When good admins go bad

April 12, 2012

Let’s face it – security breaches will happen. The main question is when. The recent data breach report from Verizon just reinforces this statement with unprecedented growth of security attacks reported across the board. Continue here.

Use case: Tracking user logons across the heterogeneous enterprise IT

March 2, 2012

Quest InTrust and Authentication Services comprise a killer combination to help you track user logons in the IT environment where both Windows and Unix servers and desktops are employed. Continue here.

Latest and greatest InTrust version 10.4 comes out of the door

January 25, 2012

The version 10.4 of InTrust advances in all three main capabilities attributed to successful event log management products. Continue here.

Custom InTrust add-in for reporting on DNS debug logs

October 27, 2011

I’m pleased to announce the availability of another custom InTrust add-in extending the product reach to new types of logs. This add-in continues a series of out of band solutions we make available to the InTrust customers outside of the official product release.

This time it’s the add-in that let’s you collect debug logs generated by Microsoft DNS servers.

Continue here.

OnDemand Log Management: Now supporting syslog, agent less collection and more

August 25, 2011

OnDemand Log Management gets exciting new features that help you comply with IT regulations, stay on top of changes to critical IT resources and detect and react to security issues. Continue here.

Stay on top of security issues with OnDemand Log Management

January 27, 2011

You tell me how important it is to keep a close eye on the Holy Grail of most IT environments today – Microsoft Active Directory.  No one else can solve this pain for you in a more elegant way than OnDemand Log Management with its extended auditing capability which covers Active Directory and other IT infrastructure components.

In this short video watch how subscription bases OnDemand Log Management lets you:

  1. Easily set up comprehensive tracking of all changes made to Active Directory irregardless of the native auditing configuration
  2. Perform investigation of security issues by giving you tools to effectively search and analyze audit trails
  3. Take proactive measures to prevent security incidents from happening in the future
  4. Prepare evidence reports suitable for presenting to CSOs and external auditors

Want to conduct your own investigation now?

Sign up for a full functional trial and let us know how it goes.


A better way to do custom reporting

December 23, 2010

As the year wraps up and the Christmas Eve rapidly approaches we’re making some exciting updates to the OnDemand Log Management we want you to hear about.

We’re pleased to offer a brand new custom reporting functionality that not only allows you to run any of the pre-defined reports but also build your own with the same ease.

The new export to PDF feature came to replace the old way of reporting that is now gone as is the Reports tab where you’d previously find it. Check out this short video that shows the new and straightforward process of building custom reports based on favorite searches. Now it literally takes the same amount of time as the video runs.

Wait, we’ve got some more news for you.

If you take a closer look to the home page of the product you’ll notice that it now contains another chart which lets you quickly assess the state of alerts you configured for your environment. Here is the sample screenshot of the Top Alerts chart:

Lucky owners of the commercial service subscription get another handy tool. With a help of Events by Time chart you can do basic trend analysis and watch for unusual event peaks. Here is a sample of this chart as well.

Both new charts have interactive features and drill down capability which instantly sets you up for further investigation.

We look forward to continuing expanding the product feature set throughout the next year.

Happy holidays!

Extended Auditing for Active Directory and File Servers now available in OnDemand Log Management

December 3, 2010

I’m sure many of IT admins happened to have this poor feeling when they couldn’t get from the logs a piece of information they were looking for. Partly because they didn’t have an appropriate log management tool in place. Partly because the logs themselves didn’t provide the level of details admins expected them to provide. It becomes especially frustrating in the change management world. If logs you rely on can’t give a full picture of the change that was made in the past how can you conduct a thorough change review to make sure that every change is made for a reason and according to your security policies?

Quite a few of the early adopters of OnDemand Log Management echoed this concern. As you know we’ve been listening to your feedback very carefully so we addressed this concern with the recent introduction of the so called Extended Auditing for Active Directory and File Servers. It’s Extended Auditing because it provides additional level of details compared to what you can extract from the native operating system or application logs.

Extended Auditing is instantly available to all of existing and yet to come customers of OnDemand Log Management. It is activated in the agent installation wizard by selecting Extended Auditing option as shown below. Just keep in mind that these options will only show up when you’re installing the agent to the server OS holding the corresponding server role: Active Directory server or file server.

Once you’ve let the agent capture first changes to your Active Directory objects or files and directories you can instantly view them by using one of the predefined searches that end with (Extended Auditing)

In this post I’m going to go through top 5 reasons why Extended Auditing gives you additional piece of mind from the change management standpoint. So, here they go

1. Capturing originator’s IP address

Unlike with Object Access events from the native Security log with Extended Auditing you can trace all changes down to a workstation from which the change originated. So, if multiple people in your organization use the same administrative account to perform their duty you could possibly distinguish between them by looking up the IP address they used.

