
Objectives of the audit of changes in IT infrastructure

Have you come across the term “change audit”? Google returns 10,100,000 results for this query, but it is hard to extract from them an answer to what a change audit actually is. The Wikipedia article offers only a sparse description, and only in English.
What lies behind auditing changes in an IT infrastructure? To answer that, we first need a clear understanding of the goals it serves, and only then can we define it. Without clearly stated goals, the eternal question, “Do I need it?”, cannot be answered.

Let's try to work out what the goals of change auditing are:

1. Greater control over the IT infrastructure. Nobody is immune to change: “change happens”. Through inexperience, carelessness or plain accident, users or administrators delete or alter something that then affects the functioning of the whole infrastructure. For example, deleting a user's account from Exchange also removes that user from Active Directory. Or an inexperienced accountant accidentally deletes an important document and then forgets about it. The search for what has changed should be proactive: the administrator should learn about critical changes as soon as possible. Even when change auditing is enabled with the built-in Windows Server tools, finding the relevant entries in the Security log takes, at best, several hours of hard work. Control therefore also implies automation. It is very easy to miss a change while the administrator does not yet know about it and its consequences have not yet shown themselves.

2. Preventing information security breaches. Pentesters increasingly talk (and write) about backdoors in Active Directory that let an attacker get into the infrastructure management layer using an AD administrator account. Such breaches can have disastrous consequences. Here the person responsible for information security is helped by change auditing, specifically by real-time notification of critical changes in the IT infrastructure. Unwanted changes need to be reverted as soon as possible, before “something falls off” and stops the work of a department or the whole company.
3. Compliance with information security standards. To protect both organizations' information and users' personal data, regulations are adopted at every level, from industry standards to federal laws. It is worth noting that actually securing an organization and proving that it is properly secured are not the same thing. Supervisory bodies require clear evidence that the organization protects its data adequately, records access to resources, logons and logoffs, and so on. Demonstrating compliance with the built-in audit tools alone is extremely difficult; they were not designed to produce the kind of output an audit of changes has to present. Administrators end up writing complex scripts to extract event data, or turn to third-party solutions.

4. Business continuity. When something in the IT infrastructure stops working, it is hell for the administrator: besides trying to find the cause, he hears on every side the dissatisfied voices of users who cannot do their jobs. It is especially unpleasant when something that worked fine before “falls off”. Obviously that “something” was changed by someone, and to restore service promptly you need to know what was changed. Worse still, the change may have been a security breach that nobody knew about.

5. Centralizing all change information. Your organization may rely on the event log itself to recover information about changes. Up to a point this works. But each domain controller keeps its own event log, so reconstructing a complete picture of a change takes considerable effort. Besides, most changes are legitimate, and the unauthorized ones get lost among them. Gathering all change information in one place also prevents an administrator from editing the logs on a server to “close” the record of particular changes.

6. Long-term storage. Another goal of change auditing is long-term retention of the audit data. Event logs are overwritten once they reach their configured size, which in practice often means about 30 days of history, so that they do not take up too much space. But where regulations require it, organizations must keep data on individual changes in the IT infrastructure for several years, to demonstrate that the requirements of information security standards are met.
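Goals 1, 2 and 5 above all come down to the same practical problem: the built-in Windows audit trail is one Security log per domain controller, and a change that matters is buried among legitimate ones. The following PowerShell script is an added example, not code from the original article or from any product it mentions. It pulls a handful of well-known Active Directory change events from every domain controller into a single list and puts a cleared audit log (which is what someone hiding a change would do) at the top. The event IDs are the documented Windows Security event IDs; the 24-hour window, the choice of which events count as "critical", and the column names are assumptions made for the example. It assumes the ActiveDirectory RSAT module, an account with Event Log Readers rights on the DCs, and the User Account Management, Security Group Management and Directory Service Changes audit subcategories enabled on the DCs.

```powershell
# Added example (not from the original article): gather critical AD change events
# from every domain controller's Security log into one list.
# Assumptions: ActiveDirectory module available, Event Log Readers rights on each DC,
# and the relevant audit subcategories enabled on the DCs.

# Documented Windows Security event IDs treated here as "critical changes" (assumed set)
$CriticalEvents = @{
    1102 = 'Audit log cleared'
    4720 = 'User account created'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4756 = 'Member added to security-enabled universal group'
    5136 = 'Directory service object modified'
}

# Look back 24 hours (assumed window)
$Since = (Get-Date).AddHours(-24)

# Each DC only records what happened on that DC, so every one has to be queried.
$DomainControllers = (Get-ADDomainController -Filter *).HostName

$Changes = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = @($CriticalEvents.Keys)
            StartTime = $Since
        } -ErrorAction Stop |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            # Most Security events carry who/what in EventData/Data elements ...
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # ... but 1102 (log cleared) puts the actor under UserData/LogFileCleared.
            if ($_.Id -eq 1102) {
                $data['SubjectUserName'] = $xml.Event.UserData.LogFileCleared.SubjectUserName
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Change  = $CriticalEvents[$_.Id]
                Actor   = $data['SubjectUserName']
                # Account events name a TargetUserName; 5136 names the object DN instead.
                Target  = if ($data['TargetUserName']) { $data['TargetUserName'] } else { $data['ObjectDN'] }
            }
        }
    } catch {
        # Get-WinEvent throws when nothing matches; that is not an error for this report.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# A cleared log is itself the most suspicious change: list those first, then by time.
$Changes | Sort-Object { $_.EventId -ne 1102 }, Time | Format-Table -AutoSize
```

Run on a schedule, the same filter becomes the "proactive" notification goal 1 asks for (pipe `$Changes` to `Send-MailMessage` or a ticketing hook instead of `Format-Table`). It does not solve goal 5 on its own, though: the script still reads each DC's local log, which an administrator on that DC can clear. Forwarding the Security log to a separate collector (Windows Event Forwarding) before it can be touched is what actually takes the record out of that administrator's reach.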

Now let's try to define change auditing. As a first approximation: change auditing is the continuous, formalized and automated tracking of changes occurring across the various platforms of an IT infrastructure. Refinements of this definition are welcome.

In summary, auditing changes in the IT infrastructure is another step towards making a modern organization's operations both secure and as transparent as possible. It also minimizes the consequences of “human error”, which administrators and information security specialists can now detect and handle automatically.

Among the solutions for auditing IT infrastructure changes is NetWrix Change Reporter Suite, with which administrators and information security specialists can audit changes to the IT infrastructure continuously. The package covers a wide range of the IT infrastructure platforms on the market.

NetWrix Change Reporter Suite is an integrated solution for automatically tracking and reporting critical changes across the entire IT infrastructure. Whoever made the change, wherever and whenever, and whatever was changed, in Active Directory, file servers and Microsoft Exchange, NetApp and EMC storage, virtual or physical infrastructure, or SQL Server databases, all components are monitored centrally, and the collected data is consolidated into easy-to-read reports delivered on a schedule to the information security team and to internal or external auditors.

You can learn more about the product and download a trial on our website.

Source: https://habr.com/ru/post/140333/
