Proving Control of the Infrastructure



Similar documents
Enforcing IT Change Management Policy

IT Service Management Metrics Metrics that Matter

Complying with the Federal Information Security Management Act. Parallels with Sarbanes-Oxley Compliance

Real-Time Security for Active Directory

Reining in the Effects of Uncontrolled Change

Actionable Security Intelligence: Preparing for the Next Threat with a Proactive Strategy

TRIPWIRE NERC SOLUTION SUITE

Achieving Control: The Four Critical Success Factors of Change Management. Technology Concepts & Business Considerations

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

THE TOP 4 CONTROLS.

WHITE PAPER. Automated IT Asset Management Maximize Organizational Value Using Numara Track-It! p: f:

Security management solutions White paper. IBM Tivoli and Consul: Facilitating security audit and compliance for heterogeneous environments.

Teradata and Protegrity High-Value Protection for High-Value Data

Configuration Audit & Control

File Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions

Automated IT Asset Management Maximize organizational value using BMC Track-It! WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

The Power of Risk, Compliance & Security Management in SAP S/4HANA

SECURITY. Risk & Compliance Services

Improving Network Security Change Management Using RedSeal

Self-Service SOX Auditing With S3 Control

8 Key Requirements of an IT Governance, Risk and Compliance Solution

TRIPWIRE REMOTE OPERATIONS: STOP OPERATING, START ANALYZING

IT INFRASTRUCTURE MANAGEMENT SERVICE ADDING POWER TO YOUR NETWORKS

Cisco Security Optimization Service

Trend Micro. Advanced Security Built for the Cloud

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

How To Create A Help Desk For A System Center System Manager

Information Technology Auditing for Non-IT Specialist

WHITE PAPER. Meeting the True Intent of File Integrity Monitoring

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Top Ten Keys to Gaining Enterprise Configuration Visibility TM WHITEPAPER

Bocada White Paper Series: Improving Backup and Recovery Success with Bocada Enterprise. Benefits of Backup Policy Management

The Value of Vulnerability Management*

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Published April Executive Summary

Lumension Endpoint Management and Security Suite (LEMSS): Patch and Remediation

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

Autodesk PLM 360 Security Whitepaper

Executive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:

Lumeta IPsonar. Active Network Discovery, Mapping and Leak Detection for Large Distributed, Highly Complex & Sensitive Enterprise Networks

Dynamic Data Center Compliance with Tripwire and Microsoft

Information Technology Solutions

Best Practices for Building a Security Operations Center

WHITE PAPER. Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

See all, manage all is the new mantra at the corporate workplace today.

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Oracle Maps Cloud Service Enterprise Hosting and Delivery Policies Effective Date: October 1, 2015 Version 1.0

Why Leaks Matter. Leak Detection and Mitigation as a Critical Element of Network Assurance. A publication of Lumeta Corporation

How to Secure Your SharePoint Deployment

SELECTING THE RIGHT HOST INTRUSION PREVENTION SYSTEM:

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

SOLUTION WHITE PAPER. Align Change and Incident Management with Business Priorities

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

BSM for IT Governance, Risk and Compliance: NERC CIP

Implement a unified approach to service quality management.

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

ORACLE ENTERPRISE MANAGER 10 g CONFIGURATION MANAGEMENT PACK FOR ORACLE DATABASE

Information Technology Security Review April 16, 2012

SANS Top 20 Critical Controls for Effective Cyber Defense

Maximizing Configuration Management IT Security Benefits with Puppet

File Integrity Monitoring:

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

White Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA

CA Configuration Management Database (CMDB)

Leveraging Network and Vulnerability metrics Using RedSeal

How to Eliminate the No: 1 Cause of Network Downtime. Learn about the challenges with configuration management, solutions, and best practices.

Infasme Support. Incident Management Process. [Version 1.0]

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

Select the right configuration management database to establish a platform for effective service management.

Change Management. Why Change Management? CHAPTER

Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense

IT Security & Compliance. On Time. On Budget. On Demand.

FIREWALL CLEANUP WHITE PAPER

How To Manage Log Management

Sarbanes-Oxley Compliance for Cloud Applications

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Managed Security Services for Data

integrating cutting-edge security technologies the case for SIEM & PAM

An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

The problem with privileged users: What you don t know can hurt you

Product Financial Control Solutions Spreadsheet Workbench

Understanding Vulnerability Management Life Cycle Functions

Leveraging a Maturity Model to Achieve Proactive Compliance

How To Standardize Itil V3.3.5

Transcription:

WHITE paper The need for independent detective controls within Change/Configuration Management page 2 page 3 page 4 page 6 page 7 Getting Control The Control Triad: Preventive, Detective and Corrective Defining Automated Configuration Audit and Control An Automated Configuration Audit and Control Solution Proof Positive Gene Kim, CTO, Tripwire, Inc. and Rob Warmack, Senior Director of Product Strategy, Tripwire, Inc. 2007 Tripwire, Inc. Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved.

