Automox Audit Trails for Compliance and to See Who's Doing What, Where

Episode 6   Published June 25, 2024   12 minute watch

Episode Summary

In this episode of the Product Talk podcast, Steph Rizzuto interviews Brandon Shopp, VP of Product, and David Riott, Senior Engineer, at Automox. They discuss the upcoming feature called Audit Trail, which allows users to track and monitor activities within the Automox platform. The feature will initially be supported via the API, with plans to integrate it directly into the Automox console in the future. The decision to develop this feature was driven by customer demand for compliance and security purposes. The engineering challenges involved creating a non-invasive implementation that captures and saves the necessary data without disrupting the existing backend systems. Customers will be able to access the data through an API and ingest it into their own platforms using the Open Cybersecurity Framework (OCSF) schema. The feature is set to be released by the end of June.

Transcript

Steph Rizzuto: Hi everybody. Welcome to our next episode of the Product Talk podcast. You'll notice Peter's not here. We've given him the summer off. So you guys are stuck with me for the next two podcasts. And I have some guest stars today. Brandon Shopp, who's our VP of Product, and David Riott, who is the Senior Engineer here at Automox. Why don't we start by Brandon, you want to go ahead and introduce yourself?

Brandon Shopp: Sure. My name is Brandon Shopp. I've been at Automox just over a year now here and leading the product organization as well as technical alliances. And wanted to talk to you today a little bit about a new feature that will be launching here shortly called Audit Trail. In our first iteration of this functionality, it is going to be supported via the API. And what's important about, you know, this Audit Trail functionality is that it tells you within the Automox platform who did what, when and where. So if you want to see who created a Worklet, who edited a Worklet, who added a policy, those are the types of activities and events that you'll be able to see in there from an audit perspective. But even from a security perspective, if you have somebody that's trying to brute force their way into the Automox platform by authenticating repeatedly multiple times, you'll see that as a set of failure events. So there are multiple use cases into why Audit Trail is an important set of capabilities.

Steph Rizzuto: Brandon stole my intro. I was going to tee up the feature, let Brandon talk about it, but he just, he just jumped right in. That's okay. All right, David, why don't you go ahead and introduce yourself and then we'll talk more in depth about it.

David Riott: Hehehehe. Hehehehe.

Brandon Shopp: Sorry.

David Riott: Yeah, yeah, David Riott here, joined Automox in January of 2023. So coming up on a year and a half. And I'm an engineer here working on a bunch of stuff, but I did the Audit Trail feature along with the team. So yeah, that's me in a nutshell. It's why I'm here.

Steph Rizzuto: So Brandon, I wanted to kind of hit on while we're here and we talked about it in the last podcast about how we are moving to more iterative approach. So you're going to see features out faster, allows us to get feedback and get things into our customers hands quickly. So maybe we could talk a little bit about how this first version is the API, but then what's next? Like what's the evolution of this? What's next to come for it?

Brandon Shopp: Yeah, no, great question. And so, yeah, so we initially focused on, you know, as you mentioned, the API and, you know, so that way customers could expose or export these Audit Trail events into, you know, their logging tool or their SIEM tool of choice from an analysis and security perspective. But as a follow on, what we intend to work on is exposing this directly within the Automox console so that you can interact with these events, whether it's via the APIs that we're discussing today or in the future, being able to search, filter, group, things like that directly within our console.

Steph Rizzuto: And Brandon, did we see, how did we kind of land on picking this feature? You see a high customer demand. Could you talk a little bit about what that process was like?

Brandon Shopp: Yeah, absolutely. This has definitely been a highly sought after feature. And a lot of it really comes down to typically one of two things. One is compliance. I need to be able to prove to my auditors that I am auditing, I am tracking these types of activities and events.

And the second, as I stole the thunder earlier, talked about the security side of things, to where you want to understand who's doing what in the system and where. And is there any type of potential malicious activity going on that you need to be mindful and keep an eye on? And so that's ultimately what drove customers to do that. But also, I'll add in there, a lot of times it's, you know, somebody makes a change and not everybody knows who to go ask or in some cases who to blame. So, you know, if a policy gets created, it runs and there's an issue. Well, do I go talk to David? Do I go talk to somebody else? Who do I go talk to about that? You know, why did you set it this way? Why is it configured this way? Things like that.

