Early in October, we asked Micro Focus ITOM product owners this important question: What one thing should IT Operations teams be doing right now to bolster enterprise security? Their best-practice recommendations span the vast realm of IT operations—from ITSM and discovery to orchestration, observability, vulnerability remediation, network security, and cloud service management.
1. Discover, Discover, Discover
How can you fix something if you can’t see it or don’t know it exists? Step one for enterprise security is to know exactly what you have. Now, this doesn’t mean sending some poor person around with a tablet and a spreadsheet poking into racks and racks of servers or asking everyone what systems they’re using. But it does mean getting started on automated discovery or scaling your discovery process to meet your enterprise needs.
You need to discover everything you have—from servers and desktops to laptops, software, services, and dependencies—on prem or in cloud. Rigorous discovery is as important for cloud systems as it is for on-prem systems. Consoles for managing cloud devices and services have no visibility to software deployed by your end users. To see your in-cloud software, you need to examine cloud devices at the OS level, which is not a capability provided by cloud service providers. But discovery will give you that detailed visibility to your installed software while keeping all your data private. —Bill Dyck, Senior Product Manager Universal Discovery and UCMDB
2. Orchestrate Your Software Updates
A surprising number of companies continue to use unsupported, exploitable applications. One big reason is lack of automation. Without automation, companies put off updates, wary of disrupting everyday operations.
It doesn’t have to be this way. An orchestrated process can help you run all necessary pre- and post-health checks to make sure nothing breaks. For example, before an update, an orchestrator can trigger a workflow to perform a full backup or check installation requirements. Once the update is complete, the orchestrator can trigger a workflow to run application regression tests and revert to the previous state if the update was unsuccessful. The orchestrator can even make sure your applications are available during the upgrade process by coordinating switchbacks between active (hot) and standby (cold) systems. —Daniel Crisan, Product Manager Operations Orchestration
3. Accelerate Vulnerability Remediation
How long does it take to remediate threats once they’re detected after a security scan? Is it days, weeks, or even months? If you’re like most companies, you’re probably great at identifying vulnerability and compliance risks, but you don’t have an automated way to address them. Manual remediation—when scanning for risks is decoupled from remediation—is a huge business risk. And it takes too long. You need to map thousands of servers to patches or compliance benchmarks, prioritize them, work within maintenance windows, manage exceptions, and push out the changes.
All these tasks can be automated. With automation in place, you can correlate vulnerabilities to all corresponding servers and create policy-based patch bundles and compliance benchmarks. You can scan, prioritize, and remediate according to SLOs. And you can even use orchestration to better coordinate with other teams and speed up the remediation of urgent CVEs. Automation makes it possible to close the lag between scans and remediation. Put another way, this is how you can lend your Security team a helping hand and make SecOps a reality. —Camilo Cuervo, Senior Product Manager Data Center Automation
4. Consolidate All Your Events—including Security Events—in One Place
The cornerstone of observability is integrating events from multiple data sources into one central place to create a single end-to-end view of your hybrid IT environment. You’ve probably been doing this for years but have been focusing mostly on performance events to correlate alerts and detect anomalies.
To get a true 360-degree view of everything that’s happening in your environment, consider bringing vulnerability and compliance events into your data lake. This will allow you, for example, to visually match vulnerabilities with services or see how prioritized applications are impacted by security risks. With all events in one place, event correlation or other AIOps analytics can point to the most likely root cause of a problem. And you can get the right team to fix it quickly. —Harald Burose, Director of Product Management Operations Bridge/AIOps
5. Maximize Network Security with a 3-Level Protection Plan
You can strengthen the security of your network by following a three-step process, in this order: access, configuration, and compliance.
First, ensure that access to network resources is granted at the absolute minimum level required to perform assigned tasks. You should also challenge access privileges at each inflection point—for example, when an employee connects from a default corporate network to a development network. Technical barriers such as multifactor authentication and industry-proven encryption should always be reinforced.
Second, follow best practices for configuration management—including peer reviews of proposed changes; approval of changes through a formal change-approval board (CAB); and the scheduling, deployment, and confirmation of all changes through an auditable automation platform. Network devices should be continuously monitored for changes—and any unexpected variations should trigger at least a notification, if not an automated correction.
Third, manage compliance proactively. Network security, industry, or organizational compliance policies must be created, deployed, and enforced. Any detected deviation from an accepted configuration must be immediately remediated, preferably by an automated system. Take advantage of policies driven by industry groups such as the Open Web Application Security Project® (OWASP) or the CVE® Program. Mature network management applications can even provide pre-built policies for scanning vulnerabilities that have not been internally reported yet. —Dave Easter, Principal Product Manager Network Operations Management
6. Make It Easier for Cloud Users to Spin Up Immutable Services
To increase provisioning predictability and eliminate configuration drift, organizations are fast moving from mutable servers to immutable servers in the cloud. Very often, breaches come from configuration drifts that could have been easily avoided—like forgetting to patch a server. This can’t happen in the immutable world where all servers have the same configuration that comes from the same image with the latest patches installed.
Immutable means better security. But it also entails a high level of automation—golden images must be patched, and when that happens all linked servers must be deprovisioned and replaced by new ones.
However, by automating all this complexity and implementing a self-service portal that uses one central catalog, you can make it easy for your cloud users to request immutable services. You’ll bolster enterprise security by making sure that the deployment of new cloud infrastructure is hyper-consistent, hyper-testable, and hyper-reliable—yet still user friendly. —Jo De Baer, Senior Product Manager Hybrid Cloud Management X (HCMX)
7. Simplify Security Incident Reporting with ITSM
Phishing scams, malware (like ominously notorious ransomware), password attacks, spoofs, stolen or lost laptops . . . The list of threats goes on. When these security incidents occur, employees are generally asked to report them immediately. But where should they report them? That’s a good question. Employees might vaguely remember seeing a cybersecurity email address that they forgot to save from last year’s security training. They might remember reading about a different email address for specifically reporting suspicious phishing emails. And for nonurgent incidents, they may have to remember how to access the service portal. So much valuable time is lost as employees try to figure out how to report security incidents.
Time to say goodbye to the old way of doing things! Offer a single service portal for reporting all types of security incidents. If possible, pair it with a mobile service desk app—especially convenient when user laptops are compromised, lost, or stolen. Your users will thank you for it.
Once an employee submits a ticket, defined security incident management best practices get triggered. These best practices include automatic ticket routing to the right team (so no time is lost); ticket tracking and resolution with role-based access controls to keep confidential data secure; and approvals and escalations with notifications to keep interested parties informed.
Going this route, where all security incidents run through ITSM, requires collaboration with the security team. ITSM can’t do it alone. But it’s worth it. Your users will be happier—and your organization safer. —Dean Clayton, Senior Product Manager SMAX (Service Management Automation X)