Closing the SecOps Gap


Get Complete IT Compliance:
Reduce Risk and Cost
Jonathan Trull @jonathantrull
CISO, Qualys
Seth Corder @corderseth
Automation Specialist, BMC
The Great Divide
DevOps
Security
Attack-Defend Cycle (OODA Loop)
Threats + Vulnerabilities = Breaches
Major Constraints on DevOps and Security Teams
Laws of Vulnerabilities
• Half-Life – time interval for reducing occurrence of a vulnerability by half.
• Prevalence – turnover rate of vulnerabilities in the “Top 20” list during a year.
• Persistence – total lifespan of vulnerabilities.
• Exploitation – time interval between an exploit announcement and the first attack.
Half-Life
• 29.5 Days
Persistence
• Indefinite
• Stabilize at 5-10%
Exploitation
• Average: < 10 days
• Critical client vulnerabilities: < 48 hours
– Exploit Kits offer money back guarantees / Next day delivery
Bridging the Divide
• Vulnerability and configuration management should be an essential part of any security program
• Learn to speak the same language
• Integrate VM/CM solution with patch & configuration management systems, asset inventory systems, ticketing systems, configuration systems (BMC BladeLogic), and reporting systems for best results
Continuous Security and Compliance
Most breaches exploit known vulnerabilities
• Attacks: more than 80% of attacks target known vulnerabilities
• Patches: 79% of vulnerabilities have patches available on day of disclosure
So why do breaches still happen?
• 193 days to resolve vulnerabilities
• Coverage – you can’t patch what you don’t know
• Downtime – hard to schedule maintenance times with users
• Complexity – dependencies make it hard to isolate actions
The SecOps Gap
• Security – close the window of vulnerability: 193 days to patch known vulnerabilities
• Operations – reduce downtime: 80% of downtime due to misconfigurations
The results of disconnected security
• Records breached in 2014: 1,023,108,267
• Number of breach incidents: 1,541
• Breached records increase from last year: 78%
Closed-Loop Compliance
• Cycle stages: DISCOVER, DEFINE, AUDIT, REMEDIATE, GOVERN
BMC and Qualys
• 01 DISCOVER – Identify unmanaged systems (“shadow IT”)
• 02 DEFINE – Reconcile data from different repositories
• 03 AUDIT – Assess true security status
• 04 – Plan and execute complete remediation actions
• 05 REMEDIATE – Prioritize by vulnerability, business priority, or logical grouping
• 06 GOVERN – Integrate change approval process & full audit trail
The SecOps Portal
Remediation
Scheduling & Approvals
How to schedule vulnerabilities to be fixed using patches
• Select what to remediate
• Request Approval
• Emergency Fix (“Go Fix It button”)
Configuration Packages
How to select and schedule vulnerabilities that can be fixed using configuration packages.
• Use a Config package
Results
Job results for remediation group actions
Next Steps
For more information on Intelligent Compliance and Closing the SecOps Gap:
• Contacts
– Seth Corder – @corderseth
– Jonathan Trull – @jonathantrull
– www.bmc.com/CloseSecOpsGap
• Resources
– The webinar replay link and other resources will be emailed to you after the webinar.
• Additional resources online
– www.bmc.com/SecOps
– www.qualys.com
Sources
• "More than 90% of recent breaches were preventable – remediation for exploited vulnerabilities was available on the day each breach occurred and, if applied, would likely have averted the breach." - Online Trust Alliance (OTA), 2015 Data Protection Best Practices and Risk Assessment Guides
• "The average cost of a data breach to a company has reached $195 per record lost, or around US $5.85 million per breach event.", "Research indicates 43% of firms had a data breach in the past year." - "Ponemon Cost of Data Breach 2013", 2014 Cost of Data Breach Study, Ponemon Institute, May 5, 2014
• "70% of companies hit by data breaches in 2014 learned of the breach from outsiders." - PWC 2014 Information Security Breaches Survey www.pwc.co.uk/assets/pdf/cyber-security-2014-exec-summary.pdf
• "79% of vulnerabilities have patches available on day of disclosure." - Secunia Research: The Secunia Vulnerability Report 2014
• "More than 80% of attacks target known vulnerabilities" - F-Secure: Companies Risking Their Assets with Outdated Software
• "On average, it takes 193 days to patch an identified vulnerability." - WEBSITE SECURITY STATISTICS REPORT - WhiteHat Security https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
• "1.1 billion records were compromised (that are known) across 3014 data breach incidents in 2014." - Risk Based Security has released its 2014 Year-End Data Breach QuickView Report http://www.riskbasedsecurity.com/reports/2014YEDataBreachQuickView.pdf
• "Many firms feel their annual security budgets are only about 50% of what they really need to adequately address the problem." - EY, Under Cyber Attack: EY's Global Information Security Survey http://www.ey.com/Publication/vwLUAssets/EY__2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
• "61% of CEOs are concerned about security, up from 48% last year." - PwC’s 18th Annual Global CEO Survey
• "According to Mandiant, the median time taken for organizations to detect that threat groups are present on their network is 229 days – just a few days shy of eight months." - 2014 Threat Report - Mandiant https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf
Thank you!
Questions?
Find out more: bmc.com/secops