What is Quest Change Auditor and how does it compare to and complement Microsoft ATP and third-party SIEM solutions?
Hear Quest product experts, Ghazwan Khairi, Bryan Patton and Robert Tovar discuss the real-time security and IT auditing of Change Auditor and how it compares to and integrates with SIEM solutions and Microsoft Advanced Threat Protection.
[MUSIC PLAYING] So, Ghazwan Khairi, Systems Consultant with Quest. Bryan Patton, same thing. Robert Tovar is our subject matter expert when it comes to everything compliance. And today we're going to talk about compliance solutions. We haven't been getting a lot of questions from customers about how the Change Auditor family of products compares to, competes with, and complements Microsoft's ATP, previously known as ATA.
And also, we get a lot of questions similar to that, as to how Change Auditor competes, compares, and works with SIEM solutions. So that's what we're going to cover today. Hopefully, this answers all the questions that come up now or in the future around these topics. So I'm going to start with Robert Tovar. And before we get deeper into that subject, Rob, I'm just going to ask you a quick, high-level question. What is Change Auditor's overall value for customers who may have it, or may be hearing about Change Auditor for the first time?
OK. So Change Auditor is an agent-based solution that audits many platforms. It's a multi-module solution, and it focuses on, and in this case, I'm going to focus on Active Directory, for example, because that's usually what most folks are interested in. So with native event logging, which everyone should be familiar with, you are relying on the operating system to provide the details for the changes that are occurring within the environment.
So it's pretty hard to determine exactly what happened when you're relying on native event logs. And in most cases, you'll have audit policies enabled in order to get the additional information. And then you're overwhelmed with the number of events that are being produced. And the level of detail that you get from these native events is lacking.
So Change Auditor, on the other hand, does not rely on native event logs. So it doesn't require that additional footprint that you place on your servers when you do enable the native auditing policies. So it relies on the agent. The agent tracks exactly what's going on. I won't get into the details of how it does it, just for the sake of time.
But the point is that it can pinpoint exactly what's going on in the environment, and determine who did it, what happened, where it happened, on which domain controller, the origin of the change, and the before and after value. So you get a concise event with all of the details that are necessary to determine exactly what happened.
There's additional functionality, like alerting. There's scheduled reporting that you can incorporate. And there's also the ability to protect objects. So although some third-party tools out there can do some of this, Change Auditor can do all of it. So I think that's where the value is. The difference between auditing native events with third-party tools versus Change Auditor is the ability to produce concise events with details that you normally wouldn't get.
Got it. Bryan, anything you want to add?
Yeah, I like the normalization of the data. The who, what, when, where. So we have easier searchability for these events later on. Ghazwan, you mentioned the word SIEM, which stands for Security Incident and Event Management. And that's looking at a lot of different disparate systems. We really focus on the Microsoft ecosystem, giving you that rich view of that different data, so there's less volume you have to search through to find out what you're truly looking for.
Right. Well, let's take your point, and address the SIEM solution topic for just a second. So Change Auditor is focused on the Microsoft ecosystem. SIEM solutions are looking at that, plus looking at everything else. So if I'm sitting in an Active Directory organization, that's my role, and I've got security involved and you come and you pitch what you just pitched over to me, and I say, you know what? I've got that covered with my SIEM solution, what's your value add? Can you talk a little bit more about the Microsoft ecosystem? What's your value add for me as an Active Directory administrator?
I'm thinking about.
Walk me through a SIEM solution.
I'm talking about a simple change, such as adding or removing somebody from Evan's group. You know, that one change that you're making in Active Directory. Natively, you can turn on auditing to see that that group membership was changed, but you can't necessarily see how it changed, who got added in, who got removed, or where it originated from. So the fact that we can get you all that extra relevant information in a smaller number of events, I think, is vital, because it's a lot less stuff that you have to search through after the fact.
I'd like to add that with a SIEM solution, well, let me just make something clear. Change Auditor does not compete with SIEM solutions. We complement the SIEM solution. So it's not like you can choose Change Auditor over a SIEM solution. We don't claim to do all that a SIEM does. So I think the value that we add to the SIEM solution is that we can capture those normalized events. We can provide details that you wouldn't get from the native event logs and incorporate those with the SIEM solution.
Can you give me a couple of examples? Because that's typically the question we get. Can you give me a couple of examples of where we really provide, and I agree with you, really granular, in-depth knowledge about the changes that are happening in Active Directory that you may or may not get with a SIEM solution?
Videos is one good example. Also, logon activity. With our logon activity module, we can get logon sessions that provide the details of when someone actually logged on to a computer or into a network, and then when they actually logged off. So you get that session, that detailed session of Jane Doe was on for eight hours, 45 minutes and 30 seconds.
