© Copyright 12/1/2015 BMC Software, Inc 1

Mitigate Risk with Intelligent

Compliance and Security

Operations

Brian Downey

Sr. Director, Product Management| Nov 2015

© Copyright 12/1/2015 BMC Software, Inc 2

WE LIVE IN AN INCREASINGLY DIGITAL WORLD

© Copyright 12/1/2015 BMC Software, Inc 3

The Shift to Digital Comes with New Challenges for Automation

• Compliance more of a challenge than ever

– 1 in 10 BofA customers deposited a check through mobile app in 2014

– AT&T hopes to have 80 percent of customer interactions happen in a digital form by 2020

• Increases in personal and sensitive information being stored

– In 2014 iTunes grew 40% to 800M users accounts—each with associated credit card information

How can IT groups respond to the business asks associated with digital services and help the business exploit

this opportunity?

© Copyright 12/1/2015 BMC Software, Inc 4

Records Reported Breached so far in 2015

Average Cost of Data Breach (Up 15%)

• Total Count of CVEs (October 8, 2015)

Source: NOPSEC 2015 State of Vulnerability Risk Management

© Copyright 12/1/2015 BMC Software, Inc 5

Coverage – you can’t patch what you don’t know

Downtime – hard to schedule maintenance times with users

Complexity – dependencies make it hard to isolate actions

So Why Do Breaches Still Happen?

43% of companies have had a data breech

© Copyright 12/1/2015 BMC Software, Inc 6

Automate Application Build / Deploy / Release

Build & Operate Hybrid IaaS/PaaS

Ubiquitous Integration & Task Orchestration

Discover, Provision, Deploy, Configure, Track, Patch,

Remediate, Audit, Report

BMC Solutions Datacenter Automation & Cloud Management

Server Automation

Network Automation

Middleware Automation

Atrium Orchestrator

Cloud Lifecycle Management

Release Lifecycle Management

Database Automation

BladeLogic Automation Suite

© Copyright 12/1/2015 BMC Software, Inc 7

How Is Operations Involved in Protecting Digital Services?

Scheduled

Responsive

Planned Patching

System Hardening

Security Audits

Regulatory Audits

Known Vulnerability Remediation

New Vulnerability Eradication

© Copyright 12/1/2015 BMC Software, Inc 8

DISCOVER

REMEDIATE DEFINE

AUDIT

GOVERN

© Copyright 12/1/2015 BMC Software, Inc 9

Types of Audit

Live Snapshot Policy Patch

Compare live configurations to a live reference system Troubleshoot issues caused by configuration discrepancies

Compare the current state to known good state from a week ago Compare snapshots to each other to aid troubleshooting

Compare the current state to out-of-the-box policies Use standard policies as templates to build customized operational policy

Compare the current patching level to latest vendor patch recommendations. Optionally define white/black-list policies.

© Copyright 12/1/2015 BMC Software, Inc 10

Define policy

• Sarbanes-Oxley (SOX) 404

• Health Insurance Portability & Accountability Act (HIPAA)

• Payment Card Industry Digital Security Standard (PCI DSS)

• Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG)

• Center for Internet Security (CIS)

Regulatory Security

© Copyright 12/1/2015 BMC Software, Inc 11

The Security Operations (SecOps) Gap

© Copyright 12/1/2015 BMC Software, Inc 12

Most Breaches Exploit Known Vulnerabilities

ATTACKS

80%

More than 80% of attacks target known vulnerabilities

99.9%

FIX READY

99.9% of exploits were compromised over a year

after the CVE was published

© Copyright 12/1/2015 BMC Software, Inc 13

Vulnerability Scanning

• Can Produce 1000s Pages of Reports

• Hard to Action

• Remediation Builds Bigger Reports

• Audit Trails are a series of screen shots or actions

that get added back to the report.

Do you know this man?

……and the you get to enter it all in the Change System

© Copyright 12/1/2015 BMC Software, Inc 14

BMC SecOps– Connecting Security & Ops

Vulnerability -> Deployable Remediation Mapping

BSA Patch/Remediati

on Content

Vulnerability Scan Details

Deploy

Schedule

Open Ticket

BMC SecOps Portal

© Copyright 12/1/2015 BMC Software, Inc 15

SecOps Extensions in BladeLogic 8.7

• Integrated into BladeLogic Portal

• Nessus support

• Enterprise extensions

– Honors BSA RBAC

– “Elastic search” for near immediate searching

– Support for complex many-to-one relationships

• Network SecOps availability in BNA

BMC Confidential- Subject to change

© Copyright 12/1/2015 BMC Software, Inc 16

Extending Vulnerability Scanning to the Network

• Network vulnerabilities are a black box for many customers

• Traditional deep vulnerability scanning has high impacts and take large amounts of times

• BNA supports comparing network device versions with known impacted versions

• Quickly identifies devices fitting profile

• Allows users to build remediation actions

• Cisco content out of the box

BMC Confidential- Subject to change

© Copyright 12/1/2015 BMC Software, Inc 17

BladeLogic and SecOps Ensures Security in a Digital World

• Comprehensive compliance auditing and remediation across the service

• Comprehensive and actionable view of vulnerability data

• Accelerate remediation process

• Reduce cost through out of the box automation and integration into change management

© Copyright 12/1/2015 BMC Software, Inc 18

Thank You.

Brian Downey 617.212.1389 Brian_downey@bmc.com @bridowney33