Hello Community of Security Professionals 🙂
I am looking for a solution that can monitor a NAS / file storage and quickly identify files that were affected by malicious activity, such as an employee deleting hundreds of files in a short period of time, files that were encrypted during a ransomware attack, etc.
The idea is to efficiently identify the files that were affected for efficient recovery. It is ideal to recover only specific files, rather than a whole drive; identify who performed the malicious act for accountability; have a reporting and alerting mechanism for quick action (I understand prevention is key, but this is for an added layer of security for the unexpected); and quick recovery for the files that were compromised.
Hoping to hear from you.
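The two behaviours the question describes (a burst of deletions by one account, and a burst of renames to a new extension as ransomware rewrites files) can both be detected from the file server's own audit trail, independently of which FIM product is chosen. The script below is an added example, not something from the original thread or from any of the products named later in it: it reads constructed audit events (timestamp, user, action, path, optional new path), finds per-user bursts with a sliding time window, and emits one alert per burst carrying the responsible account and the exact list of touched paths, which is the list you would hand to the restore job. The event format, the thresholds and all sample users and paths are assumptions.

```python
"""Flag mass-delete and mass-rename bursts in file-server audit events.

Added example for the thread above. The CSV-like event format is an
assumption (timestamp,user,action,path[,new_path]); real NAS audit logs
differ in layout but carry the same fields.
"""
import json
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: one user deleting a batch of files in under a
# minute, one user renaming documents to a ".locked" extension, plus normal
# activity that should not be flagged.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00,alice,WRITE,/share/finance/q1.xlsx
2024-03-01T09:00:05,bob,DELETE,/share/hr/old1.docx
2024-03-01T09:00:12,bob,DELETE,/share/hr/old2.docx
2024-03-01T09:00:18,bob,DELETE,/share/hr/old3.docx
2024-03-01T09:00:25,bob,DELETE,/share/hr/old4.docx
2024-03-01T09:00:33,bob,DELETE,/share/hr/old5.docx
2024-03-01T09:00:40,bob,DELETE,/share/hr/old6.docx
2024-03-01T09:05:00,alice,RENAME,/share/finance/report.docx,/share/finance/report_v2.docx
2024-03-01T09:10:00,mallory,RENAME,/share/eng/design.pdf,/share/eng/design.pdf.locked
2024-03-01T09:10:04,mallory,RENAME,/share/eng/specs.docx,/share/eng/specs.docx.locked
2024-03-01T09:10:09,mallory,RENAME,/share/eng/budget.xlsx,/share/eng/budget.xlsx.locked
2024-03-01T09:10:13,mallory,RENAME,/share/eng/notes.txt,/share/eng/notes.txt.locked
2024-03-01T09:10:20,mallory,RENAME,/share/eng/plan.pptx,/share/eng/plan.pptx.locked
2024-03-01T09:30:00,alice,DELETE,/share/finance/tmp.xlsx
2024-03-01T10:00:00,bob,DELETE,/share/hr/old7.docx
"""


def parse_events(text):
    """Turn the CSV-like text into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        ts, user, action, path = parts[:4]
        new_path = parts[4] if len(parts) > 4 and parts[4] else None
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path, "new_path": new_path})
    return events


def detect_bursts(events, kind, threshold, window):
    """Per user, report runs of events where `threshold` or more fall inside
    `window`; a burst stays open while events keep arriving within `window`
    of the previous one, so the alert lists every file in the run."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()   # events inside the current sliding window
        current = None     # alert being extended, if any
        for e in evs:
            if current is not None and e["ts"] - current["last"] > window:
                alerts.append(current)   # gap too long: close the burst
                current, recent = None, deque()
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if current is not None:
                current["files"].append(e["path"])
                current["last"], current["count"] = e["ts"], current["count"] + 1
            elif len(recent) >= threshold:
                current = {"kind": kind, "user": user, "start": recent[0]["ts"],
                           "last": e["ts"], "count": len(recent),
                           "files": [r["path"] for r in recent]}
        if current is not None:
            alerts.append(current)
    return alerts


def analyze(text, threshold=5, window_seconds=60):
    """Run both detections; returns alerts with user, count and affected files."""
    events = parse_events(text)
    window = timedelta(seconds=window_seconds)
    deletes = [e for e in events if e["action"] == "DELETE"]
    # Only renames that change the extension count towards the ransomware
    # heuristic; ordinary "report.docx -> report_v2.docx" renames do not.
    ext_renames = [e for e in events if e["action"] == "RENAME" and e["new_path"]
                   and os.path.splitext(e["path"])[1] != os.path.splitext(e["new_path"])[1]]
    return (detect_bursts(deletes, "mass_delete", threshold, window)
            + detect_bursts(ext_renames, "mass_extension_rename", threshold, window))


if __name__ == "__main__":
    # JSON output is the shape you would forward to a SIEM or ticketing system.
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2, default=str))
```

Tune `threshold` and `window_seconds` to the share's normal churn (a nightly cleanup job deleting 200 files is legitimate; the same from an interactive user account at 03:00 is not), and run the detection on the server-side audit log rather than on client events so a compromised workstation cannot suppress it.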
Hi @bsdulay, I went through a comprehensive assessment on behalf of a client recently. I can privately share my recommendations, if you wish.
However, I went through a multitude of Open Systems, i.e. CFEngine, freeware, various licensing requirements, through to commercial solutions.
The top of the list is normally Tripwire, but to be quite frank and objective, everyone must be trained to use it correctly; it generates lots and lots of false positives and needs a lot of support and maintenance.
However, the Tripwire checklist is a great resource for validating and comparing other candidates.
Financial institutions use it extensively, but they invest in training their staff and maintaining it.
However, in my case, given the client's circumstances, I put through a different recommendation based on NTT Change Tracker R2, as it was far more economical for this particular client, and included some good AI capabilities, great reporting facilities and integration with good support, and the overall resource requirements were ideal for the use cases required.
@jksec Asking questions of the organisation directly. Many of these FIM solutions pretend to be either add-ons to SIEMs or are actually a full-blown SIEM themselves. I will report back in due course.
@bsdulay Microfocus Change Guardian can redirect alerts to SIEM solutions like Sentinel (from Microfocus) and also work with other SIEM solutions, i.e. Splunk, etc.