I read The Visible Ops Handbook because a friend told me his company was considering integrating the booklet's ideas into their product line. I had not heard much about the Information Technology Infrastructure Library (ITIL), but I was familiar with the problems caused by poor administration. I perform network incident response (IR), so I am often asked to solve problems in three days that clients have been confronting for three months or years. After reading Visible Ops, I will recommend it to every IR client who asks me to remediate intrusions.
Simply put, Visible Ops provides four simple steps to stop the IT insanity. The book offers a quote attributed to Albert Einstein on p 42: "Insanity is doing the same thing over and over, and expecting a different result." Many organizations have unintentionally embraced this concept, continuing to pursue the same broken administration techniques and wondering when they will ever stop fighting fires. The Visible Ops process is the answer they have been pursuing.
My favorite aspect of the book is its narrative examples. These contain quotes by real administrators and managers and address problems like "the DHCP server, running on a DNS server, built four years ago by a college intern, that no one touches nor understands." Another similarly amusing (and sad) section presents seven steps in the "spectrum of change" on p 36. This ranges from the poor end, like "Oblivious to Change: 'Hey, did the switch just reboot?'" and "Aware of Change: 'Hey, who just rebooted the switch?'" to the most mature option, "Managing Change".
In terms of the booklet's advice, I found it rock solid, especially this recommendation: when a problem occurs, don't log into the infrastructure and begin troubleshooting. Rather, check to see who made the last configuration change. Since "80% of IT and system outages are caused by operator and application errors," and not intruders, those confronting an incident should always begin by looking at themselves, and not outside "hackers."
I also found Appendix A, Preparing for Audits, to be a succinct and helpful look at the worldview of the auditor. The "Controls 101" section described preventative, detective, and corrective controls, which reminded me of the protection, detection, and response phases of the security process. Advice on p 70 also made sense in light of the debate over intrusion detection systems vs "intrusion prevention systems": "Document your preventative controls, and have detective controls in place to show they work." If your IPS is both a preventative and detective control, how do you check when it has failed?
I found few reasons to dislike Visible Ops, but I had enough issues to give only four stars. First, the book needs to be printed in a bigger form factor. Its small size (5x7) shrinks some of the fonts used in various tables to the point of being almost illegible. Second, the booklet is too internally repetitive. This is especially true in the appendices, where points continue to reappear.
Third, I fear that the book, along with all those taking an audit-centric approach to security, sees controls as the be-all, end-all of the security process. It seems too much attention is paid to preventing incidents, with not enough resources devoted to detection and response. Corrective controls, for example, do not receive the attention they deserve. Rebuilding from bare metal is the recovery action of choice in Visible Ops, but rebuilding another vulnerable server strays towards the definition of insanity mentioned earlier.
Overall, I recommend that everyone associated with IT, security, operations, and audit read Visible Ops. The booklet is small enough to read in a few hours, since the main material and Appendix A end on p 73. I look forward to more extensive materials from this excellent team of authors.