Detect File Copying
Is it possible to detect a user copying files?
This is a tough problem. The user's computer certainly knows that a file is read from the disk or the network into the computer's memory. Unfortunately, once the data is in memory, it can't be tracked any further. It might be inside of Microsoft Word and displayed as a document on the screen, it might have been loaded into an FTP application and sent out onto the network, or it might have been loaded into a program that is sending it to the printer. It's just not possible to track the destination of a file once it's been read.
But how can I make sure my sensitive data isn't disappearing?
There are a few solutions for this.
- Lock the data up (encrypt it) so that you don't need to worry if someone takes your data. Although good in theory, in practice this makes your documents pretty hard to work with. Microsoft has a large infrastructure called Rights Management Services for Microsoft Office files, but getting it going is not a small endeavor.
- Use heuristics to detect that a user is probably copying data. PA File Sight's Watch: User Activities feature can do that (only available in the Ultra version).
- Use software on the client computer, like the File Sight Endpoint, to detect where files are going. It needs to cooperate with software on the server, as it does with PA File Sight. This feature requires the Ultra version of PA File Sight.
How does the heuristics approach work?
With the Ultra version of PA File Sight you can be alerted any time a user reads more than X amount of data (a number of files, or an amount of data) in Y amount of time. For example, it's unlikely that a user would open and read 50 Word documents within one minute. So if 50 Word documents are read by a single user within 1 minute, you can be fairly confident that a directory copy just took place.
Watch the training video "How to set up a monitor to detect file copying."
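The X-in-Y threshold described above can be sketched as a per-user sliding window over file-read events. This is an added example, not PA File Sight's own code; the event tuple layout, the function names, counting distinct paths, and clearing the window after an alert are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORD_EXTENSIONS = (".doc", ".docx")

def make_sample_events():
    """Constructed read events: (time, user, path, bytes_read), sorted by time."""
    base = datetime(2024, 1, 8, 9, 0, 0)
    events = []
    # alice: 5 documents over 40 minutes (ordinary work)
    for i in range(5):
        events.append((base + timedelta(minutes=10 * i), "alice",
                       f"\\\\srv\\docs\\report{i}.docx", 40_000))
    # bob: 60 documents in 30 seconds (looks like a directory copy)
    for i in range(60):
        events.append((base + timedelta(minutes=5, seconds=0.5 * i), "bob",
                       f"\\\\srv\\hr\\file{i}.docx", 40_000))
    return sorted(events, key=lambda e: e[0])

def detect_bulk_reads(events, max_files=50, max_bytes=None,
                      window=timedelta(minutes=1), extensions=WORD_EXTENSIONS):
    """Return alerts (time, user, distinct_files, total_bytes) for each user
    who reads max_files distinct files, or max_bytes bytes, within `window`.
    Events must be sorted by time."""
    recent = defaultdict(deque)  # user -> reads still inside the window
    alerts = []
    for ts, user, path, size in events:
        if not path.lower().endswith(extensions):
            continue
        q = recent[user]
        q.append((ts, path, size))
        # Drop reads that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        # Distinct paths, so re-reading one file repeatedly does not trigger.
        files = len({p for _, p, _ in q})
        total = sum(s for _, _, s in q)
        if files >= max_files or (max_bytes is not None and total >= max_bytes):
            alerts.append((ts, user, files, total))
            q.clear()  # re-arm so one burst yields one alert, not one per file
    return alerts

if __name__ == "__main__":
    for ts, user, files, total in detect_bulk_reads(make_sample_events()):
        print(f"{ts} ALERT {user}: {files} files / {total} bytes within 1 minute")
```

The thresholds trade missed copies against false alerts: a copy throttled below the rate goes unnoticed, while backup or indexing accounts that legitimately read many files need their own limits or an exclusion.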
How does the File Sight Endpoint work?
When the File Sight Endpoint is installed on a client computer, it interacts with the PA File Sight service to coordinate tracking of files that come from the server. When it sees a file that is read from a server, it keeps track of which process (Word, WinZip, Windows Explorer, etc.) read the file, and where that process wrote out any files. If it sees the same filename getting written out, it reports back to the PA File Sight service that a file copy operation probably just occurred.
To detect file copying, the client running the Endpoint and the server running PA File Sight both need to be Windows 7 / 2008 R2 or newer. Older versions of Windows did not provide the server with the client IP address.
What else can PA File Sight do?
Besides alerting on possible file copying operations, PA File Sight can also tell you if someone deletes a file, or if they move a file, including who moved it and where they moved it to. It can also help protect against ransomware.