NNT Change Tracker Generation 7
Strengths: Good change management tool that would work well with some other types of risk management tools but has a strong place on its own for its compliance management.
Weaknesses: We missed the support portal; however, there still are a lot of resources on the website, such as white papers and training materials.
Verdict: For the change management required for compliance in just about all regulatory requirements, this is a very strong contender.
The product is a strong PCI compliance measuring and reporting tool. It is built around detecting changes and determines if the changes are malicious or not. The product audits the in-scope systems and tells if they are configured properly. It also can automate the remediation. The tool can be agent or agentless. If you opt for agents, you can receive real-time alerts. With the agentless option, the polled checking results are not returned in near real time because you must wait for the next poll to come around. Agents are more efficient.
Change Tracker can manage configuration changes. Remediation is built around group policy. So the tool focuses on system hardening and reporting configuration errors. However, the tool does not do patch management. Rather, it is focused on systems being out of compliance - in part by monitoring changes that introduce vulnerabilities. It operates at forensic-level configuration management. It does not patch because, in the vendor's view, patching causes lots of changes and, since the tool is intended to catch changes, patching would generate a lot of false positives.
However, Change Tracker has intelligent change control that can look for what patches look like. It recognises changes caused by patching so that it can recognise malicious activity hiding under patching.
The product operates on a hash level and sees changes, passes the hash to its threat intel feeder and compares with known hashes, good or bad (are they on the feed's whitelist or not?). Cache information (whitelist) resides on customer premises.
The goals of the tool are, first get everything into a compliance state. Second, detect changes. Third, learn from changes, provide context to the changes allowing you to learn about the changes in the context of your environment so that you can set a baseline of normal/expected changes.
We entered the system through the dashboard. We found it very easy to use with good drill down.
Audit reports can be automated and distributed automatically. There are multiple types of reports for multiple audiences. Some types of hierarchies can be set up for access (executives have one type of access while engineers have more detailed access, for example).
Devices can be put in groups and can receive configuration templates. The policy engine is very robust and may be as granular as you wish. Policies are available for just about any system and can track to standards such as CIS or PCI.
Changes can be automated by using a companion provided by the tool. The companion is the quickest route for automating - e.g., group policy for Windows (they provide the template) or a shell script, etc. You can use Puppet (configuration tool) for some change implementation. Administration is detailed but also very straightforward.
The product manages switches the same way. It uses SSH, but you should apply best practices to secure the SSH. Thus, the tool uses proxies to access SSH (or any of their agents) to protect targets. The system protects itself by several means. There is a solid audit trail. The agents themselves are protected. One-way communications to the hub only are permitted and instructions are signed. The agent can only do what the hub tells it to do.
We found the pricing reasonable and the basic support is included making it a pretty good value for the money. It can feed a SIEM that consumes syslogs and can roll out a test device, test it and make sure changes don't break anything, then roll out the production version.
There is no support portal and we found the website to be mostly marketing. If you look closely, you can find a phone number that covers all contact including support. Documentation was what we'd expect for a tool of this type.