There is increasing pressure on organizations to strengthen their information security, increase monitoring capabilities and prove to stakeholders, auditors and regulators that they really know what’s going on in their IT Infrastructures. Yet, the reality is that many are still taking a fire-fighting approach to these challenges.
A bit like tax inspectors, auditors are not the most welcome of visitors for overstretched IT departments. When you’re trying to keep the business running smoothly and securely to avoid featuring in the next data loss headline, it’s the last thing you need.
Asking an IT or security manager to tell you who made what changes and when in their IT infrastructures will often involve a time-consuming, manual process. Trawling through disparate arrays of native audit logs from servers and network equipment is not very scientific. Yet, surprisingly, this approach is still common-place, even in the largest of organizations, despite being reactive, slow and insecure.
Many audits are carried out either before an investigation or after an event, such as a data loss or server failure. Very few IT teams really know what is happening in their infrastructures at any given time. And with increasingly complex IT infrastructures, there is a lot to keep track of.
Take, for example, Active Directory. It is at the core of 98% of all modern networks, yet the majority of organizations don’t understand there is a problem with it until it’s too late. The same is true for group IT policies, where auditing things such as password policies and procedures underpins security.
With our reliance on email, it is also important to continuously monitor whether erroneous or malicious changes are being made to Microsoft Exchange. In addition, it is essential to know who’s accessing whose mailbox, when and what for. The mitigation of data leakage and security depends on this information.
When it to comes to mission-critical servers, the ‘need to know’ seems obvious, yet very few organizations have a meaningful strategy for auditing basic file access to answer questions such as: Who accessed a file? When was it accessed? And whether the access attempt succeeded or failed? Data servers that hold personal and commercially sensitive information pose a particular security threat and demand greater insight into what changes are being made – and who is making them. Changes to a firewall or a network switch can also have major security implications and need to be taken seriously.
Going virtual poses its own challenges. With today’s virtual environments, it’s easier than ever to create new virtual servers. But managing them can be very complex, and understanding what’s happening is as important – if not more important – than monitoring your physical infrastructure.
Finally, understanding who is logging on to your network, where they are, what they are doing and for how long should be security practice 101. If organizations rely on native tools to do this, however, they won’t get the required detail in a readable, logically sensible format.
Change auditing can sound complex and not very exciting, but it’s not rocket science. Understanding the common approaches will enable you to determine the one that best suits your organization. There is not a one-size-fits-all solution, and the answer depends on what your drivers are and how much time and money you are prepared to invest.
It is possible to meet compliance using native audit logs and manual processes without further investment in technology. But in its raw form, this approach creates excessive ‘log noise’ and seemingly random streams of technical data that are meaningless without filtering or translation. Native audit logs are also inherently insecure because they can be edited, deleted and amended without trace; so you can never be 100% sure of their accuracy. They also lack any workable storage or archival capabilities for compliance purposes.
A second approach to auditing change is the much heralded SIEM – security information and event management. The cost of investment and support needed for SIEM can be justified if you want to integrate functions such as automatic remediation and intrusion prevention; but it is an expensive option if your focus is audit reliability and consistency. SIEM also fundamentally still relies largely on native audit logs and requires a high level of commitment to planning, deployment and management.
Another option is to write your own custom-built change auditing system. Although it may be useful to create a very specific solution to meet your needs, it takes a lot of time, technical resources and often requires the use of unauthorized APIs to collect audit data, which carries inherent risks.
An alternative approach is to use specialist change auditing software. While capabilities vary from vendor to vendor, these solutions can generally deliver a detailed, reliable and consistent picture of audit changes at around a third of the cost of SIEM. Most importantly, change auditing software utilizes multiple streams of data from multiple sources and then filters, translates, sorts and compresses the results for easy access, storage and archiving. Otherwise, you’re no better off than you are using native auditing.
To get an accurate picture of what is going on in your network, you should be able to capture a ‘snapshot’ before and after a change is made. This more focused approach to change auditing can also provide real-time alerting and automated reports to improve monitoring, detection and response capabilities.
There is no panacea to knowing what’s going on in your IT infrastructure. But if you can’t respond to some simple questions from the audit team without spending hours looking for the answers, then it’s time to look seriously at IT audit options.
Aidan Simister has been in the IT industry for over 15 years, working for major security and compliance vendors, distributors and resellers, including Access Information Security, Wick Hill and Sophos. He is currently the UK and Ireland country manager for IT change audit specialist NetWrix.