Re: [Fed-Talk] Don't get Snowden-ed
- Subject: Re: [Fed-Talk] Don't get Snowden-ed
- From: Todd Heberlein <email@hidden>
- Date: Thu, 11 Jul 2013 13:33:01 -0700
> Regarding the Snowden issue, that is the exact problem I've been working on for years
By the way, if you look at the data FAAS collects, it includes both syslog and BSM data. I specifically included the syslog data to address Snowden-type exfiltration.
When a user inserts a thumb drive into the Mac, the make, model, and unique identifier of that thumb drive is recorded in the syslog data.
Likewise, there is a corresponding mount() audit record in the BSM audit data identifying the directory path for that thumb drive.
You can then combine these two data points with file read and write BSM records to:
(A) Determine exactly when a thumb drive is inserted into a Mac, including its make, model, and ID
(B) Determine all files read from or written to that thumb drive, via what programs, etc.
I haven't automated that analysis yet, but I did the experiments several months ago. I encourage people to collect both data streams.
Todd
PS. If you haven't seen it, here is a 4 minute FAAS introduction video
FAAS Intro
http://www.netsq.com/Podcasts/Data/2013/FAASIntro/
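One way to automate the correlation described in the post above, as an added example that is not FAAS code and not part of the original message: it pairs a USB-insert syslog line with the first mount(2) audit record that follows it, then attributes every successful open() under that mount path to the drive. The syslog line and the flattened BSM records are constructed stand-ins (the real praudit token layout is not reproduced), and the 60-second insert-to-mount window is an assumption.

```python
# Correlate a thumb-drive insertion (syslog) with BSM mount(2) and file-I/O records.
# Record formats are constructed, simplified stand-ins for macOS syslog and praudit output.
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed syslog line: the kernel logs the USB mass-storage serial, vendor and product IDs.
SYSLOG_LINES = [
    "2013-07-11 10:02:15 mac kernel[0]: USBMSC Identifier (non-unique): SN0123ABCD 0x781 0x5567 0x100",
]
# Constructed, flattened BSM-style records: time|event|pid|program|path|outcome
BSM_LINES = [
    "2013-07-11 10:02:16|mount(2)|312|diskarbitrationd|/Volumes/KINGSTON|success",
    "2013-07-11 10:05:40|open(2) - read|4021|Finder|/Users/alice/Documents/plan.pdf|success",
    "2013-07-11 10:05:41|open(2) - write,creat|4021|Finder|/Volumes/KINGSTON/plan.pdf|success",
    "2013-07-11 10:06:02|open(2) - read|4088|cp|/Volumes/KINGSTON/readme.txt|success",
    "2013-07-11 10:07:00|open(2) - write|4090|TextEdit|/Users/alice/notes.txt|success",
]
USB_RE = re.compile(r"^(\S+ \S+) .*USBMSC Identifier \(non-unique\): (\S+) (0x[0-9a-f]+) (0x[0-9a-f]+)")
MOUNT_WINDOW = timedelta(seconds=60)  # assumption: the mount follows insertion within a minute

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

@dataclass
class DriveSession:
    inserted_at: str
    serial: str
    vendor_id: str
    product_id: str
    mount_path: str = ""
    file_ops: list = field(default_factory=list)  # (time, read|write, program, pid, path)

def correlate(syslog_lines, bsm_lines):
    """(A) find each insertion; (B) attach its mount path and every file op under that path."""
    sessions = [DriveSession(*m.groups()) for m in map(USB_RE.match, syslog_lines) if m]
    records = [line.split("|") for line in bsm_lines]
    for s in sessions:
        # The first successful mount(2) shortly after insertion names the drive's directory.
        for t, ev, _pid, _prog, path, res in records:
            if ev == "mount(2)" and res == "success" and timedelta(0) <= ts(t) - ts(s.inserted_at) <= MOUNT_WINDOW:
                s.mount_path = path
                break
        if not s.mount_path:
            continue  # inserted but never mounted: no file could have been read or written
        for t, ev, pid, prog, path, res in records:
            if ev.startswith("open(2)") and res == "success" and path.startswith(s.mount_path + "/"):
                s.file_ops.append((t, "write" if "write" in ev else "read", prog, int(pid), path))
    return sessions
```

Reads and writes outside the mount path (the Documents read, the TextEdit write) are left unattributed, so the output is only what touched the drive, by which program and pid.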