Infrastructure services vendor VeriSign has introduced its Security Risk Profiling Service, which aims to help organisations identify, visualise and quantify information security risks, the company says. The product is targeted at large enterprises, such as investment banks.
The service provides a holistic view of threats, vulnerabilities, network access policies and business impacts, says Daniel Zatz, managed security service business manager of VeriSign Asia-Pacific.
“The service is capturing information from the customer’s devices and then analysing it all,” he says.
The security risk profiling service includes automated IT security modelling that provides a network map showing the location of assets and all associated access paths, according to VeriSign. It also includes simulation and visualisation models; business impact analysis and risk metrics; early warning analysis that identifies risks as they emerge and regulatory compliance risk management that shows whether an organisation complies with internal and external regulations, says VeriSign.
“There are [regulatory compliance] profiles already set up within the product. At the moment they’re mostly set up for the US, but the profiles are easily adaptable to localised regulatory requirements in Australia and New Zealand, such as privacy acts,” says Zatz.
One of the issues that the product is addressing is vulnerability scanning, says Zatz.
“The problem is that whichever scanner you have got, it comes out with a report and you might get a list of 10,000-odd vulnerabilities, but the scanners don’t take into account things like the value of the asset.
“The security risk profiling service allows organisations to not only find out risks within their networks, but also how it relates to their whole organisation and how it relates to their own network,” he says.
When organisations need to change firewalls, routers and configurations, for example to enable external access to an application, VeriSign’s product will allow them to test in a virtual environment how the changes would impact the organisation.
“We can grab all the configurations of routers and firewalls, build a scenario and provide a graphical map of how changes are going to impact the rest of the network,” he says.
Using technology from VeriSign’s business partner Skybox Security, a security risk management vendor, the product takes data from the customer’s firewalls, routers and vulnerability management systems and combines that with data input from the DNS for .com and .net (which VeriSign runs), input from VeriSign’s iDefence security intelligence organisation, and input from vulnerability scanners.
“We can then build a visual representation of what the customer’s network looks like, and give them a rating of what the risk is right now. So this is a real time application, constantly pulling vulnerability data from various sources, as opposed to a traditional, static risk report,” says Zatz.
The product is available in New Zealand now, but so far no one in the country is using the product.
“We are going to start approaching customers in New Zealand over the next quarter,” he says.
The price is based on the number of assets the customer has. There is a monthly charge and a one time set up cost, which covers approximately three weeks of set up and review prior to implementation, says Zatz.
The Security Risk Profiling Service is part of VeriSign’s portfolio of enterprise risk management solutions which include Managed Security Services, Global Security Consulting and iDefence Security Intelligence Services.
ICANN, the US organisation that overseas the domain name system, has awarded VeriSign the rights to manage the .com name space despite controversy surrounding its current management.