- Changes that we accept
- Changes that are good
- Changes that are bad
- An easily understood series of steps. A recipe. A playbook. Call it what you want, but it needs to be repeatable and not overly complicated. Make sure to build in an emergency break/fix plan, as well.
- An effective system of record that is accessible. Something automated is preferable, but again, a spreadsheet on a SharePoint server is better than nothing at all. It also certainly beats shouting across the cubicles: “HEY, I’M ABOUT TO MAKE SOME CHANGES TO THAT SERVER!”
- Identify who the stakeholders are. There should be a mix of technical and non-technical folks involved who have a vested interest in the process. Segregation of duties will be a key component here. The folks making the changes should not be the ones approving them.
- Reporting is a huge issue. Not just deep detailed byte-level changes, mind you. No business unit owner will understand that. This is why service-level reporting is also critical. If three servers and a database make up a critical application, have reporting that allows you to drill down to the individual servers but present higher-level reports around the service itself to which the business owner can relate.
- Methods to detect changes and map them back to the process. Auditors love automation. Anything that saves time and lowers the chance of mistakes. This is usually why scripts and/or relying on logging to detect changes do not scale well beyond a few servers. Purpose-built applications that integrate directly with your change process software reduce the opportunity for errors.
- Understand that authorized change is not necessarily good change. Just because an employee has an authorized change request to install and enable telnet on a server doesn’t make it a good change. You might as well plug the server into the wall at the local Starbucks with the password taped to the monitor.
Tripwire Enterprise

This is where Tripwire comes in. Tripwire Enterprise (TE) gives you the visibility you need to track all file changes so that you know exactly where, when, and how all changes occur. As you go through your change management reconciliation process, you may discover files that you’re not familiar with and whose behavior you therefore don’t understand. Now you can extend TE’s capabilities even further and reap the benefits of advanced file analysis to learn the behavior of files and executables using Tripwire File Analyzer.

https://www.youtube.com/watch?v=s2UZs6rljpQ
Tripwire File Analyzer

When a new file or executable appears on the systems monitored with Tripwire Enterprise, Tripwire File Analyzer can immediately inspect it to identify its behavior and assign it a score from 1–100, flagging it as benign, nuisance or malicious. It analyzes several common file types, including:
- File hashes
- Libraries loaded
- I/O: Console I/O, Device I/O
- File system activity
- Registry activity
- Process interactions and operations
- Network activity
- Threat potential
Key Benefits of Tripwire File Analyzer

As an integration for Tripwire Enterprise, Tripwire File Analyzer supplements TE’s core file integrity monitoring (FIM), security configuration management (SCM), and foundational controls enforcement. Get detailed behavioral reports on files and executables in minutes straight from your Tripwire Enterprise console. Tripwire File Analyzer:
- Keeps environments safe using a quarantined sandbox area for analysis
- Offers behavioral visibility into files and executables across all monitored systems
- Supports all of the same platforms as Tripwire Enterprise
- Automates time-consuming manual file and executable analysis efforts
- Delivers immediate notifications within the Tripwire Enterprise console