IT auditing is all about knowing what was changed in your IT infrastructure, who changed it, when and where. This information is vital and should be an integral and ongoing part of any security strategy. Yet, a Netwrix survey of some 600 IT professionals revealed that 57% of respondents have made undocumented changes to their IT systems that no one else knows about.
With many audits only being carried out annually or after an event has happened, such as a data loss or server failure, very few IT teams really know what is happening in their IT infrastructures at any given time. And with increasingly complex physical and virtual IT environments, there is a lot to keep track of. Surprisingly, this reactive, slow and insecure approach is still commonplace, even in large organisations. If not managed properly, IT auditing challenges can thwart the security and compliance efforts of even the most ambitious organisations.
Too little, too late
For example, Active Directory is at the core of 98% of all modern networks, yet the majority of organisations don’t realise there is a problem with their AD until it’s too late. The same is true for Group Policies, where auditing changes to settings such as password policies underpins security. And with increasing reliance on email, it is vital to continuously monitor erroneous or malicious changes being made to Microsoft Exchange, along with who is accessing whose mailbox, when and what for. Preventing data leakage and maintaining security depend on this information.
The need to know
When it comes to mission-critical servers, the need to know seems obvious, yet very few organisations have a meaningful strategy for basic file access auditing and log file analysis to answer questions such as: who accessed a file; when was it accessed; and whether the access attempt succeeded or failed. Data servers that hold personal and commercially sensitive information pose a particular security risk and demand a much greater awareness of what changes are being made and who is making them.
The trend to virtualisation opens up a new set of challenges. While it’s easier than ever to create new virtual servers and run new applications, managing them can be very complex and understanding what’s happening is as important, if not more important, than monitoring your physical infrastructure.
Approaches to IT auditing
The first approach to auditing is to use native audit logs and process them manually, but sorting the relevant data out of the excessive ‘log noise’ is time consuming and inherently insecure, because native logs can be edited, deleted and amended without trace. They also lack any workable storage or archival capabilities for compliance purposes.
Another approach to IT auditing is SIEM – Security Information and Event Management. But the cost of investment and support needed for SIEM can only be justified if you want to integrate functions such as automatic remediation and intrusion prevention. It is an expensive option if your focus is to audit reliability and consistency. And even if SIEM is implemented, it still doesn’t fully provide actionable change auditing, because it relies mostly on the data in native logs. A case of “garbage in, garbage out”.
A third option is to write your own custom-built change auditing system. While it may be useful to create a very specific solution to meet your needs, it takes a lot of time, technical resources and often requires the use of unauthorised APIs (Application Programming Interfaces) to collect audit data, which carries inherent risks.
The fourth way
An alternative approach is to use specialised change auditing software. These solutions can generally deliver a detailed, reliable and consistent picture of what is happening across the entire IT infrastructure at around a third of the cost of SIEM. Most importantly, change auditing software utilises multiple streams of data from multiple sources and then filters, translates, sorts and compresses the results for easy access, understanding, storage and archiving.
To get an accurate picture of what is going on in your network, you also need to be able to capture a ‘snapshot’ of the state before and after a change is made. This more focused approach to change auditing can also provide real-time alerts and automated reports to improve monitoring and detection, and to simplify root-cause analysis.
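The before-and-after snapshot approach described above, and the concern raised earlier that native logs can be edited without trace, can be illustrated together. The following is an added example and not code from the article or from any vendor product: it diffs two constructed snapshots of a hypothetical password policy into change records (what, old value, new value, who, when) and chains each record to the previous one with a SHA-256 hash so that a later edit or deletion of a record is detectable. The setting names and the account name are illustrative placeholders, not a real Group Policy schema.

```python
import hashlib
import json

# Constructed "before" and "after" snapshots of a hypothetical password policy.
# The setting names are illustrative, not a real Group Policy schema.
BEFORE = {"MinimumPasswordLength": 12, "LockoutThreshold": 5, "PasswordComplexity": True}
AFTER = {"MinimumPasswordLength": 8, "LockoutThreshold": 5, "PasswordComplexity": False}
GENESIS = "0" * 64  # hash value the first record in a chain points back to


def diff_snapshots(before, after, who, when):
    """Compare two snapshots and emit one change record per setting that differs."""
    records = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            records.append({"setting": key, "old": old, "new": new, "who": who, "when": when})
    return records


def _digest(body):
    # Canonical JSON (sorted keys) so the same record always hashes the same way
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def chain_records(records, genesis=GENESIS):
    """Link each record to its predecessor: hash = SHA-256(record + previous hash)."""
    chained, prev = [], genesis
    for rec in records:
        entry = {**rec, "prev": prev}
        entry["hash"] = _digest(entry)
        chained.append(entry)
        prev = entry["hash"]
    return chained


def verify_chain(chained, genesis=GENESIS):
    """Return True only if every record is unmodified and no record has been removed."""
    prev = genesis
    for entry in chained:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    # "CONTOSO\\admin" and the timestamp are constructed sample values
    for entry in chain_records(diff_snapshots(BEFORE, AFTER, "CONTOSO\\admin", "2024-01-01T00:00:00Z")):
        print(entry)
```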