Just when you thought security software was getting simpler, along comes security risk management, a genre of tools whose purpose is to provide CSOs with a Star Trek-like dashboard view of information security vulnerabilities and incidents across the enterprise. The idea is not only to oversee the minutiae but also to manage the enterprise’s level of risk in a holistic manner. Well, that’s the goal anyway. Bent under the weight of terms like vulnerability, compliance, configuration management and security event monitoring, security risk management is still sorting itself out, says Mike Rasmussen, director of research in information security for Giga Information Group. “If only the vendors would stop misusing the terms risk, vulnerability and threat, it would be much easier to understand,” he says.

In the vulnerability and configuration management space is Archer Technologies’ Security2002, which collects information on network vulnerabilities, baseline configurations and control standards, and distributes it to system administrators. A nice feature of Security2002 is its built-in feed on the latest threats, which may reduce the need for subscriptions to services like BugTraq. Going one step further, Cogentric’s Alcon gives prioritized remediation plans for security incidents. It also gives on-demand views of vulnerability, incident and risk ratings; continuous, prioritized updates on security vulnerabilities and threats; access to the information for all stakeholders; and historical threat information, complete with time- and event-based comparisons. So if you run an Oracle system and a new Oracle security threat is found, Alcon will tell you about the threat, compare it to past threats, indicate which systems to protect and how, and say whether the threat is a top priority. Qinetiq Trusted Information Management is another vendor playing in this sandbox (ignore the cute spelling and pronounce it “kinetic”).
Xacta’s Web C&A product provides another variation on the theme, helping users make their systems compliant with government and industry security certifications. According to Xacta, Web C&A guides users through a step-by-step process to determine risk posture and to assess system and network configuration compliance with applicable regulations, standards and industry best practices. Those include the Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP), the National Information Assurance Certification and Accreditation Process (NIACAP) and the Director of Central Intelligence Directive, as well as the requirements of the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act (better known as HIPAA and GLB, respectively). Xacta’s Commerce Trust product assesses systems and keeps administrators up to date on vulnerabilities that affect certification compliance.

Ideally, security risk management tools will do all of the above in one tidy package. Steve Katz says this is exactly the type of product he needed in his former CISO positions at Citigroup and Merrill Lynch; he has since left the practitioner’s chair and put out a shingle at Security Risk Solutions, where he consults to Qinetiq and other players in this developing market. Right now vendors are offering pieces of the pie, but no one has the entire equation down yet, Rasmussen says. “It all needs to merge and create a single product with every aspect of strong security risk management,” he says. That day may not be far off: Rasmussen points to the recent partnership of eSecurity and SecurityFocus as emblematic of the field’s ongoing consolidation.