To produce the reports needed to comply with the Sarbanes-Oxley act—and to avoid costly manual log file analysis—defense contractor ManTech International Corp. has added system application log processing to its back-end computing infrastructure.
In 2003, ManTech embarked on an implementation of Quest Software Inc.s InTrust event-log auditing tool. The company started with InTrust 8.0 and is currently using Version 8.5.
"We were looking for a tool that would report events that we considered significant from a [SarbOx] control perspective," said David Spannare, CIO of ManTech, in Fairfax, Va. "We wanted to define upfront what those events were and then have a tool notify us when those events occurred.
"For instance, we wanted to target and track changes very specifically if someone went in and updated the files that support preparation of financial statements for our [Securities and Exchange Commission] report," Spannare said.
Getting up and running with InTrust wasnt easy, but the payoff has been worth it, according to Spannare.
For example, generating the initial reports needed to monitor events on ManTechs Hewlett-Packard Co. HP-UX systems was difficult, said Spannare—so much so that Quest provided product-manager-level help in getting the reports online.
Now that InTrust is up and running, it is helping ManTech mitigate audit compliance costs.
"In several areas, we were facing either a pretty dramatic commitment to going in and examining audit logs that are generated by the operating systems, or applying tools to the task and simplifying the task," Spannare said.
As part of its SarbOx controls, ManTech also uses InTrust to confirm certain actions.
"One of our Sarbanes-Oxley controls requires specific actions to be taken by our security administration personnel at specific times," said Spannare. "We verify that the security administrator actions have been taken by reviewing the InTrust alerts, and this provides independent evidence that the actions are completed."
As an IT operational support provider to the U.S. government in general and the Department of Defense and several intelligence agencies specifically, ManTech faces extensive reporting requirements. The company employs about 6,000 workers in 34 countries and 40 states.
According to Thomas Ware, ManTechs IT director, also in Fairfax, the defense contractor uses InTrust to monitor a mix of about 50 Microsoft Corp. Windows Server 2003 and HP-UX systems. ManTrust IT managers also use InTrust to monitor Oracle Corp. database systems and Cisco Systems Inc. network infrastructure equipment, but so far they are looking only at logging information from the operating systems.
Spannare said his staff is evaluating InTrust for use in reporting on the Oracle and Cisco systems, as well as InTrust Version 9.0 for a higher level of security monitoring services.
A raft of finely tailored reports currently tells Ware and Spannare what is happening on a daily basis. "I can look at the daily reports and tell at a glance if something is wrong," said Ware. "It takes me only about 5 to 10 minutes every day to review the daily reports."
ManTech uses many of the reports that were shipped with InTrust, but when a report needs to be customized, Ware does the work himself.
But whether hes using canned or custom reports, Ware likes that he can easily go back over the log history to pinpoint exactly who made what change to his systems.
"We had a case where an important user account came up missing—the account was not in the directory," Ware said. "We immediately took action and restored the account, and I was able to go back and see that it was a mistake made by a particular administrator. Its nice not to have any mystery about who is making changes to the system."
In addition to audit compliance, ManTech uses InTrust for real-time monitoring and alerting.
"Beyond Sarbanes-Oxley controls, we have found other benefits of using InTrust," said Ware. "For example, if one of my admins fat-fingers his password, Im getting e-mails and alerts on that event. I can literally walk down the hall and see if that person is, in fact, having trouble with his password or if someone is trying to break in to the system."
Ware also uses InTrust to get alerts when the domain administration group membership changes. The InTrust agent on the domain server has audit policies that monitor additions and changes, and it sends an e-mail alert to Ware when any change is made. "I know right away that something is happening, and, if its not authorized, I can take action right away," said Ware.
Technical Director Cameron Sturdevant can be reached at email@example.com.