IT Event Management Stuck at The Crossroads

I’ve been in IT for longer than I’d like to admit and one thing I’ve seen repeatedly is companies taking a disorganized and ad-hoc approach to Event Management and monitoring of their infrastructure that includes network, servers/VMs, databases, applications, etc.. Most IT organizations I’ve worked with suffer from tool sprawl, having acquired — over time — dozens of point and siloed monitoring tools and element managers. In most cases, each tool sends an event via an text message or email to individual subject matter experts (SMEs). This approach does not provide a centralized way to proactively identify potential issues (including cyber-attacks) at an Enterprise-visible level. In addition, the high volume of “noise” generated from these different tools makes it nearly impossible to determine the real issues and take action.  This leaves IT exposed to client satisfaction issues (end-users know about problems before IT), service outages and unnoticed cyber-attacks.

Here’s what we are seeing:

  • Too many events and noise
  • No correlation or de-duplication of events coming from diverse sources
  • Too many false positives
  • Events / alerts go to multiple groups and handled independently
  • Lack of event enrichment — alerts are cryptic and not actionable
  • No business context and therefore minimal business value
  • And more…

The complete lack of prioritization, budget and a cohesive organizational strategy for Event Management and monitoring is the primary cause and this mindset clearly cannot continue.

We work with clients to develop an Event Management Architecture Plan (EMAP). An EMAP is an actionable strategic blue print and roadmap to get a handle on this tool sprawl, reduce the number of point monitoring solutions to those necessary. We put a plan in place to define Event Management from a people, process and technology perspective. How do we enable the EMAP and turn it into reality?

ServiceNow’s Event Management Solution provides for the automatic creation of actionable alerts from third-party point monitoring tools such as SCOM, Solarwinds, NNMi and others. The application brings events captured by existing infrastructure monitoring tools into ServiceNow for consolidation, analysis, and action. Events are then processed through filters that normalize and de-duplicate the incoming event stream to generate alerts. From there, our clients can simply integrate with other processes enabled within ServiceNow including Incident, Problem and Change Management. Coupled with Service Mapping and the CMDB, our EMAP and ServiceNow implementation services finally allow IT to become more proactive and predictive and bring visibility to the business via service reporting.

When you are ready to implement Event Management within ServiceNow, we will be there to help you!

Contact us at or contact us at +1.888.718.1708 to learn more about ServiceNow and our EMAP  services.

Enhancing Authentication – Don’t be late to the party

Some Banks are finally beefing up their online security for consumers.  I recently logged into Chase and they now require you to select a device/email for sending a one-time Identification code.  On a previous login I was requested to add a cell phone number, home phone or email address(es) for contacting me about account changes, etc.   So when I logged in this time, I was given the choice of where to send this one-time ID code and promptly chose my cell phone via text.  Nice touch Chase.  Hope the other banks and financial institutions are watching.

What do you think about using the above scenario more consistently for business end-user access to corporate information when accessing their networks remotely (e.g. not on the company LAN)?
The majority of companies I work with still use a single-factor authentication scheme (what I know, such as a username/password) for accessing their networks remotely or are still utilizing the much-malign hardware token that end-users are required to have on their person.  Why not take advantage and add a second-factor authentication using a device I always carry – my cell phone (most often company issued) like Chase Bank has done above?

How is your company beefing up access & authentication?

Complacency in the Cloud

I don’t like the fact that I have a trust issue.  I wish I could change — but I can’t.  Oops sorry folks, I thought I was in my therapist’s office.Last week’s issues with LastPass (LP), read here, should make me want to flame them to crispy pieces.  Alas, I have no one to blame but myself.  Unlike my other overdone, paranoid-driven steps to protect myself, I was not properly prepared for this outage.  The result:  I was completely locked out of several of my business accounts where I solely rely on LP for authentication.   LastPass is a password manager that stores passwords so you don’t have to remember them.This outage got me thinking.  Are we getting too complacent with cloud services in our business and personal lives?Sure, there were contingencies I could have put in place.  For instance, did I download pocket LastPass (the version where you can access your secure notes and passwords without having to rely on the internet)?  “No”.  Did I export my LP data to a file and encrypt it?  “Ah, no”.  (Imagine head banging against wall here).I’ve always been careful to backup my business and personal data.  I have a 1TB Firewire encrypted drive that I use to backup my PCs.  In addition I utilize Dropbox as my file system, storing these files locally AND in the cloud.  I also backup my critical business files into the cloud, periodically zipping and exporting both folders and Outlook data to Carbonite.  Way over the top?  Why yes, of course.  But that is just me.  Do you think I would follow the same paradigm with *ALL* of my authentication information for my most critical access needs?Now why did LP cut me off like a rich father cutting off his deadbeat son?  Because they experienced an “anomaly” on their network.  Learning from their past, they promptly and proactively set up safeguards, which unfortunately left many — including myself — unable access our passwords.  Let this be a lesson to all, there is no safe haven, even in the Cloud.Build your own safeguards, controls and processes into your cloud strategy for your business and don’t be complacent.- Jay Martin (

