
Alert on USB data transfer

I am looking into ways to trigger an alert with Sophos endpoint security when someone copies more than 10 MB of data to a USB key (either single file, or multiple files).

Is this possible to do with Sophos Endpoint or any other Sophos software?



  • Hello EdvinMalaj,

    definitely not with SESC, dunno about any other Sophos software but I don't think so as size doesn't matter (much) when it comes to security. Monitoring the size of an on-endpoint transfer (and especially an accumulated value) ... I'd say such a product won't be inexpensive. 
    Could you disclose why you need such a feature? 

    Christian

  • Thanks Christian,

    It is a client request. They want to be alerted when someone copies to a USB stick let's say more than 50 MB of data, instead of every file copy, which might be for legit purposes.

    Edvin.

  • Hello Edvin,

    I see. I'm not Sophos and I don't have any insider knowledge (I'm just a long-time SESC customer). 
    "Size doesn't matter" was only in part intended as a funny remark. It's usually (potential) content that one is interested in when monitoring or restricting data transfer to storage devices. A few kB can already contain lots of sensitive data while, say, a publicly available sales video can be quite large.

    I'm still puzzling over the notion that an occasional copy of a few MB is considered legit and greater amounts not. Not to forget, devices on USB might not present themselves as drives. Perhaps what the client wants is not what they say (or think) they need.

    Christian 

  • Hello Christian,

    I understand your point; the reason we need that kind of alert is not for restricting sensitive data, but to be warned in case a big amount of data is being transferred to a USB disk. For example, if someone is thinking of leaving the company but has not requested or been authorized to take away data he/she has been working on.

    Another issue I am having with this setup is that even if I set up email alerts for Data Control, they are not working; no email arrives. I can see the event logged under Events - Data Control Events, and email alerts are working fine for Anti-Virus and HIPS alerts. Have you seen a similar issue in the past? In the Exchange server logs there seems to be nothing logged either.

    Many thanks,

    Edvin.

  • Hello Edvin,

    I see - very tricky if you generally permit USB devices. What about MTP devices (cameras, smart phones, ...), or cloud storage?

    As for email alerts - they should work (and they do, used to do also for allow and log events). IIRC they use the same mechanism as AV ... have to check when I'm at work if there are any gotchas.

    Christian

  • Hello,

    In the Data Control Event Viewer in SEC, there is a column for the size of the file so the data is in the database along with the other values you can see, i.e. the known user, file type, computer, rule, time, filename, path and destination type.

    It would therefore be feasible (with the data control events you require to monitor reported to SEC) to write a script (simple VBS or PowerShell, whatever you're most familiar with) that queries the 'core' Sophos database, say every 5 minutes, and emails one or more addresses if a new item was found matching the required criteria. This would provide almost real-time alerts of new copies you're interested in by size.

    The values you need, including "Filesize", are exposed by the Sophos Reporting Interface (SRI) - https://www.sophos.com/en-us/medialibrary/PDFs/documentation/sec_52_sriugeng.pdf - so it shouldn't change under you.

    select * from [Sophos Reporting Interface].VEventsDataControlData

    will give you a starter as to what is available in your database, and you can see filesize.

    It would also be possible, and to some degree easier (the previous method would need to persist in some way the alerts already alerted to), to email a daily report of all files larger than x size moved to a removable storage device, by which user, on which device, for which rule etc. The script could just run as a scheduled task, and as the query would just be all events in the last 24 hours, for example, you wouldn't need to worry about keeping track of those already alerted to.

    I would probably use CDO to send an email with a generated HTML file (table of the required data) attached as the report.

    Hope it helps.

    Regards,

    Jak

  • Thanks Christian,

    We do have Sophos SafeGuard Enterprise and I think we can allow only USB disks and request data to be encrypted to those devices; I guess that should work to filter out MTP devices? I am still learning with Sophos products.

    The email alerts seem not to work, even though everything is correctly configured. I have raised a support incident with Sophos as well.

    Edvin.

  • Jak,

    that was a very useful tip. I have reached the point where I can generate a table with today's events from the SQL DB and group by the username, but due to my limited SQL skills I don't know how to add up the file size column for each user.

    Once sorted that out I can look at how to send an email with the results.

    Thanks,

    Edvin.

  • Hi,

    The following might help as a way to get the total data in KB moved per user.

    I've left some conditions in there as examples; maybe you want to use them, and if not you can drop them.

    SELECT
    UserName, SUM(FileSize)/1024 AS TotalSizeKB
    FROM
    [Sophos Reporting Interface].vEventsDataControlData
    WHERE
    DestinationValue IN ('removableStorage','Outlook')
    AND
    DATEDIFF(dd,EventTime,GETUTCDATE()) < 1
    GROUP BY UserName
    ORDER BY SUM(FileSize) DESC

    Hopefully it gives you something to start from.

    Regards,

    Jak

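Putting Jak's two replies together (the scheduled-task report from the first, the per-user SUM from the second), here is an added PowerShell example that is not from the thread or from Sophos: it runs the SRI query with a per-user threshold and emails an HTML table when anyone is over it. The server, database name, threshold and mail settings are assumptions to replace; the view and column names are the ones Jak's query uses.

```powershell
# Added example, not code from this thread. Daily report of users whose summed
# FileSize to removable storage exceeds a threshold, read from the SRI view
# Jak's reply uses. Placeholders below are assumptions; replace them before
# running this as a scheduled task under an account with read access to SEC's DB.
$SqlServer   = 'SEC-SQL\SOPHOS'          # placeholder: SEC database server\instance
$Database    = 'SOPHOS_CORE_DB'          # placeholder: the 'core' SEC database name
$ThresholdMB = 50                        # the 50 MB figure mentioned in the thread
$MailFrom    = 'sec-alerts@example.com'  # placeholder
$MailTo      = 'secops@example.com'      # placeholder
$SmtpServer  = 'smtp.example.com'        # placeholder

# Per-user total of FileSize (bytes) for removable-storage events in the last
# 24 hours, kept only where the total is above the threshold. The threshold is
# passed as a SQL parameter rather than pasted into the query string.
$Query = @"
SELECT UserName,
       COUNT(*)              AS FileCount,
       SUM(FileSize)/1048576 AS TotalSizeMB
FROM   [Sophos Reporting Interface].vEventsDataControlData
WHERE  DestinationValue = 'removableStorage'
  AND  EventTime >= DATEADD(hh, -24, GETUTCDATE())
GROUP BY UserName
HAVING SUM(FileSize) > @ThresholdBytes
ORDER BY SUM(FileSize) DESC
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=True")
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $Query
[void]$cmd.Parameters.AddWithValue('@ThresholdBytes', [long]$ThresholdMB * 1MB)

$table = New-Object System.Data.DataTable
$conn.Open()
try     { $table.Load($cmd.ExecuteReader()) }
finally { $conn.Close() }

# Only send mail when at least one user crossed the threshold in the window.
if ($table.Rows.Count -gt 0) {
    # HTML table as the report body, along the lines of Jak's suggestion.
    $html = $table | Select-Object UserName, FileCount, TotalSizeMB |
            ConvertTo-Html -Title 'Removable storage copies over threshold' |
            Out-String
    Send-MailMessage -From $MailFrom -To $MailTo -SmtpServer $SmtpServer `
        -Subject "USB copies over ${ThresholdMB} MB in the last 24h" `
        -Body $html -BodyAsHtml
}
```

Keep Christian's later point in mind when reading the totals: in "allow and log" mode not every event necessarily reaches SEC, so the per-user figures are a lower bound, not a complete audit.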
  • Thank you both for your suggestions. Very useful to have access to the Database via SQL indeed. 

    I have noticed that in some cases the database holds fewer events than actually happened. I mean a user copies 100 files to USB, but in the database there is only a subset, for example 20 entries.

    Is this a bug or some other issue?

    thanks again,

    Edvin.

  • Hello Edvin,

    One of my replies in this rather old thread suggests that I once thought to remember that in "audit" mode not all events are logged/sent (if this is indeed the case, then probably for performance reasons, as the "Allow and log" mode is not intended for strict auditing but only for "getting a picture" of data transfer activity).

    Christian