Posture management policies in Nightfall allow you to monitor sharing settings changes that alter the security posture of your SaaS environment. The trigger of a Posture violation event consists of two parts: scope and action. Scope refers to the location where the event occurred. Action refers to the suspicious event which could be a posture alteration attempt.
When a policy detects such a possible posture change attempt, you can configure appropriate steps to remediate the user action. Nightfall provides multiple automated remediation measures and notification channels when a policy detects a posture alteration attempt. The remediation actions help you revert the posture change attempt. The notification channels can be used to notify appropriate stakeholders about the posture change attempt detected by Nightfall.
The detailed steps to configure the Google Drive Posture management policy is explained in the following documents.
In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Posture.
Select the Google Drive integration.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
Once you zero down the policy Scope to the required devices and originating domains, you must now define the trigger actions that can be termed as Posture change events. When these trigger actions are performed on the scoped entities, Nightfall considers it as a violation and a Posture Management Event is created.
Nightfall provides you two types of trigger actions that you can set as Posture change events.
Changes Share Settings: Attempt to modify Link sharing settings (ex. from restricted to public) of a single or multiple Google Drive asset.
Gives Access: Attempt to provide access to a single or multiple Google Drive assets.
If an user changes the Sharing Settings of one or multiple assets, within a stipulated amount of time, it is considered to be a violation and a posture change event is created.
To use this Trigger action, you must select the Changes share settings option.
Once you select the Changes share settings option, you must select the Google share setting that must be used as a Trigger.
You must then select the number of assets and the timeline within which if the trigger action is implemented, Posture event must be raised.
For instance, in the following image if the Sharing setting of five Google Drive assets is modified to Public, within 1 hour, a Posture Event is created.
In this Trigger action, if an employee grants permissions to one or multiple assets within a short span of time, it is considered as a Violation by Nightfall and a Posture Management Event is created.
You must define the number of assets and the timeline. In the following image, if access is given to 5 or more assets within 1 hour, Nightfall considers it to be a Violation and triggers a Posture Event.
You can add filters to the #gives-access trigger action to trigger the action only when access is granted to users from a specific domain or exclude users belonging to a specific domain. The Filters section has two options.
Only Include: You can use this option to only monitor if users belonging to specific domains are given access. To add a domain, type the domain name (example abcd.com) and hit the enter key. This option also allows you to include personal email domains by clicking the Add free personal email domains check box.
Exclude: You can use this option to exclude monitoring of certain users who belong to a specific domain. To exclude a domain, type the domain name (example abcd.com) and hit the enter key. This reduces unwanted noise from sanctioned external collaboration. Note that you can also exclude monitoring of sharing with personal email accounts. This latter option is recommended if you already have an existing policy monitoring personal email (also recommended). This will ensure that your monitoring policies are mutually exclusive.
When there is a high volume of posture modifications in your organization, the scoping capability enables you to reduce the noise from low risk events so that you can zero in on genuine posture change events and resolve them.
Posture Changes can be scoped to:
Location: All or a specific set of drives
This allows you create flexible policies to monitor all or specific high-risk locations. This is a required scope for all policies.
User or User Group (Actor): Any or a specific set of users or user groups
This allows you to create custom policies for specific high-risk individuals or user groups. As such, you can create policies to monitor posture change activity by a disgruntled employee or departing employees. This can be set in combination to other scoping capabilities.
Permissions: Public, Organization or Restricted
This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination to other scoping capabilities.
Detection rules: Any or a specific set of sensitive data protection detection rules
You can reuse any of detection rules you've already created or create new ones. This helps focus your detection on files which have associated sensitive data violations identified by your sensitive data scanning product. This can be set in combination to other scoping capabilities.
The Scope stage consists of two main sections.
Drive Selection: This section allows you to include various files and drives for monitoring. In this section, you can select the different types of drives to be monitored.
Add Filters: This section allows you to scrutinize your policy scope at more granular levels. While the Drive selection section allows you to select the whole drive to be monitored, this section provides you more granular level filters. You can select specific files within the selected drives for monitoring.
The Drive Selection section allows you to select various drives for monitoring. You can select either User Drives or Shared Drives to be monitored by Nightfall for posture changes.