Shopper Uncovers Security Compliance: 201 CMR 17.00 Already Having an Effect on Businesses

I was semi-impressed yesterday when I visited a global retail chain, signed up for a new credit card and they handed me back the application form for me to destroy.  Retail stores that manage payment card information must abide by strict rules governed by PCI — the Payment Card Industry standard developed to protect card information.The form that I filled out had Personal Information (PI) and not payment card information, so therefore would not fall under the PCI purview.I asked the retail clerk processing my information what would happened if I left the form behind – in an attempt to better understand the security process.  The retail clerk told me that they place remaining forms in the bin behind her and that a disposition company destroys everything in the bin.  They receive a certificate from the said company once the data is destroyed for proof.Good start.  The company could have taken this protection process a step further by having a more secure bin with a cover and a lock instead of using a standard looking waste paper basket.  Still, one giant leap for better InfoSec Data Protection.201 CMR is here to stay, at least until H.R. 2221 gets passed ;)How is your company doing so far with meeting the Massachusetts regulation for the protection for PI?  If you are outside the Commonwealth and do not store Mass. residence PI, are you doing anything to protect your state’s residents PI? – ITIL, CISM, ISMAS –

Connecticut Attorney General Sues Health Net Over Security Breach

I mentioned in my blog in late November that the cost to Health Net over loss of an unencrypted hard drive containing 450,000 patient records (revised down from 1.5m) would be much greater than the cost of securely controlling and protecting their information assets. Health Net will begin the process of emptying their wallets in an effort to build a defense against the lawsuit levied against them by Attorney General Richard Blumenthal.The breach occurred in May of 2009 and was not reported until November. As discussed, Connecticut’s breach notification law are fairly strict and I would assume holding off reporting such an incident for 5+ months is over the top which could cause Blumenthal to make Health Net an example for all to see. To add fuel to the fire, the American Recovery and Reinvestment Act of 2009 (also known as the HITECH act) also imposes notification mandates that were apparently neglected. See my November blog post under security entitled “Health Net Breach — A Failure of People, Process & Technology” for more details.jay.martin@service-catalyst.comCISM,

H.R. 2221: Data Accountability and Trust Act

The national Data Accountability and Trust Act, H.R. 2221 passed within the House of Representatives earlier this month (Dec. 8th, 2009).  The Bill — as with 201 CMR 17.00, the Massachusetts Protection for Personal Information — seeks to protect consumer personal information and requires notification to individuals in the event of a breach, albeit from a national level.  The bill is set to go before the Senate next and then the President.H.R. 2221 would require “for profit” organizations to develop the necessary security policies and safeguards to protect U.S. Residence personal information within 1 year of passing.More to come later…jay.martin@service-catalyst.comCISM,

SSL and TLS no longer safe?

 A huge chink in the armor of end-to-end encryption took a big hit last week when the US-CERT reported that a man-in-the-middle exploit code against SSL and TLS is publicly available.   The exploit allows a malicious attacker to insert themselves into an SSL or TLS conversation during a client or server initiated renegotiation of their security context.  The vulnerability affects pretty much every site we securely connect with including our online banking sites, paypal, etc.  It also affects all operating systems and browsers.Updates are not available to remediate the exploit, but there appears to be an Internet draft standard dated November 14, 2009 to fix TLS.  The RFC is here if you wish to review.  This means that the committee that wrote the new Internet draft was aware of the vulnerability and was secretly meeting to provide a fix prior to CERT releasing the news.As you may know, SSL will not be updated as most of us are really using TLS in our browsers when we connect to secure web sites.  We still may call it SSL, but SSL is a fallback protocol to TLS.I suspect a patch is on its way within the next few weeks, so make it a priority to update your systems through your normal patch update mechanism.

