One of the difficulties in evaluating solutions in the nascent security resource planning market niche is selecting a representative sample of vendors. Identifying and addressing IT risk isn't a linear process, and for every step in the risk lifecycle, there are multiple solutions.
While the three providers examined in this article (Archer, TruSecure, Xacta) offer the most complete solutions for addressing the SRP process, several other IT and infosecurity vendors market products and services that target parts of the process on both technical and infrastructural levels.
Vulnerability assessment solutions identify vulnerabilities on specific platforms--operating systems, databases and applications. These solutions can probe for weaknesses from the network with no knowledge of the environment or with administrator privileges and full access to system information. They seek out exposures and weaknesses, both active and latent. But their strength is in identification, which is only half the battle.
Among others, Internet Security Systems, Symantec, NetIQ, Foundstone and Qualys provide traditional vulnerability assessment tools and services. These solutions identify vulnerabilities in various platforms, systems and applications. In some cases, they can also remediate vulnerabilities.
These solutions don't incorporate the concept of non-system vulnerabilities, such as unlocked data center doors or untrained administrators. While some VA solutions integrate workflow and task management processes, these capabilities typically are platform- or system-specific. Other companies, such as Latis Networks and Citadel Security, provide workflow and remediation capabilities, but they also don't incorporate the concept of non-system vulnerabilities.
Security management framework vendors like IBM/Tivoli and Computer Associates have broad frameworks to manage various components of a security architecture, including proprietary and third-party solutions. Each of these solutions has many distinct offerings in the security space, performing activities like identity management, access control and threat management.
A number of industry captains, including Big 4 accounting firms, global systems integrators and security consultancies like @stake and Guardent, provide numerous services to identify and remediate vulnerabilities. No doubt, they could create a one-off solution that meets our requirements. However, they don't have a recurring offering that's comparable across enterprises and focused not only on identifying vulnerabilities but on fixing them--and on managing the process in between.
Cisco Systems' SAFE Blueprint also fits in loosely with consulting companies, since it's more of an architectural approach. It provides best practice information on designing and implementing secure networks with Cisco products. This is typically a follow-up step to assessing and measuring risk, but doesn't provide insight into the value of the assets being protected or the process followed to remediate and mitigate vulnerabilities throughout the enterprise.
There are, undoubtedly, a number of other companies that have a story to tell here--for example, the area of risk assessment and quantification includes products like Risk Watch that specifically quantify the value of assets and provide a container for risk-related information. But, clearly, the smattering of approaches--and the lack of agreement in the vendor community about how to address the problem--shows that the security resource planning space has a lot of growing up to do.
Pete Lindstrom is research director for Spire Security and a member of Information Security's editorial advisory board.
This was first published in July 2003.