When there is a high volume of exfiltration (basically download) in your organization, the scoping capability enables you to reduce the noise from low risk events so that you can zero in on genuine exfiltration events and resolve them.
Exfiltration (Download monitoring) can be scoped to:
Location: All or a specific set of drives
This allows you create flexible policies to monitor all or specific high-risk locations. This is a required scope for all policies.
User or User Group (Actor): Any or a specific set of users or user groups
This allows you to create custom policies for specific high-risk individuals or user groups. As such, you can create policies to monitor download activity by a disgruntled employee or departing employees. This can be set in combination to other scoping capabilities.
Permissions: Public, Organization or Restricted
This allows you to tailor your policies to drives or files with specific access restrictions. This can be set in combination to other scoping capabilities.
Detection rules: Any or a specific set of sensitive data protection detection rules
You can reuse any of detection rules you've already created or create new ones. This helps focus your detection on files which have associated sensitive data violations identified by your sensitive data scanning product. This can be set in combination to other scoping capabilities.
The Scope stage consists of two main sections.
Drive Selection: This section allows you to include various files and drives for monitoring. In this section, you can select the different types of drives to be monitored.
Add Filters: This section allows you to scrutinize your policy scope at more granular levels. While the Drive selection section allows you to select the whole drive to be monitored, this section provides you more granular level filters. You can select specific files within the selected drives for monitoring.
The Drive Selection section allows you to select various drives for monitoring. You can select either User Drives or Shared Drives to be monitored by Nightfall for exfiltration.
This section allows you to select various drives in your Google Drive to be monitored. There are two options in this section. You can either choose to scan the User drives, Shared drives, or both.
User Drives: The User Drives is the personal drive of the user. The files in this drive are visible only to the owner of the file and other users to whom the owner has granted access. User Drive is commonly known as My Drive in Google Drive. To monitor a User Drive, you must select the User drives check box as shown in the following image.
IMPORTANT
If you choose to monitor the User drives, all the User drives in your Google domain are selected for monitoring. You do not have the option to choose specific User drives for monitoring.
Shared Drives: Shared drives are common storage locations accessed by all the users in your Workspace. To select this option, you must select the Shared drives check box.
IMPORTANT
If you choose to monitor the Shared Drives, you can select whether to monitor all the Shared drives or only specific shared drives. Nightfall provides the following options.
If you select the All Drives option, all the Shared drives in your Google Workspace are selected for monitoring.
If you select the All Drives, except for option, you can exclude some shared drives from being monitored.
If you select the Specific Shared Drives option, you get the option to choose specific Shared drives for monitoring.
The following image displays the scenarios when you select the Shared Drives check box.
If you select the All Drives, except for option, you must also select the shared drives which must be excluded from monitoring.
Similarly, if you select the Specific Drive(s) option, you must also select the specific shared drives which must be monitored.
The filters section provides you the flexibility to include and exclude users at a granular level.
For instance, in the previous section, irrespective of whether you selected Shared Drive, User Drive, or specific User Drives, you ended up selecting one or a set of Drives for monitoring.
Once you select the Drives to monitor, in this section, you can overlay additional filters to further scope your monitoring. Nightfall provides the following additional filters:
Monitor specific: Choose this option to monitor one or a specific set of internal users. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
Monitor all, except: Choose this option to exclude specific individuals from your monitoring policy. Once you choose this option, Nightfall populates the list of users from the synced IdPs in Directory Sync. You must select the required users.
If you have not configured the Directory Sync feature, the users list is populated from the Google Drive integration setup. As a result, you can see the Google Drive icon before the user name. However, if you have set up Directory sync, the users list is fetched from the IdP used for the configuration. In the above image, the users list is populated from the Microsoft Azure IdP and hence you can see the Azure icon before the users’ names.
Important
For exclusions, Nightfall only checks the file ownership. For inclusions, Nightfall checks both file ownership and shared access. This rule is applicable to all the filters.
Monitor Specific: Choose this option to monitor one or a specific set of external users. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor all, except: Choose this option to exclude specific external users, from being monitored. Once you choose this option, you must manually enter the email ID(s) of the external users and hit the enter key.
Monitor specific: Choose this option to monitor one specific or a set of internal groups. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select at least one group.
Monitor all, except: Choose this option to exclude one specific, or a set of, internal groups from being monitored. Once you choose this option, Nightfall populates the list of internal groups from the synced IdPs in Directory Sync. You must select the required users.
Monitor specific: Choose this option if you have external user groups defined in your IdP and would like to monitor one specific or a set of external groups. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Monitor all, except: Choose this option if you have external user groups defined in your IdP and would like to exclude one or more external groups from being monitored. Once you choose this option, you must select at least one external user group to monitor then hit the enter key.
Before understanding the Permission filters, we must understand Google's General Access feature.
The general access feature in Google Workspace consists of three types of access, which are as follows.
Restricted: Files with this permission can only be accessed by users who have been granted access.
Target Audience: Files with this permission can be accessed by the users of the selected target audience group. There is a default target audience that gets created when the Google workspace is provisioned. This target audience has the same name as provisioned in the Google Workspace and includes all members of the organization. You can refer to this Google document to learn more about the target audiences.
Anyone with the Link: Files with this permission can be accessed by any user who has the file link.
Nightfall also provides inclusion and exclusion of files in policy scope that resembles the General Access sharing principle in Google Workspace. The Nightfall General Access permission options are as follows.
