Why Netwrix is #1 for Change Auditing


Simple, Efficient, Affordable - that is Netwrix's stance, and that is what makes Netwrix #1. With the broadest platform coverage available in the industry, no other vendor focuses more extensively on IT infrastructure change auditing.

What Is SIEM 2.0 and how Netwrix fills in the audit gaps left by your old-school SIEM 1.0 solution

SIEM 2.0 is a more granular level of auditing than your existing SIEM solution can provide on its own. This granular auditing is achieved by supplementing your existing old-school SIEM solution with Netwrix auditing: Netwrix's auditing capabilities fill in the audit gaps by feeding your SIEM granular audit data in a format it can understand. To understand these audit gaps, it is important to realize what SIEM 1.0 solutions typically provide.

Security Information and Event Management (SIEM) solutions typically provide reporting, real-time alerting and long-term storage of event log data, and support incident response and forensics analysis. SIEM tools can be used to automate security and compliance audits, producing reports that support existing IT Governance, Risk Management and Compliance (IT GRC) processes.

However, SIEM 1.0 solutions have auditing gaps because data may be missing from the targeted system's audit data; several examples are provided in the table below. This happens because traditional SIEMs rely on a single source of audit trail data, which is generated by the managed systems and applications themselves, such as Windows Server, VMware, SQL Server and others. Unfortunately, the accuracy and completeness of that native audit data is limited: in many cases it is cryptic, hard to understand and sometimes does not contain meaningful information such as the before and after values of a change or who made the change. In addition, Security Information and Event Management solutions also tend to require a large commitment of time for planning, deployment and management, as well as cost.

The Netwrix SIEM 2.0 solution complements your SIEM 1.0 solution, or in some cases replaces it, with three major Netwrix technologies:

  • AuditAssurance
  • AuditIntelligence
  • AuditArchive

Unlike traditional log management solutions or SIEM 1.0, Netwrix SIEM 2.0 makes it very easy to find relevant answers to key questions: who changed what, when and where, including previous and new values for modified settings. And Netwrix SIEM 2.0 fully integrates with SIEM 1.0, leveraging your existing investments. The following table shows some examples of how SIEM 2.0 compares to SIEM 1.0:

Typical audit question: Who created a user in Active Directory?
  Netwrix SIEM 2.0: The report will contain a single change with detailed information.
  Traditional SIEM 1.0: The report will contain seven events to reflect this single change.

Typical audit question: Who modified user attributes?
  Netwrix SIEM 2.0: The report will contain detailed information, including the before and after values and user-friendly property names. Example:
    Object Name: \local\test\Users\LemTest
    Phone Number changed from "(888) 100-1000" to "(888) 200-2000"
  Traditional SIEM 1.0: User properties will be represented by their system names. The report will not contain the before and after values. This change is not included in the default "Change Management" filter, so tracking it requires additional configuration of the application. Example (screenshots, not reproduced here): Windows 2003, Windows 2008.

Typical audit question: Who delegated management rights for an OU?
  Netwrix SIEM 2.0: The report will contain full details, including exactly which permissions were changed. Example:
    Object Name: \local\test\Users
    Object Security: Added: "Permissions: Test\Test Users (Allow: Delete subtree, List object, Read permissions, Read all properties, Modify Permissions, Write all properties, Delete, All validated writes, List contents, Modify owner, Delete all child objects, Create all child objects, All extended rights)"
  Traditional SIEM 1.0: Only the fact of the change will be reported. This change is not included in the default "Change Management" filter, so tracking it requires additional configuration of the application. Example (screenshots, not reproduced here): Windows 2003, Windows 2008.

Typical audit question: Who created an Address List on the MS Exchange Server?
  Netwrix SIEM 2.0: The report will contain a single change record with detailed information.
  Traditional SIEM 1.0: This will not be reflected in the report as a single change. To detect this change, data from several events will have to be analyzed manually by the auditor. This change is not included in the default "Change Management" filter, so tracking it requires additional configuration of the application. Example (screenshot, not reproduced here): MS Exchange 2007 on Windows 2008.

Typical audit question: Who created or deleted a mailbox?
  Netwrix SIEM 2.0: The report will contain a single change with detailed information.
  Traditional SIEM 1.0: This change will not be reported.

Typical audit question: Who modified a SQL Server configuration or the structure of a production table?
  Netwrix SIEM 2.0: The report will contain a single change with detailed information. Example:
    Resource Name: Databases\ProdDB\Tables\dbo.ProdTable
    Permissions changed from "(Grantee: dbo[S] Grantor: dbo CONNECT GRANT)" to "(Grantee: dbo[U] Grantor: dbo CONNECT GRANT)"
    Resource Name: Databases\ProdDB\Tables\dbo.ProdTable
    Text filegroup changed from "Temp" to "PRIMARY"
  Traditional SIEM 1.0: Only the execution of T-SQL commands will be reported, with no further analysis and no before and after values. Analyzing such events requires DBA knowledge on the part of the auditor.

Typical audit question: Who modified permissions on an important folder on a file server?
  Netwrix SIEM 2.0: The report will contain full details, including exactly which permissions were changed. Example:
    Resource Path: \Share\Documents\Sales
    Security: Added: "Permissions: Test Users (Allow: Read Attributes, Traverse Folder/Execute File, Read Extended Attributes, Read Permissions, List Folder/Read Data, Create Folder/Append Data, Create Files/Write Data); Audit: Everyone (Success, Failure: Delete Subdirectories And Files, Delete, Write Extended Attributes, Take Ownership, Create Folder/Append Data);"
  Traditional SIEM 1.0: The information is hard to interpret, as it is presented in a format that is difficult to understand. On Windows 2003 this change will not be monitored at all. On Windows 2008 the report will contain only the new permissions, and only in SDDL format. Example (screenshot, not reproduced here).

Typical audit question: Change audit on a file system on Windows 2003.
  Netwrix SIEM 2.0: The report will contain detailed information.
  Traditional SIEM 1.0: This will not be reflected in the report as a single change. To detect this change and get its details, data from several events will have to be analyzed manually by the auditor.

Typical audit question: Audit of changes to CIFS shares on NetApp Filer appliances.
  Netwrix SIEM 2.0: The report will contain detailed information.
  Traditional SIEM 1.0: Audit of NetApp Filer is not supported.

Typical audit question: Audit of changes to CIFS shares on EMC VNX/VNXe/Celerra appliances.
  Netwrix SIEM 2.0: The report will contain detailed information.
  Traditional SIEM 1.0: Audit of EMC VNX/VNXe/Celerra devices is not supported.

Typical audit question: Who created a new GPO?
  Netwrix SIEM 2.0: The report will contain full details, including information on the GPO structure.
  Traditional SIEM 1.0: The information is hard to interpret, as it is presented in a format that is difficult to understand. It is impossible to get details of the new GPO. Example (screenshots, not reproduced here): Windows 2003, Windows 2008.

Typical audit question: Who modified the Audit Policy in the Default Domain Policy?
  Netwrix SIEM 2.0: The report will contain detailed information, including the before and after values. Example:
    Group Policy Object: Default Domain Policy
    Modified: Audit object access: Success -> Success, Failure
  Traditional SIEM 1.0: The information is hard to interpret, as it is presented in a format that is difficult to understand. It is impossible to get details of the change. Example (screenshots, not reproduced here): Windows 2003, Windows 2008.

Typical audit question: Was the sound card replaced on a server?
  Netwrix SIEM 2.0: The report will contain detailed information, including the before and after values of the modified hardware. Example:
    Resource Path: System Information\Components\Sound Device\High Definition Audio Device
    Object attributes before deletion:
      Configuration Manager Error Code: "Device is working properly"
      Last Error Description: "empty"
      Last Error Code: "empty"
      Status: "OK"
  Traditional SIEM 1.0: Such changes will not be detected, as they are not written to any log.

Typical audit question: Who deleted the registry keys responsible for the production software configuration?
  Netwrix SIEM 2.0: The report will contain detailed information, including the deleted values. Example:
    Resource Path: Registry\HKEY_LOCAL_MACHINE\Software\ProductionUtility
    Object attributes before deletion:
      Active (REG_DWORD): "1"
      SubscriptionID (REG_SZ): "{25610817-BDD7-45CE-9805-48F4DD7DCCB3}"
      MethodName (REG_SZ): "PostSnapshot"
      OwnerSID (REG_SZ): "S-1-5-18"
      Enabled (REG_DWORD): "1"
  Traditional SIEM 1.0: Windows 2003: this will not be reflected in the report as a single change. To detect this change, data from several events will have to be analyzed manually by the auditor, and it is impossible to get details of the change. Windows 2008: it is impossible to get the values of the deleted registry key. Example (screenshot, not reproduced here).

Typical audit question: SharePoint audit.
  Netwrix SIEM 2.0: The report will contain detailed information.
  Traditional SIEM 1.0: Audit of SharePoint is not supported.

Typical audit question: Audit of SCVMM environments.
  Netwrix SIEM 2.0: The report will contain detailed information.
  Traditional SIEM 1.0: Audit of SCVMM environments is not supported.
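The file-server row above notes that native Windows 2008 auditing reports the new folder permissions only as an SDDL string. An auditor who receives such an event can still translate it into the per-right names the Netwrix report shows; the decoder below is an added example written for this page, not Netwrix code, and the SDDL string and the S-1-5-21 SID in it are constructed for illustration.

```python
import re
# SDDL two-letter rights tokens -> access-mask bits (file-system meaning)
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
}
# Access-mask bits -> the names the Windows folder security dialog shows
FILE_BITS = [
    (0x00001, "List Folder/Read Data"), (0x00002, "Create Files/Write Data"),
    (0x00004, "Create Folder/Append Data"), (0x00008, "Read Extended Attributes"),
    (0x00010, "Write Extended Attributes"), (0x00020, "Traverse Folder/Execute File"),
    (0x00040, "Delete Subfolders And Files"), (0x00080, "Read Attributes"),
    (0x00100, "Write Attributes"), (0x10000, "Delete"), (0x20000, "Read Permissions"),
    (0x40000, "Change Permissions"), (0x80000, "Take Ownership"), (0x100000, "Synchronize"),
]
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}
SID_ALIASES = {"WD": "Everyone", "BA": "Administrators", "SY": "SYSTEM", "AU": "Authenticated Users"}
ACE_RE = re.compile(r"\(([^)]*)\)")
# Constructed sample (not from a real system): custom-group ACE, full control for Administrators, one SACL entry
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;OICI;0x200af;;;S-1-5-21-1000-2000-3000-1105)"
               "(A;OICI;FA;;;BA)S:AI(AU;SAFA;0x90054;;;WD)")
def rights_mask(token):
    """'FA', 'FRFX' or '0x1200a9' -> integer access mask (tokens are ORed, not added)."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHTS[token[i:i + 2]]
    return mask

def describe_mask(mask):  # expand an access mask into the folder-permission names it grants
    return [name for bit, name in FILE_BITS if mask & bit]
def decode_sddl(sddl):
    """Render each DACL/SACL ACE as 'Allow: who (rights)' or 'Audit: who (when: rights)'."""
    # A colon never occurs inside an ACE, so splitting before each 'X:' isolates O:/G:/D:/S:.
    parts = {c[0]: c[2:] for c in re.split(r"(?=[OGDS]:)", sddl) if c}
    lines = []
    for acl in (parts.get("D", ""), parts.get("S", "")):
        for body in ACE_RE.findall(acl):
            ace_type, flags, rights, _obj, _inh, sid = body.split(";")
            flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
            who = SID_ALIASES.get(sid, sid)
            names = ", ".join(describe_mask(rights_mask(rights)))
            if ace_type == "AU":  # SACL entry: SA/FA flags say which outcomes are audited
                when = [w for f, w in (("SA", "Success"), ("FA", "Failure")) if f in flag_set]
                lines.append(f"Audit: {who} ({', '.join(when)}: {names})")
            else:
                lines.append(f"{ACE_TYPES[ace_type]}: {who} ({names})")
    return lines
```

Running decode_sddl(SAMPLE_SDDL) yields one readable line per ACE, in the same spirit as the "Permissions: ... ; Audit: ..." text in the table; a production version would also resolve domain SIDs to account names and handle object-specific (OA/OD) ACE types.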