What is Quest Change Auditor and how does it compare to and complement Microsoft ATP and third-party SIEM solutions?
Hear Quest product experts, Ghazwan Khairi, Bryan Patton and Robert Tovar discuss the real-time security and IT auditing of Change Auditor and how it compares to and integrates with SIEM solutions and Microsoft Advanced Threat Protection.
Welcome. This is Quest Unscripted, a vlog series on trending topics and Quest solutions related to Active Directory, Office 365, oh, and don't forget Azure AD. You are here because you have questions. We're here because we have answers. I think. We will address questions that we've received from customers who experience the same challenges as you. All with the goal of helping you confidently move, manage, and secure your Microsoft environment. We call the show Quest Unscripted because, except for this intro, nothing we say is scripted or rehearsed. And we're pretty sure you'll notice that right away.
So, Ghazwan Khairi, systems consultant with Quest. Bryan Patton, same thing. Robert Tovar is our subject matter expert when it comes to everything compliance. And today we're going to talk about compliance solutions.
We have been getting a lot of questions from customers about how the Change Auditor family of products compares with, competes with, and complements Microsoft's ATP, previously known as ATA. And also we get a lot of questions similar to that as to how Change Auditor competes with, compares with, and works with SIEM solutions. So that's what we're going to cover today. Hopefully this answers all the questions that come up now or in the future around these topics.
So I'm going to start with Robert Tovar. And before we get deeper into that subject, Rob, I'm just going to ask you a quick question. A high-level question. What is Change Auditor's overall value for customers who may be hearing about Change Auditor for the first time?
OK. So Change Auditor is an agent-based solution that audits many platforms. It's a multi-module solution. And it focuses on, and in this case I'm going to focus on Active Directory, for example, because that's usually what most folks are interested in. So with native event logging, which everyone should be familiar with, you are relying on the operating system to provide the details for the changes that are occurring within the environment. So it's pretty hard to determine exactly what happened when you're relying on native event logs. And in most cases, you'll have audit policies enabled in order to get the additional information. And then you're overwhelmed with the number of events that are being produced. And the level of detail that you get from these native events is lacking.
So Change Auditor, on the other hand, does not rely on native event logs. So it doesn't require that additional footprint that you place on your servers when you do enable the native auditing policies. So it relies on the agent. The agent tracks exactly what's going on. I won't get into the details of how it does it just for the sake of time, but the point is that it can pinpoint exactly what's going on in the environment, determine who did it, what happened, where did it happen, on which domain controller the origin of the change, the before and after value. So you get a concise event with all of the details that are necessary to determine exactly what happened.
There is additional functionality like alerting. There's scheduled reporting that you can incorporate. And there's also the ability to protect objects. So although some third party tools out there can do some of this, Change Auditor can do all of it. So I think that's where the value is. The differences between auditing native events with third party tools versus Change Auditor is the ability to be able to produce concise events with details that you normally wouldn't get.
Got it. Bryan, anything you want to add?
Yeah, I like the normalization of the data, the who, what, when, where. So we have easier searchability over these events later on. Ghazwan, you mentioned the word SIEM, which stands for security incident management, and that's looking at a lot of different disparate systems. We really focus on the Microsoft ecosystem and giving you that rich view of that different data. So there is less volume you have to search through to find out what you're truly looking for.
Right. Well, let's take your point and address the SIEM solution talk for just a second. So Change Auditor is focused on Microsoft ecosystem. SIEM solutions are looking at that plus looking at everything else. So if I'm sitting in an Active Directory organization, that's my role, and I've got security involved. And you come and you pitch what you just pitched over to me and I say, you know what, I've got that covered with my SIEM solution. What's your value add? Can you talk a little bit more about the Microsoft ecosystem. What's your value add for me as an Active Directory administrator?
I'm thinking about--
Walk me through a SIEM solution.
I'm thinking about like a simple change such as adding and removing [INAUDIBLE] group. You know, that one change that you're making in Active Directory natively, you can turn on auditing to see that group membership was changed. But you can't necessarily see how it changed, who got it added in, who got removed, from where did that originate. So the fact that we can get you all that extra relevant information in a smaller number of events I think is vital because it's a lot less stuff that you have to search through after the fact.
I'd like to add that with a SIEM solution-- well, let me just make something clear. Change Auditor does not compete with SIEM solutions, right. We complement the SIEM solution. So it's not like you can choose Change Auditor over a SIEM solution. We don't claim to do all that a SIEM does. So I think the value add that we provide or the value that we add to the SIEM solution is that we can capture those normalized events, right. We can provide details that you wouldn't get from the native event logs and incorporate those with the SIEM solution.
