© Copyright 12/12/2014 BMC Software, Inc
The SecOps Gap
Dominic Wellington @dwellington
Intelligent Compliance
The Solution is Known
Most breaches exploit known vulnerabilities for which patches are available.
More than 80% of attacks target known vulnerabilities (source: F-Secure)
79% of vulnerabilities have patches available on day of disclosure (source: Secunia)
On average, it takes 30+ days to patch an identified vulnerability (source: Qualys)
[Chart: attacks vs. patches over time, annotated with the 80%, 79% and 30+ days figures above]
Heartbleed
March 14 2012: Vulnerable code introduced into OpenSSL library
What happened?
Heartbleed: a timeline (2014)
April 1: Heartbleed bug disclosed
April 3: heartbleed.com registered, logo created
April 7: Patch available (1.0.1g)
May 8: 318,239 public web servers remain vulnerable
June 21: 309,197 public web servers remain vulnerable
August 18: Community Health Systems hack disclosure
Shellshock
NIST: 10/10
“[…] the breadth of at-risk machines is going to be significantly higher with Shellshock than with Heartbleed.”
A new bug every week
Security problems are like vampires
How do companies get bitten?
Clone old VM template
Reinstall old vulnerable software version
Boot unpatched server
Missed the “unofficial” IT
The SecOps Gap
Intelligent compliance transforms compliance from an activity that is exhausting, risky and incomplete into one that is routine, secure and comprehensive.
Best Practices Guidance for Intelligent Compliance
[Chart: maturity levels over time, from Ad hoc through Standardized and Advanced to Intelligent; process and tools mature from Patch to Assess to Comply]
Intelligent Compliance
[Diagram: Discover, Define, Audit, Remediate and Govern cycle, applied across Server, Network, Database and Middleware]
Discover
Status Quo: Incomplete data; Out of date – systems provisioned faster than discovered
Intelligent Compliance: Data accuracy you can verify and trust; Effortless continuous mapping of infrastructure and applications
You can’t manage what you can’t measure
Replace manual data collection with automatic inventory & relationship discovery
Leverage inventory & relationship data in other IT processes
Application Mapping: Connect data center infrastructure to business applications
Define
Status Quo: Disconnected from operational details; Incomplete specification of requirements
Intelligent Compliance: Pre-defined policies – short time to value; Detailed, actionable definition of desired state
Regulatory Compliance: Sarbanes-Oxley (SOX) 404; Health Insurance Portability & Accountability Act (HIPAA); Payment Card Industry Data Security Standard (PCI DSS)
Security Compliance: Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG); Center for Internet Security (CIS)
Audit
Status Quo: Based on individual interpretation; Inconsistent and incomplete implementation and coverage
Intelligent Compliance: Granular configuration visibility – avoid false positives & false negatives; Regular, scheduled and automated
Different comparison types support different use cases.
LIVE: Identify drift away from desired state; Compare live configurations to a live reference system; Troubleshoot issues caused by configuration discrepancies
SNAPSHOT: Compare the current state to a known good state from a week ago; Compare snapshots to each other to aid troubleshooting
POLICY: Compare the current state to out-of-the-box policies; Use standard policies as templates to build customized operational policy
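The three comparison types above, as an added example that is not BMC's code: a small Python drift checker that diffs a live view of a host against a reference system or an earlier snapshot, and checks the current state against a policy expressed as predicate rules. The configuration keys, the snapshot and the policy rules are all constructed for illustration.

```python
"""Configuration drift checks in the three modes the Audit slide lists:
live-vs-reference, snapshot-vs-snapshot and current-vs-policy.
Added example; the config format and policy rules are constructed, not a BMC format."""
from typing import Callable, Dict, List, Tuple

Config = Dict[str, str]                          # flat key -> value view of one host
Rule = Tuple[str, Callable[[str], bool], str]    # (key, predicate, expectation text)

def diff_configs(current: Config, reference: Config) -> List[str]:
    """Live-vs-live or snapshot-vs-snapshot: report keys that differ, are missing or extra."""
    findings = []
    for key in sorted(set(current) | set(reference)):
        cur, ref = current.get(key), reference.get(key)
        if cur == ref:
            continue
        if ref is None:
            findings.append(f"{key}: extra on current ({cur!r})")
        elif cur is None:
            findings.append(f"{key}: missing on current (reference {ref!r})")
        else:
            findings.append(f"{key}: {cur!r} != reference {ref!r}")
    return findings

def check_policy(current: Config, policy: List[Rule]) -> List[str]:
    """Current-vs-policy: a rule is a predicate on one setting, so a range of values
    can pass without pinning an exact string; an absent setting is a failure."""
    return [f"{key}: {current.get(key)!r} violates '{expectation}'"
            for key, ok, expectation in policy
            if current.get(key) is None or not ok(current[key])]

# Constructed sample data: last week's known-good snapshot and today's live view.
SNAPSHOT_LAST_WEEK: Config = {
    "openssl.version": "1.0.1g", "sshd.PermitRootLogin": "no", "sshd.Protocol": "2",
}
LIVE_TODAY: Config = {
    "openssl.version": "1.0.1f",      # regressed, e.g. by cloning an old VM template
    "sshd.PermitRootLogin": "yes", "sshd.Protocol": "2",
    "telnetd.enabled": "true",        # a setting the snapshot never had
}
# Constructed hardening policy (illustrative, not an actual CIS or STIG rule set).
# String comparison is enough for the 1.0.1x versions in this sample.
HARDENING_POLICY: List[Rule] = [
    ("sshd.PermitRootLogin", lambda v: v == "no", "root login over SSH disabled"),
    ("sshd.Protocol", lambda v: v == "2", "SSH protocol 2 only"),
    ("openssl.version", lambda v: v >= "1.0.1g", "OpenSSL patched for Heartbleed (>= 1.0.1g)"),
    ("telnetd.enabled", lambda v: v == "false", "telnet service disabled"),
]

if __name__ == "__main__":
    for line in diff_configs(LIVE_TODAY, SNAPSHOT_LAST_WEEK) + check_policy(LIVE_TODAY, HARDENING_POLICY):
        print(line)
```

Swap the reference argument for a second live host's view to get the live-vs-reference comparison; the diff logic is the same.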
Remediate
Status Quo: No way to verify success; Risk of introducing additional issues; No way to roll back changes
Intelligent Compliance: Granular configuration changes – co-exist with other tools and approaches; Built-in rollback in case of failure or unforeseen consequences
Close the SecOps Gap
Automated remediation – no scripting
Automated rollback in case of problems
Support for exceptions to standard policy
[Chart: 44%, 32% and 45% reductions]
Govern
Status Quo: Manual entry (time consuming, error prone); Lack of trust in data; No process enforcement
Intelligent Compliance: Consistent audit trail and automatic documentation of actions & exceptions; Process governance – change approval, maintenance windows, collision avoidance
Orchestrate Automation and ITSM
Key takeaways
1. Compliance is a big problem. The consequences of getting it wrong are severe.
2. Neither Security nor Operations can fix it alone. Different teams need to work together.
3. There is no one-size-fits-all solution. No single product can solve this problem either.
4. Tackle this problem in stages. No need to solve the whole problem at once.
Dominic Wellington @dwellington
http://www.bmc.com/it-solutions/intelligent-compliance.html
Thank You.