INFORMATION
Published: Jul 11, 2007
Length: 14
Type: White Paper

Overview:

This paper presents a new solution offering, NetIQ Change Guardian for Windows, and will discuss how it overcomes the challenges of common approaches to change and activity auditing on your Windows servers, without the need for native auditing. Learn why organizations are having to perform more detailed monitoring of their files and the activities of their users and about recent, well-publicized events that show where current approaches have failed.
Monitoring for changes and user activity is often considered a best practice in IT, and is even mandated by requirements such as the Payment Card Industry Data Security Standard (PCI DSS). Unfortunately, current approaches such as native auditing, file integrity checking or kernel shims often fail to meet the changing threat landscape, manage the proliferation of regulatory mandates or map to the requirements of the business.
This whitepaper will present a new solution offering, NetIQ Change Guardian for Windows™, and will discuss how it overcomes the challenges of common approaches to change and activity auditing on your Windows servers—all without the need for native auditing. In this paper you will learn:
- Why organizations are having to perform more detailed monitoring of their files and the activities of their users
- Recent, well-publicized events that show where current approaches to system security monitoring have failed
- How NetIQ Change Guardian for Windows provides invaluable, real-time insight into what is going on across your Windows servers—all without the need for performance-hindering native auditing

Introduction

No one can argue that electronically-based information is the lifeblood of today’s organizations. Over the past 10-20 years there has really been an explosion of the amount of data the average corporation will retain, including not only information about the corporate entity itself but also about its partners, its customers and more. Many factors have aided this trend, including the proliferation and accessibility of the Internet, the fact that nearly all information is available in electronic format, the continual reduction in the cost of data storage and the constant increase in computing processing power to try to make sense of the “overload” of data.
Protecting this deluge of information and the IT systems within which it resides has become more important to organizations today than ever. While the risk of breaches and theft of information has always been a part of life for organizations, part of the “clear and present danger” for companies today is not just losing the information but, due to regulatory requirements, having to publicly report any security incident that involves any loss of information. Given the speed with which information gets into the hands of the media and consumers, any negative publicity can be a bad thing. To prove this point, there are many examples over the past few years where the requirement to publicly expose a security incident or data theft has inflicted more damage on a company due to its customers losing faith and going elsewhere. CardSystems, a US-based company that used to process financial transactions for the major credit card vendors, is a perfect example where an IT security breach led to the loss of millions of US dollars and the cancellation of contracts from its key customers—all of which ultimately led to the company becoming a non-entity and being acquired for a fraction of its former worth.
To monitor their systems, organizations have surprisingly few options available to them. The most common approaches available to organizations for protecting their systems and data include native auditing, integrity checking and kernel shimming; all of which have existed for quite some time with enhancements that have not developed in line with the growing requirements of today’s organizations. This lack of progress is well demonstrated by the relatively large number of recent and publicly-reported security exposures, particularly where the security compromise has gone undetected for months if not years. What is needed is a new approach to detecting changes and monitoring user activity that reduces detection times and helps assure the integrity and availability of critical IT systems and services, and the confidentiality of the information that the organization retains.
Through this paper we will discuss how, where and why organizations are being encouraged, if not required, to improve their monitoring of user activities and changes across their systems. We will also present and analyze some of the recent cases where security breaches have caused the loss of millions of US dollars’ worth of data. We will then investigate and discuss the common approaches to monitoring system changes and user activity and discuss where and how they do not meet the needs of the organization of today. The paper will then present a new monitoring approach that Microsoft developed to monitor the Microsoft server platform, and introduce a new solution offering from NetIQ that delivers real-time detection of changes, and monitoring of user activity, across your Windows servers that does not require native auditing to be enabled.