Simplifying security auditing, Part 2: Auditing systems that store sensitive data 

In part 1, we looked at an overview of auditing servers. In this blog, we'll discuss which events you need to audit in your databases and file servers where sensitive data is stored. New data protection regulations and large-scale global attacks have made this more important than ever before. The main goal is to not only ensure that the accesses and modifications to sensitive data in your network are authorized, but also that file and column integrity are maintained. Monitoring these activities in real-time also helps you instantly identify malicious activity such as ransomware attacks and SQL injections.

You need to know who accessed an object, which object was accessed, when the object was accessed, and what the changed values are. These are some events you should be tracking on your file servers:

  • File accesses

  • File creations

  • File movements

  • File deletions

  • File renamings

  • File modifications

  • File permission changes

  • SACL changes

Remember, while reviewing these events, you need to track both successful and failed attempts. We also recommend generating granular reports based on specific users and processes so that you get in-depth insight into file server activity. You can also configure alerts for indicators of compromise (IOCs) such as the occurrence of several file modifications within a short period of time, which could indicate ransomware activity in your environment.

 When it comes to databases, you need to track:

  • DML events such as selections and updates made to tables.

  • DDL events such as the creation, dropping, or alteration of databases, tables, and procedures.

  • Server activity such as startups and shutdowns.

  • User account activity including the creation and modification of users and roles.

Advanced SIEM solutions can go a step further and correlate activity in your file servers, databases, and other parts of your network to detect complex attack patterns. They can also detect anomalies using machine learning, a feature known as UBA (user behavior analytics).

Stay tuned for part 3 where we'll dive into auditing Active Directory in real-time. In the meantime, download our 10 crucial audit reports for IT security e-book.