In my last post, we determined that someone added a fictitious user account, “Allen Carey,” to Active Directory and this account was used to steal trade secrets from “Alpha Chemicals.” Fortunately, you had the foresight to install the DatAdvantage suite of products which will help recreate the activities performed by “Allen Carey” but more importantly, will help you ensure that your trade secrets are properly protected and monitored.
As you know, DatAdvantage provides a full audit trail, tracking both event activity and permission changes in a single interface. As a result, complex tasks, such as correlating the activities performed by any user account across multiple platforms, become simple. In our hypothetical situation, the activities performed by “Allen Carey” took place within Active Directory, Windows Servers, SharePoint and Exchange. The “Allen Carey” account made permission changes and was used to obtain sensitive information, information that could devastate the financial future of our hypothetical company, “Alpha Chemicals.”
By using DatAdvantage you’ve determined the following:
- On November 18th at 6am (during the company’s change management window), Carol Edwards’s domain admin account was used to create a new user, “Allen Carey”
- Carol Edwards then added “Allen Carey” to the domain admins group
- Carol added “Allen Carey” to the R&D group within Active Directory
- Carol added “Allen Carey” as a delegate to Bob Darwin’s Exchange Mailbox
- Carol then added send-as permissions to “Allen Carey’s” email account as well as a number of others
- On November 18th at 6:30am Carol Edwards subsequently removed “Allen Carey’s” account from the domain admins group
- All of the above changes were made from the IP address 10.4.2.3
DatAdvantage also revealed that:
- Between November 18th and December 1st, “Allen Carey” performed a number of underhanded activities including:
- Opening documents which contained the words “Transparent Aluminum” within the R&D SharePoint Site
- Opening documents which contained the words “Transparent Aluminum” within the R&D File Server and reading each of the relevant files
- Opening documents which contained the words “Transparent Aluminum” within the R&D public folders and reading each of the relevant files, also from the IP address 10.4.2.3
- Reading email sent to Bob Darwin, who worked in R&D and specifically within the “TP” Group
- Marking all of the Email messages that he viewed as “unread”
- Using the SharePoint site to learn about collaborative activities within the R&D department
- Reviewing financial analysis documents sent by Bob Darwin to the finance department
- Using his Exchange “send-as” permissions to email documents to Bob Darwin’s new public email account (that “Allen Carey” created)
- After a very brief investigation, you found that Michael Allen, a temporary employee, was using a workstation with the IP address 10.4.2.3, the same workstation used by “Allen Carey”
Mystery Solved
The above information was used to determine exactly what happened. On November 1st, Michael Allen began work as a contract employee performing basic network administration for “Alpha Chemicals.” Michael was the type of person you’d like your daughter to date: nice, charming and intelligent. He was a quick study, sociable, and quickly made friends with many people in R&D, application development, infrastructure engineering and operations. On November 2nd, while troubleshooting a network problem using a packet sniffer, Michael encountered a number of packets which contained the words “Transparent Aluminum” and “Confidential.” Michael approached a man by the name of Bob Darwin, who worked in the R&D department, and asked him what he knew about the compound “Transparent Aluminum.” Bob revealed nothing other than that it was the company’s next blockbuster product.
In mid-November Michael started dating a girl by the name of Carol Edwards. Carol had been with Alpha Chemicals for 20 years and enjoyed Michael’s company. Carol was a Domain Administrator within the IT Department with responsibility for all of the R&D servers: Windows 2003 and 2008 File Servers, Solaris Servers, SharePoint R&D Sites and both EMC and NetApp NAS storage. Dawn Franklin was a close friend of Carol’s. Dawn was the Exchange administrator and had Exchange Admin privileges across the entire Exchange environment. Michael, Carol and Dawn frequently ate lunch together and were also frequent visitors to the local pub, Scruffy’s. Apparently on November 17th, after a drink-fest at Scruffy’s, Michael obtained Carol’s domain admin password, and “Allen Carey” was conceived.
Intelligent Forensics
Companies require the ability to correlate malicious activities performed on disparate platforms with context about the sensitivity of company data, and authorization/permission changes. For example, in the above scenario, a company would require the ability to:
- Monitor Active Directory user and group permission changes
- Monitor access activity by domain administrators and local administrators
- Monitor access activity within SharePoint Servers
- Monitor access activity within Windows 2003 and Windows 2008 File Servers
- Monitor permission changes within Exchange
- Monitor access activity within Exchange mailboxes
- Monitor access activity within Exchange Public Folders
- Determine where their sensitive information is located
- Monitor email opened by people other than the owner of the mailbox
- Monitor email transmitted outside the company
- Monitor email sent by people other than the owner of a mailbox
- Monitor the people who are marking email as “unread”
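The correlations listed above, as an added example that is not part of the original post and not DatAdvantage’s own logic: a small Python script run over a constructed audit trail (the event names, account names, timestamps and IP addresses are assumed, modelled on the “Allen Carey” timeline) that flags a short-lived Domain Admins grant, lists mailbox activity by someone other than the mailbox owner, and pivots on the source workstation IP.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    platform: str
    actor: str     # account that performed the action
    action: str
    target: str    # "group|member", "mailbox|grantee", or a mailbox name
    src_ip: str

# Constructed sample audit trail (not real DatAdvantage output).
RAW = [
    ("2010-11-18T06:00", "AD", "cedwards", "user_created", "acarey", "10.4.2.3"),
    ("2010-11-18T06:02", "AD", "cedwards", "group_add", "Domain Admins|acarey", "10.4.2.3"),
    ("2010-11-18T06:05", "AD", "cedwards", "group_add", "R&D|acarey", "10.4.2.3"),
    ("2010-11-18T06:10", "Exchange", "cedwards", "delegate_add", "bdarwin|acarey", "10.4.2.3"),
    ("2010-11-18T06:12", "Exchange", "cedwards", "send_as_grant", "bdarwin|acarey", "10.4.2.3"),
    ("2010-11-18T06:30", "AD", "cedwards", "group_remove", "Domain Admins|acarey", "10.4.2.3"),
    ("2010-11-20T09:15", "Exchange", "acarey", "mailbox_read", "bdarwin", "10.4.2.3"),
    ("2010-11-20T09:16", "Exchange", "acarey", "mark_unread", "bdarwin", "10.4.2.3"),
    ("2010-11-22T14:00", "Exchange", "acarey", "send_as", "bdarwin", "10.4.2.3"),
    ("2010-11-25T11:00", "Exchange", "bdarwin", "mailbox_read", "bdarwin", "10.4.9.8"),
]
EVENTS = [Event(datetime.fromisoformat(t), *rest) for t, *rest in RAW]

def transient_admin_grants(events, window=timedelta(hours=1)):
    """Members added to Domain Admins and removed again within `window`.
    Returns (member, granting actor, granted_at, revoked_at) tuples."""
    pending, hits = {}, []
    for e in sorted(events, key=lambda x: x.ts):
        group, _, member = e.target.partition("|")
        if e.platform != "AD" or group != "Domain Admins":
            continue
        if e.action == "group_add":
            pending[member] = e
        elif e.action == "group_remove" and member in pending:
            grant = pending.pop(member)
            if e.ts - grant.ts <= window:
                hits.append((member, grant.actor, grant.ts, e.ts))
    return hits

def non_owner_mailbox_actions(events):
    """Reads, mark-unread and send-as on a mailbox by someone other than its
    owner, keyed by (mailbox, actor) -> set of actions seen."""
    watched = {"mailbox_read", "mark_unread", "send_as"}
    out = {}
    for e in events:
        if e.platform == "Exchange" and e.action in watched and e.actor != e.target:
            out.setdefault((e.target, e.actor), set()).add(e.action)
    return out

def actors_from_ip(events, ip):
    """Pivot on the workstation: every account that acted from `ip`."""
    return {e.actor for e in events if e.src_ip == ip}
```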
DatAdvantage provides these capabilities. Want to see for yourself? Sign up for a free 30-day evaluation of the entire Varonis Data Governance Suite today.
