Any seasoned IT pro will tell you: auditing file and email activity is hard. You’ve got a production Exchange or SharePoint server being pounded on relentlessly by users all day long and now you want to turn on auditing to capture crucial metadata, but you’re worried about taxing the box and running out of disk space storing all the audit data. Dilemma.
In addition to performance and scalability challenges, auditing is hard for other reasons, too. How do you ensure you’re capturing every event continuously without any gaps? What about the output? Where does it go? Can I search it? Build reports? Get alerts?
It might sound scary, but if you can overcome these obstacles, metadata about your most important information assets, like emails and files, can be leveraged for a myriad of use cases (finding “lost” data, detecting data breaches, identifying stale data, and many more).
Here are 8 things to consider when looking at file auditing products:
- Does it require that you turn on native auditing (which can often be taxing on the box) and read raw log files?
- How much audit data can it store, where, and for how long (some products don’t normalize well and you have to purge audit data often)?
- Is the audit data accessible to other complimentary products? On the flip side, can it take other data sources in?
- Is the audit data easily searchable, sort-able, and reportable (raw text in an event viewer just doesn’t cut it)?
- Is the audit data unified (i.e., can I look at what a user is doing across Exchange, SharePoint, file servers, etc. in a single view)?
- Is the audit data correlated with other metadata (i.e., who’s using data + data sensitivity indicators = win)?
- Is the audit data actionable (i.e., if you see a user touching data they shouldn’t, can you safely lock it down or create a real-time alert in case it happens again)?
- Is the auditing real-time and comprehensive? (some native auditing systems don’t capture all event types)
I hope these questions help you formulate a plan for deciding which file and email auditing software works for your environment and use cases. As always, test your auditing software!
Have additional questions? Feel free to reach out to us on Twitter: @varonis.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.