What makes this effort unique is that it integrates software, services and security practices into a comprehensive offering designed to address the kinds of threats that Target and Sony experienced. The focus is less on the products and more on the practices because BMC’s analysis showcased that the big problem isn’t the lack of tools or an inability to see the problem but an inability to implement changes fast enough to prevent the exploit.
The presentation was a mix of statistics and solutions. I’ll cover both in separate sections.
BMC, to keep its products and customers synchronized, does a lot of studies. Its latest survey showcases some rather scary things. Ninety-seven percent of the executives surveyed expect an increasing data breach exposure and 99 percent have increased investment levels to address these exposures. (Security is going to be a nice place to be in tech in 2016.) Forty-four percent of the executives surveyed admitted that they know security breaches happened after both the exposure and the fix had been identified but not implemented. In effect, they had already purchased or identified a change that was critical to their security and knew they were exposed, but couldn’t or didn’t install it in time.
Most firms are tracking the same set of exposures from CVE (Common Vulnerabilities and Exposures). These are running up to 900 potential exposures a month. Overall, 80 percent of attacks are against known vulnerabilities and nearly 100 percent of actual exploits happen over a year after the exposure was reported.
Forty-three percent of firms have had a data breach (that they know of, industry stats indicate the majority of the other 57 percent have had a breach that hasn’t been caught or reported to executive management). Eighty percent of the related downtime isn’t because of the breach but because of misconfigurations. This suggests that, not only aren’t the exposures being eliminated on time, but the remediation efforts are causing more additional harm.
Sixty percent of the firms indicate that Security and Operations are dysfunctional across both organizations. In other words, the two groups generally don’t work well together. This is because of very different performance metrics. Security is measured by how effectively they block a threat but they could care less about uptime; operations measures by uptime, not on the speed an update is applied. This pits both teams against each other. Security would rather the systems be down than vulnerable; ops would rather the systems remain up than vulnerable. The result is that patches aren’t being applied quickly enough and, when applied, are resulting in a reduction in system reliability.
Finally while 53 percent of executives surveyed (this seems really low) think compliance is either important or critical, the above stats suggest the majority of firms aren’t compliant with security or privacy regulations.
BMC’s Suggested Fix
As noted above, the BMC approach is more about process than product. First, and tied to the stats above, is aligning the measurements and goals between ops and security. You can’t make progress until these teams are fighting on the same side. You need to do a process review, the goal of which is to integrate the activities and data sets of key security and IT operations organizations. Finally, and only after the other aspects have been addressed, implement technology that automates the combined efforts of both groups.
This brings in BMC’s BladeLogic offering, which is designed to automate the correlation of discovered vulnerabilities and related patches. This is directly integrated with change management and connects the identification of vulnerabilities and related remedial actions. This is all designed to fit within a compliance process that is auditable, an aspect critical to virtually all large companies at the moment.
BMC highlighted three cases of organizations that implemented this solution. The State of Michigan moved from 32 hours for the creation of an audit report to 15 minutes. Fujitsu moved from an average of two months to provision a server to address a vulnerability to five days, and AEGON was able to reduce the hours needed for remediation by 9,000 while still remediating nearly 100K events.
Wrapping Up: Process over Product
While it is easy for any vendor to throw a product at a problem, we’ve learned over time that process is often more important. What makes BMC’s offering refreshing is that it leads with process, knowing that without a strong process, no product can fix a comprehensive problem like security exposures. Whether you consider BMC’s offering or not, the takeaway here is that you need to understand why your solution isn’t working and one of the first places to look is the conflict between the groups that ensure security and those that maintain your systems. If these two groups are in conflict, it won’t matter what tool you implement. You won’t be able to protect your organization or be in compliance.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.