netwrix it audit seminar

Simple, Efficient, Affordable

#1 for Change Auditing#1 for Change Auditing#1 for Change Auditing#1 for Change Auditing



Richard AuRichard AuRichard AuRichard AuSales Director, Asia & JapanSales Director, Asia & JapanSales Director, Asia & JapanSales Director, Asia & [email protected]@[email protected]@netwrix.com+852-9460-6840+852-9460-6840+852-9460-6840+852-9460-6840

©2011 All rights reserved. NetWrix is trademark of NetWrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other

countries. All other trademarks and registered trademarks are the property of their respective owners. These materials are intended for use by employees of NetWrix Corporation, its

branches and subsidiary companies, and by NetWrix Official Partners. In addition, these materials may be used by others in any capacity so long as advancing the use of NetWrix

products is the sole objective.

NetWrix IT Audit SeminarUnified Auditing for Critical IT Systems



Agenda • Data is an Asset class? 数据是一种资产吗？

• Is Change Auditing important? 变更审计重要吗？

• Real Use Cases – do you need it? 真实案例—你需要吗？

• What is Change Auditing software? 什么是变更审计软件

• NetWrix Architecture and How it Works 架构及工作原理

• Questions & Answers



Customer Data as an Asset Class 作为资产类别的企业数据

• Constantly appreciating 不断升值

• Files grow in size, importance, complexity 数据文件变得越来越

大，越重要，越复杂

• Many different file types 很多不同格式的文档



Using the Asset: Collaboration资产的使用：协作

Files that can’t be shared are a frozen asset.不能使用的数据文件就像被冻结的资产。

(like money that can’t be spent)就像不能花的钱一样



If Data Was Money?如果数据是钱• Imagine…想象一下

– Many people could access company accounts很多人都能直接存取公司的银行账户

– Budgets and spending rarely reviewed 预算和花费很少被检查

– No budget limit 没有预算上限

– No financial statements 没有财务报表

– No fraud detection 没有舞弊侦测

• What would that mean?那意味这什么？

– Big $$$ Loss 会损失很多钱

– No accountability 没有问责

– Chaos 混乱



Data assets need the same controls as financial assets我们要像对待财务资产一样对待数据资产

• Only the right people have access Only the right people have access Only the right people have access Only the right people have access 只有合适的人员有存取权限

• Access is continually maintained Access is continually maintained Access is continually maintained Access is continually maintained 持续维护存取权限

• Use is monitored Use is monitored Use is monitored Use is monitored 监控使用情况

• Abuse is observed and controlled Abuse is observed and controlled Abuse is observed and controlled Abuse is observed and controlled 滥用行为被记录和控制



Is there a Need? Improve & Audit Access Control?有没有这样的必要？是否需要审计及提升存取控制

• Compliance – internal audit requirements 合规----内部审计的需要

– Auditors, PCI, SOX, HIPPA, ISO27000, and Personal Privacy Act

• Data security – protect sensitive data 数据安全---保护敏感数据

– File level auditing, permissions management, and data owner identification 文件级别的检查，权限管理，数据经理分派。



• Entitlement Reviews – easier and faster 检查权限----更快更简单

– Who can access sensitive data 谁能存取敏感数据

– Snapshot permissions view by date and folder可以从不

同纬度观察权限情况。

• Risk Management – spot bad behavior 风险管理-----定位“坏行为”

– No more excessive permissions 没有“过度”的权限



关键系统的关键信息

NetWrix Architecture 技术架构

本地事件

系统配置

可扩展存储(4W)(4W)(4W)(4W)


Change Reporter SuiteChange Reporter SuiteChange Reporter SuiteChange Reporter Suite

AuditArchiveAuditArchiveAuditArchiveAuditArchive™™™™

分析

恢复报警

报告

AuditAssuranceAuditAssuranceAuditAssuranceAuditAssurance™™™™

AuditIntelligenceAuditIntelligenceAuditIntelligenceAuditIntelligence™™™™

操作及存取权限



NetWrix AAA Technology Platform技术平台

AuditAssuranceAuditAssuranceAuditAssuranceAuditAssurance™™™™ technology consolidates audit data from consolidates audit data from consolidates audit data from consolidates audit data from multiple independent sourcesmultiple independent sourcesmultiple independent sourcesmultiple independent sources, filling-in key details not present in any single source.

