Information systems risk management is a very difficult proposition. First, risk is hard to quantify in a credible manner because in today’s complicated networks even defining information assets can be dicey. Once the assets are defined, valuing them and figuring out loss expectancies is more difficult yet. In short, the old ways of calculating risk are tedious and unreliable. That all may be ending with the emergence of a new class of risk management tool called security risk managers (SRM).
Red Seal Systems is a pioneer in introducing this type of tool and they deliver it as an appliance. The appliance is not exactly plug and play, but configuration actually is somewhat simpler than we expected. That said, once you start playing in this arena there are no really simple solutions. The problems simply have become too complex. If you plan to deploy an SRM, give yourself the time and resources to implement it fully and correctly. The alternative is yet another boat anchor that looked good on paper, but never really realized its potential.
A swing to shift management
Red Seal boasts that their product can allow you to benefit from risk management in minutes. What that means is that you can plug it in and turn it on. You’ll get some simplistic responses. But to realize the real power of this product you need to give serious thought to what you want it to use as a basis for risk calculation.
On the other hand, if you give this product its due, you will gain an extremely useful tool for identifying and managing risk. This product bases its risk calculations on a combination of threats and data flows. It begins by mapping the network, but not in a simplistic device-discovery mode. Instead, it examines data flows and determines where information moves within your enterprise.
The SRM automatically detects firewalls and routers and begins to gather data about them. This reveals misconfigurations, data flows and some other vulnerabilities. As it gathers an increasing amount of information about the network, its analysis becomes more finely tuned. The user can add additional information and, if the device is fully and appropriately populated with enterprise details, the SRM can calculate quantitative risk values, mitigation and patching strategies and a host of other useful, actionable factors.
The key benefit of the SRM is that it provides actionable information that engineers can use to improve security on the network and, in some cases, actually improve network efficiency.
The SRM natively supports several flavors of routers and switches, firewalls, patch management systems and vulnerability scanners. It can be configured to understand which applications are running in your environment, thus avoiding wasted analysis of vulnerabilities in applications that are not present.
Powerful analysis tool
A distinguishing characteristic of the SRM is its displays. It uses a combination of network topologies with overlaid risks, risk maps and reports to allow both rapid visual identification of threats and risks and detailed drill-down.
There is a lot to like about this product, but there also are pitfalls. As simple as it seems on the surface, to make it really dance you need to understand your enterprise and how risk management fits into your security plan. This is not the magic bullet that plugs into the enterprise and suddenly makes all risks go away. This is a very powerful analysis tool for savvy network administrators and security professionals.
Risk management is not trivial. Interestingly, C-level officers in many organizations do not view information systems risk management as important in the grand scheme of things. This is a case where the integration of information systems risk, along with other forms of risk that are more universally accepted as important, is the only way to "sell" IT risk management. SRM products can help you change that perception.
The approach of the SRM 3000 is to integrate risk management with threat and vulnerability management. Thus, the SRM 3000 becomes yet another tool to help make the IT and IT security functions more efficient by offering a risk-based view into the enterprise. In my opinion this is its most important and useful function. Highly recommended.
— Peter Stephenson
What it does:
The SRM 3000 is a security risk manager that provides views of threats, vulnerabilities and both qualitative and quantitative risks in a variety of formats and at a variety of levels of granularity, as well as suggesting risk mitigation strategies.