Evolving IT…

With the advent of cloud computing, the way information technology professionals go about their everyday tasks is dramatically changing. With the emergence of SaaS – most IT organizations are finding themselves in a role that is quickly evolving. IT services are becoming more of a utility – with the expectation that the services will always be available – anytime, and from anywhere – like electricity. IT is truly becoming more transparent. That said – the functions of IT are the most critical component of any business, because without them – the business cannot function.

As we look into the future – the functions of IT will become more and more automated. The ability to leverage cloud based tools and services – that provide more advanced levels of automation, at a lower price to serve – will be the norm. Today…the average IT administrator can manage 50 users effectively – in the not too distant future…that same individual will be able to manage 1,000 users – due in large part to the impact of cloud based technology. This new paradigm will truly be an enabler for business – allowing the IT professionals of today to shift their focus from tedious day-to-day tasks – to more strategically important activities.

Dave Eike

Shavlik Technologies


The Changing Fabric Of IT…

The advent of virtualization has changed the very fabric of IT, and has ignited a new era in computing. Virtualization has been a significant catalyst for change – prompting every IT organization to rethink the methods by which they provide computing services to their customers. Today…virtualization and cloud based technologies are becoming much more mainstream, transforming the way IT functions – providing a means of both reducing costs, and driving up efficiency and productivity.

That said…there are corresponding challenges as well. As VMs continue to sprout up in just about every organization…the dilemma is the ability to manage what’s there. Let me elaborate:

1) Do you know the extent of your virtual infrastructure? VM images that get spun up – but for whatever reason aren’t visible to IT – present a risk.

2) Are you able to discover VMs that are offline? A VM image that is maintained in an offline state, and then brought online after an extended period, may be improperly secured.

3) Once discovered, can you quickly assess the current state of the VMs you’ve now discovered – are they patched and configured properly? The ability to manage and secure these images is critical!

4) Additionally, do you know what software assets have been deployed to these systems…that may impact any current software license agreements?

So…to ensure the proper level of security, and facilitate the management of your virtual infrastructure – you’re going to need the right set of tools. That said, the tool should be both easy to use, as well as comprehensive in what it will discover (virtual and non-virtual machines). It should be able to clearly illustrate:

1) The extent of your virtual infrastructure – including systems that are both online and offline.

2) A perspective on the complexion of the risk you might be facing…missing security patches, system configuration issues, unnecessary services that may be running, etc.

3) A detailed list of your current software assets – to ensure that you’re not over or under spending.

4) Last but not least…if there are risks that are discovered, the ability to remediate or remove the risks (or vulnerabilities) is critical!

As a reference to the above, I wanted to comment on an excellent article I just read that does a good job of illustrating the challenge I’ve just described – the gap between the complex new requirements of virtual machine management and the ability of systems tools vendors to meet them. Enjoy!

http://www.information-age.com/channels/data-centre-and-it-infrastructure/perspectives-and-trends/1109528/wanted-management-tools-for-the-virtual–cloud-era.thtml

So…to summarize, the proper tools exist to ensure you can keep your virtual environment in check…and you don’t have to look too far ;-)

Thanks for reading!!

Dave Eike

Shavlik Technologies


Transforming IT…

Over the past 20 years, information technology has made some radical transformations. The Internet has changed the way we work, and continues to provide an excellent foundation for innovation. That said, IT executives continue to look for ways to improve operational efficiencies, reduce risk and save money. Unfortunately, with the day-to-day demands on IT ever increasing, the opportunity to innovate is an ongoing challenge. With competitive market pressures, and the pressures to lower the cost of doing business, IT organizations need to look for ways to transform themselves.

Now what do I mean by transform? Well, most IT organizations today are forced (because of resource limitations) into having to focus on the “blocking and tackling” aspects of IT (Uptime, Help Desk, Operations, Security, etc.). While a requirement, these day to day activities consume both time and energy…not leaving much time to dwell on the strategic.

IT is the most important strategic asset (staff, information, systems, etc.) in any organization. Without IT, business can’t operate. That said, IT needs to continue to elevate its level of importance in the organization…and can do so by making time to innovate. This is why I believe IT has to transform itself from the position of service delivery, to critically strategic. This happens when:

1) The business leaders recognize the strategic importance of IT, and make it a priority vs. purely a necessary expense.

2) IT is enabled to look inside itself…and look for ways to innovate, and employ that innovation / automation to help re-purpose the “people” assets involved in IT towards more important tasks – tasks that will help advance the position of the business (i.e., Market Share, Revenue, Profitability, etc.)

Allowing IT the opportunity to explore and leverage the concept of innovation will have a marked impact on the capabilities of IT, but more importantly the people involved.

Dave Eike

Shavlik Technologies


Automation – The Impact Point For IT Operations

With ever tightening budgets, and the constant requirement to continue to improve operational efficiency – the impact that automation can have on IT operations is quite dramatic! Considering all the operational elements that have to be considered to provide the proper levels of service to the user community…the injection of automated tools into the process is no longer an option.

For many IT organizations, the solution to the problem has centered around the deployment of a series of point solutions to address the core set of requirements from the discovery and management of asset and inventory data (virtual or non-virtual), the assessment of any potential for risk (vulnerability scanning, patch management, AV…), as well as performance management and monitoring…just to name a few.

This approach, while acceptable…does not promote what I would categorize as “aggregated efficiency”. Trying to evaluate the condition or state of your environment by independently collecting the results derived from various point solutions is OK, but not the most efficient way to address the day to day challenges of managing an IT environment. In order to truly drive greater efficiencies, and save money while at the same time improving service levels…what’s necessary is a single solution (one with as complete a set of functionality as possible) to aid IT operations in managing the time-consuming daily tasks that are currently disconnected.

There is a better way! There are solutions on the market today that will help assist IT operations with this quest. Selfishly, here at Shavlik…we’re moving quickly into the IT Management area with a SaaS based platform, that over time could become the Swiss army knife for IT operations. This technology of ours is being designed to address the core set of requirements necessary to effectively manage an IT operation – but in a far more aggregated manner. If you get a chance…check out what we’ve developed so far, you might find it of interest! The URL to access the application is https://it.shavlik.com/. The application will go into a Public Beta phase in mid-February.

Dave Eike

Shavlik Technologies


Apple iTunes – Addressing The Necessary Risk

With the advent of the iPod, and more recently the iPhone…the presence of Apple applications in the enterprise is continuing to expand. The challenge…how to address the vulnerability risk that these devices present. At the center of it all is iTunes…one of the most widely used applications in the world. It’s the primary delivery vehicle for the music used by the iPod, but also the connection and update vehicle for the iPhone. However, this application carries with it a good deal of risk if left unchecked!

There are many organizations today that rely solely on Microsoft to perform the critical function of patch management. Who better…? Well…Microsoft does a good job of addressing any risks that may apply to their new applications, but what about their older OSs and applications, and more importantly…the non-Microsoft applications that you will find in almost any environment? This is where the challenge resides! Having technology to accurately assess the presence of iTunes, and more importantly…whether it’s patched appropriately, is critical.

So, the questions you have to ask yourself are as follows:

1) Do you have any users in your environment using iTunes?

2) If you do, are you aware of their current patch level as it relates to iTunes?

3) Additionally, if you are currently using Microsoft WSUS to patch exclusively, and have discovered the presence of iTunes – how will you address any potential vulnerability related risks?

If you struggled with any of these questions…don’t feel bad, you’re not alone!! To address this issue, and certainly the risks associated with the presence of other non-Microsoft related applications, you’ll need a tool that enables you to scan for and remediate these types of risks.

Dave Eike

Shavlik Technologies


Do You Know Where Your VM’s Are…?

With the advent of virtualization…the ability companies now have to optimize existing system platform resources is at an all time high. If you told me 15 years ago that you would be able to convert a single physical server to one that contained a series of virtual servers on the same box – and amplify their performance, I would have thought you were crazy!

Fast forward to today…there isn’t a company out there that hasn’t played with or deployed some form of virtual system in their environment. If they haven’t – they’ve been living under a rock! With this rapid deployment of VMs comes an incredible challenge! Because of the ease with which a VMware ESXi server can be deployed, it’s extremely important to be able to track any new “virtual system” that may be introduced into your environment. You may be asking why…?

Well…much like any physical system, they are exposed to the same vulnerabilities and risks. VMs can operate in either an online or offline state, and need the same level of attention as their physical counterparts…to prevent what I would characterize as “unplanned or unexpected risk”. To ensure any new VM you may spin up is properly secured – I would recommend the following:

1) You need some form of technology or tool set to accurately assess your environment for any existing or recently added VMs – either online or offline. (Note: You can’t protect what you can’t see!)

2) Once discovered, you need to evaluate their current patch and security configuration status. The two largest areas of potential risk center around systems that are either poorly patched or poorly configured.

3) If you do in fact discover gaps or deficiencies, then you’ll need some form of automated remediation to rectify matters.

By following these recommendations, you can rest assured that you’ll know where your VMs really are!
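The first recommendation above is the part most often skipped: finding the images that exist on disk but are not powered on. As an added example (my code, not Shavlik’s and not from the post), the script below walks a constructed set of .vmx files, which are plain `key = "value"` text, joins them with the hypervisor’s power-state list, and flags offline images whose last patch/configuration assessment is older than a threshold. The file contents, VM names, and assessment dates are all made up for the example, and the "last assessed" record is assumed to come from whatever scanner you use.

```python
import re
from datetime import date

# Constructed sample data (not from any real environment): the text of four
# .vmx files found by walking a datastore. A .vmx is a plain-text file of
# key = "value" lines; only displayName and guestOS are used here.
VMX_FILES = {
    "/vmfs/volumes/ds1/web01/web01.vmx":
        'config.version = "8"\ndisplayName = "web01"\nguestOS = "windows7srv-64"\n',
    "/vmfs/volumes/ds1/db01/db01.vmx":
        'displayName = "db01"\nguestOS = "rhel5-64"\n',
    "/vmfs/volumes/ds1/app02/app02.vmx":
        'displayName = "app02"\nguestOS = "winNetStandard"\n',
    "/vmfs/volumes/ds2/old/test-legacy.vmx":
        'displayName = "test-legacy"\nguestOS = "winxppro"\nthis line is malformed\n',
}

# Constructed: VM names the hypervisor reports as powered on right now.
RUNNING_VMS = {"web01", "db01"}

# Constructed: date each VM was last scanned for patch/config status
# (assumed to be exported from the scanning tool).
LAST_ASSESSED = {
    "web01": date(2010, 2, 1),
    "db01": date(2010, 1, 25),
    "app02": date(2010, 2, 5),
    "test-legacy": date(2009, 6, 15),
}
TODAY = date(2010, 2, 10)  # fixed "today" so the example is reproducible

VMX_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return the key/value pairs of a .vmx file; malformed lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def build_inventory(vmx_files, running, last_assessed, today, max_age_days=30):
    """Combine on-disk images with the power-state list into one inventory.

    Each entry records whether the VM is online or offline and whether its
    last assessment is older than max_age_days (or missing entirely, which
    counts as stale: a never-scanned image is the riskiest kind).
    """
    inventory = []
    for path, text in vmx_files.items():
        cfg = parse_vmx(text)
        name = cfg.get("displayName", path)   # fall back to the path if unnamed
        assessed = last_assessed.get(name)
        stale = assessed is None or (today - assessed).days > max_age_days
        inventory.append({
            "name": name,
            "path": path,
            "guest_os": cfg.get("guestOS", "unknown"),
            "state": "online" if name in running else "offline",
            "last_assessed": assessed,
            "stale": stale,
        })
    return sorted(inventory, key=lambda vm: vm["name"])

def needs_attention(inventory):
    """Names of VMs that are offline and have not been assessed recently."""
    return [vm["name"] for vm in inventory
            if vm["state"] == "offline" and vm["stale"]]

if __name__ == "__main__":
    inv = build_inventory(VMX_FILES, RUNNING_VMS, LAST_ASSESSED, TODAY)
    for vm in inv:
        print(f'{vm["name"]:12} {vm["state"]:8} {vm["guest_os"]:16} '
              f'last assessed {vm["last_assessed"]} stale={vm["stale"]}')
    print("offline and not recently assessed:", needs_attention(inv))
```

In the constructed data, app02 is offline but was scanned recently, so it is not flagged; test-legacy is offline and has not been looked at in months, which is exactly the image that gets powered on later with stale patches. On a real datastore you would replace the `VMX_FILES` dictionary with the result of walking the volume for `*.vmx` files.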

Dave Eike

Shavlik Technologies


Reporting Dilemma…

One of the most important elements of any good information security program is the ability to generate good, consumable reporting. The dilemmas that most organizations face around this subject are as follows:

1) What type of reports do I need, what should they include, and with what level of detail?

2) How can I use this reporting to make informed decisions?

Let me touch on each of these areas:

What type of reporting do I need, and what level of detail should it include? Well…if you look at information security on a broad scale, there are some very specific reports that I would categorize as the most important. They are as follows:

Patch Status Report – This report should include an assessment of your entire environment – inclusive of both virtual and non-virtual machines, and provide a sense for your patch posture – covering all Microsoft OSs, Microsoft Applications, Non-Microsoft Applications, and any Unix or Linux systems. The frequency should be no less than once a month.

Firewall Logs – This report should clearly illustrate the level of both inbound and outbound traffic, any alerts that were triggered, and any URL attacks that may have been discovered. This type of report should be reviewed on a daily basis, with separate alerts sent if any form of malicious behavior is detected.

Anti-Virus Status – This is another report that should be created on a daily basis. It should provide you with a listing of the top threats that were discovered and removed, it should also illustrate if any user’s .dat file is not up-to-date. Additionally, if for any reason there’s any unusual activity or traffic volume detected, you should set the application to provide you with the appropriate alerts.

Intrusion Detection – In this particular category, reporting is critical. The reports you create should illustrate: 1) how often hackers attempted to attack you; 2) what parts of your network they were targeting; 3) what kind of attack it was; and 4) whether the network was breached. These types of reports should be reviewed at a minimum on a daily basis. You should also create (if available) a set of automated alerts, if any type of anomalous behavior is detected.

Configuration Status – One of the most overlooked areas of information security centers around system hardening and security configuration settings. The type of report that you should create should include an assessment of “current state” against your current baseline. It should also include detail regarding any settings that have drifted from established policy. This type of reporting should be done at a minimum monthly.

Moving on…so how should you use this information to make informed decisions? By simply having a consistent stream of information (consistent with what I mentioned above), you will have the necessary data to make rational decisions on any issues or challenges that may arise. I would also encourage you to consider the use of some form of IT policy framework (i.e., ISO, ITIL, NIST, etc.) as a basis for your security policy and baseline development…because it will not only enhance the recommended reports that I described…but provide added measurability.

In summary…be proactive with your reporting, and don’t settle for less than what you need! You can’t protect yourself from what you’re not aware of…!
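The Configuration Status report above is the one that is easiest to describe and hardest to find a tool for, so here is the core of it as an added example (my own code, not from the post or from Shavlik). It compares each host’s collected settings against a baseline, treats a setting the host did not report at all as drift, allows a baseline item to accept more than one value, and summarizes per-host compliance plus which settings drift most often. The baseline keys, setting values and host names are constructed for the example; in practice the `CURRENT` dictionary would be filled by whatever agent or scanner collects the settings.

```python
from collections import Counter

# Constructed baseline: hardening settings policy expects on a Windows server.
# A value is either the single expected value or a set of acceptable values.
BASELINE = {
    "password.min_length": 12,
    "password.complexity": True,
    "services.telnet": "disabled",
    "services.remote_registry": {"disabled", "manual"},
    "audit.logon_events": "success,failure",
    "firewall.enabled": True,
}

# Constructed: settings collected from three hosts. srv-03 did not report
# audit.logon_events at all, which the report must treat as drift.
CURRENT = {
    "srv-01": {"password.min_length": 12, "password.complexity": True,
               "services.telnet": "disabled", "services.remote_registry": "manual",
               "audit.logon_events": "success,failure", "firewall.enabled": True},
    "srv-02": {"password.min_length": 8, "password.complexity": True,
               "services.telnet": "running", "services.remote_registry": "disabled",
               "audit.logon_events": "success,failure", "firewall.enabled": True},
    "srv-03": {"password.min_length": 12, "password.complexity": False,
               "services.telnet": "disabled", "services.remote_registry": "automatic",
               "firewall.enabled": False},
}

def compliant(expected, actual):
    """A setting passes if it equals the expected value or is in the allowed set."""
    if isinstance(expected, (set, frozenset)):
        return actual in expected
    return actual == expected

def detect_drift(baseline, settings):
    """(setting, expected, actual) for every baseline item the host fails.

    A setting absent from the collected data is reported with actual=None;
    silence is not evidence of compliance.
    """
    drift = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if not compliant(expected, actual):
            drift.append((key, expected, actual))
    return drift

def drift_report(baseline, hosts):
    """Map host -> list of drifted settings."""
    return {host: detect_drift(baseline, settings) for host, settings in hosts.items()}

def summarize(report, baseline):
    """Per-host fraction of baseline items passed, and a drift count per setting."""
    total = len(baseline)
    per_host = {host: (total - len(drift)) / total for host, drift in report.items()}
    by_setting = Counter(key for drift in report.values() for key, _, _ in drift)
    return per_host, by_setting

if __name__ == "__main__":
    report = drift_report(BASELINE, CURRENT)
    per_host, by_setting = summarize(report, BASELINE)
    for host in sorted(report):
        print(f"{host}: {per_host[host]:.0%} compliant")
        for key, expected, actual in report[host]:
            print(f"    {key}: expected {expected!r}, found {actual!r}")
    print("most frequently drifted:", by_setting.most_common(3))
```

Run monthly (or more often) and diffed against the previous run, the `by_setting` counter is what tells you whether a drift is one admin’s mistake or a gap in the build image; the per-host ratio is the figure that belongs on the monthly report.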

Dave Eike

Shavlik Technologies


You Can’t Protect What You Don’t Know You Have…

One of the most important IT business practices that every company large and small should engage in is IT asset management. To ensure your various software and hardware assets are both visible, and measurable over their useful life – generally the use of automated tools to manage the discovery of these types of assets is very important. The ability to establish a complete and accurate picture of your current base of information technology assets not only will have an impact on your ability to properly support your current base of users, but it will also have a direct impact on your ability to identify and remediate any previously unidentified vulnerabilities.

One of the key steps that is necessary to take relative to the implementation of a good IT asset management methodology is the ability to define a measurable process to manage these assets from acquisition through final disposition. This process should include the following components:

Item 1 – Establish a clear set of policies around the acquisition and appropriate use of these types of assets. This process should include a means of tracking existing software and hardware assets, capturing, at a minimum, product name, version, and manufacturer. Additionally, this information can be used to proactively determine software license compliance – which should be measured annually.

Item 2 – Once the asset(s) (software or hardware) have been acquired, you’ll need to implement some form of automation to track their status – from their initial deployment to their disposition. Considering the frequency by which systems and applications change, this type of “best practice” will help optimize the use and performance of these assets throughout their useful life.

There was an excellent article published recently titled, “Back to Basics: 5 Things IT Could Do Better in 2010” – that does an excellent job touching on the importance of asset inventory management. The author and I agree – we both firmly believe that asset inventory management is an important security best practice.

http://www.technewsworld.com/story/Back-to-Basics-5-Things-IT-Could-Do-Better-in-2010-68662.html?wlc=1258469771

Other advantages that can be realized from a well thought out IT asset management program center around:

Help Desk / Support Reduction – The asset management information you are able to garner is invaluable in terms of diagnosing individual system problems, as well as minimizing end-user downtime. Help Desk or Client Support should have access to individual system details directly from whatever system you put into place – which will certainly help improve support levels via a more accurate diagnosis of the problem.

Risk Reduction – These days, with the sheer number of vulnerabilities on the rise, the ability to accurately assess your inventory of both software and hardware goes a long way towards helping you reduce risk. It’s very difficult to protect yourself from things that you’re unaware of…thus (again) the importance of good automation to assist with the process.

In summary…by better understanding the types of assets you currently manage, you’ll quickly realize a much greater level of efficiency, as well as reduce your potential for risk.
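The minimum record from Item 1 (product name, version, manufacturer) is enough to answer both the license question in this post and the iTunes question from the earlier post, “Apple iTunes – Addressing The Necessary Risk”: which hosts run software a Microsoft-only patch process will never touch, and whether it is at an approved version. The following is an added example of my own, not code from the blog or from Shavlik; the inventory rows, seat counts and minimum versions are all constructed placeholders, not vendor figures or advisories. Version strings are compared numerically component by component rather than as text, because "9.0.10" sorts before "9.0.3" as a string.

```python
from collections import Counter

# Constructed inventory records (host, manufacturer, product, version) as an
# agent or scanner would report them. Every value here is made up.
INVENTORY = [
    ("ws-101", "Microsoft", "Office", "12.0.6425"),
    ("ws-101", "Apple Inc.", "iTunes", "9.0.2.25"),
    ("ws-102", "Microsoft", "Office", "12.0.6425"),
    ("ws-102", "apple inc", "iTunes", "9.0.3.15"),
    ("ws-103", "Adobe Systems", "Reader", "9.2.0"),
    ("ws-103", "Apple Inc.", "iTunes", "9.0.1.8"),
    ("srv-01", "Microsoft", "SQL Server", "9.00.4035"),
]

# Constructed entitlements: licensed seat counts per product.
ENTITLEMENTS = {"Office": 1, "SQL Server": 2}

# Constructed policy: lowest version approved for non-Microsoft products.
# Placeholder numbers for the example, not vendor advisories.
MINIMUM_VERSIONS = {"iTunes": "9.0.3", "Reader": "9.2.0"}

def parse_version(text):
    """Turn '9.0.2.25' into (9, 0, 2, 25) so versions compare numerically."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_below(installed, minimum):
    """True if installed < minimum; the shorter tuple is padded with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def vendor_key(manufacturer):
    """Normalize vendor spellings ('Apple Inc.' vs 'apple inc') to one key."""
    return manufacturer.lower().replace(".", "").replace(",", "").strip()

def license_position(inventory, entitlements):
    """Installed vs licensed seats per entitled product; delta > 0 means under-licensed."""
    installed = Counter(product for _, _, product, _ in inventory)
    return {product: {"installed": installed.get(product, 0),
                      "licensed": licensed,
                      "delta": installed.get(product, 0) - licensed}
            for product, licensed in entitlements.items()}

def untracked_products(inventory, entitlements):
    """Products found on hosts that have no entitlement record at all."""
    return sorted({product for _, _, product, _ in inventory} - set(entitlements))

def below_minimum(inventory, minimums):
    """Hosts running a policy-covered product older than its approved minimum."""
    return [(host, product, version)
            for host, _, product, version in inventory
            if product in minimums and version_below(version, minimums[product])]

def non_microsoft_hosts(inventory):
    """Hosts carrying software a Microsoft-only patch process would not cover."""
    return sorted({host for host, vendor, _, _ in inventory
                   if vendor_key(vendor) != "microsoft"})

if __name__ == "__main__":
    for product, pos in license_position(INVENTORY, ENTITLEMENTS).items():
        print(f"{product}: {pos['installed']} installed, {pos['licensed']} licensed, delta {pos['delta']:+d}")
    print("no entitlement record:", untracked_products(INVENTORY, ENTITLEMENTS))
    print("below approved version:", below_minimum(INVENTORY, MINIMUM_VERSIONS))
    print("hosts with non-Microsoft software:", non_microsoft_hosts(INVENTORY))
```

With the constructed data, Office shows one more install than seats (under-licensed), SQL Server one fewer (over-spend), and two of the three iTunes installs fall below the approved version, which is the gap a WSUS-only process would never report.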

Dave Eike

Shavlik Technologies


Addressing The Vulnerabilities That Matter…

If you consider the subject of vulnerability management, which is quite broad – there are two specific areas that present the most likely potential for risk. They center around the ability to ensure that your various systems (be it servers or workstations) are properly patched and properly configured.

If you were to conduct a random vulnerability assessment of most any corporation these days, the mix of vulnerabilities that you would discover would be quite consistent. Based on research that is supported by the broader analyst community, and personal experience, what you should expect to discover (on average) is as follows: 50% of the vulnerabilities would be tied to systems that were poorly patched, 40% would be tied to systems that are poorly configured, and the remaining 10% would be tied to a set of medium grade vulnerabilities…that were more nuisance than anything else. So what does this tell us…well, it suggests that 90% of your potential for risk centers around either systems that are poorly patched or poorly configured. By injecting a set of well defined policies, process and automation into the mix…you can shield yourself from the vast majority of the critical vulnerabilities that could affect your environment.

So what should you do? Well the first thing you need to consider is the development of a good patch and configuration management methodology. This would include the following:

  • The development and implementation of a policy that is both enforceable and measurable.
  • You should also factor in some form of testing – to ensure that nothing breaks in the process prior to actual policy enforcement / remediation. This has become far easier to accomplish…especially with the advent of VMware.
  • You should also include an adequate level of automation. Look for technology that will help you establish a solid baseline – for both the patch and configuration posture you’re looking to maintain. This type of automation should provide you with the ability to accurately assess for risk (vulnerabilities), enforce (or remediate) any discovered vulnerabilities…as well as provide a means of measuring what you’ve established as policy.

There was a great example of this (specific to the patch management process) that was illustrated in a recent article written by Eric Schultze. The title of the article is “Structuring Patch Management in Seven Steps”. The link to the article is as follows:

http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1373373,00.html?track=NL-1108&ad=733390&asrc=EM_NLT_9811497&uid=4164928#

So to summarize…by applying the approach I outlined above, you’ll be well on your way towards limiting your risk!

Dave Eike
Shavlik Technologies


Measurable, Continuous Compliance

The subject of compliance as it pertains to information security continues to demand a great deal of attention…for some very obvious reasons. There is a big difference between compliance and security. To consider yourself compliant doesn’t necessarily mean you’re secure. Generally, compliance rituals such as assessments and audits are conducted either quarterly or annually, and the results of these “point-in-time” activities only offer a snapshot of your state of security at that time. So to assume that you’re secure because you passed an audit today that states you’re compliant, doesn’t equate to you being secure tomorrow. This is probably best illustrated by some of the very well publicized breaches that took place over the last couple of years – like Heartland, ChoicePoint and TJX, just to name a few. Each of these notable entities thought they were compliant, and thus secure…boy were they wrong, and they are still recovering from the damage.

More often than not, compliance (specific to information security) is viewed as a project, not as an ongoing, strategic business requirement. Herein lies the problem, but more importantly, the opportunity. The key is to make compliance activities part of the normal course of business operations:

If you consider the subject of risk management as it pertains to compliance, many companies today who have compliance requirements are faced with the monumental task of establishing and maintaining a compliant state.

For many, compliance is:

  • A semi-automatic task at best, that leverages a basic policy structure, with the absence of any form of automated remediation to address any risks once discovered. This method is both expensive, and time consuming, and certainly puts any company faced with addressing compliance requirements in this manner at risk.
  • For those that are more fortunate – a quarterly process may exist, that may leverage some form of best practice based policy structure, as well as some measure of remediation and reporting. This approach is much improved vs. the semi-automatic method…however, there are still gaps. Without a more “real-time” approach, the gaps in time between each quarterly assessment could pose a significant potential for risk. Even with a positive audit result, with the ever increasing number of threats companies are being exposed to these days, even greater vigilance is required.
  • The best approach is what I would categorize as “continuous compliance”. This approach is one fully supported by management, and measured like any other critical business operational requirement.

To achieve this, the following approach should be taken…

Establish a measurable set of security policies (controls) that are standards based, and well recognized. Examples of these can be found via ISO, NIST, ITIL, etc. Additionally, these established controls should be measured monthly – or weekly if possible…thus leaving no stone unturned! It’s also important that you apply the appropriate level of automation to the process, to ensure that assessment, decisioning, remediation and reporting are completely automated.

The impact to the business by adopting some form of measurable, repeatable means of ensuring compliance will not only save you money, but drastically reduce your potential for risk. I can assure you…it will be money well spent.
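The argument in this post, that a passed audit says nothing about tomorrow, can be put in numbers. The following is an added example of mine, not from the post or from Shavlik: it assumes a control silently drifts out of compliance on some day, is only noticed at the next scheduled assessment, and is fixed some number of days after that (zero days when remediation is automated). Summing the open windows over a year for quarterly-plus-manual-fix versus weekly-plus-automated cadences shows how much of the "compliant" year a control can actually spend broken. The drift days and schedules are constructed illustrations, not measurements.

```python
import math

# Constructed: days (within a 365-day year) on which some control silently
# drifted out of compliance, e.g. a service re-enabled or a patch rolled back.
DRIFT_EVENTS = [10, 40, 100, 200, 300]

# Constructed cadences: (assessment interval in days, days from detection to fix).
SCHEDULES = {
    "annual audit, manual fix": (365, 30),
    "quarterly assessment, manual fix": (90, 14),
    "monthly, automated remediation": (30, 0),
    "weekly, automated remediation": (7, 0),
}

def detection_day(drift_day, interval):
    """First scheduled assessment on or after the drift; assessments run on
    days 0, interval, 2*interval, ... so a drift just after one waits a full cycle."""
    return math.ceil(drift_day / interval) * interval

def exposure_windows(drift_days, interval, remediation_lag=0, horizon=365):
    """For each drift: the day it is found, the day it is fixed, and how many
    days the gap stayed open, counting only days inside the horizon."""
    windows = []
    for drift in drift_days:
        found = detection_day(drift, interval)
        fixed = min(found + remediation_lag, horizon)
        windows.append({"drift": drift, "found": found, "fixed": fixed,
                        "exposure": max(fixed - drift, 0)})
    return windows

def total_exposure(drift_days, interval, remediation_lag=0, horizon=365):
    """Total control-days spent non-compliant under one cadence."""
    return sum(w["exposure"] for w in exposure_windows(drift_days, interval, remediation_lag, horizon))

def compare(drift_days, schedules, horizon=365):
    """Total exposure for each named cadence."""
    return {name: total_exposure(drift_days, interval, lag, horizon)
            for name, (interval, lag) in schedules.items()}

if __name__ == "__main__":
    for name, days in compare(DRIFT_EVENTS, SCHEDULES).items():
        print(f"{name:36} {days:4d} control-days exposed ({days / 365:.0%} of the year)")
```

The gap in the weekly case is bounded by the interval itself, while in the quarterly case a drift the day after an assessment stays open for the rest of the quarter plus the manual fix time, which is the "point-in-time snapshot" problem stated above in days rather than adjectives.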

Dave Eike
Shavlik Technologies
