Real-Time Security for Active Directory

White Paper

Reducing the risk of insider attack, data loss, and unmanaged change

Companies face significant challenges in controlling change in their Active Directory environments. This white paper describes the need for more effective Active Directory monitoring as part of a broader change-control process, the problems with current approaches, and how to leverage NetIQ products to assure policy compliance and operational integrity.

Contents

The Need to Monitor and Control Change
Reducing Risk and Standardizing Controls
Integrating Change Monitoring
Policy Compliance
The Risk of Traditional Approaches for Active Directory Monitoring
Criteria for an Ideal Solution
NetIQ's Approach to Active Directory Change Management
Conclusion: NetIQ Change Guardian for Active Directory - Detecting Change and Reducing Risk
About NetIQ
About Attachmate
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright 2009 NetIQ Corporation. All rights reserved. 
ActiveAgent, ActiveAnalytics, ActiveAudit, ActiveReporting, ADcheck, Aegis, AppAnalyzer, AppManager, the cube logo design, Change Administrator, Change Guardian, Compliance Suite, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowing is Everything, Knowledge Scripts, Mission Critical Software for E-Business, MP3check, NetConnect, NetIQ, the NetIQ logo, the NetIQ Partner Network design, Patch Manager, PSAudit, PSDetect, PSPasswordManager, PSSecure, Risk and Compliance Center, Secure Configuration Manager, Security Administration Suite, Security Analyzer, Security Manager, Server Consolidator, VigilEnt, Vivinet, Vulnerability Manager, Work Smarter, and XMP are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.
The Need to Monitor and Control Change

The ability to effectively and efficiently monitor and audit Active Directory (AD) has never been more important. As organizations work to reduce the risk of data breaches and insider attack, security and operational teams are recognizing the vital importance of detecting and, as much as possible, preventing unmanaged changes to Active Directory and Group Policies. This requirement is further driven by the need of the business and auditors to meet regulatory requirements and demonstrate that appropriate controls are in place to meet those regulations, policies, and standards.

The problem is that IT environments are in a constant state of change, and every change represents risk: risk that external attackers may breach security controls, risk that an insider may use elevated privileges to steal sensitive data, risk that an administrator may simply make a mistake that results in a significant and negative business impact. An overworked administrator may circumvent change control policy in order to respond to a business request and accidentally cause thousands of systems to become unavailable to their users. Likewise, a malicious insider executing an attack to steal sensitive data may well begin by escalating privileges on an account to gain greater access to the target resources.

Unmanaged changes are a particular cause of many system failures and security incidents. Even when properly managed, changes to Active Directory may cause system outages due to an inherent lack of visibility into dependencies within the infrastructure. Unfortunately, the prevailing approach to addressing problematic changes, reactively fighting fires, is unacceptable. Active Directory forms the foundational underpinnings of user management and access controls; therefore, good security for Active Directory is essential to maintaining the availability, integrity and confidentiality of both critical systems and the data they house.
Reducing Risk and Standardizing Controls

Effective change management ensures that standardized processes for all changes are enforced. These processes should facilitate the efficient and prompt handling of all changes, yet maintain the proper balance between the need for the change and the risk that the change has a negative impact on the business. Unfortunately, change controls are often heavily manual procedures, making them ineffective and expensive. Worse, these manual processes are rarely well integrated with other change detection and management technologies, which reduces the ability of the operational and security teams to respond rapidly to changes and reduce risk to data and services. Unless a change to a significant element of organizational infrastructure such as Active Directory can be placed in the context of other events and processes, there is far less chance to identify when a privileged user is conducting an attack or an accidental change is having a negative business impact.
Integrating Change Monitoring

Integrated change monitoring closes the loop on the change management process and enforces control over the execution of change. Most importantly, change is controlled throughout the implementation and is verifiable, auditable, and recoverable. Good change monitoring provides documented proof that change and security controls are effective, demonstrates that only authorized and intended changes have been made to AD environments, and supports change control policy and security best practices. In addition to the need to provide secure controls around access to critical systems and data, the organization must also meet its objectives around compliance with regulations and policies, both internal and external. Good change monitoring will therefore have a direct impact on the way that Active Directory is managed and improve the ability to ultimately eliminate unmanaged change. Change monitoring processes should be able to rapidly detect when an unmanaged or unauthorized change is taking place, and ensure that the appropriate response occurs: generating an alert, escalating information to security personnel, or even initiating a process to remediate the change itself.

Policy Compliance

Another significant driver for monitoring changes in Active Directory is the need to demonstrate compliance with policies and standards. The mandates for Active Directory security and compliance come from many sources. Perhaps the most common sources are regulations and industry standards, such as PCI-DSS (Payment Card Industry Data Security Standard), Sarbanes-Oxley, and FISMA Accord. Indeed, external auditors routinely review their clients' compliance programs as part of the financial audit. Unfortunately, many organizations do not have robust or complete information compliance policies, and those that do may struggle to implement those controls on something as dynamic as Active Directory.
Documenting change control policy, and showing that such controls are in place, is essential to maintaining compliance. Thus an integrated change detection and management approach will provide the best way of ensuring that compliance drivers are more easily met.

The Risk of Traditional Approaches for Active Directory Monitoring

Although the ability to detect when changes have occurred to Active Directory is vital to maintaining the security and integrity of assets, the methods for ensuring the security of Active Directory have, in many cases, not evolved at the same rate as the risks and threats. This represents a critical and growing organizational vulnerability. Traditional approaches to managing change within Active Directory can be traced back to the earliest days of using AD in the corporate environment; therefore, they are often inadequate when faced with the much broader, and more critical, use of AD today.
Such processes are often:

Highly manual
Manual processes, using native tools, place an excessive burden on AD management teams. As such, these processes are difficult to scale across the enterprise, are error-prone and costly, and often come at the expense of more strategic planning and projects.

Slow to detect change
The inability to rapidly detect changes to AD represents a very meaningful risk to security and compliance. Even a well-intentioned administrator can make an accidental change that can result in business disruption. A motivated and skilled attacker can extensively undermine security policy through changes to AD and Group Policies. If these changes are not detected quickly, it may be too late to stop an attack before the damage is done.

Not integrated with other security technologies
The lack of integration between AD management, change controls, and other security technologies, such as compliance assessment and especially Security Information and Event Management (SIEM) tools, is a dangerous blind spot in overall security monitoring. This lack of integration prevents security and AD teams from placing changes in the context of other events within the infrastructure, or from rapidly confirming that changes are indeed authorized and planned in the change management or ticketing system.

Not scalable across the enterprise
Processes that are manual, slow and poorly integrated may not scale well within a rapidly changing enterprise environment. As a result, AD security and the ability to manage change become less and less aligned with business and security needs. This will only be compounded as technologies such as Active Directory become integral to broad Identity and Access Management (IAM) programs.

Criteria for the Ideal Solution

The ideal solution for Active Directory monitoring should meet the following requirements:

Reduces the workload of IT auditors and other involved personnel
Any Active Directory management approach should be efficient.
It should leverage automated technology when possible, and minimize the number of manual procedures.

Assesses compliance with policies, regulations, standards and leading practices
Compliance with applicable policies and standards (i.e., benchmarks) and other drivers (e.g., PCI-DSS, Sarbanes-Oxley, FISMA) is important in today's business. The solution should facilitate compliance by identifying exceptions from policies and standards.

Leverages existing infrastructure whenever possible
Organizations should not have to deploy a completely new monitoring framework just to support the necessary monitoring and auditing of Active Directory. An ideal solution would take advantage of existing systems and agents to provide monitoring, reporting and alerting of Active Directory changes.

Provides an accurate assessment of security posture
Active Directory audits should provide a comprehensive picture of security. They should provide a view from the inside out, so that it is clear where compliance exceptions and vulnerabilities exist.

Supports real-time monitoring and continuous auditing
The solution should be completely automated and work hands-free. This means the solution should enable assessments to be scheduled on a recurring basis and performed during off hours, and should hold the results and data securely for subsequent reporting and analysis.
Scales securely
The solution should grow with the business and support the entire enterprise. This means the solution should work over large, distributed Active Directory domains with little impact on utilization and other resources. Moreover, it should communicate and store data securely, so that the solution itself does not become a potential exposure.

Provides insight into different types of change
It is not enough just to know that change is occurring. In order to help administrators, management and auditors, the ideal solution should help to classify and identify the types of changes occurring in the Active Directory environment, so that there is an understanding of which changes and personnel are following defined processes.

NetIQ's Approach to Active Directory Change Management

NetIQ Change Guardian™ for Active Directory delivers real-time monitoring and alerts you to changes in your Active Directory environment. It also provides detailed audit reporting that shows changes made inside or outside of your change process, as well as the level of importance of the change. Not only does this ensure that changes to the production infrastructure are authorized, tested, and approved, but it also identifies unauthorized changes and how they impact audit metrics. This technology is well integrated with leading SIEM solutions, enabling rapidly detected changes to be placed in the context of activity, especially privileged-user activity, and insider attacks to be identified more easily before they cause significant damage.

Benefits of NetIQ Change Guardian for Active Directory

NetIQ Change Guardian for Active Directory minimizes the risks associated with operational changes to Active Directory. The product provides the visibility you need to protect your Active Directory environment from dangerous security exposures and costly service disruptions by automating and simplifying Active Directory change monitoring.
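The two capabilities the paper keeps returning to, confirming a change against the change management or ticketing system and classifying it as managed, unmanaged or high-profile so the share made outside the process can be reported, can be sketched in a few lines. The following is an added example written for this page, not NetIQ code: the events (with real Windows Security event IDs), tickets, distinguished names and sensitive-object list are all constructed, and the matching rule (same actor, target within the ticket's scope, time inside the approved window) is an assumed policy.

```python
"""Correlate Active Directory change events with approved change tickets and
classify each as managed, unmanaged or high-profile. Added example, not
NetIQ's code: every event, ticket and DN below is constructed."""
from datetime import datetime

# Objects whose modification is always high-profile (constructed DNs).
HIGH_PROFILE_TARGETS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=AdminSDHolder,CN=System,DC=corp,DC=example",
}
# Constructed Windows Security events (time, event id, actor, target DN) as a
# SIEM would forward them: 4728 = member added to a security-enabled global
# group, 4720 = user account created, 5136 = directory service object modified.
EVENTS = [
    ("2009-06-01T22:15:00", 4728, "CORP\\jsmith", "CN=Domain Admins,CN=Users,DC=corp,DC=example"),
    ("2009-06-01T22:30:00", 4720, "CORP\\jsmith", "CN=new-hire,OU=Staff,DC=corp,DC=example"),
    ("2009-06-02T03:05:00", 5136, "CORP\\mlee", "CN=AdminSDHolder,CN=System,DC=corp,DC=example"),
    ("2009-06-02T10:00:00", 5136, "CORP\\mlee", "OU=Sales,DC=corp,DC=example"),
    ("2009-06-02T14:00:00", 5136, "CORP\\jsmith", "OU=Sales,DC=corp,DC=example"),
]
# Constructed approved tickets: (id, actor, scope DN, window start, window end).
TICKETS = [
    ("CHG-1042", "CORP\\jsmith", "OU=Staff,DC=corp,DC=example", "2009-06-01T22:00:00", "2009-06-01T23:00:00"),
    ("CHG-1043", "CORP\\mlee", "OU=Sales,DC=corp,DC=example", "2009-06-02T09:00:00", "2009-06-02T11:00:00"),
]

def in_scope(target, scope):
    """A ticket scope covers the named object and everything beneath it."""
    return target == scope or target.endswith("," + scope)

def matching_ticket(event):
    """Return the id of the ticket that authorizes this event, or None when
    no ticket matches actor, scope and time window (the unmanaged case)."""
    when, _, actor, target = event
    t = datetime.fromisoformat(when)
    for tid, t_actor, scope, start, end in TICKETS:
        if (t_actor == actor and in_scope(target, scope)
                and datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)):
            return tid
    return None

def classify(event):
    """Return (category, ticket id, response). Changes to sensitive objects or
    privileged group membership are high-profile and escalated even when a
    ticket exists; other changes are managed if ticketed, otherwise unmanaged."""
    _, event_id, _, target = event
    ticket = matching_ticket(event)
    if target in HIGH_PROFILE_TARGETS or event_id == 4728:
        return "high-profile", ticket, "escalate"
    if ticket:
        return "managed", ticket, "log"
    return "unmanaged", None, "alert"

def change_control_metrics(events):
    """Count changes per category: the unmanaged share is the audit metric."""
    counts = {"managed": 0, "unmanaged": 0, "high-profile": 0}
    for ev in events:
        counts[classify(ev)[0]] += 1
    return counts
```

Run against the constructed sample, the two admin-object changes are escalated regardless of ticketing, the two in-window changes are logged as managed, and the off-ticket edit to OU=Sales raises an alert.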
Improving Compliance and Security Posture for Active Directory

Risk exposure from operational changes is most effectively managed with a change control effort that closely monitors changes to Active Directory. NetIQ Change Guardian for Active Directory enables IT security teams and AD administrators to perform IT security audits efficiently on the most important aspects of Active Directory, and also scales to support both large and small implementations, from those in a single domain to domains distributed around the world. Moreover, because monitoring occurs on a real-time, continuous basis, NetIQ Change Guardian for Active Directory enables you to identify and alert on potential policy compliance issues at any time, assuring that issues can be addressed within minutes instead of hours or days.

Minimizing cost while maximizing existing infrastructure

NetIQ Change Guardian for Active Directory enables you to maximize the technology you already use. Not having to deploy a new infrastructure just to monitor and alert on Active Directory changes means that your organization can realize the additional benefits of monitoring and reporting without having to learn entirely new interfaces or incur additional impacts on performance.
Reinforcing change control processes through metrics

Providing the ability to differentiate between managed, unmanaged, and high-profile changes in Active Directory gives organizations a unique opportunity to really see which changes are occurring within or outside of their change control process, a very important metric for the auditing process.

Increasing availability and reducing risk

Assuring, through the use of smart monitoring, that AD administrators and other privileged personnel are making changes according to corporate policy and process can give your organization confidence that risk is being mitigated and that necessary systems and services will be available to the knowledge workers in your organization.

Conclusion: NetIQ Change Guardian for Active Directory - Detecting Change and Reducing Risk

As never before, IT auditors and managers, as well as Active Directory administrators, require a tool designed for both policy compliance assessments and operational integrity reporting that also provides real-time alerting on the types of changes that matter most. NetIQ Change Guardian for Active Directory automates and streamlines the AD auditing process, freeing administrators from manually gathering historical data from log files and enabling security teams to identify and respond more effectively to potential attacks. By enabling the rapid detection of, and response to, unmanaged changes in Active Directory, organizations will be able to most directly support and reinforce existing security controls, and directly reduce the workload on the critical Active Directory management teams, the first line of defense against attacks on critical systems and sensitive data.

About NetIQ

NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency.
With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control, and Enterprise Administration.
About Attachmate

Attachmate enables IT organizations to extend mission-critical services and assure they are managed, secure, and compliant. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation, and secured connectivity. To fulfill that goal, we offer solutions that include host connectivity, systems and security management, and PC lifecycle management.