Can you give me a couple of examples? Because that's typically the question we get. Can you give me a couple of examples of where we really provide-- and I agree with you-- really granular, in-depth knowledge about the changes that are happening in Active Directory that you may or may not get with a SIEM solution? So--
GPOs is one good example. Also log on activity, right. With our log on activity module, we can get log on sessions that provide the details of when someone actually logged on to a computer or into a network and then when they actually logged off. So you get that session, that detailed session of Jane Doe is on for eight hours 45 minutes and 30 seconds and she was logged on to this server or this workstation while on the network. So that level of detail. There's more examples, but the point is that we can provide that in a single event as opposed to trying to fish through all of the native events to capture bits and pieces.
All right. Well let's take that conversation and move on to Microsoft's ATP, Advanced Threat Protection, which used to be called ATA. Do we compete with Microsoft ATP or do we complement? And if so, where does one kind of hand off to the other if I, as a customer, have both of them? And I'm not sure which one of you wants to respond.
Well, I think it's still the same value prop. We have enriched data, whereas with ATA, ATP, a lot of what they're doing is they're looking for different signatures of events or logs occurring that meet a certain criteria. For example, they're looking for past [INAUDIBLE]. They're seeing these different patterns occur, whereas we're looking at the additional information compared to what they're looking at. They're looking at the native security logs by default.
Would you guys say that also in the customers' organizations, the people responsible for managing ATP are typically on the security side, versus someone who is looking at Change Auditor as more on the Active Directory side, and they will have to basically address the concerns that are coming in from the Active Directory side a lot faster than if we were to go involve a security team to look at the same events?
I know in my experience with all the different security teams, all the expertise tends to sit on the network layer, not so much on Active Directory. So the fact that with Change Auditor by default you plug it in and we're auditing all the different critical events that need to be observed out of the box, without any kind of extra configuration, is a huge value prop. Not only that, but then you can choose from the operations perspective what data should then go over to the SIEM or whatever the security team uses to kind of get that full picture of everything that's going on in the different network.
Yeah. And Rob, I know we do work with SIEM solutions out of the box, right? We can forward events to SIEM solutions out of the box. Do you want to tell us more about that?
Yeah. So Change Auditor can produce events like we said, right. And these events normally in a default setup would get streamed directly to the Change Auditor database where they're stored. One of the options that we have is to forward the events directly from the database to a SIEM solution. We also have the ability to produce events in an EVT format. So it's an option in addition to forwarding the events to the Change Auditor database. We can, in addition, create the events locally on the domain controllers so that any third-party tool can pick up those events as well.
By the way--
Robert, as far [INAUDIBLE] said earlier as well, that protecting capabilities. And those SIEMs are usually trying to figure out different events that do occur. And I think we want to highlight maybe the protection capabilities just because we can prevent certain things from ever happening.
Can you give a couple of examples of protection that you see a lot of customers taking advantage of?
Yeah, definitely. Definitely. So the idea here is to take a proactive approach as opposed to a reactive approach, right. So if you're waiting for something to happen and then react to that, it may be too late. So with our solution, we can actually protect the objects. And some of the examples would be like protecting your critical group, right, the domain admin group. For example, let's say we're all domain admins but we don't want Bryan to make changes to a specific critical group, even though he's a domain admin, even though he can be an enterprise admin. We don't necessarily want him to change the membership for whatever reason.
He will have the native permissions technically, but he will be blocked by Change Auditor. So we can provide a whitelist, a list that's going to allow some of these administrators to make changes while protecting the objects. We can do the same thing with Group Policy objects. We can do the same thing with accounts or OUs. Maybe we don't want objects being created in certain OUs. So the whole idea is even though some of us end up having all the keys to the kingdom, some of us shouldn't be making changes to certain critical objects.
Yeah. And the only thing I'd add is you can get to all of this fairly quickly with Change Auditor. I mean, Rob, how long in your typical engagement does it take for you to go in install, configure, and start seeing results in Change Auditor?
Assuming we have the prerequisites, which are pretty simple, right? It's just the Change Auditor server, which is a Windows server, a SQL backend. We can be up and running a brand new installation within an hour. And that means producing events, seeing reports of activity, putting in protection templates. We can do the whole thing within an hour. Basically, what it takes.
Awesome. Well, Bryan, Rob, anything else you guys want to add before we end this?
No. Just keep in mind that we can make any SIEM switch you have a little bit better with our enriched data that we have within Change Auditor for AD file system submitted from platforms on a single payment class.
Yeah. I just want to add.
Real quick. Yeah. Since we can get up and running so quickly and it's a solution that doesn't have a heavy footprint, we can actually put this in production or in a lab environment rather quickly. So if you are interested, we could easily get that going with a trial key.
Awesome. And I am sure someone from marketing will put a link to the product somewhere on the screen. But I appreciate you guys taking the time for this. Rob, I love your background. You can go and finish the day on your hammock. Appreciate it. Thank you, guys. Until next time.
Take it easy guys. Bye.