Cutting Through the Software License Jungle: Stay Safe and Control Costs

© 2015 IBM Corporation Antonio Gallotti Senior Product Manager Cutting Through the Software License Jungle: Stay Safe and Control Costs

Upload: ibm-security

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Cutting Through the Software License Jungle: Stay Safe and Control Costs


Page 2

License, Contract, Audit

Security, Vulnerability, Stability

Wherever there is software, there is a risk and a cost

Page 3

You can’t protect what you can’t see

Software Compliance and Usage helps reduce risks and improve incident response to reduce the cost of a data breach

Software Control helps you know where to protect your environment

Lack of visibility and control contributes to security breaches and financial loss

“Major global bank compromised and millions of depositor records stolen due to missed server upgrade cycle”

$3.8M: global average cost of a data breach*

*Source: 2015 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2015

Page 4

You can’t control what you can’t see

Software Compliance and Usage is the No. 1 factor to reduce the license cost and be prepared for software audits

Software Control is key to avoid overspending

Lack of visibility and control contributes to unplanned license true-ups and fines

“most enterprises face frequent, unbudgeted software license true-up bills from their vendors -- often to the tune of millions of dollars annually”

$1.0M: average cost of a license true-up*

*Source: MarketWatch, April 2015

Page 5

IBM BigFix: Bridge the gap between Security and IT Ops

ENDPOINT SECURITY

Discovery and Patching

Lifecycle Management

Software Compliance and Usage

Continuous Monitoring

Threat Protection

Incident Response

ENDPOINT MANAGEMENT IBM BigFix®

FIND IT. FIX IT. SECURE IT. …FAST

Shared visibility and control between IT Operations and Security

IT OPERATIONS SECURITY

Reduce operational costs while improving your security posture

Page 6

Software compliance and usage – BigFix Inventory

Identify what software is installed and how it’s used

• Discover all licensed and unlicensed software with in-depth granularity across operating systems and devices

• Reduce license compliance exposure and associated fines

• Decrease software license costs by eliminating unused or redundant software

• 8,000+ software publishers, 40,000+ software products, 50+ cross OS virtualizations

• Mitigate risk from unauthorized and malicious software

Saved $500K in unused software licenses while avoiding $1M in non-compliance fines across 15,000+ endpoints

US Foods

SW Catalogue, ISO 19770 enabled

Page 7

Capabilities

IBM BigFix Inventory (AKA - Endpoint Manager for Software Use Analysis)

•  Centralized Reporting Web Portal

•  Health status and Reporting dashboards

•  Virtualization and Cloud awareness

•  Role based user access management

•  REST API for easy integration

•  IBM authorized tool for IBM Capacity

•  Same as IBM License Metric Tool

Product highlights

•  Software Catalogue with regular updates

•  ISO 19770 Tags and software signatures

•  Catalogue can be expanded for coverage or custom applications

•  Supported virtualizations such as vSphere, vCenter, ESXi, Hyper-V, IBM AIX LPAR and WPAR, KVM and more

•  SW Asset Inventory

•  SW Use Metering

•  SW Use Reporting

•  HW Discovery, Inventory and Monitoring of Capacity Changes

Page 8

BigFix Inventory – Control Software Costs

Overspending? Detailed, real-time, current inventory and usage reports to eliminate underused or unnecessary licenses and reduce maintenance costs

Compliant? Identify unlicensed computers. Associate SW inventory with HW data to avoid software license exposures

Buy more? Accurate inventory data in support of purchasing and procurement tools and processes

You can’t control what you can’t see

Page 9

BigFix Inventory – Mitigate Security Risks

Authorized? Whitelist/blacklist filtering of inventory data to identify systems where unauthorized software is deployed or unauthorized processes are running

Needed? Usage reports to identify systems where software can be removed to reduce security exposures

Managed? Inventory data and newly discovered system reports to verify if assets are properly managed or unauthorized

You can’t protect what you can’t see

Page 10

Inventory and status health Dashboards

Page 11

Extensive Hardware Inventory Report

Extensive list of attributes and configuration data

Software Control and Security Risk mitigation use case sample

Which systems/computers are we managing and are they all authorized?

Page 12

What’s deployed and where?

Inventory tracking

Software Control and Security Risk mitigation use case sample

Page 13

Is the SW used and do I need to continue licensing it or can I optimize?

Is the SW used and needed or can I remove it to reduce security exposures?

Usage metering

Software Control and Security Risk mitigation use case sample

Page 14

Software Control and Security Risk mitigation use case sample

Which processes are running on my systems? How long, and when was the last time they were used?

Process Metering data

Data can be analyzed in order to apply security risk assessments or blacklisting filter criteria to identify exposures

Page 15

Software Control and Security Risk mitigation use case sample

Which are the binary files loaded on my systems? What are they and where are they located?

File System data

Data can be analyzed in order to apply security risk assessments or can be fed to blacklist/whitelist security solutions

Page 16

Why is the SW still there and how was it discovered? Are there executables or other leftovers that could cause security exposures?

Software Control and Security Risk mitigation use case sample

Page 17

Software Compliance Use case sample

•  Entitled Computers: computers that are entitled to use the particular software associated with the contract definition, by being a part of the computer group specified in the contract.

•  Licensed Computers: entitled computers where software is installed.

•  The values in the columns are links to sub-reports that list the computers

What’s the license usage?

License usage tracking

Page 18

Software Compliance use case sample

Enhanced Oracle Database features discovery (NEW)

•  Discovers Oracle DB editions (Standard/Enterprise) and used database features

•  Discovers Oracle DB instances & installation paths

•  Leverages the original Oracle LMS (License Management Services) auditing SQL script

•  Relevant also for Processor-based metric

Page 19

Software Compliance use case sample

Enhanced reporting for IBM Capacity Licensing (PVU and RVU) (NEW)

•  Flexible reporting time ranges

•  No data locking (no report signing)

•  Data export with digital signature

•  Visibility of the PVU/RVU peak values

•  Visibility of the PVU/RVU trends

•  Report views accessible during data processing

•  Flexible report filtering

Trend line & peak value

Page 20

Questions??

Page 21

© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU www.ibm.com/security