Avoiding Data Breaches in 2016: What You Need to Know

Avoiding Data Breaches in 2016:
What You Need to Know
David Monahan
Research Director
Enterprise Management Associates (EMA)
David Cramer
VP of Product Management
BMC

Today’s Presenters
Slide 2 © 2016 Enterprise Management Associates, Inc.
David Monahan – Research Director, Risk and Security
David is a senior information security executive with several years of experience.
He has organized and managed both physical and information security programs,
including security and network operations (SOCs and NOCs) for organizations
ranging from Fortune 100 companies to local government and small public and
private companies.
David Cramer, VP of Product Management, BMC
David joined BMC in 2015 and serves as Vice President of Product Management for
the Cloud/DCA business unit. Prior to BMC, David was head of product management
for CA Technologies. During his tenure at CA, David was responsible for application
delivery, cloud management, virtualization and Infrastructure automation solutions.
Before joining CA, David held executive positions at AlterPoint, Motive, NetSolve, and
Nortel Networks.

Logistics for Today’s Webinar
Questions
• An archived version of the event recording
will be available at
www.enterprisemanagement.com
• Log questions in the Q&A panel located on the
lower right corner of your screen
• Questions will be addressed during the Q&A
session of the event
Event recording
Event presentation
• A PDF of the PowerPoint presentation will be
emailed to you as part of the follow-up email.

© Copyright 5/20/2016 BMC Software, Inc5
WE LIVE IN AN INCREASINGLY
DIGITAL WORLD

© 2016 Enterprise Management Associates, Inc.
• Cyber-security/ Information Security
was an afterthought, Obligation, or
low priority insurance policy
• 51%: Spending Between 10%-24% of
IT Budget on Security
• 26%: Spending Between 20% and 30%
(They are Playing Catchup)
Have We Been Sitting in a Pot Coming to a Boil?

Keeping Organizations Secure Against Cyber
Criminals Has Never Been Tougher
97% of executives expect a rise in data breach
attempts in the next 12 months
As a result, 99% plan to invest more in security in the
next 12 months than they did in 2015.

BMC Study Shows:
Many Breaches Are Avoidable
of executives say security
breaches occur even when
vulnerabilities and their
remediation have already been
identified
44% “There’s so many more vectors that are
easier, less risky and quite often more
productive than going down that route.
This includes, of course, known
vulnerabilities for which a patch is
available but the owner hasn’t installed it.”
Rob Joyce, Chief of NSA’s Tailored Access
Operations

Decline of Baselines and Asset Prioritization

Decline in Monitoring High Value Assets

Decline in Security Confidence
79% of organizations were only “somewhat confident” to “highly doubtful” that
their security program could detect a security incident before it had a significant
impact on their environment.

CVE®
(Common Vulnerabilities and Exposures)
Total Count (Oct 8, 2015): 71,951
Total Count (Nov 15, 2015): 72,805
854
(New bulletins)
38 Days
22
(per day)
8030
(per year)
“A dictionary of common security exposures and vulnerabilities”
What you know and don’t fix can
hurt you

Even “small” threats can cause “BIG” issues……
ATTACKS
80%
More than 80% of attacks target
known vulnerabilities
99.9%
FIX READY
99.9% of exploits were
compromised over a year after
the CVE was published

Visibility – you can’t
patch what you don’t
know
Downtime – hard to
schedule maintenance
times with users
Complexity –
dependencies make it
hard to isolate actions
So Why Do Vulnerabilities Go
Unaddressed?
193Days to resolve
average vulnerability

Complexity and Lack of Visibility
 Drivers for Lack of Value in Tools
 #2 Tools do not provide adequate correlation of data to
business impact
 #5 Tools do not provide enough visibility into the ways
threats appear and/or propagate in the environment
 Over 90% of Outages Caused by Unscheduled or
Undocumented Changes
 #2 Tools do not provide adequate correlation of data to
business impact
 Complexity is the bane of Security
 Complexity in Tools = shelf-ware, thus lack of ROI
 Complexity in Architectures= Security Gaps and failures

OperationsSecurity
Reduce downtime
80% of downtime due to
misconfigurations
Close the window of
vulnerability
43% of companies have
had a data breach

A Three-Pronged Game Plan
To stay on top of today’s complexities, threats and opportunities,
large enterprises are developing SecOps strategies that focus on
three core areas:
People
Security and operations professionals share aligned goals for
making business systems more secure and reliable
Processes
Guide and integrate the activities and data sets of key
stakeholders in security and IT operations
Technology
Enable efficient, consistent and integrated processes to enable IT
Operations and Security efforts

People Problems
68% of Organizations are Experiencing Security Staffing Problems!

Integration and Scalability are Crucial for Security!
• We Can’t Just Throw People at the Problem!
• 95% Organizations with 10 or less FTE
Experienced More Than 100 Severe/Critical
security alerts PER DAY
• 70%: Scalability of Automation is Important to
Meet Compliance Needs
• 93%: Integration is Important for Security

Where Do Organization Stand
• 88%: Integration is important for
Vulnerability Mgmt.
• 71%: Ease of Use Important for Vulnerability
Mgmt.
• 82%: Scalability is Important for Automation
solutions
• 87% : Scalability is Important when dealing
with Vulnerability Mgmt.

BMC BladeLogic: Relentless Remediation
Drag picture to placeholder or click
icon to add
Automate to eliminate threats before they become a breach
entry point
• Automatic correlation of discovered
vulnerabilities and BSA patches
— Filter to systems through operational
views
— Deploy remediation actions
• Network vulnerability identification and
remediation action capabilities
• Direct integration with Change
Management
Reduce cost and time
associated with remediating
vulnerabilities

Threats are neutralized….is that it?
52% of enterprise leaders equate
regulatory compliance with tighter security.
“We must sustain our operations and defenses before, during, and after an attack
by reducing the attack surface, continually improving defensive cyberspace
operations, and effectively commanding and controlling the DODIN.”
DISA Strategic Plan

BMC BladeLogic: Vigilant Compliance
Drag picture to placeholder or click
icon to add
Manage by policy, not just by alert…

Criteria That Decision Makers Consider Important in
SecOps Solutions
62% 58% 50%
Want flexibility to tailor the
solution to the specific
regulations in their industry
want integration with
service desks and change-
management processes
Share that they want
reporting for compliance
audits

Customer Success with SECOPS
State of Michigan
Reduced time for Audit report creation from
32 hours to 15 minutes
Reduced time for server provisioning from
2 months to 5 days
Reduced 9,000+ staff hours by
automatically remediating 94,273events

Log Your Questions in the Q&A Panel
Learn More About Leading IT Analyst Firm Enterprise
Management Associates:
http://www.enterprisemanagement.com

Avoiding Data Breaches in 2016: What You Need to Know

More Related Content

What's hot

Viewers also liked

Similar to Avoiding Data Breaches in 2016: What You Need to Know

More from Enterprise Management Associates

Recently uploaded

Avoiding Data Breaches in 2016: What You Need to Know