“SandWorm,” yet another zero-day vulnerability, was announced on Tuesday, Oct. 14, 2014. The vulnerability, which affects every supported version of Microsoft Windows, as well as Windows Servers 2008 & 2012, has been exploited by Russian hackers to spy on The Ukrainian Government, Nato, several other Western private and Government agencies according to The New York Times. Another two were announced later that same day alone.
If it hasn’t become apparent yet, 2014 has called attention to the need to be prepared for anything. Zero-day vulnerability announcements are becoming broader in scope and impact and are occurring more frequently. This is driving a change for our customers in the ways in which they inventory their critical infrastructure and services, and also in how they keep track of their more common systems.
Previously, UCMDB and Universal Discovery best practice tended to eschew keeping large amounts of installed software, running software, processes and non-critical systems in UCMDB. However the trauma resulting from events like “Shellshock”, “CCS Injection” (and countless other operating and applications system library vulnerabilities) is forcing a shift in thinking about Configuration Management, and how HPE UCMDB and Universal Discovery can help to reduce risk, time, and cost needed to identify and resolve these vulnerabilities.
Here at Effectual, we are identifying new integrated use cases and supporting best practices for Change and Release Control between UCMDB and Service Manager. We stay on top of these zero-day problems and how they affect our customer environments by providing detailed queries and reports for each issue. We also make modifications to discovery scope, and modify discovery packages to help customers track the impact and manage change effectively with Service Manager.
All of these aforementioned problems (and others that don’t get as much press) create unplanned critical changes. Even though UCMDB isn’t a single-source for detecting problems, it can be a single-source to track the actual state of your environment including related change requests, tasks, the change history related to specific problems, and impacted business services, locations, and people.
Using this approach, we were able to see that one of our recent customers had spent nearly $50,000 in unplanned cost resolving “Heartbleed,” subsequently spending nearly as much for “Shellshock.” Unplanned changes from vulnerabilities cost organizations a lot of time, effort and capital, but these costs aren’t always managed or even tracked accurately. By properly identifying and communicating the scope of the initial business impact, by accounting for the work performed, then the the value chain of their people, the process, the software and solutions they have deployed are validated. Without this maturity and investment having been in place, the customer easily could have spent much more, over a much longer period of time, to resolve the same incident.
As the future becomes more interconnected and heterogeneous, we’re going to become less responsible for actually finding problems and issues, and held more accountable for how quickly and efficiently our organization can respond to them. Knowing how long a business service or a database has been exposed to a vulnerability will become just as important as knowing where that database is located and what systems depend on it. Our stakeholders and their budgets are going to depend on the ability to quickly identify impact, and the ability to measure and validate that a thorough response has been performed.
In order to immediately identify the scope and impact of vulnerabilities (and to properly account for their costs), you need a clear method. Without one, your stakeholders (and their respective budgets) will be quickly depleted responding to these types of costs. You can’t control when or how these unknown issues throw you a curve, but you can properly document and share the cost and value your organization provided in resolving it.
By using the UCMDB to keep a full and fresh inventory of your entire IT environment, you can greatly reduce your time to resolve such incidents. You can also reduce cost and labor by managing and communicating business impact clearly, quickly and with a degree of accountability that improves stakeholder confidence. Universal Discovery scope must be expanded beyond just “business applications,” to also include installed library files and “non-enterprise” applications that may have been previously excluded.
Having more on-hand, real-time information about all your system and infrastructure CIs is a business imperative that far outweighs the costs of additional effort and some extra licensing. Keeping this message simple and focused to these kinds of zero-day incidents will help you adopt this approach for your own organization. This will make future budgeting, and further justification for investment in capabilities and solutions easier, without making your team look like an endless cost center, constantly fighting unforeseen fires.
If you need help understanding this challenge, or how to make the cost benefit analysis simple and easy to socialize, please feel free to: