Developing and Implementing a Rollout Plan


Using Network Behavior Analysis (NBA) and Service Asset and Configuration Management (SACM) to Improve Management Information
February 5, 2008
2:00pm EDT, 11:00am PDT
George Spafford,
Principal Consultant
Pepperweed Consulting, LLC
“Optimizing The Business Value of IT”
www.pepperweed.com
© 2007 Jupitermedia Corporation
Housekeeping
• Submitting questions to speaker
– Submit question at any time by using the “Ask a question”
section located on lower left-hand side of your console.
– Questions about presentation content will be answered during 10
minute Q&A session at end of webcast.
• Technical difficulties?
– Click on “Help” button
– Use “Ask a question” interface
Main Presentation
Agenda
• An Overview of Service Asset and Configuration
Management
• An Overview of Network Behavior Analysis
• How we can leverage the two areas for the betterment of
the organization
ITIL v3
• ITIL v3 was released on May 30, 2007
• The core principles are the same as v2
• Five core books (11.4 pounds!) arranged as a lifecycle
– Service Strategy
• Value nets, adaptive strategies, managing uncertainty, strategy selection
– Service Design
• Policies, architecture, models, outsourcing
– Service Transition
• Transition Planning and Support
• Change Management
• Service Asset and Configuration Management
• Release and Deployment Management
• Service Validation and Testing
• Evaluation
• Knowledge Management
– Service Operation
• Incident and Problem Management, alerting, new functions
– Continuous Service Improvement
• Business cases, Portfolio Alignment, Metric selection
[Figure: ITIL v3 service lifecycle diagram labeled Service Strategy, Service Design, Service Transition, Service Operation, Continuous Service Improvement]
An Overview of SACM
• “Manages assets in order to support other Service Management
processes.”
• Service Asset = Capabilities + Resources (i.e. assets)
– Asset types include management, organization, processes, knowledge,
applications, infrastructure, etc.
• Configuration Management delivers a logical view of the world
– Relationships between configuration items (CIs)
– Details about each CI
• Concerned with the management of service assets and the
relationship of configuration items (CIs) in them
– Track and report on assets
– Manage and protect the integrity of service assets and CIs
• Ensure that only authorized components are used
• Only authorized changes are made
Categories of CIs
• Think of these as relational data tables
• Service Lifecycle CIs
– Business case, service lifecycle plans, etc.
• Service CIs
– Service Capability Assets: People, knowledge, processes
– Service Resource Assets: Systems, applications, data
• Organization CIs
– Elements about the organization that must be shared
– Strategic plan, corporate policies, regulatory requirements, etc.
• Internal CIs
– Hardware, software, and facilities
• External CIs
– Customer agreements, vendor agreements
• Interface CIs
– Service provider interfaces (SPIs)
CI Attributes
• Think of these as data fields
– What do you need to know about each CI to manage it?
• Parent CI relationships
• Child CI relationships
• Make
• Model
• Processor
• OS (which could be a CI)
• Memory
• IP Port Requirements
SACM and the CMS
• Provides information to other processes and functions
– Change, Release and Deployment, Incident, Problem, etc.
– SACM is an enabler for these processes
– Accurate data is critical
• Data stored in Configuration Management System
(CMS)
– We used to discuss the configuration management database (CMDB)
– Federated CMDBs make up a CMS
Configuration Management System
[Figure: layered diagram of the CMS. Adapted from CMS graphic in the ITIL Service Transition Volume, page 68.]
• Presentation Layer
– Portal
– Change & Release View; Config Lifecycle View; Asset Mgt View; Technical Config View; Quality Mgt View; Service Desk View
– Search, Browse, Store, Retrieve, Update, Publish, Subscribe, Collaborate
• Knowledge Processing Layer
– Query and Analysis; Reporting; Performance Mgt; Modelling; Monitoring
• Information Integration Layer
– Integrated CMDB: Service Portfolio, Service Catalog, Service Model, Service Release, Service Change
– Common Process, Data and Information Model
– Schema Mapping; Metadata Management; Data Reconciliation; Data Synchronization; Extract, Transform, Load; Mining
– Data Integration
• Data and Information Sources and Tools
– Structured Data; Definitive Media Library(s); Physical CMDBs; Platform Configuration Tools; Software Configuration Mgt; Discovery, Asset Mgt & Audit Tools; Enterprise Applications
SACM Problems
• Chant “meaningful and manageable” over and over
– Can generate a ton of useless data that costs more to collect and
maintain than what it is worth
– Don’t track because you can, track because there is real value
• Likely that 20% of the data will create 80% of the value
– SACM can be a six month project that turns into a two year project with
no results
– Start simple and learn
• Sustaining efforts
– Launching the project to design the process is one thing
– The organization must then live with the design
• Configuration drift
– Production no longer matches the CMS
– Why? Uncontrolled / unauthorized change
– We need detective controls to detect changes
An Overview of Network Behavior Analysis
• Evolved from looking for signatures at the firewall, IDS, and security
event management
– Weakness - Signatures only turn up known problems
• NBA tools monitor network activity and look for abnormal activity
based on baselines and heuristics
• Monitor things such as
– Communications between network nodes
– Who the actual users are
– Frequency of communication
– What are servers and what are clients
– What protocols and ports are being used
– Network Traffic levels
– Behaviors based on day and time of day
• Combines data collection, analytics and meaningful presentation
– Need to find the needle in the haystack
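Added example, not part of the original slides: a small time-of-day baseline for traffic levels, showing why the same byte count can be normal at 14:00 and abnormal at 02:00. The host name, the sample counts, and the median/MAD heuristic with its thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed hourly byte counts for one server: (ISO timestamp, host, bytes).
# Monday to Friday, 7-11 January 2008: quiet at 02:00, busy at 14:00.
HISTORY = (
    [(f"2008-01-{d:02d}T02:00:00", "db01", 1000 + 10 * d) for d in range(7, 12)]
    + [(f"2008-01-{d:02d}T14:00:00", "db01", 50000 + 500 * d) for d in range(7, 12)]
)

def slot(ts, host):
    """Baseline key: host, weekend flag, hour of day."""
    t = datetime.fromisoformat(ts)
    return host, t.weekday() >= 5, t.hour

def build_baseline(history):
    """Return {slot: (median, MAD)} of bytes per hour for each slot."""
    buckets = defaultdict(list)
    for ts, host, nbytes in history:
        buckets[slot(ts, host)].append(nbytes)
    baseline = {}
    for key, vals in buckets.items():
        med = median(vals)
        baseline[key] = (med, median(abs(v - med) for v in vals))
    return baseline

def check(baseline, ts, host, nbytes, k=5.0):
    """Return None when traffic fits the slot's baseline, else a reason string."""
    key = slot(ts, host)
    if key not in baseline:
        return "no baseline for this slot"
    med, mad = baseline[key]
    # Floor the spread at 10% of the median so a very steady history
    # does not turn small fluctuations into alerts (assumed heuristic).
    limit = k * max(mad, 0.1 * med)
    if abs(nbytes - med) > limit:
        return f"{nbytes} bytes vs median {med} (limit +/-{limit:.0f})"
    return None

if __name__ == "__main__":
    b = build_baseline(HISTORY)
    for ts in ("2008-01-14T14:00:00", "2008-01-14T02:00:00", "2008-01-12T14:00:00"):
        print(ts, check(b, ts, "db01", 52000) or "normal")
```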
NBA is a Detective Control
• Controls mitigate risks
• Three broad categories of controls
• Preventive
– Policies
– Procedures
– Look and sound great but how do you know people are following them?
• Detective
– Review data about historical events and look for a condition
– Can be used to confirm that people are following policies and
procedures
– Can be used to detect unauthorized activity in general
• Corrective
– Return the CI to its last known good state
Defense in Depth
• Think of the rings of walls in a castle. More walls equate to an overall better defensive posture
• We need preventive controls
• We need detective controls
• Configuration integrity management
– change detection at the device level
• NBA – last line of defense because it’s based on behavior
[Figure: rings labeled NBA, Integrity Management, Policies & Procedures]
NBA can benefit security, compliance and operations
• NBA’s roots are in security but with proper integration, other process areas can benefit.
• Consider the benefits of understanding:
– Changes in behavior due to changes
– End-User Experience
– Actual dependencies
– Unauthorized services
– Configuration errors
– Misuse of services
– Security incidents
[Figure: diagram labeled Operations, Security, Compliance]
Leveraging the Two Disciplines
Service Transition - Change Management
• Concerned with managing the risk of making a change
• A balancing act between the risk of making and not making a given
change
• Steps include: Recognition of need, record the request, review,
authorize, plan, schedule the implementation
• Change Mgt is responsible to ensure the CMS is updated
accordingly
• From SACM and the CMS we know what changes were authorized
• How do we know about changes when people do not follow the
process?
– Problems with Change Management are SACM’s Achilles' Heel
• NBA allows us to identify that something has changed:
– Network behavior
– Application behavior
– User behavior
Must Understand What Changed
• Authorized Person, Authorized Change
• Authorized Person, Unauthorized Change
– Well intentioned
– Malicious (a security event)
– Erroneous
• Unauthorized Person, Unauthorized Change – A security event
• The only valid level of unauthorized change is zero
• Vital that other processes
– Have reliable accurate data from SACM
– Understand if there are changes that can’t be reconciled and what
has changed
• NBA serves as a last defense
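Added example, not part of the original slides: reconciling flows observed by an NBA tool against CI records in the CMS and approved change records, to separate authorized changes the CMS has not caught up with from unauthorized services and undocumented dependencies. All CI names, field names, addresses, ports and the RFC identifier are constructed for illustration.

```python
# Constructed CMS extract: CI name -> attributes (field names are assumptions).
# "ports" stands in for the "IP Port Requirements" attribute,
# "depends_on" for child CI relationships.
CMS = {
    "web01": {"ip": "10.0.1.10", "ports": {443}, "depends_on": {"app01"}},
    "app01": {"ip": "10.0.2.20", "ports": {8443}, "depends_on": {"db01"}},
    "db01": {"ip": "10.0.3.30", "ports": {5432}, "depends_on": set()},
}
# Constructed change records: approved changes that open a port on a CI.
APPROVED_CHANGES = [{"rfc": "RFC-EXAMPLE-1", "ci": "app01", "opens_port": 9090}]
# Constructed NBA output: (source IP, destination IP, destination port).
OBSERVED = [
    ("10.0.1.10", "10.0.2.20", 8443),  # documented web01 -> app01
    ("10.0.1.10", "10.0.3.30", 5432),  # web01 reaches db01 directly
    ("10.0.1.10", "10.0.2.20", 9090),  # port opened by an approved change
    ("10.0.2.20", "10.0.3.30", 2222),  # port nobody authorized
    ("10.0.2.20", "10.0.9.99", 443),   # destination missing from the CMS
]

def reconcile(cms, changes, observed):
    """Return (src_ip, dst_ip, port, status) for every flow the CMS cannot explain."""
    by_ip = {ci["ip"]: name for name, ci in cms.items()}
    approved = {(c["ci"], c["opens_port"]): c["rfc"] for c in changes}
    findings = []
    for src_ip, dst_ip, port in observed:
        src, dst = by_ip.get(src_ip), by_ip.get(dst_ip)
        if dst is None:
            status = "destination not in CMS"
        elif port not in cms[dst]["ports"]:
            rfc = approved.get((dst, port))
            status = (f"authorized by {rfc}, CMS not updated" if rfc
                      else "unauthorized service")
        elif src is not None and dst not in cms[src]["depends_on"]:
            status = "undocumented dependency"
        else:
            continue  # flow matches the CMS; nothing to report
        findings.append((src_ip, dst_ip, port, status))
    return findings

if __name__ == "__main__":
    for finding in reconcile(CMS, APPROVED_CHANGES, OBSERVED):
        print(*finding)
```

Flows alone do not show who made a change, so the authorized or unauthorized person distinction still has to come from the change records.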
Service Transition – Release & Deployment
Management
• Need to ensure that there is proper requirements
definition, testing and deployment of releases into
production
• Can review historical activity to improve rollout planning
• Can confirm production releases match tested releases
– Can profile and fingerprint releases
– Could highlight tampering or errors with the deployment into
production
Service Transition – Service Validation &
Testing Releases
• Can identify in testing if behaviors meet standards
– Only authorized ports are used
– No connection to certain hosts
• A better understanding of the impacts of new or changed
services based on historic observed user behaviors
• Can also determine if actual behaviors = expected
behaviors
Service Operation – Event Management
• Event Management is concerned with interpreting the
monitored data and taking an appropriate action
• Outputs from NBA are routed appropriately by Event
Management
– Rejection
– Manual Review
– Automatic Processing
• Create an Incident
• Create a Problem
• Trigger a standard change
Service Operation – Incident and Problem
Management
• The first triage question to ask should always be “What
changed?”
• 80% of MTTR is spent trying to answer/determine “What
changed?”
• Need to arm the resolution processes with detected
change information
– Understand how current behavior differs from normal behavior
• Understand if a change happened and where
• If a change is not detected, then rule change out
Continuous Service Improvement
• Review NBA and SACM data to determine potential
service improvement opportunities
• We can use NBA to understand and improve the user
experience of IT services
• Capacity planning for services and component CIs
including networks, servers and other devices
– Usage patterns and potential demand management
– Server consolidation
• IT Service Continuity Management
Key Points
• SACM gives us a logical view of the world with
relationships
– Integrity of its data is vital
• NBA is a control that can help us
– Understand behavior in production and testing
– Better plan projects – Consolidation, DR/BCP, etc.
– Confirm relationships between CIs
– Detect configuration errors
– Detect unauthorized changes
– Drive down MTTR by better understanding what changed
• Overall, we can use NBA to help ensure that we have
accurate data to share with other process areas
Thank you for the privilege of facilitating this
webcast
George Spafford
[email protected]
http://www.pepperweed.com
Questions?
Thank you again for attending
If you have any further questions, e-mail
[email protected]
For future ITSM Watch Webcasts, visit
www.jupiterwebcasts.com/itsm