© 2007 Jupitermedia Corporation

Using Network Behavior Analysis (NBA) and Service Asset and Configuration Management (SACM) to Improve Management Information

February 5, 2008 2:00pm EDT, 11:00am PDT

George Spafford, Principal Consultant
Pepperweed Consulting, LLC
“Optimizing The Business Value of IT”
www.pepperweed.com

Housekeeping

• Submitting questions to speaker
  – Submit question at any time by using the “Ask a question” section located on lower left-hand side of your console.
  – Questions about presentation content will be answered during 10 minute Q&A session at end of webcast.
• Technical difficulties?
  – Click on “Help” button
  – Use “Ask a question” interface

Main Presentation

Agenda

• An Overview of Service Asset and Configuration Management
• An Overview of Network Behavior Analysis
• How we can leverage the two areas for the betterment of the organization

ITIL v3

• ITIL v3 was released on May 30, 2007
• The core principles are the same as v2
• Five core books (11.4 pounds!) arranged as a lifecycle
  – Service Strategy
    • Value nets, adaptive strategies, managing uncertainty, strategy selection
  – Service Design
    • Policies, architecture, models, outsourcing
  – Service Transition
    • Transition Planning and Support
    • Change Management
    • Service Asset and Configuration Management
    • Release and Deployment Management
    • Service Validation and Testing
    • Evaluation
    • Knowledge Management
  – Service Operation
    • Incident and Problem Management, alerting, new functions
  – Continuous Service Improvement
    • Business cases, Portfolio Alignment, Metric selection

[Figure labels: Continuous Service Improvement, Service Strategy, Service Transition, Service Design, Service Operation]

An Overview of SACM

• “Manages assets in order to support other Service Management processes.”
• Service Asset = Capabilities + Resources (i.e. assets)
  – Asset types include management, organization, processes, knowledge, applications, infrastructure, etc.
• Configuration Management delivers a logical view of the world
  – Relationships between configuration items (CIs)
  – Details about each CI
• Concerned with the management of service assets and the relationship of configuration items (CIs) in them
  – Track and report on assets
  – Manage and protect the integrity of service assets and CIs
    • Ensure that only authorized components are used
    • Only authorized changes are made

Categories of CIs

• Think of these as relational data tables
• Service Lifecycle CIs
  – Business case, service lifecycle plans, etc.
• Service CIs
  – Service Capability Assets: People, knowledge, processes
  – Service Resource Assets: Systems, applications, data
• Organization CIs
  – Elements about the organization that must be shared
  – Strategic plan, corporate policies, regulatory requirements, etc.
• Internal CIs
  – Hardware, software, and facilities
• External CIs
  – Customer agreements, vendor agreements
• Interface CIs
  – Service provider interfaces (SPIs)

CI Attributes

• Think of these as data fields
  – What do you need to know about each CI to manage it?
• Parent CI relationships
• Child CI relationships
• Make
• Model
• Processor
• OS (which could be a CI)
• Memory
• IP Port Requirements

SACM and the CMS

• Provides information to other processes and functions
  – Change, Release and Deployment, Incident, Problem, etc.
  – SACM is an enabler for these processes
  – Accurate data is critical
• Data stored in Configuration Management System (CMS)
  – We used to discuss the configuration management database (CMDB)
  – Federated CMDBs make up a CMS

Configuration Management System

[Figure: Configuration Management System, drawn as four layers: Presentation Layer (portal with Change & Release, Asset Mgt, Config Lifecycle, Technical Config, Quality Mgt and Service Desk views), Knowledge Processing Layer, Information Integration Layer, and Data and Information Sources and Tools.]

Adapted from CMS graphic in the ITIL Service Transition Volume, page 68.

SACM Problems

• Chant “meaningful and manageable” over and over
  – Can generate a ton of useless data that costs more to collect and maintain than what it is worth
  – Don’t track because you can, track because there is real value
• Likely that 20% of the data will create 80% of the value
  – SACM can be a six month project that turns into a two year project with no results
  – Start simple and learn
• Sustaining efforts
  – Launching the project to design the process is one thing
  – The organization must then live with the design
• Configuration drift
  – Production no longer matches the CMS
  – Why? Uncontrolled / unauthorized change
  – We need detective controls to detect changes

An Overview of Network Behavior Analysis

• Evolved from looking for signatures at the firewall, IDS, and security event management
  – Weakness - Signatures only turn up known problems
• NBA tools monitor network activity and look for abnormal activity based on baselines and heuristics
• Monitor things such as
  – Communications between network nodes
  – Who the actual users are
  – Frequency of communication
  – What are servers and what are clients
  – What protocols and ports are being used
  – Network Traffic levels
  – Behaviors based on day and time of day
• Combines data collection, analytics and meaningful presentation
  – Need to find the needle in the haystack
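
An added example, not part of the original slides: a minimal baseline check of the kind this slide describes, keyed on who talks to whom, on which port, and at what hour of day. The flow records, addresses, the median/MAD deviation test and its threshold are assumptions chosen for illustration; the slides do not name a specific algorithm.

```python
from collections import defaultdict
from statistics import median

# Constructed history: (hour, client, server, port, flows) for five business days.
HISTORY = [(9, "10.0.1.15", "10.0.2.20", 443, n) for n in (40, 42, 38, 41, 39)]
HISTORY += [(14, "10.0.1.15", "10.0.2.20", 443, n) for n in (22, 25, 21, 24, 23)]

def build_baseline(history):
    """Group past flow counts by (client, server, port, hour of day)."""
    baseline = defaultdict(list)
    for hour, client, server, port, flows in history:
        baseline[(client, server, port, hour)].append(flows)
    return dict(baseline)

def assess(baseline, observation, threshold=5.0):
    """Return None for normal behaviour, otherwise the reason it stands out."""
    hour, client, server, port, flows = observation
    key = (client, server, port, hour)
    seen = baseline.get(key)
    if seen is None:
        # Is the same conversation known at other hours, or never seen at all?
        if any(k[:3] == key[:3] for k in baseline):
            return "known conversation at an unusual hour"
        return "new conversation"
    med = median(seen)
    # Median absolute deviation; the 1.0 floor avoids dividing by zero (assumption).
    mad = median(abs(x - med) for x in seen) or 1.0
    if abs(flows - med) / mad > threshold:
        return "traffic level deviates from baseline"
    return None

BASELINE = build_baseline(HISTORY)
```
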

NBA is a Detective Control

• Controls mitigate risks
• Three broad categories of controls
• Preventive
  – Policies
  – Procedures
  – Look and sound great but how do you know people are following them?
• Detective
  – Review data about historical events and look for a condition
  – Can be used to confirm that people are following policies and procedures
  – Can be used to detect unauthorized activity in general
• Corrective
  – Return the CI to its last known good state

Defense in Depth

• Think of the rings of walls in a castle. More walls equate to an overall better defensive posture
• We need preventive controls
• We need detective controls
• Configuration integrity management – change detection at the device level
• NBA – last line of defense because it’s based on behavior

[Figure labels: Policies & Procedures, Integrity Management, NBA]

NBA can benefit security, compliance and operations

• NBA’s roots are in security but with proper integration, other process areas can benefit.
• Consider the benefits of understanding:
  – Changes in behavior due to changes
  – End-User Experience
  – Actual dependencies
  – Unauthorized services
  – Configuration errors
  – Misuse of services
  – Security incidents

[Figure labels: Operations, Compliance, Security]

Leveraging the Two Disciplines

Service Transition - Change Management

• Concerned with managing the risk of making a change
• A balancing act between the risk of making and not making a given change
• Steps include: Recognition of need, record the request, review, authorize, plan, schedule the implementation
• Change Mgt is responsible to ensure the CMS is updated accordingly
• From SACM and the CMS we know what changes were authorized
• How do we know about changes when people do not follow the process?
  – Problems with Change Management are SACM’s Achilles' Heel
• NBA allows us to identify that something has changed:
  – Network behavior
  – Application behavior
  – User behavior

Must Understand What Changed

• Authorized Person, Authorized Change
• Authorized Person, Unauthorized Change
  – Well intentioned
  – Malicious (a security event)
  – Erroneous
• Unauthorized Person, Unauthorized Change – A security event
• The only valid level of unauthorized change is zero
• Vital that other processes
  – Have reliable accurate data from SACM
  – Understand if there are changes that can’t be reconciled and what has changed
• NBA serves as a last defense

Service Transition – Release & Deployment Management

• Need to ensure that there is proper requirements definition, testing and deployment of releases into production

• Can review historical activity to improve rollout planning

• Can confirm production releases match tested releases
  – Can profile and fingerprint releases
  – Could highlight tampering or errors with the deployment into production

Service Transition – Service Validation & Testing Releases

• Can identify in testing if behaviors meet standards
  – Only authorized ports are used
  – No connection to certain hosts

• A better understanding of the impacts of new or changed services based on historic observed user behaviors

• Can also determine if actual behaviors = expected behaviors

Service Operation – Event Management

• Event Management is concerned with interpreting the monitored data and taking an appropriate action

• Outputs from NBA are routed appropriately by Event Management
  – Rejection
  – Manual Review
  – Automatic Processing
    • Create an Incident
    • Create a Problem
    • Trigger a standard change

Service Operation – Incident and Problem Management

• The first triage question to ask should always be “What changed?”

• 80% of MTTR is spent trying to answer/determine “What changed?”

• Need to arm the resolution processes with detected change information
  – Understand how current behavior differs from normal behavior

• Understand if a change happened and where

• If a change is not detected, then rule change out

Continuous Service Improvement

• Review NBA and SACM data to determine potential service improvement opportunities

• We can use NBA to understand and improve the user experience of IT services

• Capacity planning for services and component CIs including networks, servers and other devices
  – Usage patterns and potential demand management
  – Server consolidation

• IT Service Continuity Management

Key Points

• SACM gives us a logical view of the world with relationships
  – Integrity of its data is vital

• NBA is a control that can help us
  – Understand behavior in production and testing
  – Better plan projects – Consolidation, DR/BCP, etc.
  – Confirm relationships between CIs
  – Detect configuration errors
  – Detect unauthorized changes
  – Drive down MTTR by better understanding what changed

• Overall, we can use NBA to help ensure that we have accurate data to share with other process areas
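
An added example, not from the original deck: one way to reconcile NBA observations against CMS records so that configuration drift shows up as concrete findings (unauthorized services, undeclared dependencies, unknown components, relationships never seen in traffic). The CI names, addresses, field names (`ports`, `depends_on`) and flow tuples are constructed for illustration, and clients that are not CIs are treated as end users.

```python
# Constructed CMS extract: CI -> address, authorized listening ports, declared dependencies.
CMS = {
    "web01": {"ip": "10.0.2.20", "ports": {443}, "depends_on": {"db01"}},
    "app01": {"ip": "10.0.2.21", "ports": {8443}, "depends_on": {"db01"}},
    "db01": {"ip": "10.0.3.30", "ports": {5432}, "depends_on": set()},
}

# Constructed flow summaries from an NBA tool: (client_ip, server_ip, server_port).
FLOWS = [
    ("10.0.2.20", "10.0.3.30", 5432),    # web01 -> db01, matches the CMS
    ("10.0.2.20", "10.0.2.21", 8443),    # web01 -> app01, relationship not recorded
    ("10.0.2.21", "10.0.3.30", 22),      # port not authorized for db01
    ("10.0.2.21", "10.0.7.77", 3306),    # server that is not a known CI
    ("192.168.5.10", "10.0.2.20", 443),  # end user reaching web01
]

def reconcile(cms, flows):
    """Compare observed behaviour with CMS records; return sorted (kind, detail) findings."""
    by_ip = {ci["ip"]: name for name, ci in cms.items()}
    findings, confirmed = set(), set()
    for client_ip, server_ip, port in flows:
        server, client = by_ip.get(server_ip), by_ip.get(client_ip)
        if server is None:
            findings.add(("unknown_ci", f"{server_ip}:{port}"))
            continue
        if port not in cms[server]["ports"]:
            findings.add(("unauthorized_service", f"{server}:{port}"))
            continue
        if client is None:
            continue  # assumption: non-CI clients are end users
        if server in cms[client]["depends_on"]:
            confirmed.add((client, server))
        else:
            findings.add(("undeclared_dependency", f"{client}->{server}"))
    # Declared relationships with no matching authorized traffic may be stale records.
    for name, ci in cms.items():
        for dep in ci["depends_on"]:
            if (name, dep) not in confirmed:
                findings.add(("unconfirmed_relationship", f"{name}->{dep}"))
    return sorted(findings)
```
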

Thank you for the privilege of facilitating this webcast

George [email protected]

http://www.pepperweed.com

Questions?

Thank you again for attending

If you have any further questions, e-mail [email protected]

For future ITSM Watch Webcasts, visit www.jupiterwebcasts.com/itsm

