A customer had been using BindView bv-Control for Windows to analyze data and issue alerts upon discovering system vulnerabilities. When the customer contacted Symantec sales to renew their license, he was surprised to learn that the product had been incorporated into Symantec Control Compliance Suite and was no longer available as a standalone product. But after hearing about the additional features and benefits offered by Control Compliance Suite, the customer opted to give it a try. However, shortly after installing the product, he called Symantec to say that it wasn't functioning properly, so the salesperson contacted Tech Support.
Kuntal, a Control Compliance Suite specialist, called the customer and asked him to describe what he wanted the product to do. The customer had assumed that Control Compliance Suite would allow him to monitor a file-sharing system to find out when certain files were changed or deleted, when files were moved, and who had made the change or deletion and when. But he was frustrated when he found that the product couldn't do what he wanted it to do. Kuntal told him he would open a tech support ticket to research the issue and get him an answer.
"Control Compliance Suite is a reporting tool, not a real-time monitoring tool, so it doesn't have a specific feature that could provide the information the customer was looking for," Kuntal says. "But what the customer wanted to do was a reasonable request, and I knew we'd be able to figure out a solution for him."
Two heads are better than one
Kuntal got in touch with Eric, a senior tech support engineer, and after some brainstorming, came up with a clever solution. If auditing is enabled in Microsoft Windows, the operating system can audit folders so that any time a user makes a change such as creating or deleting a file, the change is noted in the security event log. But Microsoft Windows does not log a file being moved from one location to another. The trick here is knowing what happens behind the scenes when a file is being moved—the file is deleted from the source folder and created in the destination folder. Since file creation and deletion are auditable events, a user can run a query to look for those events. If the query finds that a file was deleted from one location and created in another location just a few seconds later, the file was obviously moved.
Kuntal and Eric determined that advanced query building would be the key to monitoring user activity using Control Compliance Suite. All the customer needed to do was enable auditing on the target directory and on the query engine and build an event logs query to compare the data. Control Compliance Suite could then search through the reports to identify which users created or deleted files, and when. If a customer wanted to find this information across multiple servers manually, it could take a really long time. But Control Compliance Suite can do it in just a few minutes by auditing security logs.
Documenting the solution for the future
After Kuntal and Eric collaborated on the solution, Eric wrote an article for the Symantec Tech Support Knowledgebase outlining the step-by-step advanced query building process that would provide the information the customer was looking for. He then sent the customer a link to the article on the Symantec website. The customer used Eric's instructions to create his own query and wrote Eric to let him know that the query had delivered exactly the information they were looking for. The customer was very happy and gave Eric the highest customer satisfaction rating possible.
"Query building is an advanced process, something customers really need technical expertise for," Eric says. "By thinking outside the box, Kuntal and I came up with the foundation of the solution and further refined it to meet the customer's expectations perfectly."
Thanks to Eric and Kuntal putting their heads together to come up with a solution, the customer was able to use Control Compliance Suite to access the information he needed, and Eric's article is now on the Symantec site so other Control Compliance Suite customers can use the same solution.