BladeLogic Software-as-a- Service (SaaS) Solution. Help reduce operating cost, improve security compliance, strengthen cybersecurity posture

Transcription

1 BladeLogic Software-as-a- Service (SaaS) Solution Help reduce operating cost, improve security compliance, strengthen cybersecurity posture February 20, 2014

2 Contents The Configuration Security Compliance Challenge Federal Agency Case Study 2

3 Today s ever-changing cyber threat landscape requires organizations to effectively maintain secure standard configurations and continuous awareness System and application vulnerabilities still remain a primary cyber threat exploitation risk for most organizations Why important 66% of the breaches in our 2013 report took months or even years to discover Source: NSS Labs Source: Verizon 2013 Data Breach InveSecurityations Report Three of the First Five quick wins identified by SANS Critical Controls for Effective Cyber Defense deal with secure standard configurations and timely patching of application and system vulnerabilities (2) secure standard configurations (3) application security patch installation within 48 hours (4) system security patch installation within 48 hours Source: SANS Critical Controls for Effective Cyber Defense 3

4 Maintaining standard secure configured and patched servers in a timely and effective manner remains a serious challenge for most large, complex organizations Common Challenges Volume Managing large volumes of security requirements and configuration data Manual Labor-intensive custom-scripting to support scanning and review of compliance data within large server environments Partial Lack of integrated tool suite covering full set of secure configuration and patching requirements Organizational Impact Configuration management Inconsistent configurations subvert operational effectiveness Difficult to track and trend changes across the enterprise Network-wide changes are labor-intensive and error-prone Security compliance auditing Inconsistent results due to individual interpretation Out of date because of constant change Inconsistent implementation of audits Incomplete audits (often to save time) Security compliance remediation No way to verify success No way to back out changes Security compliance reporting No trust in data Must be keyed in by hand Out of date No enterprise view of risk Labor Intensive processes and locally implemented tools do not achieve timely, effective end-to-end risk management 4

5 Federal Agency Case Study

6 Federal is required to deal with a highly diverse and complicated set of security requirements to maintain secure systems Overview Provides processing capability, systems management, communications and storage in support of Department of Defense services, agencies, and combatant commands Secure facilities strategically located throughout the world Support millions of users with petabytes of storage Transitioning from a traditional software implementation and sustainment model to a service provider delivered enterprise SaaS operating model Reduce operating cost Increase operational efficiency Improve customer access to a simple, flexible utility pricing Improve security compliance consistency across its Computing and Data centers Security challenges Transparency of server security configurations Windows Server (32 and 64 bit) RED HAT Linux SUSE Linux (x86, x86_64, s390x and s390) HP-UX Sun Solaris Solaris on INTEL X86 Auditing against stringent security controls over 11,000 Security Requirements compliance rules for servers alone Enterprise-wide visibility of security posture Inventory lifecycle control of tens of thousands of servers Long discovery, incident response, and compliance reporting times 6

7 Federal Agency Services and Operations - Overview Enterprise Services Patch Analysis and Deployment Compliance Remediation Determine patch level of a server Identify patching needs Download and install patches Develop compliance checks for Security Guidelines Analyze servers for compliance Report server deviations to enterprise security standards Develop automated remediation scripts to address compliance findings Operations enables Content Development Continuously develop compliance and remediation content Sustainment Update BladeLogic patch repository Manage automated reports Address user incidents Sustain BladeLogic system software, configuration, and architecture PMO Engage user community Manage logistics and reporting 7

8 Content - Development Federal Operations: Content Development Approach: Gap Analysis Baseline Content Develop & Deploy Content Sustain Platform Identify gaps in existing content against Security Requirements Document gaps and implement change control for content Develop content for each operating environment Maintain content and address incidents reported by enterprise users End Product(s): Component Template & Remediation Packages (one set for each operating environment) 8

9 Content - Testing and Release A structured approach has been established for developing and testing Federal enterprise compliance content Federal Operating Environments Red Hat Linux 5 Windows 2012 DC Windows 2012 MS Windows 2008 R2 DC Windows 2008 R2 MS Windows 2008 DC Windows 2008 MS Windows 2003 DC Windows 2003 MS Solaris 10 SPARC Solaris 10 x86 HP-UX HP-UX Solaris 9 Red Hat Linux 6 SUSE Linux 9 SUSE Linux x86 Oracle 11 MS SQL Server 2005 Development and Testing Approach Conduct User Acceptance Test (UAT) virtually with Agency Develop and Test Compliance Content to latest Security Brief Agency Leadership and obtain approval for Enterprise Readiness Announce and roll-out content to community Visit Agency site and conduct UAT 9 *IAVMs

10 The Federal Agency is realizing measurable benefit in performing its scanning Security requirements, inventory configurations, and change tracking activities Task Before BladeLogic With BladeLogic Scan server for Security Audit 20 minutes 3 minutes Security Analysis using Gold Disk (Security vs. Actual and Remediate back to compliance) per server 3 days (without rollback or audit trail) 10 minutes (with rollback and audit trail) Security Analysis using Gold Disk for 100 Servers. 300 days 2 days Server Inventory/Config/ Remediate 15 days 15 minutes Change Tracking/Server Drift Tracking N/A Continuous/Automated Documentation (exceptions/changes) Limited if done Automatic real time reporting 10

11 Copyright 2012 Deloitte Development LLC. All rights reserved. This publication contains general information only, and none of the member firms of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collective, the Deloitte Network ) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication. As used in this document, Deloitte means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Member of Deloitte Touche Tohmatsu Limited