AuditIntelligenceAuditIntelligenceAuditIntelligenceAuditIntelligence™™™™ technology provides a complete audit picture by transforming raw audit data into meaningful transforming raw audit data into meaningful transforming raw audit data into meaningful transforming raw audit data into meaningful and actionable intelligence.and actionable intelligence.and actionable intelligence.and actionable intelligence.

AuditArchiveAuditArchiveAuditArchiveAuditArchive™™™™ technology provides long-term archivingprovides long-term archivingprovides long-term archivingprovides long-term archiving, making your data available for historical reporting and forensics analysis.



White Papers & Case Studies• How to Effectively Audit Your IT Infrastructure• Tracking File Access for Auditing and Compliance• File Auditing in the Enterprise• Exchange Auditing• Group Policy Auditing• Zoll Systems - HIPAA and SOX Compliance Processes

Automation• L3 Communications – Tracking AD and Group Policy Changes

for SOX Compliance• IBF Consulting – Improving Data Security and Expediting IT

Support in Private Equity Investment Firm



Thank YouThank YouThank YouThank YouRichard AuRichard AuRichard AuRichard Au

[email protected]@[email protected]@netwrix.com+852-9460-6840+852-9460-6840+852-9460-6840+852-9460-6840



···· Compliance Suites for SOX,PCI,HIPAA,FISMA,GLBA Compliance Suites for SOX,PCI,HIPAA,FISMA,GLBA Compliance Suites for SOX,PCI,HIPAA,FISMA,GLBA Compliance Suites for SOX,PCI,HIPAA,FISMA,GLBA ···· All components can be acquired individually All components can be acquired individually All components can be acquired individually All components can be acquired individually

Product Suites and ComponentsEnterprise Management SuiteEnterprise Management SuiteEnterprise Management SuiteEnterprise Management Suite

Change Reporter Suite Change Reporter Suite Change Reporter Suite Change Reporter Suite Identity Management SuiteIdentity Management SuiteIdentity Management SuiteIdentity Management Suite Additional ComponentsAdditional ComponentsAdditional ComponentsAdditional Components

• Active Directory Change Active Directory Change Active Directory Change Active Directory Change ReporterReporterReporterReporter

• Group Policy Change Group Policy Change Group Policy Change Group Policy Change ReporterReporterReporterReporter

• Exchange Change Reporter Exchange Change Reporter Exchange Change Reporter Exchange Change Reporter includes Non-owner Mailbox includes Non-owner Mailbox includes Non-owner Mailbox includes Non-owner Mailbox Access ReporterAccess ReporterAccess ReporterAccess Reporter

• File Server Change ReporterFile Server Change ReporterFile Server Change ReporterFile Server Change Reporter• SQL Server Change ReporterSQL Server Change ReporterSQL Server Change ReporterSQL Server Change Reporter• SharePoint Change ReporterSharePoint Change ReporterSharePoint Change ReporterSharePoint Change Reporter• VMware Change ReporterVMware Change ReporterVMware Change ReporterVMware Change Reporter• Change Reporter for System Change Reporter for System Change Reporter for System Change Reporter for System

Center for Virtual Machine Center for Virtual Machine Center for Virtual Machine Center for Virtual Machine ManagerManagerManagerManager

• Logon ReporterLogon ReporterLogon ReporterLogon Reporter• Network Infrastructure Network Infrastructure Network Infrastructure Network Infrastructure

Change ReporterChange ReporterChange ReporterChange Reporter• User Activity Video ReporterUser Activity Video ReporterUser Activity Video ReporterUser Activity Video Reporter

