avoiding data breaches in 2016: what you need to know
TRANSCRIPT
Avoiding Data Breaches in 2016:
What You Need to Know
David Monahan
Research Director
Enterprise Management Associates (EMA)
David Cramer
VP of Product Management
BMC
Today’s Presenters
Slide 2 © 2016 Enterprise Management Associates, Inc.
David Monahan – Research Director, Risk and SecurityDavid is a senior information security executive with several years of experience.
He has organized and managed both physical and information security programs,
including security and network operations (SOCs and NOCs) for organizations
ranging from Fortune 100 companies to local government and small public and
private companies.
David Cramer, VP of Product Management, BMCDavid joined BMC in 2015 and serves as Vice President of Product Management for
the Cloud/DCA business unit. Prior to BMC, David was head of product management
for CA Technologies. During his tenure at CA, David was responsible for application
delivery, cloud management, virtualization and Infrastructure automation solutions.
Before joining CA, David held executive positions at AlterPoint, Motive, NetSolve, and
Nortel Networks.
Logistics for Today’s Webinar
Slide 3 © 2016 Enterprise Management Associates, Inc.
Questions
• An archived version of the event recording
will be available at
www.enterprisemanagement.com
• Log questions in the Q&A panel located on the
lower right corner of your screen
• Questions will be addressed during the Q&A
session of the event
Event recording
Event presentation
• A PDF of the PowerPoint presentation will be
emailed to you as part of the follow-up email.
Avoiding Data Breaches in 2016:
What You Need to Know
David Monahan
Research Director
Enterprise Management Associates (EMA)
David Cramer
VP of Product Management
BMC
© Copyright 5/20/2016 BMC Software, Inc5
WE LIVE IN AN INCREASINGLYDIGITAL WORLD
© Copyright 5/20/2016 BMC Software, Inc6© 2016 Enterprise Management Associates, Inc.
• Cyber-security/ Information Security was an afterthought, Obligation, or low priority insurance policy
• 51%: Spending Between 10%-24% of IT Budget on Security
• 26%: Spending Between 20% and 30% (They are Playing Catchup)
Have We Been Sitting in a Pot Coming to a Boil?
© Copyright 5/20/2016 BMC Software, Inc7
Keeping Organizations Secure Against Cyber Criminals Has Never Been Tougher
97% of executives expect a rise in data breach
attempts in the next 12 months
As a result, 99% plan to invest more in security in the
next 12 months than they did in 2015.
BMC Study Shows:Many Breaches Are Avoidable
of executives say security
breaches occur even when
vulnerabilities and their
remediation have already been
identified
44% “There’s so many more vectors that are easier, less risky and quite often more productive than going down that route. This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.” Rob Joyce, Chief of NSA’s Tailored Access Operations
Decline of Baselines and Asset Prioritization
© 2016 Enterprise Management Associates, Inc.
Decline in Monitoring High Value Assets
© 2016 Enterprise Management Associates, Inc.
Decline in Security Confidence
© 2016 Enterprise Management Associates, Inc.
79% of organizations were only “somewhat confident” to “highly doubtful” that their security program could detect a security incident before it had a significant impact on their environment.
CVE®(Common Vulnerabilities and Exposures)
Total Count (Oct 8, 2015): 71,951
Total Count (Nov 15, 2015): 72,805
854(New bulletins)
38 Days
22(per day)
8030(per year)
“A dictionary of common security exposures and vulnerabilities”
What you know and don’t fix can hurt you
© Copyright 5/20/2016 BMC Software, Inc13
Even “small” threats can cause “BIG” issues……
ATTACKS
80%
More than 80% of attacks target known vulnerabilities
99.9%
FIX READY
99.9% of exploits were compromised over a year after the CVE was published
© Copyright 5/20/2016 BMC Software, Inc14
Visibility – you can’t patch what you don’t know
Downtime – hard to schedule maintenance times with users
Complexity –dependencies make it hard to isolate actions
So Why Do Vulnerabilities Go Unaddressed?
