2012/02/29 12:46:00

Auditing changes to IT infrastructure

IT departments are on the front line of information security and compliance. Whether the requirements come from legislation, industry regulations or the organization's own security policy, meeting information security standards is a prerequisite for the effective operation of a modern IT infrastructure. And for good reason: failing to meet them leads to substantial losses caused by leaks of confidential data, long recovery times and lengthy searches for the people responsible.

Meeting the information security requirements imposed on organizations takes more than punishing the guilty and holding a 'blamestorming session'. It requires auditing changes to the IT infrastructure, a process that consumes time and money when carried out manually.

To prevent information leaks and instability in the IT infrastructure without spending hours hunting for answers in various logs, you can use tools that audit infrastructure changes automatically. If administrators have no way to trace exactly who made a change, the door is open to unauthorized actions by anyone who wants to 'leak' data, release viruses into the corporate network or carry out an attack from inside it.

Moreover, the standards explicitly call for change audit records that are highly accurate, generated automatically and retained in archives. These records must capture everything, from events in the logs to changes of user rights. If an auditor cannot obtain such data, one can say with 100% certainty that the audit will be judged unsatisfactory.

Significant changes that can seriously affect any IT infrastructure happen daily. Someone makes a small change to group membership, a Group Policy object, a domain trust, a role or any other object, and it can threaten the whole company with a security 'hole' or a failed audit. Most companies simply lack the time, inclination and money to monitor these changes with home-grown tools or with the built-in Windows facilities, whose functionality is insufficient for change auditing.

For this reason many companies automate change auditing with specialized software to raise their security level, ensure compliance with standards and spare the nerves of administrators and management.

The reality, however, is that most companies still take a reactive approach to problems related to changes.

To obtain information about events in the IT infrastructure, one has to turn to the built-in audit tools. While auditing with built-in tools is workable for the time being, as information security and compliance requirements tighten this approach often proves inadequate to business needs and demands considerable time and money. Nor can it be considered reliable.

So you face the task of auditing changes to your IT infrastructure. To make the best choice for your company, you need to know all the possible ways to implement it.

Naturally, there is no universal solution for every occasion. You have to consider the goals facing you and your company, your budget (including time), the specifics of your infrastructure and the size of the company.

Before assessing the options, you should understand why you need to monitor and audit changes, and only then formulate the criteria by which the options will be evaluated.

You also need to decide whether you need change auditing as an auxiliary tool for recovery, as an intrusion prevention system (IPS), or as an integral part of the company's overall security strategy.

The next criterion is implementation time. Bear in mind, though, that not all of the approaches below demand a lot of time and money to implement. Let us turn to the different approaches to change auditing:

  • The standard approach to change auditing uses only the built-in tools, that is, the event logs. It is worth noting that these event logs alone can be enough to meet information security standards; they can also serve as a diagnostic tool for systems management.

This approach, however, has its limits. Although it incurs no additional cost (beyond staff time), the built-in audit system has pitfalls that must be taken into account.

First, the built-in logging generates an excessive volume of data, so-called "noise", which carries no useful information unless it is filtered or sorted, and which can in turn degrade system performance. Built-in audit logs are also insecure: they can be edited, deleted or cleared. So unless you collect them regularly, you can never be sure of their accuracy.

This approach also offers no way to store or archive the data in full; so if you have to retain logs to satisfy compliance requirements, the process can consume a lot of time. If you have the time, patience and staff, you can in theory work with the built-in audit system, but remember that it is far from ideal.
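The two pitfalls just named, noise and editable logs, are the ones a collector has to deal with first. The following is an added illustration, not code from the original article: it takes a small set of constructed log lines in a simple pipe-separated export format, keeps only the group-membership change events (the Windows Security event IDs 4728, 4732 and 4756 are real; the sample lines, user names and export format are constructed), and chains the retained records with SHA-256 so that any later edit or deletion in the collected copy can be detected.

```python
"""Filter group-membership changes out of noisy audit log lines and hash-chain
the result so tampering with the collected copy is detectable.

Added example, not part of the original article. The log export format and the
sample lines are constructed; the event IDs are the Windows Security log events
for a member being added to a security-enabled global/local/universal group.
"""
import hashlib
import json

# Windows Security event IDs: "A member was added to a security-enabled ... group."
GROUP_CHANGE_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}

# Constructed sample export: "<timestamp>|<event id>|<subject>|<message>"
SAMPLE_LOG = """\
2012-02-28T09:00:01|4624|svc_backup|An account was successfully logged on.
2012-02-28T09:00:02|4672|svc_backup|Special privileges assigned to new logon.
2012-02-28T09:14:37|4728|jsmith|A member was added to a security-enabled global group. Member: bob Group: Domain Admins
2012-02-28T09:14:40|4634|svc_backup|An account was logged off.
2012-02-28T10:02:11|4732|jsmith|A member was added to a security-enabled local group. Member: bob Group: Administrators
2012-02-28T10:02:12|4624|bob|An account was successfully logged on.
"""

GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def filter_group_changes(log_text):
    """Drop the noise: return only records describing a group-membership change."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, message = line.split("|", 3)
        event_id = int(event_id)
        if event_id in GROUP_CHANGE_EVENTS:
            records.append({
                "time": ts,
                "event_id": event_id,
                "scope": GROUP_CHANGE_EVENTS[event_id],
                "changed_by": subject,
                "message": message,
            })
    return records


def chain_records(records):
    """Attach to each record a SHA-256 over its content plus the previous hash.

    Editing, removing or reordering a stored record breaks every hash after it."""
    prev = GENESIS
    chained = []
    for rec in records:
        digest = hashlib.sha256((json.dumps(rec, sort_keys=True) + prev).encode()).hexdigest()
        chained.append({**rec, "prev_hash": prev, "hash": digest})
        prev = digest
    return chained


def verify_chain(chained):
    """Recompute every hash; return the index of the first bad record, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        expected = hashlib.sha256((json.dumps(body, sort_keys=True) + prev).encode()).hexdigest()
        if rec["prev_hash"] != prev or rec["hash"] != expected:
            return i
        prev = rec["hash"]
    return -1


if __name__ == "__main__":
    stored = chain_records(filter_group_changes(SAMPLE_LOG))
    print(f"{len(stored)} group changes kept; chain intact: {verify_chain(stored) == -1}")
    stored[0]["changed_by"] = "someone_else"  # simulate an edit to the archived copy
    print("first tampered record index:", verify_chain(stored))
```

The chain only proves that the copy you collected has not been altered since collection; it says nothing about events cleared from the source log before the collector ran, which is why the article's advice to collect regularly matters.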

  • The second approach to change auditing is to use SIEM (Security Information and Event Management) solutions. Over the last few years SIEM solutions have received a great deal of media attention and have been hailed by some as a step forward in change auditing.

SIEM solutions are needed first of all by companies whose change auditing goals are about information security. The Achilles' heel of SIEM for change auditing, however, is that it relies solely on the data in the built-in event logs. This means it is exposed to the same data integrity problem as the built-in tools, namely log falsification. These solutions depend on a single data source whose reliability is low. Solutions of this kind inherently require considerable time and resources to implement and keep running.

SIEM is also rather expensive, so it is worth considering if your goal is to meet particular security requirements, or if you need to integrate specific functions such as automatic recovery and intrusion prevention into your change audit strategy. But it is clearly a poor fit if your main goal is reliable, tamper-proof audit data and budgets are tight. Some SIEM vendors: LogLogic, ArcSight, LogRhythm and Splunk.

  • The third approach is to write your own change audit system. On the one hand, it is useful to build a bespoke system that meets your organization's requirements. On the other hand, it takes a lot of time and technical resources and relies on unofficial APIs for data collection, which carries risks of its own. Finally, given that there are fairly inexpensive and adaptable change audit solutions on the market, the 'do it yourself' approach is not viable, as its declining popularity shows.

  • The last approach is to use solutions developed by a vendor that specializes in change auditing. The capabilities of these solutions vary, so you need to select the one that suits you and implement it correctly. This approach lets you obtain a complete, reliable and broad picture of changes in the IT infrastructure.

It is important to make sure that the vendor's solution can collect data from different sources and filter, sort and compress it so that it is easier to access later.

Functions such as storage and archiving of audit data are important; without them a solution is no better than the built-in audit tools. It is also important that the vendor's solution can record values as they were before a change; showing the before and after values lets you quickly resolve problems that arise when analysing changes.
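Recording the 'before' value is something the event log alone does not give you; it requires comparing a snapshot taken before the change with one taken after. The following is an added example, not code from the original article or from any vendor product: two constructed snapshots of group membership stand in for data pulled from a directory, and each change record carries the full before and after member lists together with what was added and removed.

```python
"""Produce change records that include the 'before' value, by diffing two
snapshots of group membership.

Added example, not from the original article or any vendor product. The two
snapshots below are constructed; in practice they would be read from the directory.
"""

# Constructed snapshots: group name -> set of member names
BEFORE = {
    "Domain Admins": {"alice", "carol"},
    "Backup Operators": {"svc_backup"},
    "Helpdesk": {"dave", "erin"},
}
AFTER = {
    "Domain Admins": {"alice", "carol", "bob"},
    "Backup Operators": set(),
    "Helpdesk": {"dave", "erin"},
    "Remote Desktop Users": {"bob"},
}


def diff_memberships(before, after, taken_at="<constructed timestamp>"):
    """Return one change record per group whose membership differs between the
    snapshots, carrying before/after lists plus the added and removed members."""
    changes = []
    for group in sorted(set(before) | set(after)):
        old = before.get(group, set())
        new = after.get(group, set())
        if old == new:
            continue  # unchanged groups produce no record, keeping the report quiet
        if group not in before:
            kind = "created"
        elif group not in after:
            kind = "deleted"
        else:
            kind = "modified"
        changes.append({
            "time": taken_at,
            "object": group,
            "change": kind,
            "before": sorted(old),
            "after": sorted(new),
            "added": sorted(new - old),
            "removed": sorted(old - new),
        })
    return changes


def format_report(changes):
    """Render change records as one line each, before and after side by side."""
    return "\n".join(
        f"{c['time']} {c['object']} [{c['change']}] "
        f"before={c['before']} after={c['after']} +{c['added']} -{c['removed']}"
        for c in changes
    )


if __name__ == "__main__":
    print(format_report(diff_memberships(BEFORE, AFTER)))
```

The snapshot interval bounds how precisely a change can be placed in time, so such records are normally correlated with the event log entries (which name the actor) rather than replacing them.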

Along with a detailed and accurate picture of what is happening to your IT infrastructure and compliance with information security standards, this more focused approach to change auditing gives you both real-time notifications and automatic reports, considerably increasing the transparency of changes in the organization.

This approach is not as complex as SIEM in that it will not recover data automatically or prevent intrusions; but specialized change audit solutions cost several times less than a typical SIEM system. If you want the level of integrity and detail of audit that specialized solutions provide but also need to implement a comprehensive security strategy, you can always invest in a vendor's change audit solution and integrate it with your SIEM.

Having weighed the time, cost and risk of the different ways to gain insight into your IT infrastructure, you will most likely conclude that specialized change audit software will give you the fastest return on investment.

But as with everything in life, there is no universal solution, so to find the right one for your organization, the first step on the road to change auditing is to form a clear picture of what you need to achieve and to understand what options are available to you.