There is plenty of talk about the increase in external threats to critical IT infrastructures including BYOD, APTs, the growth in organised cybercrime and the cloud. All very important of course but some of the biggest threats to any organisation still come from within. Verizon’s 2013 Data Breach Investigations Report said that insider threats accounted for 14 percent of total incidents.
The weakest link for any organisation is not systems; it is the human factor. But while the insider threat is usually assumed to be from rogue employees or planted ‘moles’, it is important to also consider the role of IT administrators and managers that already have privileged access to sensitive information, resources and controls without having to hack into anything.
> See also: NSA leaks cause security execs to rethink administrator privileges
These individuals could include external contractors, security service providers and vendor or channel support staff.
They have the ability to stop and start systems, make critical changes such as granting access rights and can even delete security logs without trace.
We all prefer to believe we can rely on trusted employees or external consultants to do the right thing but it would be naive not to think it is possible that someone is going to abuse their privileges. And of course if they become disgruntled or plan to leave for a competitor – the risk is even greater.
Despite this, the majority of organisations have very limited capabilities to trace specific IT events to specific users, with any certainty. For example, one very large retail organisation recently told me that they had 90 IT administrators including a number working on contract through an outsourcer, yet they had no means of determining which changes were made by which administrator at any given point in time.
We can’t stop the occasional IT admin turning bad or simply making mistakes because they are not up to the job, but we can make sure we know ‘who, did what, where and when’, to act as a deterrent or to catch the culprit immediately after the event.
But unfortunately, many companies do not have quick and easy access to this information and very few IT teams really know what is happening in their infrastructures at any given time. Even some of the largest organisations still have to trawl manually through files of native logs to get the answers.
But it’s not just about the trust of privileged users. There is the question of how quickly you can identify a change in your infrastructure that has caused a problem or failure by a common user error or something more malicious. Take for example, Active Directory. It is at the core of 98% of all modern networks, yet the majority of organisations can’t tell you who has made changes, what they did and when they did it.
The same is true for changes to the password policies and procedures that underpin IT security and despite our reliance on email, it is not standard practice to monitor for erroneous or malicious changes to MS Exchange. Furthermore, when it comes to basic file access, many companies do not know who accessed a file, when it was accessed and if the attempt succeeded or failed.
The answer of course is effective IT change auditing. The problem is that auditing sounds like an additional headache and a lot of hassle when there is already not enough time in the day to keep the corporate network safe.
So, it is not surprising that so many companies do little more than pay lip service to it. A report from Quocirca found that many audits are only carried out before a compliance check or as part of an investigation after an event such as data loss or server failure.
> See also: Sky employee leaked customer data
While many organisations still rely on time consuming manual processes for change monitoring and auditing, others take a costly sledgehammer approach to the problem and opt for a SIEM (Security Information and Event Management) solution.
However, SIEM integrates other functions such as automatic remediation and intrusion prevention, making it an expensive and complex option if your focus is on audit reliability, speed and consistency. And SIEM still relies largely on interrogating native audit logs that can be tampered with by privileged users.
There is another way. Specialist change auditing software can deliver a reliable and consistent view of what is going on at around a third of the cost of SIEM. It captures multiple streams of data from multiple sources, then filters, translates, sorts and compresses the results for easy access, storage and archiving – and also provides real-time alerting and automated reports.
And importantly, it provides an accurate picture of network activity by capturing a ‘snapshot’ before and after a change is made and there are even video tools that effectively provide ‘CCTV’ for IT systems.
Change audit must be taken seriously and the channel has its part to play by educating customers and offering relevant tools. And it’s not just for compliance or to keep the auditors happy. By the time you have identified an abuse of privilege or insider error and got to the source by trawling through native logs – it could be too late.