The world is fair; it just is not centered on you or your company. My last blog discussed yet another company that failed to protect its customers’ data and now faces a serious loss of reputation and expensive fines. The Identity Theft Resource Center reported 783 data breaches in 2014, up 27.5% over 2013. These are just the major breaches that were reported in the media or that required notification to government agencies. In most cases these breaches exposed information that increased the risk of identity theft for the company’s customers. The Ponemon Institute estimates that such a breach costs a company on average over $200 per lost record, plus any government or compliance fines. In January, Experian reported that almost half of the companies it surveyed had at least one security incident in 2014. Cybercriminals and cyber-terrorists stole slightly over one billion records in 2014. I expect the 2015 number to be substantially higher.
As I have reported before, most of these attacks target known vulnerabilities. Defenders have a head start, too: for almost 80% of disclosed vulnerabilities a patch is available on the day of disclosure. The obvious question is, “Why are so many companies still getting successfully attacked?” The answer varies from “We do not really care” to “It is hard.” Customer abandonment will eventually fix the first group of companies. For the rest, it is hard. It is hard to keep up with all of the patches, and sometimes even harder to keep track of where everything is in your IT environment, especially as you move to the Cloud. It is hard to schedule the time to do the updates without impacting your customers or your internal operations. Sometimes the internal IT structure itself gets in the way, with different groups holding seemingly contradictory priorities: “keep us up” vs. “keep us secure” vs. “reduce IT costs.” Target fell into this bind, and is still paying for that mistake.
The primary reason the attacks that make the news are so large, impacting millions of people, is that companies are very slow to detect that they are being attacked, and then slow to do something about it. On average, it is taking companies six to nine months from the time malware is introduced into their IT environment until they have resolved the problem.
I had the privilege of talking to a couple of BMC executives in advance of their February 25, 2015, announcement of a new joint platform called the Intelligent Compliance Solution. Intelligent Compliance merges the security capabilities of Qualys into the remediation and operations management software provided by BMC. The result makes staying secure much easier and provides timely warnings of vulnerabilities and policy violations.
BMC is an American company incorporated in 1980. Its name is not an acronym, but simply the first letter of the three founders’ last names: Scott Boulette, John Moores and Dan Cloer. Today it is a $2 billion company with about 6,000 employees specializing in transforming the IT digital enterprise. BMC products and services support about 20,000 companies and address six principles of digital transformation: an intuitive user experience, actionable intelligence, adaptive automation, optimized infrastructure and cost, agile applications, and compliance and risk mitigation.
Qualys is an American company founded in 1999 that provides cloud security, compliance and related services to about 7,700 companies. Qualys’ tag line is “Continuous Security in a Unified Cloud Solution.” Gartner has given Qualys a “Strong Positive” rating for these services for the past five years.
At a high level, what this partnership provides is this: the Qualys security scanning feeds vulnerability information to BMC, where each vulnerability is matched with the appropriate software patch for automated remediation.
The bottom line:
- Reduce the window of vulnerability by reducing time from detection to resolution.
- Improve IT operations performance by correctly applying the appropriate patches automatically with minimal or no impact to customers.
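To make the scan-to-remediation flow concrete, here is an added example in Python that is not Qualys or BMC code and uses none of their APIs. It takes a set of scanner findings (host, vulnerability id, severity, date first seen), joins them to a catalogue of available patches, and produces a per-host remediation plan ordered by severity and by how long the host has been exposed. The host names, vulnerability ids (V-001 and so on), patch ids and dates are all constructed for the illustration. It also shows two details a practitioner cares about: one patch closing several findings collapses into a single job, and a finding with no patch in the catalogue is surfaced separately instead of silently dropped.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: int      # scanner severity, 1 (low) .. 5 (critical)
    first_seen: date   # date the scanner first reported it on this host


@dataclass(frozen=True)
class Patch:
    patch_id: str
    fixes: frozenset   # vulnerability ids this patch closes
    reboot_required: bool


@dataclass
class HostPlan:
    host: str
    max_severity: int
    exposure_days: int   # days since the oldest open finding was first seen
    patches: list        # patch ids to apply, deduplicated and sorted
    unpatched: list      # findings with no patch in the catalogue
    needs_reboot: bool   # at least one patch needs a maintenance window


# Constructed sample input (hypothetical hosts, ids and dates, not real scan output).
TODAY = date(2015, 3, 1)
FINDINGS = [
    Finding("web01", "V-001", 5, date(2015, 1, 10)),
    Finding("web01", "V-002", 3, date(2015, 2, 1)),
    Finding("db01", "V-001", 5, date(2015, 1, 12)),
    Finding("db01", "V-003", 4, date(2015, 2, 15)),
    Finding("app02", "V-004", 2, date(2015, 2, 20)),
]
PATCHES = [
    Patch("KB-1001", frozenset({"V-001", "V-002"}), reboot_required=True),
    Patch("KB-1002", frozenset({"V-003"}), reboot_required=False),
    # V-004 deliberately has no patch in the catalogue.
]


def index_patches(patches):
    """Map each vulnerability id to the patch that fixes it.

    One patch often closes several findings, so two findings on a host
    can collapse into a single patch job. If two patches claim the same
    id, the first one listed wins.
    """
    by_vuln = {}
    for patch in patches:
        for vuln_id in patch.fixes:
            by_vuln.setdefault(vuln_id, patch)
    return by_vuln


def build_plan(findings, patches, today):
    """Join findings to patches and return a HostPlan per host."""
    by_vuln = index_patches(patches)
    plans = {}
    for f in findings:
        plan = plans.setdefault(f.host, HostPlan(f.host, 0, 0, [], [], False))
        plan.max_severity = max(plan.max_severity, f.severity)
        plan.exposure_days = max(plan.exposure_days, (today - f.first_seen).days)
        patch = by_vuln.get(f.vuln_id)
        if patch is None:
            # No patch available: this needs a mitigation, not a patch job.
            plan.unpatched.append(f.vuln_id)
            continue
        if patch.patch_id not in plan.patches:
            plan.patches.append(patch.patch_id)
        plan.needs_reboot = plan.needs_reboot or patch.reboot_required
    for plan in plans.values():
        plan.patches.sort()
        plan.unpatched.sort()
    return plans


def prioritize(plans):
    """Most severe, longest-exposed hosts first."""
    return sorted(plans.values(),
                  key=lambda p: (p.max_severity, p.exposure_days), reverse=True)


def example_plan():
    """Run the constructed sample through the pipeline."""
    return prioritize(build_plan(FINDINGS, PATCHES, TODAY))


if __name__ == "__main__":
    for p in example_plan():
        print(f"{p.host}: severity {p.max_severity}, exposed {p.exposure_days} days, "
              f"apply {p.patches or 'nothing'}, no patch for {p.unpatched or 'none'}, "
              f"reboot={p.needs_reboot}")
```

The exposure figure is the first bottom-line item measured directly: the window of vulnerability for each host, counted from the scanner's first sighting. The reboot flag is where the "keep us up" versus "keep us secure" tension from earlier shows up in the data, because those hosts need a scheduled window while the rest can be patched immediately.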
Morningstar Inc. was an early user of the result. Michael Allen, Morningstar Information Security Officer, said, “With Intelligent Compliance we now have an integrated solution to automate our information security processes, greatly reducing time and cost.” Intelligent Compliance benefits reported by Morningstar include:
- Reduced audit risk by decreasing configuration compliance audit cycle time from two months to five days.
- Reduced audit and patch time by 97%.
- Reduced compliance audit time from five days to twelve minutes per system.
- Provided 100% SOX compliance.
Intelligent Compliance moves towards a concept of continuous audit. Instead of doing an audit every year or every quarter, Intelligent Compliance audits constantly, reporting vulnerabilities and security policy violations as they appear. It leaves audit trails so you know who did what and where, and you can prove it when the actual auditors arrive for a formal audit or when you need to do forensics.
The last word:
Both BMC and Qualys have historically used partnerships to expand their market and capabilities, so it seems, at least in retrospect, obvious that they would consider bringing the security scanning and monitoring capabilities of Qualys to the business service management of BMC products and services.
This solution will not protect you from every cyber attack, but it should significantly reduce your risk and free up some of your IT staff to work on additional security issues plus work on enhancing IT to better support your business.
Keep your sense of humor.