The SecOps Gap 
© Copyright 12/12/2014 BMC Software, Inc
Intelligent Compliance 
Dominic Wellington 
@dwellington 
The Solution is Known
Most breaches exploit known vulnerabilities for which patches are available.
[Chart: attacks vs patches over time]
- More than 80% of attacks target known vulnerabilities (source: F-Secure)
- 79% of vulnerabilities have patches available on the day of disclosure (source: Secunia)
- On average, it takes 30+ days to patch an identified vulnerability (source: Qualys)
Heartbleed
What happened?
March 14, 2012: vulnerable code introduced into the OpenSSL library (shipped in the OpenSSL 1.0.1 release).
Heartbleed: a timeline (2014)
- April 1: Heartbleed bug disclosed to the OpenSSL team
- April 3: heartbleed.com registered, logo created
- April 7: patch available (OpenSSL 1.0.1g) and public disclosure
- May 8: 318,239 public web servers remain vulnerable
- June 21: 309,197 public web servers remain vulnerable
- August 18: Community Health Systems hack disclosure
Between the May 8 and June 21 scans the vulnerable count fell by only about 9,000, more than two months after the fix shipped. That gap between patch availability and patch deployment is the attack window.
Shellshock
“[…] the breadth of at-risk machines is going to be significantly higher with Shellshock than with Heartbleed.”
NIST: 10/10
A new bug every week
Security problems are like vampires
How do companies get bitten?
- Clone an old VM template
- Reinstall an old, vulnerable software version
- Boot an unpatched server
- Miss the “unofficial” (shadow) IT
Each of these brings back a vulnerability that was already patched elsewhere, so patching the running hosts is not enough: templates, images and the inventory itself have to be kept current.
The SecOps Gap 
Intelligent compliance transforms compliance from an activity that is exhausting, risky and incomplete into one that is routine, secure and comprehensive.
Best Practices Guidance for Intelligent Compliance
[Chart: maturity levels over time, from Ad hoc through Patch, Tools, Process and Standardized to Advanced; stages Assess, Comply, Intelligent]
Intelligent Compliance
[Diagram: a cycle of Discover, Define, Audit, Remediate and Govern, applied across server, network, database and middleware]
Discover
Status quo:
- Incomplete data
- Out of date – systems provisioned faster than discovered
Intelligent compliance:
- Data accuracy you can verify and trust
- Effortless continuous mapping of infrastructure and applications
You can’t manage what you can’t measure
- Replace manual data collection with automatic inventory & relationship discovery
- Leverage inventory & relationship data in other IT processes
- Application mapping: connect data center infrastructure to business applications
Define
Status quo:
- Disconnected from operational details
- Incomplete specification of requirements
Intelligent compliance:
- Pre-defined policies – short time to value
- Detailed, actionable definition of desired state
Regulatory compliance:
- Sarbanes-Oxley (SOX) 404
- Health Insurance Portability & Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
Security compliance:
- Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)
- Center for Internet Security (CIS) benchmarks
Audit
Status quo:
- Based on individual interpretation
- Inconsistent and incomplete implementation and coverage
Intelligent compliance:
- Granular configuration visibility – avoid false positives & false negatives
- Regular, scheduled and automated
Identify drift away from desired state
Different comparison types support different use cases.
- Live: compare live configurations to a live reference system; troubleshoot issues caused by configuration discrepancies.
- Snapshot: compare the current state to a known-good state from a week ago; compare snapshots to each other to aid troubleshooting.
- Policy: compare the current state to out-of-the-box policies; use standard policies as templates to build customized operational policy.
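The three comparison types above, as an added example. This is illustrative code written for this page, not BMC's product or its API. It assumes a host's relevant settings can be flattened into "Key value" lines; the two host captures, the policy rules and the OpenSSL version floor (the 1.0.1g fix version from the Heartbleed timeline) are constructed for the example. The version rule also covers the "reinstall an old, vulnerable software version" case from earlier in the deck.

```python
"""Drift detection with the three comparison types: live, snapshot and policy.

Added example (not BMC code). It assumes a host's relevant settings can be
flattened to 'Key value' lines; the sample inputs below are constructed.
"""
from __future__ import annotations

import json
import re

# Constructed sample: settings captured from a live host (not real data).
LIVE_HOST = """\
# sshd settings plus the OpenSSL version reported by the package manager
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
X11Forwarding yes
OpenSSL 1.0.1f
"""

# Constructed sample: a hardened reference host used for the LIVE comparison.
REFERENCE_HOST = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
Protocol 2
OpenSSL 1.0.1g
"""


def parse_kv(text: str) -> dict:
    """Parse 'Key value' lines into a dict; blank lines and '#' comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key] = value.strip()
    return cfg


def diff_configs(current: dict, reference: dict) -> dict:
    """LIVE or SNAPSHOT comparison: keys whose values differ, as (current, reference).

    None on one side means the setting is absent there, which is itself drift:
    a missing key silently falls back to the daemon's default.
    """
    return {
        key: (current.get(key), reference.get(key))
        for key in sorted(set(current) | set(reference))
        if current.get(key) != reference.get(key)
    }


def snapshot(config: dict) -> str:
    """Serialise a known-good state (sorted keys so two snapshots diff cleanly)."""
    return json.dumps(config, sort_keys=True)


def load_snapshot(blob: str) -> dict:
    return json.loads(blob)


def openssl_key(version: str) -> tuple:
    """Sort key for OpenSSL 1.x-style versions ('1.0.1f' < '1.0.1g' < '1.0.2').

    Caveat: distributions often backport fixes without bumping the upstream
    version string, so a bare version compare can raise a false positive;
    check the distro package version or the fix itself in that case.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


# POLICY comparison: each rule decides explicitly what an absent value (None)
# means, so 'setting not present' cannot slip through as a pass (false negative).
POLICY = {
    "PermitRootLogin": lambda v: v == "no",
    "PasswordAuthentication": lambda v: v == "no",
    "Protocol": lambda v: v == "2",
    "X11Forwarding": lambda v: v in (None, "no"),  # absent = sshd default (no)
    "OpenSSL": lambda v: v is not None and openssl_key(v) >= openssl_key("1.0.1g"),
}


def check_policy(config: dict, policy: dict) -> dict:
    """Return failing keys -> observed value (None when the setting is absent)."""
    return {key: config.get(key) for key, rule in policy.items() if not rule(config.get(key))}


if __name__ == "__main__":
    live, ref = parse_kv(LIVE_HOST), parse_kv(REFERENCE_HOST)
    print("live vs reference:", diff_configs(live, ref))
    print("live vs last week's snapshot:", diff_configs(live, load_snapshot(snapshot(ref))))
    print("policy failures:", check_policy(live, POLICY))
```

The live and snapshot comparisons are the same diff over different inputs; only the policy comparison needs rules, and the rules must say what an absent setting means, which is where scanners produce the false negatives the Audit slide warns about.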
Remediate
Status quo:
- No way to verify success
- Risk of introducing additional issues
- No way to roll back changes
Intelligent compliance:
- Granular configuration changes – co-exist with other tools and approaches
- Built-in rollback in case of failure or unforeseen consequences
Close the SecOps Gap
- Automated remediation – no scripting
- Automated rollback in case of problems
- Support for exceptions to standard policy
[Chart: three results of 44%, 32% and 45% reduction]
Govern
Status quo:
- Manual entry (time consuming, error prone)
- Lack of trust in data
- No process enforcement
Intelligent compliance:
- Consistent audit trail and automatic documentation of actions & exceptions
- Process governance – change approval, maintenance windows, collision avoidance
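The Remediate and Govern points above (granular changes with built-in rollback and verification, approved exceptions, change approval, maintenance windows, an audit trail) as one added example. This is illustrative code written for this page, not BMC's product or its API. It assumes a host's settings are a flat dict, that a change is applied through a caller-supplied function, and that the governance inputs (change ticket, window, exception list) are passed in by the caller; the host states, ticket numbers and timestamps are constructed.

```python
"""Remediation with snapshot rollback, approved exceptions and an audit trail.

Added example (not BMC code). Hosts, tickets and times below are constructed.
"""
from __future__ import annotations

import copy
from datetime import datetime, timezone


class RemediationError(Exception):
    """Raised after a failed change has been rolled back."""


def in_window(now: datetime, start_hour: int, end_hour: int) -> bool:
    """True when `now` falls inside the [start_hour, end_hour) maintenance window."""
    return start_hour <= now.hour < end_hour


def remediate(config: dict, desired: dict, apply_fn, *, change_ticket: str,
              now: datetime, window=(2, 5), exceptions=frozenset(), audit=None) -> list:
    """Bring `config` to `desired` one key at a time, verifying each change.

    Governance built in: no change without a ticket reference; runs outside the
    maintenance window are deferred, not applied; keys in `exceptions` are
    recorded as approved deviations rather than 'fixed'. Any failure restores
    the pre-run snapshot (including changes already applied in this run).
    Returns the audit trail, a list of dicts recording every action taken.
    """
    audit = [] if audit is None else audit
    ts = now.isoformat()
    if not change_ticket:
        raise ValueError("remediation requires an approved change ticket")
    if not in_window(now, *window):
        audit.append({"ts": ts, "ticket": change_ticket, "action": "deferred",
                      "reason": "outside maintenance window"})
        return audit
    snapshot = copy.deepcopy(config)  # rollback point for the whole run
    for key, value in desired.items():
        before = config.get(key)
        if key in exceptions:
            audit.append({"ts": ts, "ticket": change_ticket, "key": key,
                          "action": "exception", "observed": before})
            continue
        if before == value:
            continue  # already compliant, nothing to change
        try:
            apply_fn(config, key, value)
            if config.get(key) != value:  # read back; do not trust apply_fn
                raise RuntimeError(f"{key} reads back as {config.get(key)!r}")
        except Exception as exc:
            config.clear()
            config.update(snapshot)
            audit.append({"ts": ts, "ticket": change_ticket, "key": key,
                          "action": "rollback", "reason": str(exc)})
            raise RemediationError(f"rolled back after failure on {key}: {exc}") from exc
        audit.append({"ts": ts, "ticket": change_ticket, "key": key,
                      "action": "set", "before": before, "after": value})
    return audit


def set_value(config: dict, key: str, value: str) -> None:
    """Apply function for the example: edits the dict directly. A real one
    would write the file and reload the service."""
    config[key] = value


def failing_on(bad_key: str):
    """Apply function that fails on one key, to exercise the rollback path."""
    def apply_fn(config, key, value):
        if key == bad_key:
            raise RuntimeError("service refused to reload")
        config[key] = value
    return apply_fn


# Constructed inputs for the demo (hypothetical desired state, tickets and times).
DESIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "X11Forwarding": "no"}
IN_WINDOW = datetime(2014, 12, 12, 3, 0, tzinfo=timezone.utc)
OUT_OF_WINDOW = datetime(2014, 12, 12, 14, 0, tzinfo=timezone.utc)


def fresh_host() -> dict:
    """Constructed non-compliant host state."""
    return {"Port": "22", "PermitRootLogin": "yes",
            "PasswordAuthentication": "yes", "X11Forwarding": "yes"}


def demo() -> dict:
    """Run the three paths: success with an exception, failure with rollback, deferral."""
    ok_host = fresh_host()
    ok_audit = remediate(ok_host, DESIRED, set_value, change_ticket="CHG0001",
                         now=IN_WINDOW, exceptions={"X11Forwarding"})
    bad_host = fresh_host()
    try:
        remediate(bad_host, DESIRED, failing_on("PasswordAuthentication"),
                  change_ticket="CHG0002", now=IN_WINDOW)
        rolled_back = False
    except RemediationError:
        rolled_back = True
    late_host = fresh_host()
    late_audit = remediate(late_host, DESIRED, set_value, change_ticket="CHG0003",
                           now=OUT_OF_WINDOW)
    return {"ok_host": ok_host, "ok_audit": ok_audit, "rolled_back": rolled_back,
            "bad_host": bad_host, "late_host": late_host, "late_audit": late_audit}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The read-back after each change is what makes "verify success" possible, and the rollback restores the whole run, not just the failed key, so a host is never left half-remediated. Collision avoidance (two jobs touching the same host) is not modelled here; in practice that is a lock on the host keyed by the ticket.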
Orchestrate Automation and ITSM 
Key takeaways
1. Compliance is a big problem: the consequences of getting it wrong are severe.
2. Neither Security nor Operations can fix it alone: different teams need to work together.
3. There is no one-size-fits-all solution: no single product can solve this problem either.
4. Tackle this problem in stages: no need to solve the whole problem at once.
Dominic Wellington
@dwellington
http://www.bmc.com/it-solutions/intelligent-compliance.html
Thank You. 

How to Close the SecOps Gap


Editor's Notes

  • #12 Here’s a quick refresh on the value path.