Get Complete IT Compliance:Reduce Risk and Cost
Jonathan Trull @jonathantrullCISO, Qualys
Seth Corder @cordersethAutomation Specialist, BMC
The Great Divide
2
DevOps
Security
3
Attack-Defend Cycle (OODA Loop)
4
Threats + Vulnerabilities = Breaches
5
Major Constraints on DevOps and Security Teams
6
Laws of Vulnerabilities• Half-Life – time interval for reducing occurrence of a vulnerability by half.
• Prevalence – turnover rate of vulnerabilities in the “Top 20” list during a year.
• Persistence – total lifespan of vulnerabilities
• Exploitation – time interval between an exploit announcement and the first attack
7
Half-Life
• 29.5 Days
8
Persistence
• Indefinite• Stabilize at 5-10%
9
Exploitation• Average: < 10 days
• Critical client vulnerabilities: < 48 hours– Exploit Kits offer money back guarantees / Next day delivery
10
Bridging the Divide
• Vulnerability and configuration management should be an essential part of any security program
• Learn to speak the same language
• Integrate VM/CM solution with patch & configuration management systems, asset inventory systems, ticketing systems, configuration systems (BMC BladeLogic), and reporting systems for best results
11
Continuous Security and Compliance
12
Continuous Security and Compliance
13
Continuous Security and Compliance
14
Continuous Security and Compliance
15
ATTACKS
80%
More than 80% of attacks target known vulnerabilities
79%
PATCHES
79% of vulnerabilities have patches available on day of
disclosure
Most breaches exploit known vulnerabilities
So why do breaches still happen?
193Days to resolve vulnerabilities
Coverage – you can’t patch what you don’t knowDowntime – hard to schedule maintenance times with usersComplexity – dependencies make it hard to isolate actions
The SecOps Gap
OperationsSecurityReduce downtime
80% of downtime due to misconfigurations
Close the window of vulnerability
193 days to patch known vulnerabilities
Records breached in 2014
1,023,108,267Number of breach incidents
1,541Breached records increase from last year
78%
The results of disconnected security
Closed-Loop Compliance
DISCOVER
REMEDIATE DEFINE
AUDIT
GOVERN
BMC and Qualys
DISCOVER
REMEDIATE DEFINE
AUDIT
GOVERN
Identify unmanaged systems (“shadow IT”)
01
Reconcile data from different repositories
02
Plan and execute complete remediation actions
04Assess true security status
03
Prioritize by vulnerability, business priority, or logical grouping
05Integrate change approval process & full audit trail
06
The SecOps Portal
Remediation
How to schedule vulnerabilities to be fixed using patches
Emergency FixRequest
Approval
“Go Fix It button”
Select what to remediate
Scheduling & Approvals
How to select and schedule vulnerabilities that can be fixed using configuration packages.
Use a Config package
Configuration Packages
Job results for remediation group actions
Results
Next StepsFor more information on Intelligent Compliance and Closing the SecOps Gap:
- Contacts- Seth Corder– @corderseth- Jonathon Trull – @jonathantrull- www.bmc.com/CloseSecOpsGap
- Resources- The webinar replay link and other resources will be emailed to you
after the webinar.
- Additional resources online- www.bmc.com/SecOps- www.qualys.com
Sources"More than 90% of recent breaches were preventable– remediation for exploited vulnerabilities was available on the day each breach occurred and, if applied, would likely have averted the breach." - Online Trust Alliance (OTA), 2015 Data Protection Best Practices and Risk Assessment Guides"The average cost of a data breach to a company has reached $195 per record lost, or around US $5.85 million per breach event.", "Research indicates 43% of firms had a data breach in the past year." - "Ponemon Cost of Data Breach 2013", 2014 Cost of Data Breach Study, Ponemon Institute, May 5, 2014"70% of companies hit by data breaches in 2014 learned of the breach from outsiders." - PWC 2014 Information Security Breaches Survey www.pwc.co.uk/assets/pdf/cyber-security-2014-exec-summary.pdf"79% of vulnerabilities have patches available on day of disclosure." - Secunia Research: The Secunia Vulnerability Report 2014"More than 80% of attacks target known vulnerabilities" - F-Secure: Companies Risking Their Assets with Outdated Software"On average, it takes 193 days to patch an identified vulnerability." - WEBSITE SECURITY STATISTICS REPORT - WhiteHat Security https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf"1.1 billion records were compromised (that are known) across 3014 data breach incidents in 2014." - Risk Based Security has released its 2014 Year-End Data Breach QuickView Report http://www.riskbasedsecurity.com/reports/2014-YEDataBreachQuickView.pdf"Many firms feel their annual security budgets are only about 50% of what they really need to adequately address the problem."- EY, Under Cyber Attack: EY's Global Information Security Survey http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf"61% of CEOs are concerned about security, up from 48% last year." - PwC’s 18th Annual Global CEO Survey"According to Mandiant, the median time taken for organizations to detect that threat groups are present on their network is 229 days— just a few days shy of eight months." - 2014 Threat Report - Mandiant https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
Thank you!Questions?
Find out more: bmc.com/secops