Here at Lepide we brand ourselves as an IT security and compliance vendor, which raises a really interesting question as to what IT security really is.
Sure, we have always offered solutions that enable users to audit, monitor and alert when potential security threats arise, but you could arguably say that visibility does not necessarily equal security. Just because someone knows about a potential issue does not in itself mean the issue gets resolved, remediated and secured.
Partly it’s down to how you define security. The SANS Institute defines security as “the process of implementing measures and systems designed to securely protect and safeguard information (business and personal data).” I would say it’s not necessarily about the process, it’s about the action that is actually taken. You can have the best plan in the world, but it’s essentially useless unless you pair it with action.
Around 18 months ago, with all the media attention around ransomware and other such threats, we realised that our solution, while it was excellent (arguably one of the best) when it came to providing alerts and reports offering visibility over actions, events and incidents, in security terms still wasn’t quite as proactive as we would have liked.
Let me elaborate.
While talking to our very large healthcare customers, we heard that they had a particular problem with a ransomware attack and, while our solution offered them great insight, at the time LepideAuditor wasn’t able to offer them any real means of stopping the spread or remediating the issue.
So, here’s what we did. Our mission, in line with everything we do, was to create the fastest, simplest, most flexible and user-friendly way for IT teams to react to threats without any human intervention.
Using our threshold alerting feature, we found we already had the ability to filter and create alerts based on event volume and event type over a given duration. So, in terms of being able to identify suspicious trends, such as a specific file or folder having been modified (potentially encrypted) many times in quick succession, we already had this. It could simply be an alert showing you that a user has copied a suspicious number of files and folders over a short time.
Frankly, we knew that when it came to real-time alerts and reports we had enough quality, meaningful and useful audit data to spot suspicious activity across any part of Active Directory, Group Policy, Exchange Server, SQL Server, SharePoint, Exchange Online (Office 365), Windows File Servers and NetApp Filers.
So, what we ultimately decided is that we wanted to allow users to create a script of their choosing in VBScript, PowerShell or a simple .BAT file. This would then be executed by a trigger created from the alert itself. For example, you could execute a script to disable a user account when a suspicious alert fires, or perhaps enable the firewall (and even switch the kettle on, should you wish).
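To make the two ideas above concrete, the threshold rule (many modifications by one user inside a short window) and the script the alert triggers (disabling the account), here is an added PowerShell example. It is not LepideAuditor's code and does not use the product's own alert parameters: the event shape, the threshold of 50 modifications in 60 seconds, the constructed sample events and the use of the ActiveDirectory module's Disable-ADAccount cmdlet are all assumptions for illustration. In the product the threshold alert itself would raise the trigger; the detection loop is included here so the script can be run and reasoned about offline.

```powershell
<#
  Added example, not LepideAuditor's code: a sliding-window threshold rule over
  constructed file-audit events, followed by the kind of response a triggered
  script could take. Threshold, window, event format and the response cmdlet
  are assumptions.
#>
param(
    [int]  $Threshold  = 50,    # modifications by one user...
    [int]  $WindowSecs = 60,    # ...inside this many seconds
    [bool] $DryRun     = $true  # report only; set to $false after lab testing
)

# Constructed sample events: alice edits a few files over an hour, bob touches
# 80 files in about half a minute (the "potentially encrypted" pattern).
$start  = Get-Date '2024-01-01T09:00:00'
$events = @()
foreach ($i in 0..4) {
    $events += [pscustomobject]@{ Time = $start.AddMinutes($i * 10); User = 'alice'; Path = "\\fs01\share\notes$i.docx" }
}
foreach ($i in 0..79) {
    $events += [pscustomobject]@{ Time = $start.AddSeconds($i * 0.4); User = 'bob'; Path = "\\fs01\share\file$i.xlsx" }
}

# Return every user who has at least $Threshold events within any
# $WindowSecs-second window (two-pointer sweep over sorted timestamps).
function Find-BurstUsers {
    param([object[]] $Events, [int] $Threshold, [int] $WindowSecs)
    $hits = @()
    foreach ($group in ($Events | Group-Object User)) {
        $times = @($group.Group.Time | Sort-Object)
        $lo = 0
        for ($hi = 0; $hi -lt $times.Count; $hi++) {
            # Slide the left edge forward until the window fits in $WindowSecs.
            while (($times[$hi] - $times[$lo]).TotalSeconds -gt $WindowSecs) { $lo++ }
            if (($hi - $lo + 1) -ge $Threshold) {
                $hits += [pscustomobject]@{ User = $group.Name; Count = $hi - $lo + 1; WindowEnd = $times[$hi] }
                break
            }
        }
    }
    return $hits
}

# The response action an alert would trigger. Dry-run by default so the
# detection can be tuned before any account is actually touched.
function Invoke-ContainAccount {
    param([string] $User, [bool] $DryRun)
    if ($DryRun) {
        Write-Host "[DRY RUN] would disable account '$User'"
        return
    }
    Import-Module ActiveDirectory
    Disable-ADAccount -Identity $User -Confirm:$false
    Write-Host "Disabled account '$User'"
}

$bursts = Find-BurstUsers -Events $events -Threshold $Threshold -WindowSecs $WindowSecs
if (-not $bursts) {
    Write-Host "No user exceeded $Threshold modifications in $WindowSecs seconds"
    return
}
foreach ($b in $bursts) {
    Write-Host ("ALERT: {0} modified {1} files in one {2}-second window ending {3:HH:mm:ss}" -f $b.User, $b.Count, $WindowSecs, $b.WindowEnd)
    Invoke-ContainAccount -User $b.User -DryRun $DryRun
}
```

With the constructed data only bob trips the rule (50 of his 80 modifications fall inside a 60-second window; alice's five edits are ten minutes apart), so the script reports one alert and, in dry-run mode, prints what it would do rather than disabling anything. Keeping the response behind a dry-run switch, and starting with a threshold high enough that ordinary bulk jobs do not trip it, is the "with caution" part of automating a reaction.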
The point is, this enabled IT teams to choose the action. We offer the visibility, we provide the insight – our customers choose how they want to automate the response.
Having the ability to automate how you react to trends, obviously with caution, offers tangible value to help you spot and stop ransomware in its tracks, spot perpetrators of data leakage, identify rogue administrators and prevent privilege abuse. All of which is fundamental to developing a good security strategy.
If this sounds like it could be a useful asset in your IT team as part of your overall security strategy, download a free trial of LepideAuditor and see for yourself how easy it is.