201 CMR 17.00 – The 5 Things You Need to Do Right Now

As many of you are aware, the new Massachusetts Standards for the Protection of Personal information (201 CMR 17.00) will hit the books on January 1, 2010.  The law establishes protection standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts in both electronic and paper format.  So even if you do not run your business in the Commonwealth you are still affected if you keep personal information about a resident of Massachusetts. 

Personal information (PI) is defined here.

Here are the 5 things you need to do today to begin the process for compliance:

1.  Read the Regulation ( and the 201 CMR 17 checklist (  Roles and Responsibilities – Assign ownership for the overall security program within your organization.  Next, elect a Security Council comprised of senior staff or management that are stakeholders in protecting personal (and other sensitive corporate) information.  The Security Council facilitates consensus relative to the risks, impacts and priorities for compliance and will help with achieving (or changing) the security culture for your organization3.  Find the Personal Information (PI) – Through interviews with Business Managers, Data Owners and Subject Matter Experts.  Additionally, the use of technology such as IdentityFinder can facilitate speedier PI discovery. Once discovered:

  • Determine whether this data is still required and needed in the discovered location
  • Do you need all the PI data or can you do without (do you still need your old customer’s credit card number)?
  • Determine who requires mandatory access to the information and plan for the modification of your access lists to comply
  • Ensure other safeguards are in place to protect this information (Physical access, firewalls, strong authentication/passwords, encryption).  If not, budget and plan accordingly

4.  Review your current Written Information Security Policies, if they exist, and plan for their update to include compliance.  If they do not exist, develop a project plan to begin the development process.  The larger the organization, the longer this will take for development and approval.5.  Determine if your Third-Parties, partners, consultants, etc. have access to PI and begin the process of discovering their protection mechanisms

Compliance doesn’t happen overnight.  The sooner your company develops a strategy for 201 CMR 17.00 compliance the better your organization’s chances to meet the January 1, 2010 mandate.  These safeguards not only make good business sense, they will soon be the law.

Third-Parties — Mass. Standards for the Protection of Personal Privacy

Just an update.  The amended or revised 201 CMR 17.00 has softened the requirement for third-parties you do business with and that have access to personal data.  The original regulation slated for a May 1, 2009 compliance date stated that businesses would require “certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations”.The revised regulation scheduled for January 2010 now states that businesses should ensure that third-parties are taking all reasonable security measures — at least as stringent as those provided in the 201 CMR 17.00 regulation — in protecting personal information.Ensure?  How are you going to “ensure” that your third-parties are protecting themselves? Here’s what I recommend, and I suggest you follow my advice.  Send each of your third-parties (whether they do business in the Commonwealth or not) the 201 CMR 17.00 Audit Compliance Checklist that I provided a link for in my first blog on this very subject.  Take the checklist and add a signature page and have your third-parties sign it.  If they don’t fully comply, have them put together a letter that outlines their security improvement plan with dates and have them sign that. If your third-party is not willing to go the extra mile, you’ll have not choice but to move on.  The eventual financial risks and public image drubbing may be too high.  Are you willing to chance it?Let me know your thoughts.

201 CMR 17.00 Postponed Until January 2010

The Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) this week pushed back the compliance date for its Standards for the Protection for Personal Information from May 1, 2009 to January 1, 2010.  This is the second delay to the Mass. legislation which was initially scheduled for January 2009. The revision was filed on Thursday, February 12th, 2009 and OCABR Undersecretary Daniel C. Crane stated, “We understand the impact of the current business environment, and feel this is an appropriate timeframe for companies to implement the necessary protections.”As I stated in my blog last week, this regulation sets strict guidelines for businesses and other holders of Massachusetts residence’s personal information.  The policy states that personal information (a combination of a residence’s name and a social security number, driver’s license number, credit card number or financial institution account number) must be encrypted when stored or transmitted electronically over a public network.  Protection for paper documents is also included.I recommend that you do not wait until the last minute.  As I suggested, developing and fine tuning your Information Security Policy, educating your staff, planning your budget and making any necessary purchases and deploying them should start ASAP.