File Share Entitlement Review: Finding the Owner
One thing top of mind for information security professionals in 2012 is understanding who has access to what and being able to report on it clearly and concisely. We call it Access Governance or Data Governance, and it consists of entitlement reviews, access reviews and audit reporting. The terms overlap, and the full range of product features aimed at this challenge can seem overwhelming and hard to navigate. At STEALTHbits, we simplify things. We’ve developed quick-win solutions that get you from where you are today to the next step with a proven and pragmatic methodology.
Data Owners
One small example is how we identify owners of file shares and other resources. First, we have an algorithm that produces a ranked list of probable owners based on a number of factors: who holds rights on the resource, who is actually reading and writing it, and so on. The algorithm is adjustable to meet specific requirements, but there isn’t an algorithm on earth that can determine ownership with 100% accuracy across large-scale environments. So we use the STEALTHAudit Platform survey modules to contact the probable owners and ask them whether we’re right.
If we are, we send them a set of instructions on what we need them to do. If we’re not, we move on to the next probable owner until we track down the right person. At each step we report on where things stand: which shares are high-risk, which have confirmed owners, which are still awaiting a response, and so on.
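As an added illustration (example code written for this page, not STEALTHbits’ algorithm), here is a small Python model of that process: it ranks candidate owners from a share’s ACL and its activity, then walks the ranked list using survey answers and reports the share’s status. The share, ACL, group membership, activity events and all weights are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data for one share (not from the original post).
# ACL entries: (principal, right, inherited_from_parent)
SHARE_ACL = [
    ("CORP\\Domain Admins", "FullControl", True),
    ("Everyone", "Read", True),
    ("CORP\\jsmith", "FullControl", False),
    ("CORP\\Finance-RW", "Modify", False),
]

# Group membership, as it would be resolved from Active Directory.
GROUP_MEMBERS = {
    "CORP\\Finance-RW": ["CORP\\mlee", "CORP\\akhan"],
    "CORP\\Domain Admins": ["CORP\\it-admin1", "CORP\\svc-backup"],
}

# Constructed file activity on the share: (account, operation)
ACTIVITY = [
    ("CORP\\mlee", "write"), ("CORP\\mlee", "write"), ("CORP\\mlee", "read"),
    ("CORP\\akhan", "read"),
    ("CORP\\jsmith", "read"),
    ("CORP\\it-admin1", "delete"),
]

# Weights are assumptions chosen for illustration; a real deployment would tune them.
RIGHT_WEIGHT = {"FullControl": 3.0, "Modify": 2.0, "Read": 0.5}
OP_WEIGHT = {"write": 1.0, "delete": 1.0, "read": 0.2}
INHERITED_FACTOR = 0.25  # an inherited grant says less about ownership than an explicit one

# Principals that never count as owners: built-in admin groups and well-known open groups.
EXCLUDED = {"CORP\\Domain Admins", "Everyone",
            "NT AUTHORITY\\Authenticated Users", "CORP\\Domain Users"}


def expand(principal, groups):
    """Resolve a group to its member accounts; a user resolves to itself."""
    return groups.get(principal, [principal])


def score_owners(acl, groups, activity):
    """Rank candidate owners: explicit, powerful rights plus real activity score highest."""
    scores = defaultdict(float)
    for principal, right, inherited in acl:
        if principal in EXCLUDED:
            continue
        weight = RIGHT_WEIGHT.get(right, 0.0)
        if inherited:
            weight *= INHERITED_FACTOR
        for account in expand(principal, groups):
            scores[account] += weight
    for account, operation in activity:
        if account in EXCLUDED:
            continue
        scores[account] += OP_WEIGHT.get(operation, 0.0)
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


def resolve_owner(ranked, responses):
    """Walk the ranked candidates using survey answers.

    responses maps account -> True (confirmed owner) or False (declined); an account
    that is absent has not answered yet. Returns the share's status for the report.
    """
    for account, _score in ranked:
        answer = responses.get(account)
        if answer is True:
            return ("owned", account)
        if answer is None:
            return ("awaiting response", account)
        # answer is False: candidate said "not me", move on to the next one
    return ("unresolved", None)


if __name__ == "__main__":
    ranked = score_owners(SHARE_ACL, GROUP_MEMBERS, ACTIVITY)
    for account, score in ranked:
        print(f"{account:20s} {score:.1f}")
    print(resolve_owner(ranked, {"CORP\\mlee": False}))
```

With this data the group member who actually writes to the share outranks the account holding explicit Full Control, which is the point of combining rights with activity; the survey step then catches the cases where the heuristic is still wrong.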
In large scale environments, there is no easy button. But there is experience and expertise. Experience counts. If you’re trying to figure out who owns your content, let’s chat and we’ll let you know what we’ve learned about this challenge as we’ve helped a number of the world’s largest organizations solve it.
Open File Shares: A Pragmatic Approach
A number of STEALTHbits’ customers have reported that their #1 audit challenge boils down to open file shares. Auditors are clearly concerned with access, and while it’s difficult to understand access rights across millions of individual files, it’s immediately apparent when there are file shares that are open to anyone.
But how do you approach a problem that spans thousands of servers? Do you implement a monitoring solution for three months? Manually sift through each one? Well, you could do either of those things. And if you’re interested in activity monitoring, we’ve got the best solution on the market. But I’d argue that the best way to deal with open shares is to move through a quick, pragmatic process that scopes the resources, identifies the high-risk shares, and automates cleanup without significant infrastructure or investment.
STEALTHbits has developed a step-by-step approach to closing down open file shares and has proven it out at a number of the world’s largest organizations. It’s simple to deploy, uses just a single server, can scan remotely, and it works. We’re able to provide real results in about one week. Give us 5 days, and we’ll have your arms comfortably around the problem and your mind at rest.
StealthINTERCEPT and CSI
So, in the "new and upcoming news" category, StealthINTERCEPT is due out shortly here at STEALTHbits. With a name like that, we're not surprisingly referring to it as SI internally right now. And since I'm sitting up here in Canada going through some webpage design for the roll-out, I think of it as CSI. And then I get to thinking - CSI - well, it may not be bones and blood tests, but it's sure useful for Corporate System Investigation. Some poor OU goes missing? Get CSI on the case. Got a bad one, Tony - three critical users were just deleted. Better get CSI.
And from talking to a few of our friends/customers out there let me tell you - people need CSI. I heard from one guy how he discovered as part of an ad-hoc cleanup process that the permissions on the CEO's mailboxes had "acquired" several different unwarranted security principals. After a quick panic lockdown, and the removal of all of the unwanted access, everything seemed fine - until the CEO couldn't log on to his mailbox either. Then the stuff really hit the fan. Worst of all, they couldn't find out who had made the unwanted changes in the first place. The only guy they had a name for was the guy who tried to clean it up. Guess who got in trouble? Bleah.
Another of our clients has a problem where OUs keep moving around. They think it's caused by accidental drag-and-drops by admins using ADUC, but they don't really know for sure. They're looking for a tool to tell them who is moving and renaming their OUs. And what they'd really love is to be able to stop them *before* it happens. Moving OUs causes all kinds of messy ripple effects, with DNs changing and linked GPOs getting mis-applied, and they'd like to prevent all of that before it hits.
So, look for [C]SI coming out soon from STEALTHbits. It may not be as sexy as Jorja Fox (what a name!), but it's just as good for finding out the whodunnit and making sure those responsible pay for their (electronic) crimes. And it can do some prevention too - so unwanted changes to critical objects don't happen in the first place. Pretty cool stuff.
Jack of all Trades, Master of Data & Access Governance
You've heard it before – that nagging phrase that makes you feel like you're underachieving or stretching yourself too thin: Jack of all trades, Master of none. Yet, in today's world of click-happy multi-tasking, that phrase is ringing less and less true. To be effective, the demand within organizations now seems to be for Jacks of all trades, people who can wear multiple hats in order to obtain a complete picture.
Perhaps nowhere is this more obvious than within the IT Governance space. While there are certainly distinctions among and separations between administrative teams within IT (and for good reason!), the team responsible for an organization's governance and security program needs to be able to access and leverage all of those individual teams and their technologies to truly determine security and compliance levels, and curb potential threats.
While it makes perfect sense to have, for instance, an Exchange team managing Mailboxes or a Collaboration team managing SharePoint from a functional and administrative perspective, security management often requires a "grey area" to ensure governance at the intersection of these teams' endeavors. For instance, if a company is undergoing a Public Folder retirement campaign in preparation for a migration to SharePoint, the Governance team plays a crucial role in answering questions like:
1. Are any of the PFs open to security threats (excessive permissions, sensitive data with improper access assignments, etc.)?
2. Are those threats the result of effective access?
3. Who owns the PF, and are they aware of the people it's available to?
4. Are the folders being migrated to SharePoint locked down as tightly as possible, even when considering effective access?
And that's just one scenario. With IT departments often composed of dozens of teams – one or more for each critical area of the enterprise – it's no wonder that Data & Access Governance and Security folks have a tough time gaining the kind of cross-disciplinary insight needed to say with confidence: "Yes, my environment is compliant and secure."
The ability to have insight into security at all levels and across all resources – from Exchange to SharePoint, Active Directory, the file system, SQL, NetApp Storage Controllers, Windows Servers, and even into mobility applications like BES—is critical for anyone brave enough to wear the Security and Compliance Hat. The thing to remember, though, is that IT Governance Teams are still evolving and expanding to address security issues as folders move from Exchange to SharePoint (as above), and usually require the individual Exchange or SharePoint administrators to take on a governance role.
So, to all the Jacks of all Governance trades out there, remember the original (and long-forgotten) addendum to the "Jack of all Trades" phrase:
"Jack of all trades, master of none,
Though oftentimes better than master of one."
High Risk(y) Business: Controlling the Threat of High Risk Shares
Try this: go to your favorite search engine, and type in “high risk share.” Chances are, you’ll get the same thing I did: pages and pages of financial information dealing with risky shares as they pertain to stocks. The definition and even identification of a high risk stock is fairly straightforward (at least in theory). In the IT space, though, “high risk share” is a much broader term, and such shares can be difficult to identify (which, in turn, makes them difficult to govern). Unlike a stock market, which appears in a uniform way to all investors in that market, high risk data repositories vary across organizations based on individual access settings, permission needs, departmental requirements, and more.
One way to look at it is in terms of access. If a file or share is accessible by a very large number of users (through well-known security principals like “Everyone,” for instance) the chances increase that it would be considered “high risk.” At the same time, organizations often purposely leave top-level folders open because they’re commonly used across the board. So where’s the risk then, exactly?
Risk comes into play when open permissions granted at the top level are inherited by folders several levels below, so that the effective rights on a sensitive subfolder still include everyone who was granted access at the top. Because effective rights are difficult to determine (take our effective rights quiz to see how well you do), they can leave sensitive data open to many more people than need, or should have, access to it.
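To make the inheritance point concrete, and to show the identify-and-clean-up steps of the open-share process described above under Open File Shares, here is an added Python example (not code from the original post or from STEALTHbits). It models a small share tree with explicit ACEs and inheritance, computes each folder’s effective ACL and a user’s effective rights, flags folders reachable by well-known open principals, and performs the usual cleanup step of breaking inheritance and dropping the open grants. The share layout, principals and group memberships are constructed; the model covers only Allow ACEs and assumes every explicit ACE propagates to subfolders.

```python
from dataclasses import dataclass, field

# Well-known principals that make a folder "open" when they appear in its effective ACL.
OPEN_PRINCIPALS = {"Everyone", "NT AUTHORITY\\Authenticated Users", "CORP\\Domain Users"}
RIGHT_LEVEL = {"Read": 1, "Modify": 2, "FullControl": 3}


@dataclass
class Folder:
    aces: list = field(default_factory=list)  # explicit Allow ACEs: (principal, right)
    inherits: bool = True                     # False models "disable inheritance" on the folder
    sensitive: bool = False                   # e.g. flagged by a content scan


# Constructed share layout (not from the original post). Simplifications: Allow ACEs only,
# and every explicit ACE propagates to subfolders.
TREE = {
    "\\\\fs01\\Shared": Folder(aces=[("Everyone", "Read"), ("CORP\\Domain Users", "Modify")]),
    "\\\\fs01\\Shared\\Finance": Folder(aces=[("CORP\\Finance-RW", "Modify")]),
    "\\\\fs01\\Shared\\Finance\\Payroll": Folder(sensitive=True),
    "\\\\fs01\\Shared\\HR": Folder(aces=[("CORP\\HR", "Modify")], inherits=False, sensitive=True),
}

# Group membership as resolved from AD. Every account is implicitly a member of Everyone
# and Authenticated Users, which is exactly what makes those grants so broad.
GROUPS = {
    "CORP\\jdoe": {"CORP\\Domain Users"},
    "CORP\\mlee": {"CORP\\Domain Users", "CORP\\Finance-RW"},
}


def effective_acl(tree, path):
    """Own ACEs plus ACEs inherited from ancestors, stopping at the first folder
    (this one included) where inheritance is disabled."""
    acl = []
    current = path
    while current in tree:
        folder = tree[current]
        acl.extend(folder.aces)
        if not folder.inherits:
            break
        current = current.rpartition("\\")[0]
    return acl


def effective_rights(tree, path, account, groups):
    """Highest right the account holds on the folder, or None if it has no access."""
    identities = {account, "Everyone", "NT AUTHORITY\\Authenticated Users"}
    identities |= set(groups.get(account, ()))
    best = None
    for principal, right in effective_acl(tree, path):
        if principal in identities and (best is None or RIGHT_LEVEL[right] > RIGHT_LEVEL[best]):
            best = right
    return best


def open_folders(tree):
    """Every folder an open principal can reach, with sensitive ones rated high risk.
    Returns {path: (risk, [(principal, right), ...])}."""
    findings = {}
    for path, folder in tree.items():
        open_aces = [(p, r) for p, r in effective_acl(tree, path) if p in OPEN_PRINCIPALS]
        if open_aces:
            findings[path] = ("high" if folder.sensitive else "open", open_aces)
    return findings


def lock_down(tree, path):
    """Cleanup step: break inheritance and keep only the non-open effective ACEs."""
    tree[path].aces = [(p, r) for p, r in effective_acl(tree, path) if p not in OPEN_PRINCIPALS]
    tree[path].inherits = False
    return effective_acl(tree, path)


if __name__ == "__main__":
    payroll = "\\\\fs01\\Shared\\Finance\\Payroll"
    for path, (risk, aces) in open_folders(TREE).items():
        print(f"{risk:5s} {path}  via {aces}")
    print("jdoe on Payroll before:", effective_rights(TREE, payroll, "CORP\\jdoe", GROUPS))
    lock_down(TREE, payroll)
    print("jdoe on Payroll after: ", effective_rights(TREE, payroll, "CORP\\jdoe", GROUPS))
```

Payroll has no open ACE of its own, yet every domain user can modify it because the grants on the top-level share flow down; HR, where inheritance is disabled, does not show up. After the lock-down only the Finance group keeps access, which is the reviewable state an auditor wants to see.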
To learn more about high risk shares, and how to identify and remedy them, watch our STEALTHsession on Controlling the threat of High Risk Shares.
Who's In My Mailbox?
Understanding who is opening another user's mailbox is an integral compliance requirement in any regulated institution. Whether Security needs to monitor executive mailboxes for users probing for confidential material, or to find Exchange administrators abusing their elevated mailbox support rights, it is essential to have a single consolidated view that highlights these access violations.
Data leakage can cause both financial and reputational damage to an organization. The business and the IT team need to come together to identify what should be monitored and how, while ensuring that the tools implemented do not themselves pose a risk to the integrity of the systems.
There are tools on the market that can answer this business question using a variety of approaches. Most common is an agent that sits on the Exchange server and runs within the Exchange process, intercepting the traffic. This provides in-depth, granular detail about who is doing what in the monitored mailboxes, but code running inside the Exchange process also poses a significant risk of serious outages. Other solutions scan the event log for the specific event IDs that identify non-owner access. These also provide the required data, but they require administrators to turn up diagnostic logging. For larger organizations this is often not viable, because raising the diagnostic logging level produces a very large volume of events, and maintaining history becomes very difficult.
A new and different approach, from STEALTHbits Technologies, is similar to the agent variety but poses far less risk. It uses the existing WMI/PowerShell queries, the same ones behind the logon statistics shown in ESM, to find non-owner access. It also retains history for this data, which matters because Exchange reports only the sessions that are currently open and discards the record as soon as the user logs out of the mailbox. Additional data processing and business intelligence isolates executives and rogue admins for focused monitoring. This approach avoids the outage risk of an in-process agent: it runs as a native Windows scheduled task on the Exchange server, idle most of the time and at low priority, querying the resources around it rather than intercepting traffic.
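As an added example (not STEALTHbits’ tool, and not code from the original post) of why history has to be kept on the collecting side, here is a Python sketch of the polling loop: each poll returns only the mailbox logons that are live at that moment, so the collector records every non-owner session it has seen, marks the ones seen for the first time for alerting, and rates executive mailboxes and admin accounts higher. The mailbox owners, sanctioned delegates, watch lists and the two polls are constructed; the session fields are assumptions modelled on the kind of data Exchange logon statistics expose.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Session:
    """One live mailbox logon (constructed; fields modelled on Exchange logon statistics)."""
    mailbox: str       # display name of the mailbox that was opened
    account: str       # Windows account that opened it
    client: str        # client type, e.g. Outlook or OWA
    last_access: datetime


# Who owns which mailbox, who is allowed in as a sanctioned delegate, and which
# mailboxes and accounts deserve focused monitoring. All constructed.
OWNERS = {"CEO Mailbox": "CORP\\ceo", "Lee, Mary": "CORP\\mlee"}
DELEGATES = {"CEO Mailbox": {"CORP\\ea-jones"}}
WATCHED_MAILBOXES = {"CEO Mailbox"}
ADMIN_ACCOUNTS = {"CORP\\exadmin1"}

T1 = datetime(2012, 3, 5, 9, 0)
T2 = T1 + timedelta(minutes=15)

# Two consecutive polls. Between them exadmin1 logged off, so Exchange no longer
# reports that session, and jsmith opened the CEO's mailbox.
POLL_1 = [
    Session("CEO Mailbox", "CORP\\ceo", "Outlook", T1),
    Session("CEO Mailbox", "CORP\\exadmin1", "Outlook", T1),
    Session("CEO Mailbox", "CORP\\ea-jones", "Outlook", T1),
    Session("Lee, Mary", "CORP\\mlee", "OWA", T1),
    Session("Lee, Mary", "CORP\\jsmith", "Outlook", T1),
]
POLL_2 = [
    Session("CEO Mailbox", "CORP\\ceo", "Outlook", T2),
    Session("CEO Mailbox", "CORP\\jsmith", "Outlook", T2),
    Session("Lee, Mary", "CORP\\mlee", "OWA", T2),
    Session("Lee, Mary", "CORP\\jsmith", "Outlook", T2),
]


def non_owner_sessions(snapshot, owners=OWNERS, delegates=DELEGATES):
    """Sessions where the logged-on account is neither the owner nor a sanctioned delegate."""
    return [s for s in snapshot
            if s.account != owners.get(s.mailbox)
            and s.account not in delegates.get(s.mailbox, ())]


def severity(session, watched=WATCHED_MAILBOXES, admins=ADMIN_ACCOUNTS):
    """Executive mailboxes first, then admins using support rights, then everything else."""
    if session.mailbox in watched:
        return "high"
    if session.account in admins:
        return "medium"
    return "low"


class AccessHistory:
    """Retains every non-owner session ever observed, because the source only
    shows the sessions that are live right now."""

    def __init__(self):
        self.records = {}  # (mailbox, account, client) -> details

    def ingest(self, snapshot, polled_at):
        """Merge one poll into the history; returns the sessions seen for the first time."""
        new = []
        for s in non_owner_sessions(snapshot):
            key = (s.mailbox, s.account, s.client)
            rec = self.records.get(key)
            if rec is None:
                rec = {"first_seen": s.last_access, "last_seen": s.last_access,
                       "polls": 0, "severity": severity(s)}
                self.records[key] = rec
                new.append((key, rec["severity"]))
            rec["last_seen"] = max(rec["last_seen"], s.last_access)
            rec["last_polled"] = polled_at
            rec["polls"] += 1
        return new


def run_demo():
    history = AccessHistory()
    first = history.ingest(POLL_1, T1)
    second = history.ingest(POLL_2, T2)
    return first, second, history


if __name__ == "__main__":
    first, second, history = run_demo()
    print("new after poll 1:", first)
    print("new after poll 2:", second)
    for key, rec in history.records.items():
        print(key, rec["severity"], "seen in", rec["polls"], "poll(s), last", rec["last_seen"])
```

The admin’s session into the CEO’s mailbox is gone by the second poll, but the history still holds it, which is the whole reason for polling: the second poll alone would show nothing. The poll interval bounds what you can miss, so a session shorter than the interval can slip through, and that is the trade-off against an in-process agent.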
Whether or not understanding access violations is a formal requirement in an organization, it is certainly a common request from senior management. Instead of implementing a "big brother" solution that quietly monitors logon violations, some organizations choose to notify the mailbox owner immediately with this information. In either case the technology is the same, and it is essential to find a solution that not only meets the business need but also does not degrade the service.


