SIEM - Gap Analysis & Management

NetIQ Change Guardian

Stop insider and targeted attacks with privileged-user activity monitoring.

Cloud, bring-your-own-device (BYOD), and other business-enabling technologies are here to stay. With even more complexity in your IT environment, how can you truly know what your privileged users are doing? NetIQ Change Guardian™ gives you the security intelligence you need to rapidly identify and respond to privileged-user activities that could signal a data breach or result in compliance gaps.


The right data at the right time

Intelligent alerting helps to reduce risk from insider and targeted attacks. A leading cause of breaches and internal attacks is the misuse of privileged access. And while emerging technologies such as cloud and bring-your-own-device (BYOD) are improving the way we do business, they are also introducing complexities never before experienced, especially when it comes to your ability to securely enable access to data and resources from anywhere.

With your sensitive data and resources now exposed to more access points than ever before, not being able to distinguish an insider from an outsider once they are in your system becomes an even bigger security risk. 

NetIQ Change Guardian™ is a privileged-user activity and change-monitoring solution that helps you to detect and respond to potential threats in real time through intelligent alerting of unauthorized access and changes to critical files, systems, and applications. The alerts contain enriched security information with the detail necessary to identify threats and record change. Each intelligent alert answers key security and audit questions, such as:


  • What action was performed?

  • Who performed the action?

  • When was the action taken?

  • Where was the action taken?

  • Was the action authorized?

  • Before-and-after change details


The information is presented simply and clearly, eliminating the need for expertise in various event types and dramatically reducing the time and complexity of responding to suspicious activity.

Lower cost compliance without the complexity

Policy-based monitoring helps you to demonstrate compliance simply and at lower cost. Are you under constant pressure to meet multiple compliance mandates like PCI DSS, HIPAA/HITECH, NERC CIP, SOX, and FISMA?

NetIQ Change Guardian™ is a privileged-user activity and change monitoring solution that helps you to demonstrate compliance with various regulations, mandates, best practices, and internal policies through:


  • Policy-based change auditing

  • Automated audit alerting and reporting

NetIQ Change Guardian provides the ability to specify monitoring policies in familiar, everyday language. This makes it easy for your security teams to associate Change Guardian policies with technical controls required by diverse regulations and mandates, as well as internal policies. Policy-based monitoring benefits include:

  • Faster and less costly demonstration of compliance - Easy-to-read policy statements align easily to technical controls, simplifying meaning and intent

  • Reduced time and complexity required for auditing - Activity is presented in straightforward and simple terms, diminishing the effort required for audit preparedness and proof of compliance

  • No need for event-type expertise - Detailed change audit information is presented simply and clearly, reducing the need for subject matter expertise and freeing up resources for other revenue-bearing activities

NetIQ Change Guardian centrally records and audits changes, consolidating and archiving change events from across your entire IT environment. This helps to reduce the complexity required to analyze multiple, disparate logs. The automated solution delivers daily and historical change auditing and reporting. Additional auditing and reporting benefits include:

Satisfies compliance mandates

  • Expanded Windows file integrity monitoring (FIM) includes the ability to demonstrate to auditors that FIM controls are effective, and that changes made during a service outage will be detected

  • Helps to meet PCI DSS compliance requirements for deployment of FIM tools that alert personnel to unauthorized modification of critical system files, configuration files or content files


Provides evidence of compliance at lower cost

  • Detailed auditing of policy lifecycle and assignment to address audit requests

  • Automated audit alerting and reporting reliably demonstrates compliance to auditors


Communicates security and compliance risk

  • Customizable, highly readable reports promote greater risk visibility to business stakeholders

  • Instantly know if activities were authorized or unauthorized

  • Get exact details of change or access to sensitive files, systems, and applications

Enterprise insight made simple

A comprehensive, integrated approach to monitoring privileged-user activity can protect your growing enterprise from attack.

Cloud, bring-your-own-device (BYOD), mobility and other technology trends often increase flexibility, lower costs and improve productivity. These benefits enable the goals of the business, and meet the needs of end users who demand 24-hour instant access to services.

These technologies also bring complexity to your infrastructure, and complexity is the enemy of security. How do you balance the need for business gain with the requirement to maintain the confidentiality, integrity, and availability of the organization's critical assets?

Because dynamic, mixed IT environments typically do not allow for a holistic view of risk and compliance, a comprehensive security solution that helps detect and respond to unauthorized change and access by privileged users is needed. One that:

Simplifies security and compliance processes

  • Eliminates the need for multiple tools—or to manage systems separately

  • Integrates privileged-user activity and change-monitoring across mixed computing environments

  • Facilitates rapid response to unauthorized activities to reduce risk of loss or compliance gaps

  • Extends your ability to manage risk and avoid business disruption by centralizing security information

  • Enables seamless integration with SIEM solutions, such as NetIQ Sentinel™


Supports heterogeneous IT environments

  • Multiple servers, operating systems, devices and applications, including

    • Microsoft Windows

    • Microsoft Active Directory

    • UNIX

    • Linux

Mixed environments

  • Traditional

  • Private cloud

  • IaaS

NetIQ Change Guardian™ gives security teams the control and visibility they need to rapidly detect and disrupt threats that could negatively impact the confidentiality, integrity, and availability of the organization's critical assets.

Your SIEM just got better

Sometimes SIEM needs a helping hand. NetIQ Change Guardian closes the security intelligence gap.

Security information and event management (SIEM) has been—and will always be—a critical component of an organization's security "toolkit." However, the complexity of threats that organizations face from privileged users and external attackers, coupled with the advent of disruptive, business-enabling IT technologies such as cloud and mobility, means that organizations must now find ways to complement and extend what they have been able to do with traditional SIEM tools.

A SIEM solution collects a massive amount of data so that the data can be correlated and analyzed, and action ultimately can be taken. By itself, SIEM is not enough to achieve sufficient layers of data protection and risk mitigation. It is limited by its dependence on native logs, which give little insight into the who, what, when, and where of an event.

NetIQ Change Guardian™ complements and extends SIEM's ability to detect an insider or targeted attack through intelligent alerting of unauthorized access and changes to critical files, systems, and applications. Specifically, Change Guardian delivers:

Real-time change monitoring

  • Identifies and reports on changes to critical files, platforms and systems to help prevent breaches and ensure policy compliance.

  • Monitors all change: Who made the change, where the change was made, when the change was made, what change was made, and whether or not the change was authorized.

  • Provides real-time, intelligent alerts on unauthorized changes, enabling the fastest threat response.

  • Captures before-and-after values for objects, drilling down to detailed change reports. Investigators can quickly identify anomalies.


Privileged-user monitoring

  • Audits and monitors privileged-user activity to reduce the risk of insider attacks.

  • Provides a detailed audit trail of privileged-user activity across Microsoft Windows and Active Directory, UNIX and Linux environments.

  • Delivers real-time alerting on suspicious behavior to provide immediate visibility to changes that could lead to a breach.


File integrity monitoring

  • Helps to meet PCI DSS version 2.0 Requirement 11 by identifying, reporting and alerting on access and changes to critical content and sensitive Windows systems and files.

  • Helps to meet PCI DSS version 2.0 Requirement 10 by ensuring audit trails remain secure by alerting on changes to log files.

When integrated with SIEM solutions such as NetIQ Sentinel™, Change Guardian works to enrich the "actionable intelligence" provided by the SIEM solution with the security event detail you need to identify and react quickly to threats. Armed with this comprehensive security intelligence, you will be better able to mitigate the impact of an attack before serious damage or compliance gaps can occur.
