User activity monitoring answers the age-old questions of who, what and when

The city of Richmond, Va., had a user access problem. Because of an inadvertent misconfiguration of Active Directory, internal users were able to reach systems and databases they shouldn't have had access to. A user activity monitoring tool helped the city see the inappropriate access and lock down its systems.

At the beginning of the year, the analyst group Gartner identified "Security – Activity Monitoring" as one of its top 10 strategic technologies for 2010. In today's environment of heightened threats, privacy needs and compliance requirements, it's easy to understand why this type of security tool would be so important. Organizations must prepare for the possibility (or eventuality) that an attacker will get past the border defense or an internal user will accidentally or intentionally get to systems or data that he shouldn't be able to access.


Conventional approaches to file activity monitoring and file permission management aren't sufficient for many organizations. Third-party administrative tools and other widely used mechanisms, such as directory services groups and the file auditing built into operating systems, often cannot keep pace with organizational changes or with the sheer volume and growth of unstructured data. With these approaches there is also often a home-grown or manual system needed to aggregate data across multiple point solutions in order to answer the ever more pressing questions: Who has accessed what? When? And perhaps even why?

This was exactly the problem Daniel McRae's organization was experiencing. McRae is an IT manager for the city of Richmond, Va. Not long ago, his IT auditors instructed him to improve access security for the city's databases and applications. "We needed to assure lockdown of our file systems and databases," McRae says. "Due to an undetected misconfiguration in our Active Directory, this was not happening, and our monitoring efforts did not provide us with the clear information we needed."

McRae went to Microsoft, looking for a proactive tool that would provide information and snapshots to discover whether a folder or database was only being accessed by the appropriate groups of people, or if there was an access problem. Microsoft steered him to PacketMotion and the vendor's user activity management (UAM) solution PacketSentry to address the city's needs.

PacketMotion's approach to UAM augments network security and compliance by capturing and storing detailed user activity across the enterprise. PacketSentry correlates that activity with identity management systems such as Active Directory, indexes the data for quick retrieval, and applies reporting and proactive rules to the activity data. The correlation cuts across separate control and reporting point solutions to provide a single source of information about insider behavior across the network. PacketSentry is deployed out-of-band, so it does not sit in the traffic path and is unobtrusive to regular network operations.
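The correlation step described above, reduced to its essentials as an added example (this is not PacketMotion's or the city's code, and the data is constructed): access events observed on the wire carry only a source address, a resource, an action and a time; a logon table maps addresses to users, as a monitor would learn from domain-controller traffic; a group map stands in for Active Directory membership; and a policy lists which groups may reach each resource. Joining these answers who, what and when, and flags access that policy does not allow. The resource names, group names and functions are assumed for illustration.

```python
"""Correlate wire-side access events with directory identity and policy.

Added example, not code from the article or from PacketMotion. All
tables below are constructed sample data.
"""
from datetime import datetime

# Constructed logon observations: (source IP, user, logon time).
LOGONS = [
    ("10.0.1.15", "jdoe", "2010-03-01T08:02:00"),
    ("10.0.1.22", "asmith", "2010-03-01T08:10:00"),
    ("10.0.1.15", "bjones", "2010-03-01T12:30:00"),  # same host, new user after lunch
]

# Constructed directory group membership (stands in for Active Directory).
GROUPS = {
    "jdoe": {"Domain Users", "Finance"},
    "asmith": {"Domain Users", "HR"},
    "bjones": {"Domain Users"},
}

# Policy: groups permitted per resource. A resource not listed is denied to everyone.
POLICY = {
    r"\\fs01\payroll": {"Finance", "HR"},
    "db01:sql:citizens": {"HR"},
}

# Constructed access events as a network monitor would see them: (when, IP, resource, action).
EVENTS = [
    ("2010-03-01T09:15:00", "10.0.1.15", r"\\fs01\payroll", "READ"),
    ("2010-03-01T09:20:00", "10.0.1.22", "db01:sql:citizens", "SELECT"),
    ("2010-03-01T13:05:00", "10.0.1.15", r"\\fs01\payroll", "READ"),   # bjones, not permitted
    ("2010-03-01T13:10:00", "10.0.1.99", "db01:sql:citizens", "SELECT"),  # no logon ever seen
]


def user_at(ip, when, logons=LOGONS):
    """Return the most recent user seen logging on from `ip` at or before `when`, else None."""
    t = datetime.fromisoformat(when)
    candidates = [
        (datetime.fromisoformat(lt), user)
        for lip, user, lt in logons
        if lip == ip and datetime.fromisoformat(lt) <= t
    ]
    return max(candidates)[1] if candidates else None


def evaluate(events=EVENTS, logons=LOGONS, groups=GROUPS, policy=POLICY):
    """Attribute each event to a user and check it against policy.

    Returns (when, who, what, action, verdict) tuples; verdict is
    'allowed', 'denied' (user known, no permitted group) or
    'unattributed' (no logon observed for that address).
    """
    findings = []
    for when, ip, resource, action in events:
        user = user_at(ip, when, logons)
        if user is None:
            findings.append((when, ip, resource, action, "unattributed"))
            continue
        permitted = policy.get(resource, set())
        verdict = "allowed" if groups.get(user, set()) & permitted else "denied"
        findings.append((when, user, resource, action, verdict))
    return findings


def violations(findings):
    """Keep only the events an auditor needs to see."""
    return [f for f in findings if f[4] != "allowed"]


if __name__ == "__main__":
    for when, who, what, action, verdict in evaluate():
        print(f"{when}  {who:<10} {action:<6} {what:<20} {verdict}")
```

Two design points follow from the approach itself. The IP-to-user join is only as good as the logon observations, so an address with no recorded logon is reported as unattributed rather than silently dropped or guessed. And a wire-side monitor sees only traffic that crosses the tap: access from a console or from the server's own host never appears, so a denied or unattributed result is evidence for the audit, while the absence of events is not proof of no access.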

Using PacketSentry, the City of Richmond IT security and compliance teams were able to monitor and record all user and privileged user activities across operating systems, databases and applications; enforce access policies; and provide segmentation of information assets from unauthorized users without internal firewalls. According to McRae, "PacketMotion's solution allows us to lower our risk by providing control and visibility over users and information assets while improving our efficiency by reducing the complexity associated with internal audits and the governmental compliance mandates we have."

For all users, and specifically for privileged users, PacketSentry allows organizations to bolster their segregation of duties and change management controls. "I can easily demonstrate access to specific resources, as well as blocked access to the same resources," McRae says. "It's a great tool for audit and compliance. Unlike other tools we have used and evaluated, PacketSentry allows us to cut across all the silos of information to provide concise and timely information due to PacketSentry being on the network and capturing the traffic."

McRae was pleased with his deployment experience. "We had PacketSentry up and receiving valuable information within half a day," he says. "The tool is easy to use and very intuitive, and most important, it has no agents, which means no bottlenecks that slow down the network. That allows users to access their data in a timely manner as it sits off to the side and does what it needs to do. This is very important for us because, due to limited resources and processing allocation, we try not to use database logging." In addition, McRae says PacketSentry's tracking and monitoring capabilities have helped the IT department meet or exceed the auditors' needs and expectations for logging and monitoring access to resources. "The information is very easy to review and present," he adds.
