Why you shouldn’t ignore change auditing

Rupesh Kumar is the Director of Lepide Software. In this interview, he discusses the benefits of change auditing.

What are the benefits of using change auditing? What security issues can an organization discover and prevent?
Change configuration auditing is an integral component of IT security because it reveals the critical changes in server configuration that can lead to security breaches or server crashes. Change auditing is essential for organizations that want to comply with regulations such as PCI DSS, HIPAA, GLBA, FISMA, and SOX.

Change auditing illustrates facts that an IT administrator wants to know, such as:

  • all changes at the server
  • permissions granted to the users
  • changes in the user permissions and rights
  • recent attempts to change the password
  • logon or logoff events
  • failed or successful authentications
  • schema modification
  • infrastructure configuration modifications
  • DNS Zone, DNS Node, or MSMQ modifications
  • accesses to shared files or folders
  • ownership and auditing settings of objects
  • changes in databases and tables
  • accesses to the users’ mailboxes by non-owners.

Auditing not only lets an administrator compare the permissions, ownership, or auditing settings of an object between two dates, but it also lets them create a long trail of relevant changes.
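The comparison described in that answer, an object's permissions, ownership and auditing settings diffed between two dates and the differences chained into a trail, is shown below as an added example. It is not Lepide's code or anything from the interview; the object model (`Ace`, `ObjectState`), the snapshot dates and the share paths are all constructed for the illustration.

```python
"""Compare the owner, permissions (DACL) and auditing settings (SACL) of
objects between dated snapshots and chain the differences into a change
trail.  Added example: the object model and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: principal, rights, allow or deny."""
    principal: str
    rights: FrozenSet[str]
    allow: bool = True

    def describe(self) -> str:
        kind = "allow" if self.allow else "deny"
        return f"{kind} {self.principal}: {','.join(sorted(self.rights))}"


@dataclass(frozen=True)
class ObjectState:
    """What one object looked like on one date."""
    owner: str
    dacl: FrozenSet[Ace]   # who may do what
    sacl: FrozenSet[Ace]   # which principals/rights generate audit events


Snapshot = Dict[str, ObjectState]          # object path -> state
DatedSnapshot = Tuple[date, Snapshot]


def diff_snapshots(old: DatedSnapshot, new: DatedSnapshot) -> List[dict]:
    """Return one record per ownership, permission, auditing or object change."""
    (old_date, old_objs), (new_date, new_objs) = old, new
    changes: List[dict] = []

    def record(obj: str, category: str, detail: str) -> None:
        changes.append({"object": obj, "category": category, "detail": detail,
                        "from": old_date.isoformat(), "to": new_date.isoformat()})

    for obj in sorted(set(old_objs) | set(new_objs)):
        if obj not in old_objs:
            record(obj, "object", "created")
            continue
        if obj not in new_objs:
            record(obj, "object", "deleted")
            continue
        before, after = old_objs[obj], new_objs[obj]
        if before.owner != after.owner:
            record(obj, "ownership", f"{before.owner} -> {after.owner}")
        # Set differences give exactly the added and removed entries.
        for category, b, a in (("permission", before.dacl, after.dacl),
                               ("auditing", before.sacl, after.sacl)):
            for ace in sorted(a - b, key=Ace.describe):
                record(obj, category, "added " + ace.describe())
            for ace in sorted(b - a, key=Ace.describe):
                record(obj, category, "removed " + ace.describe())
    return changes


def audit_trail(snapshots: List[DatedSnapshot]) -> List[dict]:
    """Chain consecutive snapshots into one chronological change trail."""
    ordered = sorted(snapshots, key=lambda s: s[0])
    trail: List[dict] = []
    for earlier, later in zip(ordered, ordered[1:]):
        trail.extend(diff_snapshots(earlier, later))
    return trail


def _ace(principal: str, *rights: str, allow: bool = True) -> Ace:
    return Ace(principal, frozenset(rights), allow)


# Constructed sample: three snapshots of two shares on a file server.
FINANCE = r"\\FS01\Finance"
HR = r"\\FS01\HR"
BASE_DACL = frozenset({_ace(r"DOMAIN\Finance", "Read", "Write"),
                       _ace(r"DOMAIN\Admins", "FullControl")})
AUDIT_WRITES = frozenset({_ace("Everyone", "Write", "Delete")})

SAMPLE_SNAPSHOTS: List[DatedSnapshot] = [
    (date(2024, 3, 1), {FINANCE: ObjectState(r"DOMAIN\finance-admin", BASE_DACL, AUDIT_WRITES)}),
    # A week later: owner changed, Everyone granted access, auditing switched off, HR share created.
    (date(2024, 3, 8), {FINANCE: ObjectState(r"DOMAIN\jdoe", BASE_DACL | {_ace("Everyone", "Read", "Write")}, frozenset()),
                        HR: ObjectState(r"DOMAIN\hr-admin", BASE_DACL, AUDIT_WRITES)}),
    # Another week later: the Everyone grant removed and auditing restored.
    (date(2024, 3, 15), {FINANCE: ObjectState(r"DOMAIN\jdoe", BASE_DACL, AUDIT_WRITES),
                         HR: ObjectState(r"DOMAIN\hr-admin", BASE_DACL, AUDIT_WRITES)}),
]

if __name__ == "__main__":
    for change in audit_trail(SAMPLE_SNAPSHOTS):
        print(f"{change['from']} -> {change['to']}  {change['object']}  "
              f"[{change['category']}] {change['detail']}")
```

Because the states are plain sets, the same routine works for any object type that has an owner, permissions and auditing settings: file shares, Active Directory objects or mailbox folders, once a collector has populated the snapshots. The trail records the interval in which each change happened, which is what the archived snapshot dates allow; pinpointing the exact moment needs the real-time event collection discussed in the next answer.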

What advice would you give to security professionals thinking about implementing a change auditing solution in their organization?
When it comes to implementation, it’s recommended to use a centralized system to perform the auditing of multiple servers. Multiple instances of Active Directory, Group Policy Objects, Exchange Server, SharePoint Server, SQL Server, and other server applications should be monitored from a common platform.

There should not be a significant lag between the occurrence of an action and the collection of its events. The software you’re using should collect the logs in real time and parse them into intelligent records. Change logs should be stored for a long time, with weekly or monthly archiving of logs in a secured place.

The selected solution is also required to keep a check on the continuously changing resource requirements of a server, and send real-time alerts for critical changes. Administrators should receive periodic audit reports on different categories like mailbox access, database changes, permission modifications, etc. If a file server auditor is being implemented, then it should be a perfect tool to monitor data stored on all computers in the network from a single platform.

How important is change auditing in the overall security architecture of a large organization?
With multiple servers or multiple domains, large organizations can take advantage of change auditing in order to stay compliant and secure. For example, the number of users logging into workstations may be high in a large organization. These bulk logon attempts can occur at the same time or at different intervals. It’s necessary for the administrator to know which accounts faced failed attempts before a successful logon and which others failed to log in completely. At times, failed logon attempts are signals that an unauthorized user is trying to log in using hit-and-trial methods. Similarly, access to a critical shared folder or file at an unexpected time can be a clue for unwanted data access.
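The three signals named in that answer (failures before a successful logon, accounts that never succeeded, and access to a critical share at an unexpected hour), together with the "parse logs into records" step from the previous answer, are worked through below as an added example. It is not Lepide's code or part of the interview. The pipe-delimited line format and every account, host and timestamp are constructed; only the event IDs follow the Windows Security log convention (4624 logon success, 4625 logon failure, 5140 network share accessed), and the failure threshold and business hours are assumed values a defender would tune.

```python
"""Parse constructed logon / share-access records and flag the patterns a
change auditor should surface: repeated failures before a successful logon,
accounts that only ever failed, and critical-share access outside business
hours.  Added example; the log lines below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed line format: timestamp|event_id|account|host|share ("-" when unused).
# Event IDs follow the Windows Security log convention (4624/4625/5140).
SAMPLE_LOG = r"""
2024-03-04T08:55:10|4625|DOMAIN\alice|WS-07|-
2024-03-04T08:55:42|4624|DOMAIN\alice|WS-07|-
2024-03-04T09:01:00|4625|DOMAIN\bob|WS-11|-
2024-03-04T09:01:05|4625|DOMAIN\bob|WS-11|-
2024-03-04T09:01:09|4625|DOMAIN\bob|WS-11|-
2024-03-04T09:01:14|4625|DOMAIN\bob|WS-11|-
2024-03-04T09:02:00|4624|DOMAIN\bob|WS-11|-
2024-03-04T09:10:00|4625|DOMAIN\svc-backup|SRV-02|-
2024-03-04T09:10:30|4625|DOMAIN\svc-backup|SRV-02|-
2024-03-04T09:11:00|4625|DOMAIN\svc-backup|SRV-02|-
2024-03-04T12:30:00|5140|DOMAIN\carol|FS01|\\FS01\Finance
2024-03-04T23:47:12|5140|DOMAIN\bob|FS01|\\FS01\Finance
"""

LOGON_SUCCESS, LOGON_FAILURE, SHARE_ACCESS = "4624", "4625", "5140"


@dataclass(frozen=True)
class Event:
    """One parsed record; 'share' is "-" for logon events."""
    when: datetime
    event_id: str
    account: str
    host: str
    share: str


def parse_events(text: str) -> List[Event]:
    """Turn raw lines into typed records, sorted so detections see time order."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        when, event_id, account, host, share = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(when), event_id, account, host, share))
    return sorted(events, key=lambda e: e.when)


def suspicious_logons(events: Iterable[Event], threshold: int = 3) -> Dict[str, str]:
    """Map account -> reason for accounts with `threshold` or more failures
    before their first success, or that many failures and no success at all.
    A single typo before a good logon (below threshold) is not reported."""
    failures_before_success: Dict[str, int] = defaultdict(int)
    succeeded = set()
    for e in events:
        if e.event_id == LOGON_FAILURE and e.account not in succeeded:
            failures_before_success[e.account] += 1
        elif e.event_id == LOGON_SUCCESS:
            succeeded.add(e.account)
    flagged: Dict[str, str] = {}
    for account, n in failures_before_success.items():
        if n < threshold:
            continue
        if account in succeeded:
            flagged[account] = f"{n} failed logons before a successful one"
        else:
            flagged[account] = f"{n} failed logons and no success"
    return flagged


def off_hours_share_access(events: Iterable[Event], critical_shares: Iterable[str],
                           start_hour: int = 8, end_hour: int = 18) -> List[Event]:
    """Return accesses to a critical share outside [start_hour, end_hour)."""
    watched = {s.lower() for s in critical_shares}
    return [e for e in events
            if e.event_id == SHARE_ACCESS
            and e.share.lower() in watched
            and not (start_hour <= e.when.hour < end_hour)]


if __name__ == "__main__":
    records = parse_events(SAMPLE_LOG)
    for account, reason in suspicious_logons(records).items():
        print(f"LOGON  {account}: {reason}")
    for e in off_hours_share_access(records, [r"\\FS01\Finance"]):
        print(f"SHARE  {e.when:%Y-%m-%d %H:%M} {e.account} accessed {e.share} from {e.host}")
```

With the constructed data, `alice` (one failure, then success) stays quiet, `bob` is reported for four failures before a successful logon and again for the 23:47 access to the Finance share, and `svc-backup` is reported for failing without ever succeeding. In a centralized deployment the same two checks would run over records collected from every domain controller and file server, with the threshold and business-hours window set per environment.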