REVIEWER: Dennis Strain, Network Administrator for Northgate Minerals Corporation - Kemess Mine.

BACKGROUND: Kemess Mine is a principal operation of Northgate Minerals, a gold and copper producer with mining operations, development projects and exploration properties in Canada and Australia.

PLATFORMS: Windows 2003 server.

PROBLEM SOLVED: As a publicly traded company, we are subject to stringent requirements under the provisions of the Sarbanes-Oxley Act of 2002. Under section 404 of the act, we are required to review all log activity for financial systems. In addition, we are also concerned with monitoring logs to proactively manage violations, identify security incidents and ensure enforcement with key requirements. Previously, we used a homegrown system of scripts, but it was simply not robust enough to meet increasing reporting demands. Because of the sheer number of logs, a lot of manual analysis was required to generate intelligence, and even then, the response times to incidents were unacceptable. Realizing that we needed an automated solution that would help us improve our security posture, we chose Prism Microsystems EventTracker as a centerpiece of our compliance and security efforts.

PRODUCT FUNCTIONALITY: We use EventTracker’s preconfigured SOX reports to report on log-on failures, resource access, software installs/uninstalls, user lockouts, password resets, changes in policy and more. These reports are scheduled to run automatically on a daily and weekly basis, removing the need for manual intervention. We also run ad hoc reports and analyses to monitor our systems for suspicious behavior and to ensure forensic traceability in the event of a violation. One area where EventTracker is really useful is for tracking employee activity and access to data. All our files are locked down by department, and with EventTracker’s workstation agent, we are able to ensure that employees are only accessing files that they are authorized to access. We also utilize the USB functionality to monitor inserts/removals of external devices as well as get detailed information on files added and deleted – this helps us combat insider theft without having to resort to extreme measures such as banning all USB device usage. Although we acquired EventTracker primarily for compliance and security, we now also use it to troubleshoot network and system issues and ensure high IT availability by quickly responding to disruptions with the help of real-time alerts.

STRENGTHS: A main strength of EventTracker is its breadth of coverage – we are able to monitor our entire network from the server down to the workstation and USB device level, which ensures that we have complete security, regulatory and operational visibility. Another useful feature is the real-time view of critical events that gives us a current view of what’s happening on our network. Yet another feature that we find helpful is the integrated knowledge base, which provides descriptions on more than 20,000 events via a searchable database. In the event that we do not understand a particular event, we can quickly research it through the knowledge base and get detailed cause-resolution information.

WEAKNESSES: It is a Windows-based product, so we have to ensure that patches are up to date.

SELECTION CRITERIA: We chose EventTracker primarily because it allows us to monitor workstations and USB devices in detail. Operating in a highly regulated environment, we need to know exactly where our data is going and how it is being accessed. Without the ability to monitor workstations, we get a limited security view, which is unacceptable. Another requirement for us was the ability to quickly respond to issues. EventTracker’s large number of out-of-box correlation rules and real-time security alerts met this requirement quite impressively.

DELIVERABLES: We get SOX auditor-ready reports, custom reports, real-time security alerts, real-time operational alerts, real-time monitoring of current and critical events, central consolidation and management of enterprise-wide log data, comprehensive audit trails and forensic data.

VENDOR SUPPORT: Implementation took us less than a day, and support has always been provided in a timely manner.

DOCUMENTATION: We were able to deploy EventTracker with minimal training. Documentation is comprehensive and easy to follow.

EventTracker

Prism Microsystems

8815 Centre Park Drive

Columbia, MD 21045

(410) 953-6776

www.prismmicrosys.com


Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access