Our collective security capabilities mature, and as they do, many internal security teams are converging their auditing and compliance needs and evolving into a risk-oriented approach. This gives rise to an increased need for governance-, risk-, and compliance-centric (GRC) products. GRC is not a new product space but it is growing to include auditing, policy management, and change management. Needless to say, with the countless GRC product offerings in the market, it can be difficult to determine what solution would be most effective for your organization.
Without the proper auditing of changes, organizations exponentially increase the risk of costly security breaches going undetected and looming failed compliance audits. Native auditing and logging mechanisms were originally designed to support troubleshooting efforts (not security auditing requirements). This is why more and more GRC products are incorporating change auditing capabilities into their solutions. Effective change auditing enables organizations to answer:
- Who made the change?
- What change was made?
- When was the change made?
- Where was the change made?
I spoke with Robert Bobel, Director of Product Management at NetWrix, one of the leaders in IT infrastructure change auditing and compliance, to ascertain how their products fit into the greater GRC realm. Bobel described NetWrix's All-in-One Suite as the "first of its kind to offer complete change auditing of the entire IT infrastructure in one fully integrated set of simple, efficient and affordable tools that can give you answers to those critical questions and help adhere to compliance requirements for SOX, HIPAA, GLBA, PCI, FISMA, and others." Furthermore, he added that NetWrix solutions help to increase overall operational efficiency by "automating identification, alerting, collecting and reporting of relevant events and entities resulting in minimizing costs."
NetWrix's key differentiators (according to Bobel and the NetWrix website) allow companies to:
- Pinpoint and assess security risks
- Implement and monitor appropriate security measures
- Assess accountability
- Facilitate audit readiness and reporting
The change auditing components mixed with other GRC functionality gives IT, security, and auditing teams the necessary information and context to determine how well their organization is meeting their governance, risk, and compliance goals. NetWrix's bread and butter, since their inception, has been configuration and change auditing (both of which have become critical factors in governance). Incorporating privilege account and identity management into their change reporting suite, NetWrix is driving towards more long-term holistic auditing (all devices) and data access governance/compliance.
At what "security maturity" level should an organization be before even thinking about GRC technologies? Bobel explained that companies — no matter their security maturity — will get value as their internal security and network teams will gain a strong grasp on exactly what is happening in their networked environment from a change perspective. This is something that would benefit all companies of all sizes. The difference is that some would likely be in a better position to act on the newfound findings. Bobel went on to explain that many GRC change management tools are complex, wrought with increased hidden costs, and come with a high cost for initial configuration and deployment. According to Bobel, one of NetWrix's guiding tenets, is to create simple, unobtrusive, and easy-to-configure applications.
Their unified module deployment approach follows a repeatable, easy to follow process and installation is a breeze for any network administrator. NetWrix's flexible licensing allows for companies to "cherry-pick" the module(s) that best serve their needs and requirements.
NetWrix certainly offers a unique spin on the GRC space, and I believe we will see more GRC products follow their lead. I would like to thank Robert Bobel for his time and insight into NetWrix and their product suite. Future articles will include discussion and analysis around other GRC products so you, the reader, can gain an understanding as to the different GRC flavours.
Have a security product or security company you would like to know more about? Contact me via Twitter - I'd love to hear from you.
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.