The importance of change management
Enterprise Security Series White Paper
Publication Date: Aug 30, 2007
8815 Centre Park Drive, Columbia MD 21045, 877.333.1433
Abstract

The purpose of this document is to help users understand the concept of System Change Management and to introduce WhatChanged for centralized change management. WhatChanged is the Change Management component of EventTracker.

The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism Microsystems, Inc. must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, Inc., and Prism Microsystems, Inc. cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems, Inc. MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this Guide may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems, Inc. may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, Inc., the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2008 Prism Microsystems, Inc. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Prism Microsystems, Inc. 2
Overview

Ever wonder why the PC that was working perfectly before is suddenly misbehaving? Ever wonder what changed when you did nothing and suddenly things no longer work correctly? Ever felt the desire to simply go back to a previously working configuration?

The file system and registry of a networked PC today change constantly and, in most cases, invisibly. The change may be voluntary or involuntary, harmless or harmful, but the change is always a mystery. Often these changes lead to incompatibilities and applications simply cease to operate, or, in the worst cases, you get system downtime. Either way, a great deal of time is spent puzzling out exactly what happened or, really, what changed.

An average system administrator spends around 80 to 90 percent of his system/application troubleshooting time on problems that are caused by change. Only around 10 to 20 % of that time goes to severe problems like an OS crash or other hardware-related problems. If a tool can provide change data in a user-friendly manner, an average system administrator can save a large chunk of his day on minor troubleshooting and channel his energy to more constructive tasks.

For servers, nothing other than data files, log files and error files should change outside of managed maintenance windows without careful review and documentation. A minor change that causes a user inconvenience on a workstation can cause an entire department to suffer lost productivity. What is required is a tool that can monitor what has changed on the system, as well as alert on changes that are prohibited by policy.

EventTracker and its WhatChanged for Windows component from Prism Microsystems, Inc. is a must-have tool for every critical server and desktop. WhatChanged helps you understand the changes that have occurred on a computer's file system and registry and provides you with a lifeline to restore it to a working configuration.
Using Change Management

- Be in control of all critical systems/applications.
- Analyze the change data to quickly identify and back out faulty changes.
- Identify and cure your systems of new viruses before your Anti-Virus provider comes up with a cure.
- Have insurance when installing new software or making major configuration changes.
- Enhance security by having detailed information about all changes and accesses.
- Reduce dependence on human input to diagnose and resolve system/application problems.
What is Change Management?

The file system and registry of every Windows system is ever changing. This change may be voluntary or involuntary and happens quickly and often without the user's knowledge. Under the current Windows OS architecture there is no easy way for the user to understand change, identify change and recover from change.

Change Management is a concept by which all system changes are intelligently tracked and reported on demand for the user to analyze, understand and, if needed, recover from change. The advantage of change management is that it provides the user insurance against change that could be harmful. During the course of a day there are thousands of changes happening on your Windows systems. By using an effective change management solution you can view changes with only the critical ones highlighted, while the non-critical folders and registry hives are filtered out.

In short, change management is a process by which the user can monitor, analyze, understand and recover from change.
The WhatChanged Component

WhatChanged works by taking periodic snapshots of systems (file system and registry) and comparing the latest snapshot with any of the previous snapshots. Snapshots can be scheduled to be taken automatically or taken on demand. The timing and frequency of automatic snapshots is configurable. A centralized console provides a single window for monitoring changes on all systems in an enterprise. WhatChanged is a must-have tool for any organization that needs to proactively manage change on their Windows 2000/XP/2003 machines.

With WhatChanged you have the following key benefits:

- Provides system change data in an intelligent manner, highlighting changes and filtering out non-critical folders, files and registry hives.
- Has a centralized console to monitor changes on all systems in the enterprise; it also provides a Client Manager that assists in Agent deployment.
- Provides a powerful option to analyze, detect and prevent the spread of new viruses.
- Reduces fault diagnostic time.
- Reduces Total Cost of Ownership (TCO).
- Improves control of critical systems/applications.
- Enhances security.
- Provides insurance against change.
- Provides a 24x7 tutor that can help you understand your systems.
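To make the snapshot-and-compare idea above concrete, here is an added example written for this page (not Prism's WhatChanged code): it snapshots a directory tree by content hash, filters out constructed "non-critical" directories and file extensions, and reports what was added, deleted or modified between two snapshots. The registry side is not covered, and the exclusion lists and the demo tree are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for the "non-critical folders and files" a change
# management tool filters out; a real deployment tunes these per environment.
EXCLUDED_DIRS = {"Temp", "Logs"}
EXCLUDED_EXTS = {".log", ".tmp"}

def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def take_snapshot(root, excluded_dirs=EXCLUDED_DIRS, excluded_exts=EXCLUDED_EXTS):
    """Map each non-excluded file under root (POSIX-style relative path) to
    (size, sha256). Hashing, not just size or mtime, is what makes a
    same-size in-place edit show up as a modification."""
    root, snap = Path(root), {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if excluded_dirs & set(rel.parts[:-1]) or path.suffix.lower() in excluded_exts:
            continue
        snap[rel.as_posix()] = (path.stat().st_size, file_digest(path))
    return snap

def diff_snapshots(old, new):
    """Report what changed between two snapshots as sorted lists of paths."""
    common = old.keys() & new.keys()
    return {"added": sorted(new.keys() - old.keys()),
            "deleted": sorted(old.keys() - new.keys()),
            "modified": sorted(p for p in common if old[p] != new[p])}

def demo():
    """Constructed scenario: baseline snapshot, then a simulated install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("App", "Temp"):
            (root / d).mkdir()
        (root / "App" / "app.exe").write_bytes(b"v1 binary")
        (root / "App" / "config.ini").write_bytes(b"debug=0")
        (root / "Temp" / "scratch.tmp").write_bytes(b"noise")
        before = take_snapshot(root)
        # Same-size edit, a new file, a deletion, and churn in excluded paths.
        (root / "App" / "config.ini").write_bytes(b"debug=1")
        (root / "App" / "helper.dll").write_bytes(b"new library")
        (root / "App" / "app.exe").unlink()
        (root / "Temp" / "scratch.tmp").write_bytes(b"more noise")
        (root / "App" / "trace.log").write_bytes(b"ignored")
        return diff_snapshots(before, take_snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Only the three changes in App/ are reported; the churn under Temp/ and the new .log file are filtered out exactly as the non-critical locations would be.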
The WhatChanged architecture

The WhatChanged architecture consists of two main modules, namely the central Console and the Agent. The Console in turn has four components: the Console Service, the Console GUI, the Client Manager and a backend database that stores enterprise change data. A typical deployment of WhatChanged includes one Console and multiple Agents, one installed on each client machine. The WhatChanged architecture is shown in the diagram below.

Figure 1. WhatChanged Architecture
How WhatChanged benefits an organization

WhatChanged provides an organization with a strong handle on managing the Windows systems in their enterprise. The key benefits include:

1. Increases system availability by reducing downtime. System downtime causes significant losses in customer retention, brand reliability and, most importantly, revenue.
2. Reduces support response time. The support staff will be empowered with change information about the system. The WhatChanged change view restricts the data shown to only changed folders/files/registry entries, reducing failure isolation time and problem resolution time.
3. Reduces Total Cost of Ownership (TCO). TCO will be reduced drastically when system downtime is reduced. Reducing system downtime means higher availability of help desk staff for other tasks and better utilization of the technical staff that use these systems, besides enabling higher system availability.
4. Enhances security. WhatChanged can provide you with detailed change reports that can help identify breaches in security.
5. User-friendly reporting. Provides flexible and user-friendly reports highlighting critical changes.
6. Provides insurance. With WhatChanged installed you can be confident when installing new software or making major configuration changes, as you have information available that can help in reverting to a good configuration in case of any problem.
7. Enterprise-class solution. When combined with EventTracker, WhatChanged provides an enterprise-level system and network management solution.

Solve complex problems

The following section provides examples of typical problems that customers are able to solve using WhatChanged.

Problem: Our Oracle server was running fine till last week. It is up and running now, nothing seems obviously wrong, but users complain of connection breaks in mid transaction. We have not changed anything as far as we know and the problem is intermittent and not readily reproducible. Which vendor do we call?
We tried Oracle, Microsoft, our hardware vendors, software vendors too, but as we don't know exactly what happened or what caused it we can't really get much help. Our IT staff has wasted incredible amounts of time on this.

Solution: In minutes WhatChanged provides a view of exactly what changed between last week (when it was working) and now (when it is not working). You can educate yourself and formulate your own plan to attack the problem with better knowledge of what has occurred.

Problem: My manager is a power user. Out of the blue, a problem has occurred with their PC and they are getting cryptic error messages when sending emails. Need to get to the bottom of this quick. They think the system settings are somehow changed, but which ones?
Solution: WhatChanged to the rescue. View the system settings change history and restore working system settings in seconds.

Problem: Our IT department supports >2000 users. Often users do not provide sufficient or accurate information on the problem. Impatient users are harder to deal with. It takes longer to first diagnose and then correct the problem. User satisfaction and timeliness of resolution are poor. We constantly feel understaffed and resort to expensive consultants to cope.

Solution: As soon as a user calls with a problem, view the change history of the user's machine right from your own computer. You can then ask all the right questions and often resolve the problem while the user is still explaining the impact. Increase user satisfaction and decrease time to respond.

Problem: A user reports that they are unable to access services on the server. A trained IT professional goes through troubleshooting and eventually figures out that some services are simply not starting. He calls vendors but no ready answers are forthcoming. Luckily a backup is available, but the only way to recover is to restore the whole system disk, which requires significant downtime and a night of testing.

Solution: With WhatChanged you can restore the registry to a known working state in a few seconds. Find out which files were changed, added and deleted. There is no reason to recover the whole system blindly. In many cases there is no downtime and you can restore only those files from the backup which were changed or deleted.

Problem: A new virus strain has infected some of your systems.

Solution: WhatChanged, as a companion to antivirus software, can detect changes to the registry or the file system on multiple systems from a central location. Look for patterns of change, then detect and quarantine affected systems quickly. Save critical downtime.

Problem: We sell new computers. We build good machines and provide quality support. Preshipment testing has minimized DOA cases.
However, users still call us with problems. In this competitive market, our profit margin is wiped out if we spend a lot of time supporting the end user. Is it something they did? If we don't respond, user satisfaction is poor, but if we try to support them and it takes a long time, our margin is compromised.

Solution: Include WhatChanged plus a snapshot of the original configuration with the shipment. Figure out what has changed since shipment. Convert a large number of one-hour support calls to five-minute calls. Increase customer satisfaction without compromising on margin.

Problem: Hundreds of users at work end up installing junk, incorrect versions or unlicensed products. We could police them, but it will take a great deal of time on our part and power users will get annoyed.

Solution: With WhatChanged you can monitor software installs remotely and decide to take action if necessary. This keeps power users happy while still retaining control.

Problem: We have fewer than 200 users. We are fully aware that the knowledge and expertise of IT staff is key for system availability and TCO, but each IT resource has very broad responsibilities, and training for all IT employees is expensive and we can't afford it.

Solution: WhatChanged enables you to see what changes are made to the system by modifications or a new install and provides excellent insight into the underlying system. This can help you transform your good IT staff into the best.

Problem: You installed a software package only to find that another key application stopped working. You uninstalled that newly installed software but your key application is still not working.

Solution: As you install the new package, WhatChanged automatically reminds you to take a snapshot. If the new install doesn't work out, and the uninstallation does not fully recover the system, it enables you to recover cleanly with little effort.
Problem: You are always hesitant to change key parameters. Consequently, you are reluctant to try out changes your instinct tells you will solve a user's problem, as you are worried you will not be able to recover from the change and the problem will get worse. This slows you down.

Solution: WhatChanged enables you to take new snapshots before you make any changes. Give your instincts free rein to solve user problems: you have insurance!
Summary

Modern day businesses are heavily dependent on their IT infrastructures to maximize profitability and customer retention. System downtime is a major cause for concern, and an effective Change Management solution is valuable to increase system availability. WhatChanged provides an ideal solution for centralized change management and system restoration on your Windows servers and workstations. It eases the burden on the support staff and ensures that problems are either averted or solved in minimum time.
About Prism Microsystems

Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism's market-leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting.

Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute's Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM.

For additional information, please visit http://www.prismmicrosys.com/.