Catching Rogue Configuration Changes
There is always a lot of hype about the external threats faced by IT departments, such as from hackers. But many believe internal threats are a bigger problem. That’s a primary reason for the accelerating growth of audit and configuration solutions, part of the broader change management software category.
Configuration auditing software is an automated way for a company to watch for any unwarranted change to the IT environment. It produces an alert whenever configuration settings, software, or files change from a predetermined “desired state.”
Even when an employee makes these changes unintentionally or without malice, they can disrupt the system. In a recent survey, 73 percent of Forrester Research clients said that they must continually deal with downtimes and other problems caused by unplanned IT adjustments.
Currently, use of these programs is mainly fueled by business concerns with regulatory compliance requirements, such as the need to ensure that data is protected as required by privacy rules, says Evelyn Hubbert, a senior analyst at Forrester Research. Auditors want to know that there are rules for how changes that could affect access to protected data are made, she says.
But companies should monitor changes for operational and security reasons generally, not just for compliance.
Small data center changes can have serious repercussions, says Hubbert. She gives an example of a bank, which, after an unauthorized change, was unable to process transactions for four days. “It had to waive fees for a month and lost millions of dollars. And it faced a class action lawsuit,” she says.
Products from some of the main vendors, such as Portland, Oregon-based Tripwire and Cupertino, California-based Solidcore Systems, produce on-demand reports detailing an organization’s compliance with virtually any regulation.
Since implementing Tripwire’s Enterprise solution in early 2005, the Washington, D.C.-based educational software company Blackboard, Inc., has found the product helpful for complying with regulations such as Sarbanes-Oxley and more recently the Payment Card Industry Data Security Standard, says John Lambeth, vice president of IT and security. But, he says, the product is equally helpful for protecting corporate data and customer information.
“We wanted a strong layered network of defense. Sometimes your weakest link is the internal employee who makes changes without understanding the risk—or a disgruntled employee,” says Lambeth.
To help clients reach a “desired state,” Tripwire, which has more than 5,700 customers, first runs a series of “health assessments” in areas including security and regulatory compliance.
From a security standpoint, “many customers have no idea how things are configured,” says Dan Schoenbaum, Tripwire senior vice president of marketing and business development. He says Tripwire examines configurations and network devices and compares them to an industry benchmark, such as from the Center for Internet Security.
At Blackboard, Tripwire continuously monitors border routers, firewalls, switches, the company’s e-mail server, and other devices. It also examines the operating system settings. Lambeth says that it both monitors for unwanted changes and ensures that desired changes occur.
In managing the system, Schoenbaum says, it’s necessary to think about which devices and applications need the highest priority. “If it’s a small switch, you may not want it paging everybody; maybe it can just post an alert to the console,” he notes.
Sixty percent of critical system and application outages are caused by faulty data center alterations, according to Boulder, Colorado-based Enterprise Management Associates.
The solutions can also be helpful in detecting some external threats. Tripwire is especially useful in detecting any changes or additions in code that a hacker might make to software applications and files, says Lambeth. “If you’re trying to alter the code to make something vulnerable to attack, Tripwire would note a change to the data or time stamp.”
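The desired-state comparison the article describes, as an added example rather than Tripwire’s or Blackboard’s own code: a baseline records each file’s content hash, size, permission bits and modification time, and a later pass reports whatever drifted. The constructed scenario shows why the content hash matters alongside the time stamp Lambeth mentions: an edit that restores the old modification time is still reported, and an unexpected new file is reported as added. File names and contents are constructed for the demonstration.

```python
"""Minimal 'desired state' baseline check for a directory of files.
Added illustration, not a vendor's code. Sample files are constructed
inside a temporary directory so the script runs offline."""
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Return {relative_path: (sha256, size, mode, mtime_ns)} for every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root)
            state[rel] = (digest, st.st_size, stat.S_IMODE(st.st_mode), st.st_mtime_ns)
    return state

def compare(baseline, current):
    """Classify drift from the baseline: removed, added, or the list of changed fields."""
    fields = ("content", "size", "mode", "mtime")
    changes = {}
    for rel in baseline.keys() - current.keys():
        changes[rel] = ["removed"]
    for rel in current.keys() - baseline.keys():
        changes[rel] = ["added"]
    for rel in baseline.keys() & current.keys():
        diff = [f for f, a, b in zip(fields, baseline[rel], current[rel]) if a != b]
        if diff:
            changes[rel] = diff
    return changes

def demo():
    """Constructed scenario: a same-length config edit with the old time stamp put back, plus a new file."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sshd_config")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")          # 19 bytes
        baseline = snapshot(root)                    # the "desired state"
        st = os.stat(cfg)
        with open(cfg, "w") as f:
            f.write("PermitRootLogin yes")           # also 19 bytes, so size is unchanged
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the original time stamp
        with open(os.path.join(root, "unexpected_module.so"), "wb") as f:
            f.write(b"constructed sample file")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, what in sorted(demo().items()):
        print(f"ALERT {path}: {', '.join(what)}")
```

Only the content hash flags the config edit here, which is the case a time-stamp-only check would miss.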
Audit and compliance software is often used with other software as part of the overall change management process. Other products can automatically make changes or turn configurations back to their desired state, for example. For Blackboard, Tripwire is part of a larger security monitoring effort. The firm uses other software to monitor network traffic, and for intrusion detection, says Lambeth.