2. Full Active Directory change auditing down to the attribute level with before and after values

As the screenshot above shows for each change being made to Active Directory Extended Auditing scrupulously seizes all the details including the object attribute and more importantly the before and after values.  Not only you can replay a sequence of changes made to Active Directory within a specified time period but also roll them back if they deem inappropriate. Unlike with the native Windows auditing subsystem there is no need to go through a time consuming process of setting up the auditing configuration. Once Extended Auditing for Active Directory is enabled it immediately starts intercepting changes and change attempts to all objects in Active Directory.

3. Group Policy settings change auditing

The only indication of changes ever made to Group Policy configuration that can be found in the native Security log is an event like this below. Unfortunately, no way it’d tell you whether this change concerned one of the security policies like Account Lockout Policy or it just targeted one of the application configuration settings.

Compare this to the event you’d get with a help of Extended Auditing in OnDemand Log Management. In addition to the name of the Group Policy object you would easily see both the name of the affected setting and its before and values!

4. Detailed permission change tracking

Those of you that can’t read with naked eye a lengthy sequence of hexadecimal numbers will have no clue who actually was granted or revoked what permissions to a file or Active Directory object. Simply because this is how Windows stores permissions in the object’s security descriptor and native event logs don’t bother decrypting this format.

Extended Auditing makes things a way easier by breaking each permission change down into a series of events in which you can clearly see what user or group was granted or revoked which permission to the file or Active Directory object in question.

5. Accurate file and share access auditing

As you know due to the implementation details of the Windows auditing subsystem the accuracy of file access audit events really depends on how well behaved the application that works with those files is. It can turn into a real mess when a lot of file activity happens behind the scenes which is the case with Microsoft Word.

Extended Auditing for File Servers brings that mess in order. However complex the underlying file manipulations are it will always capture the real operations performed on a file, directory or share. So instead of having to guess whether this file open event actually resulted in a subsequent file write or not you’ll know for sure when the file was changed, deleted or moved.

And for every file access event you’ll get the entire picture including the file operation, the name and IP of the user who made the change and the application executable that carried out the request on the user’s behalf.

As you might guess there are many other cases where Extended Auditing does a much better job capturing every single aspect of a change being made to files, folders, shares and Active Directory objects. And the best way to feel it is to give it a free try by yourself.

With the help of Extended Auditing you can bring change management processes to an absolutely new level where tight and all encompassing control of changes becomes a reality.

CloudCamp experience

November 11, 2010

I wanted to drop a note about an unusual cloud event I recently attended in San Francisco.

CloudCamp is a half day conference related to trends in cloud technologies. It’s held throughout the world and supported by well known experts and companies in the cloud industry.
It was a 4 hour event packed with a lot of interesting content and discussions. I liked the idea that attendees could submit topics for discussions and a self nominated panel of cloud experts could pick up any questions they felt comfortable answering over the beer :).
The event started with vendor sponsored enlightening talks. Speakers were teaching the audience what’s unique about the cloud restraining from pitching their own tools.
Scalr and RighScale shared VM pattern based approaches they use to efficiently scale cloud applications up and out. Jeremiah Peschka from Quest Software raised the importance of NoSQL databases and explained how Toad for Cloud Databases can help developers interact with cloud databases in the way they’ve been doing with traditional RDBMs.
Adrian Cockroft from Netflix talked about the company’s experience with the recent infrastructure migration to Amazon EC2 (which turned out being a complete rewrite) and what they would like to see provided by yet to mature NoSQL databases. Other presentations were delivered by guys from IBM, Tropo and Twilio.

Everyone agreed that security, reliability and NoSQL will continue being the cloud buzz words throughout 2011.

The break out session on PaaS held by Sebastian Stadil was of particular interest to me. Today most of the cloud derived value comes from IaaS while PaaS still has to go a long way to become an attractive alternative to traditional development platforms.
The group was debating when leveraging PaaS can make sense today. The agreement was the PaaS might be a good start for a “two guys in the garage” startup to quickly spin up their startup project. It becomes more difficult to stick with the PaaS of choice when the service grows and you have to keep up with the increasing demand at the same time staying profitable and not locking yourself into a single platform vendor.

This is when open source projects can play very important role to bridge the gap. Announced at the event the project typhoonae is an open source implementation of Google AppEngine API that can run in any virtual environment. Its flexible architecture let’s you plug in any NoSQL database as a storage backend while making transparent the migration from Google AppEngine PaaS to your choice of IaaS. So, if down the road you’ve learned that for your type of application immediate data consistency can be traded off in favor of constant data availability you could easily switch from say Google Big Table to Cassandra or MongoDB running in Amazon EC2.

Apparently, over the course of the next couple of years we’ll continue seeing the convergence of IaaS and PaaS . For cloud providers this is the only viable way to provide a rapid development platform for highly available, massive data processing applications and cut the cost of on premise applications migration. What an interesting age we’re living in!