December 9, 2016

Visual analysis of file share access logs

Analysis of large reports in Veritas Data Insight is a challenge. How do you find patterns in a vast array of "raw" data? How do you distinguish typical user behavior from malicious behavior?
One way to make analyzing large amounts of information easier, security logs in particular, is visualization. Information presented graphically is far easier for a human to take in than a table with a huge number of similar records.
So how can Data Insight reports be visualized?

Here is one possibility. The horizontal axis corresponds to time stamps. The vertical axis is labeled with numbers corresponding to the folder's depth in the hierarchy. Not all folders are of interest, only those which contain files with corresponding log entries in the report.
I implemented it in RStudio using the "data.tree" and "plotly" packages. You can see the result in the screenshot and in a short video. The plot is interactive.

Here we can see, for example, single vertical lines, which mean a user visited folder(s) once that he never visited before or after. We can also find gaps corresponding to holidays.
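To make the idea concrete, here is an added example (not the post's R code) that builds the same point set in Python: each access log entry becomes a (time stamp, folder depth) point ready for plotting, and two helpers pick out the patterns mentioned above, folders a user touched on only one day (the "single vertical lines") and runs of days with no activity at all (the gaps). The log lines, the comma-separated format and the rule that depth counts path components from the server root are all constructed assumptions; real Data Insight reports would need their own parser.

```python
from collections import defaultdict
from datetime import timedelta, datetime

# Constructed sample access log: "<timestamp>,<user>,<UNC path of the file>"
SAMPLE_LOG = r"""
2016-11-01 09:12:00,alice,\\fs01\projects\alpha\report.docx
2016-11-01 09:20:00,alice,\\fs01\projects\alpha\budget.xlsx
2016-11-02 10:05:00,alice,\\fs01\projects\alpha\report.docx
2016-11-02 11:30:00,alice,\\fs01\hr\payroll\2016\salaries.xlsx
2016-11-07 08:45:00,alice,\\fs01\projects\alpha\notes.txt
""".strip()


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, folder) records.

    The folder is the file's parent path with leading backslashes and the file
    name removed, e.g. 'fs01\\projects\\alpha'."""
    records = []
    for line in text.splitlines():
        ts, user, path = line.split(",", 2)
        parts = [p for p in path.split("\\") if p]
        folder = "\\".join(parts[:-1])
        records.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, folder))
    return records


def folder_depth(folder):
    """Depth = number of path components from the server root (assumption)."""
    return folder.count("\\") + 1 if folder else 0


def plot_points(records):
    """(timestamp, depth, folder) triples sorted by time: x, y and hover label
    for an interactive scatter plot such as the plotly one in the post."""
    return sorted((ts, folder_depth(folder), folder) for ts, _, folder in records)


def one_off_folders(records):
    """Folders whose every access falls on a single calendar day.

    On the plot these show up as isolated vertical lines: the user went there
    once and never before or after."""
    days = defaultdict(set)
    for ts, _, folder in records:
        days[folder].add(ts.date())
    return {folder for folder, seen in days.items() if len(seen) == 1}


def activity_gaps(records, min_days=2):
    """Runs of at least min_days consecutive calendar days with no access at all,
    returned as (first_quiet_day, last_quiet_day) pairs. Holidays and weekends
    appear here; so would a period when logging silently stopped."""
    seen = sorted({ts.date() for ts, _, _ in records})
    gaps = []
    for prev, cur in zip(seen, seen[1:]):
        quiet = (cur - prev).days - 1
        if quiet >= min_days:
            gaps.append((prev + timedelta(days=1), cur - timedelta(days=1)))
    return gaps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ts, depth, folder in plot_points(recs):
        print(ts, depth, folder)
    print("one-off folders:", one_off_folders(recs))
    print("gaps:", activity_gaps(recs))
```

Feeding `plot_points()` output to any scatter plot library reproduces the view from the post; the two helper functions turn the eyeballed patterns into checks that can run unattended over a full report.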



November 27, 2016

Data Loss Prevention - Group Therapy (Brandon Baker)

Short intro to Cloud Access Security Broker

Weak HTTPS encryption leads to data loss

Over a third (35%) of the world’s websites are still using insecure SHA-1 certificates despite the major browser vendors saying they’ll no longer trust such sites from early next year, according to Venafi.

Gartner Market Guide for File Analysis Software

How to find out a user account for Outlook Web Access (Apps) incidents [Symantec DLP]

If you are using Web Prevent to monitor Outlook Web Access (OWA) traffic, you have probably been unlucky enough to find no user account information in such incidents.
Good news! After inspecting the "Message body" part of such incidents, I found that it contains a string with the user's SID from Active Directory. Using this entry you can fetch any user's information from your Active Directory.
And even better! You can use it in your Lookup Plugins as well, with a little trick. As you may know, Lookup Plugins cannot directly access an incident's attachments, message body, and so on. But if you use a scripting language for your Lookup Plugin, you can easily get around this limitation: there is another place where you can get any incident's components, the Incident Reporting and Update API.
I prefer to write Lookup Plugins in Python for its simplicity. If you do so, I recommend using SUDS to deal with the API.
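As an added example (my own code, not the post's plugin), the part of such a Lookup Plugin that does the work once the message body has been fetched: pull the SID out of the body text, ignore well-known SIDs that do not identify a domain user, and map the result to directory attributes. The message body, the SID values and the in-memory directory are all constructed; a real plugin would replace `DIRECTORY` with an LDAP query and obtain the body through the Incident Reporting and Update API, which is not shown here. The flat attribute-name-to-value dict returned at the end is an assumption about how the plugin hands custom attributes back to DLP.

```python
import re

# Windows security identifier: S-1-<authority>-<one or more sub-authorities>.
SID_RE = re.compile(r"\bS-1-\d+(?:-\d+)+\b")

# Constructed stand-in for the "Message body" of an OWA incident; the header
# name and SID are made up, only the idea (the body carries the user's SID)
# comes from the post.
SAMPLE_BODY = """Content-Type: text/plain
X-Owa-User: S-1-5-21-3623811015-3361044348-30300820-1013
Subject: quarterly numbers
Please find the attached spreadsheet.
"""

# Constructed stand-in for Active Directory, keyed by objectSid.
DIRECTORY = {
    "S-1-5-21-3623811015-3361044348-30300820-1013": {
        "sAMAccountName": "jdoe",
        "mail": "jdoe@example.com",
    },
}


def extract_sids(body):
    """Return the distinct SIDs found in the body, in order of first appearance."""
    found = []
    for match in SID_RE.finditer(body):
        if match.group(0) not in found:
            found.append(match.group(0))
    return found


def resolve_user(body, directory=DIRECTORY):
    """Map the first domain-user SID in the body to its directory entry.

    Domain accounts live under the S-1-5-21-<domain> prefix; well-known SIDs
    such as S-1-5-18 (LocalSystem) are skipped so they never get reported as
    the sender. Returns None when no usable SID is present or it is unknown."""
    for sid in extract_sids(body):
        if sid.startswith("S-1-5-21-") and sid in directory:
            return dict(directory[sid], objectSid=sid)
    return None


def lookup_plugin_attributes(body):
    """Custom attributes for the incident as a flat dict (assumed shape),
    empty when nothing could be resolved so no wrong name is attached."""
    user = resolve_user(body)
    if user is None:
        return {}
    return {"Sender Account": user["sAMAccountName"], "Sender Email": user["mail"]}


if __name__ == "__main__":
    print(extract_sids(SAMPLE_BODY))
    print(lookup_plugin_attributes(SAMPLE_BODY))
```

Returning an empty dict rather than raising when the SID is missing matters in practice: the plugin runs on every incident, including ones from channels where the body carries no SID at all.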