Detect File Copying
Is it possible to detect a user copying files?
This is a tough problem. The user's computer certainly knows that a file is read from the disk or the network into the computer's memory. Unfortunately, once the data is in memory, it can't be tracked any further. It might be inside of Microsoft Word and displayed as a document on the screen, it might have been loaded into an FTP application and sent out onto the network, or it might have been loaded into a program that is sending it to the printer. It's just not possible to track the destination of a file once it's been read.
But how can I make sure my sensitive data isn't disappearing?
There are two generic solutions for this.
- Lock the data up (encrypt it) so that you don't need to worry if someone takes your data. Although good in theory, in practice this makes your documents pretty hard to work with. Microsoft has a large infrastructure called Rights Management Services for Microsoft Office files, but getting it going is not a small endeavor.
- Use heuristics to detect that a user is probably copying data. That's what PA File Sight does.
How does it work?
With the Ultra version of PA File Sight you can be alerted any time a user reads more than X amount of data (a number of files, or an amount of data) in Y amount of time. For example, it's unlikely that a user would open and read 50 Word documents in a one minute period of time. So if 50 Word documents are read by a single user within 1 minute, you have a pretty good guess that a directory copy probably just took place.
Watch the training video How to set up a monitor to detect file copying.
What else can PA File Sight do?
Besides alerting on possible file copying operations, PA File Sight can also tell you if someone deletes a file, or if they move a file, including who moved it, and where they moved it to. In addition, you can audit who has loaded or changed files.