In the operations world, if something dies and doesn’t make a ticket, did it really die?

The answer is, of course, “yes”, but there is a caveat:  if it doesn’t make a ticket, it doesn’t get looked at.

This is a simple fact of life in the operations world.  Yes, we have the large screens with network monitoring system dashboards available 24/7, but a red light on a dashboard is not as instantaneous as a trouble ticket.  It’s because people can only do a handful of things at the same time.  They can’t field user calls and at the same time investigate potential problems shown on the big screen because they need undivided attention on the task at hand.

What does this have to do with security?  That’s an interesting question, and an explanation follows.

I’m half toying with the idea of making trouble tickets for vulnerabilities and audit findings, and here’s why:

• Tickets get assigned to the tier-3/4 administrators to fix
• Tickets are unavoidable for the most part
• The ticketing system provides metrics on what is fixed and not fixed
• The operations guys are already accustomed to having tickets introduced as a stimulus
• Our operational staff is rated on the number of tickets that they close
• Ticketing systems support the operational work flow

Notice what I didn’t explicitly say here?  I’m adapting my security mindset to the operational mindset because that is my environment.  It’s strange because I’ve always been more in the engineering world, so I have to wrap my brain around the operations way of doing things.

• Compensating Controls
• Combatting Tool Creep
• Ed Bellis’s Little SCAP Project
• Federated Vulnerability Management
• Guerilla CISO Tip: Get Inside the Data Center