Whodunit? Auditing Logon Events Leaves Nothing to Suspense

You know a security breach has happened but who is responsible? Capturing the change itself won’t help you catch the culprit. The devil is in the user details. But what if that level of detail isn’t available at the critical moment when you investigate? You also need to know what happened before and after you were compromised to quickly set things right. Time is of the essence.


Too many people are basically waiting for something to go wrong — an expensive security breach or regulatory failure — to realize they need a solution for auditing user activity from start to finish. In the meantime, they don’t know what they don’t know. In our recent webcast, Windows security expert Randy Franklin Smith stressed the limitations of native IT auditing tools. “You need to know what you can do with them and what you can't. Centralized authentication auditing, at least in terms of domain accounts on domain controls, is not session auditing.”


The good news is you can overcome those limitations and proactively avoid security breaches, rather than waiting to react, with a program like Change Auditor. It captures and audits all user activity “door to door” — from logon to logoff — and everything in between. It tells you the 6 Ws you need to know: the who, what, when, where, why as well as the workstation where it happened. And the events have information about what was set before and after the change. By eliminating the need for native auditing overhead, it can save money and increase performance across the enterprise.


The big advantage to Change Auditor is that it not only automates and accelerates a time-consuming task, but also takes the mystery out of it. The unauthorized user will not escape you by clearing the security log to cover his or her tracks — all of it will still be there at your fingertips. Change Auditor collects the event as it occurs in real time. You can set up critical change and pattern alerts that go to an email or mobile phone to prompt immediate action. You can create a dashboard and give it to a helpdesk person so they can see the logon activity, the session activity, an account lockout, where it’s coming from, and tie it in with all the changes in Active Directory, Exchange, SharePoint, SQL, file servers and more. With deep visibility into user activity from a single powerful UI, you don’t have to be Sherlock Holmes to find and interpret the data. If you do have to play detective, you can use Change Auditor to deploy what I call “one-click forensics” on any workstation, or user account, clicking on the IP address or host name — the logon session where it was initiated from — and revealing all user activity.


Capturing the change itself won’t help you catch the culprit. But keeping track of user details will.