For many years security experts have expounded on the need to formulate security strategy based on solid policy and comprehensive risk assessment and analysis. Over the years we have looked at tools to do exactly that, but for a long time those tools were big, expensive and complicated to use. That all may be changing.
First, pricing for both of these product types is all over the map. The high end is what one would expect to pay for a good appliance; the low end can be under $1,000. So the floor has moved down significantly. Also, many of the products are delivered as SaaS. While that does not materially affect the list price in some cases, it does affect ease of use, and once administration, hardware and other lifecycle costs are figured in there is, in fact, usually a savings.
But the biggest improvement is accessibility. Most of the tools we looked at are not as arcane as those of earlier days. That is not to say that they are simplistic: there is every bit as much sophistication under the hood as we have seen in prior years, and in most cases a lot more. However, the user interfaces, the configuration and policy options and the overall functionality have improved greatly over time. In short, there now likely is something for just about anyone.
There is a traditional cycle in securing an enterprise. First, we evaluate the security needs of the organization. What kind of organization is it? How big is it? What kinds of data does it use and need to protect? Today, we also need to recognize that a small organization may be seen by attackers as low-hanging fruit. The old line, "I'm small... why would anyone want to break into my system?" no longer makes sense. Every organization with an internet-facing presence is a target whether it has anything worth stealing or not. At the very least it can be used as a pivot to attack other systems, or, as is currently common, as a launch pad for bots or a host for cryptocurrency miners.
So we need to take that into consideration as we evaluate the security needs of the enterprise. Next, we need to consider the enterprise's architecture. Is it distributed? International (or multinational)? Is administration centralized or decentralized? Is it virtualized? Does it rely heavily on cloud providers? Once we know those things we can begin to formulate policies.
Once we have policies we need to conduct testing. That means a combination of vulnerability and penetration testing to find exploitable vulnerabilities, followed by threat analysis, at the perimeter and inside it, to determine the risk posture of the organization. That means identifying assets and looking for weak points. It also means establishing patching sequences (which patches apply to which systems, and in what order) and assessing the patch status of every device as a starting baseline.
The final step is to put all of those pieces together to determine risk. Risk is a function of threats, vulnerabilities and countermeasures: it rises with the threats that can exploit a vulnerability and falls with the countermeasures that block them. Last is what we refer to as a closed loop. When you have policies and you know your risk, what steps can you take to remediate those risks, and how do you know that you have taken those steps effectively? The only way to know is to measure again, which means starting the whole cycle over. This cycle needs to repeat constantly and automatically, and the two product types we are examining this month, taken together, do exactly that.
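The cycle described above, carried through as an added illustration (this is not code from any product reviewed here): a small constructed asset inventory with a patch-status baseline, a risk score per asset that grows with exposure and missing patches and shrinks with countermeasures in place, and a closed loop that remediates the worst asset and then re-measures instead of assuming the fix worked. The scoring weights, the control-effectiveness figures and the inventory itself are assumptions chosen to make the cycle concrete, not figures from the page or from any standard.

```python
"""Closed-loop risk assessment over a constructed asset inventory.

Added illustration, not code from any product on the page. Every weight
and every asset below is an assumption made for the example.
"""
from dataclasses import dataclass, replace

# Threat likelihood by network exposure, 0..1 (assumed values).
EXPOSURE_LIKELIHOOD = {"internet": 0.9, "partner": 0.6, "internal": 0.3}

# How much each countermeasure reduces the chance of exploitation (assumed).
CONTROL_EFFECTIVENESS = {"waf": 0.4, "mfa": 0.5, "segmentation": 0.3, "edr": 0.4}

# No asset is treated as invulnerable: a fully patched host still carries
# unknown weaknesses, so the vulnerability score has a floor.
VULN_FLOOR = 0.1
VULN_PER_MISSING_PATCH_LEVEL = 0.25


@dataclass(frozen=True)
class Asset:
    name: str
    exposure: str          # "internet", "partner" or "internal"
    impact: float          # business impact if compromised, 0..1
    installed_patch: int   # patch level currently installed
    required_patch: int    # patch level the policy baseline requires
    controls: tuple = ()   # countermeasures in place, e.g. ("mfa", "waf")


def patch_gap(asset):
    """How far the asset sits below the patch baseline."""
    return max(0, asset.required_patch - asset.installed_patch)


def vulnerability(asset):
    """0..1 vulnerability score from the patch baseline, never below the floor."""
    return min(1.0, VULN_FLOOR + VULN_PER_MISSING_PATCH_LEVEL * patch_gap(asset))


def residual_control_factor(asset):
    """Countermeasures reduce risk; combine them as independent reductions
    so two controls beat one, but the factor never reaches zero."""
    factor = 1.0
    for control in asset.controls:
        factor *= 1.0 - CONTROL_EFFECTIVENESS.get(control, 0.0)
    return factor


def risk(asset):
    """Risk rises with threat likelihood, vulnerability and impact, and
    falls with the countermeasures in place."""
    score = (EXPOSURE_LIKELIHOOD[asset.exposure]
             * vulnerability(asset)
             * asset.impact
             * residual_control_factor(asset))
    return round(score, 4)


def assess(inventory):
    """One pass of the cycle: score every asset, highest risk first."""
    return sorted(inventory, key=risk, reverse=True)


def remediate(asset):
    """Remediation step for this example: bring the asset to the patch baseline."""
    return replace(asset, installed_patch=asset.required_patch)


def closed_loop(inventory, threshold, max_rounds=5):
    """Assess, remediate the worst asset, then re-assess to verify.

    Returns (remediations_performed, final_ranking). The loop only stops
    when a fresh measurement shows nothing above the threshold, or when
    the round budget is spent.
    """
    current = list(inventory)
    for rounds in range(max_rounds + 1):
        ranked = assess(current)
        if risk(ranked[0]) <= threshold:
            return rounds, ranked          # verified by re-measurement
        worst = ranked[0]
        current = [remediate(a) if a.name == worst.name else a for a in current]
    return max_rounds, assess(current)     # budget exhausted; still above threshold


# Constructed sample inventory (assumed data, not from the page).
INVENTORY = [
    Asset("web-portal", "internet", 0.8, installed_patch=3, required_patch=5, controls=("waf",)),
    Asset("hr-db", "internal", 1.0, installed_patch=1, required_patch=5, controls=("segmentation",)),
    Asset("vpn-gw", "internet", 0.6, installed_patch=5, required_patch=5, controls=("mfa",)),
    Asset("build-server", "partner", 0.7, installed_patch=4, required_patch=5),
]

if __name__ == "__main__":
    for a in assess(INVENTORY):
        print(f"{a.name:13s} gap={patch_gap(a)} risk={risk(a)}")
    rounds, final = closed_loop(INVENTORY, threshold=0.05)
    print(f"{rounds} remediation round(s); worst remaining: {final[0].name} at {risk(final[0])}")
```

Two points the numbers make that the prose only states: the internal HR database with four missing patch levels scores nearly as high as the internet-facing portal, because impact and missing patches matter as much as exposure; and the loop needs three remediation rounds before a re-measurement confirms every asset is under the threshold, which is the closed loop the article describes. Swap in real scan output, CVSS-derived vulnerability scores or a different control model and the structure of the cycle does not change.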
With all of that in mind, how do you select products or services? Cost can be an issue, but more important is usability within the context of your organization. Just because a tool will provide the answers to your questions does not mean that it is a good choice. More products of this type sit on the shelf unconfigured than we would like to think about. It is not uncommon for an organization to buy a risk assessment tool, for example, and then find that it has no one who can run it. It gets no benefit from the tool, or the reporting that does come out of it is worse than useless. Select for your specific organization, your needs and your resources. With this batch you cannot go wrong.