This section allows you to select various drives in your Google Drive to be monitored. There are two options in this section. You can either choose to scan the User drives, Shared drives, or both.
User Drives: The User Drives is the personal drive of the user. The files in this drive are visible only to the owner of the file and other users to whom the owner has granted access. User Drive is commonly known as My Drive in Google Drive. To monitor a User Drive, you must select the User drives check box as shown in the following image.
IMPORTANT
If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.
Shared Drives: Shared drives are common storage locations accessed by all the users in your Workspace. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to monitor the Shared Drives, you can select whether to monitor all the Shared drives or only specific shared drives. Nightfall provides the following options.
If you select the All Drives option, all the Shared drives in your Google Workspace are selected for monitoring.
If you select the All Drives, except for option, you can exclude some shared drives from being monitored.
If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.
The following image displays the scenarios when you select the Shared Drives check box.
If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.
Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.
The filters section provides you the flexibility to include and exclude users at a granular level.
For instance, in the previous section, irrespective of whether you selected Shared Drive, User Drive, or specific User Drives, you ended up selecting one or a set of Drives for monitoring.
Once you select the Drives to monitor, in this section, you can overlay additional filters to further scope your monitoring. Nightfall provides the following additional filters:
Monitor specific: Choose this option to monitor one or a specific set of internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Monitor all, except: Choose this option to exclude specific individuals from your monitoring policy. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Note
If you have not configured the Directory Sync feature, the users list is populated from the Google Drive integration setup. As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.
Important
For exclusions, Nightfall only checks the file ownership. For inclusions, Nightfall checks both file ownership and shared access. This rule is applicable to all the filters.
Monitor Specific: Choose this option to monitor one or a specific set of external users. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor all, except: Choose this option to exclude specific external users, from being monitored. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor specific: Choose this option to monitor one specific or a set of internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select at least one group.
Monitor all, except: Choose this option to exclude one specific, or a set of, internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required users.
Monitor specific: Choose this option if you have external user groups defined in your IdP and would like to monitor one specific or a set of external groups. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Monitor all, except: Choose this option if you have external user groups defined in your IdP and would like to exclude one or more external groups from being monitored. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Before understanding the Permission filters, we must understand Google's General Access feature.
The general access feature in Google Workspace consists of three types of access, which are as follows.
Restricted: Files with this permission can only be accessed by users who have been granted access.
Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this Google document to learn more about the target audiences.
Anyone with the Link: Files with this permission can be accessed by any user who has the file link.
Nightfall also provides inclusion and exclusion of files in policy scope that resembles the General Access sharing principle in Google Workspace. The Nightfall General Access permission options are as follows.
Restricted: Choose this option to scope monitoring to files with restricted access.
Shared with target audiences: Choose this option to scope monitoring to files shared with target audiences within your Google Workspace environment.
Anyone with the link: Choose this option to scope monitoring to files shared with anyone with a link.
The Nightfall Detection Rules consist of a single or multiple detectors. You can use this filter to either include all the detection rules or include only specific detection rules.
All: If you select this option, all the detection rules are included.
Monitor Specific: If you select this option, you must also select the required detection rules. Nightfall scans your files only for the selected detection rules.
This stage allows you to select notification channels if a policy violation occurs. The notification alerts are sent at two levels.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Google Drive Posture policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Google Drive integration, read this document.
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to this document for steps.
Automated actions allow you to configure automated remediation actions when a posture alteration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Google Drive. You can choose to implement the automated action immediately after detecting a download attempt or after some time.
This action suspends the user's account who tried to download files and triggered the posture alteration event.
To enable the automated action, you must turn on the respective toggle switch.
You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This action revokes the access to the asset which caused the policy violation. You can select if the access must be revoked for external users and groups, internal users and groups, or both.
Additionally, you can also configure the timing as to when this automation action must be implemented, after detecting the violation. The configurations are similar to the #suspend-account action.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink www.nightfall.ai with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>
.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows
Email: This option sends an Email to the user who attempted the download.
Slack: This option sends a Slack message to the user who attempted the download.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is triggered as a result of their actions. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.