[WHOOSH] Welcome.
This is Quest Unscripted.
A vlog series on trending topics and Quest solutions related to Active Directory--
--Office 365--
--Oh, and don't forget, Azure AD.
You are here because you have questions.
We're here because we have answers.
I think. [LAUGHS]
We will address questions we've received from customers who experience the same challenges as you.
All with the goal of helping you confidently move--
--manage--
--and secure your Microsoft environment. We call the show Quest Unscripted because--
--except for this intro--
--nothing we say is scripted or rehearsed.
And we're pretty sure you'll notice that right away.
Hey, guys, thanks for joining.
Thanks for letting us be here.
I like your shirt.
In my defense, I was left unsupervised.
Pretty correct, yes.
So I have a quick question, guys. You know, I just got off the phone with a customer. I think me and you, Ian, were on it, maybe; can't remember. But the question came up with this customer has known interest in the past, currently is using Quest Change Auditor, and I guess the million-dollar question is, OK, what's the difference?
I can answer some of that. So InTrust was designed to be able to collect all the different native event logs that are out there. And it's complementary to a lot of different SIEM solutions, because we can actually compress the data, normally at about a 20 to 1 ratio, where we can actually have quick searchability, and in some instances 40 to 1.
So logs that people normally can't collect, i.e. PowerShell, a lot of different tags happen via PowerShell. InTrust is going to be able to collect all of those different logs and give you the searchability to see what things can actually happen. Now, in conjunction with that, InTrust even has the ability to do what's called response actions. So we see something, we can do something right away. And you can programmatically define what happens based upon the different situation that is occurring.
So InTrust has been around for 20-plus years. There's a lot of capabilities that are ahead of its time, but it's very complementary to be able to get all that data collection done in a cheaper source and be able to give the searchability, whereas Change Auditor is enriched data about the Directory and normalizes it, and there's protection capabilities [INAUDIBLE] to prevent some stuff from happening. And in many ways, they're actually better together.
Yeah, so let's just say-- let's take that last statement. So maybe, Ian, you can speak to some of your customers that use both Change Auditor and InTrust together. How do they work well together? Let's talk about, are they just collecting feeds from Change Auditor, and is it better from a response standpoint? What's been some of your examples with your customers?
It's been a little of both. When you look at the two, it's different data sources-- InTrust, or storing in a Cassandra file system, highly compressed. So a lot of customers, they still, for regulatory reasons, they need to grab logs. Change Auditor gives you much cleaner data to work on, but they still need the logs, so we'll grab them.
We can also use InTrust for long-term storage of the Change Auditor data. SQL is expensive for data storage. File systems are cheap. And with the compression that Bryan mentioned, we can store a lot of information on a file system very inexpensively for a customer.
The Response Actions is a really big one. This is one that we did for a very large government entity, where they wanted to be able to temporarily grant administrative access to a workstation. So somebody will go in and drop you into the Local Administrators group on your workstation, but they wanted to make sure that it only stayed there for 24 hours.
So one of the ways we do Response Actions is you look for an event happening at a certain time, and then we could correspondingly say, OK, this other event has to happen so long after. And if it doesn't, we're going to go do something. So what we had done there was we see the event happening for a user being dropped in the Admins group. 24 hours later, if I haven't seen the corresponding remove, I just do it automatically and the user is out of the group.
And one thing I want to note, InTrust is not a SIEM. It sounds SIEM-like. Remember, a SIEM is Security Information and Event Management.
So we can see across a lot of anomalous sources and do stuff. It's meant for different analysis, for real-time detection. So InTrust is very complementary because we can capture all different data, keep it long-term for whatever compliance needs, and forward off just what you need to the SIEM of your different choosing. So they can just ingest the different data that's security-related, not necessarily compliance-related.
Yeah, I mean, the customer I was referring to, if you remember, Ian, their database is growing about half a terabyte every two or three days. This is the Change Auditor database. So if we introduce InTrust into the mix, we're talking, what, 3 million events in three days? So a million events a day.
Yep.
A million events a day on your-- if Change Auditor produces that as an event into your event log, that's, what, 8 kilobytes per event? Take all that, put it in InTrust, compress it. You don't have to worry about the SQL server. Storage of all of that, it's compressed into InTrust. And the math may be off, but there's definitely a huge reduction in the storage needs when we switch over from Change Auditor to InTrust.
In the SQL Server, each event is roughly about 16K of space that's taken up in SQL server. And, obviously, you can't compress in SQL Server. You take that same information, drop it onto a file system, and compress it,