KB Article | Forcepoint Support

Problem Description

Forcepoint NGFW Security Management Center provides powerful visibility into Shadow IT and its context within your organization with the capability to detect over 7,000 applications and track usage patterns down to the individual level with the User Dashboard and User Behavior Events.

Resolution

Managing Shadow IT within your organization is a mounting challenge. New cloud-based productivity applications appear regularly, and usage patterns change constantly as users discover and share them with their co-workers and friends.

Even though Shadow IT poses a serious security risk to your organization, it is often used without malicious intent. Indeed, users of Shadow IT often justify its use as a productivity and collaboration booster that provides value to the organization.

Shadow IT is not a "good vs. bad" binary problem that is easy to classify and prevent with static policies. Additional context is key to understanding what risks Shadow IT poses to your organization, which policies best manage those risks, and which security actions to take.

Visibility and context

Successful management of Shadow IT requires two capabilities: visibility into its use with the ability to detect an ever-growing number of applications, and the context in which it is used to better inform your security policies and enforcement.

Forcepoint NGFW Security Management Center (SMC) provides powerful visibility into Shadow IT with the capability to detect over 7,000 cloud and network applications, with new ones added regularly through dynamic updates.

Plus, with the User Dashboard and User Behavior Events, you can monitor Shadow IT applications and usage patterns down to the level of the user, providing vital context for Shadow IT usage as it inevitably evolves and changes within your organization.


Example Shadow IT User Dashboard view

About this guide

This guide presents an example of how you can use SMC to monitor for Shadow IT applications usage and detect interaction patterns at the user or IP-address level. The example configuration filters firewall log entries based on application usage and creates User Behavior Events when Shadow IT applications are detected.

Monitoring can also be configured to display IP addresses instead of user names. This is a useful option in regions where privacy laws dictate that users must not be easily identified or if there are no user names stored in log data.

Step 1: (Optional) Enable a user authentication method

If you want to identify Shadow IT use by individual user instead of IP address, your firewall must enforce a user authentication method. Authentication methods include client certificate, LDAP authentication, NPS, pre-shared key, or user password.

See your Forcepoint NGFW Product Guide for more detailed instructions on how to configure user authentication.

Step 2: Enforce network application and optional user information logging

Logging rule options enforcing network application and user information logging

  1. Open your firewall policy for editing.
  2. In the IPv4 Access or IPv6 Access tab, add or edit a rule that applies to the traffic you want to monitor for Shadow IT usage. Include the following Logging options:
    1. Set Log Network Applications to Enforced
      Note: When network application logging is enforced, your firewall may check connections against its inspection policy to identify an application even if deep inspection is not enabled. TLS connections may be decrypted if this is necessary to identify the application, so review this setting against the same privacy requirements that govern whether you display user names (Step 3).
    2. (Optional) Set Log User Information to Enforced if you want to identify Shadow IT use by user name and have enabled a user authentication method (Step 1).

See your Forcepoint NGFW Product Guide for more detailed instructions on logging network applications and user information.

Step 3: Enable the User Dashboard

  1. Select Menu > System Tools > Global System Properties.
  2. On the Global Options tab, select Show Users in the Home View.
  3. (Optional) Choose to display users as User Names instead of IP addresses.
    Note: To be able to monitor users by name, you must enable the logging of user information in the Firewall IPv4 and IPv6 Access rules.

Step 4: Create a User Alert and Shadow IT network applications filter

Example Shadow IT User Alert Check

  1. Click on Configure User Alerts and add a new User Alert Check:
    1. Select Web Content Check as its Type.
    2. Click Add > New > Filter: Network Application and add your filter criteria to match the Shadow IT-related network applications you want to monitor. You can choose specific applications or use Tags to group many applications together by Usage.
    3. Add a second Network Application filter that contains your IT-sanctioned applications and mark the Negate Row checkbox. This excludes sanctioned applications that would otherwise match the first filter (for example, because they share a Usage tag with the Shadow IT applications).
    4. Choose a Threshold and Severity.
    5. Select which User Alert will be generated when the threshold is exceeded or add a new one.
      Tip: Click Save to save your Shadow IT Network Applications filter. The filter can be used for additional Shadow IT monitoring tasks such as creating statistics reports.
  2. Add the new User Alert Check to your User Alerts.
  3. User Alerts will now be generated whenever Shadow IT application usage exceeds the threshold you chose. These alerts appear in your User Dashboard under the User Behavior Events section.
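The following is an added example, not Forcepoint code, that reproduces the logic of Steps 2 to 4 outside SMC so you can see what the User Alert Check evaluates: log entries carry the network application and (optionally) the user name, a Tag-based filter selects Shadow IT applications, a negated allow list removes IT-sanctioned ones, hits are counted per user (or per source IP when user names must not be shown), and an alert fires once the threshold is exceeded. The log line format, field names and tag table are assumptions for the example; SMC's actual log schema and Tags differ.

```python
"""Added example (not Forcepoint's code): a minimal Shadow IT detector that
mirrors the SMC User Alert Check described above.  Log format, field names
and the application tag table are assumptions, not SMC's real schema."""
from collections import Counter

# Constructed sample firewall log entries (key=value pairs, one connection per
# line).  The last three lines carry no user name, as happens when Log User
# Information is not enforced or no authentication method is in use.
SAMPLE_LOG = """\
ts=2024-01-10T09:00:01Z src=10.1.1.5 user=alice app=Dropbox action=Allow
ts=2024-01-10T09:00:04Z src=10.1.1.5 user=alice app=Microsoft-OneDrive action=Allow
ts=2024-01-10T09:01:10Z src=10.1.1.5 user=alice app=WeTransfer action=Allow
ts=2024-01-10T09:02:30Z src=10.1.1.5 user=alice app=Dropbox action=Allow
ts=2024-01-10T09:03:00Z src=10.1.1.9 user=bob app=Slack action=Allow
ts=2024-01-10T09:03:20Z src=10.1.1.9 user=bob app=Microsoft-Teams action=Allow
ts=2024-01-10T09:04:00Z src=10.1.1.12 app=Dropbox action=Allow
ts=2024-01-10T09:05:00Z src=10.1.1.12 app=Dropbox action=Allow
ts=2024-01-10T09:06:00Z src=10.1.1.12 app=Dropbox action=Allow
"""

# Assumed tag table standing in for SMC application Tags grouped by Usage.
APP_TAGS = {
    "Dropbox": {"Usage: File Sharing", "Usage: Cloud Storage"},
    "WeTransfer": {"Usage: File Sharing"},
    "Microsoft-OneDrive": {"Usage: Cloud Storage"},
    "Slack": {"Usage: Collaboration"},
    "Microsoft-Teams": {"Usage: Collaboration"},
}

# First filter: Usage tags that identify Shadow IT-relevant applications.
SHADOW_IT_TAGS = {"Usage: File Sharing", "Usage: Cloud Storage", "Usage: Collaboration"}
# Second, negated filter: the IT-sanctioned applications (the "whitelist").
SANCTIONED_APPS = {"Microsoft-OneDrive", "Microsoft-Teams"}


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict (assumed log format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def is_shadow_it(app):
    """Filter row 1 AND NOT filter row 2: tagged usage minus sanctioned apps."""
    tagged = bool(APP_TAGS.get(app, set()) & SHADOW_IT_TAGS)
    return tagged and app not in SANCTIONED_APPS


def subject(entry, by_user):
    """Identify the actor by user name when logged and permitted; otherwise
    fall back to the source IP (the privacy-preserving option in Step 3)."""
    if by_user and entry.get("user"):
        return entry["user"]
    return entry["src"]


def detect(log_text, threshold, by_user=True):
    """Return {subject: hit_count} for subjects whose Shadow IT hits exceed
    the threshold; each returned entry corresponds to one User Alert."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_shadow_it(entry["app"]):
            counts[subject(entry, by_user)] += 1
    return {s: n for s, n in counts.items() if n > threshold}


if __name__ == "__main__":
    print("by user:", detect(SAMPLE_LOG, threshold=2))
    print("by IP:  ", detect(SAMPLE_LOG, threshold=2, by_user=False))
```

Note that Microsoft-OneDrive matches the Cloud Storage tag yet never counts, because the negated allow list removes it; that is exactly what the Negate Row filter in Step 4 achieves, and why the allow list is needed when you select applications by Tag rather than one by one. With a threshold of 2, alice and the unauthenticated host 10.1.1.12 trigger alerts while bob (one Slack connection) does not.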
