© 2015 IBM Corporation
Antonio Gallotti Senior Product Manager
Cutting Through the Software License Jungle: Stay Safe and Control Costs
License, Contract, Audit
Security, Vulnerability, Stability
Wherever there is software, there is a risk and a cost
You can’t protect what you can’t see
Software Compliance and Usage helps reduce risk and improve incident response to reduce the cost of a data breach
Software Control helps you know where to protect your environment
Lack of visibility and control contributes to security breaches and financial loss
*Source: 2015 Cost of a Data Breach Study: Global Analysis, Ponemon Institute, May 2015
“Major global bank compromised and millions of depositor records stolen due to missed server upgrade cycle”
$3.8M global average cost of a data breach*
You can’t control what you can’t see
Software Compliance and Usage is the No. 1 factor in reducing license cost and being prepared for software audits
Software Control is key to avoiding overspending
Lack of visibility and control contributes to unplanned license true-ups and fines
*Source: MarketWatch, April 2015
“most enterprises face frequent, unbudgeted software license true-up bills from their vendors -- often to the tune of millions of dollars annually”
$1.0M average cost of a license true-up*
IBM BigFix: Bridge the gap between Security and IT Ops
ENDPOINT SECURITY
Discovery and Patching
Lifecycle Management
Software Compliance and Usage
Continuous Monitoring
Threat Protection
Incident Response
ENDPOINT MANAGEMENT IBM BigFix®
FIND IT. FIX IT. SECURE IT.
…FAST
Shared visibility and control between IT Operations and Security
IT OPERATIONS SECURITY
Reduce operational costs while improving your security posture
Software compliance and usage – BigFix Inventory
Identify what software is installed and how it’s used
• Discover all licensed and unlicensed software with in-depth granularity across operating systems and devices
• Reduce license compliance exposure and associated fines
• Decrease software license costs by eliminating unused or redundant software
• 8,000+ software publishers, 40,000+ software products, 50+ cross OS virtualizations
• Mitigate risk from unauthorized and malicious software
Saved $500K in unused software licenses while avoiding $1M in non-compliance fines across 15,000+ endpoints
US Foods
SW Catalogue, ISO 19770 enabled
Capabilities
IBM BigFix Inventory (AKA - Endpoint Manager for Software Use Analysis)
• Centralized Reporting Web Portal
• Health status and Reporting dashboards
• Virtualization and Cloud awareness
• Role based user access management
• REST API for easy integration
• IBM authorized tool for IBM Capacity
• Same as IBM License Metric Tool
Product highlights
• Software Catalogue with regular updates
• ISO 19770 Tags and software signatures
• Catalogue can be expanded for coverage or custom applications
• Supported virtualizations such as vSphere, vCenter, ESXi, Hyper-V, IBM AIX LPAR and WPAR, KVM and more
• SW Asset Inventory
• SW Use Metering
• SW Use Reporting
• HW Discovery, Inventory and Monitoring of Capacity Changes
BigFix Inventory – Control Software Costs
Compliant?
Buy more?
Detailed, real-time, current inventory and usage reports to eliminate underused or unnecessary licenses and reduce maintenance costs
Overspending?
Identify unlicensed computers. Associate SW inventory with HW data to avoid software license exposures
Accurate inventory data in support of purchasing and procurement tools and processes
You can’t control what you can’t see
BigFix Inventory – Mitigate Security Risks
Needed?
Managed?
Whitelist/Blacklist filtering of inventory data to identify systems where unauthorized software is deployed or unauthorized processes are running
Authorized?
Usage reports to identify systems where software can be removed to reduce security exposures
Inventory data and newly discovered system reports to verify if assets are properly managed or unauthorized
You can’t protect what you can’t see
Inventory and status health Dashboards
Extensive Hardware Inventory Report
Extensive list of attributes and configuration data
Software Control and Security Risk mitigation use case sample
Which systems/computers are we managing and are they all authorized?
What’s deployed and where?
Inventory tracking
Software Control and Security Risk mitigation use case sample
Is the SW used and do I need to continue licensing it or can I optimize?
Is the SW used and needed or can I remove it to reduce security exposures?
Usage metering
Software Control and Security Risk mitigation use case sample
Software Control and Security Risk mitigation use case sample
Which processes are running on my systems? For how long, and when was the last time they were used?
Process Metering data
Data can be analyzed in order to apply security risk assessments or blacklisting filter criteria to identify exposures
Software Control and Security Risk mitigation use case sample
Which binary files are loaded on my systems? What are they and where are they located?
File System data
Data can be analyzed in order to apply security risk assessments or can be fed to blacklist/whitelist security solutions
Why is the SW still there and how was it discovered? Are there executables or other leftovers that could cause security exposures?
Software Control and Security Risk mitigation use case sample
Software Compliance Use case sample
• Entitled Computers: computers that are entitled to use the particular software associated with the contract definition, by being a part of the computer group specified in the contract.
• Licensed Computers: entitled computers where software is installed.
• The values in the columns are links to sub-reports that list the computers
What’s the license usage?
License usage tracking
Software Compliance use case sample
Enhanced Oracle Database features discovery
• Discovers Oracle DB editions (Standard/Enterprise) and used database features
• Discovers Oracle DB instances & installation paths
• Leverages the original Oracle LMS (License Management Services) auditing SQL script
• Relevant also for Processor-based metric
NEW
Software Compliance use case sample
Enhanced reporting for IBM
NEW
IBM Capacity Licensing (PVU and RVU)
• Flexible reporting time ranges
• No data locking (no report signing)
• Data export with digital signature
• Visibility of the PVU/RVU peak values
• Visibility of the PVU/RVU trends
• Report views accessible during data processing
• Flexible report filtering
Trend line & peak value
Questions??
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU www.ibm.com/security