Steph Rizzuto: All right, Brandon, yeah, that makes sense and sounds good. It's good to hear where these requests are coming from and how we're using the customer feedback to drive the roadmap and things like that. So I know this was a big ask, but like you said, this was like a pretty highly requested feature. So it's pretty exciting and ready for it to be out there and people can start taking advantage of it. Let's shift gears a little bit and David, maybe we can talk about some of the engineering aspects of this. You know, it's me and Brandon's job in product to say what we want, what the customer demand is, but then David has the tough job of figuring out how to go make that happen, all these crazy requests that we have and the timeframes that we want them in. So I want to take us through this feature a little bit. What were some of the challenges, how, you know, the ins and outs of it, how you decided to implement it and such.

David Riott: Sure. Well, sometimes deciding what you want is actually harder than determining how to get it. At least for me, that's proven true. But no, this is honestly, it's fairly straightforward in the sense of most of the, well, all the activities already happening on the Automox platform. And it's kind of a matter of just really capturing it in a way that's.

Steph Rizzuto: Sometimes.

David Riott: non-invasive to the rest of the whole backend systems and, you know, not doing not interrupting latency and anything else like that. So yeah, that's stuff that sort of springs to mind in terms of the challenges is just how to do a kind of lightest touch implementation possible without disrupting, you know, any of these APIs that our customers know and use every day. So, yeah, that's sort of front of mind. One thing we've been doing here at Automox is introducing something called an API gateway, which is sort of a front door, not strictly speaking the front door, but a sort of conceptual one into the rest of the backend systems in the platform. And there are a number of good reasons to do that: authentication, rate limiting, greater control over your endpoints and your paths, and sort of future-proofing some of the ways that you can evolve as an organization to change routing or do different kind of things that are transparent to the customer but that are necessary and required to keep a system up to date and alive and well. So as a part of that work, introducing an API gateway, we decided to plot the Audit Trail work sort of into that segment of the application stack and sort of skim off the top, if you will, the requests that come through there, through the front door and sort of just check, hey, is this an action that we want to be auditing? If so, let's slurp up all the good information, all the data from that and save it off somewhere so that our customers can see it.

And the exciting part, I guess for me, one of the exciting parts is actually getting to see this kind of data. You know, it's one thing to know and perhaps love an application through its user interface or through its APIs. But it's a whole other, a whole other perspective to see how frequently are these called? You know, how frequently do I have, am I fetching servers or am I, you know, how often are people rebooting devices and perhaps even who's the most active on the platform and what are they doing, what kinds of activities. And I think that's like an interesting view on a customer's perspective. What am I doing? What are my people? What are my employees doing on the Automox platform? And then just from the Automox's perspective, what are our customers doing? And that also helps just give us insight into, you know, how to make those experiences better if they're the ones that are most frequently being used. So, yeah.

Steph Rizzuto: Yeah, definitely. It's something that our product design team can take a look at and as well in product, like how do we improve the areas, like you said, where we're seeing the most traffic, what are the most actions being taken and how do we make that better?

So David, how are customers getting access to this data now that we're ingesting it?

David Riott: Yeah, that's a great question. For now, we brainstormed several fun ways to do it. But for now, the most straightforward is an API, wherein customers will poll for information that we've been saving. And it's fairly straightforward. You're just sort of asking for the next set of events that we're ingesting. And the API will also tell you, hey, here's where to pick up for next time. So after you request one thing, you know from that response, I'm gonna ask this next question again to get the next set of events. And the actual event content is something that we put quite a bit of thought into and we decided to use a framework called OCSF. And that's sort of an open security framework that is an open source, basically set of schemas that try to standardize activity that happens in all kinds of different computing systems in a way that represents, you know, all the stuff that Brandon listed at the beginning, the who, the what, the when, where, et cetera. And we've sort of taken this schema and adapted it to the Automox concepts. And so what we have then is a highly structured data set that customers can ingest into their platforms that is a standardized shape. And so hopefully that makes things easier ingesting their data into SIEMs or other applications that they might want to ingest that data into.

Steph Rizzuto: Awesome. So I feel like anyone watching this who's a customer, their first question is going to be, when can I get access to this? Do we have an ETA? Are we doing early access? What's kind of the release plan for this feature, Brandon?

Brandon Shopp: Yeah, so on this one, we're not doing early access or beta like we have with some other features. So we'll actually be going straight to GA here by the end of June. So that is when we're intending to deploy that, including API documentation, kind of outlining a lot of the things David was just touching upon.

Steph Rizzuto: I'm sure people are really excited to get this in their hands and then even better will be when you have the UI element and they can look at this in console. It will be super helpful. Well guys, unless Brandon or David, you have anything that you think everyone really needs to know about the Audit Trail, I think we can wrap up this episode of the product podcast and we will see you guys next month.