Wednesday 08 September, 2010



Reducing the risk of insider attack, data loss, and unmanaged change

Companies face significant challenges in controlling change in their Active Directory environments. This white paper describes the need for more effective Active Directory monitoring as part of a broader change-control process, the problems with current approaches, and how to leverage NetIQ products to assure policy compliance and operational integrity.

The Need to Monitor and Control Change

The ability to effectively and efficiently monitor and audit Active Directory (AD) has never been more important. 

As organizations work to reduce the risk of data breaches and insider attack, security and operational teams are recognizing the vital importance of detecting and, as much as possible, preventing unmanaged changes to Active Directory and Group Policy.

This requirement is further driven by the need of the business and auditors to meet regulatory requirements and demonstrate that appropriate controls are in place to meet those regulations, policies, and standards.

The problem is that IT environments are in a constant state of change, and every change represents risk: risk that external attackers may breach security controls, risk that an insider may use elevated privileges to steal sensitive data, and risk that an administrator may simply make a mistake with a significant, negative business impact. An overworked administrator may circumvent change control policy in order to respond to a business request and accidentally make thousands of systems unavailable to their users. Likewise, a malicious insider executing an attack to steal sensitive data may well begin by escalating the privileges of an account to gain greater access to the target resources.

Unmanaged changes in particular are behind many system failures and security incidents. Even when properly managed, changes to Active Directory may cause outages because dependencies within the infrastructure are not visible to the person making the change.

Unfortunately, the prevailing approach to addressing problematic changes – reactively fighting fires – is unacceptable. Active Directory forms the foundation of user management and access control; therefore, good security for Active Directory is essential to maintaining the availability, integrity and confidentiality of both critical systems and the data they house.

Reducing Risk and Standardizing Controls


Effective change management ensures that standardized processes for all changes are enforced. These processes should facilitate the efficient and prompt handling of all changes, yet maintain the proper balance between the need for the change and the risk that the change has a negative impact on the business.

Unfortunately, change controls are often heavily manual procedures, making them ineffective and expensive. Worse, these manual processes are rarely well integrated with other change detection and management technologies, which reduces the ability of the operational and security teams to respond rapidly to changes and reduce risk to data and services. Unless a change to a significant element of organizational infrastructure such as Active Directory can be placed in the context of other events and processes, there is far less chance to identify when a privileged user is conducting an attack or an accidental change is having a negative business impact.

Integrating Change Monitoring

Integrated change monitoring closes the loop on the change management process and enforces control over the execution of change. Most importantly, change is controlled throughout the implementation and is verifiable, auditable, and recoverable.

Good change monitoring provides documented proof that change and security controls are effective, demonstrates that only authorized and intended changes have been made to AD environments, and supports change control policy and security best practices.

In addition to the need to provide secure controls around access to critical systems and data, the organization must also meet its objectives around compliance with regulations and policies, both internal and external. 

Good change monitoring will therefore have a direct impact on the way Active Directory is managed and improve the ability to ultimately eliminate unmanaged change. Change monitoring processes should be able to rapidly detect when an unmanaged or unauthorized change is taking place and ensure that the appropriate response occurs – generating an alert, escalating information to security personnel, or even initiating a process to remediate the change itself.

Policy Compliance

Another significant driver for monitoring changes in Active Directory is the need to demonstrate compliance with policies and standards.

The mandates for Active Directory security and compliance come from many sources. Perhaps the most common sources are regulations and industry standards, such as PCI-DSS (Payment Card Industry Data Security Standard), Sarbanes-Oxley, and FISMA Accord. Indeed, external auditors routinely review their clients’ compliance programs as part of the financial audit. Unfortunately, many organizations do not have robust or complete information compliance policies, and those that do may struggle to implement those controls on something as dynamic as Active Directory.

Documenting change control policy, and showing that such controls are in place, is essential to maintaining compliance. An integrated approach to change detection and management is therefore the best way to ensure that compliance drivers are met.

The Risk of Traditional Approaches for Active Directory Monitoring

Although the ability to detect when changes have occurred to Active Directory is vital to maintaining the security and integrity of assets, the methods for ensuring the security of Active Directory have, in many cases, not evolved at the same rate as the risks and threats. This represents a critical and growing organizational vulnerability.

Traditional approaches to managing change within Active Directory can be traced back to the earliest days of using AD in the corporate environment; therefore, they are often inadequate when faced with the much broader, and more critical, use of AD today.

Such processes are often:

Highly manual – Manual processes, using native tools, place an excessive burden on AD management teams. As such, these processes are difficult to scale across the enterprise, are error-prone, costly, and often come at the expense of more strategic planning and projects.

Slow to detect change – The inability to rapidly detect changes to AD represents a very meaningful risk to security and compliance. Even a well-intentioned administrator can make an accidental change that can result in business disruption. A motivated and skilled attacker can extensively undermine security policy through changes to AD and Group Policies. If these changes are not detected quickly, it may be too late to stop an attack before the damage is done.

Not integrated with other security technologies – The lack of integration between AD management, change controls, and other security technologies, such as compliance assessment and especially Security Information and Event Management (SIEM) tools, is a dangerous blind spot in overall security monitoring. Without it, security and AD teams cannot place changes in the context of other events within the infrastructure, or rapidly confirm that a change was authorized and planned in the change management or ticketing system.

Not scalable across the enterprise – Processes that are manual, slow and poorly integrated may not scale well within a rapidly changing enterprise environment. As a result, AD security and the ability to manage change become less and less aligned with business and security needs. This will only be compounded as technologies such as Active Directory become integral to broad Identity and Access Management (IAM) programs.

Criteria for the Ideal Solution


The ideal solution for Active Directory monitoring should meet the following requirements:

Reduces the workload of IT auditors and other involved personnel – Any Active Directory management approach should be efficient. It should leverage automated technology when possible, and minimize the number of manual procedures.

Assesses compliance with policies, regulations, standards and leading practices – Compliance with applicable policies and standards (i.e., benchmarks) and other drivers (e.g., PCI-DSS, Sarbanes-Oxley, FISMA) is important in today’s business. The solution should facilitate compliance by identifying exceptions from policies and standards.

Leverages existing infrastructure whenever possible – Organizations should not have to deploy a completely new monitoring framework just to support the necessary monitoring and auditing of Active Directory. An ideal solution would take advantage of existing systems and agents to provide monitoring, reporting and alerting of Active Directory changes.

Provides an accurate assessment of security posture – Active Directory audits should provide a comprehensive picture of security. They should provide a view from the inside out, so that it is clear where compliance exceptions and vulnerabilities exist.

Supports real-time monitoring and continuous auditing – The solution should be completely automated and work “hands free.” This means the solution should enable assessments to be scheduled on a recurring basis and performed during off hours, and should hold the results and data securely for subsequent reporting and analysis.

Scales securely – The solution should grow with the business and support the entire enterprise. This means the solution should work over large, distributed Active Directory domains with little impact on utilization and other resources. Moreover, it should communicate and store data securely, so that the solution itself does not become a potential exposure.

Provides insight into different types of change – It is not enough just to know that change is occurring. In order to help administrators, management and auditors, the ideal solution should help to classify and identify the types of changes occurring in the Active Directory environment so that there is an understanding of which changes and personnel are following defined processes.

NetIQ’s Approach to Active Directory Change Management

NetIQ® Change Guardian™ for Active Directory delivers real-time monitoring and alerts you to changes in your Active Directory environment. It also provides detailed audit reporting that shows changes made inside or outside of your change process, as well as the level of importance of each change.

Not only does this ensure that changes to the production infrastructure are authorized, tested, and approved, but it also identifies unauthorized changes and how they impact audit metrics. This technology is well integrated with leading SIEM solutions, in order to enable rapid detection of changes to be placed in the context of activity, especially privileged-user activity, and to more easily identify insider attacks before they cause significant damage.

Benefits of NetIQ Change Guardian for Active Directory

NetIQ Change Guardian for Active Directory minimizes the risks associated with operational changes to Active Directory. The product provides the visibility you need to protect your Active Directory environment from dangerous security exposures and costly service disruptions by automating and simplifying Active Directory change monitoring.

Improving Compliance and Security Posture for Active Directory

Risk exposure from operational changes is most effectively managed with a change control effort that closely monitors changes to Active Directory. NetIQ Change Guardian for Active Directory enables IT security teams and AD administrators to perform IT security audits efficiently on the most important aspects of Active Directory and also scales to support both large and small implementations – from those in a single domain to domains distributed around the world.

Moreover, because monitoring occurs on a real-time, continuous basis, NetIQ Change Guardian for Active Directory enables you to identify and alert on potential policy compliance issues at any time, so that issues can be addressed within minutes instead of hours or days.

Minimizing cost while maximizing existing infrastructure

NetIQ Change Guardian for Active Directory enables you to maximize the technology you already use. Not having to deploy a new infrastructure just to monitor and alert on Active Directory changes means that your organization can realize the additional benefits of monitoring and reporting without having to learn entirely new interfaces or incur additional impacts on performance.

Reinforcing change control processes through metrics


Providing the ability to differentiate between managed, unmanaged, and high-profile changes in Active Directory gives organizations a unique opportunity to really see which changes are occurring within or outside of their change control process – a very important metric for the auditing process.
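The detect-and-respond process described under Integrating Change Monitoring (detect an unauthorized change, then alert or escalate) and the managed/unmanaged/high-profile distinction above come down to one reconciliation step: matching each directory change event against the approved-change records and a watch list of sensitive objects. The script below is an added example of that logic; it is not code from NetIQ or from Change Guardian. It assumes a constructed, pipe-delimited export of audit events (timestamp, event ID, actor, target DN, detail) and a constructed list of approved change tickets; the Windows Security event IDs are real, while the domain, accounts, group names and ticket numbers are made up for the illustration.

```python
"""Reconcile Active Directory change events against approved change tickets,
classify each as managed or unmanaged, and escalate changes to high-profile
objects. All sample data is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime

# Windows Security event IDs that record directory changes (real IDs).
CHANGE_EVENTS = {
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4738: "user account changed",
    5136: "directory service object modified",
}

# Well-known GUID of the Default Domain Policy GPO; the domain is constructed.
GPO_DN = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"

# Constructed watch list: changes to these objects matter even when ticketed.
HIGH_PROFILE_TARGETS = {
    "CN=Domain Admins,CN=Users,DC=corp,DC=example",
    "CN=Enterprise Admins,CN=Users,DC=corp,DC=example",
    GPO_DN,
}


@dataclass(frozen=True)
class ChangeEvent:
    timestamp: datetime
    event_id: int
    actor: str      # account that made the change
    target: str     # distinguished name of the changed object
    detail: str


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    actor: str      # account approved to make the change
    target: str     # object the ticket covers
    start: datetime # approved change window
    end: datetime


def parse_event(line: str) -> ChangeEvent:
    """Parse one constructed audit line: <ISO time>|<event id>|<actor>|<target DN>|<detail>."""
    ts, eid, actor, target, detail = line.split("|", 4)
    return ChangeEvent(datetime.fromisoformat(ts), int(eid), actor, target, detail)


def classify(event, tickets, high_profile=HIGH_PROFILE_TARGETS):
    """Return (status, response): status is 'managed', 'unmanaged' or 'ignored';
    response is the monitoring action: 'log', 'alert' or 'escalate'."""
    if event.event_id not in CHANGE_EVENTS:
        return ("ignored", "none")
    authorized = any(
        t.actor.lower() == event.actor.lower()
        and t.target.lower() == event.target.lower()
        and t.start <= event.timestamp <= t.end
        for t in tickets
    )
    status = "managed" if authorized else "unmanaged"
    if event.target in high_profile:
        # A ticketed change to a sensitive object still needs a human check;
        # an unticketed one goes straight to the security team.
        return (status, "alert" if authorized else "escalate")
    return (status, "log" if authorized else "alert")


def audit(log_text, tickets):
    """Classify every line and compute the change-control metric: how many
    detected changes fell inside an approved ticket window."""
    results = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            status, response = classify(ev, tickets)
            results.append((ev, status, response))
    changes = [r for r in results if r[1] != "ignored"]
    managed = sum(1 for r in changes if r[1] == "managed")
    metrics = {
        "changes": len(changes),
        "managed": managed,
        "unmanaged": len(changes) - managed,
        "escalations": sum(1 for r in changes if r[2] == "escalate"),
    }
    return results, metrics


# Constructed approved-change records.
TICKETS = [
    ChangeTicket("CHG-1001", "CORP\\jdoe", "CN=Finance Users,OU=Groups,DC=corp,DC=example",
                 datetime(2010, 9, 7, 20, 0), datetime(2010, 9, 7, 22, 0)),
    ChangeTicket("CHG-1002", "CORP\\gpoadmin", GPO_DN,
                 datetime(2010, 9, 8, 21, 0), datetime(2010, 9, 8, 22, 0)),
]

# Constructed audit export: one ticketed change, one made after the window
# closed, one unticketed change to Domain Admins, one ticketed GPO edit, and
# a logon event that is not a change at all.
SAMPLE_LOG = "\n".join([
    "2010-09-07T20:15:00|4728|CORP\\jdoe|CN=Finance Users,OU=Groups,DC=corp,DC=example|added CORP\\asmith",
    "2010-09-07T23:40:00|4728|CORP\\jdoe|CN=Finance Users,OU=Groups,DC=corp,DC=example|added CORP\\bjones",
    "2010-09-08T02:05:00|4728|CORP\\svc_backup|CN=Domain Admins,CN=Users,DC=corp,DC=example|added CORP\\svc_backup",
    f"2010-09-08T21:10:00|5136|CORP\\gpoadmin|{GPO_DN}|gPCMachineExtensionNames modified",
    "2010-09-08T09:00:00|4624|CORP\\jdoe|-|interactive logon (not a change event)",
])

if __name__ == "__main__":
    rows, summary = audit(SAMPLE_LOG, TICKETS)
    for ev, status, response in rows:
        print(f"{ev.timestamp:%Y-%m-%d %H:%M} {ev.event_id} {ev.actor:<16} {status:<10} {response}")
    print(summary)
```

The "managed" share in the returned metrics is the figure an auditor asks for: how many of the observed changes can be tied to an approved ticket. Matching on actor, target and time window is deliberately strict, so a ticket does not excuse a change to a different object or one made after the window closed, and a change to a watch-listed object is never silently logged.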

Increasing availability and reducing risk

Assuring that AD administrators and other privileged personnel are making changes according to corporate policy and process through the use of smart monitoring can provide confidence to your organization that risk is being mitigated and that necessary systems and services will be available to the knowledge workers in your organization.

Conclusion: NetIQ Change Guardian for Active Directory - Detecting Change and Reducing Risk

As never before, IT auditors and managers, as well as Active Directory administrators, require a tool designed for both policy compliance assessments and operational integrity reporting that also provides real-time alerting on the types of changes that matter most.

NetIQ Change Guardian for Active Directory automates and streamlines the AD auditing process, freeing up administrators from manually gathering historical data from log files and enabling security teams to identify and respond more effectively to potential attacks.

By enabling the rapid detection and response to unmanaged changes in Active Directory, organizations will be able to most directly support and reinforce existing security controls, and directly reduce the workload on the critical Active Directory management teams – the first line of defense against attacks to critical systems and sensitive data.

About NetIQ

NetIQ, an Attachmate business, is a leading provider of comprehensive systems and security management solutions that help enterprises maximize IT service delivery and efficiency. With more than 12,000 customers worldwide, NetIQ solutions yield measurable business value and results that dynamic organizations demand. NetIQ's best-of-breed solutions help IT organizations deliver critical business services, mitigate operational risk, and document policy compliance. The company's portfolio of award-winning management solutions includes IT Process Automation, Systems Management, Security Management, Configuration Control, and Enterprise Administration.

About Attachmate

Attachmate enables IT organizations to extend mission-critical services and assure they are managed, secure, and compliant. Our goal is to empower IT organizations to deliver trusted applications, manage service levels, and ensure compliance by leveraging knowledge, automation, and secured connectivity. To fulfill that goal, we offer solutions that include host connectivity, systems and security management, and PC lifecycle management.