• Password ManagerPassword ManagerPassword ManagerPassword Manager• Password Expiration NotifierPassword Expiration NotifierPassword Expiration NotifierPassword Expiration Notifier• Inactive Users TrackerInactive Users TrackerInactive Users TrackerInactive Users Tracker• Logon ReporterLogon ReporterLogon ReporterLogon Reporter

• Event Log ManagerEvent Log ManagerEvent Log ManagerEvent Log Manager• Bulk Password ResetBulk Password ResetBulk Password ResetBulk Password Reset• Disk Space MonitorDisk Space MonitorDisk Space MonitorDisk Space Monitor• Service MonitorService MonitorService MonitorService Monitor• USB BlockerUSB BlockerUSB BlockerUSB Blocker• Privileged Account ManagerPrivileged Account ManagerPrivileged Account ManagerPrivileged Account Manager• Account Lockout ExaminerAccount Lockout ExaminerAccount Lockout ExaminerAccount Lockout Examiner

Freeware Freeware Freeware Freeware –––– blue color blue color blue color blue color



NetWrix Corporation• Founded in 2006 HQ located in New Jersey • Philosophy - Simple, Efficient and Affordable• Global customer base of approximately 6000• As of 2011 approximately 6M licenses sold• Focused on Auditing with an R&D to staff ratio 3:1• Offices in North America, UK and APACJ• Microsoft Gold Certified Partner



• ING Direct• Verizon Business Systems• Massachusetts Port Authority• Forex Capital Markets• Columbia University• Berkshire Hathaway• Blue Cross of Idaho• Zurich Financial Services• WebMD• Tower Group• Thomson Reuters• Teachers Insurance • Boston Medical Center• Massachusetts General Hospital• Zoll Pharmaceuticals

• Bureau of National Affairs • State of Maine• NYC Dept. of Transportation• US Military Academy• US District Court, SDNY• Fiserv• Edelman Financial Services• Denmark State Bank• Universal NBC• Alaska State Legislature• Berkeley National Laboratory• Black & Decker• Fred Hutchinson Cancer Research• National Institute of Health (NIH)• Vertex Pharmaceuticals

Customer List



Typical Audit QuestionsPlatformPlatformPlatformPlatform Typical Audit QuestionsTypical Audit QuestionsTypical Audit QuestionsTypical Audit Questions

Active DirectoryActive DirectoryActive DirectoryActive Directory• Who added a user to a specific security group?• Who created a new user account?• Who delegated management rights to OU?

MS ExchangeMS ExchangeMS ExchangeMS Exchange• Who deleted a mailbox?• Who changed mailbox permissions?• Who reconfigured information store?

File ServerFile ServerFile ServerFile Server• Who changed file permissions on NetApp Filers?• Who accessed sensitive files on file servers?• Who deleted files from file server?

Group PolicyGroup PolicyGroup PolicyGroup Policy• Who deactivated strong password policy?• Who unlinked GPO from organization unit?• Who configured new software installation policy?



Typical Audit QuestionsPlatformPlatformPlatformPlatform Typical Audit QuestionsTypical Audit QuestionsTypical Audit QuestionsTypical Audit Questions

VMwareVMwareVMwareVMware• Who created a new virtual machine?• Who changed resource pool parameters?

SQL ServerSQL ServerSQL ServerSQL Server• Who changed table structure in a production SQL database?• Who deleted production SQL database?• Who added new database login?

Server Server Server Server ConfigurationConfigurationConfigurationConfiguration

• Who installed what software?• Who changed computer configuration settings?• Who made changes to registry?

SharePointSharePointSharePointSharePoint• Which web applications were created/changed/deleted?• What servers were added to / removed from a farm?• What changes occurred to the incoming/outgoing e-mail settings?

SCVMM SCVMM SCVMM SCVMM EnvironmentsEnvironmentsEnvironmentsEnvironments

• What changes occurred to virtual machine configuration?• What virtual machines were added/deleted?



How it Works

netwrix it audit seminar

Documents