193Days to resolve
average vulnerability
Complexity and Lack of Visibility
Slide 15 © 2014 Enterprise Management Associates, Inc.
Drivers for Lack of Value in Tools #2 Tools do not provide adequate correlation of data to
business impact
#5 Tools do not provide enough visibility into the ways
threats appear and/or propagate in the environment
Over 90% of Outages Caused by Unscheduled or
Undocumented Changes #2 Tools do not provide adequate correlation of data to
business impact
Complexity is the bane of Security Complexity in Tools = shelf-ware, thus lack of ROI
Complexity in Architectures= Security Gaps and failures
© Copyright 5/20/2016 BMC Software, Inc16
OperationsSecurityReduce downtime
80% of downtime due to
misconfigurations
Close the window of
vulnerability
43% of companies have
had a data breach
© Copyright 5/20/2016 BMC Software, Inc17
A Three-Pronged Game Plan
To stay on top of today’s complexities, threats and opportunities,
large enterprises are developing SecOps strategies that focus on
three core areas:
PeopleSecurity and operations professionals share aligned goals for
making business systems more secure and reliable
ProcessesGuide and integrate the activities and data sets of key
stakeholders in security and IT operations
TechnologyEnable efficient, consistent and integrated processes to enable IT
Operations and Security efforts
© Copyright 5/20/2016 BMC Software, Inc18
People Problems
© 2016 Enterprise Management Associates, Inc.
68% of Organizations are Experiencing Security Staffing Problems!
© Copyright 5/20/2016 BMC Software, Inc19
Integration and Scalability are Crucial for Security!
• We Can’t Just Throw People at the Problem!
• 95% Organizations with 10 or less FTE Experienced More Than 100 Severe/Critical security alerts PER DAY
• 70%: Scalability of Automation is Important to Meet Compliance Needs
• 93%: Integration is Important for Security
© 2016 Enterprise Management Associates, Inc.
© Copyright 5/20/2016 BMC Software, Inc20
Where Do Organization Stand
© 2016 Enterprise Management Associates, Inc.
• 88%: Integration is important for Vulnerability Mgmt.
• 71%: Ease of Use Important for Vulnerability Mgmt.
• 82%: Scalability is Important for Automation solutions
• 87% : Scalability is Important when dealing with Vulnerability Mgmt.
© Copyright 5/20/2016 BMC Software, Inc21
© Copyright 5/20/2016 BMC Software, Inc22
BMC BladeLogic: Relentless Remediation
Drag picture to placeholder or click icon to add
Automate to eliminate threats before they become a breach
entry point
• Automatic correlation of discovered vulnerabilities and BSA patches
— Filter to systems through operational views
— Deploy remediation actions
• Network vulnerability identification and remediation action capabilities
• Direct integration with Change Management
Reduce cost and time associated with remediating
vulnerabilities
Threats are neutralized….is that it?
52% of enterprise leaders equateregulatory compliance with tighter security.
“We must sustain our operations and defenses before, during, and after an attack by reducing the attack surface, continually improving defensive cyberspace operations, and effectively commanding and controlling the DODIN.” DISA Strategic Plan
© Copyright 5/20/2016 BMC Software, Inc24
BMC BladeLogic: Vigilant Compliance
Drag picture to placeholder or click icon to add
Manage by policy, not just by alert…
© Copyright 5/20/2016 BMC Software, Inc25
Criteria That Decision Makers Consider Important in
SecOps Solutions
62% 58% 50%Want flexibility to tailor the
solution to the specific
regulations in their industry
want integration with
service desks and change-
management processes
Share that they want
reporting for compliance
audits
© Copyright 5/20/2016 BMC Software, Inc26
Customer Success with SECOPS
State of Michigan
Reduced time for Audit report creation from
32 hours to 15 minutes
Reduced time for server provisioning from
2 months to 5 days
Reduced 9,000+ staff hours by
automatically remediating 94,273 events
Log Your Questions in the Q&A Panel
Learn More About Leading IT Analyst Firm Enterprise
Management Associates:
http://www.enterprisemanagement.com
Slide 27 © 2016 Enterprise Management Associates, Inc.