Comment: Audit what’s Going on in your IT Infrastructure…It’s Not Rocket Science

15 January 2013
Aidan Simister, NetWrix

Aidan Simister of NetWrix looks at what organizations need to audit, but too often don’t

There is increasing pressure on organizations to strengthen their information security, increase monitoring capabilities and prove to stakeholders, auditors and regulators that they really know what’s going on in their IT Infrastructures. Yet, the reality is that many are still taking a fire-fighting approach to these challenges.

A bit like tax inspectors, auditors are not the most welcome of visitors for overstretched IT departments. When you’re trying to keep the business running smoothly and securely to avoid featuring in the next data loss headline, it’s the last thing you need.

Asking an IT or security manager to tell you who made what changes, and when, in their IT infrastructure will often involve a time-consuming, manual process. Trawling through disparate arrays of native audit logs from servers and network equipment is not very scientific. Yet, surprisingly, this approach is still commonplace, even in the largest of organizations, despite being reactive, slow and insecure.

Many audits are carried out either before an investigation or after an event, such as a data loss or server failure. Very few IT teams really know what is happening in their infrastructures at any given time. And with increasingly complex IT infrastructures, there is a lot to keep track of.

Take, for example, Active Directory. It is at the core of 98% of all modern networks, yet the majority of organizations don’t understand there is a problem with it until it’s too late. The same is true for group IT policies, where auditing things such as password policies and procedures underpins security.

With our reliance on email, it is also important to continuously monitor whether erroneous or malicious changes are being made to Microsoft Exchange. In addition, it is essential to know who is accessing whose mailbox, when, and for what purpose. Mitigating data leakage and maintaining security depend on this information.

When it comes to mission-critical servers, the ‘need to know’ seems obvious, yet very few organizations have a meaningful strategy for auditing basic file access to answer questions such as: Who accessed a file? When was it accessed? Did the access attempt succeed or fail? Data servers that hold personal and commercially sensitive information pose a particular security risk and demand greater insight into what changes are being made – and who is making them. Changes to a firewall or a network switch can also have major security implications and need to be taken seriously.

Going virtual poses its own challenges. With today’s virtual environments, it’s easier than ever to create new virtual servers. But managing them can be very complex, and understanding what’s happening in them is as important as – if not more important than – monitoring your physical infrastructure.

Finally, understanding who is logging on to your network, where they are, what they are doing and for how long should be security practice 101. If organizations rely on native tools to do this, however, they won’t get the required detail in a readable, logically sensible format.

Change auditing can sound complex and not very exciting, but it’s not rocket science. Understanding the common approaches will enable you to determine the one that best suits your organization. There is not a one-size-fits-all solution, and the answer depends on what your drivers are and how much time and money you are prepared to invest.

It is possible to meet compliance using native audit logs and manual processes without further investment in technology. But in its raw form, this approach creates excessive ‘log noise’ and seemingly random streams of technical data that are meaningless without filtering or translation. Native audit logs are also inherently insecure because they can be edited, deleted and amended without trace; so you can never be 100% sure of their accuracy. They also lack any workable storage or archival capabilities for compliance purposes.

A second approach to auditing change is the much heralded SIEM – security information and event management. The cost of investment and support needed for SIEM can be justified if you want to integrate functions such as automatic remediation and intrusion prevention; but it is an expensive option if your focus is audit reliability and consistency. SIEM also fundamentally still relies largely on native audit logs and requires a high level of commitment to planning, deployment and management.

Another option is to write your own custom-built change auditing system. Although it may be useful to create a very specific solution to meet your needs, it takes a lot of time, technical resources and often requires the use of unauthorized APIs to collect audit data, which carries inherent risks.

An alternative approach is to use specialist change auditing software. While capabilities vary from vendor to vendor, these solutions can generally deliver a detailed, reliable and consistent picture of changes at around a third of the cost of SIEM. Most importantly, change auditing software collects multiple streams of data from multiple sources and then filters, translates, sorts and compresses the results for easy access, storage and archiving. Without that processing, you’re no better off than you are using native auditing.

To get an accurate picture of what is going on in your network, you should be able to capture a ‘snapshot’ before and after a change is made. This more focused approach to change auditing can also provide real-time alerting and automated reports to improve monitoring, detection and response capabilities.
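The before-and-after snapshot approach described above, as an added example that is not the article's or NetWrix's code: it diffs two constructed snapshots (an Active Directory-style group and a domain password policy, with invented object names, members, values, the `changed_by` account and the timestamp) into readable change records, and appends each record to a hash-chained log so that a later edit to a stored record is detectable, which addresses the point made earlier that raw native logs can be amended without trace.

```python
"""Added example: snapshot-based change auditing with a tamper-evident record log.
All object names, members, values and timestamps below are constructed for the example."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Any

# Constructed "before" snapshot: object -> {attribute: value}
BEFORE = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": {
        "member": {"CN=alice,CN=Users,DC=corp,DC=example",
                   "CN=bob,CN=Users,DC=corp,DC=example"},
    },
    "Default Domain Policy": {"MinimumPasswordLength": 12, "LockoutThreshold": 5},
}

# Constructed "after" snapshot: one member added, password minimum weakened.
AFTER = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example": {
        "member": {"CN=alice,CN=Users,DC=corp,DC=example",
                   "CN=bob,CN=Users,DC=corp,DC=example",
                   "CN=carol,CN=Users,DC=corp,DC=example"},
    },
    "Default Domain Policy": {"MinimumPasswordLength": 8, "LockoutThreshold": 5},
}


@dataclass(frozen=True)
class ChangeRecord:
    obj: str          # the audited object (group, policy, server, ...)
    attribute: str    # which attribute changed
    old: Any
    new: Any
    changed_by: str   # account that made the change (hypothetical value here)
    when: str         # ISO-8601 timestamp of the "after" snapshot


def _norm(value):
    # Multi-valued attributes (memberships) are compared order-independently.
    return sorted(value) if isinstance(value, (set, list, tuple)) else value


def diff_snapshots(before, after, changed_by, when):
    """Return one ChangeRecord per attribute whose value differs between snapshots."""
    records = []
    for obj in sorted(set(before) | set(after)):
        b_attrs, a_attrs = before.get(obj, {}), after.get(obj, {})
        for attr in sorted(set(b_attrs) | set(a_attrs)):
            old, new = _norm(b_attrs.get(attr)), _norm(a_attrs.get(attr))
            if old != new:
                records.append(ChangeRecord(obj, attr, old, new, changed_by, when))
    return records


def describe(rec):
    """Translate a record into the plain-language form an auditor can read."""
    if isinstance(rec.old, list) and isinstance(rec.new, list):
        added = sorted(set(rec.new) - set(rec.old))
        removed = sorted(set(rec.old) - set(rec.new))
        detail = f"added {added}, removed {removed}"
    else:
        detail = f"{rec.old!r} -> {rec.new!r}"
    return f"{rec.when} {rec.changed_by} changed {rec.attribute} on {rec.obj}: {detail}"


GENESIS = "0" * 64


def _entry_hash(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


def append_chained(log, rec):
    """Append a record whose hash covers its content and the previous entry's hash."""
    entry = asdict(rec)
    entry["prev_hash"] = log[-1]["hash"] if log else GENESIS
    entry["hash"] = _entry_hash(entry)
    log.append(entry)
    return entry["hash"]


def verify_chain(log):
    """True only if every entry's hash matches its content and links to its predecessor."""
    prev = GENESIS
    for entry in log:
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    recs = diff_snapshots(BEFORE, AFTER, "CORP\\jsmith", "2013-01-15T09:30:00Z")
    log = []
    for r in recs:
        append_chained(log, r)
        print(describe(r))
    print("chain intact:", verify_chain(log))
```

The diff produces exactly the two changes an auditor cares about (a new Domain Admins member and a weaker minimum password length) and skips the unchanged lockout threshold; editing any stored entry afterwards breaks `verify_chain`, so the log can be trusted in a way an editable native log cannot.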

There is no panacea to knowing what’s going on in your IT infrastructure. But if you can’t respond to some simple questions from the audit team without spending hours looking for the answers, then it’s time to look seriously at IT audit options.

Aidan Simister has been in the IT industry for over 15 years, working for major security and compliance vendors, distributors and resellers, including Access Information Security, Wick Hill and Sophos. He is currently the UK and Ireland country manager for IT change audit specialist NetWrix.




ksuresh says:

24 January 2013
Interesting article on the importance of auditing and how it helps businesses. I read a whitepaper about this very topic, "Which SOC controls report is right for your organization"; it offers very good information that readers will find very helpful @
