Change provides constant opportunity

Aidan Simister says too many organisations are slow and reactive when managing infrastructure

Organisations are feeling more pressure to strengthen their information security and monitoring capabilities, as well as prove to stakeholders, auditors and regulators that they know what is going on in their IT infrastructure. Yet the reality is that many are still fire-fighting rather than preventing the problems in the first place.

Auditors are a bit like tax inspectors: not usually the most welcome of visitors for overstretched IT departments. When you are trying to keep the business running, keep everyone happy and avoid featuring in the latest data-loss headline, they are the last thing you need.

Ask an IT manager to tell you who changed what and when in their IT infrastructure, and the answer will often be time-consuming to produce and involve trawling manually through a disparate array of native audit logs from a range of servers and network equipment.

This approach is still common even in the largest of organisations, even though it is reactive, slow and insecure.

Many audits are carried out either before an investigation or after an event such as data loss or server failure. I have read that very few IT teams really know what is happening in their infrastructure at any one time. And with that infrastructure becoming increasingly diverse, there is a lot to monitor.

Active Directory is core to modern networks, but most organisations rely on crude native log tools to audit it, and do not understand what is happening until they have to investigate an event.

Auditing group policy on factors such as passwords is essential, yet often ignored. And given the reliance on email and the functionality of the native tools for Microsoft Exchange, it is vital to check changes regularly for malicious activity or mistakes.

Who is accessing which mailbox, and when? Mitigating data leakage, and security overall, depends on this information. Who is making changes to mission-critical servers, especially when it comes to local users and groups?

Few have a meaningful strategy for auditing file access, answering questions such as who accessed such-and-such a file, when, and whether the access succeeded. This information should be available instantly at any time. Obviously log-on and log-off activity per user and location needs monitoring as well, but native tools do not deliver this detail in a readable format.

Understanding your servers

Companies need a better understanding of the critical role of SQL database servers and the security threats around them. They need to know what changes are being made and by whom. Alterations to firewalls or network switches should also be monitored or audited.

Then there is managing virtual environments. This can be complex, but it is just as important as monitoring traditional infrastructure.

While it is possible to comply with current regulation using native audit logs and manual processes, this approach, in its raw form, creates an excessive amount of log “noise” and seemingly random streams of technical data that are meaningless without filtering or translation.

Native audit logs are also inherently insecure, because they can be edited, deleted and amended without trace, and they do not have workable storage or archiving capacity.

Security information and event management (SIEM) can be justified if the customer wants to integrate functions such as automatic remediation and intrusion prevention. But it may still rely on native audit logs and be time-consuming to operate.

Specialist change auditing software is available, or you can write your own change auditing system. This obviously takes time and resources, and often requires the use of unauthorised APIs to collect audit data, which carries inherent risks.

Streams of audit data from multiple sources should be filtered, translated, sorted and compressed for access, storage and archiving. You should also be able to see “before” and “after” values for the changes and get a detailed picture of what is going on in the network. Real-time alerting and automated reports can also help.

Aidan Simister is UK and Ireland country manager at NetWrix