Data Control - Notification

Question

We implemented Data Control policy in our network. Any one transfer data to USB device will create logs in SEC

My questions is

Scenario: A staffperson is offloading a significant amount of sensitive information
Questions:

Would (or could) this activity be highlighted in a fashion on the Sophos console so that it would be brought to our attention? Or, do we simply need to review the detailed logs?

Can we implement thresholds that would provide us notification based on:
- The frequency with which a specific staffperson is offloading data.
- The amount of data being transferred
- The type of data being transferred.

This thread was automatically locked due to age.

jak · Accepted Answer

Hi,

It's not available in SEC but the data is in the database, so a small script (maybe running once an hour) could do it.

Rather than just going for the tables directly, I would suggest doing it offiically using the Sophos Reporting Interface (SRI). This will ensure it keeps working in future versions. The SRI seems to be installed by default in SEC 5.1 (soon to be released), prior to that it's a separate download available through here for V5.0 and V4.x: http://www.sophos.com/en-us/why-sophos/our-people/reporting-interface.aspx . Note: you only need to install the interface not the logwriter. 
 More informaiton can be found on the forum here: /search?q= 8285

The "Views" you are probably interested in are: [Sophos Reporting Interface].[vEventsDataControlData] 
 [Sophos Reporting Interface]. [vComputerHostData ] 
 and if you want SEC group information in the report: [Sophos Reporting Interface]. [vComputerGroupMapping ] 
 [Sophos Reporting Interface]. [vGroupPathAndNameData ]

E.g. to get all of this data in a single query (I'm using SEC 5.1 as I have it on a test machine): 
 SELECT *
 FROM [SOPHOS51].[Sophos Reporting Interface].[vEventsDataControlData] as ed
 inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerHostData] as hd on hd.computerid = ed.ComputerID
 inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerGroupMapping] as cm on cm.ComputerID = hd.ComputerID
 inner join [SOPHOS51].[Sophos Reporting Interface].[vGroupPathAndNameData] as gpn on gpn.GroupID = cm.GroupID

So I would call that data and limit it by: 
 "UserName" 
 "FileSize" (SEC 5.0+ only) 
 "EventTime" 
 "TrueFileType" e.g. "Plain text"

So you could say, in psudo code: for UserName = 'x' where EventTime is within the last day. sum all the FileSize. 
 If sum all the FileSize > 5MB, send email.

One example query might look like 
 SELECT SUM(ed.FileSize) as DataInK
 FROM [SOPHOS51].[Sophos Reporting Interface].[vEventsDataControlData] as ed
 inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerHostData] as hd on hd.computerid = ed.ComputerID
 inner join [SOPHOS51].[Sophos Reporting Interface].[vComputerGroupMapping] as cm on cm.ComputerID = hd.ComputerID
 inner join [SOPHOS51].[Sophos Reporting Interface].[vGroupPathAndNameData] as gpn on gpn.GroupID = cm.GroupID
 where ed.UserName ='domain\user1'
 and ed.EventTime > dateadd(dd, -1, GETUTCDATE())
 
 This will give the total data in the last day for user 'domain\user1'. So the script calling the SQL, could use this returned number to descide on if to alert based on on some value such as (1024*5) for an example 5MB limit threshold.

Hope this gives you some ideas.

Regards, 
 Jak

:24335