In virtually every industry, the success of an organization is inextricably linked to the reliability, availability and security of its Information Technology (IT). Consequently, IT management must identify and analyze the relevant risks facing its production environment and then put controls in place to prevent, detect, and correct for them. Not only are these controls required for effective management, they are also good for business and fundamental to meeting regulatory compliance requirements. Unauthorized access due to security breaches is a high-profile risk. Hackers from outside the network, or more likely, employees or contractors with means, motive and opportunity, manage to bypass or defeat security defenses and make malicious changes to software files and system configurations. These unauthorized changes can have dire consequences, such as financial loss, disruptions to IT operations, and negative public perception. Although security often gets the spotlight, the much greater risks to the organization are system reliability and availability issues. Gartner asserts that 80 percent of unplanned downtime is caused by people and process issues, including poor change management practices, while the remainder is caused by technology failures and disasters. 1 IDC cites similar findings that indicate that operator error is the single largest source of outages causing nearly 60 percent of overall infrastructure downtime. 2 Many IT organizations, in the spirit of being nimble and responsive to their customers, are actually putting themselves at risk in the everyday process of making changes to their own systems. If industry analysts are correct, and practical experience certainly indicates that they are, the greatest point of leverage for increasing the overall reliability, availability and security of information systems, and addressing related compliance requirements, is controlling change across the IT infrastructure. Getting Control IT management has tried many things to control change. They have invested in a variety of change and configuration management (C/CM) products or developed their own sets of tools to manage infrastructure changes. They have improved the efficiency and speed of the C/CM process, such as automating the change approval process workflow, automating the deployment of software and configuration changes, as well as automating the discovery of information assets and mapping these assets to the services they provide. Despite all this technology and automation, reliability, availability and security issues still exist and proving compliance remains difficult. Consider the case of patch management technologies that inadvertently result in servers that will never boot again, all deployed at speeds never possible without automation. The mistaken assumption is that by automating and systemizing the way change is authorized and implemented, human error is also reduced. All too often, these tools don t actually improve service quality and can even exacerbate the situation by enabling more undesired changes to be made more frequently. Why is it essential that changes to IT infrastructure be controlled? First, IT risks create real business risks because the most critical business processes are often run entirely on IT. Second, effective management of IT hinges on the effective management of IT infrastructure you cannot manage the IT service or IT value without first effectively managing the IT infrastructure. IT infrastructure spans all the servers, network devices, and databases that IT application services are built upon, as well as the controls that protect them, such as firewalls and intrusion detections systems. 1 Donna Scott, VP and Research Director, Best Practices for Operational Change Management, Gartner, Inc. 2003 2 Stephen Elliot, IDC, Senior Analyst Network and Service Management, 2004 Page 2

Integrity of the IT infrastructure is foundational. Like a building built on unstable ground, when the integrity of the IT infrastructure lacks stability, reliability or security, the integrity of the entire system dependent upon that infrastructure, and perhaps even the entire organization, is not stable, reliable or secure. But why has change management failed for some organizations and flourished in others? Two industry organizations, the Software Engineering Institute and the IT Process Institute, have been studying IT organizations that have demonstrated superior levels of availability with the greatest efficiencies, the lowest amount of unplanned work, and the best security process integration. Their change volumes are among the highest and yet, they enjoy the highest change success rates. What makes these high performing IT organizations successful is that they have a culture of change management with effective controls in place that enforce the change management process. They also have a culture of causality that ensures that change is ruled out first in the repair cycle. 3 Like any operation striving for high quality, high-performers detect production variances early, before they cause downtime or a security event, and evaluate their performance based on defined metrics. They, too, have made varying degrees of investment in automated C/CM tools, but the difference is that the high performers have also implemented effective processes and controls that continually assess the effectiveness and efficiency of their change management processes. Without such controls, IT organizations lack an effective, proactive way to quickly discover when the wrong change was made, or when the right change was made but at the wrong time. The Control Triad: Preventive, Detective and Corrective Driven by Sarbanes-Oxley legislation and a growing list of other regulations, IT management is quickly coming to appreciate both the importance of internal process control to the organization at the highest levels, as well as the significant effort required to continually prove that internal process controls are both in place and effective. Likewise, the audit industry is working to provide IT management open control frameworks, such as Control Objectives for Information and related Technology (COBIT) and ISO17799, to help identify, document, and evaluate IT controls. In the language of audit, high performing IT organizations must have internal process controls to mitigate the inherent risks of change. Internal process controls are policies, procedures, and practices put in place to ensure that business objectives are achieved and risk mitigation strategies are carried out. 4 According to the Institute of Internal Auditors, there are three categories of internal process controls, all of which are relevant to change management: Preventive Controls Controls that define the roles and responsibilities, processes, and policies intended to manage change management risks; Detective Controls Controls that automatically track and reconcile production changes, and detect when preventive controls fail, and; Corrective Controls Controls that provide recovery mechanisms to mitigate the impact of failed changes. 3 Best in Class Security and Operations Round Table Report, Software Engineering Institute/Carnegie Mellon University, 2004. 4 IT Control Objectives for Sarbanes-Oxley, IT Governance Institute, 2004 Page 3

