By Timothy Warner
In a nutshell, Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control over changes, configurations and access in hybrid IT environments. Netwrix targets companies of all sizes from various verticals, including technology, financial, public, healthcare, education, and energy sectors. In other words, Netwrix helps maintain data security and provides assistance for industries most affected by compliance regulations.
If you're new to Netwrix Auditor, I will draw your attention to my previous 4sysops reviews:
- Netwrix Auditor for Active Directory: A visibility and governance platform
- Netwrix Auditor 8.5 - Detect & investigate unusual user behavior
Go ahead and download a free 20-day trial, and set up a test environment for yourself, or get Netwrix Auditor up and running in minutes with a virtual appliance. The ready-to-use virtual appliance has everything you need preinstalled, so you can start using Netwrix Auditor without having to provision any hardware or software.
One word of warning if you decide to deploy it yourself—you'll need a full SQL Server running that has both the Database Engine and Reporting Services features installed.
Now, on to the coolest new features in Netwrix Auditor 9.0!
Threshold-based alerting on file server activity
The WannaCry ransomware attack that took place earlier this year was enough to put businesses of any size on high alert for suspicious file server activity. To address the very real threat of ransomware, Netwrix Auditor 9.0 now includes threshold-based alerting on aberrant activity on file servers and in other systems.
Netwrix Auditor triggers an alert whenever it observes suspicious file access behavior on your file servers. A ransomware attack, for instance, involves large-scale file modification: files are rewritten and typically renamed to an unknown extension as they are encrypted.
To get started, navigate to "Alerts" and click "Add Alert". Then provide a name for the alert, e.g., "Possible ransomware activity", and go to "Recipients." Click "Add Recipient," and specify one or more email addresses the alert should be sent to.
After that, follow two simple steps to configure the alert:
- Navigate to "Filters" and add the following filters:
- Filter: "Action"; Operator: "Equals"; Value: "Modified"
- Filter: "Action"; Operator: "Equals"; Value: "Renamed"
- Filter: "Object Type"; Operator: "Equals"; Value: "File"
- Filter: "Data Source"; Operator: "Equals"; Value: "File Servers"
- Navigate to "Thresholds" and switch them on.
- Set "Limit alerting to activity records with the same" to "Who" so you are notified whenever the threshold is reached by a single user account.
- Specify how many times the action must occur within a given period for the alert to fire, e.g., 150 activity records within 60 seconds, and click "Add."
Treat 150 records per 60 seconds as a starting point rather than a final value: backup agents, migration jobs and indexing service accounts can legitimately exceed it, so watch a baseline for a few days and raise the threshold or exclude those accounts before you rely on the alert.
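To make the alert logic concrete, here is an added example (my own code, not Netwrix's) that reproduces the same rule outside the product: it filters constructed file-server activity records on Action, Object Type and Data Source, counts qualifying records per "Who" in a trailing 60-second window, and fires when 150 are reached. The record layout, the account names, the share path and the `.locked` extension are all assumptions made for the demo; it also shows the "renamed to an unknown extension" signal the text mentions as a second triage step.

```python
"""Sliding-window threshold detection over file-server audit records.

Added example, not Netwrix code: mirrors the alert configured above
(Modified/Renamed on File objects from File Servers, counted per user).
The record layout and the sample data below are constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ALERT_ACTIONS = {"Modified", "Renamed"}   # the two "Action" filters
OBJECT_TYPE = "File"                      # "Object Type" filter
DATA_SOURCE = "File Servers"              # "Data Source" filter
KNOWN_EXTENSIONS = frozenset({".xlsx", ".docx", ".pdf", ".txt"})  # assumed baseline


def make_records():
    """Constructed sample: jdoe rewrites/renames 200 files in 40 s (ransomware-like),
    backupsvc modifies 300 files slowly over 10 minutes, svc_index reads 500 files
    in 10 s (wrong Action, must be ignored). Records are shuffled by time on purpose."""
    t0 = datetime(2017, 10, 31, 9, 0, 0)
    recs = []
    for i in range(200):
        action = "Renamed" if i % 2 else "Modified"
        name = f"q3_{i}.xlsx.locked" if action == "Renamed" else f"q3_{i}.xlsx"
        recs.append({"when": t0 + timedelta(milliseconds=200 * i), "who": "CORP\\jdoe",
                     "action": action, "object_type": OBJECT_TYPE,
                     "data_source": DATA_SOURCE, "what": "\\\\fs01\\share\\finance\\" + name})
    for i in range(300):
        recs.append({"when": t0 + timedelta(seconds=2 * i), "who": "CORP\\backupsvc",
                     "action": "Modified", "object_type": OBJECT_TYPE,
                     "data_source": DATA_SOURCE, "what": f"\\\\fs01\\share\\hr\\emp_{i}.docx"})
    for i in range(500):
        recs.append({"when": t0 + timedelta(milliseconds=20 * i), "who": "CORP\\svc_index",
                     "action": "Read", "object_type": OBJECT_TYPE,
                     "data_source": DATA_SOURCE, "what": f"\\\\fs01\\share\\docs\\d_{i}.pdf"})
    recs.sort(key=lambda r: r["when"])  # audit feeds rarely arrive strictly ordered anyway
    return recs


def matches_filters(rec):
    """The three filter conditions from the alert definition."""
    return (rec["action"] in ALERT_ACTIONS
            and rec["object_type"] == OBJECT_TYPE
            and rec["data_source"] == DATA_SOURCE)


def threshold_alerts(records, threshold=150, window_seconds=60):
    """Return [(who, alert_time, count)] each time one account's qualifying records
    reach `threshold` inside a trailing window of `window_seconds`.
    The account's window is cleared after an alert so one burst yields one alert."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(deque)
    alerts = []
    for rec in sorted(records, key=lambda r: r["when"]):
        if not matches_filters(rec):
            continue
        q = per_user[rec["who"]]
        q.append(rec["when"])
        while q and rec["when"] - q[0] > window:   # evict records older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rec["who"], rec["when"], len(q)))
            q.clear()
    return alerts


def new_extensions(records, who, known=KNOWN_EXTENSIONS):
    """Extensions `who` renamed files to that are not on the known list: the
    'unknown file extension' signal worth checking once the threshold fires."""
    exts = set()
    for rec in records:
        if rec["who"] == who and rec["action"] == "Renamed":
            name = rec["what"].rsplit("\\", 1)[-1]
            ext = ("." + name.rsplit(".", 1)[-1]).lower() if "." in name else ""
            if ext not in known:
                exts.add(ext)
    return exts


if __name__ == "__main__":
    recs = make_records()
    for who, when, count in threshold_alerts(recs):
        print(f"ALERT {when:%H:%M:%S} {who}: {count} file changes in 60 s; "
              f"new extensions: {sorted(new_extensions(recs, who))}")
```

Run as-is, the block reports one alert for `CORP\jdoe` (150 changes inside 60 s) with `.locked` as the new extension, while `CORP\backupsvc` stays below the threshold and the read flood from `CORP\svc_index` never counts. Widening the window to 600 seconds makes the backup account fire too, which is exactly the tuning trade-off the threshold settings expose.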
Support for Cisco networking devices
You already know that Netwrix Auditor includes built-in monitoring support for most of the Microsoft server portfolio. Did you know that Netwrix also hosts an Add-on Store? As you can see in the following screenshot, you can install free add-ons built on the Netwrix RESTful application programming interface (API) to monitor third-party hardware and software, including Cisco Adaptive Security Appliance (ASA) firewalls, routers and switches.
After you install the Cisco extension, you can create a monitoring plan by using the Netwrix API data source, as the next screenshot shows. You can then generate reports based on that plan as usual.
Role-based access control (RBAC)
The IT security principle of "least privilege" means that users, including administrators, should operate with only sufficient privileges to do their work and no more.
One of the most popular ways to implement least-privilege security is through role-based access control, or RBAC. Netwrix Auditor now supports RBAC and administrative delegation!
On the Monitoring Plans screen you'll see a new option called Delegate. You can then assign your Netwrix users and groups to one of the following predefined roles:
- Global Administrator: Full control
- Global Reviewer: Read-only access to all monitoring plans
- Reviewer: Read-only access to a specific monitoring plan
- Contributor: Write access to the databases (can install an API integration, for example)
- Configurator: Write access to a specific monitoring plan
In the following screenshot, I add my Compliance Officers domain global group to the Global Reviewer role.
New compliance reports
Netwrix Auditor has historically been strong in its ability to shorten the time required to prepare reports for your industry and/or regulatory compliance certifications. In the latest version, Netwrix added new report packs that cover the following "alphabet soup" of compliance programs:
- GDPR (General Data Protection Regulation)
- CJIS (Criminal Justice Information Services)
- FERPA (Family Educational Rights and Privacy Act)
- GLBA (Gramm-Leach-Bliley Act)
- NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection)
I show you the robust compliance report library in the following screenshot.
Netwrix Auditor is licensed per enabled Active Directory user, with the first year of support and maintenance included. Also, you can acquire only the applications you need to accomplish your work. For example, one customer may need only the Active Directory, Exchange, and Windows Server applications, while another customer may require only the Azure AD and Office 365 applications.
As you've seen, though, your purchased applications all reside in a single Netwrix Auditor interface. Personally, I think this is an elegant way to let you pay only for the software you actually need.
Contact Netwrix to request a price quote.