SummaryAmenaza SecurITree is a piece of modeling software that facilitates credible risk modeling in a true quantitative environment. While modeling software is not generally thought of as a security tool, there is no doubt that this one is exactly that. In fact, this is really an analysis tool in the sense that we use it to model the risks that could impact our network.
Since I define risk as the probability that a threat against a vulnerability will result in an impact, this software suits me well as a planning tool that lets me think about risks present in an enterprise in terms of threats, vulnerabilities and impacts. Amenaza thinks about risk slightly differently, but not much. Amenaza views risk as incident probability times incident impact. Without going into the mathematical analysis of these two approaches, I can say that they are very similar - similar enough to treat the same.
So, where does SecurITree fit into the risk modeling paradigm? Simply, the tool allows a security professional to create an attack tree customized for a particular enterprise with custom weightings that can predict where attacks are more or less likely to succeed and why.
An example of a proactive use is creating a fully weighted attack tree and pruning one or more branches, both in the model and in the enterprise. The point of this approach is that pruning a branch in the right place on the tree has the effect of shortstopping a successful attack. In short, one is eliminating a vulnerability. Then, by eliminating the same vulnerability in the enterprise, a successful attack is precluded.
SecurITree is an excellent way to address risk proactively and with a level of abstraction that is useful. For that it gets our vote as one of the top 20. Anything that can make risk management easier and more effective likely will get our vote every time.