BMC Helix Cloud Security Review

Auto-remediate takes care of a vulnerability when it's scanned, allowing us to focus on other things


What is our primary use case?

The biggest use case is for our customers who want to be proactive and not have any kind of vulnerabilities. Instead of being reactive, they want to understand where their vulnerabilities are, whether their cloud space is Azure, AWS, or Google. They want to understand and remediate those vulnerabilities before they get bigger than they really should be. 

For example, we are working with a client that is trying to be proactive. They said they don't want to be on the front page of a newspaper, and they're quite big in AWS. They wanted to check out the tool and they're doing a trial. It's meeting all their needs.

Essentially, all use cases, with regard to security, involve clients wanting to understand and get that 50,000-foot view of what their vulnerabilities are. They also want the ability to remediate inside the tool instead of having to understand what's going on and then have to go to each server and remediate the vulnerabilities.

How has it helped my organization?

We're aware of vulnerabilities far sooner than we were previously. The tool scans on-demand or at intervals and then notifies us of the issues and vulnerabilities that are present. That proactive feature of the tool has helped us be aware of any issues prior to their becoming a problem.

On a weekly basis the tool saves us about five or six hours. The fact that it does the automatic scanning and provides a report of what's been scanned and what's wrong, and the auto-remediating of some of the vulnerabilities, are huge time savers for us.

Helix Cloud Security has made governance easier by centralizing it. The fact that it's multi-cloud, and you don't have to log into different cloud providers, is an advantage. We're at two providers right now, Azure and AWS, and it's easy to come to one place, instead of logging into both at the time, and get a holistic, 50,000-foot view. It enables us to cover both cloud providers and manage, understand, and govern all of our assets in the cloud.

In terms of productivity, the continuous scanning at the selected intervals and the reduction of false-positive vulnerabilities are helpful, based on the out-of-the-box policies. As a result, we're able to understand what vulnerabilities are really out there. And once something is remediated, it's remediated, unless a user makes a change to revert that vulnerability. That saves time because there isn't any repetitive work. That vulnerability is not going to come back the next day.

The automated remediation has decreased our mean time to repair by about 20 percent.
And the solution has also helped to eliminate or reduce the cost and complexity of writing, debugging, and maintaining remediation scripts. The remediation within the tool is there. You do have to configure it, but it gives you the means to get started.

What is most valuable?

The cool feature of Helix Cloud Security is that you can do all that — understand and remediate issues — in one dashboard, based on the different policies that are available for security, out-of-the-box. The dashboard is very user-friendly. Being able to remediate in-tool is valuable. There are a lot of cloud tools out there that can tell you what your vulnerabilities are, but don't necessarily have the ability to remediate with a click of a button.

It's also multi-cloud. You can look at several cloud providers: AWS, Azure, or GCP. That's one of the best features. 

In addition, the solution's automated remediation of cloud IaaS and PaaS resource misconfigurations is one of the biggest things that we need to focus on, as far as public cloud goes. There are a lot of misconceptions out there within companies that are going into the cloud. They think that the cloud provider is responsible for that security piece. There's a misunderstanding of where that line is drawn for security. A lot of companies only understand, once they're in the cloud, that it's their responsibility to ensure the security of their resources. That is where this tool fits in perfectly. You can set it to auto-remediate. As soon as it identifies an issue or a vulnerability within your environment, if you've configured it to auto-remediate, it takes care of that vulnerability and saves that time so you can focus on other things as an organization. And if you don't want to auto-remediate, if you're testing something out, for example, you don't have to.

There's also an archive of the history with a list of all the resources in the cloud environment and how they're connected. It tracks any actions that have been taken on those resources over time. You can go back several months and see how the resources were connected and what they were connected to and any vulnerabilities that were remediated within the tool.

And it gives us the ability to control who can remediate something and where. You have to be an admin. A user or viewer cannot go in and configure remediation. That allows us to see who's doing what because, as I mentioned, there can be vulnerabilities that you don't want automatically remediated. That can be true not only for testing but it's possible that a vulnerability is not a true vulnerability for that environment; or the remediation could affect other users and needs to be planned instead of remediating right then and there.

What needs improvement?

An area for improvement is that we get a lot of questions about creating customized policies in the tool. You get several out-of-the-box policies that you can delete and upload, but I would like to see them improve the understanding of how to write those policies; maybe a Help wizard. There should be a clearer understanding of how to write security policies to scan against.

Also, we've had some issues with connectors. The connectors seem to have caused a little bit of trouble, perhaps with the APIs trying to scan the environment. The only time I've had to reach out to tech support was for that. It seems it may not have been scanning correctly or I wasn't seeing data within a specific time.

But we've set up a couple of connectors in the past couple of weeks and they actually scanned the AWS environment and we had data within about 10 minutes. It's working a lot faster and I think they're making improvements as they go.

We've also helped identify bugs here and there, which only makes the tool better.

For how long have I used the solution?

We've been using Helix Cloud Security for just under a year.

What do I think about the stability of the solution?

The stability has been perfect. I haven't had one downtime issue yet.

How are customer service and technical support?

