Get Complete IT Compliance: Reduce Risk and Cost. Jonathan Trull, CISO, Qualys; Seth Corder, Automation Specialist, BMC.

Presentation transcript:

1 Get Complete IT Compliance: Reduce Risk and Cost. Jonathan Trull (@jonathantrull), CISO, Qualys; Seth Corder (@corderseth), Automation Specialist, BMC

2 The Great Divide

3 DevOps Security

4 Attack-Defend Cycle (OODA Loop)

5 Threats + Vulnerabilities = Breaches

6 Major Constraints on DevOps and Security Teams

7 Laws of Vulnerabilities
- Half-Life: the time interval over which the occurrence of a vulnerability is reduced by half.
- Prevalence: the turnover rate of vulnerabilities in the "Top 20" list during a year.
- Persistence: the total lifespan of vulnerabilities.
- Exploitation: the time interval between an exploit announcement and the first attack.

8 Half-Life: 29.5 days

9 Persistence: indefinite; the unfixed remainder stabilizes at 5-10%

10 Exploitation: average < 10 days; critical client vulnerabilities < 48 hours. Exploit kits offer money-back guarantees and next-day delivery.
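The four laws above are defined in words only. The following is an added example, not Qualys code or the methodology behind the 29.5-day figure, showing how each metric can be computed from a scan history. The scan series, Top-20 lists and dates are constructed; the half-life estimator (a least-squares fit of log(N - P) against time, with the observed floor P treated as the persistent population) is my own choice of model.

```python
"""Estimating the 'Laws of Vulnerabilities' metrics from scan history.

Added example, not Qualys code.  The series and dates below are constructed:
a vulnerability first seen on 1000 hosts, rescanned over eight months, with a
tail of hosts that never get fixed.
"""
import math
from datetime import date

# (days since first detection, hosts still affected at that scan)
SCAN_SERIES = [
    (0, 1000), (15, 731), (30, 540), (45, 405), (60, 310),
    (90, 195), (120, 138), (150, 109), (180, 94), (240, 84),
]

# Constructed Top-20 lists for two consecutive years (placeholder finding IDs).
TOP20_LAST_YEAR = [f"V-{i:04d}" for i in range(1, 21)]
TOP20_THIS_YEAR = [f"V-{i:04d}" for i in range(11, 31)]

# Constructed exploit timeline for one finding.
EXPLOIT_ANNOUNCED = date(2015, 3, 2)
FIRST_ATTACK_SEEN = date(2015, 3, 3)


def persistence(series):
    """Persistent fraction: hosts still affected at the last scan, relative to
    the initial population.  This is the 5-10% 'never fixed' tail."""
    first, last = series[0][1], series[-1][1]
    return last / first


def half_life(series, floor_fraction=0.10):
    """Half-life H in days from the model N(t) = P + (N0 - P) * 2^(-t / H).

    P is taken as the lowest observed count (the persistent floor).  Points
    within floor_fraction of that floor are dropped: log(N - P) is dominated
    by counting noise there and would drag the slope.  The remaining points
    are fit by ordinary least squares on log(N - P) = a - (ln 2 / H) * t.
    """
    floor = min(n for _, n in series)
    n0 = series[0][1]
    cutoff = floor_fraction * (n0 - floor)
    pts = [(t, math.log(n - floor)) for t, n in series if n - floor >= cutoff]
    if len(pts) < 2:
        raise ValueError("not enough scans above the persistent floor to fit")
    mean_t = sum(t for t, _ in pts) / len(pts)
    mean_y = sum(y for _, y in pts) / len(pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    slope = sxy / sxx          # equals -ln2 / H
    return -math.log(2) / slope


def prevalence_turnover(top_last_year, top_this_year):
    """Share of this year's Top-20 that did not appear in last year's list."""
    new_entries = set(top_this_year) - set(top_last_year)
    return len(new_entries) / len(top_this_year)


def exploitation_window_days(exploit_announced, first_attack_seen):
    """Days from exploit announcement to the first observed attack."""
    return (first_attack_seen - exploit_announced).days


if __name__ == "__main__":
    print(f"half-life      : {half_life(SCAN_SERIES):.1f} days")
    print(f"persistence    : {persistence(SCAN_SERIES):.1%} of hosts never fixed")
    print(f"prevalence     : {prevalence_turnover(TOP20_LAST_YEAR, TOP20_THIS_YEAR):.0%} Top-20 turnover")
    print(f"exploitation   : {exploitation_window_days(EXPLOIT_ANNOUNCED, FIRST_ATTACK_SEEN)} day(s)")
```

On the constructed series the fit recovers a half-life of roughly 30 days with 8.4% of hosts persisting, the same shape as the deck's 29.5 days and 5-10% tail. The floor cut-off matters: fitting every point, including the ones sitting on the persistent floor, makes the decay look faster than it is.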

11 Bridging the Divide
- Vulnerability and configuration management should be an essential part of any security program.
- Learn to speak the same language.
- For best results, integrate the VM/CM solution with patch and configuration management systems, asset inventory systems, ticketing systems, configuration systems (BMC BladeLogic), and reporting systems.

12-15 Continuous Security and Compliance

16 Most breaches exploit known vulnerabilities. Attacks: more than 80% of attacks target known vulnerabilities. Patches: 79% of vulnerabilities have a patch available on the day of disclosure.

17 So why do breaches still happen? 193 days to resolve vulnerabilities.
- Coverage: you can't patch what you don't know about.
- Downtime: maintenance windows are hard to schedule with users.
- Complexity: dependencies make it hard to isolate actions.

18 The SecOps Gap

19 Operations: reduce downtime (80% of downtime is due to misconfigurations). Security: close the window of vulnerability (193 days to patch known vulnerabilities).

20 The results of disconnected security. Records breached in 2014: 1,023,108,267. Number of breach incidents: 1,541. Increase in breached records from the previous year: 78%.

21 Closed-Loop Compliance: DISCOVER, REMEDIATE, DEFINE, AUDIT, GOVERN

22 BMC and Qualys (DISCOVER, REMEDIATE, DEFINE, AUDIT, GOVERN)
01 Identify unmanaged systems ("shadow IT")
02 Reconcile data from different repositories
03 Assess true security status
04 Plan and execute complete remediation actions
05 Prioritize by vulnerability, business priority, or logical grouping
06 Integrate the change approval process and a full audit trail
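Steps 01 to 05 of the loop are a data-reconciliation problem: join the scanner's view of the estate against the CMDB, treat the two differences (scanned but unmanaged, managed but unscanned) as findings in their own right, then rank and batch the rest. The following is an added example, not BMC or Qualys code, with constructed scan rows and CMDB records. The scoring rule (severity times business priority), the default priority for hosts missing from the CMDB, and the batching by change window are my own assumptions about how such an integration would be wired.

```python
"""Closed-loop reconcile-and-prioritize step: scan export joined to a CMDB
extract, shadow IT and coverage gaps flagged, findings ranked and batched by
change window.  Added example, not BMC or Qualys code; all records are constructed.
"""
from collections import defaultdict

# Constructed scan export: one row per (host, finding); severity 1 (low) .. 5 (critical).
SCAN_FINDINGS = [
    {"host": "web-01", "finding": "V-1001", "severity": 5, "patch_available": True},
    {"host": "web-01", "finding": "V-1007", "severity": 3, "patch_available": True},
    {"host": "db-01", "finding": "V-1001", "severity": 5, "patch_available": True},
    {"host": "db-01", "finding": "V-1042", "severity": 4, "patch_available": False},
    {"host": "lab-07", "finding": "V-1001", "severity": 5, "patch_available": True},
    {"host": "hr-app", "finding": "V-1007", "severity": 3, "patch_available": True},
]

# Constructed CMDB extract: business priority 1 (low) .. 5 (high) and the
# maintenance window in which the owning team accepts changes.
CMDB = {
    "web-01": {"group": "dmz-web", "business_priority": 4, "change_window": "Sat 02:00"},
    "db-01": {"group": "core-db", "business_priority": 5, "change_window": "Sun 01:00"},
    "hr-app": {"group": "internal-apps", "business_priority": 2, "change_window": "Wed 20:00"},
    "file-02": {"group": "internal-apps", "business_priority": 2, "change_window": "Wed 20:00"},
}


def reconcile(scan, cmdb):
    """Steps 01/02.  Hosts the scanner sees but the CMDB does not are shadow IT;
    hosts the CMDB lists but the scanner never reached are coverage gaps
    ('you can't patch what you don't know')."""
    scanned = {row["host"] for row in scan}
    managed = set(cmdb)
    return {"unmanaged": sorted(scanned - managed), "unscanned": sorted(managed - scanned)}


def prioritize(scan, cmdb, unknown_priority=3):
    """Steps 03/05.  Rank findings by severity x business priority.  Hosts missing
    from the CMDB get a default priority so shadow IT is ranked, not dropped."""
    ranked = []
    for row in scan:
        asset = cmdb.get(row["host"])
        priority = asset["business_priority"] if asset else unknown_priority
        ranked.append({
            "host": row["host"],
            "finding": row["finding"],
            "score": row["severity"] * priority,
            "managed": asset is not None,
            "action": "patch" if row["patch_available"] else "configuration change",
        })
    ranked.sort(key=lambda r: (-r["score"], r["host"], r["finding"]))
    return ranked


def remediation_batches(ranked, cmdb):
    """Step 04.  One change request per (logical group, change window), so a
    batch goes through approval once instead of one ticket per finding.
    Unmanaged hosts land in an 'onboard first' batch: they need an owner and
    a CMDB record before any change window can be scheduled."""
    batches = defaultdict(lambda: {"hosts": set(), "findings": set(), "max_score": 0})
    for item in ranked:
        asset = cmdb.get(item["host"])
        key = (asset["group"], asset["change_window"]) if asset else ("unmanaged", "onboard first")
        batch = batches[key]
        batch["hosts"].add(item["host"])
        batch["findings"].add((item["finding"], item["action"]))
        batch["max_score"] = max(batch["max_score"], item["score"])
    # The batch holding the worst finding is scheduled first.
    return sorted(batches.items(), key=lambda kb: -kb[1]["max_score"])


if __name__ == "__main__":
    gaps = reconcile(SCAN_FINDINGS, CMDB)
    print("shadow IT:", gaps["unmanaged"], " never scanned:", gaps["unscanned"])
    ranked = prioritize(SCAN_FINDINGS, CMDB)
    for item in ranked:
        print(f"{item['score']:>3}  {item['host']:<7} {item['finding']}  {item['action']}")
    for (group, window), batch in remediation_batches(ranked, CMDB):
        print(f"change request for {group} @ {window}: hosts={sorted(batch['hosts'])}")
```

Two design points carry over to a real integration. First, a host that is absent from the CMDB must not vanish from the ranking just because it has no business priority; giving it a default keeps the shadow-IT finding visible until an owner is assigned. Second, batching by change window is what lets the "Go Fix It" style approval on the later slides approve one request per maintenance window rather than one per vulnerability.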

23 The SecOps Portal

24 Remediation

25 Scheduling and Approvals: how to schedule vulnerabilities to be fixed using patches. Select what to remediate; Emergency Fix Request Approval ("Go Fix It" button); scheduling and approvals.

26 Configuration Packages: how to select and schedule vulnerabilities that can be fixed using configuration packages ("Use a Config package").

27 Results: job results for remediation group actions.

28 Next Steps. For more information on Intelligent Compliance and Closing the SecOps Gap:
- Contacts: Seth Corder (@corderseth); Jonathan Trull (@jonathantrull); www.bmc.com/CloseSecOpsGap
- Resources: the webinar replay link and other resources will be emailed to you after the webinar.
- Additional resources online: www.bmc.com/SecOps, www.qualys.com

29 Sources
- "More than 90% of recent breaches were preventable: remediation for exploited vulnerabilities was available on the day each breach occurred and, if applied, would likely have averted the breach." Online Trust Alliance (OTA), 2015 Data Protection Best Practices and Risk Assessment Guides.
- "The average cost of a data breach to a company has reached $195 per record lost, or around US $5.85 million per breach event." and "Research indicates 43% of firms had a data breach in the past year." Ponemon Institute, 2014 Cost of Data Breach Study, May 5, 2014.
- "70% of companies hit by data breaches in 2014 learned of the breach from outsiders." PwC, 2014 Information Security Breaches Survey, www.pwc.co.uk/assets/pdf/cyber-security-2014-exec-summary.pdf
- "79% of vulnerabilities have patches available on day of disclosure." Secunia Research, The Secunia Vulnerability Report 2014.
- "More than 80% of attacks target known vulnerabilities." F-Secure, Companies Risking Their Assets with Outdated Software.
- "On average, it takes 193 days to patch an identified vulnerability." WhiteHat Security, Website Security Statistics Report, https://www.whitehatsec.com/assets/WPstatsReport_052013.pdf
- "1.1 billion records were compromised (that are known) across 3014 data breach incidents in 2014." Risk Based Security, 2014 Year-End Data Breach QuickView Report, http://www.riskbasedsecurity.com/reports/2014-YEDataBreachQuickView.pdf
- "Many firms feel their annual security budgets are only about 50% of what they really need to adequately address the problem." EY, Under Cyber Attack: EY's Global Information Security Survey 2013, http://www.ey.com/Publication/vwLUAssets/EY_-_2013_Global_Information_Security_Survey/$FILE/EY-GISS-Under-cyber-attack.pdf
- "61% of CEOs are concerned about security, up from 48% last year." PwC, 18th Annual Global CEO Survey.
- "According to Mandiant, the median time taken for organizations to detect that threat groups are present on their network is 229 days, just a few days shy of eight months." Mandiant, M-Trends 2014 Threat Report, https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf

30 Thank you! Questions? Find out more: bmc.com/secops

