There is increasing pressure on organisations to strengthen their information security, increase monitoring capabilities and prove to stakeholders, auditors and regulators that they really know what’s going on in their IT infrastructures.
Yet, the reality is that many organisations are still taking a fire-fighting approach to these challenges and only act after an event has occurred through ad-hoc audits utilising a disparate array of native auditing technologies. And while it is just about possible to audit IT changes in this way, as security and compliance demands have increased, this approach is frequently proving inadequate, time-consuming and unreliable.
So, if you have reached the point where you know you need to be doing a better job of auditing your IT infrastructure, you need to be clear what your options are. While change auditing can be a complex topic, understanding the main common approaches will enable you to determine the one that best suits your organisation.
There is certainly not a one-size-fits-all solution. The answer ultimately depends on what your drivers are and how much time and money you are prepared to invest in the solution. Before starting to investigate the options, however, you need to be clear why you want to monitor and audit and lay out your criteria with regards to wants and needs, carefully considering associated costs for the wants over and above the needs.
You also need to determine whether you want to integrate audit into a remediation, IPS (Intrusion Prevention System) or more general security strategy and whether this is important to your organisation. You also need to consider how much time you have to plan and execute such a solution, as some, but not all, of the approaches require a considerable amount of time and money to deploy and manage.
A common approach to auditing is doing it manually using native audit logs. While it is possible to meet compliance using native audit logs, and they can help as a diagnostic tool for systems management, this approach is unarguably a ‘blunt object’. Although there is no initial outlay apart from the cost of time and resources, it has many drawbacks that must be considered.
In its raw form, native logging often creates an excessive amount of ‘log noise’ and produces seemingly random streams of unnecessary technical data that is meaningless without filtering or translation; this can, in turn, have a negative impact on system performance. Native audit logs are also insecure: these logs can be edited, deleted and amended without trace. Unless you collect them regularly, you can never really be sure of their accuracy.
This approach also lacks any workable storage or archival capabilities; so if you have a requirement to retain your logs for compliance purposes this process can be time-consuming. If you have the time, patience and resources, then theoretically you can make do with native auditing, but it’s far from ideal.
A second and common approach to auditing change is SIEM – Security Information and Event Management. SIEM has been getting a lot of media attention over the last few years and has been heralded by some as the way forward with regards to auditing.
While SIEM is a strong approach if your specific driver is security, the Achilles heel of using SIEM solutions for auditing is that they often rely purely on native audit logs. This means they are subject to the same audit consistency issues, namely log tampering and reliance on a single source of audit data. Solutions of this nature also tend to require a lot of commitment in terms of time for planning, deployment and management, as well as cost.
SIEM is generally a very expensive approach that is only worth considering if you have very specific security requirements, need to integrate functions such as automatic remediation and intrusion prevention into your change auditing strategy, and have the budget to do so. It is far less suitable if your main driver is audit reliability and consistency and budgets are tight. Some of the leading SIEM vendors include LogLogic, ArcSight, LogRhythm and Splunk.
The third approach to IT auditing is to write your own change auditing system. While it is useful to create a very specific system to meet your needs, it takes a great deal of time, extensive technical resource and often requires the use of unauthorised APIs to collect the audit data, which carries inherent risks. Ultimately, given the array of relatively inexpensive and flexible change auditing solutions available, the ‘do-it-yourself’ approach is generally no longer necessary and has decreased in popularity.
The final approach is to use software provided by a specialist change auditing vendor. While capabilities vary considerably from vendor to vendor, providing you pick the right one and implement it properly, this more targeted approach will deliver a comprehensive, reliable and consistent picture of audit changes.
It’s important you ensure the vendor you select is able to utilise multiple streams of audit data from multiple sources and then filter, translate, sort and compress the results for easy access, storage and archiving; otherwise you’re no better off than native auditing. It’s also important you check the vendor will enable you to see before and after values of the changes.
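To make the two requirements above concrete (tamper-evident records, and before and after values for every change), here is an added example that is not from the article or any vendor's product: change records carrying before/after values are hash-chained as they are collected, so that editing or deleting a record after collection is detectable. The record fields and values are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record

# Constructed sample change records in the shape a collector might emit:
# who made the change, which object, and the before/after values.
CHANGES = [
    {"who": "alice", "object": "GPO/Default Domain Policy/MinPasswordLength",
     "before": "8", "after": "14"},
    {"who": "svc-backup", "object": "Group/Domain Admins/members",
     "before": "alice,bob", "after": "alice,bob,svc-backup"},
    {"who": "bob", "object": "Firewall/rule-42/action",
     "before": "deny", "after": "allow"},
]


def record_hash(record: dict, prev_hash: str) -> str:
    """Hash a record together with the previous entry's hash (canonical JSON)."""
    payload = json.dumps(record, sort_keys=True) + prev_hash
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def build_chain(changes: list) -> list:
    """Collect records into a chain; each entry's hash covers its record and the previous hash."""
    chain, prev = [], GENESIS
    for rec in changes:
        h = record_hash(rec, prev)
        chain.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain: list) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or record_hash(entry["record"], prev) != entry["hash"]:
            return i  # record edited, entry deleted, or entries reordered
        prev = entry["hash"]
    return -1


def describe(entry: dict) -> str:
    """Render a chain entry as a before/after line for a report or alert."""
    r = entry["record"]
    return f'{r["who"]} changed {r["object"]}: {r["before"]!r} -> {r["after"]!r}'
```

Deleting an entry or silently reverting an "after" value in a stored record both break the chain at that position, which is the check a collector should run before relying on the archived records.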
As well as giving you a detailed and accurate picture of what is going on in your network and meeting compliance requirements, this more focused approach to change audit will provide you with real-time alerting and automated reports to enable you to significantly improve monitoring capabilities.
This approach alone won’t go as far as a SIEM solution in that it won’t do automated remediation or any form of intrusion prevention; but then again it is often just a third of the cost of a typical SIEM deployment. If you want this level of audit consistency and detail but also need the security side, you can always invest in both a specialist change auditing vendor and a SIEM solution and integrate the two.
Certainly when you calculate the time, effort, cost and risks associated with the various options to harness the knowledge in your network, specialist change audit software is the most likely to deliver the quickest ROI. But as with most things in life, there is no panacea, so to find the best solution for your organisation, the first step on the change audit route is to have a clear picture of what you need to achieve and understand the options open to you.