This week I have been taking the temperature of the Gartner Security and Risk Management Summit in London. Security is a very hot topic right now, with a constant drumbeat of news about security breaches. I already wrote about Community health Systems, and now Home Depot are in the news, with some claiming that the consequences could be even more severe than at Target earlier in the year.
All the booths at the Summit are manned by vendors eager to talk about how to detect these issues, and there are some very interesting approaches to solving that problem. The current state of the art in the industry is to move beyond signature-based approaches to security, which attempt to identify known threats, and focus on machine learning and behavioural analysis to identify departures from normal patterns of action on the network.
One big problem, however, remains unaddressed: how to deal with those issues once they have been identified? It is certainly important to be able to detect that you have a problem, but merely knowing about it does not eliminate the issue.
I had many interesting conversations with vendors and Gartner analysts about that critical next step. The concept of the SecOps gap really resonates with the security professionals; they know what they should be doing, but they are hampered in their ability to do it. One statistic cited during the keynote was that 99% of vulnerabilities have a known, documented fix.
So how come companies still get into trouble?
Quite simply, the task of addressing the detected issues falls into that gap between Security and Operations. Sysadmins are caught between conflicting priorities: on the one hand, they do want to close the security holes that have been flagged to them – but on the other, doing that will cause disruption to the business. In the attempt to compromise with both imperatives, all too often they end up satisfying neither, with security issues taking weeks or even months to be resolved, while end users complain about the quality and timeliness of IT service that they receive.
There are two aspects that need to be addressed to close that gap. One is cultural: both security and operations people need to learn to communicate with the business in, well, business terms. Security is just another form of business risk, that needs to be correctly accounted for and prioritised. This is not a technical conversation, but a business conversation, and should be framed as such.
The other aspect is one that BMC is well placed to help resolve, and that is to bridge the technological and process gap. We have the capability to identify issues, whether using our own configuration audit capabilities, or by receiving notifications for dedicated vulnerability scanning solutions, but most importantly, we can act upon those issues in a safe and rapid manner. We are also able to enforce governance of the entire process, avoiding disruption of business-critical services due to remediation activity.