Michael Sanders UNAUTHORIZED CHANGES. HOW TO IDENTIFY, MANAGE AND ADDRESS.


Post on 24-May-2020


Page 1: Evolven PP Template3 4 UNKNOWN CHANGES: 4 THINGS TO THINK ABOUT . 4 | Evolven Proprietary & Confidential • You can lock your environment (only designated personnel can access environment

Michael Sanders

UNAUTHORIZED CHANGES. HOW TO IDENTIFY, MANAGE AND ADDRESS.

Page 2

S**T CHANGE HAPPENS

Planning and knowing about change is helpful, but sometimes we have the dreaded “Unauthorized Change”.

• Unauthorized changes can greatly impact applications that support business operations.
• Identifying these unknown changes is critical during impactful incidents.
• Proactively knowing about them can help in the prevention of outages and avoid breaks in regulatory compliance.

Page 3

UNKNOWN CHANGES: 4 THINGS TO THINK ABOUT

1. Unauthorized changes cause operational issues!
2. Critical that you can automatically detect all unauthorized changes!
3. You must be able to immediately validate that all planned changes are implemented accurately!
4. Unauthorized changes leave you vulnerable to auditing risk!

Page 4

UNAUTHORIZED CHANGES IN MODERN ENVIRONMENTS

• You can lock your environment (only designated personnel can access the environment via an automated deployment tool or manually). This limits agility and flexibility. Even then, the designated personnel cannot verify all the packages pushed into production, so they can easily deploy an unauthorized change.
• You can control privileged access with tools like CyberArk. However, it is practically impossible to know what a user did after getting access unless you review the record of their activities screen by screen, keystroke by keystroke.
• You can standardize your environment so that no changes can be made, at least at the infrastructure or platform levels. However, it means that more changes/customization will be required at the application level to address business requirements using the standardized platform.

The bottom line is that you need automatic change detection and analysis to close the loop on even the most thought-through automated process.

Evolven can provide the insights.

Page 5

CHANGE CENTRIC CAUSAL ANALYSIS

[Figure: timeline with axes Time and Risk. Labels: Change, Alert, Incident, RCA, Cause ID’d, Fix, Incident resolved]

Change is critical for analysis. Changes are the true root cause of incidents.

• Configuration: Causing configuration issues
• Data: Unexpected data inputs and structure, data anomalies, size of data
• Capacity: Insufficient resources causing system failures and slowdown
• Workload: Unexpected transactions distribution, sequence or volume
• Code: Introducing new defects

95% of issues are caused by changes.

Unauthorized changes are predominantly at fault for long RCA time. Once identified, resolution is usually quick.

Page 6

LEVERAGE EARLY DETECTION OF THE TRUE ROOT CAUSE TO SLASH RCA TIME

[Figure: timeline with axes Time and Risk. Labels: Change, Change detected, Alert, Incident, Change correlated and risk analyzed, RCA, Fix, Incident resolved]

Evolven tracks, correlates and analyzes changes to slash RCA time.

Page 7

LEVERAGE EARLY DETECTION OF THE TRUE ROOT CAUSE TO SLASH RCA TIME

[Screenshot callouts]

• Integrated view of alerts/changes
• Detailed analytics of the Unauthorized Change

Page 8

DON’T WAIT FOR INCIDENTS TO HAPPEN, PREVENT THEM

[Figure: timeline with axes Time and Risk. Labels: Change, Risk detected, Analysis, Fix, Incident Prevented, Alert, Incident, RCA, Incident resolved]

Evolven tracks and analyzes changes as they happen to prevent incidents (instead of waiting for symptoms alert to show).

Page 9

HOW TO AUTOMATICALLY DETECT UNAUTHORIZED CHANGES

• Automatically detect all the changes anywhere in any environment
• You need to identify changes at the most granular level
• Automatically correlate detected changes with approved change requests or automated deployments
  • Time of change
  • Location of change
  • Scope of change
  • Nature of change
• Cope with change requests and deployment information of any data quality

Page 10

COLLECT ALL CHANGES

You must have accurate and detailed data around all changes.

All Sources of Changes

Files, registry (Windows), database schema, master data in database tables, system commands, API calls, HTTP requests, SNMP, import from existing tools

The Entire Environment

Server stack
• Applications: Java, .NET, SharePoint, Documentum, any custom app
• Web: IIS, Apache
• Middleware: IIS, Apache, Tomcat, WAS, OAS, JBoss, Tibco
• DB: MS SQL, MySQL, Oracle, Db2, Sybase, MongoDB
• OS: Windows, Red Hat, SUSE, Fedora, Solaris, AIX, HP-UX

Virtualization: VMware, OpenShift, Hyper-V/Azure

Network: routers, load balancers, firewalls / Cisco, Radware, F5, Barracuda

Storage: SAN, NAS / EMC, NetApp, XIV

Most Granular Level

• App files: ASP.NET, HTML, XSS, DLL - size, version, checksum, timestamp
• App config: Parsed files and individual parameters, registry keys, data in database tables, API based values
• DB: Schemas, stored procedures, DB server global and instance configuration
• OS: Services, drivers, updates, printers, installed software, kernel parameters, .INI files
• Hardware: BIOS, memory, CPU, disks, network cards and adapters
• Network: Routing tables, firewall policies, MIBs

Page 11

CORRELATE ACTUAL AND PLANNED CHANGES

1. Who? Who will do the change? Who actually did it?
2. What? What will be changed? What is the scope? What was actually changed?
  • Scope identification:
    • Understanding the change request description using natural language processing techniques to identify affected environments
  • Scope anomaly detection:
    • Loneliness factor identifying what environments are usually modified within the same change request
    • Pattern discovery evaluating consistency of change execution
3. When? What is the authorized time window? When was the change made?
  • Time based correlation
  • Time scope anomaly:
    • Automatically identify scheduled maintenance windows per environment/host
    • Detect changes outside of authorized time window
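The who / what / when correlation described on this slide, as an added example that is not from the original deck and is not Evolven's code: each detected change is matched against approved change requests by host scope, time window and actor. The record shapes, the verdict strings and every sample value except the host name ukappstg007 and the package GetCV.dtsx are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ChangeRequest:      # planned change exported from a service desk (assumed shape)
    cr_id: str
    hosts: frozenset      # what: hosts in the approved scope
    assignees: frozenset  # who: accounts allowed to implement it
    start: datetime       # when: authorized window start
    end: datetime         # when: authorized window end

@dataclass(frozen=True)
class DetectedChange:     # actual change reported by a collector (assumed shape)
    host: str
    item: str
    actor: str
    when: datetime

VERDICTS = ("unauthorized: no request covers this host",
            "unauthorized: outside authorized time window",
            "unauthorized: actor not assigned to request",
            "authorized")

def classify(change, requests):
    """Return (verdict, cr_id) for the request that matches on the most dimensions."""
    best_rank, best_cr = 0, None
    for cr in requests:
        if change.host not in cr.hosts:
            continue                      # scope mismatch: request is irrelevant
        rank = 1                          # host is in scope
        if cr.start <= change.when <= cr.end:
            rank = 3 if change.actor in cr.assignees else 2
        if rank > best_rank:
            best_rank, best_cr = rank, cr.cr_id
    return VERDICTS[best_rank], best_cr

# Constructed sample data; only ukappstg007 and GetCV.dtsx appear on the slides.
SAMPLE_REQUESTS = [ChangeRequest("CR-1001", frozenset({"ukappstg007"}), frozenset({"dba_ops"}),
                                 datetime(2020, 5, 23, 22, 0), datetime(2020, 5, 24, 2, 0))]
SAMPLE_CHANGES = [
    DetectedChange("ukappstg007", "GetCV.dtsx", "dba_ops", datetime(2020, 5, 23, 23, 10)),
    DetectedChange("ukappstg007", "stored procedure", "dba_ops", datetime(2020, 5, 24, 9, 30)),
    DetectedChange("ukappstg007", "registry key", "jdoe", datetime(2020, 5, 23, 23, 30)),
    DetectedChange("ukappprd001", "app config", "dba_ops", datetime(2020, 5, 23, 23, 15)),
]

if __name__ == "__main__":
    for c in SAMPLE_CHANGES:
        print(c.host, c.item, c.actor, *classify(c, SAMPLE_REQUESTS))
```

Taking the best match across all requests, rather than the first, keeps a change from being flagged when one overlapping request authorizes it and another does not.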

Page 12

LOW-QUALITY SERVICE DESK DATA: “We don’t fill our data well”

Understanding Natural Language Requests

Linguistic analysis input: Natural Language

Execute SQL scripts against MLN_HUB_STG database to update Views and Stored Procedures, update SSIS packages GetCV.dtsx, getCVDESC.dtsx on SSIS server at ukappstg007

Semantic parse tree understanding the objects and their relations

[Figure: ENVIRONMENT SCOPE. Parse of the request above, with its parts labelled Action, Environment, Sub-Environ., Host and CI]

• Semantic dependency parsing
• Named-entity recognition
• Part of speech tagging

*Advanced research in lab

Page 13

DETECTING UNAUTHORIZED CHANGES ALLOWS YOU TO…

• Prevent incident
• Improve your process
• Automate auditing
• Accelerate root cause analysis

Page 14

PREVENT INCIDENT: DETECT WHAT ACTUALLY CHANGED AND ANY UNAUTHORIZED CHANGES

[Screenshot callouts]

• Immediate data about what changed
• Detailed Change Request
• Ability to see the actual changes

Page 15

IMPROVE PROCESS: PROTECT TARGET STATE OF ENVIRONMENT

[Screenshot callouts]

• Required configuration conditions
• Compliance issues are detected and reported on
• All targeted environment hosts are evaluated to policy standard

Page 16

AUTOMATE AUDIT

[Screenshot callouts]

• Review Relevant Change Results
• Immediate Compliancy Data

Page 17

ACCELERATE ROOT CAUSE ANALYSIS

[Screenshot callouts: Breakdown by Risk, Automated Highlights, Correlated View]

PROBLEM

Although changes are responsible for most performance and availability incidents, existing tools can’t detect and correlate changes with investigated incidents. Unauthorized or undocumented changes make it even harder.

SOLUTION

1. Detect early all actual changes, assess their risk based on a number of risk dimensions and alert on high risk
2. Detect authorized vs unauthorized changes with integration into your Service Desk tools
3. Identify most probable root cause based on change risk
4. Detect out-of-policy configuration and changes against rules defining desired environment state

Page 18

CLOSE THE LOOP OF YOUR PROCESSES

• Unauthorized change is an unknown factor that can impact your business at any time
• Better processes, automated deployments, environment standardization reduce the chance of unauthorized change but never bring it to 0%
• Use automation - actual change detection and analytics to close the loop of your processes and guarantee zero unauthorized change impact to your bottom line.

Page 19

Demo


Page 21

Michael Sanders

UNAUTHORIZED CHANGES. HOW TO IDENTIFY, MANAGE AND ADDRESS.

THANK YOU