
IT risk assessment: Using security resource planning products to improve

Enterprise risk management is a delicate balancing act. A look at three "security resource planning" products that seek to bring order to the process.

Infosec professionals love to talk about risk.

It defines our profession. But we often speak of risk as if it's some omniscient entity to which we must pay tribute.


How about we just get over it? We grapple with risk all the time. We create computing infrastructures in the most hostile environments, driven at breakneck speeds. All while obeying regulatory stop signs.

Balancing risk and security and functionality and efficiency and budget is a big, complicated task. Most IT security pros use a "divide and conquer" strategy: compartmentalize risk into logical categories, then throw security products and loosely defined "best practices" at identified weaknesses.

While this approach addresses risk, it doesn't address RISK. That is to say, it identifies and responds to risk factors on narrowly defined levels--application, network, human, regulatory, etc.--but it ignores how the pieces add up to an enterprise-scale "risk ecosystem."

Tackling this problem head-on is an emerging class of "security resource planning" (SRP) solutions. In a nutshell, SRP solutions mix custom-built proprietary software and managed security services to automate the management and application of the information that defines an organization's constantly changing security posture. Security experts always talk about security as a process, not a product.

SRP solutions adopt that philosophy as an operational imperative. We reviewed three SRP offerings and how they help organizations address the process of enterprise risk management:

Archer Technologies' Security2003, a software solution and "knowledge portal" that helps organizations establish a security framework by defining global values and content modules.

TruSecure's Security Assurance Service, a by-the-numbers methodology for assessing and strengthening an organization's security posture through a hosted application and service.1

Xacta's Commerce Trust, a software and services framework for building security project by project and task by task.

SRP improves enterprise security by effectively merging external threat and vulnerability data (vulnerability alerts, patch advisories) with updated information about internal security posture (policies, asset inventories, audit reports, etc.). While Archer, TruSecure and Xacta aren't the only options on the market, they each offer a comprehensive approach that sets them apart.

Getting Practical
Practical enterprise risk management involves managing exposures associated with the people, places and things in an enterprise. These exposures may surface through system audits or perhaps through the need for regulatory compliance.

At its core, risk management comprises the following functions:

  • Determining the applicable risk levels associated with enterprise resources. This function involves qualifying or quantifying the value of a resource to the enterprise to identify "hot spots" and prioritize the defensive posture.
  • Applying the control requirements of government regulations, industry best practices and/or enterprise policies to an organization's resources, defining high-level rules and guidelines down to specific steps that can be implemented in a computing environment.
  • Identifying and remediating or mitigating vulnerabilities associated with an enterprise's resources. This function includes applying controls over potentially vulnerable points in an environment.

A robust SRP solution provides an organization with the management framework and automated tools required to retain information about the work being done. The framework helps the organization manage ongoing processes, improving overall enterprise security and potentially saving time and money.

The challenge for SRP solutions lies in the complexity of interrelated systems that must be evaluated and controlled with limited security resources.

Think of a large global enterprise: You need to consider both the physical security of mission-critical servers and the logical security constraints of supporting the receiving, manufacturing and finance departments, with users spread out over multiple sites. Those same servers, in turn, may be linked to the accounting system, which includes multiple databases and servers at other locations. Attacks may come from the geographic locations (physical), people (social engineering, malicious disgruntled employees) and any of the system architecture layers.

Regulations compound the challenge of risk management, particularly in sectors like finance and health care. For example, HIPAA requires unique user identification. This seems like a reasonable, straightforward request. However, when applied to computer systems, this requirement could spawn all sorts of discussions: Should IP addresses be mapped to operating system, database or other application accounts? Should functional activities like faxing or printing documents be included in this requirement?

The solutions chosen for this review won't solve these kinds of problems by themselves. But each, in its own way, presents an SRP framework to streamline and, to some degree, automate risk reduction and mitigation. They vary significantly in overall approach and have a wide variety of features and capabilities that make any comparison among them difficult.

Nevertheless, we were able to compare them on the basis of several fundamental criteria, from asset management and vulnerability remediation to risk measurement and task management. Further, each addresses at least the three key functions identified above: determining risk levels, applying regulations/policies to resources and remediating vulnerabilities.

Archer Technologies' portal approach stresses organization of and ready access to security information. The home page, for example, allows a security practitioner to view the latest vulnerabilities, security policies, baseline information for various systems, incident response information (procedures, reports, questions) and the security posture of various assets.

Archer Technologies
Solution: Security2003
Founded: 2000
Number of Employees: 21
Headquarters: Overland Park, Kan.
Customers: 27 companies, including EDS, Lehman Brothers, Credit Suisse First Boston, Wells Fargo, DST Systems and UMB Bank

To Archer Technologies, knowledge is power. Its portal model offers access to any and all security information--regulations, policies, public vulnerability announcements, news feeds, etc.--in a single place. Even better, it allows security departments to classify and categorize the data, so that it can be integrated into the work environment.

Archer's Security2003 framework and import capabilities are perfect for organizations that have done a lot of security groundwork and are looking for a way to more effectively manage the information. Archer excels at creating relationships among the various sources of public and enterprise data available for applying controls and managing risk. Its "information at your fingertips" paradigm contrasts with the more typical "find and fix vulnerabilities" approach of TruSecure and Xacta.

Archer's portal features "My Yahoo"-like controls that help determine what information--such as security news feeds, new vulnerability announcements and custom work queues--will appear on your home page. The portal concept should be extremely valuable to enterprises with large security teams.

Archer excels at knowledge management. Out of the box, the database incorporates HIPAA, GLBA and ISO 17799/BS 7799, Basel Accord, Federal Financial Institutions Examining Council (FFIEC) and Information Security Forum (ISF) standards. In addition, it can manage imported content from any provider.

Archer provides its own daily summary of vulnerabilities and accepts feeds from Symantec's SecurityFocus and TruSecure's IntelliShield (from an agreement with Vigilinx, which was acquired by TruSecure in February). This reliance on information supplied by competitors could prove a potential liability, should either provider decide to pull the plug.

The final pieces of the content puzzle are sets of predefined control requirements for each of the regulations and standards described above, and baseline standards for many technical platforms, such as Microsoft operating systems, Oracle databases and Apache Web servers.

Security2003 allows organizations to establish a security framework by defining global values and content modules in its Knowledge Center. Careful attention must be paid to this setup, because everything else flows from here.

Global values are standing data that will be applied to enterprise resources. These might include risk classification (e.g., high, medium and low); data ownership categories (e.g., by department or title); and control types (e.g., for confidentiality, integrity or availability). Content modules may include assets, baselines, control standards, external feeds for news and public vulnerabilities, etc.

Once these values are set, an enterprise may follow a number of different paths. One common approach is to use Archer's policy management capabilities to import policies, classify them as appropriate, and link them to baselines, control standards and regulations. Another approach is to import asset information and begin a risk assessment with a questionnaire customized in the Risk Management module.

Archer doesn't ship with tools for asset discovery and vulnerability assessment. Instead, it imports log information from mapping tools such as Nmap and VA scanners in standard formats such as ASCII and comma-separated values (CSV). The imported information can then be applied to the appropriate asset based on an IP address or name.

The Asset Module displays all the information associated with a particular resource, including specific vulnerabilities. Each asset has its own "Vulnerabilities Scorecard" and "Baselines Scorecard" to highlight incomplete work in progress. This is very good as far as it goes, but there's no overall "dashboard" view that shows comparative risks across the environment or aggregates specific vulnerability information based on various platforms. There's no way to drill down for more information about a particular asset. Overall platform trending is difficult, though Archer plans to add a "statistics" search capability in its next release.
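The import-and-match step described above, together with the cross-platform roll-up the review finds missing, can be sketched as follows. This is an added example, not Archer's code: the CSV column names, the asset inventory and the findings are all constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample data; the column names are assumptions for this example.
ASSETS_CSV = """name,ip,platform,risk_class
fin-db01,10.1.4.20,Oracle,high
web-ext01,192.0.2.15,Apache,medium
hr-fs02,10.1.7.31,Windows,low
"""

FINDINGS_CSV = """target,finding,severity
10.1.4.20,Default listener password,high
WEB-EXT01,Directory listing enabled,medium
192.0.2.15,Outdated server version,high
10.9.9.9,Anonymous FTP enabled,medium
"""


def load_assets(text):
    """Index the asset inventory by IP address and by lower-cased name."""
    by_key = {}
    for row in csv.DictReader(io.StringIO(text)):
        by_key[row["ip"].strip()] = row
        by_key[row["name"].strip().lower()] = row
    return by_key


def attach_findings(assets_by_key, text):
    """Attach each finding to its asset; return (scorecards, unmatched)."""
    scorecards = defaultdict(list)
    unmatched = []
    for row in csv.DictReader(io.StringIO(text)):
        target = row["target"].strip()
        asset = assets_by_key.get(target) or assets_by_key.get(target.lower())
        if asset is None:
            # A scanned host missing from the inventory is itself a finding.
            unmatched.append(row)
            continue
        scorecards[asset["name"]].append(row)
    return dict(scorecards), unmatched


def platform_rollup(assets_by_key, scorecards):
    """Count findings per (platform, severity) across all assets."""
    platform_of = {a["name"]: a["platform"] for a in assets_by_key.values()}
    rollup = Counter()
    for name, findings in scorecards.items():
        for f in findings:
            rollup[(platform_of[name], f["severity"])] += 1
    return rollup


if __name__ == "__main__":
    assets = load_assets(ASSETS_CSV)
    cards, orphans = attach_findings(assets, FINDINGS_CSV)
    for name, findings in sorted(cards.items()):
        print(name, [f["finding"] for f in findings])
    print("not in inventory:", [o["target"] for o in orphans])
    print(dict(platform_rollup(assets, cards)))
```

Targets that match neither an IP address nor a name are returned separately rather than dropped, since a scanned host absent from the inventory is an asset-management gap in its own right.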

Archer's solution will be of greatest value to large organizations with strong security departments and plenty of information that needs to be captured, categorized and integrated into the department. Organizations that are confident in their processes will find ways to leverage Security2003 to create significant value. Smaller companies that are a bit more tentative may find the solution overwhelming.

TruSecure's Security Assurance Service is rooted in a methodology that establishes "essential practices," a foundation level of security through specific, achievable safeguards or control recommendations. Customers' security is regularly measured against these practices using a Web-based security management console to track their progress.

Solution: Security Assurance Service
Founded: 1989
Number of Employees: 250
Headquarters: Herndon, Va., with operations in North America, Central America, Europe and Asia-Pacific
Customers: About 500 customers, including Discover, Lexis-Nexis, Fiserv, ExoStar, First American Credco, Moen, e-Travel and CUNA Mutual

TruSecure's turnkey approach to managing risk requires full acceptance of the TruSecure methodology for strongest impact. While the other products have flexibility, TruSecure's Security Assurance Service (SAS) requires a religious conversion.

This missionary approach sets TruSecure apart from Archer and Xacta, which tend to give enterprises the tools to build their own risk management frameworks. And unlike security consultants, who often perform annual evaluations, TruSecure stays with the customer as a managed service--complete with hosted software--to implement their recommendations. The client organization does the work, with TruSecure consultants providing expert assistance. Working with TruSecure is like engaging one of the Big 4 to "continuously" improve an organization's security posture.

TruSecure's method is grounded in developing strong overall enterprise security, rather than a "check box" approach that tends to be narrowly tactical. By following TruSecure's methodology, you receive certification, which is the TruSecure way of saying "good job."

The process is a cycle of work and reports that follow a fairly typical process for consultants:

  • Perimeter discovery. Using Nmap and some proprietary discovery tools, TruSecure identifies network attack points in the form of IP addresses and services that are accessible outside the firewall.
  • Perimeter risk assessment. TruSecure conducts a quarterly vulnerability scan that identifies specific weaknesses, using automated tools like Nessus and Kismet, and hands-on evaluation of vulnerabilities.
  • Desktop risk assessment. Analysts look at things like screen savers, antivirus and modem settings for security issues, proper configuration and currency.
  • Internal risk assessment. TruSecure conducts on-site visits, policy evaluation and runs a number of vulnerability scanners inside the firewall.

TruSecure employs a set of "secret sauce" algorithms to score the assets and determine risk in each of five areas. The criticality score measures all assets' importance to the business (e.g., a database server with a large number of users vs. a server running FTP with a single user). The historically broken score measures a platform's likelihood of exploit based on known vulnerabilities. The unusual use score accounts for unique architectures, such as a desktop being used as a database server. The time- and data-sensitivity scores evaluate the significance of availability and value of data, respectively.

TruSecure won't reveal how it calculates these scores, nor does it publish any kind of scale that can be used as a relative measure between enterprises. That's unfortunate. The scores would be much more useful if there were a way to compare the information within industries or with peer groups.

SAS maps all of its findings against its universe of 80 essential practices, which are satisfied by various combinations of more than 136 different controls. TruSecure has a proven process, but keeps the actual elements themselves secret, and we have to wonder what all the fuss is about.

This secrecy seems a bit silly. The real value of the SAS framework isn't in the elements themselves--security principles are a dime a dozen--as much as it is the structured approach and detailed reporting that is provided to enterprises. TruSecure's regimented, repeatable process is the real strength of its methodology.

Once TruSecure completes its risk assessment, it sets remediation and control tasks. SAS doesn't customize vulnerability feeds, but rather sends out alerts and advisories as necessary to highlight general security problems or challenge hype. This is changing, however, with TruSecure's recent acquisition of Vigilinx and its IntelliShield service. Now, vulnerability alerts can be tailored to each customer.

The TruSecure framework is particularly valuable for two classes of enterprises--those that lack a strong security program and are looking for a proven way to ramp up; and those looking for a "second opinion" to evaluate their own security management program. However, companies with their own strong risk and controls program may feel like they are reinventing the wheel.

Xacta's Commerce Trust dashboard, called "My Home," provides management with a real-time, system-by-system view of compliance, risk and project status. It allows users to receive alerts, execute tasks and drill down to risk element detail.

Solution: Commerce Trust
Founded: 2000
Number of Employees: 110
Headquarters: Ashburn, Va., with offices in Washington, D.C., and Shrewsbury, N.J.
Customers: 20 customers, including Wright Patman Congressional Federal Credit Union and Montgomery County Teachers Federal Credit Union.

Xacta's Commerce Trust takes a project-oriented approach, allowing an organization to manage multiple security projects. Commerce Trust is most useful in an environment where specific projects are completed and require backup and support documentation.

Commerce Trust focuses on process and deliverables--an auditor would feel very comfortable working within the Xacta framework. The Commerce Trust Site is the root of the logical organization, with content and templates that can be reused within a "Project," the high-order entity used for data collection and analysis.

Projects can be defined in many ways--for example, addressing a specific platform, such as Web application security; or department function, such as HR systems. The next level contains Tasks and Process Steps, which are document sections complete with templates for free-form paragraphs and placeholders for audit results. These templates are of great value to consultants and auditors who must produce written deliverables.

Unlike Archer's Security2003, Commerce Trust has no universe of global values to work from. Instead, things like regulations, test procedures and document templates can be copied into a specific project and then modified to fit the need. This provides a very functional task orientation, but there's a risk of redundant work because each project is an entity unto itself.

Perhaps Commerce Trust's most impressive attribute is its database of more than 170 policies, procedures and regulations that can be applied to individual projects. This is a comprehensive list, primarily associated with the U.S. government, covering topics like the Army's SIPRNET Policy, the GSA's IT Security Policy, the Department of Defense's Directive on Information Assurance, as well as the more commonly applied HIPAA, GLBA and ISO 17799. Xacta began with the government in mind and is clearly strong in that market.

Commerce Trust users assign roles for submitting, reviewing and approving actions correlating to the task section, where specific tasks are defined and progress reports can be viewed. Users can view project and task status, alerts and so on, through a personalized dashboard.

Commerce Trust can collect system information automatically through its integrated VA scanner (adapted from the open-source Nessus tool) or from enterprise management solutions from Tivoli or Computer Associates. In addition, it can import data from various sources via XML.

Xacta provides support through its portal for clients, where security analysts assist with security advice and tech support engineers solve any application problems. The portal includes a chat function and user forum so that people can share ideas and issues. Like Archer, Xacta also has its own vulnerability notification service.

Commerce Trust uses a straightforward folder model for managing information. It will feel very familiar to any IT auditor who is used to slicing and dicing the environment to assess the security of a particular subset of the whole. Navigation is similar to its folder metaphor, but be forewarned that clicking on the folder, the title or the properties of a particular line item pops up a different screen, such as definitions, details or another hierarchical list. It takes a little getting used to.

What's Missing?
The measurement of risk today is still primarily at the "know-it-when-I-see-it" stage. We'd like to see more robust features that quantify risk by matching the value of the assets with the associated threats.

Enterprises are always going to take risks, and they should deploy security solutions like firewalls and VPNs where they'll be of most value. The concept of protection from sources other than a remediated vulnerability is somewhat vague in these solutions. Building in some decision analysis around when and where to deploy security would be of significant value in designing an enterprise security architecture.

Each of these solutions takes a different approach to reducing enterprise risk. Ultimately, though, they share in some way the ability to link the various aspects of a security program to enhance efficiency and effectiveness in security processes. As these solutions grow, security management is poised to move from art to science.

1 As of July 2003, TruSecure published Information Security.

Pete Lindstrom is research director for Spire Security and a member of Information Security's editorial advisory board.

This was last published in July 2003
