Ed Welsh, Director, Security & Compliance

Change Management: Identifying Unauthorized Changes - Part 3 of 3

Posted by Ed Welsh, Director, Security & Compliance on August 21, 2009 10:22 AM

In my three-part discussion on change management, I've covered its importance as a formalized strategy, and how to deal with security event volume. This last section will briefly touch on the role of change management in identifying unauthorized change.

The value of this capability for risk control is very high. A single file change without a corresponding change authorization can highlight troubling issues and trigger follow-up activity to address them.

Scenarios that generate unauthorized change events are numerous.  Is it a policy breach where someone neglected change management? Then education is applied. Has an attacker modified a vulnerable web site? Then an incident response plan is engaged and protection put in place.

The same model works for other security software, as well. Intrusion detection systems (IDS) are notorious for being event generators. Being able to match IDS events to a recent change drastically reduces the investigation time.  An example could be the installation of a new product that includes a browser "help" bar, which is also spyware. This example would generate both IDS and anti-spyware alerts, both of which would be matched back to the approved installation of new software. The administrator working the event can use this information to directly address the issue.
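The matching described above can be sketched in a few lines. This is an added example, not code from the original post; the ticket and event fields, the host name, the paths and the ticket ID are all constructed assumptions, and it assumes each alert carries the host and file path it relates to.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Ticket:            # one approved change (hypothetical schema)
    ticket_id: str
    host: str
    path: str            # directory or file the change may touch
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Event:             # file-integrity, IDS or anti-spyware alert
    source: str
    host: str
    path: str
    when: datetime

def covering_ticket(event, tickets):
    """Return the approved ticket that explains this event, or None."""
    for t in tickets:
        root = t.path.rstrip("/")
        # Match whole path components so /opt/helpbar does not cover /opt/helpbar2.
        in_scope = event.path == root or event.path.startswith(root + "/")
        if t.host == event.host and in_scope and t.start <= event.when <= t.end:
            return t
    return None

def triage(events, tickets):
    """Split events into (event, ticket_id) matches and unexplained events."""
    matched, unauthorized = [], []
    for e in events:
        t = covering_ticket(e, tickets)
        if t:
            matched.append((e, t.ticket_id))
        else:
            unauthorized.append(e)
    return matched, unauthorized

# Constructed sample data: one approved software install and five alerts.
TICKETS = [Ticket("CHG-0001", "web01", "/opt/helpbar",
                  datetime(2009, 8, 20, 22, 0), datetime(2009, 8, 20, 23, 0))]
EVENTS = [
    Event("fim", "web01", "/opt/helpbar/bin/helpbar.dll", datetime(2009, 8, 20, 22, 10)),
    Event("ids", "web01", "/opt/helpbar/bin/helpbar.dll", datetime(2009, 8, 20, 22, 15)),
    Event("fim", "web01", "/opt/helpbar/bin/helpbar.dll", datetime(2009, 8, 20, 23, 30)),
    Event("fim", "web01", "/opt/helpbar2/update.bin", datetime(2009, 8, 20, 22, 20)),
    Event("fim", "web01", "/var/www/index.html", datetime(2009, 8, 21, 3, 12)),
]
MATCHED, UNAUTHORIZED = triage(EVENTS, TICKETS)
```

The two alerts inside the approved window and path are tied back to the ticket; the change after the window closed, the look-alike directory and the web root modification are left as unauthorized changes to investigate.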

Change management is classically an operational tool for preventing system outage. It should also be well-respected by the savvy security professional as another tool for reducing risk and acting as a force multiplier.

Further Reading

Change Management: A Hidden Security Tool - Part 1 of 3
Change Management: Event Volume - Part 2 of 3
