Speaking at the Canadian IT Security Conference on Tuesday, WestJet’s senior manager of IT security Bruce Elliott said that the company finalized an agreement the evening before to purchase software from Intellitactics. The suite, a portion of which will go live this summer, will pool data from various security and enterprise application logs to give the company a better idea of where it stands.
Calgary-based WestJet has spent the last five years building its infrastructure, said Elliott. The company has slowed its pace somewhat recently, but is still growing at the rate of one new aircraft and 55 employees a month. The company currently employs about 5,000 people in 33 cities across North America. Its business and IT operations are centralized in Calgary, where it runs approximately 700 servers in three separate locations. The company also contends with IT that falls under the aegis of various airport and aviation authorities. In security alone, WestJet has refreshed its anti-virus, anti-spam intrusion detection software, as well as multi-layer firewalls.
“There’s way too much complexity taking information from various sources and correlating it into something that makes sense,” said Elliott.
WestJet’s security applications generate 27MB of text files per day, he said. “Ninety per cent of that has no value. It’s that 10 per cent you want to weed out and keep. It’s impossible to analyze all that information manually” hence the decision to lean on a software solution from Intellitactics.
The balance of WestJet’s IT, including e-mail, Windows, Unix servers, and network traffic, generates another 30 to 50 MB of logs.
Elliott said the company had to meet a list of requirements before it could settle on a vendor. The solution had to work with existing systems (WestJet is almost exclusively a Microsoft shop); had to correspond to major log file formats; and to deliver information in real-time. “There’s no point in being alert to something that happened in your system yesterday or even a few hours ago,” he said.
WestJet has expended some effort on organizing policy around security not only to meet legislation like Sarbanes-Oxley, but to make sure the right employees are accessing the right log data. The company has implemented security awareness training for all of its new hires and is looking to add an online learning component that will be mandatory for all staff.
Employees will be able to schedule their own learning sessions, but if they don’t compete them within a set timeframe, they could lose network access, said Elliott.
Until a few years ago, the company experienced some issues with employees using IT resources for reasons other than work. WestJet cleaned a slew of MP3 files off its network and even whole movies. Employees are explicitly told that their hard drives and e-mail accounts are WestJet property and may be viewed by the company at any time.
Training and employee orientation continues to be an issue for any enterprise, said David Stolovich, assistant vice-president of IT and security governance for Sun Life Financial. Using network resources to download music and movie files is a phenomenon that tends to occur amongst younger users, said Stolovich, who also spoke Tuesday at the IT Security Conference.
“Some of our younger employees seem to have a different set of values or, more troublingly, no set of values at all,” he said. “Culturally, they have no problem with file-downloading and sharing and don’t understand how it could impact their employer if they use company resources.”
Too many companies overlook the human element in favour of technology, said Stolovich, and most security meltdowns can be traced back to a person. “As long as we have humans involved in the process, there will always be a flaw in the process,” he said.
The Canadian IT Security Conference concludes on Thursday.
Comment: [email protected]