Wouldn’t it be great if you could set up your IT environment in just the right way to ensure ongoing security and regulatory compliance? You’d put your firewalls and antivirus protection in place, ensure that all user and computer accounts are granted permissions in strict accordance with the least-privilege principle, tailor your Group Policy to your organization’s unique needs, and so on, and then sleep soundly at night, knowing everything is secure and compliant.
There’s just one thing — your IT environment isn’t a static exhibit in a museum, or even a case study in an IT best practices handbook. It’s an incredibly dynamic place, with users and applications accessing and changing data, accounts being provisioned and deprovisioned, systems and software being installed and retired, and data flowing in and out, all at a staggering pace. Moreover, it’s constantly interacting with the outside world, especially if you’ve adopted any cloud technologies. And of course, the threat landscape, both inside and outside your network, is also in constant flux.
As a result, security and compliance require constant vigilance and effort. One of the most important elements of that work is keeping a close eye on the activity of your admins and end users, both on premises and in the cloud. Much of that activity is logged, but those logs are stored in many places across the environment, in many different (but nearly always cryptic) formats. How can you hope to get the real-time insight you need to truly understand what’s going on and where the real threats are?
Smart event log management from Quest InTrust
Event log management is part of the answer, but it has to be smart event log management. You don’t just need to collect all those logs; you need a solution that can correlate and normalize the data and present it in a single pane of glass, so it’s easy to reconstruct a complete picture of user activity. And of course it must be able to store the data cost-effectively for years and make it easily searchable for fast reporting, troubleshooting and security analytics. You can get all that, and more, with Quest InTrust.
Smart change auditing from Quest Change Auditor
But there’s another critical aspect to consider: change auditing. You need to watch for key configuration, user and administrator changes to your AD, Exchange, Windows file systems, Azure AD and Office 365, SQL Server, SharePoint, and so on — something native logs can’t provide. But Quest Change Auditor can. From a single console, you get complete, real-time change auditing, in-depth forensics, and comprehensive reporting on these changes, as well as on user logons, authentications and other activity across the enterprise. Understanding exactly what happened is easy because each event and all related events are displayed in simple terms with all the critical details. You can even proactively protect critical objects from being changed in the first place.
Even better together
As valuable as Change Auditor and InTrust are individually, they really shine when used together. With the combined solution, you can protect against threats to your entire hybrid environment, quickly perform forensics when attacks occur, empower your security officers to test your security measures, and audit almost any system or application. Plus, the combined solution is the perfect complement to your SIEM because it alleviates both the cost and scalability issues you might be facing.
Here are just 5 of the top benefits of using Change Auditor and InTrust together:
1. Granular, real-time insight
Change Auditor and InTrust go above and beyond native logs by capturing every aspect of any change and access attempt, including the 5 Ws (who, what, when, where and originating workstation) and the previous and current values for each change event. You get far more detail about user sessions than native events provide, including how long the session lasted and how it began and ended. Moreover, both Change Auditor and InTrust collect events in real time, so you can respond in time to prevent a breach or system downtime.
2. Alerting
The combined solution will alert you in real time to potential threats, including both particular events (such as the appearance of a file with an extension that matches known ransomware) and a series of events that exceeds a threshold (such as changes to too many files by a particular user account in a short time period, which can indicate a ransomware attack in progress).
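The two alert types described above (a single event carrying a known-ransomware extension, and a burst of file changes by one account inside a short window) as an added Python illustration; this is not code from Quest InTrust or Change Auditor, and the event format, extension list and threshold are assumptions:

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of normalized file-server events: (timestamp, user, action, path).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice",   "modify", r"\\fs01\share\q1.xlsx"),
    ("2024-05-01T09:00:05", "bob",     "modify", r"\\fs01\share\budget.docx"),
    ("2024-05-01T09:00:10", "mallory", "rename", r"\\fs01\share\a.docx.locky"),
    ("2024-05-01T09:00:12", "mallory", "rename", r"\\fs01\share\b.xlsx.locky"),
    ("2024-05-01T09:00:14", "mallory", "rename", r"\\fs01\share\c.pdf.locky"),
    ("2024-05-01T09:00:16", "mallory", "rename", r"\\fs01\share\d.pptx.locky"),
    ("2024-05-01T09:00:18", "mallory", "rename", r"\\fs01\share\e.txt.locky"),
    ("2024-05-01T09:00:20", "mallory", "rename", r"\\fs01\share\f.csv.locky"),
    ("2024-05-01T09:00:22", "mallory", "rename", r"\\fs01\share\g.jpg.locky"),
    ("2024-05-01T09:01:00", "alice",   "modify", r"\\fs01\share\q2.xlsx"),
]

# Illustrative extension list (assumption); a real list comes from threat intelligence.
SUSPICIOUS_EXTENSIONS = {".locky", ".crypt", ".encrypted"}
CHANGE_ACTIONS = {"create", "modify", "rename", "delete"}


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (rule, user, detail) tuples.

    Rule 1 (single event): a file appears with a known-ransomware extension.
    Rule 2 (threshold): one account changes more than `threshold` files inside a
    sliding `window`; fires once per account per burst, so a flood of changes
    yields one focused alert instead of one alert per file.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of changes inside the window
    fired = set()                 # users already alerted for a mass-change burst
    for ts_str, user, action, path in events:      # events assumed in time order
        ts = datetime.fromisoformat(ts_str)
        if ntpath.splitext(path)[1].lower() in SUSPICIOUS_EXTENSIONS:
            alerts.append(("ransomware_extension", user, path))
        if action in CHANGE_ACTIONS:
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:              # drop changes older than the window
                q.popleft()
            if len(q) > threshold and user not in fired:
                fired.add(user)
                alerts.append(("mass_change", user, f"{len(q)} changes in {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

On the sample, the seven renamed files each trigger the extension rule, and the sixth rename within the minute trips the threshold rule once for that account.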
3. Google-like search and investigation
Both Change Auditor and InTrust include IT Security Search, a Google-like search engine that enables faster security incident response and forensic analysis. IT Security Search pulls in data from multiple Quest security and compliance solutions and feeds it all into a single pane of glass, so you can easily analyze user entitlements, activity, event trends, suspicious patterns of behavior and more, with rich visualizations and event timelines.
4. Automated responses and object protection
InTrust and Change Auditor can block many threats as soon as they are detected, mitigating the security risks associated with malware, stolen credentials and insider attacks. And Change Auditor can protect against changes to critical and sensitive data in Active Directory, Exchange and Windows file servers.
5. SIEM savings
As noted above, a quality SIEM is definitely a great tool to have in your arsenal, but it’s an expensive and inefficient way to do event log management. Many vendors license their tools based on the volume of data flowing into them — and native logging generates an enormous volume of events. That can quickly make the SIEM prohibitively expensive. You also need to store all that event data for years, which increases the cost even more. And even if your SIEM system can collect and process all the millions of events your environment generates per minute, it might take hours to run the queries you need, so you won’t be able to respond in time to block active threats.
The good news is, the combined solution of InTrust and Change Auditor is the perfect complement to your SIEM. You can store long-term event log data with InTrust, filter it and forward only the relevant data to your SIEM solution for real-time security analytics. Plus, by summarizing some actions into very focused events, Change Auditor can eliminate the need to forward some events to your SIEM at all; you can simply store them in InTrust for forensics and compliance and rely on Change Auditor for providing security insights for your SIEM. As a result, you can dramatically reduce the volume of data the SIEM ingests and the licensing costs you incur. For instance, one Fortune 500 automotive & transport company collects 50,000 events per day using InTrust, but sends just 1,000 events per day to their SIEM.
Next steps
Those are just the top 5 benefits of using InTrust and Change Auditor together! You’ll also get proven enterprise scalability, storage savings of up to 60 percent, fast time to value, a comprehensive library of pre-defined reports mapped to the requirements of GDPR, PCI DSS, SOX, HIPAA, FISMA and many other common regulations, and much more.
I invite you to learn more about the combined solution in our white paper, “Integrated change auditing and event log management for strong security: Change Auditor and InTrust — better together.” You’ll also learn:
- The limitations of using native tools for monitoring user activity, and why most third-party event log management tools aren’t much better than native tools
- The key functionality of InTrust and Change Auditor as separate solutions
- Exactly how InTrust and Change Auditor can help you with real-world use cases like spotting and blocking ransomware, responding automatically to known threats, and streamlining security investigations and audits.
Take a look and learn how you can use this integrated Quest solution, either alone or in combination with your SIEM, to improve security and compliance while reducing costs.