Despite his one-time appearance in the film The Prestige as Nikola Tesla, it’s unlikely David Bowie spent much of his time studying up on the challenges of technology. Still, he seemed to know what he was talking about when the glam rock and fashion icon encouraged us to “Turn and Face the Strange, Ch-Ch-Changes.” Bowie would fully understand that all data breaches or malware vectors are tied to changes. Facing those changes with a proper change control implementation has become so crucial for that very reason: Any change that slips by the team could introduce a malware disaster.
Gartner reports that 85 percent of all problems faced by IT teams, whether they’re operational or security, are often tracked to some form of change. They likewise predict that 90 percent of security breaches could have been detected with an effective change and configuration management process. Given that the average Mean Time to Detect (MTTD) a data breach runs about 190 days after infiltration, the longer a firm goes without a fully-implemented change control process, the more likely they are to suffer a devastating breach or even a ransomware attack. To properly implement change control, companies must start by understanding it.
This technology lets security teams identify changes in any environment so that any changes that represent a threat or open software up to a vulnerability are correctly identified as such. Unlike “change management,” which focuses on a given company’s process in introducing change, in change control security teams understand what those changes are and their effect on the software environment.
Consider a zero-day attack, which by its nature can bypass whitelists and firewalls. The malware may go undetected, but the underlying changes to existing functions which enable that malware must occur. Change management helps firms avoid unexpected changes, but it’s in the realm of change control that they can determine those unexpected changes and deal with them.
We can identify these changes in four essential types:
- Approved Good: Brought on by operational activities and are typically used to improve upon any existing IT changes, such as new user accounts and configuration alterations.
- Approved Bad: Often linked to a legitimate change, but have a crucial flaw introducing some sort of error or vulnerability. Though they lack malicious intent, it’s important to spot these changes to maintain a secure environment.
- Unexpected Harmless: Unplanned changes that have no negative effect. Though harmless, it’s critical to ensure that these changes are accounted for to potentially spot rogue behavior and Change Noise (alert overload).
- Unexpected Bad: Scary changes, the ones that security teams can’t correlate with any internal action. It’s often that the first sign in indicating a compromise and spotting these changes as early as possible can avert or minimizing disaster.
Effective change control analyzes all changes, discerning between those that were harmless and ideally approved and those that were neither approved nor harmless. There are a few critical integrations an effective solution should leverage. Security teams should integrate data from change management into the change control solution. They need to empower that solution with analysis and Threat Intelligence to learn the patterns and behaviors of good changes, so that the team can reduce “change noise” and they can assess unexpected changes and assigned risk context.
Once detecting those risk-associated changes, an effective technology should offer remediation, using that risk context to help operations teams prioritize in the remediation process. Leveraging intelligent change control products and processes will better protect organizations from a breach, and also help spot potential breaches and contribute to enhanced IT operations.
Mark Kerrison, chief executive officer, New Net Technologies