Lineage

Data Lineage in Forcepoint provides a comprehensive view of a file's lifecycle, tracking its origin, movement, transformation, and usage. This enhances security, compliance, and forensic investigations by offering end-to-end visibility into data activities.

Traditional data monitoring provides static snapshots, which quickly become outdated, especially for large datasets. Real-time lineage addresses this by:
  • Reducing Dependency on Rescans: Once streaming is enabled, changes are captured instantly.
  • Improving Visibility: Organizations can see data movements in near real-time.
  • Enabling Faster Incident Response: Security teams can quickly assess and respond to threats.

Use Cases

Data Lineage was developed to enable forensic investigations, ensuring organizations can:
  • Investigate Incidents: Identify the root cause of security incidents, such as data breaches or unauthorized sharing.
  • Enhance Compliance: Maintain audit trails for regulatory requirements.
  • Support Risk Mitigation: Quickly respond to suspicious activities and apply appropriate remediation actions.

Prerequisites to See Lineage

  • Connection to Each Data Source: Ensure that each Data Source to be monitored has been configured in Forcepoint DSPM.
  • Enabling Streaming: Activate real-time event streaming for each connector.

Navigation to Lineage

  1. From Enterprise Search: Select a file and click on Lineage in the drop-down.

  2. From Open Risks: Identify a flagged file and expand the side menu.

Lineage UI Explanation

Filters
  • Event Type (Create, Modify, Delete, Share, Move, etc.)
  • Data Source
  • User Activity
Export
  • Export lineage details to CSV for auditing and reporting.
Color Scheme
  • Green: Normal activity
  • Yellow: Medium-risk events (e.g., permission changes)
  • Red: High-risk events (e.g., external sharing)

Description of the Lineage Screen

  • Lifecycle: Displays the complete lifecycle of a file from creation to current state.
  • Event Timeline: Chronological list of all file-related actions.
  • User & Device: Shows which users and devices interacted with the file.
  • File Path: Original and current locations of the file.

List of Events Supported by Each Data Source

Common Events
  • Create
  • Modify
  • Delete
Extended Events (via Audit Logs)
  • Change Permissions
  • Share
  • Move
  • Copy
  • Rename
  • Upload
  • Download
Data Source Specifics
  • Google Drive: Audit log events available.
  • Azure (SharePoint Online, OneDrive, Blob, Files): Audit log events supported.
  • Box & Confluence: Extended events available in regular logs.
  • AWS S3, SMB, Dropbox: Limited to Create, Modify, and Delete.

Use Case for Lineage

Lineage supports forensic investigations, such as:
  • External Sharing Investigation: When a file is shared externally, security analysts can trace its history to determine if the action was intentional or accidental.
  • Suspicious Activity Investigation: If a user accesses and downloads sensitive information after a password reset, lineage provides detailed insights.
  • Incident Response: Analysts can determine what actions to take, such as revoking access, quarantining files, or addressing user behavior.

How to Access Lineage

  • Enterprise Search: Select the file, click the drop-down, and choose Lineage.
  • File View: Expand the file details and navigate to the Lineage tab.

Hover and Export Options

  • Event Description: Hovering over event icons shows a brief description.
  • Export: Export the entire lineage history, including metadata, to CSV for audit trails and reporting.
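
An exported lineage CSV can be triaged offline against the event coverage listed above. The following is an added example, not Forcepoint code: the column names and the sample rows are assumptions constructed for illustration, since the export schema is not documented on this page.

```python
import csv
import io

# Event coverage as listed on this page.
BASIC = {"Create", "Modify", "Delete"}
BASIC_ONLY_SOURCES = {"AWS S3", "SMB", "Dropbox"}
# Review priority modelled on the page's color examples (assumption: any
# Share is reviewed as high, since the export may not mark external shares).
PRIORITY = {"Share": "high", "Change Permissions": "medium"}

# Constructed sample export; the column names are assumptions, not the
# product's documented CSV schema.
SAMPLE = """timestamp,event_type,data_source,user,file_path
2024-05-02T09:14:00Z,Create,SharePoint Online,alice,/finance/q1.xlsx
2024-05-02T11:40:00Z,Change Permissions,SharePoint Online,bob,/finance/q1.xlsx
2024-05-02T11:42:00Z,Share,SharePoint Online,bob,/finance/q1.xlsx
2024-05-03T08:05:00Z,Create,AWS S3,svc-backup,/exports/q1.xlsx
2024-05-01T16:30:00Z,Modify,SMB,alice,/drafts/q1.xlsx
"""

def triage(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    # ISO 8601 UTC timestamps of equal width sort correctly as strings.
    rows.sort(key=lambda r: r["timestamp"])
    flagged = [(r["timestamp"], r["user"], r["event_type"], PRIORITY[r["event_type"]])
               for r in rows if r["event_type"] in PRIORITY]
    # Sources that report only Create/Modify/Delete: no Share or Download
    # rows from them does not mean no sharing or download took place.
    blind_spots = sorted({r["data_source"] for r in rows
                          if r["data_source"] in BASIC_ONLY_SOURCES})
    # Rows whose event type the page says the source cannot emit point to a
    # mislabelled source or a bad export and should be checked by hand.
    unexpected = [r for r in rows if r["data_source"] in BASIC_ONLY_SOURCES
                  and r["event_type"] not in BASIC]
    return {"timeline": rows, "flagged": flagged,
            "blind_spots": blind_spots, "unexpected": unexpected}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ts, user, event, level in result["flagged"]:
        print(f"{level:6} {ts} {user} {event}")
    print("limited event coverage:", ", ".join(result["blind_spots"]))
```

The `blind_spots` list is the part to carry into an incident report: for those sources the timeline can show that a copy of the file existed, but not who shared or downloaded it.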

Data Lineage empowers organizations with real-time visibility, advanced threat detection, and comprehensive forensic capabilities, ensuring sensitive data remains secure and traceable.