It is fascinating to watch a new class of software be born. This doesn’t seem to happen that often anymore, but every once in a while a customer or a vendor discovers a gap in the current offerings and fills that gap with something we have never seen before. I recently ran into an event like this at BMC Engage. BMC has a write-up that subtly points to the impending creation of this new security automation product class. And last week, I spoke to Tony Stevens, who works for the Department of Technology, Management and Budget at the State of Michigan and is helping husband the birth of this class. Let’s talk about that this week.
Heartbleed
We’ve had a number of nasty viruses roll through the industry of late and one of the worst was Heartbleed. At the time it was disclosed, around 17 percent of the Internet’s secure web servers, or half a million, were vulnerable to the bug. As it went after security credentials, it was labeled a catastrophic problem. The cybersecurity expert for Forbes wrote that it could be classified as the worst vulnerability ever found on the web and it resulted in a massive effort for users and companies to change passwords and IDs.
Time was of the essence and the IT folks at the Department of Technology, Management and Budget at the State of Michigan stepped up. They not only provide services for the state, but also host systems for a variety of other government organizations located in the state. A successful exploit of the Heartbleed bug could have been catastrophic for them.
The department is a big BMC account and uses both BladeLogic Server Automation and Remedy IT Service Management. It also had Qualys to identify vulnerabilities. So they wrote some rough code to connect the two systems and, relatively rapidly, were able to patch all of the affected systems and protect themselves from someone exploiting the vulnerability before they were hit. But this was clearly a race against time. This time, they won the race, but what about next time?
So they went to BMC, which is now working with Qualys, and asked for an automated solution. Stevens believes that now that such a solution is being created, once it is implemented, they can cut another two-thirds off their system-wide response time to threats.
The Bigger Problem
However, in the process, the department discovered a bigger problem. Security and IT operations just aren’t used to working closely together. Qualys is used by security to identify vulnerabilities, and Ops is tasked with applying patches to eliminate them. But this separation can slow implementation, because a solution needs to bridge these two functions and there could be turf issues on both sides that a product offering can’t address by itself. As threats continue to escalate and the potential for catastrophic problems like those recently identified at Sony grows, the need for ever faster identification and response accelerates. Executive management will likely drive these two organizations to work far more closely together because, after a massive breach like the one Sony is having, turf battles as the cause of an inability to respond in a timely manner will likely result in some rather draconian staffing changes.
SIEM: Security Incident and Event Manager
While initially this class connects compliance products like Qualys to change management products like Remedy, I believe the connection could drift farther into the security space and include SIEM offerings. SIEM, or Security Incident and Event Management, is one of the ways a large organization discovers an active threat that may require rapid patching to mitigate. This class of tool has moved slowly, largely because while it is great at identifying vulnerabilities, it has little capability to mitigate them, so firms feel less secure after running them. If SIEM were eventually looped into such a solution, the result could go much further toward automating a rapid response to a detected problem. The Department of Technology, Management and Budget at the State of Michigan uses a powerful product that IBM recently acquired, called QRadar.
Wrapping Up: SecOps
Security Operations, or SecOps, is an interesting idea that combines security and operations into a team that has to work far more closely together than most organizations like this do today. The first product I know of in this class is in alpha stage and under trial at the Department of Technology, Management and Budget at the State of Michigan, where the idea apparently originated. Products based on hard customer requirements typically do well, and with the security exposure most firms have and governments developing their own malware and attack capabilities, the only way to step up to the problem is with the combined might of both security and operations. While this is a new category, in five years, I expect the folks who haven’t deployed something like this will be unable to respond to threats in a timely manner. So, if you aren’t working with BMC, you may want to meet with your favorite vendor and ask them to step up, because you don’t want to be stepped on.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+.