News of the hacking of Sony Pictures remains top of mind for everyone who manages digital assets, which is to say, all of us. It appears that professional hackers targeted Sony, but it’s not clear if Sony could have prevented the hack or not.
What is clear is that Sony’s executive management, and shareholders, will be very interested to know just what Sony was doing to protect their digital assets. No doubt there will be IT Security auditors pouring through vulnerability reports and logs, comparing them to system change logs, ensuring that reasonable business practices, company policies, and applicable regulatory standards were adhered to. This is where they may experience the post-hack audit blues!
This is the kind of audit that many companies in the past did once a year, or less frequently, because it’s difficult and can be costly. But as we’ll see in the Sony case, and in other security break-ins, not only is it important that IT remains vigilant and compliant with established guidelines, they must be able to prove that they are compliant to external parties too.
At BMC, we provide automation tools that many Fortune 500 IT organizations use as part of their defense against hackers, and satisfy the requirement for compliance and audit. We call the set of best practices, policies, and procedures “Intelligent Compliance”. Following them not only closes the gap between IT Security and Operations, but it also establishes the necessary elements for audit reporting in a most timely fashion.
Key Components of “Intelligent Compliance”
- Define Policies: What standard configurations, software components, password complexity rules are required?
- Validate Compliance: Do all of the servers comply with your policies? This includes servers in your data center, and those hosted in private and public clouds. What about databases? Networks?
- Open Change Tickets for Violations: It’s important to have a record that the validation was discovered, and to assign the remediation task to an owner.
- Trigger Remediation Procedures: this is where automation is an absolute necessity. There are thousands of things that can and do go wrong, on thousands of virtual and physical servers. Automated procedures help you get this part right.
- Gain Approvals: An integrated help desk ticketing system with automated workflow is needed to ensure the proper approvals are obtained
- Execute Remediation: Apply the patch(s), orchestrate, reboot/restart as needed
- Verify Compliance: Ensure that the jobs completed
- Close Ticket(s): Closing the integrated job ticket(s) enables the final step,
- Report Compliance: Generate reports from the system showing proof of find, fix, and ultimately systems in compliance.
Closing the SecOps Gap shrinks the window of vulnerability from security breaches and audit failures, reduces the cost and effort of compliance audits, increases the effectiveness of remediation, and ensures that processes are followed, and all required documentation is available and up to date.
Following this practice may not have saved Sony from the hacking breach itself, but if they had it would clearly demonstrate that they exercised reasonable caution, took appropriate steps, and did what they could to minimize risk and liability.