Measure and manage the risk inherent in your IT infrastructure

You've got a limited budget to spend on IT security measures. Wouldn't it be nice to have an advisor tell you precisely how to apply your resources to improve the security of your infrastructure and reduce the inherent risks to your business? Prevari's Technology Risk Manager uses predictive analytics to show you your risk level and what you can do to mitigate the risks.

Your organization has invested significant resources in securing your IT infrastructure. You have safeguards such as firewalls, intrusion detention/prevention systems, data-loss prevention systems, and you (hopefully) keep your patches up to date and your vulnerabilities to a minimum. Nevertheless, an auditor will tell you that remaining weaknesses in the IT infrastructure will put the business at risk. It's this risk level that keeps the CISO up at night.

It's the CISO's job to measure and understand this risk and lower it to the extent possible within the budget he is given. Sounds simple, doesn't it? But how do you measure the inherent risk level within an entire IT infrastructure? And how do you know what additional controls you can apply to lower that risk?

10 of the worst moments in network security history

This is the conundrum that Prevari addresses with its Technology Risk Manager (TRM) solution. TRM is a risk-based decision support system that provides predictive analytics to enable senior leadership and technology managers to quantitatively measure information risk using a common scoring/metric system. The managers can then make risk-based decisions on how and where to apply additional controls or resources to further protect the infrastructure and reduce the risk.

To construct the analytics, TRM uses data from a variety of sources, including:

* Security scan data from vulnerability scanners, whether they be Open Vulnerability and Assessment Language (OVAL), eXtensible Configuration Checklist Description Framework (XCCDF) or a proprietary format.

* Data from compliance frameworks such as ISO, PCI-DSS, HIPAA, GLBA and so on.

* Administrative, technical and compliance controls that are in place on the infrastructure.

Assembling this data provides an objective, quantitative, repeatable measurement of both inherent and residual risk. Inherent risk is the risk associated with a particular device based upon its configuration; for example, a server and the operating system running on it. Residual risk is an examination of the supporting mitigating technical and administrative controls on top of that device that can result in risk reduction; for example, applying regular security patches to that server.

The risk measurement is provided in a dashboard, with the initial view being the measurement of the confidentiality, integrity, availability and audit of the infrastructure. The chart might show, for example, that your infrastructure has a high risk of becoming unavailable (i.e., down time). Drilling down, you can see the root cause of this risk assessment—perhaps something like a critical network component is showing signs of imminent failure. The confidentiality risk score might be high due to a known vulnerability in software / OS patching, or a lack of encryption in a mobile device.

Risk can be measured over time so that you can see the effects of applying mitigating controls. In the example above, you could see how the "availability" measurement is affected by the replacement of the troublesome component.

TRM helps organizations by performing all the hard work in terms of going through all the regulations and compliance requirements and putting together the master checklist and comparing it against what is implemented in a data center. From a financial perspective, Prevari TRM provides organizations actionable risk-based analytics to answer the question, "If we have a limited budget to spend on security, where should we spend it?"

In addition to measuring existing risk, TRM allows organizations to model and simulate war game vulnerabilities and attacks on specific devices and the organization as a whole. This strategy allows you to simulate the impact of additional controls to mitigate future attacks from "not known vulnerabilities." In simple terms, this allows you to ask "how thick are the castle walls, and what should we be doing to reinforce them, whether or not there are attackers outside my gate?"

David Grandstrand is a financial services industry executive who helps organizations prepare themselves for sale. He has used TRM at his past three employers. "As I financial guy, what I love about TRM is that it provides quantitative measurement of how information security is performing. This allows me to make decisions about spending more or less on information security," Grandstrand says.

He says that two of the companies he worked with had high-risk postures. TRM allowed the companies to make a clear and concise decision that information security would be the top priority within the IT organization for the next year. According to Grandstand, "Because of TRM's insight, we were able to develop a plan and measure our progress as we implemented each new control. From a corporate perspective we were able to allocate our human and financial resources to the right spots based upon what TRM told us."

Grandstrand adds that the IT department was initially against deploying TRM, but then came to embrace it because this tool can measure the impact on improvements they made. "The strength of the Prevari tools is that they tell you specific areas that need improvement," according to Grandstrand. "You can identify and plug very specific holes in the environment. It's a tactical solution that helps a company shore up security and compliance. This tool got the IT people very excited because they could see exactly what needed improvement and they could do it and get measureable results."

If your organization has a limited budget to spend on information security -- and what organization doesn't? -- Prevari's Technology Risk Manager can help you figure out where to apply your resources to get the most bang for your bucks.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT