Using Network Behavior Analysis (NBA) and Service Asset and Configuration Management (SACM) to Improve Management Information
February 5, 2008, 2:00pm EDT, 11:00am PDT
George Spafford, Principal Consultant, Pepperweed Consulting, LLC
“Optimizing The Business Value of IT” www.pepperweed.com

Presentation Transcript


  1. Using Network Behavior Analysis (NBA) and Service Asset and Configuration Management (SACM) to Improve Management Information
     February 5, 2008, 2:00pm EDT, 11:00am PDT
     George Spafford, Principal Consultant, Pepperweed Consulting, LLC
     “Optimizing The Business Value of IT” www.pepperweed.com

  2. Housekeeping
     • Submitting questions to the speaker
       • Submit a question at any time by using the “Ask a question” section located on the lower left-hand side of your console.
       • Questions about presentation content will be answered during the 10 minute Q&A session at the end of the webcast.
     • Technical difficulties?
       • Click on the “Help” button
       • Use the “Ask a question” interface

  3. Main Presentation

  4. Agenda
     • An Overview of Service Asset and Configuration Management
     • An Overview of Network Behavior Analysis
     • How we can leverage the two areas for the betterment of the organization

  5. ITIL v3
     • ITIL v3 was released on May 30, 2007
     • The core principles are the same as v2
     • Five core books (11.4 pounds!) arranged as a lifecycle
       • Service Strategy
         • Value nets, adaptive strategies, managing uncertainty, strategy selection
       • Service Design
         • Policies, architecture, models, outsourcing
       • Service Transition
         • Transition Planning and Support
         • Change Management
         • Service Asset and Configuration Management
         • Release and Deployment Management
         • Service Validation and Testing
         • Evaluation
         • Knowledge Management
       • Service Operation
         • Incident and Problem Management, alerting, new functions
       • Continuous Service Improvement
         • Business cases, Portfolio Alignment, Metric selection

  6. An Overview of SACM
     • “Manages assets in order to support other Service Management processes.”
     • Service Asset = Capabilities + Resources (i.e. assets)
       • Asset types include management, organization, processes, knowledge, applications, infrastructure, etc.
     • Configuration Management delivers a logical view of the world
       • Relationships between configuration items (CIs)
       • Details about each CI
     • Concerned with the management of service assets and the relationships of the configuration items (CIs) in them
     • Tracking and reporting on assets
     • Manage and protect the integrity of service assets and CIs
       • Ensure that only authorized components are used
       • Ensure that only authorized changes are made

  7. Categories of CIs
     • Think of these as relational data tables
     • Service Lifecycle CIs
       • Business case, service lifecycle plans, etc.
     • Service CIs
       • Service Capability Assets: people, knowledge, processes
       • Service Resource Assets: systems, applications, data
     • Organization CIs
       • Elements about the organization that must be shared
       • Strategic plan, corporate policies, regulatory requirements, etc.
     • Internal CIs
       • Hardware, software, and facilities
     • External CIs
       • Customer agreements, vendor agreements
     • Interface CIs
       • Service provider interfaces (SPIs)

  8. CI Attributes
     • Think of these as data fields
     • What do you need to know about each CI to manage it?
       • Parent CI relationships
       • Child CI relationships
       • Make
       • Model
       • Processor
       • OS (which could be a CI)
       • Memory
       • IP Port Requirements

  9. SACM and the CMS
     • Provides information to other processes and functions
       • Change, Release and Deployment, Incident, Problem, etc.
       • SACM is an enabler for these processes
       • Accurate data is critical
     • Data is stored in the Configuration Management System (CMS)
       • We used to discuss the configuration management database (CMDB)
       • Federated CMDBs make up a CMS

  10. Configuration Management System

  11. SACM Problems
     • Chant “meaningful and manageable” over and over
       • Can generate a ton of useless data that costs more to collect and maintain than it is worth
       • Don’t track because you can; track because there is real value
       • Likely that 20% of the data will create 80% of the value
     • SACM can be a six month project that turns into a two year project with no results
       • Start simple and learn
     • Sustaining efforts
       • Launching the project to design the process is one thing
       • The organization must then live with the design
     • Configuration drift
       • Production no longer matches the CMS
       • Why? Uncontrolled / unauthorized change
       • We need detective controls to detect changes

  12. An Overview of Network Behavior Analysis
     • Evolved from looking for signatures at the firewall, IDS, and security event management
       • Weakness – signatures only turn up known problems
     • NBA tools monitor network activity and look for abnormal activity based on baselines and heuristics
     • Monitor things such as
       • Communications between network nodes
       • Who the actual users are
       • Frequency of communication
       • What are servers and what are clients
       • What protocols and ports are being used
       • Network traffic levels
       • Behaviors based on day and time of day
     • Combines data collection, analytics and meaningful presentation
       • Need to find the needle in the haystack
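As an added example (not from the presentation or any NBA product), the Python below sketches the baseline-and-deviation idea of slide 12: it learns the normal traffic level per server, port and hour of day plus the set of client/server relationships from constructed flow summaries, then flags a new day's flows that are new relationships, fall outside the hours ever seen, or deviate from the learned level by more than k median absolute deviations. All hosts, ports and byte counts are constructed.

```python
# Minimal NBA baseline on constructed flow summaries. Added example, not a real
# tool: learns level-by-hour and client->server:port relationships, then detects.
from collections import defaultdict
from statistics import median

# Constructed hourly flow summaries: (day, hour, client, server, port, bytes).
BASELINE_FLOWS = [
    (d, h, "10.1.0.5", "10.2.0.10", 443, 900_000 + 10_000 * (h % 3) + 1_000 * d)
    for d in range(1, 8) for h in range(24)
] + [
    (d, h, "10.1.0.5", "10.2.0.20", 3306, 50_000 + 500 * d)
    for d in range(1, 8) for h in range(8, 18)  # DB traffic only in business hours
]

def learn_baseline(flows):
    """Return ({(server, port, hour): (median, mad)}, {(client, server, port)})."""
    per_key, pairs = defaultdict(list), set()
    for _, hour, client, server, port, nbytes in flows:
        per_key[(server, port, hour)].append(nbytes)
        pairs.add((client, server, port))
    levels = {}
    for key, values in per_key.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero scale
        levels[key] = (med, mad)
    return levels, pairs

def detect(flows, levels, pairs, k=6.0):
    """Flag unseen relationships, traffic at unseen hours, and levels > k MADs off."""
    findings = []
    for _, hour, client, server, port, nbytes in flows:
        if (client, server, port) not in pairs:
            findings.append(("new-relationship", client, server, port, hour))
        elif (server, port, hour) not in levels:
            findings.append(("off-hours", client, server, port, hour))
        else:
            med, mad = levels[(server, port, hour)]
            if abs(nbytes - med) > k * mad:
                findings.append(("level-deviation", client, server, port, hour))
    return findings

# Constructed observations for day 8 (one normal, three anomalous).
NEW_DAY = [
    (8, 10, "10.1.0.5", "10.2.0.10", 443, 900_000 + 10_000 * (10 % 3) + 8_000),
    (8, 14, "10.1.0.5", "10.2.0.10", 443, 5_000_000),   # ~5x the usual level
    (8, 2, "10.1.0.5", "10.2.0.20", 3306, 52_000),       # DB traffic at 02:00
    (8, 9, "10.1.0.99", "10.2.0.20", 3306, 52_000),      # client never seen before
]
```

Calling `detect(NEW_DAY, *learn_baseline(BASELINE_FLOWS))` yields one level-deviation, one off-hours and one new-relationship finding; each is an input for Event Management to route, not a verdict on its own.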

  13. NBA is a Detective Control
     • Controls mitigate risks
     • Three broad categories of controls
       • Preventive
         • Policies
         • Procedures
         • Look and sound great, but how do you know people are following them?
       • Detective
         • Review data about historical events and look for a condition
         • Can be used to confirm that people are following policies and procedures
         • Can be used to detect unauthorized activity in general
       • Corrective
         • Return the CI to its last known good state

  14. Defense in Depth
     • Think of the rings of walls in a castle. More walls equate to an overall better defensive posture
     • We need preventive controls
     • We need detective controls
       • Configuration integrity management – change detection at the device level
       • NBA – last line of defense because it’s based on behavior

  15. NBA can benefit security, compliance and operations
     • NBA’s roots are in security, but with proper integration other process areas can benefit.
     • Consider the benefits of understanding:
       • Changes in behavior due to changes
       • End-User Experience
       • Actual dependencies
       • Unauthorized services
       • Configuration errors
       • Misuse of services
       • Security incidents

  16. Leveraging the Two Disciplines

  17. Service Transition – Change Management
     • Concerned with managing the risk of making a change
       • A balancing act between the risk of making and the risk of not making a given change
     • Steps include: recognition of need, record the request, review, authorize, plan, schedule the implementation
     • Change Mgt is responsible for ensuring the CMS is updated accordingly
     • From SACM and the CMS we know what changes were authorized
       • How do we know about changes when people do not follow the process?
       • Problems with Change Management are SACM’s Achilles' heel
     • NBA allows us to identify that something has changed:
       • Network behavior
       • Application behavior
       • User behavior

  18. Must Understand What Changed
     • Authorized Person, Authorized Change
     • Authorized Person, Unauthorized Change
       • Well-intentioned
       • Malicious (a security event)
       • Erroneous
     • Unauthorized Person, Unauthorized Change – a security event
     • The only valid level of unauthorized change is zero
     • Vital that other processes
       • Have reliable, accurate data from SACM
       • Understand whether there are changes that can’t be reconciled, and what has changed
     • NBA serves as a last defense

  19. Service Transition – Release & Deployment Management
     • Need to ensure that there is proper requirements definition, testing and deployment of releases into production
     • Can review historical activity to improve rollout planning
     • Can confirm production releases match tested releases
       • Can profile and fingerprint releases
       • Could highlight tampering or errors with the deployment into production

  20. Service Transition – Service Validation & Testing Releases
     • Can identify in testing whether behaviors meet standards
       • Only authorized ports are used
       • No connection to certain hosts
     • A better understanding of the impacts of new or changed services based on historic observed user behaviors
     • Can also determine whether actual behaviors = expected behaviors
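Slides 8, 11, 17, 18 and 20 together describe the other half of the picture: checking what NBA observes against what SACM says is authorized. The Python below is an added example (not from the presentation or any CMDB product) that reconciles constructed flow observations against a constructed CMS whose CIs carry the “IP Port Requirements” and child-relationship attributes of slide 8, together with a constructed list of changes approved by Change Management, and labels each discrepancy along the lines of slide 18. The CI names, addresses, ports and RFC list are all constructed.

```python
# Reconcile NBA-observed flows against SACM/CMS records. Added example; CMS, RFC
# list and flows are constructed, not taken from any real product.
from dataclasses import dataclass, field

@dataclass
class CI:
    name: str
    ip: str
    ports: set                                   # "IP Port Requirements" attribute
    children: set = field(default_factory=set)   # child CIs this CI may depend on

# Constructed CMS: two server CIs and one recorded relationship (web01 -> db01).
CMS = {
    "10.2.0.10": CI("web01", "10.2.0.10", {443}, children={"db01"}),
    "10.2.0.20": CI("db01", "10.2.0.20", {3306}),
}
# Constructed Change Management records: (server ip, port) approved by an RFC.
AUTHORIZED_CHANGES = {("10.2.0.10", 8443)}
PROHIBITED_HOSTS = {"203.0.113.7"}   # "no connection to certain hosts" criterion

def reconcile(observed):
    """For each (client_ip, server_ip, port) NBA saw, return (kind, client, server, port)
    for every flow the CMS and the authorized-change list cannot explain."""
    findings = []
    for client, server, port in observed:
        if client in PROHIBITED_HOSTS or server in PROHIBITED_HOSTS:
            findings.append(("prohibited-host", client, server, port))
            continue
        srv = CMS.get(server)
        if srv is None:                          # server nobody recorded as a CI
            findings.append(("unknown-ci", client, server, port))
            continue
        if port not in srv.ports:                # authorized RFC: CMS is stale;
            kind = ("authorized-change-cms-stale" if (server, port) in AUTHORIZED_CHANGES
                    else "unauthorized-change")  # no RFC: configuration drift
            findings.append((kind, client, server, port))
            continue
        cli = CMS.get(client)                    # internal CI talking to a CI it has
        if cli is not None and srv.name not in cli.children:   # no recorded link to
            findings.append(("unrecorded-relationship", client, server, port))
    return findings

OBSERVED = [  # constructed NBA observations: (client, server, port)
    ("10.1.0.5", "10.2.0.10", 443),     # user -> web01: matches the CMS
    ("10.2.0.10", "10.2.0.20", 3306),   # web01 -> db01: recorded relationship
    ("10.1.0.5", "10.2.0.10", 8443),    # new port covered by an approved RFC
    ("10.1.0.5", "10.2.0.20", 22),      # db01 listening on 22 with no RFC at all
    ("10.2.0.20", "10.2.0.10", 443),    # db01 -> web01: dependency the CMS lacks
    ("10.2.0.10", "10.2.0.99", 9200),   # server not in the CMS
    ("10.2.0.10", "203.0.113.7", 443),  # connection to a prohibited host
]
```

`reconcile(OBSERVED)` returns five findings; the first two flows are explained by the CMS and produce none, and the “authorized-change-cms-stale” case is the one that tells Change Management the CMS has not been updated for an approved change.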

  21. Service Operation – Event Management
     • Event Management is concerned with interpreting the monitored data and taking an appropriate action
     • Outputs from NBA are routed appropriately by Event Management
       • Rejection
       • Manual Review
       • Automatic Processing
         • Create an Incident
         • Create a Problem
         • Trigger a standard change

  22. Service Operation – Incident and Problem Management
     • The first triage question to ask should always be “What changed?”
       • 80% of MTTR is spent trying to answer/determine “What changed?”
     • Need to arm the resolution processes with detected change information
       • Understand how current behavior differs from normal behavior
       • Understand if a change happened and where
       • If a change is not detected, then rule change out

  23. Continuous Service Improvement
     • Review NBA and SACM data to determine potential service improvement opportunities
     • We can use NBA to understand and improve the user experience of IT services
     • Capacity planning for services and component CIs, including networks, servers and other devices
       • Usage patterns and potential demand management
       • Server consolidation
     • IT Service Continuity Management

  24. Key Points
     • SACM gives us a logical view of the world with relationships
       • Integrity of its data is vital
     • NBA is a control that can help us
       • Understand behavior in production and testing
       • Better plan projects – consolidation, DR/BCP, etc.
       • Confirm relationships between CIs
       • Detect configuration errors
       • Detect unauthorized changes
       • Drive down MTTR by better understanding what changed
     • Overall, we can use NBA to help ensure that we have accurate data to share with other process areas

  25. Thank you for the privilege of facilitating this webcast
     George Spafford
     George.Spafford@Pepperweed.com
     http://www.pepperweed.com

  26. Questions?

  27. If you have any further questions, e-mail webcasts@jupitermedia.com
     For future ITSM Watch Webcasts, visit www.jupiterwebcasts.com/itsm
     Thank you again for attending