
CCSA R80 Exam - Question 126


Your boss wants you to closely monitor an employee suspected of transferring company secrets to the competition. The IT department discovered the suspect installed a WinSCP client in order to use encrypted communication. Which of the following methods is BEST to accomplish this task?

Correct Answer: C

To monitor an employee suspected of transferring company secrets using WinSCP, setting an alert action to any packet that matches your Rule Base and the suspect's IP address for both inbound and outbound traffic is the best approach. This allows real-time monitoring of the specific employee's actions without generating unrelated traffic logs. It provides a more focused and efficient method to track potentially suspicious activities directly related to the suspect's IP address.

Discussion

kambata
Nov 17, 2022

A, sounds logical.

ShabVj
Sep 7, 2023

Why not C? If we specify only Port 22 as a filter, the report will give us all WinSCP traffic of the network (unrelated traffic); if we want to monitor the user specifically, I would go with option C.

CCSAChallenger
Nov 24, 2024

Makes no sense to make exports, which are an action in time, which means you need to make multiple exports, when your objective is monitoring. I would do B in a real situation...