Configuration Management - Intelligent Change Control
Within any IT estate, the only constant is change.
Change Control has always been a key security best practice. With every change made to IT systems comes a risk of weakening security defenses, not to mention operational problems caused by misconfigurations. Changes also create ‘noise’ that makes it harder to detect a breach when a cyber attack succeeds.
For compliance, any security auditor will advocate a zero tolerance approach to unplanned changes in order to maintain a secure hardened build standard and to improve the chances of identifying a breach or malware infection.
With Change Control notoriously difficult to operate - especially at the forensic level of detail needed for security governance - a new approach has long been needed, one that gives the level of analysis necessary for breach detection but without requiring manpower-intensive manual review of every change detected.
NNT have introduced the concept of Closed-Loop Intelligent Change Control to deliver real-time, forensic analysis of changes to spot breach activity, but with automated intelligence to identify known and expected planned changes such as patches.
How does Closed-Loop Intelligent Change Control deal with patches in a secure environment? Malware and breach activity are easily hidden by regular application operations and patching 'noise'.
Traditionally the requirement for change control has been to specify a time window within which changes are known to be made. By limiting changes to a specific period of time, any changes then detected outside of the Planned Change period are assumed to be breach activity and treated as Security Incidents. Of course, in reality, 99% of the time these changes turn out to be one of the following:
- emergency changes made without recourse to the planned change procedure
- delayed patch deployment, due to waiting for a server re-boot
- and any other change activity that happened to bypass the Planned Change procedure, because support staff are human and Change Control sometimes gets in the way
With Closed-Loop Intelligent Change Control, changes can be promoted to the baseline so that other occurrences of the same change – even past changes – are pre-approved and not flagged as security incidents. This means that changes can be automatically reviewed and approved across an estate, even for thousands of changes and devices. Pre-approved patches can be deployed over a prolonged period of time and still be recognized automatically as ‘known good’ changes.
All this means that change control is much easier to administer, and also much more precise, which makes it a far more effective breach detection process.
There is a natural cycle: assess systems for vulnerabilities and compliance; take mitigation and remediation action to minimize the attack surface; exercise change control so that only pre-approved changes are made, each after a security impact analysis; then re-scan systems to assess compliance again.
Traditional vulnerability scanners tend to be used sparingly to avoid exerting too much load on the network and host systems, so there can often be a ‘security status unknown’ period between changes being implemented and the next scheduled scan, potentially leaving systems vulnerable to attack. Then there are the changes that you don’t even know have been made: emergency changes needed urgently, changes that bypass change control for expediency, and of course cyberattack activity, whether from an insider or an external hacker.
These changes all need to be made visible and reviewed as soon as possible – malware could be stealing data or damaging systems without anyone being aware – but a vulnerability scan won’t help, since traditional scanners are completely blind to breach activity, zero-day malware and APT infections.
The only solution is to operate a system-wide file integrity monitoring function. Not only will this detect and report all changes made, it will do so in real time, seconds after a change has been made. Changes detected can then be assessed automatically to assist with compliance, vulnerability management and change control. Was the change a known pre-approved Planned Change? How does it impact compliance and the system’s attack surface? If the change is not recognized as a planned change, escalate it for review: should it be remediated?
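As an added illustration of the file integrity monitoring step described above (example code written for this page, not NNT's own product code), the following Python snapshots a directory tree by hashing every file, then diffs a later snapshot against that baseline to produce the per-file change events that a change control process would review. The directory layout, file contents and the three simulated changes are constructed for the demo.

```python
"""Minimal file integrity snapshot/diff (added example, not NNT code)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Compare two snapshots and return change events as
    (kind, path, old_hash, new_hash) tuples, sorted by path."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            events.append(("added", path, None, new))
        elif new is None:
            events.append(("deleted", path, old, None))
        elif old != new:
            events.append(("modified", path, old, new))
    return events


def demo():
    """Constructed sample estate in a temp dir: take a baseline, make three
    changes (config edit, new file, deletion) and return the detected events."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        base = snapshot(root)

        # Simulated changes after the baseline was taken (constructed).
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "etc" / "cron.allow").write_text("root\n")
        (root / "etc" / "hosts").unlink()

        return diff_snapshots(base, snapshot(root))


if __name__ == "__main__":
    for kind, path, old, new in demo():
        print(f"{kind:9} {path}  {old or '-'} -> {new or '-'}")
```

A real monitor would take the snapshot on a schedule or on filesystem notifications rather than once, and would feed each event into the planned-change reconciliation step rather than printing it.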
'Change control may maintain a secure, hardened build standard, but it's just too laborious, too time-consuming and gets in the way of operating our business.' Not any more...
Nearly all organizations, regardless of size, struggle to some extent with configuration management and change control. The need to review changes in advance of making them, and to formulate impact analysis, testing procedures and contingency plans, all serves to slow things down. No wonder so many IT professionals acknowledge the potential benefits of Change Control while outlining reasons why it just doesn’t work for them.
Formal IT operational frameworks such as COBIT and ITIL strongly advocate the need for change control, but it can easily become an overwhelmingly bureaucratic straitjacket that impairs the organization’s ability to use IT as an agile, on-demand support service.
At least it used to be like that, but not any more.
Closed-Loop Intelligent Change Control ensures that change control is made to work for you. By wrapping around your existing processes and using intelligent and highly automated technology, change control benefits can be delivered without the red-tape and stifling resource requirements.
Closed-Loop means that changes are made visible and reconciled automatically with your RFC (Request For Change), Incident management and Service desk systems. This closed-loop approach works either for pre-planned RFCs recorded in advance of changes being made, or retrospectively after changes have been implemented. The system simply fits your way of working.
Intelligent Change Control means that changes are detected as they are made and reviewed automatically. If the change matches any pre-defined Planned Change patterns then it can be reconciled automatically with the relevant RFC details, even for estates with thousands of devices and even more changes happening.
If an unplanned change is recorded, this is then highlighted for review – because all the known, expected and pre-approved changes are taken care of automatically, more time is freed up to investigate changes that may be security incidents.
And, when a change has been investigated and identified as OK – maybe it was an emergency change that hadn’t been assigned to an RFC – it can now be reconciled with an approved Planned Change record and also promoted to the Approved Baseline. This way, other occurrences of the same change will now be classified as ‘known good’, meaning that any similar past changes or future instances can be instantly assigned Planned Change status.
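The closed-loop workflow described in the preceding paragraphs (the time-window Planned Change check from the earlier section, automatic reconciliation of matching changes with an RFC, and promotion of an investigated change to the approved baseline so that past and future identical changes are reclassified as known good) can be sketched in code. This is an added example written for this page, not NNT Change Tracker's implementation; the RFC identifier, host names, file paths, hash labels and patch window are all constructed.

```python
"""Closed-loop change classification with baseline promotion (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from fnmatch import fnmatch


@dataclass
class Change:
    host: str
    path: str
    new_hash: str          # hash of the file after the change (label only here)
    seen_at: datetime      # when the integrity monitor detected it


@dataclass
class PlannedChange:
    rfc: str               # RFC / ticket reference (constructed)
    start: datetime        # planned change window
    end: datetime
    hosts: str = "*"       # glob over host names
    path_glob: str = "*"   # glob over file paths


class ChangeControl:
    def __init__(self, planned):
        self.planned = list(planned)
        self.baseline = {}     # (path, hash) -> rfc for approved fingerprints
        self.history = []      # (Change, verdict) for every change seen

    def _match_rfc(self, c):
        """Return the RFC of the first planned change whose window, host and path match."""
        for p in self.planned:
            if p.start <= c.seen_at <= p.end and fnmatch(c.host, p.hosts) and fnmatch(c.path, p.path_glob):
                return p.rfc
        return None

    def classify(self, c):
        """Verdict is ('known-good', rfc) for a baseline hit, ('planned', rfc) for a
        window match, or ('unplanned', None) which is escalated for review."""
        if (c.path, c.new_hash) in self.baseline:
            verdict = ("known-good", self.baseline[(c.path, c.new_hash)])
        else:
            rfc = self._match_rfc(c)
            verdict = ("planned", rfc) if rfc else ("unplanned", None)
        self.history.append((c, verdict))
        return verdict

    def promote(self, c, rfc):
        """An investigated change is reconciled with rfc and its fingerprint added to
        the baseline; identical past unplanned changes are reclassified. Returns
        how many history entries were reclassified."""
        self.baseline[(c.path, c.new_hash)] = rfc
        reclassified = 0
        for i, (past, verdict) in enumerate(self.history):
            if verdict[0] == "unplanned" and (past.path, past.new_hash) == (c.path, c.new_hash):
                self.history[i] = (past, ("known-good", rfc))
                reclassified += 1
        return reclassified

    def incidents(self):
        """Changes still unreconciled, i.e. the ones that need a human look."""
        return [c for c, v in self.history if v[0] == "unplanned"]


def demo():
    """Constructed scenario: a one-hour patch window, two servers patched late
    after a delayed reboot, and one unrelated change on another host."""
    t0 = datetime(2024, 1, 1, 22, 0)
    cc = ChangeControl([PlannedChange("RFC-1001", t0, t0 + timedelta(hours=1),
                                      hosts="web*", path_glob="/usr/lib/openssl/*")])
    patch = "/usr/lib/openssl/libcrypto.so"
    cc.classify(Change("web01", patch, "sha-new", t0 + timedelta(minutes=10)))   # in window
    late = Change("web02", patch, "sha-new", t0 + timedelta(days=2))             # delayed reboot
    cc.classify(late)
    cc.classify(Change("web03", patch, "sha-new", t0 + timedelta(days=3)))       # delayed reboot
    cc.classify(Change("db01", "/etc/sudoers", "sha-x", t0 + timedelta(days=2)))  # unexplained

    reclassified = cc.promote(late, "RFC-1001")          # reviewer confirms web02 is the patch
    later = cc.classify(Change("web04", patch, "sha-new", t0 + timedelta(days=9)))
    return {"reclassified": reclassified, "later": later,
            "incidents": [c.path for c in cc.incidents()]}


if __name__ == "__main__":
    print(demo())
```

The point of `promote` is the closed loop: one reviewer decision on web02 also clears web03 retrospectively and web04 a week later, while the sudoers change on db01 remains the only item left in the incident queue.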
And the number one solution that delivers all the key security and compliance benefits of file integrity monitoring is NNT Change Tracker™
Easiest To Use – Most Fully Featured – Most Affordable
One thing about NNT: you can’t fault the support. This is outstanding stuff!! Thanks Phill.