Keeping Data in Its Place
RICHMOND, VIRGINIA, which dates to 1607, has its share of ghosts, but when city officials learned that employees were seeing things they shouldn’t, what they glimpsed turned out to be far more hair-raising than an apparition: it was each other’s files, containing confidential records, and other sensitive databases. To ascertain where rights assignment had led to problems, the city’s IT department turned to a product that provides activity information, alerts, and auditing capabilities.
“We have about 4,000 city employees and about 3,200 end-point computers out there, and all of these are connected to the neighborhood of 200 to 250 servers in the data center,” says Daniel McRae, IT manager for the city of Richmond, who is responsible for IT infrastructure, networking, and security. “We cover everything from the smallest path, which might be just as simple as a small spreadsheet or small access database application, all the way up to the big enterprise applications.”
McRae explains that the IT department was first alerted to the rights-assignment problem last year by a user who was able to view coworkers’ files and knew that he should not be able to. The employee reported the situation, and an IT investigation was launched.
“During the course of the investigation, we found the problems were not malicious in intent. The file share rights that these users had been assigned were inappropriate…. It was a misconfiguration done by an administrator,” McRae states.
The immediate errors were corrected, but McRae was left wondering how to monitor the actions of city administrators who assign file-share access rights to employees. The IT department decided to look for a technology solution that would allow it to quickly spot any future rights-assignment mistakes. McRae says that any solution the city purchased needed to reveal “classic security things—who, what, when, and how: Who accessed what, when did they do it, and how did they manage it?”
Last spring, McRae began talking to vendors. “When we spoke to our Microsoft representative, he said, ‘Microsoft doesn’t have anything in particular that would work, but I know of a product called PacketSentry that can help with this.’ So we got in touch with the company, researched, and subsequently scheduled a demo.”
PacketSentry, by PacketMotion of Sunnyvale, California, provides detailed activity tracking, real-time alerting, protection of sensitive data, and compliance and auditing controls and reporting. The system consists of one or more (depending on the size and complexity of the user’s network) “Probe” devices and a “Manager” appliance box.
The Probes are deployed in key locations within the network, such as network switch monitor (SPAN) ports in front of data centers and fiber taps in data centers. Each Probe passively gathers data, decodes application-level activity, and sends the resulting user activity records to the Manager.
All communication between the Manager and Probes is authenticated and encrypted. The Manager appliance combines data from all the Probes into a unified, user-correlated transaction database and provides the Web-based administration interface.
Installation was simple, according to McRae. On the morning of the 30-day demo, an engineer from PacketMotion “came in, set it up, and had it up and collecting data within four to five hours,” he says. “Once we racked the device and had it powered up, all we had to do was create a SPAN port on one of our networks to tell it to copy all traffic over to the SPAN port connected to the Manager device.”
McRae liked that there was no network degradation, because, as he explains, “it doesn’t get in the middle of the user and their traffic. It sits off to the side just listening in. It doesn’t slow anything down.”
The engineer also provided the IT department with hands-on training on PacketSentry’s use, especially on search methods. “I think it’s kind of like Google in that when you type in a general search term, you get a lot of info back, but to drill down to get the information you really need required some training,” McRae says.
IT department personnel can access the database through a Web-based interface. “You just pull up a blank Web page and type in the IP address of the Manager device. It pops up, you log in, and you’re presented with the dashboard,” McRae says. “For example, if I want to see which user accessed a particular spreadsheet this morning, I can type in the name of the spreadsheet, and it will give me a list of when it was touched by any machine or any user,” he explains. “It’s not anything that you have to learn complex scripting languages to run; you don’t have to write queries.”
During the demo period, says McRae, “We exercised the box, and made sure we could get the information we needed and [could run] reports, set up rules, and other things.”
After putting it through its paces, he concluded that “Everything that PacketMotion said the product could do, it did and it did it well.”
McRae says that the report-generating function of the product is especially helpful. He was able to create a daily rundown of all of the changes made to his Active Directory, such as whether a new user was added or deleted. “That makes things easy, because all that’s required is just pulling up your e-mail to look at the report.”
He can also get more detailed reports, such as the history of a particular file from its creation, including when it was copied, accessed, or deleted. “With the databases, I can run a report that helps me see patterns of access,” he states.
PacketSentry also helped the IT department meet auditing requirements more easily. “Auditors like you to log everything… but that can slow down databases and make the users’ experience abysmal,” he explains. “PacketSentry takes care of all of the logging that the auditors ask for. It audits everybody, so if you’re on my network, and you’re accessing one of my servers, it’s logging it.”
McRae says that at the end of the demo period last June, the city moved forward to purchase PacketSentry with some additional data storage. “The base unit comes with a certain amount of storage. As we were using it during the demo, we realized that for the amount of data we were capturing, the base amount of storage wouldn’t be sufficient,” McRae says. The cost of the system with the extra storage was about $90,000.
McRae says that the return on investment is coming “primarily in the form of time saved by my engineers…. I can find out what I need to know in minutes as opposed to my engineers’ taking hours to find out.”
One example he puts forth is when one of the city’s divisions asked him to trace the activity of a particular user. “So I hopped in there and took a one-week snapshot of the user’s activities,” he says. “I could see when that person logged in, when he accessed his normal spreadsheets and documents, when he updated them, when he saved, Internet access—all of that.”
The task took McRae an hour. Before installing the new system, “I would have had two engineers working on it for a couple of days, because it’s that difficult to track everything accurately,” he states.
McRae says that he has had no technical issues with PacketSentry whatsoever. “I have not had to call support one time. Support actually contacted me because it was due for an update for new software,” he states. And there was no charge, which was something McRae says was new. “I have never run across a situation where support called me and said we want to schedule this upgrade, and it isn’t going to cost you a dime. That was great.”