Change tracking and auditing

Change tracking and auditing allow you to determine who modified a document, when the document was modified, and what modifications were made to the document. Implementing change tracking is important when addressing the integrity pillar of the CIA triad.

Change tracking also often provides organizations with the ability to roll back changes. For example, should an authorized person make an unauthorized change to a document, those changes can be detected and rolled back if change tracking is implemented as a security control? If change tracking is not implemented as a security control, it may be impossible to determine which unauthorized changes were made unless an in-depth analysis of the document is performed. This is assuming, of course, that the unauthorized changes are detected in the first place, something that can be difficult to do without change tracking unless the changes are blatantly obvious.

Auditing is important as it provides information about which users, both authorized and unauthorized, may have attempted or gained access to data. Auditing isn’t just limited to data. As a part of maintaining an effective security posture, organizations should audit all changes to information system configuration, from roles and features being added and removed through to changes in security group membership and specific configuration settings.

For example, if auditing of security groups isn’t enabled, it might not be possible to determine whether a user account has been added to a sensitive group by an authorized administrator or an attacker who is attempting privilege escalation. If auditing of firewall configuration isn’t enabled, it might not be obvious that specific ports have been opened to allow an external user to gain remote access.

Monitoring and reporting

As mentioned in the previous weeks unless a system is present to record events as they happen, it is almost impossible to have an accurate picture of what is happening within your organization’s information system’s infrastructure. Collecting system event telemetry not only allows you to determine what actions an external intruder might be taking on the organizational network, but what unauthorized actions an authorized insider might be performing on the organizational network.

Organizations can use IDS and SIEM systems to collect, aggregate, and analyze system event telemetry. As security analytics software becomes more capable, it’s become possible for these systems to alert administrators to abnormal activity. For example, systems might notice that an authorized insider might only access specific sensitive files outside of office hours, an activity that might be worthy of further investigation.

In terms of developing a baseline security posture, having an IDS and SIEM system that has analyzed event telemetry in enough detail to determine what constitutes normal activity makes it easier for those systems to determine and raise an alert when abnormal activity occurs.

Join the discussion

What type of information classification schema does your organization use? Use the discussion section below and let us know your thoughts. Once you’re happy with your contribution, click the Mark as complete button to check the step off, then you can move to the next step.