These three controls are independent of one another and must provide verifiable evidence proving not only that each control exists, but that the controls are effective against identified risks. 5 Though IT organizations vary in sophistication, most are likely to have some preventive controls in place to define change management and security policies. For instance, they may have policies that require changes to be formally requested, approved and tested before deployment. From a security perspective, effective perimeter defenses and identity management tools and technologies are expected to be in place to maintain a defensible barrier around the network. However, merely having preventive controls is not enough: Organizations with just preventive controls still have unscheduled and protracted downtime, low change success rates and high levels of unplanned work. This shows that preventive controls alone are not adequate for reducing change and security-related business risks. Without the balance and enforcement of a detective control, preventive processes are easily circumvented or simply ignored. Unintended and unauthorized changes made to production infrastructure go unchecked and often result in unplanned downtime. Likewise, it is possible for malicious changes to either penetrate the security perimeter or originate from within the organization unnoticed to only be discovered after IT service is impacted. And if a failure in a preventive control goes undetected, corrective actions aren t likely to be triggered until the failure becomes visible throughout the organization. A detective control serves as a tripwire that discovers the failure or circumvention of preventive controls and alerts IT or triggers associated processes to take corrective action. To be effective against the increasing volume of changes, a detective control must cover the breadth of the infrastructure and independently discover change made by any source. By reconciling desired changes and exposing those that are undesired, an effective detective control automatically (audits change and provides IT managers and auditors comprehensive, meaningful reports of change activity). Defining Automated Configuration Audit and Control Configuration audit and control isn t a new concept. Manual inspections and custom scripts are commonly used to verify that changes are made correctly. However, several trends create very real challenges for IT: the growing volume of changes driven by the business, the increased rate of change driven by automated change deployment technologies (e.g., patch management and software distribution), and the inability to manually reconcile these changes to authorized work orders. Consequently, the majority of changes and the integrity of the change management process is simply assumed to be properly managed. To auditors and a growing number of IT executives, management by good intentions is unacceptable. On-the-fly modifications, work-arounds, and untested quick fixes eventually take their toll as system configurations drift slowly away from a known and trusted state and processes break down from a lack of enforcement. The price is paid later when unexplained outages result after patches fail or servers can t be quickly rebuilt, and unplanned work is required to resolve the issues. More and more time is spent on rework and unplanned work, detracting from completion of planned work. 5 Change and Patch Management: Critical for Organizational Success, Institute of Internal Auditors, 2005 Page 4