Tech support is top-notch. They were very responsive and eager to help get the problem resolved.

Which solution did I use previously and why did I switch?

We didn't have a previous cloud solution. We had the responsibility ourselves. When we would set up an account or a resource in the cloud, we would go through what needed to be done to secure it. Having Helix Cloud Security saves us time it would take us to do that. We still have to do some setup of proper protocols, but when you attach this tool and scan your resources, it catches things you may have never seen: an open S3 bucket, or that the routing security groups to AWS are wide open. We know what we need to do, but sometimes that doesn't get transferred to the keyboard to do it. This tool is like that double-checker in the back of the room saying, "Hey, by the way, you forgot to do this." It really catches those potentially big vulnerabilities that may be detrimental to our organization.

We realized we needed a tool like this as we moved more to the cloud. More companies are going to the cloud and using the cloud on a more frequent basis. We all know that there are vulnerabilities out there that people would want to access and use to do things that shouldn't be done. So we needed to have a tool in place to be that "big brother" to catch the things that we didn't catch, or that we didn't do during the creation of the resources.

How was the initial setup?

The initial setup was a little complex at first because of the different moving parts. In hindsight, it's security and the vulnerabilities. It's similar, as a tool, to what we've used previously, but now it's in the cloud. Once you get to know your way around the tool, things start becoming second-nature. But the initial view feels like there's a lot of information in terms of understanding what is what and where it's located.

It's a SaaS tool so there's no deployment required. Once you get set up with BMC, you get an account, you log in, and you can start working right away to set up your connectors to scan your environment. It only takes a few minutes. It only takes one person to deploy it across an organization.

What was our ROI?

I don't have a number for how much we've saved or for return on investment, but there has been a return because of the time we've saved. We're not using man-hours to fix the vulnerabilities or search for them. That's where our biggest ROI is.

What's my experience with pricing, setup cost, and licensing?

The pricing is based on an annual subscription, upfront, and it's based on cloud assets. Whether your assets are in Azure and AWS combined, the tool tells you how many assets are being scanned and that's the number used for pricing.

The subscription model is good. It makes sense that you are paying for cloud assets. There are so many different types of resource assets, specifically with AWS, so that number can really grow. But at the same time it's telling you how many assets you have. You understand what you're paying for. The license is very simple. There's no gray zone or muddy water in understanding how the pricing and licensing work.

Which other solutions did I evaluate?

BMC was the first one that we started evaluating. We liked it so much that we stuck with it.

They provided a 14-day free trial for us. We had 14 days to connect to our information, scan it, and get familiar with the tool. It was a nice little treat to take it for a test drive around the block for 14 days.

What other advice do I have?

Don't be surprised if you see some things that you thought were secure that were not secure. You think you're 100 percent, or you think you're close, but when you get in there and scan...

Also, take it piece by piece and understand. It might be good to scan your resources using just one security policy to start. Don't jump in too deep. If you jump in too deep you get overwhelmed with all the different policies that are scanned and all the vulnerabilities. It's just easier to take it day-by-day. Learn one section of the tool and then promote yourself as you get better and better versed in the application.

It can be deployed on AWS, Azure, and BMC has its own cloud as well. We've done integrations with dev environments, production environments, and test environments. Customers can have several environments within AWS. If those environments are within one main account — as long as that account from the high level has been integrated with the tool — that account is scanned and monitored by Helix Cloud Security. We can scan and remediate any vulnerabilities within any environment within a cloud account.

We have just under 10 people using it. They are systems engineers, security engineers, an analyst, and management. They're all using it in different ways. There are the admins, the users, and the viewers — people who are just viewing the data. Management is able to see a 50,000-foot view of the vulnerabilities. We can notify them and send email reports of vulnerabilities on a daily basis, which helps them understand from a management perspective.

It's being used on a daily basis in our organization. It's integral to our operations. The tool scans to make sure our environments are secure. And if they're not, it's going to let us know what's not secure so that we can resolve it, or if it's set to auto-remediate, then we'll understand what the vulnerability was and that it has been fixed.

There's no maintenance, per se, as a SaaS product, but it does require making sure the connectors are running and that your scans are working and scanning on whatever basis you set them up to do, whether ad hoc or interval. There's also the need to create users. But if something is not working within the tool itself, that's really on the BMC side to handle. BMC owns that piece and would be responsible for any maintenance, upgrades, etc.

Using this solution is an eye-opener. It really is. We thought we had a pretty good handle on security. Colleagues I've talked to at other organizations have that same mentality: "Yeah, we're good. We do this, this and this and this." But when you connect it and take that free trial, it's like, "Wow, I didn't know that S3 bucket was open. I thought we were good there." Having that holistic view is the biggest eye-opener. You understand, from any of your connected cloud accounts, what your vulnerabilities are with it. We saw data within 10 minutes of connecting to our AWS account. When I say data, I mean that we saw our resources popping in there and showing if there were vulnerabilities. We were immediately seeing data regarding our cloud infrastructure.

I'd give it a nine out of 10. It provides a multi-cloud experience, it's easy to use, the dashboard is user-friendly, and you really can see what your environment looks like.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.