Netwrix Auditor – The perfect tool for auditing your IT!


As a network architect I usually get many questions from my customers about IT governance, monitoring and security. Today I would like to present one of the top tools that I usually recommend to my clients. This product is Netwrix Auditor – a tool that provides you with complete visibility across your IT infrastructure (http://www.netwrix.com).

So…What is Netwrix?

Auditing the infrastructure is always painful: you have to be well equipped, and most of the time you need several products to meet your requirements. Netwrix is one of the best products I’ve ever seen for auditing your infrastructure.

First of all, Netwrix Corporation, created in 2006 in Irvine, California, was primarily focused on auditing Active Directory. During the past few years it has diversified its portfolio with applications for other critical systems, e.g. File Servers, SharePoint Servers, Exchange Servers, Windows Servers, SQL and VMware servers, meaning that the tool can be purchased independently per application. The product offers one unified platform for governing all the applications, which is really useful and provides you with information about all the critical systems.

One major point? Auditing across the entire infrastructure

 

The entire approach is based on knowing « who did what, when and where ». It is a pleasure to have a tool that gives you a clear focus on the users’ habits. It allows you to answer many fundamental questions: How can my company avoid data leakage? How do I deal with several sources of data? How can I get a human-readable view of all the massive data? How can I be alerted on crucial file changes? These are all questions that the product can actually answer with strength and flexibility.

Netwrix offers you three pillars of activities and guides you through these pillars to make your IT as secure as possible. The pillars are Security, Compliance and Optimization. They are closely tied together, as they are all used in an iterative and incremental approach.

So… How can Netwrix Auditor help you to strengthen your Security?

One of the biggest challenges here is to make things visible, with the goal of detecting suspicious user activity and preventing data leakage.

Netwrix Auditor will allow you to:

  • Detect insider threats;
  • Investigate security incidents and prevent breaches;
  • Overcome limitations of native auditing.

Are you sure, that you are compliant with the most common external standards?

IT compliance is a kind of headache for IT companies, because first of all there are several standards and secondly it is not so easy to implement them. To address these points, Netwrix has a compliance-standard approach and allows you to implement the following standards easily: PCI DSS, HIPAA, SOX, FISMA / NIST 800-53, ISO/IEC 27001.

So the product allows you to:

  • Implement and validate controls from a variety of regulatory compliance standards;
  • Get easy access to reports required for passing compliance audits;
  • Keep a complete audit trail archived for more than 10 years.

Furthermore, Netwrix treats compliance as a continuous process and not as an event. With Netwrix compliance folders, which contain the relevant reports, you will be able to check at any time whether you are compliant with the most common standards or not.

Learn how Netwrix helps you with process optimization:

By design, you do not need to crawl through a mass of log data to get the data in readable form and to be alerted in case of some critical changes.

Netwrix Auditor allows you to:

  • Automate time-consuming manual tasks associated with generating reports;
  • Minimize system downtimes and service outages;
  • Simplify root cause analysis;
  • Unify auditing across the entire IT infrastructure.

 

For whom is the tool actually?

Clearly, all the IT departments who are in charge of maintaining and governing the company’s IT. The sys admins will find the solution really invaluable.

The tool provides you with precious information that is also useful for IT Directors and CISOs, external auditors and data owners, keeping them informed about any changes made to the objects they own.

See below the different actors that could be interested in the solution.

Audit Data Actors

And now… let’s see how it works in real life.

The product requires configuration by modules on the targeted machines. Once that is done, you have access to the Administration panel and the Client Auditor panel. And that’s it!

Netwrix Auditor Administrator Panel

 

And below please see the Netwrix Auditor interface (client console) – one single point of entry that allows you to work with the information collected by Netwrix Auditor.

Netwrix Auditor allows you to see all the changes across the entire infrastructure in different ways:

  1. Interactive search within all the applications
  2. Pre-defined reports and actual subscriptions
  3. Enterprise dashboards

 

Let’s start with the enterprise dashboards, which visualize all the changes.

The dashboards are grouped by the date the change was made, by the servers where the most changes were made, by the users who made the most changes, and by the most modified changes. If, for example, you see someone among the users with the most changes who should not be there, just click on the dashboard and go to the detailed report.

Netwrix Auditor Enterprise overview

And the same enterprise overview, e.g. for SharePoint.


SharePoint Reports

Another nice feature that Netwrix Auditor offers is the ability to subscribe specific members to some dashboards or reports. You choose to whom the reports should be sent, how often and in which format (pdf, excel, word, csv).

The same enterprise overview but for Windows Server

And now have a look at the pre-defined reports. All the reports are grouped by folders based on the system changes.


Now let’s go through some examples:

VMware changes:

I find this module very interesting and efficient as it gives precious information about all changes in your virtualized infrastructure:

  • Resource Pools
  • Cluster Changes
  • Hosts (ESX)
  • Virtual Machines


File Servers auditing:

The product is already predefined with more than 20 reports focused on:

  • File Changes
  • Access to files
  • Permission Changes
  • Permissions State

Netwrix audits Windows-based file servers, NetApp and EMC devices.

For example, with the reports on successful file reads you can see who opened the files and can detect if someone is too curious.

With a similar report on failed read attempts you will see who tried to open files with insufficient privileges, and this information can help to prevent an insider attack.

File Server changes report

SharePoint Server:

The product is also very efficient for SharePoint as it is focused on collecting the changes about:

  • Farm Configuration
  • Content
  • Permissions

SharePoint changes by object type

SQL Server:

The product proposes a very granular approach based on:

  • Server Instances
  • Logins
  • Permissions
  • Tables
  • Data rows

SQL Server changes

What about Exchange Server?

I was very surprised by the simplicity of analysis and the efficiency that the product offers for Exchange. Here is what the product is focused on:

  • Server Configuration
  • Server Permissions
  • Database
  • Mailboxes

Mailboxes permissions

A great feature that the Exchange application offers is alerting in case non-mailbox owners try to get access to the mailboxes of other users.

Exchange changes

What about Windows Server?

Very granular and detailed information is captured by this module:

  • Hardware
  • Local Policies
  • Local Users & Groups
  • Program Additions/Removals
  • Services
  • Scheduled tasks
  • DNS Configuration

All Windows Server Changes by Server

And Active Directory – the most powerful application in the “Netwrix family”.

The tool comes predefined with more than 70 reports focused on the following changes, which are grouped by:

  • Domain Controllers
  • Objects Security Settings
  • User Accounts
  • Organizational Units
  • Groups / Groups Membership
  • Passwords

In case some critical changes were made and you need to roll them back, Netwrix Auditor for AD will provide you with this ability – and in this case you do not have to restore data from backup.

Active Directory Object restore wizard

And now some words about Netwrix interactive search, which makes it possible for you to create your own reports by choosing relevant criteria.

During the search the data is collected across all the audited systems.

The very efficient Search Interface

Here is just one example of how you can use the interactive search capability in real life:

Say you need to know who accessed or tried to access a secured file on your File Server during the past month, excluding Administrators.

1) To look into that, simply launch the Netwrix Auditor console and select the “Search” tile.

2) Go to “Advanced” above the search field and adjust the filters:

  • Audited system equals File Servers
  • Action equals Read, Read (Failed Attempt)
  • What equals Sales

3) Click on Search

Then we will filter the results by using the “Exclude from search” feature to remove the Administrator account, then press Search again.

No changes have been found

You can save this search to get quick access to it in future.
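The search walked through above, expressed as filter logic over a few constructed audit records; this is an added example, not Netwrix code or its export format. The record layout, account names, paths and dates are assumptions made for illustration, and the "What" filter is modelled here as matching one folder name in the path.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records: (who, action, what, audited system, when).
# Layout and values are assumptions for illustration, not a Netwrix format.
RECORDS = [
    (r"CORP\Administrator", "Read", r"\\fs01\Sales\q3.xlsx", "File Servers", "2016-05-20T09:12:00"),
    (r"CORP\jdoe", "Read (Failed Attempt)", r"\\fs01\Sales\forecast.xlsx", "File Servers", "2016-05-21T18:40:00"),
    (r"CORP\jdoe", "Read (Failed Attempt)", r"\\fs01\Sales\pricing.docx", "File Servers", "2016-05-22T18:43:00"),
    (r"CORP\asmith", "Read", r"\\fs01\Sales\q3.xlsx", "File Servers", "2016-05-25T10:05:00"),
    (r"CORP\asmith", "Modified", r"\\fs01\Sales\q3.xlsx", "File Servers", "2016-05-25T10:09:00"),
    (r"CORP\bwhite", "Read", r"\\fs01\HR\salaries.xlsx", "File Servers", "2016-05-26T11:00:00"),
    (r"CORP\jdoe", "Read", r"\\fs01\Sales\old.xlsx", "File Servers", "2016-03-01T08:00:00"),
    (r"CORP\mlee", "Read", r"http://sp01/Sales/list", "SharePoint", "2016-05-27T14:00:00"),
]
NOW = datetime(2016, 6, 1)  # constructed "today" so the example is repeatable


def search(records, now, days=30, system="File Servers",
           actions=("Read", "Read (Failed Attempt)"), what="Sales",
           exclude_who=("Administrator",)):
    """Apply the filters from the walkthrough: system, action, what, who, when."""
    since = now - timedelta(days=days)
    excluded = {name.lower() for name in exclude_who}
    hits = []
    for who, action, path, audited, when in records:
        if not (since <= datetime.fromisoformat(when) <= now):
            continue  # outside the "past month" window
        if audited != system or action not in actions:
            continue
        if what.lower() not in [part.lower() for part in path.split("\\")]:
            continue  # the folder name must match a whole path component
        if who.split("\\")[-1].lower() in excluded:
            continue  # "Exclude from search": drop the named accounts
        hits.append((who, action, path, when))
    return hits


def failed_reads_by_user(hits):
    """Count failed read attempts per account to surface overly curious users."""
    return Counter(who for who, action, _, _ in hits
                   if action == "Read (Failed Attempt)")


if __name__ == "__main__":
    results = search(RECORDS, NOW)
    for row in results:
        print(row)
    print(dict(failed_reads_by_user(results)))
```
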

Any other great “exotic” features?

You can plug the product into your SIEM tool. SIEM (security information and event management) products allow you to collect and correlate behaviors and trigger countermeasures in your IT environment. I mean different solutions like QRadar (IBM), Splunk, Cisco, HP ArcSight… Integrating your SIEM solution with Netwrix Auditor extends your auditing options, as data will be collected from a broader range of resources.

FIM (File Integrity Monitoring) is a feature for tracking changes to critical systems, files and configurations.

And with the Netwrix User Activity Video recording functionality you can monitor critical systems that do not produce any logs.

Just have a look to understand how easily it works:

You choose the users whose activity you want to track, as well as the applications you want to track. You can also specify the video recording settings, where you choose quality parameters, video recording duration and audit archive settings.

The trial key can be downloaded from the website or you can use TestDrive (you have to register a corporate email).

So there is no doubt that the tool is really useful for any infrastructure.

How to TEST the product?

I was very pleased to test Netwrix Auditor in the Netwrix virtual lab with the Online TestDrive, so everyone can test Netwrix Auditor without downloading it and installing it in their environment. It’s a good way to get first impressions of the solution. Here’s the link where you can test it: http://www.netwrix.com/auditing_it_infrastructure_testdrive.html

Then I would recommend downloading a trial key to test the solution with your data in your environment. A trial key can be downloaded from the Netwrix website. You can also ask for a 1-to-1 demo with one of the Netwrix experts or ask for a quote using the Netwrix website.

So my conclusion is:

The product is very efficient and focused on all the activities that you may need to track in your company. It gives a good analysis and reports by applications.

Today the product is only for On-Premises environment, but in future auditing for Office 365 is planned. And also a good benefit is that you can configure the modules that you need without purchasing the others.
