Electronic security is a major concern for governments, organizations, businesses, and individuals. It seems that a day cannot go by without some news related to a security breach.
Moreover, it is becoming clear that security concerns are not limited to unauthorized intruders into electronic systems; a significant share of security breaches is caused by someone who has authorized access to the electronic systems, such as an employee or a contractor of the employer.
Organizations do have a variety of monitoring systems to minimize insider abuses of electronic assets. However, most of these monitoring systems do not provide real-time notifications and real-time responses; as a result, the damage from an employee acting outside the scope of his/her authorization has long since concluded by the time the employer learns of the employee's actions. The employee may have already left the employment of the employer (or left the country, in cases of government employee abuses).
Another problem arises with existing monitoring systems as well. Applications accessed by users within a network environment may take a variety of not-so-obvious actions when persisting data to the file system, impeding a monitoring system's ability to clearly detect the final result of a persistent change in near real time. For example, when editing a file with Microsoft Word®, changes are made to a temporary copy of the original file. When the user saves their changes, the original file is deleted and the temporary file used during editing is renamed to the original file name. So, on completion of persisting changes to a file through Microsoft Word®, no file write operations occur on the original file. An observer that scans files would have to periodically compare file modification dates for updates and then compare the file against an offline cache in order to determine whether a change had actually occurred. Furthermore, the file handle (the file system's unique reference to a file) was changed during the save process, making it difficult for automated systems to track the file over its lifetime.
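The save pattern just described can be reproduced and checked locally. The following added example (not code from the original text or from any product it names) simulates the "write a temporary copy, delete the original, rename the temporary over it" sequence, records a baseline of inode number, modification time and SHA-256 content hash for the file, and then shows that a cache-based comparison detects both the replaced identity and the changed content even though the original path never received a write. The editor routine, the file name and the contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass


def word_style_save(path: str, new_content: bytes) -> None:
    """Mimic the editor behaviour described above (constructed, not Word itself):
    write to a temp copy, delete the original, rename the temp over its name."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".~tmp-")
    with os.fdopen(fd, "wb") as tmp:
        tmp.write(new_content)
    os.remove(path)            # the original is deleted, never written to
    os.rename(tmp_path, path)  # the temp file takes over the original's name


def sha256_file(path: str) -> str:
    """Content hash used as the 'offline cache' comparison key."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass(frozen=True)
class Baseline:
    inode: int        # the file system's identity for the file (st_ino)
    mtime_ns: int     # modification time in nanoseconds
    sha256: str       # content hash at baseline time


class BaselineCache:
    """Offline cache of (inode, mtime, content hash) per monitored path."""

    def __init__(self) -> None:
        self._entries: dict[str, Baseline] = {}

    def record(self, path: str) -> Baseline:
        st = os.stat(path)
        entry = Baseline(st.st_ino, st.st_mtime_ns, sha256_file(path))
        self._entries[path] = entry
        return entry

    def check(self, path: str) -> dict[str, bool]:
        """Compare the file currently at `path` with the cached baseline."""
        old = self._entries[path]
        st = os.stat(path)
        return {
            # True when the name now points at a different inode (handle replaced)
            "identity_changed": st.st_ino != old.inode,
            # mtime granularity depends on the file system; not relied on alone
            "mtime_changed": st.st_mtime_ns != old.mtime_ns,
            # the definitive signal: content differs from the cached copy
            "content_changed": sha256_file(path) != old.sha256,
        }


def simulate(edit: bool) -> dict[str, bool]:
    """Create a constructed file, record a baseline, optionally perform a
    word-style save, and return what the cache-based check reports."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "report.docx")   # constructed file name
        with open(target, "wb") as f:
            f.write(b"original contents")                 # constructed contents
        cache = BaselineCache()
        cache.record(target)
        if edit:
            word_style_save(target, b"edited contents")
        return cache.check(target)


if __name__ == "__main__":
    print("untouched: ", simulate(edit=False))
    print("after save:", simulate(edit=True))
```

The point to take from the output is that `identity_changed` is reported alongside `content_changed`: a monitor keyed on the original file handle or inode loses the file at the rename, so the cache has to be keyed on the path and verified by content, which is exactly the periodic-comparison cost the text describes.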
Modern computing environments rely on file systems that are growing in size and complexity. Specifying every critical file that needs to be monitored individually is time intensive and hard to maintain as new critical files are introduced over time. In order to enable an effective monitoring strategy, administrators need to be able to specify monitoring targets in groups (by location, by file type, by file name pattern, etc.). Further, because various applications interact with the file system in unique ways, monitoring systems can produce erroneous events and false positives.
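One way to express monitoring targets as groups rather than as individual files is a small rule model in which each group combines a location prefix, a set of file types and a file name pattern, plus an exclusion list for application scratch files that would otherwise generate the false positives mentioned above. The example below is added here and is not code from the original text; the group names, directories and the sample paths are constructed, and the exclusion patterns (`~$*`, `*.tmp`) are illustrative patterns for editor lock and temporary files rather than a complete list.

```python
import fnmatch
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class TargetGroup:
    """One monitoring rule. Every criterion that is given must match (AND);
    a criterion left empty matches anything."""
    name: str
    locations: tuple = ()         # directory prefixes, e.g. "/srv/finance"
    extensions: tuple = ()        # file types, lower-case, e.g. ".xlsx"
    name_patterns: tuple = ()     # glob on the base name, e.g. "payroll-*"
    exclude_patterns: tuple = ()  # scratch files to ignore, e.g. "~$*", "*.tmp"

    def matches(self, path: str) -> bool:
        base = posixpath.basename(path)
        # Exclusions win first so editor temp files never raise an event.
        if any(fnmatch.fnmatch(base, p) for p in self.exclude_patterns):
            return False
        if self.locations and not any(
            path == loc or path.startswith(loc.rstrip("/") + "/")
            for loc in self.locations
        ):
            return False
        if self.extensions and posixpath.splitext(base)[1].lower() not in self.extensions:
            return False
        if self.name_patterns and not any(
            fnmatch.fnmatch(base, p) for p in self.name_patterns
        ):
            return False
        return True


def matching_groups(path: str, groups) -> list:
    """Names of every group whose rule covers `path` (empty list = not monitored)."""
    return [g.name for g in groups if g.matches(path)]


# Constructed example policy: three groups defined by location, type and pattern.
GROUPS = (
    TargetGroup("finance-spreadsheets",
                locations=("/srv/finance",),
                extensions=(".xlsx", ".csv")),
    TargetGroup("all-config",
                name_patterns=("*.conf", "*.ini")),
    TargetGroup("hr-documents",
                locations=("/srv/hr",),
                extensions=(".docx",),
                exclude_patterns=("~$*", "*.tmp")),
)

# Constructed sample paths a scanner might encounter.
SAMPLE_PATHS = (
    "/srv/finance/payroll-2024.xlsx",
    "/srv/finance/notes.txt",
    "/srv/financeX/payroll-2024.xlsx",   # prefix look-alike, not under /srv/finance
    "/etc/httpd/httpd.conf",
    "/srv/hr/contracts/offer.docx",
    "/srv/hr/contracts/~$offer.docx",    # editor lock file, excluded
)


def classify_all(paths=SAMPLE_PATHS, groups=GROUPS) -> dict:
    """Map each path to the list of groups that monitor it."""
    return {p: matching_groups(p, groups) for p in paths}


if __name__ == "__main__":
    for path, names in classify_all().items():
        print(f"{path:40s} -> {names or '(not monitored)'}")
```

Adding a new critical file under `/srv/finance` needs no policy change, which is the maintenance property the text asks for; the exclusion list is where per-application idiosyncrasies are absorbed without touching the rest of the rule.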
Each user application can have its own idiosyncrasies that monitoring systems are not equipped to handle, because they are largely based on a "one size fits all" approach and are not customizable to address each specific user application that an enterprise has in its network environment. Still further, applications are updated, upgraded, and added on a frequent basis, such that even if existing monitoring systems were capable of customization, they would need to be updated each time a new application is added or changed.