Change Auditor
Vlad Samoylenko | BAKOTECH GROUP| [email protected]
Dell - Restricted - Confidential
Modules covered in this presentation
• Change Auditor for Active Directory
• Change Auditor for AD Queries
• Change Auditor for Exchange
• Change Auditor for SharePoint
• Change Auditor for Windows File Servers
• Change Auditor for NetApp
• Change Auditor for EMC
• Change Auditor for SQL Server
The Challenges
Microsoft Active Directory, Exchange, SharePoint, Windows File Servers, VMware, NetApp, EMC and SQL Server are part of your mission-critical infrastructure
• Event logging and change reporting are required to satisfy auditor requests and prove compliance
• No comprehensive view of all changes and event logs; they are scattered across various locations and formats
• Searching for a specific event is time consuming and frustrating
• Native event details contain limited information which is difficult to decipher without application expertise
• No protection exists to prevent sensitive objects from being deleted or logs from rolling over. Administrators usually aren't made aware of problems until it is too late, causing potential compliance violations and system downtime
• Reporting is a time consuming process
• Event context is lost when viewing any single event across the Microsoft eco-system
Enables enterprise-wide change management from an intuitive client. Sort, group, filter and graph on the fly.
Ensures a secure and compliant infrastructure by tracking changes in real time, while logging the origin as well as before and after values.
Strengthens internal controls through object protection and insight into both authorized and unauthorized changes.
The Solution: Change Auditor
• Real-time, consolidated change auditing for: AD, AD Queries, Exchange, SharePoint, SQL, Windows file servers, VMware, NetApp, EMC, Lync, user logon activity, SonicWALL NGFW devices, cloud storage auditing, Registry, Services, Local Users & Groups
What is Change Auditor?
Change Auditor provides complete, real-time change auditing, in-depth forensics and comprehensive reporting on all key configuration, user and administrator changes for Active Directory, ADLDS, AD Queries, Exchange, SharePoint, Lync, VMware, NetApp, Windows File Servers, EMC, and SQL Server. Change Auditor also tracks detailed user activity for web storage and services, logon and authentication activity and other key services across enterprises.
Who made the change?
When was the change made?
Why was the change made? (Comment)
Where was the change made from?
What object was changed (before and after values)?
Smart Alerts
Which workstation did the request originate from?
Change Auditor - Key Features
• In-depth auditing for:
• Active Directory & ADLDS
• Exchange
• SharePoint
• Windows File Servers
• EMC
• NetApp
• Microsoft Lync
• Detailed who, what, when, where, why and workstation, plus original and current values for all changes – presented in simple terms
• Event Context – provides change information in relationship to other things happening in your environment
• Optionally log events to a Windows event log
• Protect against undesirable changes to AD objects, mailboxes, Windows files and folders
• Restore unwanted changes to AD with a single click
• User Logon Activity
• SonicWALL NGFW devices
• Cloud storage providers
• SQL Server
• VMware vCenter /ESX Hosts
• AD queries against Active Directory (Applications and scripts)
• Registry, Local Users & Groups, and Services
Change Auditor 6.6: Architectural diagram
[Diagram label: InTrust]
Change Auditor for Active Directory
Change Auditor for Active Directory
[Screenshot callouts: At a Glance, Easy Read, Event Filter, Context & Restore]
Change Auditor for Active Directory: GPO Settings
Change Auditor for Active Directory: Locked Out
Change Auditor for Active Directory
[Screenshot callout: Object Protect]
Change Auditor for Active Directory
Role-Based Access
Change Auditor for Exchange
The Challenges of Managing Exchange
• Impossible to natively track changes to Exchange Store settings
• Event log and audit data that is distributed throughout the enterprise
• Volume of audit data is difficult to archive
• Audit data takes time to analyze, trend, report on and distribute
• Native auditing does not provide detailed information on:
– Non-owner mailbox access and specific activity related to this access
– Changes to permissions at the client level
– Changes to permissions to the Configuration Store
• Native auditing does not provide detailed change tracking of permission changes made to a mailbox within AD
Managing Exchange Online / Office 365
• No visibility into administrator or user activity in the cloud
• Remote logs must be subscribed to and downloaded
• No alerting based on activity
• Events are only in Excel 2010 format
• Requires programming skills to turn on and collect audit data
What to consider if you're going to audit Exchange
• Access to key mailboxes
– Executives, Board members, HR, …
– Ignore non-owner auditing messages from departmental mailboxes
• Changes to membership of key distribution lists
– Senior Leadership Team – discuss company strategies
• Changes to administrative security groups
• Exchange Server configuration changes
Change Auditor for Exchange
[Screenshot callouts: Role-Based Access, Mailbox Protect]
Change Auditor for Exchange
[Screenshot callout: Config Tracker]
Change Auditor for Exchange
Change Auditor for Exchange
Change Auditor for Windows File Servers / Change Auditor for NetApp / Change Auditor for EMC
Managing Files and Access can be difficult
• Providing timely information to help compliance/security teams meet requirements around file/object access is critical:
– What are users doing with their access?
– When do potential violations of permission changes occur?
– When do ownership changes take place?
• Critical documents may be at risk without reporting/alerting on permission and ownership changes.
• File/Folder access auditing has always been a big hole in regards to compliance and security initiatives.
• Collecting and reporting on file access audit data is difficult and takes many hours of manual effort.
• Archiving and consolidating event logs takes up a large amount of network bandwidth and disk space.
• Native file access auditing degrades server performance.
• Permission changes made to files and folders are difficult to capture and interpret.
With Change Auditor for Windows File Servers, NetApp & EMC you can…
• Centralize File System and NAS auditing into a single task
– Normalized events across differing file infrastructure
– Simplify and centralize alerting & configuration
• Reduce cost & complexity and meet security objectives
– Easily determine what permission changed
– Easily determine what action was performed
• Improve IT Operational Management and Efficiency
– Critical system resources are saved & security is improved
• Block users from destructive and dangerous actions
– Prevent deletion and changes to permissions
– Windows File System only
Change Auditor for Windows File Servers, NetApp & EMC
Change Auditor for Windows File Servers
Change Auditor for Windows File Servers
[Screenshot callouts: Share Audit, Real-Time Alert, Rapid Report]
Change Auditor for Windows File Servers
[Screenshot callout: Share Audit]
Change Auditor for SQL Server
Change Auditor for SQL Server
• Organizations face increased demands to improve security to meet regulatory requirements surrounding sensitive and financial data.
• Reduce the risks of operational outages from accidental or malicious actions by privileged users.
• Report on DBA and other privileged users' activity on your SQL Servers across the enterprise and answer questions such as:
– How do you monitor access to confidential information?
– How do you log SQL Server security events such as startups, shutdowns, and logins and do you review exceptional events?
– How do you report on direct access to production data that is outside of normal application controls?
– How do you monitor database configuration and parameter setting changes?
Change Auditor for SQL Server (2)
• Automates the process of collecting data about both privileged and non-privileged access.
• Centralizes the collected events
• Normalizes SQL and other Windows events into a single platform in simple to understand terms
• Allows privileged users to perform their important and required job duties by unobtrusively monitoring and auditing behaviors
• Allows you to answer your auditors’ and regulators’ questions about how you manage activity of users on SQL Servers across the enterprise
Change Auditor for SQL Server Auditing Templates
• Enable SQL Server auditing by adding a SQL Auditing template to an agent configuration.
– The configuration can then be assigned to a Change Auditor agent on the SQL Server
• Change Auditor ships with a pre-defined SQL Auditing template
– Best Practice SQL Auditing Template
Common SQL Configuration Examples
Only audit events for databases named “Accounting”:
Audit any activity that is not from this service account:
Audit any activity that is not from my application server:
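The three filter rules on this slide (audit only the "Accounting" database, exclude a known service account, exclude a known application server) are shown in the deck as screenshots. The following is an added illustration of how such rules combine, written for this page and not Change Auditor's own template format or API; the event field names, the account CORP\svc_erp and the host APPSRV01 are assumptions, and the sample events are constructed using event names from the Best Practices template listed later in the deck.

```python
"""Illustrative evaluator for the three SQL auditing filter rules on the slide.
Added example code, not Change Auditor's configuration format or API; field
names (database, login, client_host, event) and sample values are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SqlAuditEvent:
    event: str        # event name as in the Best Practices template, e.g. "Add Login"
    database: str     # database the statement targeted
    login: str        # SQL login or Windows account that issued the statement
    client_host: str  # workstation or server the request originated from


# Constructed sample events; none are real captures.
SAMPLE_EVENTS = [
    SqlAuditEvent("Add Login", "master", "CORP\\svc_erp", "APPSRV01"),
    SqlAuditEvent("Create database", "Accounting", "CORP\\svc_erp", "APPSRV01"),
    SqlAuditEvent("Add Member to DB role", "Accounting", "CORP\\jdoe", "WKS-1142"),
    SqlAuditEvent("Delete database", "Sales", "sa", "WKS-0907"),
    SqlAuditEvent("Grant database access to DB user", "Accounting", "sa", "APPSRV01"),
]


def only_database(name):
    """Rule 1: only audit events for databases with this name."""
    return lambda e: e.database.lower() == name.lower()


def not_from_login(login):
    """Rule 2: audit any activity that is not from this (service) account."""
    return lambda e: e.login.lower() != login.lower()


def not_from_host(host):
    """Rule 3: audit any activity that did not originate from this application server."""
    return lambda e: e.client_host.lower() != host.lower()


def apply_rules(events, rules):
    """Keep an event only if every configured rule accepts it (rules are AND-ed)."""
    return [e for e in events if all(rule(e) for rule in rules)]


def accounting_not_from_app(events=SAMPLE_EVENTS):
    """All three slide rules combined; returns the event names that would be audited."""
    rules = [only_database("Accounting"),
             not_from_login("CORP\\svc_erp"),
             not_from_host("APPSRV01")]
    return [e.event for e in apply_rules(events, rules)]


if __name__ == "__main__":
    for name in accounting_not_from_app():
        print(name)
```

Because the rules are AND-ed, routine changes made by the ERP service account from its own application server drop out of the audit stream, while the interactive role change by CORP\jdoe and the grant issued as sa from a workstation remain visible.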
Change Auditor for SQL Server Supports: SQL 2005, 2008+R2, & 2012
Change Auditor for SQL Server
Change Auditor for SQL Server: Captures the Actual Query Used
Native SQL Auditing
SQL Server Audit Events in the Best Practices Template
• Add DB User
• Add Login
• Add Login to server role
• Add Member to DB role
• Add Role
• Change Database Owner
• Change Member in DB Role
• Create database
• Delete database
• Delete DB user
• Delete Login
• Delete Login from Server role
• Delete member from DB role
• Delete Role
• Grant database access to DB user
• Revoke database access from DB user
In total, almost 400 SQL events can be captured.
Change Auditor for SharePoint
Change Auditor for SharePoint
• Audit SharePoint 2010 & 2013
– Includes Foundation Servers
– Doc libraries, Lists, Permissions, etc.
• Powerful tool when combined with CA UI grouping/sorting/filtering
– See historical changes to sites and documents
– Track users' activity on a site-by-site basis
• Track changes to farm/site configuration
– Audits changes to Central Administration
– Additions of Sites and Site Libraries
Change Auditor for SharePoint
Change Auditor Reporting
Reporting Capabilities in Change Auditor
Built-in Searches for Historical Reporting
Recommended Best Practice Reporting
Regulatory Compliance Reporting
InTrust
Make sense of your IT data with on-the-fly investigations
• InTrust: consolidate, store, search and analyze massive amounts of IT data in one place with real-time insights into user activity for security, compliance and operational visibility.
– Reduce the complexity of searching, analyzing and maintaining critical IT data scattered across information silos
– Speed security investigations and compliance audits with complete real-time visibility of your privileged users and machine data in one searchable place
– Troubleshoot widespread issues should an incident occur
– Save on storage costs and adhere to compliance event log requirements (HIPAA, SOX, PCI, FISMA, etc.) with a highly compressed and indexed online long-term event log repository
InTrust as a big data solution with IT Search
“Make sense of your IT data”
• IT Search lets your organization make sense of the "big IT data", including log events, changes, file permissions, users' entitlements and more, to streamline regulatory compliance, conduct security incident investigations and improve day-to-day operations
Search all IT assets in one place
Exploit relationships between events and state-based data
See what resources users have accessed
See where users have access
See how access was obtained
Other Enhancements
Task: Gathering of Windows logs
  The old way: Schedule based; have to wait hours until data becomes available
  The new way: Real-time; data is available seconds after it is generated
Task: Support of network devices (syslog data)
  The old way: Separate set up, unnecessary Windows event log overhead, poor performance
  The new way: Built into the main InTrust components, no overhead, great performance
Task: Running reports
  The old way: Slow import to the SQL database, clunky SSRS infrastructure, hard to create custom reports
  The new way: Reports directly from the repository, RV as the reporting client, every search easily converts into a report
Task: Integration with CA and ER
  The old way: Clunky and limited integration through QKP
  The new way: Unified and fast access to data from multiple products through a web-based search engine
Task: Integration with SIEM
  The old way: Schedule based querying of the audit DB
  The new way: Real-time forwarding of all logs that are collected
Task: Incident investigation
  The old way: Slow, static and raw analysis of events from the audit DB
  The new way: Fast, customizable and free-form searches against the indexed repository with rich results visualization
Change Auditor Integration
Change Auditor and InTrust
Change Auditor Long Term Storage & InTrust Architecture
[Architecture diagram labels: Change Auditor (Real Time, Change Auditor Client); audited sources: Exchange, Active Directory/LDAP, Windows File Server, SQL Server, EMC, NetApp; InTrust (Short Term Storage); InTrust - Scheduled (Long Term Storage); Reports (Knowledge Portal); 40X compression ratio]
To learn more about Change Auditor
• http://www.software.dell.com/products/change-auditor
• Write an e-mail to [email protected]