Intelligent Change Control for Risk Management and Continuous Compliance

Change is inevitable, especially in technology, where it is expected and constant. As a result, IT Service Management (ITSM) tools like ServiceNow are now deployed in enterprise organizations worldwide so that IT and operations teams can assess submitted change requests, test them, and then execute approved changes. For many companies, this process is sufficient, but it falls just short of assessing risk within an enterprise’s IT ecosystem. What traditional ITSM leaves out is everything that happens after a change request is executed: Did the change actually happen? Were there any downstream impacts on systems? Was the requestor able to sneak in unapproved changes? Is any unexpected behavior occurring as a result of the change?

Change can be good, bad, or neutral, but you won’t know unless you understand the impacts of change. All companies have governance and audit mandates that make tracking change a critical business function. In the worst cases, failure to govern changes and assess risk from IT change could lead to system disruption, breach, negative impacts on customer loyalty, and financial losses resulting from a breach and/or failure to meet compliance.

Founded in 2005, New Net Technologies (NNT) has built a change control tracking platform that aims to help businesses get a better grip on the changes within their IT ecosystems—and to reduce cyber risk by identifying potential vulnerabilities or compromise throughout the change process. “Change is at the root cause of most security problems,” said Mark Kerrison, NNT’s CEO and co-founder, during a recent call. “The genesis of every effective breach is change. If you understand changes that are happening, and if those changes are good or bad, you have better control over your environments.”

Automated discovery and analysis

NNT’s platform, Change Tracker, can be delivered on-prem, as SaaS, or can be completely outsourced via integrations with leading ITSM providers. Once deployed, Change Tracker automates discovery and analysis of companies’ controls and configurations through hardware/software asset discovery, file integrity monitoring, event logging, and continuous scanning. It collects the data contained within the ops side of the business and provides operators/admins a federated view into what’s normal—“a complete library of what’s expected,” said Mark Kedgley, NNT’s CTO and co-founder.

From there, as would be expected in a governance tool, Change Tracker continuously scans the environment to log security controls, configurations, change requests, approved and executed changes, and compliance posture. All events are benchmarked against baseline policies, security frameworks like NIST and CIS, and compliance requirements, and forensically analyzed to highlight any risk introduced or reduced as a result of the change. Change Tracker also ensures that only approved users are effecting change and only valid changes are executed—another excellent risk mitigation strategy. It's the focus on continuous monitoring and continuous, real-time verification that makes Change Tracker effective in surfacing software/hardware vulnerabilities and operational issues.

One obvious question the TAG Cyber team had for Kerrison and Kedgley was how the platform handles changes submitted by a privileged user who may not have approval for changes. Their answer was that Change Tracker uses “unplanned change detection” to identify all changes that happen outside of approved processes. The technology leverages every change submitted in the company's ITSM and validates changes before they can be approved. This won’t stop every out-of-band change request, but it should catch the most obvious or risky ones. Plus, the system has a backup of sorts: all changes are logged from the moment a change request is submitted, through automated analysis and verification, to the point when change control is invoked and the change is implemented. This process won’t necessarily stop an approved admin from making certain changes, but unplanned changes are logged as incidents and admins are alerted, giving them the ability to review and/or dial back anything risky before damage is done.
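The reconciliation idea behind unplanned change detection can be sketched generically, as an added example that is not NNT's code and makes no claim about how Change Tracker is implemented: each observed change is matched against approved change records by host, path scope, implementer and time window. The record fields, ticket numbers, hosts and users are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime as dt
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Approved:            # hypothetical ITSM change record
    ticket: str
    host: str
    path_glob: str
    implementer: str
    start: dt
    end: dt

@dataclass(frozen=True)
class Observed:            # hypothetical file-integrity event
    host: str
    path: str
    user: str
    when: dt

def classify(ev, approvals):
    """Return (verdict, ticket, reason) for one observed change."""
    scope = [a for a in approvals
             if a.host == ev.host and fnmatchcase(ev.path, a.path_glob)]
    if not scope:
        return ("unplanned", None, "no approved change covers this host/path")
    window = [a for a in scope if a.start <= ev.when <= a.end]
    if not window:
        return ("unplanned", scope[0].ticket, "outside the approved window")
    for a in window:
        if a.implementer == ev.user:
            return ("planned", a.ticket, "matches an approved change")
    return ("unplanned", window[0].ticket, "made by a user not on the ticket")

def unexecuted(approvals, events):
    """Approved tickets with no matching observed change (did it happen?)."""
    done = {t for v, t, _ in (classify(e, approvals) for e in events)
            if v == "planned"}
    return [a.ticket for a in approvals if a.ticket not in done]

# Constructed sample data: two approved changes, four observed events.
APPROVALS = [
    Approved("CHG-0001", "web01", "/etc/nginx/*", "alice", dt(2024, 1, 10, 22), dt(2024, 1, 10, 23)),
    Approved("CHG-0002", "db01", "/etc/postgresql/*", "bob", dt(2024, 1, 11, 1), dt(2024, 1, 11, 2)),
]
EVENTS = [
    Observed("web01", "/etc/nginx/nginx.conf", "alice", dt(2024, 1, 10, 22, 15)),
    Observed("web01", "/etc/sudoers", "alice", dt(2024, 1, 10, 22, 20)),
    Observed("web01", "/etc/nginx/nginx.conf", "alice", dt(2024, 1, 12, 3, 0)),
    Observed("web01", "/etc/nginx/conf.d/tls.conf", "mallory", dt(2024, 1, 10, 22, 30)),
]
```

The second event is the "sneaked-in" case: the right person in the right window touching a file the ticket never covered. `unexecuted` covers the opposite question of whether an approved change actually happened.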

Scalable and real time

One of the differentiators Kerrison and Kedgley say makes NNT special is the platform's scalability; the team spent more than two years building a proprietary componentized architecture that allows for “infinite” processing power anywhere along the chain of events. In addition, NNT works uniformly across any hybrid environment, that is, from on-prem to cloud, microservices to legacy applications, and data center to desktop. Enterprises in the midst of migrations are especially prone to mistakes and misconfigurations, so a technology that can mitigate unplanned or unapproved changes will be a particular boon to the business.

Another differentiator, they say, is Change Tracker’s by-the-second visibility into suspicious activity, found vulnerabilities, and configuration drift that allows NNT’s customers to drive down risk. Because the entire change management lifecycle is automated, IT and ops teams have reduced manual workflow and security can triage events immediately, if need be. Kerrison says, “If you think about a breach of any kind, that breach will precipitate change. With Change Tracker, those changes won’t be approved and rogue changes will be flagged immediately,” driving down the potential for malware or some other exploit to propagate.

A fundamental hygiene control

A company that fails to act on IT misconfigurations or security vulnerabilities could find itself in a sea of hot water. Similarly, unplanned changes or changes that have not been thoroughly vetted could lead to disasters, a fact to which anyone who has dealt with an outage or significant performance issues can attest. While one incident won’t bring a company down, iterative issues will, especially if the issues impact the business's ability to serve customers and partners. Thus, understanding change risk becomes a business—not just cyber security—priority.

Effective change control is a foundational hygiene issue all companies need. While businesses can track changes within many of their deployed change management tools like ITSM or several of the next-gen asset management techs, these tools don’t provide an analysis of the changes and thus the ability to control risk. NNT change tracking analyzes every change made to see if it was good, bad, out of band, unexpected, or has additional implications on systems—which is beyond traditional.