In the first two parts of this series, we discussed why permissions management, the traditional approach to file security, no longer works and introduced a new approach to file security that leverages machine learning to build dynamic peer groups based on how users actually access files. In this final installment, we look at three real-life examples derived from validation testing of our dynamic peer group algorithms. By automatically identifying groups based on behavior, file access permissions can be accurately defined and dynamically removed for each user based on changes in user interaction with files over time.
For our validation testing, several Imperva customers allowed us to leverage production data from their SecureSphere audit logs. Containing highly granular data access activity, the log data provided full visibility into which files users accessed over a given duration. Based on the dynamic peer group analysis algorithm, incidents were identified in each of the customer environments.
We’ve highlighted three incidents below. In each case, users had valid permissions to access the files and folders.
An engineering manager accessed a sensitive financial file
The first case focuses on an engineering department manager who was part of an engineering peer group comprised of others who work on similar projects. This manager’s close peer groups were also comprised of engineering department employees.
The manager attempted to access \\Finance\Contractors\Budget\FY16\Round 1 Submission, a sensitive document stored in a finance folder. The folder is associated with, and regularly used by, two peer groups: one containing finance department employees, the other comprising finance department contractors.
Because the folder was associated with neither the manager’s peer group nor its close clusters, the algorithm identified the engineering manager’s file access as inappropriate.
A finance employee accessed an HR file
Another case involves an employee in finance. Clustered in a peer group with six others working on a specific project, this employee attempted to access personal data about another employee stored in an HR folder. But the folder is not associated with the user’s cluster, nor with those close by. Rather, it is associated with a peer group containing HR personnel from a different location within the organization.
A researcher accessed a software classification file not related to his work
A researcher was clustered into a peer group with twelve others, in addition to R&D employees. The researcher attempted to open a software specification document that is regularly accessed by a specific R&D team. But the folder containing the file was associated with neither the researcher’s peer group nor its close clusters. This is the type of incident for which we can alert the SOC team.
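The check applied in the three cases above can be sketched as follows. This is an added example, not Imperva's algorithm or code: peer groups and group closeness are supplied as constructed inputs rather than learned, and the user names, the `min_accesses` threshold, and the `\\HR\Records` and `\\Eng\Specs` paths are assumptions.

```python
from collections import Counter, defaultdict

FIN = r"\\Finance\Contractors\Budget\FY16"   # folder from the first case
HR = r"\\HR\Records"                          # constructed path
ENG = r"\\Eng\Specs"                          # constructed path

# Constructed inputs: peer-group membership and group closeness are taken
# as given; how they are learned is outside this sketch.
PEER_GROUP = {"eng_mgr": "eng", "eng1": "eng", "eng2": "eng-tools",
              "fin1": "fin-emp", "fin2": "fin-emp", "con1": "fin-contract",
              "hr1": "hr-site-b"}
CLOSE = {"eng": {"eng-tools"}, "eng-tools": {"eng"}}

# Constructed audit history of (user, folder) accesses.
HISTORY = ([("fin2", FIN)] * 5 + [("con1", FIN)] * 4 + [("hr1", HR)] * 6
           + [("eng1", ENG)] * 8 + [("eng_mgr", FIN)])  # one stray access


def folder_groups(history, peer_group, min_accesses=3):
    """Map each folder to the peer groups that use it regularly."""
    counts = defaultdict(Counter)
    for user, folder in history:
        if user in peer_group:
            counts[folder][peer_group[user]] += 1
    return {folder: {g for g, n in c.items() if n >= min_accesses}
            for folder, c in counts.items()}


def is_suspicious(user, folder, assoc, peer_group, close):
    """True if the folder belongs to neither the user's group nor a close one."""
    own = peer_group.get(user)
    groups = assoc.get(folder, set())
    if own is None or not groups:
        return False  # no baseline for this user or folder: nothing to compare
    return not groups & ({own} | close.get(own, set()))


def detect(events, history=HISTORY, peer_group=PEER_GROUP, close=CLOSE):
    """Return the (user, folder) events that fall outside the user's peer groups."""
    assoc = folder_groups(history, peer_group)
    return [e for e in events if is_suspicious(*e, assoc, peer_group, close)]


if __name__ == "__main__":
    new_events = [("eng_mgr", FIN), ("fin1", HR), ("con1", FIN), ("eng2", ENG)]
    for user, folder in detect(new_events):
        print(f"ALERT {user} -> {folder}")
```

The single earlier access by `eng_mgr` stays below the threshold, so it does not make the finance folder part of the engineering group's baseline.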
All three beg the question…
All three of these incidents raise a common question: “Why did the employee have access to the directory in the first place?” There are three explanations:
- An oversight – The employee shouldn’t have had access at all.
- Coarse-grained granularity – To ease administrative burden, in many cases permissions are defined with fairly coarse granularity. The result is permission “creep,” in which users receive overly broad access.
- Lack of revocation – An employee was granted access to a directory for a specific project, but once completed, access was never revoked.
These three causes are not mutually exclusive. They amplify each other. In fact, the explosion in unstructured data, and in the number of people who create it (in many cases the creator de facto sets the permissions) and use it, exacerbates the impact of these three issues.
More Information
Traditional, black and white file access control can’t keep pace with today’s fluid, knowledge-driven working environment. Dynamic peer group functionality closes the security gap introduced by a dated permissions management approach to file security, keeping data contained in files secure from being lost, stolen or misused by malicious, careless, or compromised users.
For additional information on detecting suspicious file access with dynamic peer groups read the full Imperva Hacker Intelligence Initiative (HII) report: Today’s File Security is So ‘80s.
Learn more about dynamic peer group functionality available in Imperva CounterBreach.
Other posts in the series
Today’s File Security is So ’80s, Part 1: Why the Traditional Approach to File Security is Broken
Today’s File Security is So ’80s, Part 2: Detect Suspicious File Access with Dynamic Peer Groups