BladeLogic
Software-as-a-Service (SaaS) Solution
Help reduce operating cost, improve security compliance, strengthen cybersecurity posture
• The Configuration Security Compliance Challenge
• Federal Agency Case Study
Copyright © 2014 Deloitte Development LLC. All rights reserved.
Today’s ever-changing cyber threat landscape requires organizations to effectively maintain secure standard configurations and continuous awareness
Source: Verizon 2013 Data Breach Investigations Report
Why important – “66% of the breaches in our 2013 report took months or even years to discover …”
Source: SANS Critical Controls for Effective Cyber Defense
Three of the “First Five” quick wins identified by SANS Critical Controls for Effective Cyber Defense deal with secure standard configurations and timely patching of application and system vulnerabilities
(2) secure standard configurations
(3) application security patch installation within 48 hours
(4) system security patch installation within 48 hours
Source: NSS Labs
System and application vulnerabilities still remain a primary cyber threat exploitation risk for most organizations
Maintaining standard secure configured and patched servers in a timely and effective manner remains a serious challenge for most large, complex organizations
Configuration management
• Inconsistent configurations subvert operational effectiveness
• Difficult to track and trend changes across the enterprise
• Network-wide changes are labor-intensive and error-prone
Security compliance auditing
• Inconsistent results due to individual interpretation
• Out of date because of constant change
• Inconsistent implementation of audits
• Incomplete audits (often to save time)
Security compliance remediation
• No way to verify success
• No way to back out changes
Security compliance reporting
• No trust in data
• Must be keyed in by hand
• Out of date
• No enterprise view of risk
Labor-intensive processes and locally implemented tools do not achieve timely, effective end-to-end risk management
Volume
Managing large volumes of security requirements and configuration data
Manual
Labor-intensive custom-scripting to support scanning and review of compliance data within large server environments
Partial
Lack of integrated tool suite covering full set of secure configuration and patching requirements
Federal is required to deal with a highly diverse and complicated set of security requirements to maintain secure systems
Overview
Provides processing capability, systems management, communications and storage in support of Department of Defense services, agencies, and combatant commands
• Secure facilities strategically located throughout the world
• Support millions of users with petabytes of storage
Transitioning from a traditional software implementation and sustainment model to a service provider delivered enterprise SaaS operating model
• Reduce operating cost
• Increase operational efficiency
• Improve customer access to a simple, flexible utility pricing
• Improve security compliance consistency across its Computing and Data centers
Security challenges
• Transparency of server security configurations
  ‒ Windows Server (32 and 64 bit)
  ‒ RED HAT Linux
  ‒ SUSE Linux (x86, x86_64, s390x and s390)
  ‒ HP-UX
  ‒ Sun Solaris
  ‒ Solaris on INTEL X86
• Auditing against stringent security controls – over 11,000 Security Requirements compliance rules for servers alone
• Enterprise-wide visibility of security posture
• Inventory lifecycle control of tens of thousands of servers
• Long discovery, incident response, and compliance reporting times
Federal Agency Services and Operations - Overview
Content Development
• Continuously develop compliance and remediation content
Sustainment
• Update BladeLogic patch repository
• Manage automated reports
• Address user incidents
• Sustain BladeLogic system software, configuration, and architecture
PMO
• Engage user community
• Manage logistics and reporting
Enterprise Services enables Operations
Patch Analysis and Deployment
• Determine patch level of a server
• Identify patching needs
• Download and install patches
Compliance
• Develop compliance checks for Security Guidelines
• Analyze servers for compliance
• Report server deviations to enterprise security standards
Remediation
• Develop automated remediation scripts to address compliance findings
Content - Development
Identify gaps in existing content against Security Requirements
Gap Analysis
Baseline Content
Sustain Platform
Develop & Deploy Content
Federal Operations: Content Development
Approach:
Document gaps and implement change control for content
Develop content for each operating environment
Maintain content and address incidents reported by enterprise users
End Product(s):
Component Template & Remediation Packages (one set for each operating environment)
A structured approach has been established for developing and testing Federal enterprise compliance content
Content - Testing and Release
Develop and Test Compliance Content to latest Security
Visit Agency site and conduct UAT
Conduct User Acceptance Test (UAT) virtually with Agency
Brief Agency Leadership and obtain approval for Enterprise Readiness
Announce and roll-out content to community
Development and Testing Approach
Federal Operating Environments
Red Hat Linux 5
Windows 2012 DC
Windows 2012 MS
Windows 2008 R2 DC
Windows 2008 R2 MS
Windows 2008 DC
Windows 2008 MS
Windows 2003 DC
Windows 2003 MS
Solaris 10 SPARC
Solaris 10 x86
HP-UX 11.23
HP-UX 11.31
Solaris 9
Red Hat Linux 6
SUSE Linux 9
SUSE Linux x86
Oracle 11
MS SQL Server 2005
The Federal Agency is realizing measurable benefit in performing its scanning Security requirements, inventory configurations, and change tracking activities

Task | Before BladeLogic | With BladeLogic
Scan server for Security Audit | 20 minutes | 3 minutes
Security Analysis using Gold Disk (Security vs. Actual and Remediate back to compliance) per server | 3 days (without rollback or audit trail) | 10 minutes (with rollback and audit trail)
Security Analysis using Gold Disk for 100 Servers. | 300 days | 2 days
Server Inventory/Config/ Remediate | 15 days | 15 minutes
Change Tracking/Server Drift Tracking | N/A | Continuous/Automated
Copyright © 2012 Deloitte Development LLC. All rights reserved.
This publication contains general information only, and none of the member firms of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collective, the “Deloitte Network”) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication.
As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright © 2014 Deloitte Development LLC. All rights reserved.