Know What You Have: Baselining, Change Anomalies, and Group Differencing

Last updated by Greg Pollock on July 24, 2019

More than ever, UpGuard provides the ability to know how your environments are changing and to identify the deviations that increase your risk for failed change, outages, and security incidents. Here we quickly cover how UpGuard addresses the needs that every IT organization has through visualizations that allow you to start solving your problems today.

Baseline Discovery

UpGuard records the configuration state of every node on a regular schedule, typically at least once a day. Those scans are surfaced as a visual tree that can be traversed through a graphical interface to understand everything about how a machine is configured. More importantly, those baselines can also be compared to other nodes or to previous scans to understand the salient differences between any two machine states. Those differences are color-coded on the visualization so you can tell at a glance what types of items vary, allowing you to drill down into them. If you find a configuration item that you want to search for across all nodes, click on the attribute and it will populate in the search box with a global query (more about search below).

Problem: A problem was reported today, but you haven't made a change in a week. The problem condition must have been created earlier but not detected. Where do you start digging?

UpGuard solution: Compare the misbehaving asset to ones that appear to function normally. If they are the same, compare it to previous scans to find the culprit.


Configuration Search

Node scans provide a breadth-first investigation mechanism to find everything that may need remediation on a given system or set of systems. Additionally, UpGuard's configuration search engine gives you the ability to conduct depth-first searches for particular items of interest. The search syntax is designed to efficiently search for configuration items; for example, packages:openssl will give you a list of all versions of openssl in your environment and which nodes they are on. Search also accepts an optional WITH argument to filter on attributes of an item; for example, packages:openssl WITH version:1.0.2a. Once you've found the version you want to investigate, clicking the list icon will take you to a list of those nodes.


If you find one server with an out of date patch level, search allows you to easily find other nodes that are similarly lagging and get them all in one place for remediation. Conversely, you can search for versions you should not find as a check that patches have been universally applied.

Problem: A critical vulnerability for a software package you use has just been announced. How can you get a list of every system it's installed on? After patching is "done" how can you check that there are no lagging versions?

UpGuard solution: Too easy. Just scan your nodes and search for the package. UpGuard will display a list of versions. You can then zoom in on the affected versions and the nodes where they are installed.
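The search syntax described above, implemented as an added Python example (this is not UpGuard's search engine). A query is `category:item` with an optional `WITH attribute:value` filter, evaluated across every node's scan; the nested-dict scan format, node names and package versions are constructed for illustration.

```python
"""Configuration search: 'category:item' with an optional 'WITH attr:value'
filter, run across all node scans. Added example; the scan data is constructed."""
import re

# Constructed scan results: node -> category -> item -> attributes.
SCANS = {
    "web-01": {"packages": {"openssl": {"version": "1.0.2a", "status": "installed"}}},
    "web-02": {"packages": {"openssl": {"version": "1.0.2g", "status": "installed"}}},
    "db-01": {"packages": {"openssl": {"version": "1.0.2a", "status": "installed"},
                           "postgresql": {"version": "9.6", "status": "installed"}}},
    "bastion": {"packages": {"curl": {"version": "7.47.0", "status": "installed"}}},
}

QUERY = re.compile(
    r"^\s*(?P<cat>\w+):(?P<item>\S+)"                    # e.g. packages:openssl
    r"(?:\s+WITH\s+(?P<attr>\w+):(?P<val>\S+))?\s*$",   # optional WITH version:1.0.2a
    re.IGNORECASE,
)


def parse_query(query):
    """Split a query into (category, item, {attribute: value}); raise on bad syntax."""
    m = QUERY.match(query)
    if not m:
        raise ValueError(f"cannot parse query: {query!r}")
    filters = {m["attr"]: m["val"]} if m["attr"] else {}
    return m["cat"], m["item"], filters


def search(scans, query, group_by="version"):
    """Run a query over every node scan and group the matching nodes by one
    attribute: the 'list of versions and which nodes have them' view."""
    cat, item, filters = parse_query(query)
    hits = {}
    for node, scan in scans.items():
        attrs = scan.get(cat, {}).get(item)
        if attrs is None:
            continue  # item not present on this node
        if any(attrs.get(k) != v for k, v in filters.items()):
            continue  # WITH filter excludes this node
        hits.setdefault(attrs.get(group_by, "<none>"), []).append(node)
    return {value: sorted(nodes) for value, nodes in sorted(hits.items())}


if __name__ == "__main__":
    print(search(SCANS, "packages:openssl"))
    # After patching, searching for the version that should no longer exist is the check:
    lagging = search(SCANS, "packages:openssl WITH version:1.0.2a")
    print("still on 1.0.2a:", lagging.get("1.0.2a", []))
```

The post-patch check is the second query: an empty result means no node is lagging, and a non-empty one is the remediation list.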


Group Change Visualization

The node list view now has a visual summary of the most recent changes to each node. If the last scan had an error or a node has gone offline, there will be a red or black bar on the far left. Hovering over the node name will show the scan status. To the right of the node name you will see a visual summary of how many changes happened to each type of configuration in the last change. Each segment of the visualization represents one type of configuration item that UpGuard monitors (files, ports, users, group policies for Windows), so that it is easy to visually determine whether a group of servers was updated identically or whether your last change introduced configuration drift.

Not only can you detect failed or unplanned change by looking for visualizations that deviate from their peers, you can also do a preliminary investigation of the significance of that deviant change. When a new port is opened on only one node, you may be seeing the aftermath of cowboy development practices or the final stages of data exfiltration. In either case, UpGuard immediately alerts you to this anomaly in your configuration state. 


Problem: You had a scheduled change across your fleet of servers. Your team executed the change and everything appears normal, but did they miss anything? Were there any additional unintended changes?

UpGuard solution: Skim through visualizations of each node's last change to catch any deviations at a glance.
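The two investigations described on this page, comparing a misbehaving node to a healthy peer and then walking back through its own scan history (Baseline Discovery), and summarising each node's last change by configuration type to spot the node whose change deviates from its peers (this section), as one added Python example. It is not UpGuard's code; the scan format, node names, port numbers and hashes are constructed. `diff_scans`, `change_summary`, `anomalous_nodes` and `first_seen` are hypothetical helper names.

```python
"""Baseline comparison and change-anomaly detection over node configuration
scans. Added example; the nested-dict scan format, node names and values are
all constructed for illustration and are not UpGuard's data model."""
from collections import Counter


def scan(openssl_version, open_ports, conf_hash):
    """Build one constructed scan: category -> item -> attributes."""
    return {
        "packages": {"openssl": {"version": openssl_version}},
        "ports": {p: {"proto": "tcp"} for p in open_ports},
        "files": {"/etc/app.conf": {"sha256": conf_hash}},
    }


# Constructed scan history per node, oldest first (e.g. one scan per day).
# The planned change in the last scan is the openssl upgrade on every node.
# web-02's config file quietly changed two scans ago; web-03 also gained a port.
HISTORY = {
    "web-01": [scan("1.0.2a", ["443"], "aaaa"), scan("1.0.2a", ["443"], "aaaa"),
               scan("1.0.2g", ["443"], "aaaa")],
    "web-02": [scan("1.0.2a", ["443"], "aaaa"), scan("1.0.2a", ["443"], "bbbb"),
               scan("1.0.2g", ["443"], "bbbb")],
    "web-03": [scan("1.0.2a", ["443"], "aaaa"), scan("1.0.2a", ["443"], "aaaa"),
               scan("1.0.2g", ["443", "9001"], "aaaa")],
}


def diff_scans(old, new):
    """Items whose attributes differ, grouped by category:
    {category: {item: (old_attrs_or_None, new_attrs_or_None)}}."""
    changes = {}
    for cat in sorted(set(old) | set(new)):
        o, n = old.get(cat, {}), new.get(cat, {})
        for item in sorted(set(o) | set(n)):
            if o.get(item) != n.get(item):
                changes.setdefault(cat, {})[item] = (o.get(item), n.get(item))
    return changes


def change_summary(old, new):
    """Number of changed items per category: the per-node bar in the node list."""
    return {cat: len(items) for cat, items in diff_scans(old, new).items()}


def anomalous_nodes(history):
    """Nodes whose last change does not match the change profile most peers share."""
    profiles = {node: tuple(sorted(change_summary(scans[-2], scans[-1]).items()))
                for node, scans in history.items()}
    majority, _ = Counter(profiles.values()).most_common(1)[0]
    return sorted(node for node, profile in profiles.items() if profile != majority)


def first_seen(scans, category, item):
    """Index of the oldest consecutive scan in which the item already had its
    current value, i.e. the scan in which the drift first appeared."""
    current = scans[-1].get(category, {}).get(item)
    idx = len(scans) - 1
    while idx > 0 and scans[idx - 1].get(category, {}).get(item) == current:
        idx -= 1
    return idx


if __name__ == "__main__":
    # Group change view: which node's last change deviates from its peers?
    print("deviating nodes:", anomalous_nodes(HISTORY))
    # Baseline discovery: misbehaving node vs. healthy peer, then back through its history.
    for cat, items in diff_scans(HISTORY["web-01"][-1], HISTORY["web-02"][-1]).items():
        for item in items:
            print(f"web-02 differs from web-01 in {cat}/{item}; "
                  f"introduced in scan #{first_seen(HISTORY['web-02'], cat, item)}")
```

The anomaly check deliberately compares change profiles (how many items of each type changed) rather than the changed values themselves, which is what lets a fleet-wide planned change look identical across nodes while a single extra port on one node stands out.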


Group Differencing

A common problem every organization faces is knowing whether information systems that are supposed to be the same actually are. We have a simple solution: a visual diff that shows every item that differs and how many nodes have each version of the item.

First, navigate to a group of nodes that should be the same. Click "Diff this group" and you will be taken to a heatmap of all the configuration items on those nodes and how they differ. For each configuration item we count the number of nodes that agree on each attribute. For example, packages have attributes for version and install status. We then compare how many nodes "voted" with the majority to the total number of nodes. Items where there is a strong consensus (where nine nodes out of ten agree on the configuration state) will be lighter in color than items where there is more disagreement.

Problem: You manage multiple clusters where servers are supposed to be identical but configuration drift keeps causing incidents. 

UpGuard solution: Restore a healthy baseline by using group differencing to find the problems you already have, then repeat after every change to prevent regressions.
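The consensus computation behind the group diff, as an added Python example (not UpGuard's implementation): every (category, item, attribute) seen on any node in the group is put to a vote, a node that lacks the item votes "absent", and the agreement ratio drives the heatmap shade. The ten-node group, package versions and file hashes are constructed; `consensus`, `drift_items` and `shade` are hypothetical helper names.

```python
"""Group differencing: for every configuration attribute, count how many nodes
in a group agree on each value, and shade items by the strength of that
consensus. Added example, not UpGuard's implementation; the group is constructed."""
from collections import Counter


def base_node():
    """Constructed 'golden' configuration every node in the group should match."""
    return {
        "packages": {"openssl": {"version": "1.0.2g", "status": "installed"},
                     "nginx": {"version": "1.10.3", "status": "installed"}},
        "files": {"/etc/nginx/nginx.conf": {"sha256": "c0ffee"}},
    }


# Ten nodes that should be identical, with three kinds of constructed drift.
GROUP = {f"web-{i:02d}": base_node() for i in range(1, 11)}
GROUP["web-07"]["packages"]["openssl"]["version"] = "1.0.2a"            # one lagging node
for n in ("web-03", "web-05", "web-08", "web-09"):                      # four edited configs
    GROUP[n]["files"]["/etc/nginx/nginx.conf"]["sha256"] = "d15ea5e"
GROUP["web-02"]["packages"]["telnet"] = {"version": "0.17", "status": "installed"}  # extra package


def value_of(node, key):
    """A node's value for (category, item, attribute); '<absent>' if it lacks the item."""
    cat, item, attr = key
    return node.get(cat, {}).get(item, {}).get(attr, "<absent>")


def consensus(group):
    """For each (category, item, attribute) present on any node, tally the
    votes per value and record the majority, agreement ratio and dissenters."""
    keys = {(cat, item, attr)
            for node in group.values()
            for cat, items in node.items()
            for item, attrs in items.items()
            for attr in attrs}
    report = {}
    for key in sorted(keys):
        votes = Counter(value_of(node, key) for node in group.values())
        majority, count = votes.most_common(1)[0]
        report[key] = {
            "majority": majority,
            "agreement": count / len(group),
            "dissenters": sorted(name for name, node in group.items()
                                 if value_of(node, key) != majority),
        }
    return report


def drift_items(report):
    """Keys with any disagreement, weakest consensus first: the heatmap's dark cells."""
    return sorted((k for k, v in report.items() if v["agreement"] < 1.0),
                  key=lambda k: report[k]["agreement"])


def shade(agreement):
    """Heatmap bucket: light for strong consensus, dark for disagreement."""
    if agreement == 1.0:
        return "white"
    if agreement >= 0.9:
        return "light"
    if agreement >= 0.7:
        return "medium"
    return "dark"


if __name__ == "__main__":
    report = consensus(GROUP)
    for key in drift_items(report):
        v = report[key]
        print(f"{shade(v['agreement']):6} {'/'.join(key):40} majority={v['majority']!r} "
              f"agreement={v['agreement']:.0%} dissenters={v['dissenters']}")
```

Treating a missing item as a vote for "absent" is what makes an extra package on a single node show up as a 9-of-10 consensus item rather than disappearing from the comparison; running the same computation after each change is the regression check the solution above describes.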


Start Today

Whether you use Linux or Windows, on premises or in the cloud, UpGuard can provide visibility into the most common and frustrating problems in IT operations management. Contact us today to see these features in action.
