Perception Update - Network Drive Activity Cache

A new mechanism has been developed on Perception sensors to allow file sharing activity between client machines and windows network drives to be stored.

Enhanced visibility of network drive access provides the Perception classifiers with a huge amount of insight into a client machine’s behaviour.  This in turn allows classifiers to detect potential threat behaviours such as accessing and downloading large parts of a network share or repeated download/upload activities that can often be indicative of malicious behaviour.
This feature also facilitates the inclusion of additional associated meta-data in the events generated by the system such as the names and locations of the files accessed which can be vital in cases where data exfiltration has taken place.

The Network Drive Activity Cache gives Perception an extra level of information on top of all of the existing meta-data it has.  When files are transferred from or to Windows-based machines on a network, information about that transfer moves across the network.  Perception now includes this information in any behaviours that identify file movement across a network.  As a result, any behaviours that saw data movement can now also tell which files were accessed, and whether they were read or written.

Our analysts are already seeing great benefit from this feature, as it immediately identifies which files have been accessed in data movement events, so investigating suspicious events is far faster.  Rather than having to trawl through capture files looking for which data has been accessed, the file information is right there, front and centre.

This information provided by this feature enables a number of additional capabilities, the first set of which we’ll tell you about next week.  The system can also now build intelligence around who accesses which files, when, and how unusual this is for that person.  How we utilise the Network Drive Activity Cache will become more and more complex and beneficial as the system continues to improve, but it’s already showing great results.

This update is CCS and sensor based, and will be pushed to all managed customers at the pre-agreed upgrade time.  Self-monitored customers can update their own sensors and CCSs using the software upgrade process.  Please be aware, this feature may change the performance requirement of the sensor, and can therefore be turned on or off as required.  If you have any further questions about this upgrade please contact us at