First release date: | 2019/09/03 |
Last Release Date: | 2024/10/31 |
Technology: | Information Security - Information Leakage Prevention |
The main articles are:
- FileAuditor classifies documents in real time, finding critical information and tagging sensitive documents.
- The program monitors file operations and notifies you of changes made to documents.
- Archiving critical documents ensures that lost sensitive information can be recovered.
2024
Optimizing Document Copy Retrieval
The file audit and storage protection system "SearchInform FileAuditor" received an update that optimizes the function of finding copies of documents. The DCAP system now shows whether copies of a file exist when viewing it, and also allows detecting duplicates with lightweight search tools. SearchInform announced this on October 31, 2024.
When you view document information in the FileAuditor console, the Duplicates tab appears, listing copies of the file and the full path to where they are stored. The function works for any file and is also available from the context menu: just right-click the file name in the list and select the "Find all duplicates" option. If the information security service needs to check whether there are copies of a particular document in the storages, they can be found through the search panel using a sample file or its hash sum. The search can be narrowed by excluding the known location of the file: then only unaccounted storage locations will appear in the results.
The added tools in FileAuditor solve two problems at once. First, searching for duplicates helps detect unaccounted copies of sensitive data that must be stored only in specified locations. Second, a quick summary of duplicates helps assess how much disk space copies consume, and free it.
"The system considers only files that fully match by hash sum as duplicates. Therefore, deleting extra copies will not lead to data loss or disruption of business processes," explained Alexey Parfentiev, Deputy General Director for Innovation at SearchInform. "Both information security and IT departments have to deal with the problem of unaccounted, or simply redundant, copies. Working on the functionality and interface of products, we rely on the practical needs of customers. Therefore, we strive to make sure that any tasks are solved simply with their help. This also works with searching for copies in FileAuditor: conveniently and efficiently." |
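The duplicate search described above, as an added illustration that is not FileAuditor's own code: files are grouped by full-content SHA-256 (so only byte-identical files count as duplicates), copies of a sample hash are listed with the sanctioned location excluded, and the space that the extra copies consume is summed. The share layout and file contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of_file(path, chunk_size=1 << 20):
    """Full-content hash, streamed so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def index_by_hash(roots):
    """Walk every root and group file paths by content hash.
    Only byte-identical files share a key, mirroring the 'full hash match' rule."""
    groups = defaultdict(list)
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                groups[sha256_of_file(path)].append(path)
    return groups


def find_copies(groups, file_hash, exclude_root=None):
    """All locations of a given hash; with exclude_root set, only copies that live
    outside the known (sanctioned) location are returned."""
    paths = groups.get(file_hash, [])
    if exclude_root is None:
        return sorted(paths)
    excluded = os.path.abspath(exclude_root) + os.sep
    return sorted(p for p in paths if not os.path.abspath(p).startswith(excluded))


def reclaimable_bytes(groups):
    """Disk space that would be freed by keeping one copy per duplicate group."""
    total = 0
    for paths in groups.values():
        if len(paths) > 1:
            total += os.path.getsize(paths[0]) * (len(paths) - 1)
    return total


def build_demo_store():
    """Constructed sample: a sanctioned 'hr' share plus a 'sales' share holding stray copies."""
    root = tempfile.mkdtemp(prefix="dcap_demo_")
    scan = b"%PDF-1.4 constructed passport scan bytes"  # 40 bytes
    layout = {
        "hr/passport_scan.pdf": scan,                    # the sanctioned original
        "sales/backup/passport_scan_copy.pdf": scan,     # exact copy, unaccounted
        "sales/old/scan.bak": scan,                      # exact copy under another name
        "sales/pricelist.xlsx": b"constructed price list",
        "sales/pricelist_v2.xlsx": b"constructed price list v2",  # near-duplicate, different hash
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


def demo():
    """Index the constructed store and report duplicates of the HR passport scan."""
    root = build_demo_store()
    groups = index_by_hash([root])
    sample_hash = sha256_of_file(os.path.join(root, "hr", "passport_scan.pdf"))
    stray = find_copies(groups, sample_hash, exclude_root=os.path.join(root, "hr"))
    return {
        "all_copies": len(find_copies(groups, sample_hash)),
        "stray_copies": len(stray),
        "stray_paths": [os.path.relpath(p, root) for p in stray],
        "reclaimable": reclaimable_bytes(groups),
    }


if __name__ == "__main__":
    print(demo())
```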
Obtaining a patent for file stream interception technology
SearchInform has patented a technology for intercepting file streams. The company announced this on May 22, 2024.
The solution is at the heart of SearchInform FileAuditor.
DCAP systems classify files by content and restrict access to them if the specified conditions are not met. Most systems of this class build restrictions on the level of user rights in the operating system: for example, to read a file it is enough to open it under a regular user account, while changing it already requires administrator rights. Such restrictions can be configured with OS tools, but they apply to specific files or directories and to specific accounts. In FileAuditor, restrictions are arranged differently. They apply at once to all files of a given category (for example, those containing personal data) and act on the processes that try to access the file. For example, locks in FileAuditor can deny all graphic editors access to passport scans to prevent document tampering.
"To implement such a lock, FileAuditor components act as kernel mode drivers. Unlike user mode, these drivers are not tied to accounts in the operating system and interact directly with file streams, the sequences of bytes in which file data is actually 'written' to the PC memory. FileAuditor embeds its content classification label into the file stream, making it as if 'part' of the file, which is almost impossible to remove or delete. This label becomes a kind of 'instruction' for applications on when and how they can interact with the file," said Alexey Parfentiev, head of analytics at SearchInform. |
The labels are invisible to users and are inherited through various actions with files, including copying, renaming, changing the extension and moving. FileAuditor automatically rechecks the presence of labels and applies them even to files that are recreated on the basis of confidential documents. This ensures continuous monitoring. Access prohibitions apply to any application: it is enough to set the blocking conditions and the name of the process for which the file will be opened or blocked when those conditions are met. You can specify an arbitrary process, from an OS service to custom enterprise software. Locks are applied by label for selected users, PCs, directories, files with certain attributes and other criteria that can be flexibly configured.
"This is a completely uncharacteristic approach for DCAP solutions: most are limited to linking 'access delimitation' to formal characteristics, file attributes. This is, for example, name, size, extension, location. As soon as one of the characteristics changes, the blocking will cease to work. Our restrictions are tied to labels, that is, to content, exactly what really needs protection. After all, for example, it is important for a design institute to protect specific drawings, and not all .DWG files. This is the uniqueness of our development," said Alexey Parfentiev. |
Support for cloud classification of files
"SearchInform FileAuditor" supported the classification of files in the clouds. SearchInform announced this on April 24, 2024.
Now the DCAP system is able to analyze documents in cloud storage, connecting to them using the WebDAV protocol.
An information security analyst in the program console will see a tree of folders and files in the cloud with labels. The label will tell you what is contained inside the file.
In addition to the 400+ ready-made automatic classification rules in the system, you can create your own. Thanks to such markup, it is clear which files require special control and protection, and an information security specialist does not need to spend time studying content during an investigation. The program can read such popular cloud storages as Yandex.Disk, Mail.ru Cloud, NextCloud, etc., which run on WebDAV. Optionally, access via this protocol can be enabled in almost any cloud.
"WebDAV is another format for transmitting data, like FTP or HTTP. It is widespread, so with its support FileAuditor significantly expands the list of protected storages. Audit and content analysis of files in the clouds will allow you to put things in order there and understand exactly what lies in them and can be vulnerable," said Alexey Parfentiev, head of analytics at SearchInform. |
In addition to WebDAV, FileAuditor also works with FTP, SFTP, SMB, DFS and NFS in network scanning mode, reads Windows file logs and Active Directory logs, and integrates with NetApp and Exchange servers. At the local level, FileAuditor agents control any storage and PCs running Windows, Linux and MacOS, and seamless integration with the Huawei OceanStor and Dorado storage lines is implemented. This makes the DCAP system from SearchInform a universal tool for monitoring and protecting confidential documents in any infrastructure.
Linux Version Presented
On April 17, 2024, SearchInform introduced a version of the FileAuditor DCAP system for the Linux operating system. Information security specialists can control any data stores deployed in free-distribution environments, as well as on import-substituted operating systems.
FileAuditor scans file stores, classifies data by content (PD, contracts, accounts, files with passwords, etc.), and assigns hidden labels to categories. According to them, the system identifies vulnerable content and monitors where it is stored and to whom it is available. Classification rules are configured in a simple constructor and support 8 intelligent searches, including OCR content analysis. It supports control of network folders and file servers over the network, as well as user PCs using the agent.
"We are working to ensure that all our products are cross-platform and suitable for work in import-replaced infrastructures. From the very beginning, FileAuditor provided audit of network storage on Linux, and now it gives full control at all levels: from file servers and shared folders to user computers," said Alexey Parfentiev, head of analytics at SearchInform. |
The system also has pre-installed classification rules. There are more than 200 of them, covering the main types of personal data, financial documents, intellectual property, etc. Each template can be modified to suit your needs. Ready-made rules simplify the work of information security specialists and help to find data of certain categories quickly and efficiently from the moment the system is first switched on, without special configuration.
Ability to change access rights to a file in one click
SearchInform FileAuditor simplifies file access control for incident response. SearchInform announced this on March 13, 2024.
Now the DCAP system will allow you to change access rights in one click and prohibit users from using and moving files.
Until the information security service moves the file to a secure store, it will be isolated: users will not be able to open, move or copy it, make changes to it. Thus, FileAuditor will allow information security specialists to devote sufficient time to investigating the violation and neutralizing it.
This feature is called Become Exclusive Owner. It transfers access rights to the file only to an information security specialist working with FileAuditor.
"Previously, FileAuditor already had the ability to change access rights, for example, using flexible content locks. They allowed you to prohibit working with a file in any application, but could not quickly isolate the file if a violation was found. Now such an opportunity has appeared, in one click and immediately for all users," said Alexey Parfentiev, head of the analytics department at SearchInform. |
You can enable the option from the context menu when selecting a file. At the same time, you need to make sure that users cannot elevate their access rights to the administrator level, so that they cannot restore access to the selected files themselves.
2023
Support for reading Windows, Active Directory and NetApp storage logs
The DCAP system "SearchInform FileAuditor" now supports auditing rights and file operations in network storages on which the agent is not installed (the agent is a component of the system that is installed locally and provides local control). The program now reads Windows logs where user activity with files is recorded, as well as Active Directory logs with information on changes in user rights. SearchInform announced this on December 11, 2023.
Previously, reading of file operations was available only with the agent installed; over the network, only content analysis of files in repositories was carried out. The integration makes it possible to quickly obtain data about operations at the network level. The information from AD completes the picture, showing, for example, a temporary change of a user's rights by an administrator, their inclusion in a privileged group, or unauthorized revocation of rights.
"Let's emphasize the importance of the changes that we implemented in FileAuditor. First, there is no functional difference between the agent and server storage scanning models. File analysis, categorization, tagging, file operations, changes in access rights: all this is now available both when installing the agent and without it. Second, we are expanding the list of supported storage facilities," commented Alexey Parfentiev, head of analytics at SearchInform. |
The refinement makes it possible to control storage systems with atypical file systems or in cases where agent installation is inconvenient or impossible, for example, if you need to read a separate network folder rather than the entire storage. Agentless scanning saves resources. In the same way, FileAuditor works with NetApp, a storage system previously unavailable for auditing. Coupled with support for FTP, SMB, DFS, NFS and NTFS and integration with the entire Huawei OceanStor and Dorado line, this makes the program universal for controlling file storage in any infrastructure.
AAServer - component to speed up image analysis
A component for speeding up image analysis has appeared in SearchInform FileAuditor. This was announced on December 6, 2023 by representatives of the SearchInform company.
In particular, to extract text from images when performing a network scan, an additional AAServer component is used, specially created for analyzing graphics and media.
Graphic files, such as scans of documents in PDF, risk being unprotected if the criticality of their content is not determined in time. However, content analysis for graphics is "heavy" and can significantly load the system.
"AAServer optimizes the load: graphics processing can run separately and not consume the resources of the main FileAuditor server. And local analysis on file servers can now run in several threads: files will not 'stand' in one processing queue," said Alexey Parfentiev, head of analytics at SearchInform. |
The improvements significantly increase system performance, removing the architectural limitations inherent in many solutions of this class. The AAServer component, as well as the transfer of multithreaded analysis to agents, makes it possible to use the customer's computing equipment to the fullest. Previously, performance was limited to the part of the main DCAP server allocated for OCR analysis.
Ability to scan a Microsoft Exchange mail server
The DCAP system SearchInform FileAuditor can now scan the content of the MS Exchange mail server and analyze all corporate emails, attachments and mail drafts. The feature was implemented as part of the November product update, SearchInform said on November 30, 2023.
FileAuditor directly connects to the mail server and analyzes letters "at rest," even those that are not stored locally. For example, if a user logs into work mail from a device that is not under the control of security systems and creates a draft with confidential information, this will be in the scope of the information security service thanks to an audit of the DCAP system.
"Mail control is the basic task of internal information security; previously it was impossible to implement it with DCAP, although the mail server is a data store like any other. Thanks to FileAuditor, the information security service immediately sees what information is exchanged in the company: the system analyzes the contents of each letter and marks it depending on the category of content," explained Alexey Parfentiev, head of analytics at SearchInform. |
The integration makes it possible to control individual mailboxes, the mail of user groups, or all mailboxes of the corporate domain. FileAuditor analyzes the content of mail and notifies the information security service if it finds confidential information. And when used as part of the platform together with the DLP system "SearchInform CIB," the possibilities are expanded: sending can be blocked based on FileAuditor labels.
Earlier, SearchInform reported an increase in FileAuditor performance when processing graphics, as well as when scanning file servers locally.
Availability on the Эффективность.рф platform
Information security solutions "SearchInform" are available on the "Эффективность.рф" platform. This was announced by SearchInform on July 6, 2023. SearchInform has presented 3 products and 3 services for placement on the platform, including SearchInform FileAuditor. Read more here.
Integration with VeiL ECP platform
The domestic information security vendor SearchInform and the enterprise Research Institute Scale have completed the integration of their solutions. The DLP system "SearchInform CIB" and the DCAP system "SearchInform FileAuditor" have passed the compatibility test with the VeiL ECP cloud platform. SearchInform announced this on April 20, 2023. Read more here.
Enterprise File Server Control
On April 25, 2023, SearchInform introduced an update to the DCAP system "SearchInform FileAuditor": it can now control corporate file servers connected via FTP. The File Transfer Protocol is still common among enterprise customers and is used to transfer large volumes of information: archives, documents, databases, drawings, software and other large files. Therefore, files transferred over an FTP connection need full control.
In terms of functionality, FTP scanning in SearchInform FileAuditor works in the same way as scanning network folders, that is, it does not depend on the file server OS.
"FTP servers are widely used in companies to transfer 'heavy' data and documents, including for the exchange of information with external recipients. Therefore, data stored on such servers also requires categorization, classification and protection," said Alexey Parfentiev, head of the SearchInform analytics department. |
Automatic detection of more than 80 types of PD and office documents
On March 17, 2023, SearchInform introduced an update to the SearchInform FileAuditor DCAP system. The program is designed to search, categorize and protect confidential files in company vaults. Now the system has pre-installed rules for classifying office documents. This makes it easier for information security specialists to search for standard documents of certain categories.
To get started, just select the required rule from the list. For convenience, templates are divided into thematic groups, for example: intellectual property, financial information, payment data, password storage, etc. There are more than 80 categories in the groups, including dozens of types of personal data, correspondence, documents with stamps, contracts, acts, invoices, personnel, financial and tax documents, etc. The rules can be customized, or you can simply enable them and processing will begin automatically. After checking against a rule, FileAuditor tags files according to their classification; you can then easily search for documents in the common array by labels, or configure access locks to avoid leaks.
"The update allows you to solve the vast majority of typical tasks when organizing document management and secure storage of leak-sensitive files. Now, to start work, you do not need to delve into fine-grained settings: the audit will begin in one click according to pre-created rules. This saves the time and effort of information security specialists in adapting the solution to real business tasks," said Alexey Parfentiev, head of the SearchInform analytics department. |
2022
Transition to PostgreSQL DBMS
On December 1, 2022, SearchInform released an update to the DCAP system "SearchInform FileAuditor": now all information about file operations, access rights and the results of document classification is recorded in a PostgreSQL database.
"In 2022, serious changes took place in the field of information security: companies had to rebuild processes and switch more actively to domestic systems. Some organizations needed protective solutions that did not include any foreign components. We have answered this request before, and support for the PostgreSQL DBMS is one of the steps towards final import independence. Now 'SearchInform FileAuditor' does not depend on foreign solutions either at the system or at the application level," said Alexey Parfentiev, head of analytics at SearchInform. |
File storage scanning over the network is implemented using the SMB protocol and does not depend on the OS. In the DCAP system, control can also be organized through the web console, which makes it possible to use the system on any OS and device where there is a browser.
Release of FileAuditor for MacOS
The updated release of the DCAP system "SearchInform FileAuditor" introduced functionality that makes it possible to protect documents on corporate devices running MacOS. SearchInform announced this on July 29, 2022. In particular, information security specialists will be able to find any vulnerable documents on employees' PCs and in file storages thanks to full data indexing. And users will be able to add manual classification labels to files directly from the context menu. This way you can protect files of any format, including executables (programs and applications) as well as archives.
Manual tags are placed in the form of stamps that are attached to the file icon - so employees immediately see that the documents are not intended for prying eyes. Labels can be customized: they can be named in accordance with the recommended level of access ("Confidential," "Business Use," "Public," etc.), with the content of the document ("Contracts," "Quotations") or any other characteristics ("For Accounting," "To the Annual Report," etc.).
Users to whom the information security service grants such rights will be able to independently mark the documents they work with. To do this, just right-click on the file and select the desired label from the context menu. At the same time, the information security service receives a visual report on which files received manual tags, and which users set them. And indexing all files on employees' PCs will allow the information security service to quickly search for confidential content in them to check whether the tags are set correctly.
"MacOS is one of the most closed operating systems, but built-in security features are objectively lacking to ensure the right level of privacy for corporate customers. Therefore, in 2022 we adapted the SearchInform CIB DLP system for MacOS, and have now released a special version of FileAuditor. The company was guided by the practical tasks of customers: in order to fully protect itself, it is important to find all vulnerable documents and give ordinary users an understanding that this information is important and not subject to disclosure. Manual labels unequivocally reflect this. In addition, companies will be able to involve employees in marking documents; after all, the owner of the document often understands best how confidential it is. The big thing is that you can mark up any files, so the warning system will cover all critical data without exception," said Alexey Parfentiev, Head of Analytics at SearchInform. |
Inclusion in Indonesia's national electronic catalogue
"SearchInform FileAuditor" and "SearchInform Risk Monitor" are included in Indonesia's national electronic catalog. This was announced on June 3, 2022 by SearchInform.
This is a system with which state institutions of the country can find detailed information about the product they are interested in, as well as make electronic procurements. Placement in the system will help to promote SearchInform's Russian software in the region, as well as allow the IT company's solutions to freely participate in state tenders. Before inclusion in the catalog, the software is checked, then it is added to the national, branch or regional sections.
The national electronic catalog included products that SearchInform is actively promoting abroad. "SearchInform FileAuditor" - DCAP - a system for automated auditing of the file system, searching for access rights violations, changes in data, prohibiting actions with them. SearchInform Risk Monitor is the brand under which SearchInform promotes its DLP system abroad. Both solutions are in demand in the markets of Latin America, the Middle East, South Africa and Southeast Asia, including Indonesia.
"We have been operating in Indonesia since 2019. The appearance of the DLP and DCAP systems in the national catalog confirms their quality and relevance, increases brand confidence, and also opens up additional opportunities in the market: participation in government tenders. We plan to continue to increase sales in Indonesia and expand our presence in Southeast Asia," shared Sergey Ozhegov, CEO of SearchInform. |
2021
Integration of privacy labels in MS Office
On August 23, 2021, SearchInform introduced an update to the SearchInform FileAuditor DCAP system. Now the system allows you to specify the level of confidentiality of documents directly in the interface of Microsoft Office applications. For example, if top managers do not want ordinary employees to be able to read a document with internal regulations of the board of directors, they will be able to mark the corresponding files - and the system will apply the required restrictions to them.
The task is solved by labels that can be assigned to a file when working with it in Word, Excel, PowerPoint, etc. FileAuditor labels are placed in one click in the control panel of the office editor and allow you to manually set one of five privacy levels: "Public," "Business Use," "Secret," "Top Secret" and "Special Importance."
For each category of manual labels, flexible protection criteria are available, which are centrally configured by the information security service in the FileAuditor console. For example, you can set a rule so that documents labeled "For business use" cannot be forwarded in Outlook, Telegram or any other applications. Or prevent everyone except the selected users and groups from reading the file labeled "Top Secret." The program also allows you to limit on which PCs and to whom the arrangement of such tags will be available - for example, only to the top management of the company.
"Typically, DCAP solutions are focused on protecting documents in large amounts of data, when it is not possible to manually find all files containing confidential information. FileAuditor copes well with identifying vulnerable documents and protecting them; the system implements a technology to block access to a file in arbitrary applications. However, sometimes you do not need to look for anything: you need to protect a specific important document right now. Previously, information security specialists would have to adjust the system to detect it and take it under protection. We took a shorter path: the author of the document can set a privacy mark by which the system will understand its value and apply control rules," said Alexey Parfentiev, head of analytics at SearchInform. |
SearchInform FileAuditor finds and sorts vulnerable documents in file stores. The program automatically marks all documents with critical content (personal data, password files, contracts, financial statements, etc.) and takes control of the operations that users make with them. The system allows you to control access to specified categories of files - prohibit reading, editing, forwarding documents. Manual tags enrich this functionality and provide additional protection to the most critical files. The results of manual "markup" and automatic classification can be combined. For example, if a document from the Financial category gets the label Top Secret, you can create a general rule by which only the chief accountant can work with the file.
In FileAuditor, the information security service receives a visual report on who set manual tags and when, and what operations were performed on marked files, in particular who tried to open such documents without the necessary access rights. And manual tags inform ordinary users about the security measures taken in the company. Opening a labeled document, the employee will see privacy stamps in the form of headers, footers and watermarks. If such a document nevertheless leaks outside the company, this will indicate a deliberate leak of information: the employee saw the stamp "For official use," knew that the document was not intended for prying eyes, and therefore deliberately committed a violation. In the event of a trial with insiders, this will serve as further evidence.
Integration with OceanStor
On April 16, Huawei and SearchInform introduced the integrated OceanStor + FileAuditor solution. The OceanStor line includes more than a dozen solutions for reliable storage and ultra-fast processing of data in corporate IT infrastructure. Thanks to the integration with FileAuditor, in any data arrays inside the storage system you can automatically identify the most vulnerable ones (PD, trade secrets, log files, etc.), tag them by category and flexibly configure control over their life cycle.
{{quote "Huawei OceanStor series storage systems are popular with our corporate customers. In order to minimize the constantly growing risks in the field of information security, together with our partner SearchInform we have developed a comprehensive solution," comments Wang Qian, Head of Storage Systems, Huawei Enterprise in Russia. "It will enable our customers to improve the reliability and cost-effectiveness of storing, managing and processing their data."}}
"The integration of OceanStor and FileAuditor gives the user a ready-made solution to keep data in order and secure. It is especially important that protection extends not only to data inside the storage system, but also to cases when third-party applications interact with it. For example, FileAuditor will allow you to prohibit opening documents from the OceanStor store in text editors or forwarding them by mail or instant messengers. It turns out that security incidents can be prevented in advance and the risk of data loss is minimized; this is what customers are waiting for," says Sergey Ozhegov, General Director of SearchInform. "This is the result of a lot of collaboration, and we expect that our cooperation with Huawei will develop: there are many plans ahead to make FileAuditor even more convenient for OceanStor users." |
Order in Files and Folders: Access Control and Leak Protection
In March 2021, TAdviser published a joint material with SearchInform explaining the principles of the DCAP system. Read more here.
Add Anti-Unauthorized Access Protection
SearchInform FileAuditor provides protection against unauthorized access, changes and data leaks. SearchInform announced this on March 3, 2021.
Now the DCAP system "SearchInform FileAuditor" automatically blocks unwanted actions with files depending on their content.
SearchInform FileAuditor is a solution for auditing file systems: the program finds confidential documents on users' PCs and controls actions with them. The latest version of the software added the ability to block access to and transfer of confidential files in any arbitrary application.
The task is solved using labels that are automatically assigned to files depending on their category: "commercial secret," "PD," "contracts," "financial statements," "files with passwords," etc. Then permissions and prohibitions are configured by label: which users, on which PCs and in which applications may open and change them. For example, in FileAuditor you can prohibit sending files with the "PD" label over any channel, be it a corporate messenger or Telegram. The user simply will not be able to attach such documents and will receive an error notification. You can allow only the director to work with documents of the "Confidential" category in MS Office; then all other users, even having access to such a file, will not be able to open it.
The labels are invisible to users and are inherited through various actions with files, including copying, renaming and changing the extension. FileAuditor automatically rechecks the presence of labels and applies them to files that are newly created on the basis of confidential documents. This ensures continuous monitoring.
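The label-driven access model described here and in the 2021 MS Office section above (deny by manual label, by automatic category, by application, with exempt users, and labels that survive copying or renaming), as an added model that is not FileAuditor's own code. The rule set, user names and process names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    """A file as the DCAP system sees it: automatic content categories plus an
    optional manual privacy level set by the author in the office editor."""
    path: str
    auto: frozenset                 # e.g. {"Financial", "PD"} from content classification
    manual: Optional[str] = None    # e.g. "Top Secret", or None if nobody set one

    def copied_to(self, new_path):
        # Labels travel with the content: a copy, rename or extension change keeps them.
        return Document(new_path, self.auto, self.manual)


@dataclass(frozen=True)
class DenyRule:
    """One blocking condition, configured centrally by the security team."""
    name: str
    actions: frozenset                     # subset of {"read", "edit", "send"}
    manual: Optional[str] = None           # required manual label, None = any
    category: Optional[str] = None         # required automatic category, None = any
    processes: frozenset = frozenset()     # only these applications; empty = any
    except_users: frozenset = frozenset()  # users the block does not apply to

    def applies(self, doc, user, process, action):
        if action not in self.actions:
            return False
        if self.manual is not None and doc.manual != self.manual:
            return False
        if self.category is not None and self.category not in doc.auto:
            return False
        if self.processes and process not in self.processes:
            return False
        return user not in self.except_users


def decide(rules, doc, user, process, action):
    """Files are open by default; the first matching deny rule blocks the operation,
    and its name is returned so the event can be logged with a reason."""
    for rule in rules:
        if rule.applies(doc, user, process, action):
            return ("deny", rule.name)
    return ("allow", None)


# Constructed rule set mirroring the page's examples (process and user names are assumptions).
RULES = (
    # "Business Use" documents may be read, but not forwarded by any application.
    DenyRule("business-use-no-forwarding", frozenset({"send"}), manual="Business Use"),
    # Passport scans (category PD) may not be opened in graphic editors.
    DenyRule("pd-no-graphics-editors", frozenset({"read", "edit"}), category="PD",
             processes=frozenset({"mspaint.exe", "gimp.exe"})),
    # Financial + Top Secret: only the chief accountant may work with the file at all.
    DenyRule("financial-top-secret-chief-accountant-only",
             frozenset({"read", "edit", "send"}), manual="Top Secret", category="Financial",
             except_users=frozenset({"chief_accountant"})),
)


def demo():
    """Walk through the scenarios from the text and return the decisions."""
    contract = Document(r"\\share\legal\contract.docx", frozenset({"Contracts"}), "Business Use")
    passport = Document(r"\\share\hr\passport.png", frozenset({"PD"}))
    report = Document(r"\\share\fin\q3.xlsx", frozenset({"Financial"}), "Top Secret")
    renamed = report.copied_to(r"C:\Users\cfo\Desktop\notes.txt")  # extension changed, labels kept
    return {
        "send_business_use": decide(RULES, contract, "analyst", "outlook.exe", "send"),
        "read_business_use": decide(RULES, contract, "analyst", "winword.exe", "read"),
        "pd_in_paint": decide(RULES, passport, "clerk", "mspaint.exe", "read"),
        "pd_in_word": decide(RULES, passport, "clerk", "winword.exe", "read"),
        "cfo_reads_report": decide(RULES, report, "cfo", "excel.exe", "read"),
        "accountant_reads_report": decide(RULES, report, "chief_accountant", "excel.exe", "read"),
        "cfo_reads_renamed_copy": decide(RULES, renamed, "cfo", "notepad.exe", "read"),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:26s} -> {outcome}")
```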
"The standard solution on the Russian information security market for protecting sensitive files is to block them from being sent using DLP. But this technology has flaws: it does not protect against unauthorized edits or deletion of files; in addition, you need to constantly support updates of the OS, browsers and instant messengers, otherwise the blocks stop working.
In FileAuditor, we implemented blocking not only of forwarding, but also of working with confidential files in any application, from mail to a graphics editor. You need not worry that the security system does not support the corporate messenger or the updated OS: the FileAuditor restrictions work deeper, at the level of receiving data from the file system," says Lev Matveev, Chairman of the Board of Directors of SearchInform.
An additional benefit of this approach is efficiency. For comparison, DLP reads each sent file separately to find sensitive content and check whether it meets the blocking criteria, which takes more time and resources. In FileAuditor, the information about whether actions on a file are allowed or prohibited is stored in the label; the program reads it and acts instantly. FileAuditor also works autonomously and can protect confidential files even in companies where no DLP is installed.
In conjunction with DLP, the functionality of the program multiplies: not only attempts to send the entire file are controlled, but also excerpts from it, for example text copied into a message or into the body of an e-mail.
2020: Review of SearchInform FileAuditor
Imagine the situation: a study that cost you a fortune suddenly ends up on the Web, because instead of ten top managers the entire team got access to it, and someone "shared" it without seeing any great secret in the document. Or management plans to cut back on quarterly bonuses, and employees saw the draft plan in a shared folder and were outraged. Or a disgruntled sysadmin deleted the entire accounting archive for the year, and tax reports are due tomorrow. What is to be done?
All of these are serious information security incidents, but to protect against them it is no longer enough to track the movement of data outside the organization. It is important to know who works with confidential files inside the company and how, and who has access they do not need in practice, which carries a potential risk. These questions are answered by SearchInform FileAuditor, the first domestic product of the DCAP class (data-centric audit and protection: audit and protection with a focus on data).
Introduction
There seem to be enough tools for controlling confidential documents: eDiscovery solutions find them in any corner of the corporate IT infrastructure, built-in OS tools control access to them, DLP systems establish which user interacted with them - for example, printed or sent.
However, none of these tools handles the task comprehensively. OS tools control access to files as "containers" without regard to their content; without knowing the value of the information inside, this is ineffective. eDiscovery does not audit changes and access rights. Finally, DLP solutions do not treat actions on confidential files as violations unless the files leave the corporate network.
To really protect sensitive data within the organization, you need to continuously monitor the contents of files and single out the most significant ones, control their movement, modification and deletion, visualize who in the team works with them, and notify about violations of security rules. This level of detail in file system auditing is provided by SearchInform FileAuditor. Let's take a closer look at its capabilities.
Solution Architecture
"SearchInform FileAuditor" has a classic client-server architecture.
The server part is responsible for installing and managing agents: it allows you to connect/disconnect agents, select computers and individual folders for monitoring and configure scanning rules. Monitoring data is written to databases running on MS SQL, and storage is configured here for archiving critical files.
The main functions for collecting and analyzing data from file systems are performed by the agent component and the network scanning service.
System agents are installed on endpoints and allow monitoring at the workstation and/or file server level. The network scanning service monitors network storage and interacts with it over the SMB protocol, so scanning is possible on any device regardless of its OS.
Functionality
FileAuditor solves the following task groups:
- File storage monitoring.
- Detection and classification of sensitive data.
- Archiving of critical documents.
- Audit of access rights.
- Control of user actions.
- Security Incident Management.
Let's analyze each of them in more detail.
Storage monitoring
FileAuditor continuously monitors endpoints to quickly detect changes in files and folders. You can flexibly configure monitoring boundaries - from PC groups and servers to individual machines and directories.
During the first scan, the program reads the entire structure and content of the files on the monitored machines. Afterwards, the system's "field of view" primarily includes the files and folders that users accessed: opened, edited, deleted, created, renamed or moved. Changes on employees' PCs are monitored in real time, so the information security specialist always has an up-to-date picture of what is happening with the company's data. Primary content and context analysis of files also takes place right at the endpoints; this functionality is implemented on the vendor's own search engine. Despite the scope of work, agents are invisible to users and do not slow down the controlled machines. This is achieved through the settings:
- Check schedules (for example, only outside working hours).
- Check conditions (for example, only if CPU usage is below N%, only when there are no active sessions, etc.).
- Scan speed (can be reduced to ease the infrastructure load).
Some files and folders can be excluded from scanning to save time. For example, there is no need to spend software resources and time analyzing system files. Exclusions can be defined flexibly by attribute, name, location and more.
All information about the progress of reading directories and files according to FileAuditor rules is available on the Scan Statistics tab. General statistics for all computers and network resources are available, as well as detailed scan reports for individual devices. Information security specialists can see when the last scan ran and how long it took, how many files were checked and how much space they occupy, which categories the information in them falls into and whether any errors occurred during reading.
Data classification
Unlike traditional file system controls, FileAuditor classifies files not only by name or location. The program analyzes the contents of files, divides them into categories and distinguishes confidential ones among them. To do this, classification rules are preset - what key features a file must have in order to fall into a particular category.
The program can search by the following characteristics:
- Keywords, phrases and character sequences (foreign-language inserts, @, No., $, %, etc.). Keyword search with morphology is supported, i.e. in modified word forms. You can refine the search by specifying how many times the search words and phrases must appear in the document. If you search for several keywords at once, you can specify the maximum distance between them in the document for the combination to count as significant.
- By dictionaries. The program has a built-in editor that automatically converts any sample text loaded by the user into a ready-made dictionary. This type of search is useful for singling out thematic categories of documents: for example, a file is considered to fall into the category "financial documents" if it contains at least 5 expressions from the dictionary of accounting terminology.
- By regular expressions. The program has a convenient editor for creating regular expressions with a virtual keyboard of ready-made elements of the search formula, each accompanied by a detailed comment. You can create complex regular expressions that combine several conditions in a single search. For example, a classification rule may match only files in which at least 5 combinations of a card number and a three-digit CVC/CVV code are found together. In addition, you can immediately make sure that the expression works correctly: a validation field is available where you can enter an example of the desired character combination and test whether the system recognizes it.
- By attributes. This criterion applies the classification rule only to files of a certain type or size, created or changed in a given interval, stored in a certain directory, etc.
One rule can combine several types of search at once, the criteria are combined using logical operators. For convenience, the system has ready-made rule templates that are easy to adapt to your organization's needs. You can also create and use your own templates.
Classification rules can be applied to all files in the corporate infrastructure or to individual machines/directories. As a result, all relevant information within the company will be sorted into categories - "Office Files," "Contracts," "Prices," "Personal Data," etc. The system will find all files related to them, wherever they are, and put the corresponding "tags" on them.
This markup is rendered as color markers. When viewing the contents of a file in Text Only mode, the fragments on the basis of which the program assigned the file to the given category are highlighted.
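To make the rule mechanics concrete, here is an added example (not FileAuditor's own code or engine) of how the four criterion types described above can be composed with logical operators into classification rules and applied to a few constructed sample files. Morphological search is approximated by prefix matching, the rule names, thresholds and sample texts are assumptions, and each rule returns the matched fragments that a console could highlight; the last helper shows how rerunning classification after an edit reveals that a file no longer qualifies for a category.

```python
import re
from typing import Callable, Optional

# A criterion takes (attributes, text) and returns the matched fragments,
# or None when the file does not satisfy it.
Criterion = Callable[[dict, str], Optional[list]]

def keyword_criterion(words: list, min_count: int = 1) -> Criterion:
    # Morphology is approximated by prefix matching ("contract" also hits
    # "contracts"); this is an assumption, not the product's real morphology.
    pats = [re.compile(r"\b" + re.escape(w) + r"\w*", re.I) for w in words]
    def check(attrs, text):
        hits = [m.group(0) for p in pats for m in p.finditer(text)]
        return hits if len(hits) >= min_count else None
    return check

def dictionary_criterion(terms: list, min_terms: int) -> Criterion:
    # At least `min_terms` distinct dictionary expressions as whole words.
    pats = {t: re.compile(r"\b" + re.escape(t) + r"\b", re.I) for t in terms}
    def check(attrs, text):
        found = [t for t, p in pats.items() if p.search(text)]
        return found if len(found) >= min_terms else None
    return check

def regex_criterion(pattern: str, min_count: int = 1) -> Criterion:
    rx = re.compile(pattern, re.I)
    def check(attrs, text):
        hits = [m.group(0) for m in rx.finditer(text)]
        return hits if len(hits) >= min_count else None
    return check

def attribute_criterion(exts: set = None, max_size: int = None) -> Criterion:
    def check(attrs, text):
        if exts and attrs["ext"] not in exts:
            return None
        if max_size is not None and attrs["size"] > max_size:
            return None
        return [f"{attrs['ext']} {attrs['size']} B"]
    return check

def all_of(*crits: Criterion) -> Criterion:  # logical AND of criteria
    def check(attrs, text):
        frags = []
        for c in crits:
            r = c(attrs, text)
            if r is None:
                return None
            frags += r
        return frags
    return check

def any_of(*crits: Criterion) -> Criterion:  # logical OR of criteria
    def check(attrs, text):
        frags = [f for c in crits for f in (c(attrs, text) or [])]
        return frags or None
    return check

# Constructed rule set mirroring the categories named in the review.
ACCOUNTING_TERMS = ["invoice", "VAT", "balance sheet", "accounts payable", "ledger", "audit"]
CARD_WITH_CVC = r"(?:\d[ -]?){12,18}\d\s+CV[CV]\s+\d{3}\b"   # card number + CVC/CVV
EMAIL = r"\b[\w.+-]+@[\w-]+\.\w+\b"
PHONE = r"\+\d{1,3}[ -]?\d{3}[ -]?\d{3}[ -]?\d{2}[ -]?\d{2}\b"

RULES = {
    "Contracts": all_of(keyword_criterion(["contract", "supplier"], min_count=2),
                        attribute_criterion(exts={".docx", ".pdf"})),
    "Financial documents": dictionary_criterion(ACCOUNTING_TERMS, min_terms=5),
    "Card data": regex_criterion(CARD_WITH_CVC, min_count=5),
    "Personal data": any_of(regex_criterion(EMAIL), regex_criterion(PHONE)),
}

def classify(attrs: dict, text: str) -> dict:
    """Return {category: highlighted fragments} for one file."""
    return {cat: frags for cat, rule in RULES.items()
            if (frags := rule(attrs, text)) is not None}

def control_terminated(before: dict, after: dict) -> set:
    """Categories a file no longer qualifies for after an edit."""
    return set(before) - set(after)

# Constructed sample files: path -> (attributes, text). The card numbers are
# publicly known test numbers, not real data.
SAMPLE_FILES = {
    "contracts/supply_2020.docx": ({"ext": ".docx", "size": 48_000},
        "SUPPLY CONTRACT No. 17/2020. The Supplier undertakes to deliver goods. "
        "Payment terms: invoice, VAT, balance sheet, accounts payable, ledger, audit."),
    "hr/personal_data.xlsx": ({"ext": ".xlsx", "size": 12_000},
        "Ivanov I.I., passport 4510 123456, phone +7 999 123-45-67, email ivanov@example.com"),
    "finance/cards.txt": ({"ext": ".txt", "size": 900},
        "4111 1111 1111 1111 CVC 123\n5500 0000 0000 0004 CVV 456\n4012 8888 8888 1881 CVC 789\n"
        "3782 822463 10005 CVV 012\n6011 1111 1111 1117 CVC 345\n"),
    "notes/readme.txt": ({"ext": ".txt", "size": 100}, "Nothing interesting here."),
}

def classify_all(files: dict) -> dict:
    return {path: classify(attrs, text) for path, (attrs, text) in files.items()}

if __name__ == "__main__":
    for path, cats in classify_all(SAMPLE_FILES).items():
        print(path, "->", cats)
```

A file may land in several categories at once (the contract above is both "Contracts" and "Financial documents"), which is why the product shows tags rather than a single class per file.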
Archiving Critical Documents
To protect documents from unauthorized changes, FileAuditor creates shadow copies of files. You can store several of the latest versions of the required files, which makes it convenient to track exactly how users edited a document and whether its content was distorted. If necessary, the desired version can be restored. This ensures that information is not lost even if a document is deleted accidentally or intentionally. All shadow copies are stored in encrypted form, so they cannot be compromised in the FileAuditor store.
The program saves only those objects for which the corresponding settings are enabled, so the server is not overloaded with copies of unnecessary files. Deduplication is also implemented: if identical copies of the same file are found at several points on the network, only one instance enters the FileAuditor store.
In addition, you can set the number of saved versions of each unique file; outdated copies that users have stopped interacting with are then automatically removed from the store. To prevent the store from overflowing, you can clear the shadow copies of files that no longer need control, for example if their control rules were removed or if they were on machines that have been excluded from monitoring.
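The three storage behaviours just described (shadow copies with a version limit, deduplication of identical content, and cleanup when control stops) fit together naturally in a content-addressed store. The following is an added illustration, not FileAuditor's own implementation: blobs are keyed by SHA-256 so identical content on several machines is stored once, each path keeps at most `max_versions` versions, and blobs no version references are garbage-collected. Encryption at rest, which the product applies, is left out; the class and method names are assumptions.

```python
import hashlib
from collections import deque

class ShadowStore:
    """Versioned, content-addressed shadow copies of controlled files (toy model)."""

    def __init__(self, max_versions: int = 3):
        self.max_versions = max_versions
        self.blobs = {}        # sha256 hex -> bytes, one copy per unique content
        self.versions = {}     # path -> deque of sha256 hex, oldest first
        self.controlled = set()

    def control(self, path: str) -> None:
        self.controlled.add(path)

    def stop_control(self, path: str) -> None:
        """Rule removed or machine excluded from monitoring: drop the path's copies."""
        self.controlled.discard(path)
        self.versions.pop(path, None)
        self._gc()

    def record(self, path: str, content: bytes) -> bool:
        """Record a version of `path`; True only when previously unseen content was stored."""
        if path not in self.controlled:
            return False                       # no shadow-copy rule for this object
        digest = hashlib.sha256(content).hexdigest()
        is_new = digest not in self.blobs
        if is_new:
            self.blobs[digest] = content       # deduplication: identical content stored once
        hist = self.versions.setdefault(path, deque())
        if not hist or hist[-1] != digest:     # unchanged content is not a new version
            hist.append(digest)
        while len(hist) > self.max_versions:   # expire outdated versions
            hist.popleft()
        self._gc()
        return is_new

    def restore(self, path: str, version: int = -1) -> bytes:
        """Return a stored version (-1 = latest, 0 = oldest retained)."""
        return self.blobs[self.versions[path][version]]

    def duplicates(self) -> dict:
        """Paths whose current content is byte-identical: digest -> sorted paths."""
        by_digest = {}
        for path, hist in self.versions.items():
            by_digest.setdefault(hist[-1], []).append(path)
        return {d: sorted(p) for d, p in by_digest.items() if len(p) > 1}

    def _gc(self) -> None:
        live = {d for hist in self.versions.values() for d in hist}
        for digest in list(self.blobs):
            if digest not in live:
                del self.blobs[digest]

if __name__ == "__main__":
    store = ShadowStore(max_versions=2)
    store.control("srv/contracts/a.docx")
    store.record("srv/contracts/a.docx", b"draft 1")
    store.record("srv/contracts/a.docx", b"draft 2")
    print(store.restore("srv/contracts/a.docx", 0))
```

Because duplicates are decided on the full-content hash, deleting a surplus copy never loses data that is not also present elsewhere in the store.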
Access Rights Audit
FileAuditor determines user access rights to each document by reading information from the file system resources. All the necessary information is collected in a single view, so no additional tools are needed. The auditor sees:
- The list of groups and specific employees to whom the file is available.
- The list of operations available to each user on a specific file/directory.
The program has filters that help to specify the output for a more detailed analysis of access rights. For each file, you can find all users with specific permissions - for example, all employees who can edit and delete the file, or only those who are denied access to the file. Conversely, you can search which files are available or not allowed to be used by the specified users/user groups.
The most complete information about user permissions is available in the Resource Access Rights and Resource Owners reports. The latter is especially useful to control the appearance of new objects in the file system and distribute access rights to them.
User Activity Control
FileAuditor provides detailed information about all user file operations. For each document in the controlled vaults, you can view the case history: who opened or edited the file you are looking for and when.
In addition, filters can narrow the selection of files depending on which critical operation you want to monitor. For example, you can select only documents that are within a specified period of time:
- have been modified;
- renamed;
- moved;
- deleted;
- received new access rights settings;
- fell under the rule or ceased to comply with it.
The "File Control Terminated" criterion indicates when the characteristics by which the system assigned a document to a particular category have disappeared from it, for example if users removed the "trade secret" stamp from the text. Technically, the system will cease to consider such a file confidential, but it records the operation for further investigation. This helps uncover incidents involving attempts to steal important documents and deceive security systems.
For the most critical documents, it is advisable to configure dedicated security policies that track the specified file operations and notify auditors of who performed them and when.
Incident management
Security policies in FileAuditor help you respond in time to unwanted events with specified data categories. You can configure automated search for violations:
- by file or folder category (according to classification rules);
- by location;
- by type;
- by extension;
- by user access rights;
- by date of creation or modification, etc.
For example, you can create a policy that notifies you if new users have advanced access to documents from the Financial Statements category.
When a policy is triggered, the system sends an alert to the information security specialist and saves the search results on the Incidents tab. There you can study the details of each trigger and the accompanying information about the files that came into the policy's field of view: where and how they are stored, which categories they belong to, who owns them and who else has access to them.
To prevent incidents, you can block unwanted user actions in advance. Prohibitions can be set for all or individual users/PCs, and exceptions can be configured. For example, you can prohibit reading files from the "Commercial Secret" category for all users except top management. Information security specialists can learn about blocked access/change attempts from the audit results.
More blocking options are available when FileAuditor is integrated with the SearchInform CIB DLP system.
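The access-rights queries from the Access Rights Audit section ("all employees who can edit and delete the file", "which files a user is denied") and the policy example above ("new users have gained advanced access to Financial Statements documents") are both computations over the same effective-rights model. This added example (constructed, not the product's code) builds that model from a small ACL with allow and deny entries and group membership, answers the two audit queries, and implements the policy as a diff between two ACL snapshots. User, group and file names are invented, and "advanced access" is assumed to mean write or delete.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    """One access-control entry; `allow=False` is an explicit deny."""
    resource: str
    principal: str           # user or group name
    perms: frozenset
    allow: bool = True

# Constructed directory: user -> groups (hypothetical names).
GROUPS = {
    "alice": {"Finance", "Everyone"},
    "bob": {"Sales", "Everyone"},
    "carol": {"IT", "Everyone"},
    "dave": {"Finance", "TopManagement", "Everyone"},
}
USERS = tuple(GROUPS)

FIN = "fin/Q1_statement.xlsx"   # belongs to the "Financial Statements" category
ACL_V1 = [
    Ace(FIN, "Finance", frozenset({"read", "write"})),
    Ace(FIN, "TopManagement", frozenset({"read", "write", "delete"})),
    Ace(FIN, "Everyone", frozenset({"read"})),
    Ace(FIN, "carol", frozenset({"read"}), allow=False),   # explicit deny wins
    Ace("share/plan.docx", "Everyone", frozenset({"read", "write"})),
]
# Second snapshot: someone granted the Sales group write access.
ACL_V2 = ACL_V1 + [Ace(FIN, "Sales", frozenset({"read", "write"}))]

def effective_rights(acl: list, user: str, resource: str) -> frozenset:
    """Union of allows for the user and their groups, minus any denies."""
    ids = {user} | GROUPS.get(user, set())
    allowed, denied = set(), set()
    for ace in acl:
        if ace.resource != resource or ace.principal not in ids:
            continue
        (allowed if ace.allow else denied).update(ace.perms)
    return frozenset(allowed - denied)

def who_can(acl: list, resource: str, required: set) -> set:
    """Users holding all of `required` on the resource."""
    return {u for u in USERS if set(required) <= effective_rights(acl, u, resource)}

def denied_resources(acl: list, user: str) -> set:
    """Resources the user cannot use at all."""
    resources = {a.resource for a in acl}
    return {r for r in resources if not effective_rights(acl, user, r)}

def new_advanced_access(old_acl: list, new_acl: list, category_files: list,
                        advanced=("write", "delete")) -> dict:
    """Policy: users who gained write/delete on files of a category between snapshots."""
    alerts = {}
    for res in category_files:
        for u in USERS:
            gained = (effective_rights(new_acl, u, res)
                      - effective_rights(old_acl, u, res)) & set(advanced)
            if gained:
                alerts.setdefault(res, {})[u] = gained
    return alerts

if __name__ == "__main__":
    print("can edit and delete:", who_can(ACL_V1, FIN, {"write", "delete"}))
    print("carol is denied:", denied_resources(ACL_V1, "carol"))
    print("policy alerts:", new_advanced_access(ACL_V1, ACL_V2, [FIN]))
```

Running the policy on every rescan rather than on a schedule is what turns a static rights report into the Incidents feed described above.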
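Both the label-based blocking introduced in the 2021 release (deny sending "PD" files on any channel; allow "Confidential" documents in MS Office only to the director) and the prohibitions with exceptions described in this section (deny "Commercial Secret" to everyone except top management) reduce to one decision: does a prohibition bound to one of the file's labels match this user, PC, application and action, and is the user excepted? The following added example (constructed, not FileAuditor's own code) evaluates such rules and shows labels following the content through copy and rename; the rule set, user names, process names and paths are assumptions.

```python
from dataclasses import dataclass

# Constructed directory: user -> groups (hypothetical names).
GROUPS = {"director": {"TopManagement"}, "alice": {"Finance"}, "bob": {"Sales"}}

@dataclass(frozen=True)
class Rule:
    """A prohibition bound to a label. Empty apps/hosts mean 'any'."""
    label: str
    action: str                                 # "open", "modify" or "send"
    apps: frozenset = frozenset()
    hosts: frozenset = frozenset()
    except_users: frozenset = frozenset()
    except_groups: frozenset = frozenset()

RULES = [
    Rule("PD", "send"),                                          # no channel at all
    Rule("Confidential", "open",
         apps=frozenset({"WINWORD.EXE", "EXCEL.EXE"}),           # MS Office only
         except_users=frozenset({"director"})),
    Rule("Commercial Secret", "open",
         except_groups=frozenset({"TopManagement"})),
]

@dataclass(frozen=True)
class Request:
    user: str
    host: str
    app: str
    action: str
    labels: frozenset

def blocking_rule(req: Request, rules=RULES):
    """First prohibition that applies to the request, or None."""
    for r in rules:
        if r.label not in req.labels or r.action != req.action:
            continue
        if r.apps and req.app not in r.apps:
            continue
        if r.hosts and req.host not in r.hosts:
            continue
        if req.user in r.except_users or GROUPS.get(req.user, set()) & r.except_groups:
            continue
        return r
    return None

def decide(req: Request) -> str:
    """'deny' when a prohibition matches; otherwise 'allow' (assumed default)."""
    return "deny" if blocking_rule(req) else "allow"

# Labels are invisible metadata that stays with the content through file operations.
LABELS = {r"C:\Docs\salaries.xlsx": frozenset({"PD", "Confidential"})}

def copy_file(src: str, dst: str) -> None:
    LABELS[dst] = LABELS[src]            # the copy inherits every label

def rename_file(src: str, dst: str) -> None:
    LABELS[dst] = LABELS.pop(src)        # renaming or changing the extension keeps them

def request(user: str, host: str, app: str, action: str, path: str) -> Request:
    return Request(user, host, app, action, LABELS.get(path, frozenset()))

if __name__ == "__main__":
    p = r"C:\Docs\salaries.xlsx"
    print(decide(request("alice", "PC-01", "Telegram.exe", "send", p)))   # deny
    print(decide(request("director", "PC-02", "WINWORD.EXE", "open", p)))  # allow
```

The decision reads only the label, which is why it is cheap compared with re-scanning the file's content at every operation, as the 2021 announcement points out.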
Integration capabilities
FileAuditor is a standalone product that can integrate with other information security systems. The program interacts with DLP systems of any manufacturers, and integrates seamlessly with the SearchInform CIB solution within a single interface.
Using them together multiplies the level of information security, since not only the organization's external perimeter but also its internal ecosystem is under control. FileAuditor shows who stores confidential documents in violation of security policies, and the DLP system lets you track who sent files to whom and when, and presents this clearly as content routes.
In addition, CIB can prohibit the transfer of documents through certain channels that fall into the categories specified in FileAuditor. For example, prohibit any attempts to send a file from the Financial Documents category to the cloud or share a document with the Commercial Secret token in the messenger.
FileAuditor also supports integration with SIEM and SOC.
Conclusions
Domestic (Russian) solutions that take full control of a company's file system are only just beginning to appear on the market. SearchInform FileAuditor is the first full-featured development of its kind in the DCAP class.
The program allows you to structure information, creates a clear picture of how many confidential files are stored in the system, who accesses them and whether they have the right to do so. Integrating FileAuditor with DLP systems and other information security tools enables comprehensive investigation of violations.
Free testing of the full-featured version of SearchInform FileAuditor is available on the customer's infrastructure.
Advantages:
- SMB operation independent of the OS (for network scanning).
- A completely domestic product: the analytical component (search engine) is of the vendor's own design.
- High data processing speeds with low storage utilization (scanning data is collected and analyzed on agents without first writing to the database).
- Proactive incident management capabilities with files and folders (content locks, customization of control rules for different categories of documents/users).
- Easy visualization of the state of file systems (color labeling of files by content, event log, reports on owners and access rights to resources, scan statistics, etc.).
- Archiving of critical information (shadow copies of the latest versions of files from the specified categories).
- Good integration capabilities - with DLP, SIEM systems, SOC and other information security solutions.
Disadvantages:
- Control only from the desktop application (no web interface).
- Third-party software licenses required (Windows Server OS).
- The current version does not allow direct configuration of file system (NTFS) permissions.
2019: Commercial release of "SearchInform FileAuditor"
On September 3, 2019, SearchInform announced the commercial release of the product - SearchInform FileAuditor. The solution belongs to the class of DCAP products (audit and protection of unstructured data) and allows you to control files that contain critical data, track changes in them (created, changed, "shared," moved, deleted) and make a shadow copy of the latest revisions. The system shows which of the users performed these actions, detects violations of access rights.
According to the company, the capabilities are not limited to files: analytics for folders are also available, covering the content they hold and changes to their rights. Thanks to the program, the information security specialist has a clear picture of what is happening in the file system. This solves the problem of controlling the transfer of confidential information to users who are not supposed to have access to it.
"SearchInform FileAuditor allows you to clean up the file system and quickly respond to dangerous situations. For example, this was discovered after a test installation of the software at one of the customers, a large retailer. A file with market research, which had cost the organization 100 thousand dollars, was available to 300 employees instead of a limited circle of several dozen. If the module had been installed earlier, the problem could have been prevented," said Lev Matveev, Chairman of the Board of Directors of SearchInform.
The system tracks the location of sensitive data using several types of searches: by text, regular expressions, file attributes (type, size, location). It is possible to create complex searches, for example, search by a fragment of text and a file attribute at the same time, as well as by selected directories and computers of users. SearchInform FileAuditor analyzes data on both local PCs and servers, which reduces the cost of purchasing storage equipment.
"The classic DLP approach, in which sensitive data must not leave the corporate perimeter, is no longer sufficient. Modern business processes require perimeters to be drawn even within the organization, with access to data restricted depending on an employee's role. But the built-in access delimitation tools do not stand up to criticism, because an employee who has the right to work with a document can transfer it to a public folder. SearchInform FileAuditor is used to protect against such incidents," said Alexey Parfentiev, Head of Analytics at SearchInform.