How to detect files copied with DataSecurity Plus

One of the greatest threats to any organization is data leak perpetrated by trusted employees and partners. To combat the ever-increasing insider threat, you need to monitor all file activities, especially file copy actions. With DataSecurity Plus, you can now audit, monitor, and alert on all file copy events.

Steps to audit and report on file copy-and-paste events:

1. Download and install DataSecurity Plus.
2. Open the DataSecurity Plus console.
3. Navigate to the Endpoints tab. Go to Configuration > Sources > Devices.
4. In the Configured Workstation(s) page, select Add Workstation(s) in the top-right corner.

5. Select your domain.
6. Select the + symbol next to the Select Workstation(s) text box, and add the workstations that you want to audit and secure.
7. Choose File Copy Auditing.
8. Select Install Agent and Finish.

9. Navigate to Reports. Under Source Based Reports, choose File Copied Report. 
10. Select the desired time range over which file copy events are to be monitored using the Period drop-down.
11. The report displays all files copied during local or remote access.

Steps to selectively monitor when sensitive or large files are copied:

1. In the DataSecurity Plus console, navigate to the Endpoints tab.
2. Go to Configuration > Settings > Audit Configuration.
3. Choose Clipboard from the available audit profiles.
4. Select Edit for the File Copy Auditing audit profile.

5. The audit profile is predefined with an appropriate name, source, and description.
6. Navigate to the Criteria section and add these filters under the Include tab:
   • Actions: Files copied and files pasted.
   • Users: All
   • File classification*: Restricted
   Note: Use other criteria such as File Type, File Size, File Name, and more to selectively monitor critical data being copied.
7. Use the Exclude option to exempt trusted users, groups, or nonessential files from the file copied report.
8. Click Save.

Steps to generate instant alerts when sensitive files are copied in bulk:

1. In the DataSecurity Plus console, navigate to the Endpoints tab.
2. Go to Configuration > Settings > Alert Configuration.
3. Choose Clipboard from the available Alert Profiles.
4. Select the Edit option for the Sensitive Files Copy Monitoring alert profile.

5. The alert profile is predefined with an appropriate  Name, Source, Description, and Severity.
6. Navigate to the criteria section and add these filters under the Include tab:
   • Actions: Files copied and files pasted.
   • Users: All
   • File classification*: Restricted
   Note: Use other criteria such as File Type, File Size, File Name, and more to selectively monitor critical data being copied.
7. Use the Exclude' option to exempt trusted users, groups, or nonessential files from the file copied report.

8. Under the Threshold tab: 
   • Check Enable.
   • Specify the desired threshold value (e.g., configuring "100 events in 1 minute by any source" will raise an alert when 100 or more files are copied/pasted in under a minute.)
Note: The threshold limit can be customized to your organization's needs.

9. Under the Response tab: 
   • Select Email, and check Enable email notification.
   • Specify one or more email addresses you would like to send alerts to.
   • Set email Priority to High.
   • Add in an appropriate Subject and Message for your email.
10. Click Save.

You have now successfully configured DataSecurity Plus to audit, alert, and respond to sensitive files being copied.
*File classification: Files need to be classified manually based on their sensitivity as Public, Internal, Sensitive, or Restricted.