Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Overview and System Design Guide


2.10.3 Investigating suspicious movements of files from systems using operation logs

You can collect the operations that users perform on computers as operation logs. By defining in a security policy the conditions under which an operation is regarded as suspicious, you can also have operations that might lead to information leakage detected automatically. This lets you check for such operations and take action before the damage spreads.

The following figure shows the flow when operation logs are collected for investigation of suspicious operations.

[Figure]

To detect suspicious operations, you need to set the conditions for determining which operations are to be regarded as suspicious in a security policy. Suspicious operations can be detected on a computer to which a security policy that defines these conditions has been applied.

If you detect that a file has been moved out of the system, you need to trace where the file came from in order to prevent leakage of confidential information. When a suspicious operation is detected, it is reported as a Suspicious Operations event. You can check the event against the operation log and trace the source of the file that was moved out of the system.

Tip

You can export operation logs by executing the ioutils exportoplog command. We recommend exporting operation logs when you want to use their contents elsewhere (for example, in documents).

Organization of this subsection

(1) Collecting logs for suspicious movements of files from systems

JP1/IT Desktop Management 2 can automatically check the contents of operation logs and monitor for suspicious operations that might lead to information leakage through files being moved out of a system.

In a security policy, specify the operations that are to be regarded as suspicious and set the conditions for those operations to be regarded as suspicious.

Operations to be regarded as suspicious:

A file to be monitored satisfies one of the following conditions:

#1: Addresses that partially or completely match the specified address are applicable.

#2: When a monitored file is moved to an address that does not match any of the specified addresses, the operation is determined to be suspicious.

#3: If an IP address is specified, the host name contained in the address of the downloaded file is resolved to an IP address, and that IP address, or an address that partially matches the specified IP address, is applicable.

#4: When a file is moved into the system from an address that does not match any of the specified addresses, the file is determined to be a monitored file.

Acquiring a monitored file is not itself regarded as a suspicious operation. When a monitored file is moved from the system to the outside, the operation is regarded as suspicious and an event is issued.

Example of monitoring emails with attachments

For example, configure the settings as shown in the figure below if you want to perform monitoring as follows:

  • Monitor movements of attached files to outside the company.

  • Do not monitor movements of attached files within the company (where the address hitachi.co.jp is used).

[Figure]

Example of monitoring a web server or FTP server

For example, configure the settings as shown in the figure below if you want to perform monitoring as follows:

  • Do not monitor uploads of Web server A's data to outside the company, because that data may be made public.

  • Monitor uploads of Web server B's data to outside the company, because that data is sensitive.

[Figure]

The products that support monitoring of suspicious operations are the same as the products that support collection of operation logs. For details, see the supported products described in #2, #3, and #4 in 2.10.1 Types of operation logs that can be collected.

Important note

Suspicious operations can be detected correctly only when the file system of the target computer is NTFS. On any other file system, the original file information is not recorded, so suspicious operations might not be detected correctly.