Change Control and Change management are not just buzzwords. Though many organizations tend to think of change control as more of a concept, in reality, it is a necessity for a strong security posture.
Known as the ability to detect changes, and typically accomplished with technology such as file integrity monitoring software (FIM), change monitoring is best automated for the sake of accuracy and convenience. Using tools with built-in intelligence, such as next-gen FIM software, significantly eases time commitments needed when effectively monitoring for changes.
Change monitoring, when correctly administered consists of several aspects, including:
- Centralized audits: a single repository of changes made to critical files and configurations, which attributes changes by user, location, and time.
- Real-time change reporting: The average cybercriminal completes data retrieval in just minutes. If your FIM tool completes weekly scans instead of real-time change detection, you could miss negative changes until long after the event has concluded.
- Human-readable reporting: Alerts and reports that are easy for your administrative users to understand aren't strictly necessary, but they can reduce error margins significantly. Clear information can also reduce your time to response
- Intelligent classification of changes: With an FIM tool that's smart enough to classify changes as positive, neutral, or negative, administrators can focus on response.
- Unalterable Logs: To effectively monitor against insider information security threats, unalterable data is critical to creating accountability.
This information previously was listed in Change Control versus Change Management.
Though each element listed above may not be a necessity for change monitoring dependent upon organizational risk goals, implementation of these elements is not considered excessive. Real-time, intelligent, change monitoring maximizes risk mitigation and supports effective change management.
Change Management Policy
The process of making decisions about your network should consist of combining change monitoring and effective security policy. Though this is many times tasked to the Chief Data Officer(CDO), some predictions note that CDOs may have increased strategy and influence in coming years, along with the responsibility of defining policies.
Regardless of current ownership of responsibility, a solid change management policy should not only be defined, but execution and implementation must occur for success.
Change Management policies can vary from organization to organization, but the minimal elements included within a strong change management policy should include:
- Policy-based Accountability: Ideally, technological and policy practices should go hand-in-hand.
- Change Analysis: Changes to critical system files are necessary and frequent. Does your organization have the ability to effectively (and quickly) characterize known changes versus those that are unknown and may pose a risk?
- Access Accountability: Administrative users should have appropriate access and should also have the ability to resolve end-user access issues efficiently and quickly while granting necessary minimum user permissions.
- Workflow Accountability: Administrative users (and every user for that matter) should not have unchecked access that is not logged.
- Automated Tasks: When unknown or even negative changes occur, you should be able to remediate changes quickly and seamlessly. If this task requires hours for reconciliation, then automation may be needed.
- Documentation Accountability: Tools and policy should be transparent with the documentation of who made the change, why the change occurred, and the nature of the change. Necessary approval needed should also be documented for reference.
Documenting Real-time Change
Knowledge of changes occurring is just a small part of change management. Complete change detail is a necessity, providing deep details in each unauthorized change. Next-gen file integrity monitoring should be able to provide much-needed forensic details, such as
- Who changed information
- What information was changed
- When the information was changed
- How the information was changed, or the process used to change it.
A complete view of changes occurring, in real-time is required when needing complete change audit information.
Just knowing that a change happened is of little use without understanding the corresponding metadata associated with the change.
Though constant configuration and file changes are normal, the quality of the changes occurring is truly at the crux of maintaining compliance and identifying security issues.
- File Contents
- File Configurations
- Network Devices
- Active Directory
- POS Systems
- VMWare Configurations
As enterprise environments increase with complexity, knowledge, and policy are not always enough to eliminate vulnerabilities.
Proactive Change Control Options
Changes are many times expected, as system improvements need to be made, or corrections need to occur. However scheduled changes may need to be delayed, or may not be completed.
Not only is maintaining enterprise change considered a best practice in IT management, but it is also critical to ensure IT compliance and security. With ransomware attacks occurring every 14 seconds, the ability to decipher changes as "critical or threatening/unknown" versus "known or planned" is crucial to sustaining a solid security posture.
This knowledge, coupled with complete change reporting can provide organizations with the exact information needed to aid with change control.
Just as there is not a "one-technology fits all" for organizations, next-gen file integrity software should be able to provide complete change reporting that produces everything from management overviews, down to a granular level by identifying each change on a particular system.
Software integration should also be considered as many organizations not only want but need the option to send change data for further analytics and/or reporting to the SIEM in use.
Learn more about CimTrak's next-gen file integrity monitoring software with the technical summary today.
October 22, 2019