This is an interesting product. It clearly is vulnerability-centric - vulnerabilities being the easiest elements of risk to manage - but this year the company has taken up the slogan "Threat is a new risk". We don't agree and we wish that the marketing mavens at this company would take a look at the traditional definition of risk that includes threats, vulnerabilities, and impacts. That said, our hats are off to a company that actually has stopped referring to vulnerabilities (or threats, or impacts) alone as "risks" and started to mix in the elements to achieve a useful risk profile. This is a big step for a company that has been vulnerability-centric.
What is even more exceptional is the depth of analytics it applies to typical threat streams. We really like the way the pieces fit together neatly for security orchestration, analysis, and remediation on a well-constructed platform. The new landing page is meant for the CISO and contains mapping and correlation of risk metrics optimized for your organization. To achieve this there are 600 reports out of the box. The company supplies a multi-regulatory compliance framework of more than 50 standards and policies, supporting over 400k controls and sub-controls.
There are lots of new capabilities built around visualizations. The tool provides several visualizations - 150 dashboards - out of the box to cover most common things that are important to understanding. A key capability is RiskVision's trending accuracy for handling the security/vulnerability management process using such tools as closed-loop remediation.
While RiskVision doesn't provide a one-size-fits-all analysis, it does provide a standardized risk scoring process and adds the ability for you to tune their algorithms to your organizational needs. We think that this capability not only is pretty important - obviously, not all organizations are alike - but we also found it unique in that rather than simply adding a rule or two, editing a few more and perhaps deleting a couple, RiskVision allows you to tune the way it analyzes the data that it finds.
The Asset repository is where you capture and organize the metadata around the organization's inventory of devices, applications, databases, etc. Another key aspect that drives this tool is the concept of relationships based upon metadata. These relationships allow several types of analysis but one that really impressed was the ability to decide which vulnerabilities to remediate first based upon the damage that a compromise of those assets could do to the company, its data and its brand - in other words, how a breach could damage the business.
We have used that technique for years by looking at vulnerabilities and mapping the vulnerable assets against the rest of the network using link analysis and social network analysis to determine which vulnerable assets have the greatest impact on the rest of the network.
We found pricing to be very reasonable, even this is not a true next-generation tool. The website has a lot of support information but you need a customer account to access it, something that we don't encourage. Standard support is included but extended support is quite expensive (30% of the cost of the product) but includes 24X7 support while the standard support package is only 8X5. Documentation is good - about what we've come to expect from top-line products, and in that regard, it does not disappoint.