Detecting Data Exfiltration - Who is watching your employees actions?

How do you know whether your trusted employees are stealing sensitive data? Companies have to give them the access they need to do their jobs (using USB drives, touching file shares, and so on), but they also need to monitor what is done with that access.

With Change Guardian and Sentinel we can detect this and raise alerts in real time. In today's example we watch for someone attaching a USB drive to their computer and then copying more than 4 files to it within a 5-minute window. Both numbers are arbitrary starting points: tune them to your environment, since too low a threshold buries the analyst in alerts from legitimate use and too high a threshold lets a slow copy go unnoticed.

1. Setting up the Change Guardian Policy

In Change Guardian, enable a policy on your computers that watches for USB device attachment and for files being written to the device, as shown in the screen shot.

[Screen shot: Change Guardian policy settings]

Once the policy is created, apply it to the appropriate computers via the Policy Assignment/Policy Set Manager.

2. Generate Data

While you can create the rule by hand, Sentinel's drag-and-drop rule creator makes that unnecessary. Start by plugging in a USB drive and copying a couple of files to it so that the events you want to correlate actually exist in Sentinel.

[Screen shot: generated USB and file events in Sentinel]


3. Create Correlation Rule

Select the log messages and go to "Event Operations -> Create Correlation Rule". This opens the rule builder. Drag the wording "Device was Attached" into the top block; this becomes the first event that must occur for the rule to fire. Then click the "Subrule" button to open a second rule block and drag "File was Written" into it. In that second block, set the count to your threshold (4 in my example) and the time to watch for those events (5 minutes in my example). In the "Group by" field of both the rule and the "File was Written" block, select Source Host Name so that the attach event and the file writes must all come from the same computer. Without that grouping, one user attaching a drive and four other users writing files elsewhere would satisfy the rule.

[Screen shot: correlation rule with the "Device was Attached" block and the "File was Written" subrule]

Once done give the rule a name and description. You can create an Alert or add any action you wish to the event. Save and deploy the rule.

4. Test the Rule

Now that the rule is in place, plug in a USB device and copy enough files to it to cross the threshold, in the same way you generated the logs earlier. Check whether the correlated event was created. It is also worth copying fewer files than the threshold, or spreading the copies over longer than the window, to confirm the rule stays quiet when it should.

[Screen shot: correlated event raised by the rule]
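To make the correlation logic from steps 3 and 4 concrete, here is a small stand-alone implementation of the same sequence rule in Python. This is an added example, not Change Guardian or Sentinel code, and the "timestamp | host | message" log layout, the host names and the event lines are all constructed for the example. It fires once per (host, attach) when the threshold number of "File was Written" events follows a "Device was Attached" event from the same host inside the window, and it ignores writes that have no preceding attach or that fall outside the window.

```python
"""Sequence correlation: 'Device was Attached' followed by N 'File was Written'
events from the same host within a time window. Added example; not the
product's own rule engine."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in an invented "timestamp | host | message" layout.
# WS-042: attach, then 5 writes within 5 minutes  -> should alert (at the 4th write)
# WS-017: writes with no attach event             -> must not alert
# WS-099: attach, 1 write in window, 3 later      -> must not alert
SAMPLE_LOG = """\
2015-04-03 10:19:00 | WS-042 | Device was Attached
2015-04-03 10:19:30 | WS-042 | File was Written
2015-04-03 10:19:45 | WS-017 | File was Written
2015-04-03 10:20:10 | WS-042 | File was Written
2015-04-03 10:00:00 | WS-099 | Device was Attached
2015-04-03 10:00:10 | WS-099 | File was Written
2015-04-03 10:10:00 | WS-099 | File was Written
2015-04-03 10:11:00 | WS-099 | File was Written
2015-04-03 10:12:00 | WS-099 | File was Written
2015-04-03 10:21:05 | WS-042 | File was Written
2015-04-03 10:22:40 | WS-042 | File was Written
2015-04-03 10:23:00 | WS-042 | File was Written
"""


def parse_log(text):
    """Parse the constructed layout into (time, host, message) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, msg = (part.strip() for part in line.split("|", 2))
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, msg))
    # Correlation assumes time order; the sample is deliberately interleaved.
    return sorted(events)


def correlate(events, threshold=4, window=timedelta(minutes=5)):
    """Return one alert per (host, attach time) when `threshold` file writes
    follow a device attach on the same host within `window` of the attach.

    This mirrors the rule's "Group by Source Host Name": state is kept per host,
    so writes on one machine never count toward an attach on another."""
    attach_at = {}                # host -> time of the most recent attach
    writes = defaultdict(list)    # host -> write times since that attach
    alerted = set()               # (host, attach time) pairs already reported
    alerts = []
    for ts, host, msg in events:
        if msg == "Device was Attached":
            attach_at[host] = ts  # a new attach restarts the count for this host
            writes[host] = []
        elif msg == "File was Written":
            start = attach_at.get(host)
            # No attach seen on this host, or the write is outside the window: ignore.
            if start is None or ts - start > window:
                continue
            writes[host].append(ts)
            key = (host, start)
            if len(writes[host]) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"host": host, "attached": start,
                               "fired_at": ts, "files": len(writes[host])})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(f"{alert['host']}: {alert['files']} files written after USB attach "
              f"at {alert['attached']:%H:%M:%S} (fired {alert['fired_at']:%H:%M:%S})")
```

Run it and only WS-042 is reported, at the fourth write; raising `threshold` to 6 silences it, and lowering it to 1 also reports WS-099, which is exactly the tuning trade-off mentioned above. Note that the window here is measured from the attach event, so someone who copies three files, waits six minutes and copies three more is not caught; if that matters, track a sliding window over the write timestamps instead.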



Hope this helps show how Change Guardian and Sentinel can work together to tackle challenges all IT organizations face.

Please suggest a new topic if you have something you have been looking for.



Personally, I need this software because we have a graphic production house with 200+ employees working here, so we need monitoring of when they are using a USB drive.
Last update: 2015-04-03 18:35