Netwrix added powerful new functionality for security risk assessment and anomalous behavior detection into Netwrix Auditor v9.5. Ransomware made quite a bit of news in 2017. That particular threat made many IT managers realize the need for proactive alerting on anomalous behavior.

Behavior anomaly discovery: such behavior may indicate a ransomware threat, for example, read/write operations on hundreds of files simultaneously.
Netwrix clearly had information security and threat detection on its mind when it developed Netwrix Auditor v9.5. Today I'd like to explain these new features to you. In the meantime, check out any of the following 4sysops posts to learn more about Netwrix Auditor in general terms:

Risk assessment ^

In IT security nomenclature, risk refers to the potential for loss, damage, or destruction of an asset when a threat exploits a vulnerability. Mitigating risk starts with a high-level view of your network's security posture. For instance, how much visibility do you have right now into the following areas?

  • Active Directory accounts with weak and/or non-expiring passwords
  • Orphaned or otherwise unused user and computer accounts
  • The extent to which accounts possess administrative privileges
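To make the three checks above concrete, here is an added example (my own illustration, not Netwrix code) that evaluates a small, constructed set of Active Directory account records the way a risk assessment report would: it tests the documented userAccountControl flags for non-expiring and not-required passwords, treats an enabled account with no logon in an assumed 90-day window as unused, and counts membership in the built-in administrative groups. The account names, dates and the rating thresholds are all assumptions made for the example.

```python
"""Risk assessment over a constructed set of Active Directory account records.

Added example, not Netwrix code: it models the three areas listed above
(weak or non-expiring passwords, unused accounts, administrative privilege)
against dictionaries shaped like the attributes an LDAP query returns.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl bit flags as documented by Microsoft for Active Directory
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
STALE_AFTER = timedelta(days=90)                   # assumed threshold for "unused"
NOW = datetime(2018, 1, 15, tzinfo=timezone.utc)   # fixed clock keeps the run deterministic

# Constructed sample records; names, flags and dates are made up for the example
ACCOUNTS = [
    {"sam": "alice", "uac": 0x200,
     "lastLogon": NOW - timedelta(days=2), "memberOf": ["Domain Users"]},
    {"sam": "bob", "uac": 0x200 | DONT_EXPIRE_PASSWORD,
     "lastLogon": NOW - timedelta(days=5), "memberOf": ["Domain Admins"]},
    {"sam": "svc_backup", "uac": 0x200 | PASSWD_NOTREQD,
     "lastLogon": None, "memberOf": ["Domain Users"]},
    {"sam": "carol", "uac": 0x200,
     "lastLogon": NOW - timedelta(days=200), "memberOf": ["Domain Users"]},
    {"sam": "old_admin", "uac": 0x200 | ACCOUNTDISABLE,
     "lastLogon": NOW - timedelta(days=400), "memberOf": ["Administrators"]},
]

CATEGORIES = ("password never expires", "password not required",
              "unused account", "administrative privileges")


def account_findings(acct, now=NOW):
    """Return the list of risk categories that apply to one account."""
    uac = acct["uac"]
    enabled = not (uac & ACCOUNTDISABLE)
    found = []
    if uac & DONT_EXPIRE_PASSWORD:
        found.append("password never expires")
    if uac & PASSWD_NOTREQD:
        found.append("password not required")
    last = acct["lastLogon"]
    # A disabled account is not "unused" in the risky sense; it is already locked out.
    if enabled and (last is None or now - last > STALE_AFTER):
        found.append("unused account")
    # Membership counts whether or not the account is enabled: a disabled admin
    # account is one re-enable away from full privilege.
    if ADMIN_GROUPS.intersection(acct["memberOf"]):
        found.append("administrative privileges")
    return found


def risk_level(affected, total):
    """Assumed rating scale: share of accounts affected in a category."""
    share = affected / total if total else 0.0
    if share == 0:
        return "none"
    return "low" if share < 0.05 else "medium" if share < 0.20 else "high"


def risk_overview(accounts, now=NOW):
    """Aggregate per-account findings into the kind of overview a risk report shows."""
    details = {a["sam"]: account_findings(a, now) for a in accounts}
    counts = {c: sum(c in f for f in details.values()) for c in CATEGORIES}
    levels = {c: risk_level(n, len(accounts)) for c, n in counts.items()}
    return counts, levels, details


if __name__ == "__main__":
    counts, levels, details = risk_overview(ACCOUNTS)
    for cat in CATEGORIES:
        print(f"{cat:28s} {counts[cat]:3d}  {levels[cat]}")
    for sam, f in details.items():
        if f:
            print(f"  {sam}: {', '.join(f)}")
```

Against real directory data you would feed `risk_overview` the result of an LDAP query (`sAMAccountName`, `userAccountControl`, `lastLogonTimestamp`, `memberOf`) and a current clock; the point of the example is that every item on the list above reduces to a flag test, a date comparison, or a group-membership test.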

In Netwrix Auditor v9.5, open the Reports list, expand the IT Risk Assessment category, and choose a report to view. As you can see in the next figure, there are four reports:

  • IT Risk Overview
  • IT Risk Assessment – Data
  • IT Risk Assessment – Permissions
  • IT Risk Assessment – User and Computers

New IT risk assessment reports

The value added to the IT Risk Assessment reports is that Netwrix Auditor acts essentially as a "consultant in a box." The reports provide you with actionable feedback as to your IT security risk status for no additional charge.

Behavior anomaly discovery ^

Here is where we get to detecting malicious insiders and compromised accounts. Netwrix Auditor can proactively alert you for anomalous behavior in your infrastructure such as:

  • Privileged account use
  • Data theft (from a disgruntled employee, for instance)
  • Account hijacking

From the Netwrix Auditor v9.5 home screen, click Behavior anomalies to open the Behavior Anomalies dashboard. As shown in the following figure, each account has a risk score that reflects how much anomalous activity the user has performed, and the findings are plotted on a timeline.

Account behavior anomaly detection
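The dashboard above combines individual findings into a per-account risk score. The following added example (my own sketch, not Netwrix's scoring algorithm) shows the shape of that logic over constructed file-server audit events: a sliding one-minute window flags a user who modifies an unusually large number of distinct files (the ransomware-like pattern mentioned at the top of this post), a privileged account used from a host outside its baseline is flagged as possible account hijacking, and each finding carries a weight that sums into the score. The thresholds, weights, user names, hosts and paths are assumptions.

```python
"""Per-account risk scoring over constructed file-server audit events.

Added example, not Netwrix's algorithm: it flags mass writes (many distinct
files modified inside a short window) and privileged-account use from a host
outside the account's baseline, then sums weighted findings into a score.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MASS_WRITE_THRESHOLD = 100       # distinct files modified per window (assumed)
WINDOW = timedelta(minutes=1)
WEIGHTS = {"mass_write": 80, "privileged_use_unusual_host": 40}   # assumed
PRIVILEGED = {"bob"}                       # accounts treated as privileged
BASELINE_HOSTS = {"bob": {"ADMIN-WS1"}}    # hosts where bob normally works
WRITE_ACTIONS = {"Modified", "Added", "Removed", "Renamed"}


def make_events():
    """Constructed sample log: alice works normally, then bob touches 150 files in 30 s."""
    t0 = datetime(2018, 1, 15, 9, 0, 0)
    events = []
    for i in range(5):
        events.append((t0 + timedelta(minutes=i), "alice", "WS-ALICE",
                       "Modified", f"\\\\fs1\\share\\report{i}.docx"))
    t1 = t0 + timedelta(minutes=10)
    for i in range(150):
        events.append((t1 + timedelta(seconds=i / 5), "bob", "LAPTOP-7",
                       "Modified", f"\\\\fs1\\share\\docs\\file{i}.xlsx"))
    events.sort(key=lambda e: e[0])
    return events


def detect(events):
    """Return findings as (time, user, kind, detail); each kind fires once per user."""
    findings = []
    windows = defaultdict(deque)   # user -> recent (time, path) write events
    flagged = set()
    for ts, user, host, action, path in events:
        # Account hijacking indicator: privileged account seen on an unfamiliar host.
        if user in PRIVILEGED and host not in BASELINE_HOSTS.get(user, set()):
            if (user, "privileged_use_unusual_host") not in flagged:
                flagged.add((user, "privileged_use_unusual_host"))
                findings.append((ts, user, "privileged_use_unusual_host", host))
        if action not in WRITE_ACTIONS:
            continue
        # Sliding window: keep only this user's writes from the last WINDOW.
        dq = windows[user]
        dq.append((ts, path))
        while ts - dq[0][0] > WINDOW:
            dq.popleft()
        distinct = {p for _, p in dq}
        if len(distinct) >= MASS_WRITE_THRESHOLD and (user, "mass_write") not in flagged:
            flagged.add((user, "mass_write"))
            findings.append((ts, user, "mass_write",
                             f"{len(distinct)} distinct files in {WINDOW.seconds}s"))
    return findings


def risk_scores(findings):
    """Sum the weight of every finding per user; users with no findings are absent."""
    scores = defaultdict(int)
    for _, user, kind, _ in findings:
        scores[user] += WEIGHTS[kind]
    return dict(scores)


if __name__ == "__main__":
    found = detect(make_events())
    for ts, user, kind, detail in found:        # the "timeline" view
        print(f"{ts:%H:%M:%S} {user:6s} {kind:28s} {detail}")
    print(risk_scores(found))
```

Note that each finding type fires once per account rather than once per event; otherwise a single burst of 150 writes would produce 51 identical findings and swamp the score.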

Permission analysis ^

In information security, the principle of least privilege requires that in a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources necessary for its legitimate purpose.

In addition to effective permissions reporting on file servers, Netwrix added more robust detection of effective resource access permissions to two of its many application components:

  • Netwrix Auditor for Active Directory
  • Netwrix Auditor for Windows Server

You can view the "who has access to what" reports by opening the Netwrix Auditor Reports list and browsing the Active Directory – State in Time and Windows Server – State in Time categories.

For example, in the following screenshot you can see the organizational units (OUs) and accounts associated with the Active Directory user Kevin Dutch:

Effective access reports

API-enabled integrations ^

Although Netwrix Auditor is a Windows application, version 9.5 gives you new incident response capabilities and visibility into your Linux environment as well. The product offers three new free, downloadable add-ons:

  • ServiceNow incident management integration: Netwrix can automatically create detailed tickets in your ServiceNow platform when detecting suspicious events.
  • Privileged user monitoring on Linux systems detects when users invoke the sudo command to execute privileged commands.
  • Generic syslog parsing for Linux systems allows you to investigate threats on your Linux servers via the long-standing syslog system.
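The sudo add-on and the generic syslog add-on both come down to parsing the lines sudo writes to syslog. As an added example of what that parsing involves (my own code, not the Netwrix add-on), the block below handles the standard sudo record format (`user : TTY=... ; PWD=... ; USER=... ; COMMAND=...`) and the refusal variants that carry a reason in front of `TTY=` (`user NOT in sudoers`, `N incorrect password attempts`), ignores unrelated lines, and summarizes allowed commands per user alongside refusals. The host name, user names and commands in the sample lines are constructed.

```python
"""Parse sudo entries out of syslog lines and summarise privileged command use.

Added example, not Netwrix's add-on: it handles the standard sudo log record
(user, TTY, PWD, target USER, COMMAND) plus the refusal variants that carry a
reason before TTY=, and reports per-user command counts and refusals.
"""
import re
from collections import Counter

# Constructed sample syslog lines (host, users and commands are made up)
SAMPLE_SYSLOG = """\
Jan 15 10:03:22 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jan 15 10:03:22 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=0)
Jan 15 10:04:10 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Jan 15 10:05:01 web01 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan 15 10:07:45 web01 sudo:    alice : TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/tail -n 50 /var/log/auth.log
Jan 15 10:09:30 web01 sudo:    alice : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

# The optional "reason ; " group only matches the refusal variants; on a normal
# record the lazy [^;]*? cannot reach a following "TTY=" and the group is skipped.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?:(?P<reason>[^;]*?) ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>[^;]*) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo(text):
    """Return a list of dicts, one per sudo command record; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue   # pam session lines, cron, and anything else are not command records
        rec = m.groupdict()
        rec["outcome"] = "allowed" if rec["reason"] is None else "refused"
        events.append(rec)
    return events


def summarize(events):
    """Per-user count of allowed privileged commands, plus every refusal."""
    per_user = Counter(e["user"] for e in events if e["outcome"] == "allowed")
    refusals = [(e["user"], e["reason"], e["cmd"])
                for e in events if e["outcome"] == "refused"]
    return per_user, refusals


if __name__ == "__main__":
    evs = parse_sudo(SAMPLE_SYSLOG)
    counts, refused = summarize(evs)
    for user, n in counts.items():
        print(f"{user}: {n} privileged command(s) run")
    for user, reason, cmd in refused:
        print(f"REFUSED {user}: {reason} -> {cmd}")
```

Refusals are the lines worth alerting on first: a `user NOT in sudoers` record is someone probing for privilege they do not hold, and repeated incorrect-password records against a legitimate sudoer may indicate a compromised session.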

You install these new add-ons from the Netwrix Auditor Add-on Store. Here, let me show you a picture:

Netwrix Add-on Store

The free add-ons available in the Netwrix Add-on Store provide fantastic value to the product and greatly expand its capabilities for heterogeneous business environments.

Custom report subscriptions ^

If your company has one or more stakeholders who need to receive audit reports for compliance purposes, you'll love this new feature. In Netwrix Auditor v9.5, you can generate a subscription schedule for any built-in or custom report.

For instance, you can see in the following screenshot that I configured Netwrix Auditor to send me a daily e-mail message containing the contents of the File Servers Overview built-in report.

Custom report subscription

Wrap-up ^

In my opinion, the security intelligence features alone make an upgrade to Netwrix Auditor v9.5 worthwhile. The Linux auditing capability is great news for multi-OS administrators, and the custom report subscriptions are very handy.

Download a 20-day free trial by visiting the Netwrix website. Don't forget that Netwrix offers a free community edition of Netwrix Auditor for Active Directory.


© 4sysops 2006 - 2022