Up until a few years ago, security was an afterthought in most IT organizations. It wasn’t until data breaches started to become public that nearly every company found a renewed focus on security. Investment in cyber security over the next 5 years is, according to some IT analysts, going to exceed $1 trillion. One major challenge facing organizations as they wrap their hands around cyber security is the lack of information about changes in the environment. Change is a constant in IT environments, but for a long time we have had a severe lack of auditing and tracking of what has actually changed. To address that gap, IT shops have implemented centralized audit logging, but that has left some serious gaps.
One of the biggest gaps I see is that audit logging is more about information and a lot less about how that information is presented. Let’s take a look at the simple example of creating a user inside of Active Directory. That single user creation will actually trigger nearly half a dozen individual events, including events for the actual creation, enabling, password reset, and change of said account. This generates, literally, pages of data about the events. This can be a huge problem for creating accurate reports that reflect the change, especially if your target audience is a non-technical auditor. IT operations staff have to spend time not only creating the report but also explaining what it actually is. Even with a renewed focus on security, this inefficient use of resources hampers the ability to actually perform work. This problem is very common with traditional SIEM implementations, as presenting information often seems to be an afterthought.
At Tech Field Day 11 in Boston, we spoke with Netwrix about their solution to this problem. In my user creation example above, they turn the event sprawl into a concise report showing just the relevant information: which user was created, by whom, and when. That is a stark contrast to a traditional centralized logging system, which gives information overload. This is just one of many examples of how Netwrix allows for deep analytics of security and auditing data. In this new world of security, having access to what has changed allows us not only to be more secure, but to leverage security information to troubleshoot our environment. Netwrix is the start of the next generation of SIEM technologies, which think about presenting the data, not just collecting it.
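To make the event-sprawl problem and the "who created what, when" report concrete, here is an added example (my own code, not Netwrix's product or anything from the post) that folds the burst of Windows Security events raised by one Active Directory user creation into a single change record. The event IDs (4720 created, 4722 enabled, 4724 password reset, 4738 changed) and the sample events are my assumptions and constructed data; the post names only the event kinds.

```python
from datetime import datetime, timedelta

# Windows Security log event IDs assumed for this example (the post names the
# event kinds but not their IDs): 4720 created, 4722 enabled, 4724 password
# reset, 4738 account changed.
CREATE, ENABLE, PW_RESET, CHANGE = 4720, 4722, 4724, 4738
FOLLOW_UPS = {ENABLE, PW_RESET, CHANGE}

# Constructed sample events: two accounts created by different admins, with
# their follow-up events interleaved, plus an unrelated change hours later.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2016-06-20T09:00:01", "actor": "CORP\\alice", "target": "CORP\\jdoe"},
    {"id": 4720, "time": "2016-06-20T09:00:03", "actor": "CORP\\bob", "target": "CORP\\svc-backup"},
    {"id": 4724, "time": "2016-06-20T09:00:02", "actor": "CORP\\alice", "target": "CORP\\jdoe"},
    {"id": 4722, "time": "2016-06-20T09:00:02", "actor": "CORP\\alice", "target": "CORP\\jdoe"},
    {"id": 4738, "time": "2016-06-20T09:00:03", "actor": "CORP\\alice", "target": "CORP\\jdoe"},
    {"id": 4738, "time": "2016-06-20T09:00:03", "actor": "CORP\\alice", "target": "CORP\\jdoe"},
    {"id": 4722, "time": "2016-06-20T09:00:04", "actor": "CORP\\bob", "target": "CORP\\svc-backup"},
    {"id": 4738, "time": "2016-06-20T11:30:00", "actor": "CORP\\carol", "target": "CORP\\jdoe"},
]


def summarize_user_creations(events, window_seconds=60):
    """Fold the burst of events raised by one AD user creation into a single
    change record (who created which account, when, how many raw events).
    Follow-ups outside the window, by another actor, or with no matching
    creation are returned separately so they are not silently hidden."""
    ts = datetime.fromisoformat
    summaries, leftovers, open_creations = [], [], {}
    for e in sorted(events, key=lambda ev: ts(ev["time"])):
        if e["id"] == CREATE:
            s = {"action": "user created", "target": e["target"],
                 "by": e["actor"], "at": e["time"], "raw_events": 1}
            summaries.append(s)
            open_creations[e["target"]] = s  # later follow-ups attach here
            continue
        s = open_creations.get(e["target"])
        if (e["id"] in FOLLOW_UPS and s and s["by"] == e["actor"]
                and ts(e["time"]) - ts(s["at"]) <= timedelta(seconds=window_seconds)):
            s["raw_events"] += 1
        else:
            leftovers.append(e)
    return summaries, leftovers


def report_line(s):
    """Render one summary the way a non-technical auditor would read it."""
    return (f"{s['target']} {s['action']} by {s['by']} at {s['at']} "
            f"({s['raw_events']} raw events)")
```

Running `summarize_user_creations(SAMPLE_EVENTS)` on the sample yields two one-line changes (five raw events collapsed for `jdoe`, two for `svc-backup`) and keeps the later, unrelated change by a different admin as its own item rather than hiding it inside the creation.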
At too many organizations the security and IT operations teams have an adversarial relationship. The IT operations staff sees security as coming in waving their baselines and demanding immediate work. While the security work does have value, it isn’t part of the core work for IT operations, but that doesn’t make it any less important. In the current state of data breaches, it is impossible for organizations not to focus on security. However, that doesn’t mean IT operations and security can’t collaborate on tools which help both teams. I think this is a nice place for a change auditing tool to fit. When troubleshooting major incidents, one question always asked is “What changed?”. This is asked so often because we know incidents are very often caused by change. Wouldn’t it be nice if, during an incident troubleshooting session, you could easily answer what changes happened recently?
Moving forward, the partnership between IT operations and security has to get stronger. We need each other to be successful and to allow for a protected, thriving business. To foster a true partnership we need mutually beneficial tools like Netwrix to help pave the road. Until security tools help operations, we can expect the two teams to continue to have an adversarial relationship. Let’s hope that the newer generation of tools that is starting to appear can help us bridge the divide between the two sides of the house.