Netwrix clearly had information security and threat detection on its mind when it developed Netwrix Auditor v9.5. Its new behavior anomaly discovery, for instance, flags activity such as read/write operations on hundreds of files at once, a pattern that may indicate a ransomware infection. Today I'd like to explain these new features to you. In the meantime, check out any of the following 4sysops posts to learn more about Netwrix Auditor in general terms:
- Netwrix Auditor 8.5 - Detect & investigate unusual user behavior
- Netwrix Auditor for Active Directory: A visibility and governance platform
- Use cases for Netwrix Auditor Free Community Edition v9.0
Risk assessment
In IT security nomenclature, risk is the potential for loss, damage, or destruction of an asset when a threat exploits a vulnerability. Risk mitigation starts with a high-level view of your network's security posture. For instance, how much visibility do you have right now into the following areas?
- Active Directory accounts with weak and/or non-expiring passwords
- Orphaned or otherwise unused user and computer accounts
- The extent to which accounts possess administrative privileges
In Netwrix Auditor v9.5, open the Reports list, expand the IT Risk Assessment category, and choose a report to view. As you can see in the next figure, there are four reports:
- IT Risk Overview
- IT Risk Assessment – Data
- IT Risk Assessment – Permissions
- IT Risk Assessment – Users and Computers
The value of the IT Risk Assessment reports is that Netwrix Auditor acts essentially as a "consultant in a box": the reports give you actionable feedback on your IT security risk status at no additional charge.
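If you want to spot-check the same three risk areas yourself, the following PowerShell script does so with the RSAT ActiveDirectory module. It is an added example for this article, not Netwrix code and not what the IT Risk Assessment reports run internally; the list of privileged groups and the 90-day inactivity threshold are assumptions you should adapt to your domain. It also reports accounts still carrying adminCount=1, which the AdminSDHolder process leaves behind after an account is removed from a protected group.

```powershell
# Added example (not Netwrix code): spot-check weak passwords, stale accounts
# and privileged membership from a domain-joined host with RSAT installed.
# Group names and the 90-day threshold below are assumptions; adjust them.
Import-Module ActiveDirectory

function Get-WeakPasswordAccount {
    # Enabled users whose password never expires, that are flagged as not
    # requiring a password (PASSWD_NOTREQD), or that store the password with
    # reversible encryption; all three defeat your domain password policy.
    Get-ADUser -Filter { Enabled -eq $true } `
        -Properties PasswordNeverExpires, PasswordNotRequired,
                    AllowReversiblePasswordEncryption, PasswordLastSet |
    Where-Object { $_.PasswordNeverExpires -or $_.PasswordNotRequired -or
                   $_.AllowReversiblePasswordEncryption } |
    Select-Object SamAccountName, PasswordNeverExpires, PasswordNotRequired,
                  AllowReversiblePasswordEncryption, PasswordLastSet
}

function Get-StaleAccount {
    param([int]$InactiveDays = 90)
    # Enabled users and computers with no logon in the period. Search-ADAccount
    # reads lastLogonTimestamp, which replicates with up to 14 days of slack,
    # so treat the output as a candidate list, not a deletion list.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) |
    Where-Object Enabled |
    Select-Object SamAccountName, ObjectClass, LastLogonDate, DistinguishedName
}

function Get-PrivilegedAccount {
    # Flatten nested membership of the high-privilege groups. Enterprise Admins
    # and Schema Admins exist only in the forest root domain, hence the silent
    # skip when a group is not found.
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
              'Administrators', 'Account Operators', 'Backup Operators'
    foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
    }
    # Accounts that still have adminCount=1 after leaving a protected group keep
    # the locked-down AdminSDHolder ACL and stop inheriting OU permissions.
    Get-ADUser -LDAPFilter '(adminCount=1)' |
    Select-Object @{ n = 'Group'; e = { 'adminCount=1 (AdminSDHolder)' } },
                  SamAccountName, DistinguishedName
}

# Summary counts per risk area, then the full privileged-account list.
$findings = [ordered]@{
    'Weak or non-expiring passwords' = @(Get-WeakPasswordAccount)
    'Inactive accounts (90 days)'    = @(Get-StaleAccount -InactiveDays 90)
    'Privileged accounts'            = @(Get-PrivilegedAccount)
}
foreach ($f in $findings.GetEnumerator()) {
    '{0,-32} {1,5}' -f $f.Key, $f.Value.Count
}
$findings['Privileged accounts'] | Format-Table -AutoSize
```

Run it under an account that can read the directory; no write permission is needed. The three functions emit objects, so you can pipe any of them to Export-Csv to keep a baseline and diff it against next month's run.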
Behavior anomaly discovery
Here is where we get to detecting malicious insiders and compromised accounts. Netwrix Auditor can proactively alert you to anomalous behavior in your infrastructure such as:
- Privileged account use
- Data theft (from a disgruntled employee, for instance)
- Account hijacking
From the Netwrix Auditor v9.5 home screen, click Behavior anomalies to open the Behavior Anomalies dashboard. As shown in the following figure, each account carries a risk score that reflects how much anomalous activity the user has generated, and the findings are plotted on a timeline.
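To make the ransomware pattern mentioned at the top of this article concrete (hundreds of files written in a very short time), here is a small detection routine in PowerShell. It is an added example for this article, not Netwrix's scoring logic. The event records are constructed inline with two made-up accounts (CORP\alice and CORP\bob) and a made-up share; on a real file server you would build the same User/Time/Path/Access objects from Security log 4663 events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 }) after enabling file-system object access auditing on the share.

```powershell
# Added example (not Netwrix code): flag accounts that write or delete an
# unusually large number of distinct files inside a short sliding window.
# Sample events, account names and share paths below are constructed.

function Find-FileAccessBurst {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with User, Time, Path, Access
        [int]$WindowSeconds = 60,                   # assumed window; tune per server
        [int]$Threshold     = 100                   # assumed distinct-file threshold
    )
    $alerts = @()
    $writes = $Events | Where-Object { $_.Access -in 'WriteData', 'Delete' }
    foreach ($group in ($writes | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start  = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Slide the window start forward until it spans <= $WindowSeconds.
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) {
                $start++
            }
            $window   = @($sorted[$start..$end])
            $distinct = @($window.Path | Sort-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    User           = $group.Name
                    WindowStart    = $sorted[$start].Time
                    WindowEnd      = $sorted[$end].Time
                    DistinctFiles  = $distinct
                    EventsInWindow = $window.Count
                    # New extensions on touched files are a strong ransomware tell.
                    Extensions     = ($window.Path |
                        ForEach-Object { [IO.Path]::GetExtension($_) } |
                        Sort-Object -Unique) -join ','
                }
                break   # one alert per user per run is enough for this demo
            }
        }
    }
    return $alerts
}

# Constructed sample: alice edits five documents over an hour (normal),
# bob rewrites 150 spreadsheets with a new extension in 30 seconds.
$t0 = Get-Date '2021-09-14T09:00:00'
$sample = @()
1..5 | ForEach-Object {
    $sample += [pscustomobject]@{ User = 'CORP\alice'; Time = $t0.AddMinutes($_ * 10)
                                  Path = "\\fs1\share\docs\report$_.docx"; Access = 'WriteData' }
}
1..150 | ForEach-Object {
    $sample += [pscustomobject]@{ User = 'CORP\bob'; Time = $t0.AddMilliseconds($_ * 200)
                                  Path = "\\fs1\share\finance\q3_$_.xlsx.locked"; Access = 'WriteData' }
}

# Only bob is reported: 100 distinct files are reached within one window.
Find-FileAccessBurst -Events $sample -WindowSeconds 60 -Threshold 100 | Format-List
```

The threshold and window are the tuning knobs: a backup job or a bulk migration will also cross them, so in practice you would whitelist those service accounts or, as the dashboard does, turn each hit into a risk score rather than a hard alert.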
Permission analysis
In information security, the principle of least privilege requires that in a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources necessary for its legitimate purpose.
In addition to the existing effective permissions reporting for file servers, Netwrix added more robust effective-access reporting to two of its many application components:
- Netwrix Auditor for Active Directory
- Netwrix Auditor for Windows Server
You can view the "who has access to what" reports by opening the Netwrix Auditor Reports list and viewing some reports in the Active Directory – State in Time and Windows Server – State in Time categories.
For example, in the following screenshot you can see the organizational units (OUs) and accounts associated with the Active Directory user Kevin Dutch:
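To show what a "who has access to what" check involves, here is an added PowerShell example (not Netwrix code and not how its State in Time reports are generated) that computes a user's effective NTFS rights on one folder: it walks nested group membership breadth-first, collects the SIDs the user's token would carry, and then combines the matching allow and deny ACEs. The account name kdutch and the path \\fs1\finance are assumptions. The example ignores share-level permissions and Dynamic Access Control, which is exactly the kind of gap a product report fills.

```powershell
# Added example (not Netwrix code): effective NTFS access for one account on
# one folder. Account name and path in the usage line are assumptions.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

Import-Module ActiveDirectory

function Get-PrincipalSid {
    param([Parameter(Mandatory)][string]$Identity)
    # Breadth-first walk of nested group membership (Get-ADPrincipalGroupMembership
    # includes the primary group), plus the well-known SIDs every domain user
    # carries in its access token.
    $user = Get-ADUser -Identity $Identity
    $sids = [System.Collections.Generic.HashSet[string]]::new()
    [void]$sids.Add($user.SID.Value)
    [void]$sids.Add('S-1-1-0')    # Everyone
    [void]$sids.Add('S-1-5-11')   # Authenticated Users
    $queue = [System.Collections.Generic.Queue[object]]::new()
    Get-ADPrincipalGroupMembership -Identity $user | ForEach-Object { $queue.Enqueue($_) }
    while ($queue.Count -gt 0) {
        $group = $queue.Dequeue()
        if ($sids.Add($group.SID.Value)) {   # false when already visited
            Get-ADPrincipalGroupMembership -Identity $group |
                ForEach-Object { $queue.Enqueue($_) }
        }
    }
    return $sids   # unrolled to a string array on output
}

function Get-EffectiveFolderAccess {
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Path)
    $sids  = @(Get-PrincipalSid -Identity $Identity)
    $allow = 0
    $deny  = 0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        # Inherit-only ACEs apply to children, not to this folder itself.
        if ($ace.PropagationFlags -band [PropagationFlags]::InheritOnly) { continue }
        try   { $sid = $ace.IdentityReference.Translate([SecurityIdentifier]).Value }
        catch { continue }   # orphaned SID or unresolvable account: cannot match
        if ($sids -notcontains $sid) { continue }
        if ($ace.AccessControlType -eq [AccessControlType]::Allow) {
            $allow = $allow -bor [int]$ace.FileSystemRights
        } else {
            $deny  = $deny  -bor [int]$ace.FileSystemRights
        }
    }
    # A denied bit wins over an allowed one; mask to the defined rights.
    $effective = $allow -band (-bnot $deny) -band [int][FileSystemRights]::FullControl
    [pscustomobject]@{
        Identity       = $Identity
        Path           = $Path
        Effective      = [FileSystemRights]$effective
        CanWrite       = ($effective -band [int][FileSystemRights]::WriteData) -ne 0
        HasFullControl = $effective -eq [int][FileSystemRights]::FullControl
    }
}

# Assumed account and share; replace with a real user and folder.
Get-EffectiveFolderAccess -Identity 'kdutch' -Path '\\fs1\finance'
```

Pipe a list of SAM account names into the function to build a quick "who can write here" table for a sensitive folder, and compare it with what the Windows Server – State in Time report shows for the same path.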
API-enabled integrations
Although Netwrix Auditor is a Windows application, version 9.5 gives you new incident response capabilities and visibility into your Linux environment as well. The product offers three new free, downloadable add-ons:
- ServiceNow incident management integration: Netwrix can automatically create detailed tickets in your ServiceNow platform when detecting suspicious events.
- Privileged user monitoring on Linux systems detects when users invoke the sudo command to execute privileged commands.
- Generic syslog parsing for Linux systems allows you to investigate threats on your Linux servers via the long-standing syslog system.
You install these new add-ons from the Netwrix Auditor Add-on Store. Here, let me show you a picture:
The free add-ons available in the Netwrix Add-on Store provide fantastic value to the product and greatly expand its capabilities for heterogeneous business environments.
Custom report subscriptions
If your company has one or more stakeholders who need to receive audit reports for compliance purposes, you'll love this new feature. In Netwrix Auditor v9.5, you can generate a subscription schedule for any built-in or custom report.
For instance, you can see in the following screenshot that I configured Netwrix Auditor to send me a daily e-mail message containing the contents of the File Servers Overview built-in report.
In my opinion, the security intelligence features alone make an upgrade to Netwrix Auditor v9.5 worthwhile. The Linux auditing capability is great news for multi-OS administrators, and the custom report subscriptions are very handy.