© Copyright 1/6/2015 BMC Software, Inc.
Protect Your Systems From the Next Security Scandal
Best Practices Guidance for Intelligent Compliance
Dominic Wellington
@dwellington
Intelligent Compliance
The Solution is Known
Most breaches exploit known vulnerabilities for which patches are available.
(Chart: attacks versus patches over time.)
- 80%: more than 80% of attacks target known vulnerabilities (source: F-Secure)
- 79%: 79% of vulnerabilities have patches available on the day of disclosure (source: Secunia)
- 30+ days: on average, it takes 30+ days to patch an identified vulnerability (source: Qualys)
Heartbleed
What happened?
March 14 2012: vulnerable code introduced into the OpenSSL library.
Heartbleed: a timeline (2014)
- Heartbleed bug disclosed
- heartbleed.com registered, logo created
- Patch available (1.0.1g)
- 318,239 public web servers remain vulnerable
- 309,197 public web servers remain vulnerable
- Community Health Systems hack disclosure
(Timeline axis dates: April 1, April 3, April 7, May 8, June 21, August 18, 2014.)
“[…] the breadth of at-risk machines is going to be significantly higher with Shellshock than with Heartbleed.”
Shellshock
NIST: 10/10
A new bug every week
Security problems are like vampires
How do companies get bitten?
- Clone an old VM template
- Reinstall an old, vulnerable software version
- Boot an unpatched server
- Missed the “unofficial” IT
The SecOps Gap
Intelligent compliance transforms compliance from an activity that is exhausting, risky and incomplete into one that is routine, secure and comprehensive.
Best Practices Guidance for Intelligent Compliance
(Chart: maturity levels over time.)
Process maturity levels: ad hoc, standardized, advanced, intelligent.
Tool maturity levels: patch, assess, comply.
Intelligent Compliance
(Cycle: Discover, Define, Audit, Remediate, Govern, applied across Server, Network, Database and Middleware.)
Discover
Status quo:
- Incomplete data
- Out of date – systems provisioned faster than discovered
Intelligent Compliance:
- Data accuracy you can verify and trust
- Effortless continuous mapping of infrastructure and applications
You can’t manage what you can’t measure
- Replace manual data collection with automatic inventory & relationship discovery
- Leverage inventory & relationship data in other IT processes
- Application Mapping: connect data center infrastructure to business applications
Define
Status quo:
- Disconnected from operational details
- Incomplete specification of requirements
Intelligent Compliance:
- Pre-defined policies – short time to value
- Detailed, actionable definition of desired state
Regulatory Compliance
- Sarbanes-Oxley (SOX) 404
- Health Insurance Portability & Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
Security Compliance
- Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)
- Center for Internet Security (CIS)
Audit
Status quo:
- Based on individual interpretation
- Inconsistent and incomplete implementation and coverage
Intelligent Compliance:
- Granular configuration visibility – avoid false positives & false negatives
- Regular, scheduled and automated
Identify drift away from desired state
Different comparison types support different use cases.
LIVE:
- Compare live configurations to a live reference system
- Troubleshoot issues caused by configuration discrepancies
SNAPSHOT:
- Compare the current state to a known good state from a week ago
- Compare snapshots to each other to aid troubleshooting
POLICY:
- Compare the current state to out-of-the-box policies
- Use standard policies as templates to build customized operational policy
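As an added example (not from this deck and not BMC's code), the three comparison types above as a small drift checker over constructed configuration dicts: the same diff serves live-to-live and current-to-snapshot comparison, while the policy check only examines the settings the policy names, which is how it avoids the false positives the Audit slide mentions. All setting names and values are hypothetical sample data.

```python
# Added example (not from the BMC deck): the three comparison types as a
# drift checker over plain dicts. All sample data below is constructed.
from typing import Any, Dict, List, Tuple

Config = Dict[str, Any]
Finding = Tuple[str, Any, Any]  # (setting, observed, expected)
MISSING = "<missing>"

def diff_configs(current: Config, reference: Config) -> List[Finding]:
    """LIVE and SNAPSHOT comparisons: report every setting whose value
    differs from the reference (a live peer or a saved snapshot),
    including settings present on only one side."""
    findings = []
    for key in sorted(set(current) | set(reference)):
        cur, ref = current.get(key, MISSING), reference.get(key, MISSING)
        if cur != ref:
            findings.append((key, cur, ref))
    return findings

def check_policy(current: Config, policy: Dict[str, Dict[str, Any]]) -> List[Finding]:
    """POLICY comparison: each rule requires an exact value, a maximum or a
    minimum. Settings the policy does not mention are ignored, so local
    customisation elsewhere does not produce false positives."""
    findings = []
    for key, rule in policy.items():
        cur = current.get(key, MISSING)
        if cur == MISSING:
            findings.append((key, cur, rule))
        elif "equals" in rule and cur != rule["equals"]:
            findings.append((key, cur, rule["equals"]))
        elif "max" in rule and cur > rule["max"]:
            findings.append((key, cur, f"<= {rule['max']}"))
        elif "min" in rule and cur < rule["min"]:
            findings.append((key, cur, f">= {rule['min']}"))
    return findings

# Constructed sample: an sshd-style config plus the installed OpenSSL version.
SNAPSHOT_LAST_WEEK = {"PermitRootLogin": "no", "MaxAuthTries": 4, "openssl": "1.0.1g"}
CURRENT = {"PermitRootLogin": "yes", "MaxAuthTries": 4, "openssl": "1.0.1f",
           "Banner": "/etc/issue"}
POLICY = {"PermitRootLogin": {"equals": "no"}, "MaxAuthTries": {"max": 4},
          "openssl": {"equals": "1.0.1g"}}

def drift_report() -> Dict[str, List[Finding]]:
    return {"snapshot": diff_configs(CURRENT, SNAPSHOT_LAST_WEEK),
            "policy": check_policy(CURRENT, POLICY)}

if __name__ == "__main__":
    for kind, findings in drift_report().items():
        print(kind, findings)
```

The snapshot diff flags the added Banner setting as drift, while the policy check stays silent about it because no rule names it.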
Remediate
Status quo:
- No way to verify success
- Risk of introducing additional issues
- No way to roll back changes
Intelligent Compliance:
- Granular configuration changes – co-exist with other tools and approaches
- Built-in rollback in case of failure or unforeseen consequences
Close the SecOps Gap
- Automated remediation – no scripting
- Automated rollback in case of problems
- Support for exceptions to standard policy
(Chart: 44% reduction, 32% reduction, 45% reduction.)
Govern
Status quo:
- Manual entry (time consuming, error prone)
- Lack of trust in data
- No process enforcement
Intelligent Compliance:
- Consistent audit trail and automatic documentation of actions & exceptions
- Process governance – change approval, maintenance windows, collision avoidance
Orchestrate Automation and ITSM
Key takeaways
1. Compliance is a big problem: the consequences of getting it wrong are severe.
2. Neither Security nor Operations can fix it alone: different teams need to work together.
3. There is no one-size-fits-all solution: no single product can solve this problem either.
4. Tackle this problem in stages: there is no need to solve the whole problem at once.
Dominic Wellington (@dwellington)
bmc.com/intelligentcompliance
Thank You.


Editor's Notes
Slide 12: Here’s a quick refresh on the value path.