Detect mass file deletion
Posted by StrikingPeace@reddit | sysadmin | 63 comments
Is there a way we can detect when a user performs a mass file deletion or mass file copy/move?
We've had issues this year where disgruntled employees whose jobs were terminated left their laptop files wiped (Desktop, Downloads, Documents, etc.).
Whilst we have backups in place and can retrieve the data, in some particular cases which I won't go into the elaborate details of, we may fail to retrieve the data.
What I'm concerned with at the moment is whether there can be an alert once a user deletes mass data, or a sensor that detects a sudden drop in used hard drive space.
ConsciousValuable781@reddit
Logtrace, we installed its client on the member's PC (it has self-protection and will not be deleted), it monitors various file operations and application operations for us (the monitoring content can be customized), and then actively generates reports for us, or we search and filter directly on the management end, it is very direct software. And it is very cheap, we upgraded to the paid version, one year is only 5 or 10 US dollars.
ArsenalITTwo@reddit
Who cares - OneDrive known folder move, etc. File Server is easier with a SIEM / Audit Logging but local machines are a nightmare as users delete, modify and move files all the time.
HisAnger@reddit
I bet you don't have git repos. Before I noticed that I had placed a git repo on OneDrive .... I had a 750k files diff after 3 days. 6 months later OneDrive still notifies me that it cannot sync randomly or that my trash can have tens of thousands of files that are about to be perma deleted
catlikerefluxes@reddit
Why are you putting git repos in your OneDrive documents folder?
bmxfelon420@reddit
Because I like to party
HisAnger@reddit
New pc, monday morning before coffee
__ZOMBOY__@reddit
“Oops”
Hollow3ddd@reddit
Onedrive backups are a must. They can delete their hearts content
4t0mik@reddit
The timing is such a hard thing to get across. Oh, hey this person is leaving on June 1st....so you can script them then. Also, can you watch them as they seem a little mad we are letting them go.
Uhhhh you might want to just call it now if you are worried.
RiceeeChrispies@reddit
Yup, OneDrive KFM with a solid backup solution for user devices.
No longer having to educate users about where to save is awesome, makes rolling out new kit easy as well.
Clamd1gger@reddit
Sounds like a policy issue. OneDrive or folder redirects for the technical side of things.
But generally speaking, most orgs try NOT to have to backup workstations and train employees to avoid storing data directly on their devices.
I guess it depends on whether you want/need said data. But ultimately, tracking massive changes is just chasing your tail. You might as well just script out backing up their files to a centralized share. Having a report that a termed employee did something wrong isn’t very valuable.
nerfblasters@reddit
Wazuh is a free open source SIEM that will do File Integrity Monitoring and detect any changes to specified paths.
Agent is relatively lightweight (<20MB ram used from the agent on my laptop), and the initial setup can be pretty quick - like under an hour and you're ingesting and parsing logs.
Tuning it and writing custom rules to increase your signal to noise ratio takes some time, but it can also save you a ton of time down the road when you're trying to investigate stuff like "random" account lockouts.
DarkAlman@reddit
Sounds like you are trying to solve an HR problem with IT
Management and HR should be seizing their equipment and having the accounts disabled before they are given their termination notice.
Why are you letting a terminated employee touch a computer?
ADAudit and various other monitoring tools can be programmed to alert if they detect such a thing.
You also have good backups right?
thortgot@reddit
Voluntary leavers often do this kind of thing prior to providing notice.
Very few companies back up individual workstations, enforcing OneDrive sync is generally the most you'll see.
Lordcorvin1@reddit
From your wording, it sounds like the person is deleting from their personal PC/Laptop before giving it back, maybe they have tax forms and the rest they want to clean out.
I see no reason why you need to keep track of that, it might be even illegal in EU.
Otherwise, keep backups for your server hourly at least.
iwoketoanightmare@reddit
Stop making employees disgruntled.
poweradmincom@reddit
PA File Sight was originally designed for this exact scenario (and now it does more as well).
GelatinousSalsa@reddit
HR problem. The employment contract should have some clause in it about destruction of company property. Work files on a company computer is company property.
vesko1241@reddit
Zabbix can have a trigger that fires whenever the disk space has dropped by a specific amount over a specific period of time. But that would be after the fact; before that, make a procedure that makes a full backup a day before termination, and revoke users' rights or grant read-only on their last day of termination.
mb194dc@reddit
Permissions and backups ? Make sure the data is somewhere that can't happen in the first place and that it's backed up.
melasses@reddit
Why would someone do something preventing them from being able to give a reference. Hard to explain what you did before you applied for the next work. Being in prison would likely be a better explanation.
tjn182@reddit
I see where you are going, but the strategy is flawed.
Employees will do this on termination, or in anticipation of termination or quitting. They'll tidy up their desktop, delete documents. It's like cleaning their desk, but for some reason people do it on their computer. It's usually not malicious. So looking for a solution against this is kind of a moot point. OneDrive sync is helpful because an admin can preemptively download a user's files before term.
Now a mass file deletion on a file server is different. There is software like Network File Auditor that can alert on things like that. Problem is: it works off the file server's event logs, which show write (approve/deny), delete (approve/deny), and read (approve/deny). So it can't tell you a file was copied, but that it was simply created like any other file. Cut and paste = delete and write.
So you can't really tell exactly what people are doing. The reads are even more off, because the machine may try indexing, which reads all subfolders. Logging each event.
But the mass file deletion would be deterred by making sure people have granular network access. Security groups on folders, users in security groups. Only person that can cause massive damage would be an admin - otherwise restore data from backups.
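An added example (not code from the thread or from any product named in it) of the counting logic tjn182 describes: constructed file-server audit events, a heuristic that drops the delete half of a delete-plus-create move, and a per-user sliding-window threshold. The log layout, field names and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
# Constructed sample audit events, "timestamp user action path" (an assumed layout, not any
# product's real log format). bob moves one file, which the server log records as
# DELETE + CREATE; mallory deletes six files in under a minute.
SAMPLE_LOG = r"""
2024-03-01T09:00:00 bob DELETE \\fs01\share\old\plan.docx
2024-03-01T09:00:01 bob CREATE \\fs01\share\new\plan.docx
2024-03-01T09:10:00 mallory DELETE \\fs01\share\q1\a.xlsx
2024-03-01T09:10:05 mallory DELETE \\fs01\share\q1\b.xlsx
2024-03-01T09:10:09 mallory DELETE \\fs01\share\q1\c.xlsx
2024-03-01T09:10:14 mallory DELETE \\fs01\share\q1\d.xlsx
2024-03-01T09:10:20 mallory DELETE \\fs01\share\q1\e.xlsx
2024-03-01T09:10:40 mallory DELETE \\fs01\share\q1\f.xlsx
"""

def parse_events(text):
    """Return (time, user, action, file name) tuples in time order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, PureWindowsPath(path).name))
    return sorted(events)

def real_deletes(events, move_grace=timedelta(seconds=5)):
    """Heuristic: a DELETE followed within move_grace by the same user CREATEing a
    file of the same name is treated as a move, not a deletion."""
    kept = []
    for i, (ts, user, action, name) in enumerate(events):
        if action != "DELETE":
            continue
        moved = any(u == user and a == "CREATE" and n == name and t - ts <= move_grace
                    for t, u, a, n in events[i + 1:])
        if not moved:
            kept.append((ts, user, name))
    return kept

def mass_delete_alerts(deletes, threshold=5, window=timedelta(minutes=5)):
    """Per-user sliding window; one alert per user, keyed to the time it fired."""
    recent, alerts = defaultdict(deque), {}
    for ts, user, _name in deletes:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ts
    return alerts

if __name__ == "__main__":
    for user, when in mass_delete_alerts(real_deletes(parse_events(SAMPLE_LOG))).items():
        print(f"ALERT: mass deletion by {user}, threshold reached at {when}")
```

Tune threshold and window per share; a deduplication pass like the one here is what keeps a bulk folder move from paging the on-call.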
Consistent-Jump-762@reddit
Bullwall
wristyquill@reddit
There are solutions out there like "Symantec Data Loss Prevention" where you can set up rules to monitor activities such as copying, deleting, and emailing sensitive data. This does require an agent on the machine, port mirroring on your network equipment, and at least one server. Maybe any of those DLP solutions might fit. Good luck!
prodsec@reddit
You need to back files up.
Honky_Town@reddit
Technical users data is to be deleted!
Work related data is never to be stored on Desktop, Downloads or Documents.
Take a step back or two, take a deep breath and think it through without haste. Go for a better system to store company data and you can restore all with a few clicks and not worry about local data or data privacy.
Noodlefruzen@reddit
Check out Microsoft’s Adaptive Protection (if you haven’t already).
WestToEast_85@reddit
Sounds like you’re trying to apply a technical solution to a non technical problem.
ff00ff00ff00@reddit
Detecting and preventing file deletion and modification is not a non-technical problem, even if there are non-technical roots.
It's cute you think HR can solve an issue like this.
WestToEast_85@reddit
Workplace culture being so shit that multiple disgruntled employees have done the ol’ last-minute-fuck-you absolutely is a non-technical problem.
ff00ff00ff00@reddit
You're mixing things up again. Disgruntled employees acting out and detecting and preventing mass deletion are different things.
You understand an attacker could cause mass deletion, right? :)
WestToEast_85@reddit
Yeah, I think we might be talking past each other a bit. You’re right I guess, these are separate but related problems.
I still think that if the impetus for this is because of staff behaviour, you have another non-technical problem that urgently needs attention. I’ve worked in too many toxic workplaces to think otherwise.
jango_22@reddit
Mass file deletion on a file server is an important thing to protect against but on a users PC…? just make sure important data isn’t solely stored on individuals computers and protect your file server.
WestToEast_85@reddit
Oh for sure, make sure it gets stored somewhere that is captured by backup, but if disgruntled users are pulling the ol’ last minute delete this often, there’s a workplace culture problem that is well beyond the scope of IT.
jango_22@reddit
True lol but the same solution to protect against the last minute delete will normally protect against ransomware encryption. Things like Brikstor is what my org uses.
WestToEast_85@reddit
My current employer pushes everything to OneDrive and keeps extensive tape backups going back literal decades for any of the on-prem file servers.
Such is life in a corporate law firm I guess.
Darkk_Knight@reddit
We use OneDrive at work with long retention policies on everything. Even if a user deletes the files and empties the recycle bin it will keep them in a special folder that the admins can get to. If the files really need to be deleted from the tenant, only admins can do it.
Plus we use Absolute CompuTrace to remote lock the PCs just before they are termed.
FlatusGiganticus@reddit
Sounds like the correct solution is to fix your backup strategy.
breizhsoldier@reddit
Or a better termination process, as if, the moment they are told, revoke all creds and force restart if not in office, if in office grab the mofo's computer lol...
GHouserVO@reddit
This is the answer.
The immediate failure appears to be in the termination/exfiltration process.
Yes, you can easily monitor and send alerts for all the stuff that you’re asking for, but by that point they’ve already done something with the data. You don’t want it to get to that point.
Combine it with a better backup/restoration policy and you’re pretty much covered.
fresh-dork@reddit
or, you term the credentials and then tell them
FlatusGiganticus@reddit
This is our process. I get a call as they are going into the term meeting. In just a couple of minutes their badge is disabled. All logged in sessions are forced closed. Credential cache is wiped and machine(s) rebooted. If it's a personal phone, the business side of the phone is wiped, else it is wiped and locked pending return. It's mostly automated nowadays.
devino21@reddit
Racktop
EyeLikeTwoEatCookies@reddit
Netskope has this capability.
rheureddit@reddit
We run OneDrive backups to Commvault daily and keep a 6 month data archive.
Ballaholic09@reddit
I genuinely read this post as nefarious.. I think OP is the disgruntled employee asking if he can get away with deleting company data…
BadSausageFactory@reddit
If you have backups, shadow copy on local, and litigation hold on email there's not much they can do
wow_thatshard@reddit
I don't know what an alert is going to do? By the time you get to the threshold for your alert, you're gonna have to do a restore anyway.
d3u510vu17@reddit
I always wondered.
PC gets decommissioned after employee leaves. Some intern's job is to wipe/reset PCs. The intern first copies browser data and other interesting files. Makes some profit selling login credentials.
I'd wipe my work PC too.
Rahne64@reddit
If you host your file shares on NetApp systems, they have autonomous ransomware detection that would flag such activity and at a minimum trigger immediate snapshots. It's also possible to configure automated blocking of the users and/or client machine triggering the detection.
GronTron@reddit
Varonis can alert on mass create/modify/delete events.
Numerous_Customer_65@reddit
Second that as well
DespacitoAU@reddit
I demo'd ADAudit Plus a while back that allows for auditing of on-prem file shares that would allow for something like this. From memory you could also push it to user endpoints but I think it gets pretty expensive once you do
Shoonee@reddit
Sounds like a job for SIEM. Put all the log sources to that, and let it detect if there is a mass deletion
mrlinkwii@reddit
I think the better strategy would be where files are saved on the work drive (where they have 0 deletion powers) and any laptops / interfaces are just dummy terminals
midwest_pyroman@reddit
This is why there is a backup system. Also, no matter the reason, if on good terms or bad, when HR calls security to disable the badge \ keys they also call IT to disable the account and force token resets (aka 365).
bit0n@reddit
I would not look to monitor the device for this as the user could just boot MBAM and wipe the disk or encrypt the disk to destroy the data. Even if you stop them booting off a USB a screwdriver solves that roadblock. Stopping them saving anything locally is the solution.
T0a3t@reddit
Netwrix or Varonis will flag this for you if you want it to.
UCFknight2016@reddit
Varonis goes crazy when I delete stuff at my job. Security pings me all the time when I do those operations.
jc31107@reddit
If you sync to onedrive you can get this alert, same for mass download if you’re worried about people walking with data
lechango@reddit
I'd think most EDRs would have something for this you could configure, maybe whatever you use does.
flatvaaskaas@reddit
MCAS can do that. As well as SOC/SIEM monitoring. Even the Compliance or Security Center from Microsoft has detections and alert rules for them
freakdageek@reddit
Sounds like a fun place to work.