NNT Change Tracker Generation 7
New Net Technologies
Strengths: Good change management tool that would work well with some other types of risk management tools but has a strong place on its own for its compliance management.
Weaknesses: According to the vendor, support and maintenance typically is provided at 20 percent of the license fee. However, for enhanced service, which the vendor defines as 24/7/365 support, there is an uplifted charge of a maximum of 30 percent that is applied, depending on the agreed service levels.
Verdict: For the change management required for compliance in just about all regulatory requirements, this is a very strong contender.
The product is a strong PCI compliance measuring and reporting tool. It is built around detecting changes and determines if the changes are malicious or not. The product audits the in-scope systems and tells if they are configured properly. It also can automate the remediation. The tool can be agent or agentless. If you opt for agents, you can receive real-time alerts. With the agentless option, the polled checking results are not returned in near real time because you must wait for the next poll to come around. Agents are more efficient.
Change Tracker can manage configuration changes. Remediation is built around group policy. So the tool focuses on system hardening and reporting configuration errors. However, the tool does not do patch management. Rather, it is focused on systems being out of compliance - in part by monitoring changes that introduce vulnerabilities. It operates at forensic-level configuration management. It does not patch because, in the vendor's view, patching causes lots of changes and, since the tool is intended to catch changes, patching would generate a lot of false positives.
However, Change Tracker has intelligent change control that can look for what patches look like. It recognizes changes caused by patching so that it can recognize malicious activity hiding under patching.
The product operates on a hash level and sees changes, passes the hash to its threat intel feeder and compares with known hashes, good or bad (are they on the feed's whitelist or not?). Cache information (whitelist) resides on customer premises.
The goals of the tool are, first get everything into a compliance state. Second, detect changes. Third, learn from changes, provide context to the changes allowing you to learn about the changes in the context of your environment so that you can set a baseline of normal/expected changes.
We entered the system through the dashboard. We found it very easy to use with good drill down.
Audit reports can be automated and distributed automatically. There are multiple types of reports for multiple audiences. Some types of hierarchies can be set up for access (executives have one type of access while engineers have more detailed access, for example).
Devices can be put in groups and can receive configuration templates. The policy engine is very robust and may be as granular as you wish. Policies are available for just about any system and can track to standards such as CIS or PCI.
Changes can be automated by using a companion provided by the tool. The companion is the quickest route for automating - e.g., group policy for Windows (they provide the template) or a shell script, etc. You can use Puppet (configuration tool) for some change implementation. Administration is detailed but also very straightforward.
The product manages switches the same way. It uses SSH, but you should apply best practices to secure the SSH. Thus, the tool uses proxies to access SSH (or any of their agents) to protect targets. The system protects itself by several means. There is a solid audit trail. The agents themselves are protected. One-way communications to the hub only are permitted and instructions are signed. The agent can only do what the hub tells it to do.
We found the pricing reasonable and the basic support is included making it a pretty good value for the money. It can feed a SIEM that consumes syslogs and can roll out a test device, test it and make sure changes don't break anything, then roll out the production version.
There is a comprehensive support portal with all of the amenities one would expect. It is accessed from the members area. If you are not a customer you still can sign up to access the resources.