2 Assessing the Threatscape Addressing compliance requirements Respond, don’t just report You’re already a statistic, how do you rebound? Q&A

3

4 91% of companies have experienced at least one IT security event from an external source. 90% of all cyber crime costs are those caused by web attacks, malicious code and malicious insiders. Security Breach Statistics* *Statistics collected from Gartner, Forrester, Ponemon, Kaspersky, Eschelon

5 Due to complexity, over 70% of organizations still not adequately securing critical systems. The median annualized cost of breaches is $3.8 million per year, (range: $1M to $52M/yr) Security Breach Statistics

6 96% of attacks were not highly difficult 94% of all data compromised involved servers 85% of breaches took weeks or more to discover 92% of incidents were discovered by a third party 97% of breaches were avoidable 96% of victims subject to PCI DSS had not achieved compliance A study conducted by the Verizon RISK Team

7 Data breaches Data loss/leakage Account/service traffic hijacking Insecure interfaces and APIs Denial of service Malicious insiders Insufficient due diligence Technology vulnerabilities Social Engineering Viruses, phishing, malware, spyware Employees exposing information Carelessness/lax security policies According to Cloud Security Alliance

8 Source: Kaspersky Bulletin

9 “ I get audited. I get audited a lot.” - Michael Tampone Chief Technology Officer Sterling Risk

10 FFIEC PCI / DSS CIP Sarbanes Oxley GLBA FISMA NERC HIPAA FERPA SB-1386 (California)

11

12

13

14 It’s expensive It’s time consuming It’s resource heavy Perceived imbalance in the risk/reward quotient -We’ve got it covered -We haven’t been attacked/complacency -We’re too small for hackers to care/notice Expertise difficult to retain …but it doesn’t have to be MSPAlliance says: Unemployment for IT security is <1%. And once found, they’re expensive to keep. In fact their salaries doubled in past 3 years.

15 Preventive/Preemptive policies Centralized control Automation Transaction Anomaly Prevention Minimize end user impact Consistency Maintain and enforce standards Minimizing management and operational cost Best practices

16 (3.11)Implement automated configuration monitoring system to analyze hardware and software changes, network configuration changes, and other modifications affecting the security of the system. *Source SANS 20 Critical Controls SANS offers 12 critical controls for implementation, automation, and measurement. Security Configuration Management applies to 8 of those guidelines, most notably

17 Continuous monitoring discovers red flags (via Log/SIEM) but too often reviewed days/weeks later Doesn’t FIX the problem Signatures will not detect anything unusual in a zero-day exploit Doesn’t maintain continuous integrity of files/apps/registry

18 Improve the success rate of patching XP Migration Avoid unauthorized changes that threaten compliance Real-time configuration mgmt Prevent & recover back to ideal state Reduce support incidents Demonstrate control of computing environment

19 Reduce, remove security threats Reduce operational downtime Reduce support incidents by 80% Automate security compliance policy Increase application availability Reduce case resolution times and repeat cases Reduce on-site or remote service requests Integrates with existing infrastructure Automated compliance reporting Improve customer satisfaction

20 Demonstration

21  Innovative Software Company ◦ Over 12 years in the marketplace ◦ 1,000’s of customer deployments globally ◦ Proven and patented technology IT organizations will fail to successfully manage their PC environment if they have not addressed the biggest issue: complexity … Persystent Suite … does provide configuration drift management functionality. Customers

22 Bob Whirley Utopic Software