The solution is automated configuration audit and control to simultaneously address reliability, availability, and security, which has three critical functions within the C/CM process: independent detection of change regardless of source or intent reconciliation of detected change with intended and authorized change independent reporting of all change activity across production systems Independent change detection: The fundamental role of configuration audit and control is to serve as an independent detective control with the ability to automatically detect system changes across an entire infrastructure comprised of a disparate, far-flung mix of servers, routers, firewalls, databases, etc. As an independent detective control properly segregated from the persons or technologies making the changes, the configuration audit and control system detects changes regardless of who made the change or why the change was made. This means capturing automated and manual changes, authorized and intended changes, as well as the occasional unauthorized, unintended, or potentially malicious change, in sufficient detail to determine the date, time, implementer, system, and the details of the change made. 6 Detecting change at this level requires first maintaining a baseline for each system to define a known and trusted state of software files and configurations, and then continually checking all systems to discover when deviations from baselines occur. By logging and accepting only those changes that are authorized and intended, IT management has continual proof that the integrity of the infrastructure is intact. Change reconciliation: The majority of infrastructure changes are authorized and intended and must be independently validated to prove that desired changes occur as planned. But more importantly, desired changes must be resolved and filtered out to uncover any undesired changes. If a change can t be correlated back to change approval or release management processes, preventive controls have been compromised and corrective controls must be triggered. Integration with other C/CM tools enables the configuration audit and control system to automatically correlate detected changes with approved intentions and trigger recovery whenever necessary. Change ticketing systems define which changes are approved, may describe the intended changes, as well as indicate when the changes should be made and by whom. Within release management, software distribution or configuration management tools can also define what changes were expected to be deployed. When undesired change is detected, the configuration audit and control system must alert appropriate systems and network monitoring tools, plus open incident tickets within the service desk so the undesired change can be further explored. For practicality and usability within an enterprise, it is essential that the system be highly scalable, centralized and offers sufficient interfaces to facilitate these various integrations. Independent reporting: A configuration audit and control solution provides IT management and auditors proof of systems and process integrity by generating an independent accounting of actual changes across the breadth of the infrastructure, reconciled with authorized and intended changes. These reports offer ongoing proof that effective change controls are in place, as well as provide decision support tools for problem management. 6 Change and Patch Management: Critical for Organizational Success, Institute of Internal Auditors, 2005. Page 5

Complementing what a change ticketing or configuration management tool can provide, a configuration audit and control solution provides an independent, verifiable audit log of all actual change activity, not just planned changes. Performance indicators generated by the system can serve as IT operational metrics, as well as security and assurance metrics, reporting: the number of actual changes made to the IT infrastructure; the number of those changes that were authorized; the variance between planned and actual changes, and; where the most frequent changes are being made and who is making them. 7 Change activity reports are also essential as decision support tools when restoring service interruptions and outages, and resolving service incidents and problems. Configuration audit and control data can be used to determine if change was a causal factor to an incident or problem. If changes are discovered, the detailed change information can be used to establish when the system was last in a known and trusted state, then identify exactly what changed from that baseline, when it changed, and even who made the change. An Automated Configuration Audit and Control Solution Other C/CM products offer pieces of configuration audit and control, but lack the comprehensive capabilities previously described that are essential to an effective independent detective control. Change ticketing systems are aware of authorized changes, but can t automatically determine if its approved changes are ever actually made. Software distribution and patch management tools understand the intended changes they are instructed to deploy, but ignore those changes that occur outside of their defined scope of responsibility and cannot deal effectively with manual or scripted changes. Server and network configuration management tools are limited to the domains they manage (e.g., just servers or network devices) and aren t able to automatically reconcile with other C/CM systems the changes that they may detect, nor report on the effectiveness of the overall change management process for the infrastructure. Tripwire provides configuration audit and control solutions that specifically address the enterprise s need for independent detective controls. Its solutions provide a single point of control for detecting, reconciling, and reporting change activity across servers, workstations, network devices, and a growing number of other infrastructure components. Its library of graphical reports and executive dashboards document detailed change activity and provide essential change performance indicators. This information enables IT management to better manage change and the overall integrity of the infrastructure, and therefore IT as a whole. 7 Change and Patch Management: Critical for Organizational Success, Institute of Internal Auditors, 2005. Page 6

Proof Positive Configuration audit and control assures compliance by demonstrating that internal control structures for change management and security are in place and effective. When combined with a change approval process that allows only approved and tested changes to be implemented, it increases the availability of information systems both through enforcement of better change management processes and by offering decision support tools to quickly remediate outages and incidents when they inevitably occur. Finally, configuration audit and control enhances security and instills greater confidence in IT systems by demonstrating that only authorized and intended changes have been made to the production environment. These capabilities demonstrate that an independent solution is essential for proving control as well as systems and process integrity across the IT infrastructure. To Learn More For additional information on configuration audit and control solutions as they relate to IT auditing, regulatory compliance, the IIA and GTAG, best practices such as ITIL/Visible Ops and CobiT, the ITPI and the ITGI, please visit www.tripwire.com/solutions. www.tripwire.com US TOLL FREE: 1.800.TRIPWIRE MAIN: 503.276.7500 FAX: 503.223.0182 326 SW Broadway, 3rd Floor Portland, OR 97205 USA Page 3 Page 7 WPPDS01 WPPC6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information