A real business need for network traffic analysis: File activity monitoring
For many people, network traffic analysis is seen as a troubleshooting tool, something for the packet experts who spend their time in Wireshark. However, network packets are also an excellent source of user and application metadata.
Metadata can be defined as the human-readable portions of the network packets: filenames, web domains, SQL queries, usernames and IP addresses are examples. While you can extract this metadata with tools like Wireshark, doing so packet by packet across a busy network is a struggle; what you want is a tool that turns the packet stream into a compact record of who accessed what, when.
SMB and NFS
Server Message Block (SMB) and Network File System (NFS) are the two most popular protocols for accessing files and folders on network shares. SMB is typically used on networks with Windows clients, and NFS is typically used by non-Windows operating systems such as Linux. While SMB can support encryption (SMB 3.0 and later can encrypt per share or server-wide), most deployments are not configured to use it, so filenames and share paths are visible on the wire. The same applies to NFS unless Kerberos privacy (krb5p) is in use. If you do turn encryption on, be aware that you lose this visibility and will need to rely on host-side logging instead.
Are log files enough?
It is possible to enable file activity auditing on a Windows file server. However, you must specify which folders to monitor, and it generates thousands of events for even modest activity, so it does not scale well. The data from these logs can be fed into a SIEM, but SIEMs have their own limitations, starting with the fact that they are only as good as the log events fed into them. If the log records are incomplete, or someone disables logging, you lose your audit trail.
A common issue I come across is that systems such as NAS appliances have no native file-access logging at all. They are designed to serve up large quantities of files and folders securely, and auditing and logging slow them down, which is why most ship without auditing capabilities.
Log files will also miss security-relevant information such as clients still negotiating SMBv1, and they are poorly suited to raising an alert when a client suddenly starts renaming large numbers of files, which can be a sign of ransomware activity. Both of these are straightforward to spot from network metadata, because the negotiated dialect and every rename request are visible in the SMB traffic itself.
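The two checks described above, run over a set of SMB metadata records, as an added example (this is illustration code, not a tool or script from the original post). The event records are constructed to resemble what a network metadata tool might extract from SMB traffic (timestamp, client IP, negotiated dialect, operation, path); the field layout, the "old -> new" rename path format, the 60-second window and the threshold of 20 renames are all assumptions chosen for the example.

```python
"""Detection logic over SMB file-activity metadata extracted from network traffic.

Added example, not code from the original post. Event fields, rename path
format and thresholds are assumptions for illustration.
"""
import os
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, client, negotiated dialect, operation, path).
# One client doing normal work, one legacy client on SMBv1, and one client
# renaming many files to a new extension within a few seconds.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "10.0.0.5", "SMB 3.1.1", "READ", "\\\\fs01\\finance\\q1.xlsx"),
    ("2024-05-01T09:00:02", "10.0.0.5", "SMB 3.1.1", "WRITE", "\\\\fs01\\finance\\q1.xlsx"),
    ("2024-05-01T09:00:03", "10.0.0.5", "SMB 3.1.1", "RENAME", "\\\\fs01\\finance\\q1.xlsx -> q1-final.xlsx"),
    ("2024-05-01T09:00:05", "10.0.0.9", "SMB 1.0", "READ", "\\\\fs01\\legacy\\print.cfg"),
]
for i in range(25):
    SAMPLE_EVENTS.append(
        (f"2024-05-01T09:01:{i:02d}", "10.0.0.22", "SMB 3.0.2", "RENAME",
         f"\\\\fs01\\shared\\doc{i}.docx -> doc{i}.docx.locked")
    )

RENAME_THRESHOLD = 20            # renames by one client within WINDOW (assumed value)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed value)


def parse_event(ev):
    """Turn a raw tuple into a dict with a real datetime for easy comparison."""
    ts, client, dialect, op, path = ev
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "dialect": dialect, "op": op, "path": path}


def detect_smbv1(events):
    """Clients whose negotiated dialect is SMB 1.x, which should not be on a modern network."""
    return sorted({e["client"] for e in events if e["dialect"].startswith("SMB 1")})


def _new_extension(path):
    """Extension of the rename target; the 'old -> new' layout is an assumption."""
    target = path.split(" -> ")[-1]
    return os.path.splitext(target)[1].lower()


def detect_rename_bursts(events, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Per-client sliding-window count of RENAME operations.

    Returns {client: {"renames": n, "top_new_extension": ext}} for every client
    that reached `threshold` renames inside `window`. The most common new
    extension is reported because ransomware typically appends a single marker
    extension to everything it touches.
    """
    alerts = {}
    recent = defaultdict(deque)  # client -> deque of (ts, new_extension) inside the window
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"] != "RENAME":
            continue
        q = recent[e["client"]]
        q.append((e["ts"], _new_extension(e["path"])))
        while q and e["ts"] - q[0][0] > window:   # drop renames older than the window
            q.popleft()
        if len(q) >= threshold:
            ext, _ = Counter(x for _, x in q).most_common(1)[0]
            if len(q) > alerts.get(e["client"], {"renames": 0})["renames"]:
                alerts[e["client"]] = {"renames": len(q), "top_new_extension": ext}
    return alerts


def analyse(raw_events):
    """Run both checks and return their findings together."""
    events = [parse_event(ev) for ev in raw_events]
    return {"smbv1_clients": detect_smbv1(events),
            "rename_bursts": detect_rename_bursts(events)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The single rename from 10.0.0.5 never reaches the threshold, so only the burst from 10.0.0.22 is reported, along with the .locked extension it is stamping onto files. In practice you would feed the same logic with metadata streamed from a capture tool rather than a hard-coded list, and tune the threshold against a baseline of normal rename activity on the share.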
Capturing SMB or NFS metadata from network traffic