
Peter Smith Netwrix: The challenges of IT auditing

May 2015 by Peter Smith from Netwrix

Peter Smith from Netwrix, the change and configuration auditing software provider, explores why so many organisations still struggle to know what is going on in their networks.


For most information security departments, auditing is not top of their list of priorities when they are trying to protect their networks against increasing threats. It is more likely to be done once a year or only when something has gone wrong. But now they are under increasing pressure to prove to regulators, compliance officers and the Board that they really know what is going on in their IT infrastructures.

IT auditing is all about knowing what was changed, who changed it, when and where. This information is vital and should be an integral and ongoing part of any security strategy. Yet, a recent Netwrix survey of some 600 IT professionals revealed that 57% of respondents have made undocumented changes to their IT systems that no one else knows about. Other figures show that 65% have made changes that caused services to stop, while a shocking 39% have made a change that was the root cause of a security breach. The survey also found that as many as 40% of organisations have no formal IT change management controls in place.

So what’s going wrong? One problem is that many IT managers still rely on a time-consuming manual process that involves trawling through pages and pages of native audit logs from servers and other pieces of network equipment. In their raw form, these native logs produce an excessive amount of unreadable and unnecessary technical data that is meaningless without filtering or translation. Surprisingly, this reactive, slow and insecure approach is still commonplace, even in large organisations.

Too little, too late

With many audits only being carried out annually or after an event has happened, such as a data loss or server failure, very few IT teams really know what is happening in their IT infrastructures at any given time. And with increasingly complex physical and virtual IT environments, there is a lot to keep track of.

For example, Active Directory is at the core of 98% of all modern networks, yet the majority of organisations don’t realise there is a problem with their AD until it’s too late. The same is true for Group Policies, where auditing things such as changes to password policies underpins security. And with increasing reliance on email, it is vital to continuously monitor erroneous or malicious changes being made to Microsoft Exchange, along with who is accessing whose mailbox, when and what for. Mitigating data leakage and maintaining security depend on this information.

The need to know

When it comes to mission-critical servers, the need to know seems obvious, yet very few organisations have a meaningful strategy for auditing basic file access to answer questions such as: who accessed a file, when was it accessed, and did the access attempt succeed or fail? Data servers that hold personal and commercially sensitive information pose a particular security risk and demand a much greater awareness of what changes are being made and who is making them.

The trend towards virtualisation opens up a new set of challenges. While it’s easier than ever to create new virtual servers and run new applications, managing them can be very complex, and understanding what’s happening is as important, if not more important, than monitoring your physical infrastructure.

Finally, understanding who is logging on to your network, where they are, what they are doing and for how long should be basic security practice. But if organisations rely on native tools to do this, they won’t have rapid access to this information in any form that makes sense.

Approaches to auditing

While change auditing sounds complex, it is not rocket science. Understanding the common approaches will help you to determine what best suits your organisation. There is no one-size-fits-all solution, and the answer will depend on what your requirements are and how much time and money you are prepared to invest.

It is possible to meet compliance requirements using native audit logs and manual processes, but sorting the relevant data from the excessive ‘log noise’ is time consuming and inherently insecure, because native logs can be edited, deleted and amended without trace. They also lack any workable storage or archival capabilities for compliance purposes.

A second approach to change auditing is SIEM – Security Information and Event Management. But the cost of investment and support needed for SIEM can only be justified if you want to integrate functions such as automatic remediation and intrusion prevention. It is an expensive option if your focus is to audit reliability and consistency. And even if SIEM is implemented, it still doesn’t fully provide actionable change auditing, because it relies mostly on the data in native logs. A case of “garbage in, garbage out”.

A third option is to write your own custom-built change auditing system. While it may be useful to create a very specific solution to meet your needs, it takes a lot of time, technical resources and often requires the use of unauthorised APIs (Application Programming Interfaces) to collect audit data, which carries inherent risks.

The fourth way

An alternative approach is to use specialised change auditing software. These solutions can generally deliver a detailed, reliable and consistent picture of what is happening across the entire IT infrastructure at around a third of the cost of SIEM. Most importantly, change auditing software uses multiple streams of data from multiple sources and then filters, translates, sorts and compresses the results for easy access, understanding, storage and archiving.

To get an accurate picture of what is going on in your network, you also need to be able to capture a ‘snapshot’ from before and after a change is made. This more focused approach to auditing changes can also provide real-time alerts and automated reports to improve monitoring and detection and to simplify root-cause analysis.
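As an added illustration of the before/after snapshot idea (example code, not Netwrix's product or the author's), the script below diffs two constructed snapshots of a Group Policy password policy into who/what/when records and flags any change that weakens the policy. The snapshot values, the actor name and the "weakening" rules are assumptions for the example.

```python
"""Before/after snapshot diff for change auditing (added example, not Netwrix code)."""
from datetime import datetime, timezone

# Constructed sample snapshots of a domain password policy, taken before and
# after an administrator edits the Group Policy object.
BEFORE = {"MinimumPasswordLength": 12, "PasswordHistorySize": 24,
          "LockoutThreshold": 5, "PasswordComplexity": True}
AFTER = {"MinimumPasswordLength": 8, "PasswordHistorySize": 24,
         "LockoutThreshold": 0, "PasswordComplexity": True,
         "MaximumPasswordAge": 90}

# Settings where a lower value is weaker (assumed rule set, not exhaustive).
WEAKER_IF_LOWER = {"MinimumPasswordLength", "PasswordHistorySize"}


def diff_snapshots(before, after):
    """Return one record per setting that differs: what changed, old and new value."""
    records = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            records.append({"what": key, "old": old, "new": new})
    return records


def is_weakening(record):
    """Decide whether a single change record lowers the security of the policy."""
    key, old, new = record["what"], record["old"], record["new"]
    if old is None or new is None:
        return False  # setting added or removed: reported, but nothing to compare
    if key == "PasswordComplexity":
        return bool(old) and not new
    if key == "LockoutThreshold":
        # 0 means "never lock out"; otherwise allowing more attempts is weaker
        return new == 0 or (old != 0 and new > old)
    if key in WEAKER_IF_LOWER:
        return new < old
    return False


def audit_change(before, after, who, when):
    """Build audit entries answering who/what/when, with an alert flag per entry."""
    return [{"who": who, "when": when.isoformat(), **rec, "alert": is_weakening(rec)}
            for rec in diff_snapshots(before, after)]


if __name__ == "__main__":
    # Hypothetical actor and timestamp taken from the change event, not from the snapshot.
    for entry in audit_change(BEFORE, AFTER, "CORP\\jdoe",
                              datetime(2015, 5, 1, 9, 30, tzinfo=timezone.utc)):
        print(entry)
```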

There is no single solution to knowing what’s going on in your IT infrastructure. But if you can’t respond to the who, what, where, when questions from the audit team without spending hours looking for the answers, it’s time to look seriously at IT audit options.

