Data breach forensics – Get an Intelligent Looking Glass into Your Environment

What’s worse than a data breach, when you’re in IT?

Figuring out where to start your search for root causes.

It’s a drag to dig into log files, events, permissions, groups and Active Directory (AD) objects across workstations, Windows servers, SQL servers, Linux servers and cloud servers. Even if you know what you’re looking for, you can burn up a lot of time on the hunt.

For example, suppose you’ve suffered a data breach, insider attack or other security breach and you’re trying to figure out how widespread the damage is. Or, suppose HR tells you that two disgruntled employees with administrator rights have just left the company, and you need to quickly see which resources they could access.

What if you could start your search simply by typing a term into a web-based interface?

 

Investigate with IT Security Search

Like an intelligent looking glass into your environment, IT Security Search pulls data from your servers and workstations into an interactive search engine, ready for you to query.

You’re probably not used to thinking about using the search function for auditing, IT forensics and security, are you? Usually, you start somewhere in the middle and work your way out toward the ends.

That’s why we’ve built IT Security Search as a search engine.

In fact, here’s the main screen:

Look familiar? Now you can start your investigations by entering a username, keyword, search term or date range, then drilling into the results.

So, if you suspect that the breach had to do with credit card data, you can enter “*credit*” in the search field. Or if you want to see all of disgruntled former employee Jeffrey Lebowski’s permissions, group memberships and access privileges, you can search for “jeffrey lebowski” and IT Security Search will find the associated user. Then, when you use that associated user as a facet of your search, it will search for all the permutations of the name, for example “Jeffrey Lebowski”, “labcorp\jlebowski”, “jlebowski@labcorp.net” and so on.

IT Security Search then summarizes and returns relevant files and system resources for any specified date range in an easy-to-navigate format, ready for drill-down:

It’s the shortcut to finding out who has access to data, how they obtained it and how they’ve used it.

 

How does IT Security Search work?

IT Security Search correlates the data from multiple Quest® platform management products:

  • Enterprise Reporter – Provides insight into state-based data such as user and group information, permissions and ownership.
  • Change Auditor – Ensures security and compliance through real-time auditing, whether the activity is on premises or cloud-based.
  • InTrust – Securely collects, compresses and stores event log data from Windows servers/workstations, Unix/Linux servers, network devices, third-party systems and more.
  • Recovery Manager for Active Directory – Reduces backup recovery time and impact to users by discovering which AD objects have changed, including before- and after-values, and restoring them to a previous state with a few clicks.
  • Active Roles – Secures and protects AD resources simply and efficiently.

Each of those products by itself covers entire categories of data from sources on premises and in the cloud. IT Security Search pulls together data from any and all of those Quest platform management products. The more products you run, the more comprehensively you can investigate your entire environment with IT Security Search.

How much does IT Security Search cost?

And the best part is that you pay nothing, zero, zilch, nada, niente additional for all the security and forensic power of IT Security Search. It’s a downloadable feature available to companies that own Enterprise Reporter, Change Auditor, InTrust, Recovery Manager for Active Directory, and/or Active Roles.

 

Next steps

IT Security Search uses a web interface to correlate IT data from disparate systems into an interactive search engine. Once you’ve used it to track down a security breach, investigate an issue or review the system-wide access privileges of a user, you’ll wonder how you ever got along without it.

Have a look at our on-demand webcast, 5 Administrative Tasks Made Easy with IT Security Search, for concrete examples and on-screen demonstrations of the kinds of work IT Security Search can simplify for you.

Better yet, take IT Security Search for a test-drive yourself. Simply start your 30-day trial of any of the Quest platform management products mentioned above. IT Security Search currently integrates with Change Auditor, Enterprise Reporter, InTrust, Recovery Manager for Active Directory and Active Roles, so download one or all of them and start your trial.


Use Cases

In my next post we'll explore four use cases that IT Security Search can help with by speeding investigations and managing your environment. 

Anonymous