A riot of memories

As a frequent visitor to London for both work and pleasure, it was a bit saddening to see the recent riots on TV news. Whilst the original trouble might have been sparked by a protest against the police shooting someone dead (always sad but he was reportedly armed) the subsequent breakdown in law and order across London was shocking to see.

Technology played a major role in these events.  Firstly, the wall to wall news coverage quickly spread the news that rioters could “get away with it”. By that I mean that it appeared as if the police were standing back and watching as shops were looted and homes and businesses were set alight. A few days on and a lot of people are finding out they were wrong and that the law has a long arm, with thousands in custody and the courts handing out severe penalties.

It was widely reported that social media, smartphones and Blackberry devices were used to orchestrate the riots. Twitter and Facebook postings have already been used to track down those who were inciting the riots. Surprisingly, the police were able to monitor this traffic very quickly and use the information to respond quickly to planned troubles. Facebook postings have already been used in the courts as evidence against some of these criminals.

Reassuringly, social media was also used to help organise a clean-up operation.  This wasn’t so widely reported but thousands of people turned up with brooms and other cleaning equipment at sites across the country, helping communities to get back to normal.

Amongst all the reporting of the troubles, one item caught my attention.  An older lady was being interviewed, as her flat above a shop had been burned out.  She was remarkably positive given that she had lost her home and possessions.  Her biggest regret was losing her photographs which were irreplaceable.

Which set me thinking about my home and possessions, and what I would miss if something happened (it doesn’t take a riot, accidents occur).  Surprisingly there’s not much that couldn’t be replaced, simply objects.  Apart from the photos.  All those pre-digital images that sharpen the memories – weddings, christenings, birthdays and holiday snaps across so many years that make you smile, laugh or cry as you turn the pages of the album.

So I will get around to scanning negatives and photos, saving them to different electronic locations for safety.  Apart from that one of the fat kid with the hand knitted tank-top jumper – the 70’s was not a great decade for fashion – that’s best forgotten.

And my marketing “hook” into corporate archiving?  There isn’t one, not this time.  I could link into many themes but the events and tragedies that have unfolded deserve more respect.


Bribery, corruption and hacks

It’s funny how our interpretation of words changes over time.  Twenty years ago a “hack” in my mind was a slightly dishevelled journalist, usually staggering out of some bar at lunchtime to go knock out some copy for the paper’s next edition.  In light of the revelations in the UK over the past week, newspapers and hacks have a whole new meaning.

I’m not going to repeat the various reports and accusations here, they are easily found on the web, suffice it to say that it appears the News Of The World (the UK’s largest circulation newspaper) paid private investigators to illegally access the voicemails of murder victims and military personnel who died in action.  And those of their families.  As well as being morally wrong, this is a criminal offence.  Hence the Metropolitan Police are finally making a full investigation.

And the investigation spreads ever wider, with reports of the newspaper paying bribes to police officers for information.  The UK Bribery Act came into force on the 1st July 2011.  This has provision for unlimited fines and lengthy jail sentences, which is probably causing nervousness in certain news organisations.

Investigating this crime will take a very long time.  The police will require access to emails, internal memos, phone records, bank account statements and other financial records.  Let’s hope that News International has its records management policies in place, and that this information is already preserved from destruction for handing over to the authorities.  If not, then that’s a whole new scandal.


Archiving, it’s what we do.

Having always been dedicated to my job, I was working late at the end of last week entertaining one of my clients in London (The Globe pub near Moorgate tube station).  I eased my woolly head back into work on Friday by re-reading last year’s Gartner report on Enterprise Information Archiving.  AXS-One has figured in Gartner’s Magic Quadrant for email archiving for some time, and also in the old IDARS report before that.

When it first came out I admit to being a little disappointed with our position in the lower left quadrant – a ‘niche’ player.  But we’re in good company, right next to HP and in the vicinity of OpenText and some other good solution providers, so not that bad really and of course, we are in the report!

Gartner states that the leading vendors have a solution that handles compliance supervision, integrated discovery, archiving of SMS and Blackberry messages, and both structured and unstructured data.  A tick in all those boxes then.  Hey!  We’re doing OK!

So a quick look into the top right “leaders” box – Symantec, Autonomy and Iron Mountain (their last appearance I guess).  I’m sure they have great archiving solutions that also sit alongside all that anti-virus, backup and content management product.  Big corporations with a global reach.

By contrast, AXS-One is relatively small and focused, having around 60 dedicated archiving specialists world-wide.  And do you know what?  I think that’s a good thing.   There is no smoke and mirrors and we are not big enough to be arrogant.  Being in the business for 17 years we have some of the world’s biggest companies as clients, and many of these have been with us from the start – storing petabytes of information into our scalable archive.  But these huge corporations have people working in small departments.  And these people develop business relationships with our support and consulting staff.  When they call to get advice or help with a problem they get through to someone they know or have met, not some unknown voice in a call centre somewhere.

So we offer a fully functional archive and a personal service.  We are focused on delivering archiving solutions that address our client needs, not all that other stuff.  And as we grow and move up and right in the quadrant we will try our hardest to retain this approach.  Because it’s important.

At the end of the day, “Archiving, it’s what we do.”


A Cloudy Future

A thought occurred to me whilst re-reading the last blog (someone has to read it) about the IMF hack, and the World Bank cutting links to them.  If you’re under attack and want to guarantee that no-one is looting your vital information then the simplest option is to pull the plug on the infrastructure links to the outside world.  That solves the immediate problem and gives you a breathing space to assess the situation and get things under control.

However, in this world of the Cloud it’s not that simple.  Now this is hypothetical, but assume that the IMF was using a Cloud provider for email.  By pulling the internet plug out, you lose your email.  No big deal?  But what if your legal team was involved in a legal case and they were searching through that Cloudy email for evidence?  Imagine they are involved in a high profile case and have to assess emails and present this to the Court, on a very tight deadline.

And operationally, employees need access to email.  I had problems this morning when my mail account was locked and I couldn’t access our email system.  I don’t keep everything locally on my PC and there are contracts and discussions on email that I need to access in order to work.  Thankfully I could access all my emails on our corporate compliance archive – every email sent and received is captured there.  So I could continue to work.

If all your email is on the Cloud, and you can’t access it, what’s the impact to the business?  From my point of view this is a major argument in favour of having an in-house archive.  Employees can continue to access their old email.  Legal and compliance teams can continue to search and package information.  Business can continue.  And this is easy to achieve – we just journal the email from the Cloud provider to our archive – it’s possibly the simplest archiving that we do.

And I’ve just thought of another benefit to doing this.  If you decide to change Cloud provider in the future you don’t have to worry about transferring email from the users’ mailboxes to the new service – they can access their old email from the on-premise archive.  Just transfer the last week or two’s messages and job done.  Simple.  Probably saving a small fortune too, as most providers include a transfer out clause in their agreement and this tends to get overlooked or ignored when entering an agreement.

I’d appreciate views and comments on this – if there’s enough interest then I’ll work through the ideas fully and create a white paper.  Let me know.


Hacked off?

First of all let me apologise. I promised last time to publish details of how to add log files to our archive and a guide for using the interface. No excuses, I simply haven’t got it done yet. It will be there soon, I promise.

So back to the subject of hacking. And there’s been no shortage of news on the topic over the past two weeks! As you may be aware, this topic hit the news “big time” with the Sony attack which resulted in major data loss. That site was down for some time, so it must have hit Sony financially (but that’s not been reported) as well as damaging their reputation.

And since then other games companies have been subject to attack – Nintendo, Epic, Square Enix, Bethesda and most recently Codemasters have all been hit. At one time I did think that games companies were being singled out for hackers’ attention. But I was so wrong.

EMC’s RSA subsidiary has been successfully attacked (embarrassing for a security company), and that appears to be linked to the subsequent breach of Lockheed Martin’s security (for a good report on this see here). Google has been attacked, reportedly emanating from China. And we now have two reports of serious compromises in security in the financial sector, at the International Monetary Fund and at Citigroup Inc. These last two are worth looking at in detail.

We’ll start with the Citi intrusion, which the Bank has stated affects 360,083 accounts (I love the accuracy). Initially they reported 200,000 accounts were at risk, and they are now getting criticism that they under-reported the scale of the incident – a big mistake in public relations, which affects reputation. Citi insists that the stolen data didn’t give enough information for fraud to be committed, but they are still re-issuing new cards, which isn’t a cheap exercise. It is probably a testament to Citi’s implementation of the PCI DSS standard that the stolen data is of limited use.

The IMF attack is a totally different type of incident, apparently motivated by political opposition to their terms for lending money to Greece. It pre-dates the media circus and feeding-frenzy around Dominique Strauss-Kahn, so that isn’t the motivation but it does make it more high-profile. As does the news that the World Bank temporarily cut its network connection to the IMF. The extent of the data loss isn’t known, but I have seen reports that emails and documents were taken – in my book that’s a significant loss.

The FBI is now publicly involved in investigations at Google, Lockheed and the IMF. They have old links with RSA, so you can bet they are there too. And what do you think one of the FBI’s first questions will be? “Where are your log files?” is my bet. These logs will be key to the investigation by electronic forensic examiners, working backwards to figure out how the attack was made (so they can plug the hole) and who did it (so they can prosecute them). Undoubtedly these attacks will have been prolonged, so hopefully they still have several months of logs to trawl.

The question is, if this happened to you would you have the evidence? At the very least, check that your operations team has a process to rotate and store the system and application log files, that the retention period is long enough to cover an intrusion that went unnoticed for months, and that the stored copies can be shown to be unaltered. And test they can retrieve them. But if you want to store these logs in a secure, scalable, auditable repository that can retrieve them instantly, then drop me a line.


Log files, the latest IT nightmare?

Log file management is becoming a problem for many companies – storing, retaining and deleting these files is a hidden cost, tying up operations staff time. And finding the right log file and analysing it in case of problems such as investigating a hack or fraud can be difficult and time consuming.

Why do I suspect this is a concern? Because a friend of mine is a SysAdmin and he’s worried. And contacts at three different companies have discussed this same thing with me very recently. I suspect there are many others out there facing the same problems.

There are actually 2 or 3 linked problems here. Firstly there’s the simple log file management logistics. Almost all system administrators will have scripts implemented for log rotation, moving the log and truncating it on a regular interval. Depending upon the speed of growth of the log, the rotation could be hourly, daily or weekly but most sites use a daily rotation. The number of logs that must be kept varies, but it is easy to identify 10 logs on a server that should be retained – that’s 70 files each week, over 3,500 per year if they are kept for only 1 year. That’s a lot of files, and quite a lot of storage (even with compression). And most sites have 4 or 5 servers, so a relatively simple task has transformed into the management of 15-20 THOUSAND files.

Not so trivial.

Having stored these logs, the admin team now has to spend time moving these files to cheap storage locations – even though disk is cheap, most places don’t have enough – making sure that nothing is lost in the migrations. And then there is the task to delete the files at the end of the retention period. This all takes time and is easily overlooked. As is including these files in tape backup schedules – cheap storage and no backup is a business risk.

Definitely not so trivial.

And then the third problem arrives – the internal security team, investigating a fraud or external attack, asking for log files for a certain period. Not forgetting their loaded question “…can you confirm that these logs have not been tampered with since creation?”
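The three problems above (the earlier post’s “test they can retrieve them”, the move-and-delete logistics, and the security team’s “has this been tampered with?” question) can be answered by a very small amount of discipline at rotation time. Here is an added Python example, not part of the original post and not uCOOL or any other product: it copies a rotated log into a dated archive tree, records its SHA-256 and expiry date in an append-only manifest, verifies the stored copies against the manifest on demand, and purges files whose retention has passed while logging the purge rather than rewriting history. The directory layout, the manifest name and the constructed sample line in the demo are all assumptions made for the example.

```python
"""Rotated-log archiving with a hash manifest, retention expiry and integrity check.

Added example, not the original post's code. Layout and file names are assumptions.
"""
import hashlib
import json
import os
import shutil
import stat
from datetime import date, timedelta

MANIFEST = "manifest.jsonl"   # append-only: one JSON record per archive or purge event


def sha256_file(path):
    """Stream a file through SHA-256 so a multi-GB log never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _append(archive_dir, record):
    with open(os.path.join(archive_dir, MANIFEST), "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def archive_log(src, archive_dir, host, retain_days, today=None):
    """Copy one rotated log into <host>/YYYY/MM/DD/, hash it and record its expiry date."""
    today = today or date.today()
    rel = os.path.join(host, today.strftime("%Y/%m/%d"), os.path.basename(src))
    dest = os.path.join(archive_dir, rel)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(src, dest)                       # keeps the original mtime
    os.chmod(dest, stat.S_IRUSR | stat.S_IRGRP)   # read-only once archived
    record = {
        "file": rel,
        "host": host,
        "sha256": sha256_file(dest),
        "bytes": os.path.getsize(dest),
        "archived": today.isoformat(),
        "expires": (today + timedelta(days=retain_days)).isoformat(),
    }
    _append(archive_dir, record)
    return record


def live_records(archive_dir):
    """Replay the manifest; a later {"purged": ...} line retires an earlier entry."""
    live = {}
    path = os.path.join(archive_dir, MANIFEST)
    if not os.path.exists(path):
        return live
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            rec = json.loads(line)
            if "purged" in rec:
                live.pop(rec["file"], None)
            else:
                live[rec["file"]] = rec
    return live


def verify(archive_dir):
    """The investigator's question: return [] if every live file still matches its hash."""
    problems = []
    for rel, rec in live_records(archive_dir).items():
        path = os.path.join(archive_dir, rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_file(path) != rec["sha256"]:
            problems.append((rel, "hash mismatch"))
    return problems


def purge_expired(archive_dir, today=None):
    """Delete files past their retention date and record the deletion in the manifest."""
    today = today or date.today()
    purged = []
    for rel, rec in live_records(archive_dir).items():
        if rec["expires"] <= today.isoformat():    # ISO dates compare correctly as strings
            path = os.path.join(archive_dir, rel)
            if os.path.exists(path):
                os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
                os.remove(path)
            _append(archive_dir, {"file": rel, "purged": today.isoformat()})
            purged.append(rel)
    return purged


if __name__ == "__main__":
    import tempfile
    work = tempfile.mkdtemp()
    rotated = os.path.join(work, "access_log.1")
    with open(rotated, "w", encoding="utf-8") as fh:   # constructed sample content
        fh.write('10.0.0.5 - - [10/Jun/2011:09:15:02 +0100] "GET / HTTP/1.1" 200 2326\n')
    archive = os.path.join(work, "archive")
    os.makedirs(archive)
    print(archive_log(rotated, archive, "web01", retain_days=365))
    print("problems:", verify(archive))
```

A logrotate `postrotate` hook, or the site’s own rotation script, would call `archive_log` on each file it has just rotated. The manifest is deliberately append-only and should itself be copied off the host (or onto the non-erasable storage mentioned later) after each run, because an attacker with root on the log server can rewrite both the log and a manifest that sits beside it; the hashes only prove integrity relative to a copy of the manifest the attacker could not reach.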

So I thought I’d test our archive software (uCOOL) to see how it might help address these problems. What I will try to do is explain my thought process in trying to solve the issues and put the results of my work into the public domain – I’m interested in hearing whether my approach is of interest to anyone and in finding out what alternatives people are using.

First step, get some log files to play with! As I’m publishing this work I can’t use any client files or any “live” data. One of our consultants has kindly provided some example files from his test Unix server – there is enough data there to prove the point and create examples. I’m going to focus on Unix to start with, but if there is interest then I’ll extend this to Windows logs too.

He’s sent me 5 different log files – access_log; error_log; messages; sulog and syslog. My first impression? What a mess these log files are! Each line has a structure, but there’s no consistent field placing or field delimiters. We’ll come back to that. The first task is to simply move the logs into a secure storage.

The uCOOL archive allows documents to be stored and key fields indexed, allowing users to quickly find the information they are searching for. Once located, information can be exported for further analysis. At its simplest, uCOOL simply acts as a secure repository – files can be located based upon their name and the date they were recorded. To enable the recording of the access_log I simply copied the archive definition files for similar Unix files, updated a few basic details such as file name references and ran the recording function from the command line, specifying a 12 month retention period – 5 minutes work! Simple. The log rotation script created at any site could easily be adapted to move the logs to the uCOOL input directory and run the record command.

I don’t want to bore everyone with the geeky details of setting up the uCOOL recording here, but I will be posting a simple slideshow demonstrating how easy it was. I’ll post that later.

Now that the file is in uCOOL it can be forgotten about. At the end of the 12 months the archive will delete it (unless it’s on legal hold, but that’s a different subject). And uCOOL can be configured to use any storage device – as long as the server’s O/S can “see” the storage then uCOOL can read/write to it. And it allows for the definition of multiple storage locations, so low cost disk can be used or compliant, non-erasable storage if necessary.

The business users (security team in this case) can have their own login to the archive and access the data without IT involvement, a major win for everyone involved! uCOOL offers a number of features designed for end users, such as “sticky notes” that can be added to archived files to record audit or security investigation thoughts – these are shared amongst all users accessing the document.

As I mentioned previously, I only have a little test data – the access_log has been split into 4 year files for 2006, 2009, 2010 and 2011. These have all been recorded into uCOOL. As well as the slideshow mentioned earlier, I’m creating a brief video that will be posted on YouTube showing you how to access this (bear with me, I’m learning as I go on this!). The demo is a live system, available on-line here for you to try out yourselves. The login and password is “LogDemo” – I would appreciate your feedback, so please leave a comment!

So I’ve now dealt with the file management issue, the next question is “How do I extract information from the log?”
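As a first pass at that question, here is an added Python example (not from the original post, and not uCOOL) that parses the three line shapes mentioned above, Apache access_log, BSD-style syslog/messages, and an su log, into one common record so the events can be put on a single timeline and filtered. The sample lines are constructed for the example; the su log layout assumed is the Solaris/AIX “SU mm/dd HH:MM +|- tty from-to” form, and since neither syslog nor sulog lines carry a year, the caller must supply it (the date the file was rotated is the obvious source).

```python
"""Normalise heterogeneous Unix log lines into one record shape.

Added example, not the original post's code. Sample lines are constructed.
"""
import re
from datetime import datetime

# Constructed sample lines, one per format plus one stray line that matches nothing.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Jun/2011:09:15:02 +0100] "GET /admin/ HTTP/1.1" 403 512',
    'Jun 10 09:16:44 web01 sshd[2231]: Failed password for root from 10.0.0.9 port 52314 ssh2',
    'SU 06/10 09:17 + pts/2 jsmith-root',
    'this line matches nothing',
]

# Apache common log format: client ident user [timestamp] "request" status size
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')
# BSD syslog (messages / syslog): "Mon dd HH:MM:SS host prog[pid]: text"  (no year)
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
# su log, Solaris/AIX style (assumed): "SU mm/dd HH:MM +|- tty from-to"  (no year)
SULOG_RE = re.compile(
    r'^SU (?P<ts>\d\d/\d\d \d\d:\d\d) (?P<ok>[+-]) (?P<tty>\S+) (?P<from>[^-]+)-(?P<to>\S+)$')


def parse_line(line, year):
    """Map one raw line onto a common record, or return None if no format matches."""
    m = ACCESS_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"source": "access_log", "ts": ts.replace(tzinfo=None),
                "utc_offset": m["ts"][-5:], "host": None, "actor": m["ip"],
                "event": m["req"], "success": int(m["status"]) < 400, "raw": line}
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return {"source": "syslog", "ts": ts, "utc_offset": None, "host": m["host"],
                "actor": m["prog"], "pid": int(m["pid"]) if m["pid"] else None,
                "event": m["msg"], "success": None, "raw": line}
    m = SULOG_RE.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %m/%d %H:%M")
        return {"source": "sulog", "ts": ts, "utc_offset": None, "host": None,
                "actor": m["from"].strip(), "target": m["to"], "tty": m["tty"],
                "event": f"su to {m['to']}", "success": m["ok"] == "+", "raw": line}
    return None


def parse_lines(lines, year=2011):
    """Parse every line; keep the unparsed ones rather than silently dropping evidence."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line.rstrip("\n"), year)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    records.sort(key=lambda r: r["ts"])   # one timeline across all sources
    return records, rejected


def failures(records):
    """Events a format can positively flag as failed (HTTP status >= 400, su denied)."""
    return [r for r in records if r["success"] is False]


if __name__ == "__main__":
    recs, bad = parse_lines(SAMPLE_LINES)
    for r in recs:
        print(r["ts"], r["source"], r["actor"], r["event"])
    print("unparsed:", bad)
```

Two choices in the code matter for an investigation: the timestamps are kept as local wall-clock time with the UTC offset recorded separately where the format supplies it (only the access_log does), so mixed sources sort together but the offset is not lost; and lines that match no pattern are returned, not discarded, because the line an analyst most wants to see is often the one the parser did not expect.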


Yet another blog?

OK. Hands up.  I admit it. I’m just another corporate blogger trying to convince you to buy my software. There – out in the open and upfront. That’s how we are in this company – honest and open.  Honest!

So what I’m aiming to do in this blog is to look at various archiving requirements that I come across at our clients, to share some real world experiences.  Hopefully I can explain what is driving these needs, such as changes in regulations or legislation, or security threats, or eDiscovery.  Or whatever.  As long as it’s interesting and relevant – so let me know if there is a topic you want to cover and I’ll try my best.  And whilst I might show how our software can help address these things, I won’t be doing the “hard sell”.  There are other solutions on the market that do the same thing as us, I might even name them in some blogs.  They just don’t do it as well as we do, IMHO.

So first up,  what is uCOOL? At its simplest it is an archive, used by companies large and small to store huge volumes of report data.  You know what I mean – all those old print-outs of financial information from accounts applications, or telephone call records, or contact details from CRM systems.  The list is endless.  They all get printed in column format onto paper, are read for a few days and then stored in a box for several years in case of an audit, or if the Regulator comes knocking on the door.  Instead of printing these reports, uCOOL takes the spool file and stores it for however long you want. Simple!

But then it does a lot more.  Such as indexing the data allowing you to find that needle in the haystack.  And it secures the data against unauthorised access, and keeps a log of who has seen what and when.  And finally deletes it when it’s reached the end of its life.  Did I mention it also stores files, SharePoint, SAP and email too?  And it can be used to distribute content across the internet?  No?  Well it does.  And more besides.

If you’re interested and want to find out more then have a look here at our product site.

Next time – Log file management.  Can’t wait eh?
