A couple of years ago, Bank Mutual, a federally chartered Wisconsin savings bank that handles more than $3 billion in customer assets, decided it was time to replace its event log manager. The decision, according to IT executives, was pretty much a no-brainer.
"We were at a point in our evolution where, for audit, compliance and security purposes, we needed a better handle on what was going on in our network," said Frank Green, vice president of network administration.
The bank was using Waltham, Mass.-based Novell Inc.'s Auditcon, which had become unsatisfactory for several reasons. First, the IT department was in the process of migrating to NetWare 6, which Auditcon does not support. Second, Auditcon is a fairly basic tool, lacking monitoring and real-time notification features, and it has limited reporting capabilities. "It couldn't notify an administrator via email when a potential security breach occurred, like someone trying to salvage deleted files," Green said. "You'd have to wade through the event database to find that out."
Addressing compliance pressures
At the same time, the bank faced mounting pressure from internal and external auditors and federal regulators to get a better handle on security and network activities, noted Jerry Arata, the firm's CIO. The IT group began looking for a tool that not only collected log information, but also let the right people know immediately when a potential security event occurred, and supported ad hoc reporting for forensic purposes.
Bank Mutual was something of a pioneer. At the time, most companies didn't even try to make sense of the massive amounts of event data they collected from various servers, often in proprietary formats. However, more companies, particularly those in highly regulated industries, such as accounting and health care, were feeling the same pressures. Regulations like the Sarbanes-Oxley and Health Insurance Portability and Accountability acts "specifically require you to monitor or have an audit trail, an accurate record" of security events like unsuccessful login attempts and the granting or removal of access privileges, noted Randy Franklin Smith, CEO of Monterey Technology Group Inc., a consultancy that specializes in risk mitigation, compliance and IT audits.
"How effectively you can demonstrate that you did [a compliance] measure is as important as doing the measure," agreed Paul Stamp, a senior analyst at Forrester Research Inc. in Cambridge, Mass. "That's driven a need for companies not only to recognize when something goes wrong, but to measure what happened, when and how."
Selecting the vendor and product
When Bank Mutual went shopping a few years ago for its own event log manager, the pickings were fairly slim. After evaluating several products, Green's group chose Novell Audit. Part of the reason was the company's plan to migrate to a largely NetWare 6-based environment, Arata reports. However, Audit can also manage event logs on the company's remaining Windows systems, as well as on network devices. The bank's long-term plan is to extend the product's reach across more and more networked systems and devices, Arata said.
Another critical Audit feature is nonrepudiation. Examiners won't look at a company's reports to determine who had access to what, Arata pointed out. "They want data generated directly from the application." Audit can provide that, along with proof that the log records were not manipulated, removed or modified. "Auditors love that. We haven't had a single complaint from one since we deployed the system."
Deployment process
Deploying Audit took about two weeks. "One of my biggest challenges was understanding what I was looking for and wanted to see," Green said. His group also spent a fair amount of man-hours setting up the policies and procedure "that are the bulk of administration," he added. "We had to figure out what's interesting to management, to the audit department; who gets notified when an event occurs; do we have the system accept a change to someone's access rights, or revert back?"
Arata, Green's group and some of the bank's internal auditors hammered out the policies with help from Neenah, Wis.-based Bedrock Managed Services & Consulting, formerly a Novell Platinum partner. The fine-tuning process, however, remains ongoing, Green said. For example, the group recently tightened monitoring of system directories that contain a lot of customer data.
So far, Audit has caught no major security events, "just small misunderstandings, like a new person not knowing the right procedure," Green said.
Benefits and savings
The product's usefulness has extended beyond security administration, according to Green. "A manager will come to me asking for a report when an employee logs in and out each day, because they seem not to be getting to their station on time."
In the first week Novell Audit started monitoring network logins, it found that Novell and Windows clients "were not being routed efficiently to services over the network," Green said. His team fine-tuned the routes and saved significantly on network bandwidth usage efficiency.
Nonetheless, the event log manager's main payback, Green and Arata agreed, is peace of mind. "We know what's going on in the network," Green said, "and that our auditors and examiners are very satisfied with what we're doing."
Elisabeth Horwitt is a freelance writer based in Waban, Mass.
