Every single access is logged on such systems, regardless of what kind of file hosting you use.
An employee suddenly accessing tons of files, potentially in indexing order (meaning they’re either clicking through every link, every folder, every file, or are using an automated tool that does exactly the same), now that’s suspicious.
Combine that with logs from their terminal, which would usually contain things like downloads, file operations, as well as external storage connection/disconnection events, and you can basically get a near perfect map of what they stole and how.
They knew what they stored it on, so presumably they did it on a company computer, and that computer had logging software that the company got access to (whether it automatically sends it to them or just stores it locally until needed).
Yeah I guess that’s the only sane way to do it. A tiny bit crazy the whole system exists, an automatic verification lights up, but only after the dude left.
Why did he have access to all that for starters, why weren’t the alarms ringing when he did it etc. seems like security at Intel is kind of wonky. 🤷🏻♀️
It might just come down to they never experienced the exact type of espionage so didn’t have strong guardrails to prevent this. Hopefully some security engineers learned a lesson from this and will change their processes.
SIEMs and such systems are designed for that. Could be part of SOC or CSIRT. Generally all large companies have that. It’s also getting more accessible to smaller structures in the form of « as a service ».
A data leak is a data leak whatever the vector so shit needs to be detected & acted upon.
It’s all fun & fair games when about Intel secrets it seems but what when a dickhead steals medical data or other perso stuff ?
How do you detect someone stole files nowadays? Did they have them printed out on a bookshelf?
Logs
Who logs who reads files? And even if, who checks those logs? Gotta be a wild system.
Lots of companies maintain access logs. Anything with high security you want to be able to audit who accessed what and when.
But who pays someone to check them?
Normally you just have the systems admin or an automated system look into it. It depends on your security setup.
I check those logs, not for Intel though.
The systems that support this range from simple to unnecessarily complex.
Are you paid to check file access logs?
Yes that’s a small part of my job.
I set up monitoring systems, ingest logs and create rules to detect unusual or malicious behaviour.
Then I perform investigations which sometimes turn into forensic investigations, which sometimes results in legal action.
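Added example (not code from anyone in this thread): a small Python detection rule of the kind described earlier in the thread (a user reading an unusual number of files in indexing order, correlated with external-storage events from the endpoint). The log format, user names, paths and thresholds are all constructed for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from any real system). Format: "time user action object".
BASE = datetime(2024, 3, 1, 9, 0, 0)
ACCESS_LOG = [f"{(BASE + timedelta(seconds=20 * i)).isoformat()} alice read /eng/chip/doc_{i:03d}.pdf"
              for i in range(25)]                    # 25 files in 8 minutes, in index order
ACCESS_LOG += ["2024-03-01T09:05:00 bob read /hr/handbook.pdf",
               "2024-03-01T09:30:00 bob read /eng/chip/doc_004.pdf"]   # normal-looking use
ENDPOINT_LOG = ["2024-03-01T08:50:00 alice usb_connect sdb1",
                "2024-03-01T10:10:00 alice usb_disconnect sdb1"]

def parse(lines):
    """Split one log line into (timestamp, user, action, object)."""
    rows = []
    for line in lines:
        ts, user, action, obj = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, obj))
    return rows

def bulk_access_alerts(lines, window=timedelta(minutes=10), min_files=20, order_ratio=0.9):
    """Flag a user who reads >= min_files distinct files inside one window; note whether
    the reads were in sorted (indexing) order, which suggests click-through or a crawler."""
    by_user = {}
    for ts, user, action, path in parse(lines):
        if action == "read":
            by_user.setdefault(user, []).append((ts, path))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            chunk = [p for t, p in events[i:] if t - start <= window]
            if len(set(chunk)) < min_files:
                continue
            ordered = sum(a <= b for a, b in zip(chunk, chunk[1:])) / max(len(chunk) - 1, 1)
            alerts.append({"user": user, "start": start, "files": len(set(chunk)),
                           "sequential": ordered >= order_ratio})
            break  # one alert per user is enough for triage
    return alerts

def correlate_removable_media(alerts, endpoint_lines, lookback=timedelta(hours=1)):
    """Raise severity when the same user attached external storage shortly before the burst."""
    usb = [(ts, u) for ts, u, action, _ in parse(endpoint_lines) if action == "usb_connect"]
    for a in alerts:
        a["usb_attached"] = any(u == a["user"] and timedelta(0) <= a["start"] - ts <= lookback
                                for ts, u in usb)
        a["severity"] = "high" if a["usb_attached"] else "medium"
    return alerts

if __name__ == "__main__":
    for alert in correlate_removable_media(bulk_access_alerts(ACCESS_LOG), ENDPOINT_LOG):
        print(alert)
```

In a real SIEM the same logic is a scheduled query over the file-server audit log joined to endpoint device events; the thresholds would be tuned per team against a baseline of normal access volume.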
It would be stupid not to do so. Bigger question is, why could he download the files and leave campus?
Someone downloading full datasets that would rarely happen in the regular course of work (unless there was a special project or some sort).