02 Security

Risk Mitigation Requires Remediation at Scale
Eric Anderson, Chief Architect DSO
Cyber Security – Two different worlds

Vulnerability Management
• Traditional scanning of VMs or systems
• Zero Days, CVEs identified, Patch Management
“We just can’t keep up with the volume of vulnerabilities found”

Cloud Security & Governance
• Ignorance – Misconfigured cloud services
• Education, time to value, rapid pace of change
“We didn’t realize this was an issue … until now.”

© Copyright 2017 BMC Software, Inc. BMC Confidential—Internal Use Only


VULNERABILITY MANAGEMENT

View of the Customer
• Vulnerability Management is Critical – 58% reported a data breach last year
• Reactive Not Proactive – 60% focus on response, not prevention
• Cybersecurity Skills Shortage – 51% say the cybersecurity skill shortage is problematic



Current Situation: Unrelenting pressure to patch vulnerabilities

[Chart: Common Vulnerabilities and Exposures (CVEs) by Year. Source: CVEdetails.com]
2013: 5,297
2014: 7,946
2015: 6,480
2016: 6,447
2017: 14,712
2018 (through March): 3,392

Nearly 15K CVEs in 2017 and on pace to surpass that in 2018

84 – Average number of days to patch vulnerabilities
30 – Median days to first exploit of a known vulnerability
99% of exploited vulnerabilities will be known by Security and IT for over 1 year – Gartner
Security vs Ops “Problem”

Security – Find vulnerabilities, prevent intrusion
• Qualys
• Rapid7
• Tenable

Operations – Fix vulnerabilities
• Patch
• Configure

50,000 vs 5,000
What/Who/When/How?
CURRENT STATE: VULNERABILITY MANAGEMENT PROCESS

Process step (owner) – Typical Vulnerability Mgmt. Process Highlights

1. Weekly / monthly vulnerability scanners (IT Security) – Scanners do weekly or monthly scans but might not pick up all resources, leading to blind spots.
2. Scan results sent to Ops (IT Security → Operations; this handoff is the SecOps Gap) – May contain thousands of lines of data with no more context than IP address and vulnerability.
3. Ops receives, analyzes and plans work (Operations) – Manual analysis can take weeks.
4. Change ticket opened (Operations) – Manual tickets can take 30 minutes to open, including all documentation required.
5. CAB approval due to risk (Operations) – CAB approvals can involve tens of people spending hours discussing and approving.
6. Remediation analysis and planning (Operations) – Matching remediation tasks to vulnerabilities can be onerous. WannaCry had over 40 patch variants based on OS. Companies can have hundreds of maintenance windows.
7. Remediation execution (Operations) – May include configuration changes or patches. Application owners might delay or control execution.
8. Rescan for verification (IT Security) / change ticket closed (Operations) – By the time the remediation cycle is complete, new scan data might be arriving that includes remediations already in process.

Legend (colour-coded on the original slide): Security step, Ops step, Semi-Automated step, Manual step
REQUIRED CAPABILITIES

Vulnerability Management
• Automated Discovery: The ability to automatically discover infrastructure, applications and dependencies within an ecosystem without needing agents
• Integrated Vulnerability Assessment: The ability to integrate data from 3rd party vulnerability scanners with other business contextual data to identify business risk
• Real-Time Visualization: The ability for security and operations teams to visually assess the ecosystem for vulnerabilities and non-compliance
• Vulnerability Lifecycle Management: The ability to track the status of identified vulnerabilities through remediation to ensure compliance with governance processes

Multi-Tier Remediation
• Automated Remediation: The ability to automatically remediate vulnerable devices or cloud services across servers, network and multi-cloud
• Operational Context: The ability to incorporate business context and maintenance windows into remediation planning and execution

Configuration Compliance
• Continuous Policy Based Compliance: The ability to continuously assess and report upon network or server compliance automatically through use of defined standards and policies
Automation At Scale

Maturity stages (as laid out on the slide, top to bottom along the “Maturity” axis):
• Change – Closed Loop
• Enrichment – Operational Intelligence
• Discovery – Blind Spot Analysis
• Multi Tiered – Synergies
• SecOps – Align Security and Ops
• Remediation – Increase Velocity
• Scanning – Understand Vulnerability

[Diagram residue: products and data flows – TS Server Automation, TS Orch, TS Vuln Mgmt, Remedy, Change Mgmt, Schedule; elements Public Cloud, Private Cloud, Patch, Catalog, Scan, Vulnerabilities, Enrichment, Discovery, Security, Tracking, Prioritization.]
TrueSight Vulnerability Management
• Identify blind spots to ensure that all systems are being analyzed
• Combine security and operations data for more accurate and actionable analysis
• Prioritize and fix the most critical flaws first
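The process table above describes scan output that arrives with no more context than an IP address and a vulnerability, and the capabilities that follow it (Integrated Vulnerability Assessment, Operational Context, blind-spot analysis, prioritization) all amount to joining that output with operational data. The script below is an added example of that join, written for this page and not BMC TrueSight code: the scanner export, the asset inventory, the CVE identifiers (placeholders, not real CVEs), the maintenance windows and the CVSS × criticality scoring rule are all constructed. It flags hosts in inventory that the scanner never reported on (blind spots), IPs the scanner saw that inventory does not know (the reverse gap), and groups the remaining work by maintenance window with the highest-risk items first.

```python
"""Enrich raw vulnerability-scanner output with operational context, surface
blind spots, and group remediation work by maintenance window.

Added example for this page, not BMC TrueSight code. The scanner export, the
asset inventory, the CVE identifiers (placeholders, not real CVEs) and the
scoring rule are all constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed scanner export: the "IP address and vulnerability" level of
# context the deck says Operations typically receives. CVE ids are placeholders.
SCAN_CSV = """\
ip,cve,cvss
10.0.1.10,CVE-0000-0001,8.1
10.0.1.10,CVE-0000-0002,8.1
10.0.1.11,CVE-0000-0001,8.1
10.0.2.20,CVE-0000-0003,7.5
10.0.9.99,CVE-0000-0001,8.1
"""

# Constructed CMDB / asset inventory: the operational context the scanner
# lacks. criticality runs 1 (low) .. 5 (business critical).
ASSETS = [
    {"ip": "10.0.1.10", "host": "erp-db-01",  "criticality": 5, "owner": "erp-team", "window": "Sat 02:00-06:00"},
    {"ip": "10.0.1.11", "host": "erp-app-01", "criticality": 4, "owner": "erp-team", "window": "Sat 02:00-06:00"},
    {"ip": "10.0.2.20", "host": "web-01",     "criticality": 3, "owner": "web-team", "window": "Sun 01:00-03:00"},
    {"ip": "10.0.3.30", "host": "hr-app-01",  "criticality": 4, "owner": "hr-team",  "window": "Sun 01:00-03:00"},
]

UNSCHEDULED = "UNSCHEDULED (not in inventory)"


def parse_scan(text):
    """Parse the scanner CSV export into a list of finding dicts."""
    findings = list(csv.DictReader(io.StringIO(text)))
    for f in findings:
        f["cvss"] = float(f["cvss"])
    return findings


def enrich(findings, assets):
    """Join each finding with its asset record and compute a priority score.

    Score = CVSS x business criticality (constructed rule). IPs with no
    inventory record are kept, flagged tracked=False, and scored at the
    lowest criticality so they are not silently dropped from the plan.
    """
    by_ip = {a["ip"]: a for a in assets}
    enriched = []
    for f in findings:
        asset = by_ip.get(f["ip"])
        e = dict(f)
        if asset is None:
            e.update(host=None, criticality=1, owner=None, window=None, tracked=False)
        else:
            e.update(host=asset["host"], criticality=asset["criticality"],
                     owner=asset["owner"], window=asset["window"], tracked=True)
        e["score"] = round(e["cvss"] * e["criticality"], 1)
        enriched.append(e)
    return enriched


def blind_spots(findings, assets):
    """Inventory hosts the scanner reported nothing for.

    Silence is not a clean bill of health: a host absent from the export
    most likely fell outside scanner scope and needs a coverage check.
    """
    scanned = {f["ip"] for f in findings}
    return sorted(a["host"] for a in assets if a["ip"] not in scanned)


def untracked_ips(enriched):
    """The reverse gap: IPs the scanner saw that are missing from inventory."""
    return sorted({e["ip"] for e in enriched if not e["tracked"]})


def remediation_plan(enriched):
    """Group findings by maintenance window, highest score first in each window."""
    plan = defaultdict(list)
    for e in sorted(enriched, key=lambda e: e["score"], reverse=True):
        plan[e["window"] or UNSCHEDULED].append(e)
    return dict(plan)


if __name__ == "__main__":
    findings = parse_scan(SCAN_CSV)
    enriched = enrich(findings, ASSETS)
    print("Blind spots (in inventory, never scanned):", blind_spots(findings, ASSETS))
    print("Untracked (scanned, not in inventory):", untracked_ips(enriched))
    for window, items in remediation_plan(enriched).items():
        print(f"\n{window}")
        for e in items:
            print(f"  {e['score']:>5}  {e['host'] or e['ip']:<12} {e['cve']}  owner={e['owner']}")
```

With the constructed data, hr-app-01 comes back as a blind spot (it is in inventory but absent from the scan), 10.0.9.99 comes back as untracked, and the Saturday window lists the business-critical ERP database ahead of the application server even though both carry the same CVSS score. Both gaps are deliberately kept visible rather than dropped: an unscanned host and an unknown host are the two ways a vulnerability escapes the process entirely.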



TrueSight Server Automation

Provisioning
– Bare metal, virtual
Configuration Management
– Remote administration
– Access Management
– Snapshot/Audit/Live Browse
– File and Software deploy
Security and Regulatory Compliance
– PCI/DISA/CIS/SOX/HIPAA
– Open Standard – SCAP 1.2
– Vulnerability management
Patching
– Scan & Patch Deployment
Analytics and Dashboard
TrueSight Network Automation

Vulnerability Remediation: Combine with TrueSight Vulnerability Management for unprecedented visibility and remediation planning. Out-of-box content for Cisco® security advisories.

Compliance: Use the compliance engine to apply standards for regulatory and security rules such as SOX, PCI-DSS, HIPAA, NIST, DISA, and CIS.

Configuration: Implement a policy-based approach to configure or change network devices with templates based on best practices to simplify administration and ongoing maintenance.

OS Image Management: Manage OS images with built-in OS image library and deploy actions.

Administration: Fine-grained RBAC, engineering and executive reporting, heterogeneous management,

[Diagram: managed network device types – Router, VPN, Switch, Firewall, Content Switch, Load Balancer, Wireless – reached via Out of Band Change and In Band Change paths.]



Strategic Direction – Vulnerability Management

Current: TS Vulnerability Management
 Fix SecOps Gap
 Increased visibility
 Operational Intelligence
 Automate for velocity

Patch Orchestration
• Orchestrate Patches
• Dev/QA/Prod lifecycle
• Automate for complexity

2019: Self Service Patching
• Service based Risk Scoring
• Self-Service Remediation
• Lifecycle aware
CLOUD GOVERNANCE AND SECURITY



“Through 2020, 95 percent of cloud security failures will be the customer’s fault.” – Gartner, “Gartner Predicts 2016 and Beyond: Cloud Security”

• Massive Verizon data breach exposes 14 million user records due to an unsecured S3 bucket
• 60,000 sensitive DOD files left on publicly accessible AWS service
• Dow Jones became the latest organization affected by an AWS cloud data leakage due to misconfiguration and user error
• Time Warner hacked – AWS config exposes 4 million subscribers’ data
• Bitcoin miners hacked Tesla’s AWS and GCP Kubernetes clusters



[Diagram: a single AWS account with Your Policies applied across its services – IAM, Lambda, RDS, Elastic Search, Glacier, S3.]



[Diagram: Your Policies applied across several AWS accounts – AWS Pre-Prod, AWS Quality, AWS Development.]



[Diagram: the estate growing from AWS alone to AWS, Azure, GCP and Softlayer, plus on-premise VMware and Hyper-V.]



BMC TrueSight Cloud Security – Core Capabilities

 SaaS Delivery: Get started quickly, rapid time-to-value
 Cloud and On-Premise Connectors: Multiple feeds, single dashboard
 OOTB Connectors/Policies: Easily extended or customized as code
 Continuous or On-Demand Scans: Monitor resources as needed
 Auto Remediation: Fix non-compliant cloud resources in one step
 Secure #MultiCloud Resources: EC2, S3 buckets, ElasticSearch, etc.
 Secure Containers: Kubernetes, Docker host, daemon and images
 Secure Applications: Embed compliance in DevOps processes
 RESTful API: Utilize service from scripts or applications
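The capability list above (policies as code, continuous scans, one-step auto remediation) and the headlines earlier in the deck (public S3 buckets, exposed cloud configuration) describe the same loop: evaluate resource configuration against policy, fix what fails, rescan to verify. The script below is an added example of that loop, written for this page and not TrueSight Cloud Security’s own policies, connectors or API. The resource records, their field names, the two policies and their fixes are constructed; a real connector would fetch the records from the cloud provider’s API and push the fixes through it. The remediation works on a copy so the proposed changes can be reviewed before anything is applied, and the rescan of that copy is the verification step.

```python
"""Policy-as-code checks over a normalized cloud-resource inventory, with a
one-step remediation and a verification rescan.

Added example for this page, not TrueSight Cloud Security's own policies,
connectors or API. The resource records, field names, policy names and
fixes are constructed; a real connector would fetch the records from the
cloud provider's API and apply the fixes through it.
"""
from copy import deepcopy

ADMIN_PORTS = {22, 3389}   # SSH and RDP
ANY_IPV4 = "0.0.0.0/0"

# Constructed inventory, shaped as a hypothetical connector might normalize it.
RESOURCES = [
    {"type": "s3_bucket", "id": "customer-exports", "acl": "public-read", "block_public_access": False},
    {"type": "s3_bucket", "id": "build-artifacts", "acl": "private", "block_public_access": True},
    {"type": "security_group", "id": "sg-web",
     "ingress": [{"port": 443, "cidr": ANY_IPV4}, {"port": 22, "cidr": ANY_IPV4}]},
    {"type": "security_group", "id": "sg-db",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
]


def check_s3_public(res):
    """Return a reason string if the bucket can be read publicly, else None."""
    if res["type"] != "s3_bucket":
        return None
    if res["acl"] != "private" or not res["block_public_access"]:
        return f"acl={res['acl']}, block_public_access={res['block_public_access']}"
    return None


def fix_s3_public(res):
    """Make the bucket private and turn on the public-access block."""
    res["acl"] = "private"
    res["block_public_access"] = True


def _open_admin_rules(res):
    return [r for r in res["ingress"] if r["port"] in ADMIN_PORTS and r["cidr"] == ANY_IPV4]


def check_sg_admin_open(res):
    """Return a reason string if SSH/RDP is reachable from the whole internet."""
    if res["type"] != "security_group":
        return None
    rules = _open_admin_rules(res)
    if rules:
        return "admin ports open to " + ANY_IPV4 + ": " + ", ".join(str(r["port"]) for r in rules)
    return None


def fix_sg_admin_open(res):
    """Drop only the offending rules; 443 from anywhere on a web tier stays."""
    bad = _open_admin_rules(res)
    res["ingress"] = [r for r in res["ingress"] if r not in bad]


POLICIES = [
    {"name": "s3-no-public-access", "severity": "critical",
     "check": check_s3_public, "fix": fix_s3_public},
    {"name": "sg-no-admin-from-internet", "severity": "high",
     "check": check_sg_admin_open, "fix": fix_sg_admin_open},
]


def scan(resources):
    """Evaluate every policy against every resource; return the findings."""
    findings = []
    for res in resources:
        for policy in POLICIES:
            reason = policy["check"](res)
            if reason:
                findings.append({"policy": policy["name"], "severity": policy["severity"],
                                 "resource": res["id"], "reason": reason})
    return findings


def remediate(resources, findings):
    """Apply each finding's fix to a copy of the inventory.

    Returns (remediated_copy, action_log). The input is left untouched so the
    proposed changes can be reviewed (or attached to a change ticket) before a
    connector pushes them; rescanning the copy verifies the result.
    """
    fixed = deepcopy(resources)
    by_id = {r["id"]: r for r in fixed}
    fix_for = {p["name"]: p["fix"] for p in POLICIES}
    log = []
    for f in findings:
        fix_for[f["policy"]](by_id[f["resource"]])
        log.append(f"{f['policy']}: remediated {f['resource']}")
    return fixed, log


if __name__ == "__main__":
    findings = scan(RESOURCES)
    for f in findings:
        print(f"[{f['severity']}] {f['resource']}: {f['policy']} ({f['reason']})")
    fixed, log = remediate(RESOURCES, findings)
    print("\n".join(log))
    print("rescan after remediation:", scan(fixed))
```

On the constructed inventory the scan produces two findings (the public bucket and the security group exposing SSH to the internet), the remediation closes both, and the rescan of the remediated copy returns nothing. The web security group keeps its HTTPS rule: the fix removes only the rules a policy objected to, which is the difference between a remediation an application owner will accept and one they will block.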



Strategic Direction – Cloud Management Services

Cloud Management Platform

KEY VALUE CASES
• Cloud Security (Today)
• Cloud Cost Optimization (Dec 2018)
• Guard Rails Automation (2018)
• Cloud Performance & Orchestration

Cloud Platform Services
• UI Portal
• User & Tenant Management
• Policy Engine
• Remediation & Actions
• Cloud Compliance Connectors

CLOUD NATIVE APPLICATIONS | AWS | AZURE | GCP | CONTAINERS | KUBERNETES



