Visible Ops - Is it worth investing in?

[rgula at tenablesecurity.com (Ron Gula)]

On 1/12/2010 9:01 AM, Monkey Daemon wrote:
> I have a friend who is interested in investigating "visible ops"
> however he's having a real issue getting anyone in the organisation to
> accept a proposal for a change management system, never mind a culture
> change towards a new way of doing things.
>
> Does anyone have any experience of using Visible Ops that I might be
> able to pass on to him in order that he can sell this (or another
> improved way of working) to his managment team?

This sort of conversation comes up a lot at the IANS forums Tenable
participates with. I hear end users all the time ask for tips on how to
get buy-in for change management, standard builds, executive governance,
.etc. It has many different names.

In the face of non-believers, my advice is as follows:

- Use whatever regulations your organization MUST comply with as a
starting point. For example, I've seen pristine PCI server farms yet the
CEO's desktop has a random configuration. Use what is working elsewhere
to fix things that are broken.

- Show how you can save money. A big principal of Visible Ops is that
controling change also tends to control when you have bugs or outages.
Keep in mind that saving money could mean lowering the number of people
working in IT, lowering the number of help desk calls, .etc.

I speak a lot about this sort of stuff, and use the slant of log
analysis, configuration auditing and vulnerability scanning as a view
into how the IT management process works. Some of these are online:

Winning at the Compliance Game
https://www1.gotomeeting.com/register/706770928
(requires an email address)

If you want a specific view on Visible Ops, I wrote a paper on how vuln
scanning and network monitoring can help map into this process which is
here:

http://www.nessus.org/whitepapers/tenable_and_visible_ops.pdf

-- 
Ron Gula, CEO
Tenable Network Security