Restricted: Choose this option to scope monitoring to files with restricted access.
Shared with target audiences: Choose this option to scope monitoring to files shared with target audiences within your Google Workspace environment.
Anyone with the link: Choose this option to scope monitoring to files shared with anyone with a link.
The Nightfall Detection Rules consist of a single or multiple detectors. You can use this filter to either include all the detection rules or include only specific detection rules. Note that upon a download event, Nightfall will check if the downloaded file has been previously scanned, and results matched at least one of the selected detection rules (i.e. The file is not rescanned upon download).
All: If you select this option, all the detection rules are included.
Monitor Specific: If you select this option, you must also select the required detection rules. Nightfall scans your files only for the selected detection rules.
The trigger section further enhances the unwanted noise reduction capabilities. With the trigger section, you can
Set what download behavior can be termed as an exfiltration event.
Exclude downloads by trusted apps from being termed as exfiltration events.
In the trigger section, you can set the download behavior, the download frequency to be precise, must be termed as an exfiltration event.
To configure the Trigger section:
Set the minimum number of downloads threshold that must be considered as an exfiltration event.
Set the required time period (frequency). If the minimum download threshold (set in the previous step) is reached or exceeded, within the set time period, an exfiltration event is generated.
In the following image, the configurations are set such that if an asset is downloaded 2 or more times within 10 minutes, an exfiltration event is triggered.
You must set the action frequency carefully. For example, consider that you set the download condition as 5 or more files, within 1 hour. In this case, if a user downloads four assets, every 1 hour, the policy does not trigger a violation, since the condition is not met.
Depending on your environment, a significant number of downloads may be attributed to applications (i.e. backup apps). You may choose to ignore such download events to reduce the noise and focus your monitoring on unexpected application and user download events.
The Exclude apps section allows you to exclude specific applications from being monitored by your policy.
To configure the Exclude apps section, select the applications to exclude from the drop-down menu. Once saved, Nightfall will not alert on download events attributed to the excluded applications.
Exfiltration policies allow you to monitor download events across your Google Drive environment. Through real-time download monitoring, you can identify insider risk and anomalous behaviour before it escalates to large scale security incidents. You can monitor download activity for specific users or user groups, specific drives containing valuable sensitive assets, or downloads of any files containing sensitive data types as discovered and classified by Nightfall's ML/AI based detectors.
You can set up your policies to monitor only, to educate users in real-time about your download and data governance policies, or to automatically suspend user access to the Google Workspace to enforce zero tolerance policies.
The detailed steps to configure the Google Drive Exfiltration policy is explained in the following documents.
In this stage, you select the Integration for which the policy is created. In this case, Google Drive integration must be selected.
Click Policies from the left menu.
Click + New Policy.
Select Exfiltration.
Select the Google Drive integration.
In this final stage, you assign a name to the policy, verify your configurations, and create the policy.
Enter a name for the policy.
(Optional) Enter a description for the policy.
Click Next.
Verify if all the policy configurations are set up as per your requirements.
(Optional) Click back or click on any specific stage to modify any of the policy configurations.
Click Submit.
This stage allows you to select automated notification channels or actions if a policy violation occurs.
This section allows you to send notifications to Nightfall users. The various alert methods are as follows. You must first turn on the toggle switch to use an alert method.
The alert configurations configured in this section describe the process of creating alerts at the policy level. Policy-level alerts apply only to the policy on which they are configured. To configure an alert on all the Google Drive Exfiltration policies, you must configure alerts at the integration level. To learn more about how to configure integration-level policies for the Google Drive integration, read .
The steps to configure alert channels for policy-level integration are the same as in the case of integration-level alerts. You can refer to for steps.
Automated actions allow you to configure automated remediation actions when an exfiltration attempt is detected by Nightfall policy. Nightfall supports the following automated actions for Google Drive. You can choose to implement the automated action immediately after detecting a download attempt or after some time.
Suspend Account: This action suspends the user's account who tried to download files and triggered the exfiltration event.
To enable the automated action, you must turn on the respective toggle switch.
You must now select when exactly after detecting the event, the action must be triggered. if you select the Immediately option, the automated action is triggered immediately after the download attempt is made.
If you select the After option, you must select the time gap after which the automated action must be implemented.
This section allows you to configure notifications to be sent to the end user whose actions triggered the violation.
The automation settings allow you to send notifications to end users. You can select one or both the notification methods. You must first turn on the toggle switch to use the automation option. The automation notification channels are as follows
Email: This option sends an Email to the user who attempted the download.
Slack: This option sends a Slack message to the user who attempted the download.
End-user remediation (also known as Human Firewall) allows you to configure remediation measures that end users can take, when a violation is detected on by their download attempt. You must turn on the toggle switch to use this option. End-users receive the remediation actions in an Email as an action item. The various available remediation actions for end-users are as follows.
Report as False Positive with Business Justification: This option allows end users to report false positive alerts and provide a business justification as to why the alert is considered to be false positive.
When end-users report alerts as false positive, you can choose the resolution method to be either Automatic or manual.
If end-users do not take any remediation action, you can set the frequency at which they must receive the notifications to take action.
Enter a custom message to be sent to the end user. This message is sent in an Email. You can modify the default message provided by Nightfall and draft your message. The total character length allowed is 1000 characters. You can also add hyperlinks in the custom message. The syntax is <link | text >. For example, to hyperlink with the text Nightfall website, you must write <www.nightfall.ai|Nightfall website>.
