Avoiding Data Breaches in 2016: What You Need to Know. David Monahan, Research Director, Enterprise Management Associates (EMA); David Cramer, VP of Product Management, BMC

Page 1: Avoiding Data Breaches in 2016: What You Need to Know

Avoiding Data Breaches in 2016: What You Need to Know

David Monahan, Research Director, Enterprise Management Associates (EMA)

David Cramer, VP of Product Management, BMC

Page 2: Avoiding Data Breaches in 2016: What You Need to Know

Today’s Presenters

Slide 2 © 2016 Enterprise Management Associates, Inc.

David Monahan – Research Director, Risk and Security

David is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies.

David Cramer, VP of Product Management, BMC

David joined BMC in 2015 and serves as Vice President of Product Management for the Cloud/DCA business unit. Prior to BMC, David was head of product management for CA Technologies. During his tenure at CA, David was responsible for application delivery, cloud management, virtualization and infrastructure automation solutions. Before joining CA, David held executive positions at AlterPoint, Motive, NetSolve, and Nortel Networks.

Page 3: Avoiding Data Breaches in 2016: What You Need to Know

Logistics for Today’s Webinar

Questions

• Log questions in the Q&A panel located on the lower right corner of your screen

• Questions will be addressed during the Q&A session of the event

Event recording

• An archived version of the event recording will be available at www.enterprisemanagement.com

Event presentation

• A PDF of the PowerPoint presentation will be emailed to you as part of the follow-up email.

Page 5: Avoiding Data Breaches in 2016: What You Need to Know

© Copyright 5/20/2016 BMC Software, Inc.

WE LIVE IN AN INCREASINGLY DIGITAL WORLD

Page 6: Avoiding Data Breaches in 2016: What You Need to Know

Have We Been Sitting in a Pot Coming to a Boil?

• Cyber-security/information security was an afterthought, an obligation, or a low-priority insurance policy

• 51%: Spending Between 10%-24% of IT Budget on Security

• 26%: Spending Between 20% and 30% (They Are Playing Catch-Up)

Page 7: Avoiding Data Breaches in 2016: What You Need to Know

Keeping Organizations Secure Against Cyber Criminals Has Never Been Tougher

97% of executives expect a rise in data breach attempts in the next 12 months

As a result, 99% plan to invest more in security in the next 12 months than they did in 2015.

Page 8: Avoiding Data Breaches in 2016: What You Need to Know

BMC Study Shows: Many Breaches Are Avoidable

44% of executives say security breaches occur even when vulnerabilities and their remediation have already been identified

“There’s so many more vectors that are easier, less risky and quite often more productive than going down that route. This includes, of course, known vulnerabilities for which a patch is available but the owner hasn’t installed it.” Rob Joyce, Chief of NSA’s Tailored Access Operations

Page 9: Avoiding Data Breaches in 2016: What You Need to Know

Decline of Baselines and Asset Prioritization

Page 10: Avoiding Data Breaches in 2016: What You Need to Know

Decline in Monitoring High Value Assets

Page 11: Avoiding Data Breaches in 2016: What You Need to Know

Decline in Security Confidence

79% of organizations were only “somewhat confident” to “highly doubtful” that their security program could detect a security incident before it had a significant impact on their environment.

Page 12: Avoiding Data Breaches in 2016: What You Need to Know

CVE® (Common Vulnerabilities and Exposures)

“A dictionary of common security exposures and vulnerabilities”

• Total Count (Oct 8, 2015): 71,951

• Total Count (Nov 15, 2015): 72,805

• 854 new bulletins in 38 days

• 22 per day

• 8030 per year

What you know and don’t fix can hurt you

Page 13: Avoiding Data Breaches in 2016: What You Need to Know

Even “small” threats can cause “BIG” issues…

ATTACKS: More than 80% of attacks target known vulnerabilities

FIX READY: 99.9% of exploited vulnerabilities were compromised over a year after the CVE was published

Page 14: Avoiding Data Breaches in 2016: What You Need to Know

So Why Do Vulnerabilities Go Unaddressed?

