BMC Helix Cloud Security Benefits

VL
Managing Director at VVL Systems

One of the pieces that is very difficult to track is elasticity and dynamics, especially when you are doing DevSecOps with multiple build pipelines in the cloud environment, or against the cloud environment, since you have a development, test/QA, and production environment. What BMC Helix has allowed us to do, especially with cloud security and cloud costs, is to unify the visibility into a single source of truth. What it has facilitated is also the skills gap and being entrenched in the native cloud providers' portals and having to understand how to navigate them, how to deal with those resources, and having to understand the idiosyncrasies between each of them because they have similar capabilities but with different terminologies, architecture, methodologies, and best practices.

What BMC Helix allows you to do is very easily bring that information back to be analyzed and make informed decisions on it. That simplification of IT governance is one that gives a huge value out of BMC Helix. Now, we're talking specifically about our cloud security. This is a very challenging aspect because you're always bumping between agility, control, and rigidity. So, cloud security allows you to understand, measure, and take proactive actions for critical vulnerabilities without getting in the way of the day-to-day cloud operations.

One of the big things is being able to measure the effectiveness of your corporate policy against the reality of day-to-day changes. Take a very simple thing that we see all the time when we deal with customers. They have a policy on paper, which is defined. They may be very well-matured from a cloud expertise perspective, but they're dealing with hundreds, if not thousands, of accounts sometimes within just one cloud provider. When we connect BMC Helix to their environment, it's always surprising to them how there's always an S3 bucket that has the wrong information. There might be an IAM role or credential that hasn't been enrolled within a certain period of time, which is hard to detect. It's the scenario of the needle in the haystack, especially at scale.

Even for organizations that are very rigid and mature in their deployment methodologies, there are so many resources and configurations within each cloud environment that it is impossible for humans to track. That is where automation comes into play. BMC Helix helps to bring that into AI with very intelligent mechanisms, predictably telling you what's wrong or how to be better.

With the Discovery portion of Helix, it is so incredible to be able to highlight the relationships between services that are very hard to detect. Anybody who has worked with AWS, Microsoft Azure, or GCP knows how intricate the relationships between services can be. A VPC has many relationships to subnets or route tables. You may have relationships to VPN gateways or IGWs with so many intricate dependencies that it is hard for one to document and understand those dependencies. Also, from a risk perspective, I find a lot of financial institutions who use the BMC Discovery capability out of Helix for security baselining to determine when a baseline has changed outside of a change control mechanism and detect an insider threat as well as a deviation from policy.

In theory and practice, compliance and security vulnerability management is typically a human labor-intensive activity. It's also a repetitive activity. So, the solution has increased productivity by reducing repetitive or tedious tasks related to security. Measuring those metrics is very customer dependent based on the maturity of how they audit, measure compliance, and their vulnerability controls. I have seen environments where vulnerability and compliance security audits are done orderly in massive spreadsheets, and they never get out of that cycle. There is continuous InfoSec to operations going back and forth because there is detection, then there is remediation.

I have also seen scenarios where certain vulnerabilities or configuration controls violate a certain regulatory control. These may take weeks, if not months, to remediate at scale. With automation, leveraging BMC Helix to remediate or do cloud security, once a detection of a vulnerability security is performed and identified as something that should not exist (meaning there are no waivers nor an exception process), the remediation is done in minutes. That is the benefit of this platform. 

It doesn't remediate everything. There are a lot of vulnerability controls that are manual controls. There is a large portion (80:20) between what can be remediated through automation versus manual controls, such as physical security. Those now can be addressed by automation using BMC Helix Cloud Security and BMC Helix Remediate, which is another module capability within the Helix platform. These allow you to use automation to remediate within minutes.

For example, a customer of ours that is highly regulated in the healthcare space has quarterly audits. If they find vulnerabilities or controls that are not mitigated, which are open findings, they can be fined starting at a million dollars, then going up, compiling the number of controls and vulnerability findings. They leverage Helix remediation for the reporting and remediation as well as the detection of regulatory controls. Before, there was a never-ending process of identification and remediation. Now, the identification has been shrunk down to below a couple of weeks for their multiple control environments. The remediation is now a fraction of what it was before. Remediation was a month-long effort with multiple bodies. Whereas now, they're able to do it within a couple of weeks with a limited amount of staff. So, that's the power of it.

Vulnerability management is one of the other big areas. Another customer of ours was doing patching parties, where they were trying to deal with vulnerabilities, and doing patching for 100 to 200 systems at a time. Moving to the automated mechanism that BMC provides, they were able to do thousands of systems for every patching exercise that they were doing. Thus, shrinking the vulnerability left for how long they have been open inside their environment.

JD
VP Cloud Operations at VVL Systems

We're aware of vulnerabilities far sooner than we were previously. The tool scans on-demand or at intervals and then notifies us of the issues and vulnerabilities that are present. That proactive feature of the tool has helped us be aware of any issues prior to their becoming a problem.

On a weekly basis, the tool saves us about five or six hours. The fact that it does the automatic scanning and provides a report of what's been scanned and what's wrong, and the auto-remediating of some of the vulnerabilities, are huge time savers for us.

Helix Cloud Security has made governance easier by centralizing it. The fact that it's multi-cloud, and you don't have to log into different cloud providers, is an advantage. We're at two providers right now, Azure and AWS, and it's easy to come to one place, instead of logging into both at the same time, and get a holistic, 50,000-foot view. It enables us to cover both cloud providers and manage, understand, and govern all of our assets in the cloud.

In terms of productivity, the continuous scanning at the selected intervals and the reduction of false-positive vulnerabilities are helpful, based on the out-of-the-box policies. As a result, we're able to understand what vulnerabilities are really out there. And once something is remediated, it's remediated, unless a user makes a change to revert that vulnerability. That saves time because there isn't any repetitive work. That vulnerability is not going to come back the next day.

The automated remediation has decreased our mean time to repair by about 20 percent.
And the solution has also helped to eliminate or reduce the cost and complexity of writing, debugging, and maintaining remediation scripts. The remediation within the tool is there. You do have to configure it, but it gives you the means to get started.

Buyer's Guide
BMC Helix Cloud Security
May 2024