Michael Sanders
UNAUTHORIZED CHANGES. HOW TO IDENTIFY, MANAGE AND ADDRESS.
2 | Evolven Proprietary & Confidential
Planning and knowing about change is helpful, but sometimes we have the dreaded “Unauthorized Change”.
• Unauthorized changes can greatly impact applications that support business operations.
• Identifying these unknown changes is critical during impactful incidents.
• Proactively knowing about them can help prevent outages and avoid breaks in regulatory compliance.
S**T CHANGE HAPPENS
1. Unauthorized changes cause operational issues!
2. It is critical that you can automatically detect all unauthorized changes!
3. You must be able to immediately validate that all planned changes are implemented accurately!
4. Unauthorized changes leave you vulnerable to auditing risk!
UNKNOWN CHANGES: 4 THINGS TO THINK ABOUT
• You can lock your environment (only designated personnel can access the environment, via an automated deployment tool or manually). This limits agility and flexibility. Even then, the designated personnel cannot verify all the packages pushed into production, so they can easily deploy an unauthorized change.
• You can control privileged access with tools like CyberArk. However, it is practically impossible to know what a user did after getting access unless you review a record of their activities screen by screen, keystroke by keystroke.
• You can standardize your environment so that no changes can be made, at least at the infrastructure or platform levels. However, it means that more changes/customization will be required at the application level to address business requirements using the standardized platform.
The bottom line is that you need automatic change detection and analysis to close the loop on even the most thought-through automated process.
Evolven can provide the insights.
UNAUTHORIZED CHANGES IN MODERN ENVIRONMENTS
CHANGE CENTRIC CAUSAL ANALYSIS
Change is critical for analysis
Changes are the true root cause of incidents.
• Configuration: Causing configuration issues
• Data: Unexpected data inputs and structure, data anomalies, size of data
• Capacity: Insufficient resources causing system failures and slowdown
• Workload: Unexpected transactions distribution, sequence or volume
• Code: Introducing new defects
95% of issues are caused by changes
Unauthorized changes are predominantly at fault for long RCA time. Once identified, resolution is usually quick.
[Figure: risk plotted against time; labels: Change, Alert, Incident, RCA, Cause ID’d, Fix, Incident resolved]
LEVERAGE EARLY DETECTION OF THE TRUE ROOT CAUSE TO SLASH RCA TIME
Evolven tracks, correlates and analyzes changes to slash RCA time
[Figure: risk plotted against time; labels: Change, Change detected, Alert, Incident, Change correlated and risk analyzed, RCA, Fix, Incident resolved]
LEVERAGE EARLY DETECTION OF THE TRUE ROOT CAUSE TO SLASH RCA TIME
Integrated view of alerts/changes
Detailed analytics of the Unauthorized Change
DON’T WAIT FOR INCIDENTS TO HAPPEN, PREVENT THEM
Evolven tracks and analyzes changes as they happen to prevent incidents (instead of waiting for symptoms alert to show)
[Figure: risk plotted against time; labels: Change, Risk detected, Analysis, Fix, Incident Prevented, Alert, Incident, RCA, Incident resolved]
• Automatically detect all the changes anywhere in any environment
• You need to identify changes at the most granular level
• Automatically correlate detected changes with approved change requests or automated deployments
  • Time of change
  • Location of change
  • Scope of change
  • Nature of change
• Cope with change requests and deployment information of any data quality
HOW TO AUTOMATICALLY DETECT UNAUTHORIZED CHANGES
COLLECT ALL CHANGES
All Sources of Changes
Files, registry (Windows), database schema, master data in database tables, system commands, API calls, HTTP requests, SNMP, import from existing tools
The Entire Environment
Server stack
• Applications: Java, .NET, SharePoint, Documentum, any custom app
• Web: IIS, Apache
• Middleware: IIS, Apache, Tomcat, WAS, OAS, JBoss, Tibco
• DB: MS SQL, MySQL, Oracle, Db2, Sybase, MongoDB
• OS: Windows, Red Hat, SUSE, Fedora, Solaris, AIX, HP-UX
Virtualization: VMware, OpenShift, Hyper-V/Azure
Network: routers, load balancers, firewalls / Cisco, Radware, F5, Barracuda
Storage: SAN, NAS / EMC, NetApp, XIV
Most Granular Level
• App files: ASP.NET, HTML, XSS, DLL - size, version, checksum, timestamp
• App config: Parsed files and individual parameters, registry keys, data in database tables, API based values
• DB: Schemas, stored procedures, DB server global and instance configuration
• OS: Services, drivers, updates, printers, installed software, kernel parameters, .INI files
• Hardware: BIOS, memory, CPU, disks, network cards and adapters
• Network: Routing tables, firewall policies, MIBs
You must have accurate and detailed data around all changes.
• Who? Who will do the change? Who actually did it?
• What? What will be changed? What is the scope? What was actually changed?
  • Scope identification:
    • Understanding the change request description using natural language processing techniques to identify affected environments
  • Scope anomaly detection:
    • Loneliness factor identifying what environments are usually modified within the same change request
    • Pattern discovery evaluating consistency of change execution
• When? What is the authorized time window? When was the change made?
  • Time-based correlation
  • Time scope anomaly:
    • Automatically identify scheduled maintenance windows per environment/host
    • Detect changes outside of the authorized time window
CORRELATE ACTUAL AND PLANNED CHANGES
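Added example, not from the deck and not Evolven's code: correlating detected changes with approved change requests along the who, what (scope), when (time window) and location dimensions listed above. The record schemas, the request id, the item paths, the host ukappstg008 and the user names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase

@dataclass
class ChangeRequest:      # approved, planned change (hypothetical schema)
    cr_id: str
    hosts: set            # location: hosts the request covers
    scope: list           # glob patterns for items the request may touch
    start: datetime       # authorized time window
    end: datetime
    implementers: set     # who is expected to make the change

@dataclass
class DetectedChange:     # actual change observed on a host (hypothetical schema)
    host: str
    item: str
    when: datetime
    who: str

def correlate(change, requests):
    """Return (verdict, closest_cr_id, reasons) for one detected change."""
    best = ("unauthorized", None, ["no change request covers this host"])
    for cr in (r for r in requests if change.host in r.hosts):
        reasons = []
        if not cr.start <= change.when <= cr.end:
            reasons.append("outside authorized time window")
        if not any(fnmatchcase(change.item, p) for p in cr.scope):
            reasons.append("item outside requested scope")
        if change.who not in cr.implementers:
            reasons.append("made by unexpected user")
        if not reasons:
            return ("authorized", cr.cr_id, [])
        if best[1] is None or len(reasons) < len(best[2]):
            best = ("unauthorized", cr.cr_id, reasons)  # keep the nearest miss
    return best

# Constructed sample data; only ukappstg007, MLN_HUB_STG and the .dtsx names are from the deck.
REQUESTS = [ChangeRequest("CR-EXAMPLE-1", {"ukappstg007"},
    ["ssis/GetCV.dtsx", "ssis/getCVDESC.dtsx", "db/MLN_HUB_STG/*"],
    datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 2, 0), {"deploy_svc"})]
DETECTED = [
    DetectedChange("ukappstg007", "ssis/GetCV.dtsx", datetime(2024, 3, 2, 22, 40), "deploy_svc"),
    DetectedChange("ukappstg007", "db/MLN_HUB_STG/views/v_cv", datetime(2024, 3, 3, 9, 15), "deploy_svc"),
    DetectedChange("ukappstg007", "os/services/sshd", datetime(2024, 3, 2, 23, 5), "jdoe"),
    DetectedChange("ukappstg008", "ssis/GetCV.dtsx", datetime(2024, 3, 2, 22, 45), "deploy_svc")]

if __name__ == "__main__":
    for c in DETECTED:
        print(c.host, c.item, *correlate(c, REQUESTS))
```

Reporting the nearest-miss request with its reasons lets a reviewer tell a late but otherwise planned change apart from one that no request explains at all.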
LOW-QUALITY SERVICE DESK DATA: “We don’t fill our data well”
Understanding Natural Language Requests
Linguistic analysis input: Natural Language
Semantic parse tree understanding the objects and their relations
ENVIRONMENT SCOPE
Sample request: “Execute SQL scripts against MLN_HUB_STG database to update Views and Stored Procedures, update SSIS packages GetCV.dtsx, getCVDESC.dtsx on SSIS server at ukappstg007”
[Figure: the sample request annotated with the labels Action, Environment, Sub-Environ., Host and CI]
• Semantic dependency parsing
• Named-entity recognition
• Part of speech tagging
*Advanced research in lab
• Prevent incident
• Improve your process
• Automate auditing
• Accelerate root cause analysis
DETECTING UNAUTHORIZED CHANGES ALLOWS YOU TO…
PREVENT INCIDENT: DETECT WHAT ACTUALLY CHANGED AND ANY UNAUTHORIZED CHANGES
[Screenshot callouts:]
• Immediate data about what changed
• Detailed Change Request
• Ability to see the actual changes
IMPROVE PROCESS: PROTECT TARGET STATE OF ENVIRONMENT
[Screenshot callouts:]
• Required configuration conditions
• Compliance issues are detected and reported on
• All targeted environment hosts are evaluated to policy standard
AUTOMATE AUDIT
[Screenshot callouts:]
• Review Relevant Change Results
• Immediate Compliancy Data
ACCELERATE ROOT CAUSE ANALYSIS
[Screenshot callouts:]
• Breakdown by Risk
• Automated Highlights
• Correlated View
PROBLEM
Although changes are responsible for most performance and availability incidents, existing tools can’t detect and correlate changes with investigated incidents. Unauthorized or undocumented changes make it even harder.
SOLUTION
1. Detect early all actual changes, assess their risk based on a number of risk dimensions and alert on high risk
2. Detect authorized vs unauthorized changes with integration into your Service Desk tools
3. Identify most probable root cause based on change risk
4. Detect out-of-policy configuration and changes against rules defining desired environment state
• Unauthorized change is an unknown factor that can impact your business at any time
• Better processes, automated deployments, environment standardization reduce the chance of unauthorized change but never bring it to 0%
• Use automation - actual change detection and analytics to close the loop of your processes and guarantee zero unauthorized change impact to your bottom line.
CLOSE THE LOOP OF YOUR PROCESSES
Demo
THANK YOU