How to monitor Shadow IT using network application detection and user behavior events
- Article Number: 000015536
- Products: NGFW Security Management Center
- Version: 6.4
- Last Published Date: March 05, 2018
Forcepoint NGFW Security Management Center provides powerful visibility into Shadow IT and its context within your organization with the capability to detect over 7,000 applications and track usage patterns down to the individual level with the User Dashboard and User Behavior Events.
Managing Shadow IT within your organization is a mounting challenge. New cloud-based productivity applications appear regularly, and usage patterns change constantly as users discover and share them with their co-workers and friends.
Even though Shadow IT poses a serious security risk to your organization, it is often used without malicious intent. Indeed, users of Shadow IT often justify its use as a productivity and collaboration booster that provides value to the organization.
Shadow IT is not a "good vs. bad" binary problem that can be classified and prevented with static policies. Additional context is key to understanding what risks Shadow IT poses to your organization, which policies best manage those risks, and which security actions to take.
Visibility and context
Successful management of Shadow IT requires two capabilities: visibility into its use with the ability to detect an ever-growing number of applications, and the context in which it is used to better inform your security policies and enforcement.
Forcepoint NGFW Security Management Center (SMC) provides powerful visibility into Shadow IT with the capability to detect over 7,000 cloud and network applications, with new ones added regularly through dynamic updates.
Plus, with the User Dashboard and User Behavior Events, you can monitor Shadow IT applications and usage patterns down to the level of the user, providing vital context for Shadow IT usage as it inevitably evolves and changes within your organization.
About this guide
This guide presents an example of how you can use SMC to monitor for Shadow IT applications usage and detect interaction patterns at the user or IP-address level. The example configuration filters firewall log entries based on application usage and creates User Behavior Events when Shadow IT applications are detected.
Monitoring can also be configured to display IP addresses instead of user names. This is a useful option in regions where privacy laws dictate that users must not be easily identifiable, or when the log data contains no user names.
Step 1: (Optional) Enable a user authentication method
If you want to identify Shadow IT use by individual user instead of IP address, your firewall must enforce a user authentication method. Authentication methods include client certificate, LDAP authentication, NPS, pre-shared key, or user password.
See your Forcepoint NGFW Product Guide for more detailed instructions on how to configure user authentication.
Step 2: Enforce network application and optional user information logging
(Figure: Logging rule options enforcing network application and user information logging)
See your Forcepoint NGFW Product Guide for more detailed instructions on logging network applications and user information.
Step 3: Enable the User Dashboard
Step 4: Create a User Alert and Shadow IT network applications filter
(Figure: Example Shadow IT User Alert Check)
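The logic behind steps 2 to 4 (filter firewall log entries by detected application, then raise a per-user or per-IP event when a Shadow IT application is seen) can be illustrated outside the SMC user interface. The following Python script is an added example and is not Forcepoint's code: the log record layout, the application names in the watch list and the event fields are all constructed for illustration and do not represent SMC's log export format, its application database or its User Behavior Event schema. The `identify_by_ip` switch mirrors the option described above of reporting IP addresses instead of user names, and it also applies automatically to entries that carry no user name.

```python
"""Added example: correlate firewall log entries with a Shadow IT watch list
and emit one behavior event per (actor, application) pair.

All record layouts, names and values below are constructed for illustration;
they are not Forcepoint SMC formats or APIs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed watch list of application names treated as Shadow IT.
SHADOW_IT_APPS = {"FileShareCloud", "ChatAnywhere", "PasteBox"}

# Constructed log lines: timestamp, then key=value fields. The third line has
# no user name, as happens when no authentication method is enforced.
SAMPLE_LOG = """\
2018-03-01T08:01:12Z src=10.1.2.10 user=alice app=CorpMail action=allow
2018-03-01T08:03:45Z src=10.1.2.10 user=alice app=FileShareCloud action=allow
2018-03-01T08:05:01Z src=10.1.2.11 user= app=ChatAnywhere action=allow
2018-03-01T08:07:30Z src=10.1.2.10 user=alice app=FileShareCloud action=allow
2018-03-01T09:15:00Z src=10.1.2.12 user=bob app=PasteBox action=discard
"""

_KV = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class LogEntry:
    ts: str
    src: str
    user: str
    app: str
    action: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one constructed log line; return None for malformed input."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    ts, rest = parts
    kv = dict(_KV.findall(rest))
    try:
        return LogEntry(ts, kv["src"], kv.get("user", ""), kv["app"], kv["action"])
    except KeyError:
        return None


def actor_id(entry: LogEntry, identify_by_ip: bool = False) -> str:
    """Choose the identity an event is attributed to.

    Privacy mode, or a log entry without a user name, falls back to the
    source IP address so that the event is still raised.
    """
    if identify_by_ip or not entry.user:
        return f"ip:{entry.src}"
    return f"user:{entry.user}"


def build_events(log_text: str, identify_by_ip: bool = False) -> list:
    """Filter entries whose application is on the watch list and aggregate
    them into one event per (actor, application) with count and time span."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry.app not in SHADOW_IT_APPS:
            continue
        buckets[(actor_id(entry, identify_by_ip), entry.app)].append(entry)

    events = []
    for (actor, app), hits in sorted(buckets.items()):
        events.append({
            "actor": actor,
            "app": app,
            "count": len(hits),
            # ISO-8601 UTC timestamps sort correctly as strings.
            "first_seen": min(e.ts for e in hits),
            "last_seen": max(e.ts for e in hits),
            "actions": sorted({e.action for e in hits}),
        })
    return events


if __name__ == "__main__":
    for mode in (False, True):
        print("identify_by_ip =", mode)
        for ev in build_events(SAMPLE_LOG, identify_by_ip=mode):
            print(f"  {ev['actor']:<16} {ev['app']:<15} x{ev['count']} "
                  f"{ev['first_seen']} .. {ev['last_seen']} {ev['actions']}")
```

Running the script with the constructed input yields three events in each mode; the corporate mail application is ignored, alice's two hits on the file-sharing application collapse into a single event with a count of two, and the unauthenticated session is attributed to its source IP even in user mode. In a real deployment the aggregation window and the watch list would be maintained in the SMC filter and User Alert configured in step 4 rather than in a script.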