TOM KEMP'S CENTRIFY BLOG

Now Entering the Room: DirectAudit

Tuesday, March 13, 2007

Today we are really excited to announce a major new product, Centrify DirectAudit.

In a nutshell, Centrify DirectAudit addresses regulatory compliance requirements for auditing, logging and reporting on user activity within your UNIX/Linux environment in an easy-to-use, secure and reliable manner. DirectAudit helps you detect suspicious activity and lets you granularly track activity down to which users accessed what systems, what commands were executed and what changes were made to key files and data. DirectAudit also provides in-depth diagnostic troubleshooting capabilities by letting you replay and report on user activity that may have contributed to system failures, and lets you perform real-time monitoring of who is currently accessing all of your UNIX/Linux systems.

Our beta sites and Systems Engineers found the product incredibly easy to install and use, and people absolutely love the way it allows an auditor or systems administrator to "play back" user sessions. I likened it to a "TiVo for Linux" or a "TiVo for UNIX" until I was told that folks in Europe don't know what TiVo is, so now I describe it in VCR terms. I also love how you can "google" (i.e. search) the transcripts for key words and run pre-packaged reports. Definitely check out the five-minute demo and/or the 30-minute chalk talk I did with our CTO, Paul Moore.

DirectAudit does a nice job of complementing our DirectControl solution. DirectControl lets organizations secure their non-Microsoft platforms using the same authentication, authorization and Group Policy services deployed for their Windows environment. DirectAudit complements DirectControl by delivering comprehensive auditing, reporting and logging of user activity on non-Microsoft systems. Together our solutions enable organizations to improve IT efficiency, better comply with regulatory requirements, and centrally audit and control access to their heterogeneous computing environment. To me the two products address the classic "3As" of Identity Management: Authentication, Authorization (aka Access Control) and Auditing. We are the only vendor to do so with an Active Directory-centric approach.

To me there are three main reasons a prospective customer should request an evaluation and frankly buy the product ASAP.

The first is to meet regulatory requirements around auditing. For example, take the Payment Card Industry Data Security Standard (version 1.1), and check out Section 10 (see Figure 1 below). It reads: "Requirement 10: Track and monitor all access to network resources and cardholder data." Later it says: "Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs."

Figure 1.  PCI Data Security Standard, Section 10. (Click to see an enlarged version.)

This means that to pass a PCI audit (or else face nasty fines of up to $500,000), not only must you track who logs off and when (which you can get with DirectControl, because all login/logout attempts are recorded on the Active Directory domain controller's event log), but you must track things more granular than that. For example, look at Section 10.2.2: "Implement automated audit trails for all system components to reconstruct the following events … All actions taken by any individual with root or administrative privileges." The key item is "All actions," which means every keystroke, every file edit, etc. — something that DirectAudit can deliver. In other words, to pass Section 10 of the PCI audit, you really must have DirectAudit. And this is true of other standards, such as HIPAA, SOX, etc., which require this level of granular auditing down to what privileged users were doing and typing.

The second reason a customer should check out DirectAudit is to improve security, namely to help address the threat of insider attacks. I recently blogged on how Goldman Sachs' recent security survey identified thwarting insider attacks as the #2 driver for improvements in security spending (compliance being #1). Information Week also recently published an interesting article on this topic (see Figure 2 below), and some of the interesting quotes included:

  • "Insider attacks against IT infrastructure are among the security breaches most feared."
  • "About half of all insider attacks take place between the time an IT employee is dismissed and his or her privileges are taken away."
  • "Managers must not only monitor system access, but also let employees know their system changes can be tracked."
  • "A recent survey by the Secret Service and CERT indicates that 86% of internal computer sabotage incidents are perpetrated by tech workers."

Figure 2.  Information Week, December 11, 2006. (Click to see an enlarged version.)

Clearly DirectAudit, by tracking what these privileged users are doing in terms of what commands they are typing, what files they are editing, etc., will help to reduce the chance of insider threats.

And finally, the third reason you should check out DirectAudit is that it does a great job of troubleshooting problems you may be experiencing on UNIX/Linux systems. Say a server crashes; what were people doing, or what was changed on that system, prior to the crash? DirectAudit can tell you exactly that.

So in summary, if you need to address regulatory compliance and troubleshooting requirements for auditing and reporting on user activity within your UNIX/Linux environment, definitely check out DirectAudit. I will definitely do some more blog posts on DirectAudit in the future to give you a feel for how customers are already using it today. It rocks!
