This last week brought major changes in the business cost of poorly automated IT security. A US federal judge ruled that banks can sue Target to recover damages because poor security played a “key role” in allowing its systems to be compromised.
Banks now have the ability to go after merchants that have been hacked. From here it is a short step to envision that the direct business cost of a security breach will be dwarfed by the follow on lawsuits from vendors and customers who were harmed by the breach.
This brings us to the SecOps Gap: this is the time between when the security team identifies a vulnerability and the time when the IT ops team fixes that vulnerability. Without automation, enterprises take on average 193 days to resolve critical vulnerabilities according to a recent White Hat security report. This is because most companies lack sufficient automation to ensure that critical problems detected by vulnerabilities scanners will be fixed in a timely fashion.
So what does a business need to do to prove that they are using reasonable care both to detect potential threats and vulnerabilities as well as acting quickly to fix those vulnerabilities? It boils down to two sets of security policies:
- Run the business security policies: these are day to day rules that will be applied consistently across all compute infrastructure including physical, virtual and cloud servers, along with security automation to apply those rules and change management to prove that the rules were applied.
- Save the business security policies: these are extraordinary rules that will be applied only when a security breach is detected , coupled with security automation to minimize the damage and change management to verify results.
In fact, Forrester just issued a report entitled “A Call To Action To Automate Breach Response” that calls for enterprises to develop an automated threat response process. This process, along with appropriate tools, allows companies to respond quickly to critical security vulnerabilities – creating automated workflows that can shut down malicious activity with minimal red tape.
At a minimum, a security automation solution requires components to perform the following tasks
- Discovery: the starting point for any security solution is making sure you know where all your servers are using a discovery tool such as Atrium Discovery and Dependency Mapping. This is becoming even more challenging as shadow IT teams adopt public cloud and internal IT teams stand up multiple private clouds, each with disparate governance policies.
- Vulnerability detection: tools to identify potential security problems such as Qualys. These tools need to be run frequently, not just once or twice a year to pass an audit.
- Automated remediation: integrating vulnerability detection with automated remediation to close the SecOps gap is the core of sound security policy using solutions such as BMC Intelligent Compliance.
- Change management: once security vulnerabilities have been addressed, the fixes need to be documented in a product such as Remedy Change Management. This is not only important for internal verification and audit needs, but also to prove adherence in case of a legal challenge.