Webinar on Quest Change Auditor - a solution for auditing information security events

A few years ago, when we started implementing Change Auditor at a bank, we noticed a huge collection of PowerShell scripts that performed exactly the same audit tasks, but in an artisanal way. A lot of time has passed since then; the customer still uses Change Auditor and remembers maintaining all those scripts as a nightmare. It could have become an even worse nightmare if the one person who maintained the scripts had simply quit, hastily forgetting to hand over the secret knowledge. We have heard from colleagues that this has happened in some places, and it brought considerable chaos to the work of the information security department. In this article we describe the main benefits of Change Auditor and announce a webinar on July 29 about this audit automation tool. All the details are below.

The screenshot above shows the IT Security Search web interface, with a Google-like search bar that makes it convenient to sort events from Change Auditor and customize views.

Change Auditor is a powerful tool for auditing changes in Microsoft infrastructure, disk arrays and VMware. Supported audit sources: AD, Azure AD, SQL Server, Exchange, Exchange Online, SharePoint, SharePoint Online, Windows File Server, OneDrive for Business, Skype for Business, VMware, NetApp, EMC, FluidFS. There are built-in reports for compliance with the GDPR, SOX, PCI, HIPAA, FISMA and GLBA standards.

Data is collected from Windows servers by agents, which allows auditing through deep integration into calls within AD. As the vendor itself states, this method detects changes even in deeply nested groups and puts less load on the system than writing, reading and extracting logs (which is how competing solutions work). You can verify this under high load. As a consequence of this low-level integration, Quest Change Auditor lets you veto certain changes to certain objects, even for users at the Enterprise Admin level. In other words, it protects you from malicious AD administrators.

In Change Auditor, all changes are normalized to the 5W view: Who, What, Where, When and Workstation (from which workstation the change was made). This format allows events received from different sources to be unified.

On June 2, 2020, a new version of Change Auditor was released - 7.1. It has the following key improvements:

  • Pass-the-Ticket threat detection (detection of Kerberos tickets with an expiration date that exceeds the domain policy, which may indicate a potential Golden Ticket attack);
  • audit of successful and unsuccessful NTLM authentications (the NTLM version is recorded, so you can be notified about applications that still use NTLMv1);
  • audit of successful and unsuccessful Kerberos authentications;
  • deployment of auditing agents in a neighboring AD forest.

The screenshot shows a detected threat with a long Kerberos Ticket validity period.
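The Pass-the-Ticket check described in the list above can be reproduced in a few lines of Python. This is an added illustration, not Change Auditor's own code; it assumes the Windows default Kerberos policy values (10-hour ticket lifetime, 7-day renewal window) and works on a constructed sample written in the format of `klist` output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the style of `klist` output (not real data): a normal 10-hour TGT and a ten-year one.
SAMPLE_KLIST = """
#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 7/1/2020 9:00:00 (local)
        End Time:   7/1/2020 19:00:00 (local)
        Renew Time: 7/8/2020 9:00:00 (local)

#1>     Client: svc-backup @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 7/1/2020 9:05:00 (local)
        End Time:   6/29/2030 9:05:00 (local)
        Renew Time: 6/29/2030 9:05:00 (local)
"""

# Assumed domain Kerberos policy (Windows defaults): 10 h TGT and service ticket lifetime, 7-day renewal.
POLICY = {"tgt": timedelta(hours=10), "service": timedelta(hours=10),
          "renew": timedelta(days=7)}
FIELD_RE = r"(Client|Server|Start Time|End Time|Renew Time):\s*(.+)"

def parse_time(s):
    """Parse a klist timestamp such as '7/1/2020 9:00:00 (local)'."""
    return datetime.strptime(s.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """Return one dict per ticket block with client, server, start, end and renew times."""
    tickets = []
    for block in re.split(r"\n(?=#\d+>)", text.strip()):
        f = dict(re.findall(FIELD_RE, block))
        if len(f) < 5:  # incomplete block: skip rather than guess
            continue
        tickets.append({"client": f["Client"].strip(), "server": f["Server"].strip(),
                        "start": parse_time(f["Start Time"]), "end": parse_time(f["End Time"]),
                        "renew": parse_time(f["Renew Time"])})
    return tickets

def find_overlong_tickets(tickets, policy=POLICY):
    """Flag tickets whose lifetime or renewal window exceeds the domain policy."""
    findings = []
    for t in tickets:
        kind = "tgt" if t["server"].startswith("krbtgt/") else "service"
        lifetime, renew_window = t["end"] - t["start"], t["renew"] - t["start"]
        if lifetime > policy[kind] or renew_window > policy["renew"]:
            findings.append((t["client"], t["server"], lifetime, renew_window))
    return findings
```

On the sample above only the ten-year ticket for `svc-backup` is flagged; on a real host the same logic can be fed the output of `klist` for each logon session.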

Together with another Quest product, On Demand Audit, you can audit hybrid environments from a single interface and monitor logons in AD and Azure AD as well as changes in Office 365.

Another advantage of Change Auditor is out-of-the-box integration with a SIEM system, either directly or through another Quest product, InTrust. With such an integration in place, you can perform automated actions through InTrust to suppress an attack, set up views in Elastic Stack, for example, and give colleagues access to historical data.


To learn more about Change Auditor, we invite you to attend the webinar, which will take place on July 29 at 11 am Moscow time. After the webinar, you will be able to ask your questions.

Register for the webinar

Other articles about Quest security solutions:

And who did it? We automate information security audit

User lifecycle tracking without pliers and duct tape

What can be useful from the logs of a workstation based on Windows OS

You can leave a request for a consultation, a distribution kit or a pilot project through the feedback form on our website, where you will also find descriptions of the solutions we offer.

Source: habr.com
