Hey, guys, thanks for joining. This is Ghazwan Khairi, Strategic Systems Consultant with Quest. And I'm joined, as you can see on the screen, by Bryan Patton, Principal Systems Consultant with Quest. And Rob, do you want to say hi? Here's Rob, Rob Tovar, Senior Services Architect with Quest.
So today, we're super excited to talk about what's coming new in Change Auditor 7.1 release. 7.1 release, actually, is going to go live as of yesterday. Did it go live, guys?
June 2nd, it's out there. Yep.
Cool, so it's out there, as of yesterday. And we're super excited about the new capabilities. Bryan, I see you're, like, on fire. Talk to us about what is going to come, or what just released, for Change Auditor Logon Activity.
So the first item that we released, I'm really excited about, is Golden Ticket Detection, where we can see the time to live, it would be, kind of, the [INAUDIBLE] tickets are greater than 10 hours. Not only that, but the identification of NTLM, where we can see if version 1 or version 2 of NTLM is being used, as well, have both been added into the product.
OK, so let's zoom out from this technical talk, and why do I care?
The Golden Ticket Detection, this means that somebody may be in your network. Typically, when you authenticate and you have a ticket, the default is 10 hours. So [INAUDIBLE] forged tickets that may be created by Mimikatz or some other different type of tool, and those tickets can actually last up to 10 years. So the fact that we're looking at what's between 10 hours and that 10-year lifetime indicates that something bad's happening. That's the first thing we, kind of, indicate when those exist in your environment.
The other one, on NTLM version 1 and version 2, allows you, if you want, to get rid of NTLM authentication. So the first one, the most insecure, is NTLM version 1. Knowing that that's being used is really bad, but some applications do use it. So identifying which applications are using it can help you remediate and fix that.
NTLM version 2, you know, if you can't get rid of it, you should. Although, a lot of, like, the Schiavo cases don't. But just identifying which applications are using it can help you on later down the road.
Cool, from an operational standpoint, say, I upgrade Change Auditor to 7.1, how do I go about finding out where-- just give me one screen, show me all Golden Tickets, or all NTLM events that are happening in the environment, from one screen, how do we go about doing that in Change Auditor Logon Activity.
Yeah, so there's a component, I guess, a portal that we have incorporated with many of our Quest products, called IT Security Search. IT Security Search, if you guys aren't familiar with it, it's a portal that can tap into multiple resources, Quest resources, and Splunk, for that matter. But the whole idea is to feed this portal the information from our Quest products, including Change Auditor.
So it's a portal that allows you to plug in keywords and do a Google-like search. So you plug in the keywords, hit enter, and you get the results within seconds. So it's a nice way to do searches, get your details, get your information, regardless of what product you're talking about. But in this case, with Change Auditor, we can quickly get that information.
So today, I probably logged in and out, and left my screen up, and came back to it, probably, I don't know, a dozen times. And I'm sure you guys have done the same thing. What I'm trying to get at is, the users are going to be generating a lot of events, a lot of noisy events. Rob, how do we control that, so that we're cutting the noise out, but we're still gaining value from Change Auditor?
So there's some options, right? Some customers will choose-- I mean, there's an option to disable event, if the events aren't necessary. But if you do want to see them, one option that we have is to allow the events to come through, and then apply a purge job that's very specific or detailed as to what it's going to eliminate or get rid of.
You can also archive the events, so there's multiple options. One would be to purge the events more frequently, another option would be to archive the events to a second database, another option is to move events to a third-party tool, or to even use our InTrust solution that would allow you to compress the data in a repository, with a 20 to 1 compression ratio. So there's many ways to either eliminate the data or move the data for further use in the future. I know with some compliance regulations, there is a need to store or keep information for longer periods of time. So we have both options.
Got it. Bryan, is there anything else you want to add?
Yeah, another option may be turning it on for just a little while, identifying the application that's still using NTLM, disabling it, then turn it back on after you've remediated authentication, maybe [INAUDIBLE] see if those different bits are being generated or not. And so we'll use that go one by one, each different application, maybe, to remediate, and get them to more modern authentication.
Yeah, I agree, because most of the time, with NTLM, at least version 1 and version 2, what they want to do is, you want to identify, so you can stop those type of authentications. So turn it on, stop, turn it on, stop. And then for the Golden Tickets, that's something that you, obviously, want to look for.
Now, from a Golden Ticket standpoint, the default, you said it's 10 hours, and I think that's what we have. We have a filter that says 10 hours by default, but you can change that. How do we go about proactively, rather than coming back to the screen and looking at the events that are 10 hours, or more or less, based on our configuration, how do we proactively let customers who are monitoring logon activity know about these kind of events and these kind of situations?
Well, a lot of it's going to be around prevention to begin with. Unfortunately, we can't always prevent, because you have to keep the business moving forward. Sometimes they do rely upon NTLM. You'll see guidance where, if you can, you should disable NTLM to begin with.
So how we prevent a Golden Ticket to begin with is by reducing the attack surface, removing and minimizing the number of people that have or are a member of these certain privileged groups. So you may have heard me talk about our Orange Forest concepts, it actually has the ESA architecture, a law, that's been around, preventing it from happening in the first place.
Rob what's the-- how can alerting in Change Auditor, kind of, help proactively with, you know, telling people that some-- you know, these are events that are being generated in the environment? Is that an option in Change Auditor?
Yeah, yeah, so we have different ways to alert: SNMP, SNPP, [? WMI. ?] And we can alert based off of criteria-- excuse me one second. We have alerts that can be configured based off of criteria that you define, right? So it doesn't have to be very specific, it can be very broad, it can be specific, if you'd like it to be.
You can have these alerts be focused on certain servers, certain users, you define the criteria and you determine exactly what it is that you want to be alerted. The last thing you want is a bunch of false positives or information that's not going to make any sense to you. So we can definitely define these alerts, provide them, and then, maybe even take further action, based off of the results.
Yeah, cool, I'll just mention this, real brief, so with the 7.1 release of Change Auditor, we are also introducing some new capabilities in On Demand Audit, which is our SaaS offering for auditing everything, Azure Active Directory, Office 365. And the good news there is we just added risky events. So this is now, if I log in from one location, or twice from two different locations at the same time, this is a travel that I can't physically do that gets flagged as a risky event and it stopped the-- I can't remember the term. But basically, an Allow Travel or something like that.
Impossible Travel.
Impossible Travel, that's the word I was looking for. So we've added a whole bunch of events there for Office 365 and Azure Active Directory events. And that's coming in 7.1, as well, as of yesterday. So you guys, anything else you want to add before we wrap this?
The only thing I'd add being, we asked about how to prevent Golden Tickets. We do offer a free security assessment, if you're interested, go to www.quest.com/securityassement, you can register there.
Cool, so we'll have links to all this on the screen, Change Auditor Logon Activity and the security assessment. Rob--
Wait, we just want to make sure, these security assessments, free of charge, right?
Absolutely.
Yeah, anyways, that ends the session. Thank you, guys. Talk to you later.
Thank you.