Three Levels of Change: Approval, Purpose, and Careful Monitoring

Image

I logged into one of my online accounts today, and the entire interface was different. At first, I checked to make sure that I was actually on the correct site. Once I confirmed that, I just accepted that the company who runs the software made changes that would improve the performance and functionality of the software. Once I logged in, I noticed that even the desktop icon had changed.

Change is a normal expectation in the digital world. Sometimes, a change can be merely cosmetic, improving the user experience. Many times, changes are implemented to remediate a coding error, or to patch a vulnerability that, if exploited, could disrupt an organization. However, there are some important levels that must be observed prior to initiating a change. Three of the most notable levels are: approval, purpose, and careful monitoring.

Level #1: Approval

The first level of change needs to center on whether the change is approved. A question to consider is whether the change is coming from an expected business process? There are various ways you can determine if a change is approved. One of the best ways is to reconcile the changes against an existing change management process while at the same time validating that only approved changes are occurring. There are other indicators that can be used to know whether a change is part of normal business operations.

Testing work in a staging or QA environment can also be re-used for production by referencing the test changes that are approved when the production deployment happens. The recent change debacle that halted operations at all the US airports is a glowing example of how an unapproved change can have devastating effects.

Level #2 Purpose

Change for the sake of change is usually inefficient and unnecessary. Technological changes should be evaluated to address multiple purposes. Is the change being performed for security purposes? Security-driven changes should be assessed against known authoritative sources, such as NIST guidance, the ISO series, and the MITRE ATT&CK framework. 

These guides can help you determine not only if a change is required for general security hygiene, but also if a change is required to protect against known attack vectors.  Along with that, if your organization is a covered entity under some of the established and emerging standards and regulations, changes should be evaluated against those criteria as well. A change to adhere to a compliance rule is always a necessary improvement.

Level #3: Monitoring

Even the most well researched change may not work out as planned. We have all seen failed patches, as well as feature upgrades that were not applied as smoothly as planned. Change monitoring gives an organization the ability to know exactly what was changed, and roll back to a previous state if the change is problematic. 
We all need to patch and update the systems to reduce vulnerabilities and attack surfaces. But how do you tell if the changes to your systems were indeed part of patches, or if someone was making some other changes?

For instance, you can compare the changes to a manifest from a software provider to make sure that the patch is legitimate. In this instance, if the change matches what is to be expected, then it will allow you to capture unexpected changes that happen at the same time as the patching process.

One key to a successful change management program is understanding your applications and your systems, and what's critical to their efficient operation. Each environment is different, and the knowledge of the system owners can be used to fine-tune the change alerting settings to collect information about changes. However, benign changes, such as a file that changes every day through a normal windows process should not set off any alarms. If special software is being used to deploy the changes, then those changes would be anticipated. As a result, only changes that aren’t expected would be flagged.

Using Tripwire to navigate these three levels of change will help protect your critical infrastructure from misconfigurations and zero-day attacks, and it will allow you to focus on the actionable changes rather than trying to swim through an upstream current of noise.