And she was logged on to this server or this workstation while on the network. So that level of detail. There are more examples, but the point is that we can provide that in a single event as opposed to trying to fish through all of the native events to capture bits and pieces.
All right, well, let's take that conversation and move on to Microsoft's ATP, Advanced Threat Protection, which used to be called ATA. Do we compete with Microsoft ATP? Or do we complement it? And if so, where does one kind of hand off to the other, if I, as a customer, have both of them? I'm not sure which one of you guys wants to take that.
Well, I think it's still the same value prop. We have enriched data, whereas with ATA, ATP, a lot of what they're doing is looking for different signatures of events or logs occurring that meet a certain criteria. For example, they're looking for pass-the-hash, they're seeing these different patterns. A cure. Whereas we're looking at the additional information compared to what they're looking at. They're looking at the native security logs by default.
Would you guys say that also, in customers' organizations, the people responsible for managing ATP are typically on the security side, versus someone who is looking at Change Auditor being more on the Active Directory side? And they will have to basically address the concerns that are coming in from the Active Directory side a lot faster than if we were to go involve a security team to get a look at the same events?
I know that in my experience, with a lot of different security teams, all the expertise tends to sit on the network layer, not so much on Active Directory. So the fact that with Change Auditor, by default, you plug it in and we're auditing all the different critical events that need to be observed out of the box, without any kind of extra configuration, is a huge value prop. Not only that, but then you can choose, from the operations perspective, what data should go over to the SIEM or whatever the security team uses, to kind of get that fuller picture of everything that's going on across the different networks.
Yeah. And Rob, I know we do work with SIEM solutions out of the box. We can forward events to SIEM solutions out of the box. Do you want to tell us more about that?
Yeah. So Change Auditor can produce events, like we said, right? And these events normally, in a default setup, would get streamed directly to the Change Auditor database, where they're stored. One of the options that we have is to forward the events directly from the database to a SIEM solution. We also have the ability to produce events in an EVT format. So it's an option. In addition to forwarding the events to the Change Auditor database, we can also create the events locally on the domain controller, so that any third-party tool can pick up those events as well.
As for something you said earlier as well, the protection capabilities. I know SIEMs are usually trying to figure out different events that do occur. And I think we want to highlight maybe the protection capabilities, just because we can prevent certain things from ever happening.
Give you a couple of examples of protection that you see a lot of customers taking advantage of.
Yeah, definitely, definitely. So the idea here is to take a proactive approach as opposed to a reactive approach. So if you're waiting for something to happen and then reacting to that, it may be too late. So with our solution, we can actually protect the objects. And some of the examples would be protecting your critical groups.
The Domain Admins group, for example. Let's say we're all domain admins, but we don't want Bryan to make changes to a specific critical group, even though he's a domain admin. Even though he can be an enterprise admin. We don't necessarily want him to change the membership, for whatever reason. He will technically have the native permissions, but he will be blocked by Change Auditor.
So we can provide a whitelist, a list that's going to allow some of these administrators to make changes while protecting the objects. We can do the same thing with Group Policy objects. We can do the same thing with accounts or OUs. Maybe we don't want objects being created in certain OUs. So the whole idea is that, even though some of us end up having all the keys to the kingdom, some of us shouldn't be making changes to certain critical objects.
Yeah. And the only thing I'd add is that you can get to all of this fairly quickly with Change Auditor. I mean, Rob, in your typical engagement, how long does it take for you to go in, install, configure, and start seeing results in Change Auditor?
Assuming we have the prerequisites, which are pretty simple, it's just a Change Auditor server, which is a Windows Server, and a SQL back end. We can be up and running with a brand new installation within an hour. And that means producing events, seeing reports of activity.
You know, putting in protection templates. We can do the whole thing within an hour, basically, is what it takes.
Cool. Awesome. Well, Bryan, Rob, anything else you guys want to add before we end this?
No, just keep in mind that we can make any SIEM solution you have a little bit better with our enriched data that we have with the Change Auditor AD file system submitted from platforms on a single pane of glass.
Yeah, I just wanted to add.
Real quick, yeah, since we can get up and running so quickly, and it's a solution that doesn't have a heavy footprint, we can actually put this in production or in a lab environment rather quickly. So if you are interested, we could easily get that going with a trial key.
Awesome. And I am sure someone from marketing will put a link to the product somewhere on the screen. But I appreciate you guys taking the time for this. Rob, I love your background. You can go and finish the day on your hammock. Appreciate it. Thank you, guys. Till next time.
Thanks. Take it easy, guys. Bye.