Visibility – you can’t patch what you don’t know

Downtime – hard to schedule maintenance times with users

Complexity – dependencies make it hard to isolate actions

193 days to resolve the average vulnerability

Page 15: Avoiding Data Breaches in 2016: What You Need to Know

Complexity and Lack of Visibility

Slide 15 © 2014 Enterprise Management Associates, Inc.

Drivers for Lack of Value in Tools

#2 Tools do not provide adequate correlation of data to business impact

#5 Tools do not provide enough visibility into the ways threats appear and/or propagate in the environment

Over 90% of Outages Caused by Unscheduled or Undocumented Changes

Complexity is the Bane of Security

Complexity in Tools = shelf-ware, thus lack of ROI

Complexity in Architectures = Security Gaps and failures

Page 16: Avoiding Data Breaches in 2016: What You Need to Know

Operations: Reduce downtime

80% of downtime due to misconfigurations

Security: Close the window of vulnerability

43% of companies have had a data breach

Page 17: Avoiding Data Breaches in 2016: What You Need to Know

A Three-Pronged Game Plan

To stay on top of today’s complexities, threats and opportunities, large enterprises are developing SecOps strategies that focus on three core areas:

People: Security and operations professionals share aligned goals for making business systems more secure and reliable

Processes: Guide and integrate the activities and data sets of key stakeholders in security and IT operations

Technology: Enable efficient, consistent and integrated processes to enable IT Operations and Security efforts

Page 18: Avoiding Data Breaches in 2016: What You Need to Know

People Problems

68% of Organizations are Experiencing Security Staffing Problems!

Page 19: Avoiding Data Breaches in 2016: What You Need to Know

Integration and Scalability are Crucial for Security!

• We Can’t Just Throw People at the Problem!

• 95% of Organizations with 10 or Fewer FTEs Experienced More Than 100 Severe/Critical Security Alerts PER DAY

• 70%: Scalability of Automation is Important to Meet Compliance Needs

• 93%: Integration is Important for Security

Page 20: Avoiding Data Breaches in 2016: What You Need to Know

Where Do Organizations Stand?

• 88%: Integration is important for Vulnerability Mgmt.

• 71%: Ease of Use Important for Vulnerability Mgmt.

• 82%: Scalability is Important for Automation solutions

• 87%: Scalability is Important when dealing with Vulnerability Mgmt.

Page 21: Avoiding Data Breaches in 2016: What You Need to Know

Page 22: Avoiding Data Breaches in 2016: What You Need to Know

BMC BladeLogic: Relentless Remediation

Automate to eliminate threats before they become a breach entry point

• Automatic correlation of discovered vulnerabilities and BSA patches

— Filter to systems through operational views

— Deploy remediation actions

• Network vulnerability identification and remediation action capabilities

• Direct integration with Change Management

Reduce cost and time associated with remediating vulnerabilities

Page 23: Avoiding Data Breaches in 2016: What You Need to Know

Threats are neutralized… is that it?

52% of enterprise leaders equate regulatory compliance with tighter security.

“We must sustain our operations and defenses before, during, and after an attack by reducing the attack surface, continually improving defensive cyberspace operations, and effectively commanding and controlling the DODIN.” DISA Strategic Plan

Page 24: Avoiding Data Breaches in 2016: What You Need to Know

BMC BladeLogic: Vigilant Compliance

Manage by policy, not just by alert…

Page 25: Avoiding Data Breaches in 2016: What You Need to Know

Criteria That Decision Makers Consider Important in SecOps Solutions

• 62% want flexibility to tailor the solution to the specific regulations in their industry

• 58% want integration with service desks and change-management processes

• 50% share that they want reporting for compliance audits

Page 26: Avoiding Data Breaches in 2016: What You Need to Know

Customer Success with SECOPS

State of Michigan

• Reduced time for Audit report creation from 32 hours to 15 minutes

• Reduced time for server provisioning from 2 months to 5 days

• Reduced 9,000+ staff hours by automatically remediating 94,273 events

Page 27: Avoiding Data Breaches in 2016: What You Need to Know

Log Your Questions in the Q&A Panel

Learn More About Leading IT Analyst Firm Enterprise Management Associates: http://www.enterprisemanagement.com
