There are a lot of different tools and methods to perform IT security vulnerability assessments. Making sense of all the data that various tools collect is important if an enterprise wants to truly understand its risks.
Ed Bellis knows this better than anyone after serving as the CISO of travel website Orbitz.
"We had a bunch of different tools doing assessments, including network, dynamic and static application scanning," Bellis told eSecurity Planet. "On top of that we had the usual pen testers, auditors and professional services, and they were all producing a lot of overlapping data. It just became an absolute nightmare to manage and figure out what was important."
While at Orbitz, Bellis used a set of scripts and spreadsheets to manage all that data. After discussions with some of his peers in the industry, Bellis realized that he was not alone in the challenge of managing vulnerabilities. That realization led him to help found a company called Risk I/O in 2010. The Risk I/O vulnerability intelligence platform, a software-as-a-service (SaaS)-based offering, was launched in 2011. In late 2012 the company raised over $5 million in venture funding.
"The one thing I've learned through all of this is while our problems were painful at Orbitz, they were relatively tiny in comparison to some of the folks that are using Risk I/O today," Bellis said.
Centralizing and Prioritizing Security Data
The Risk I/O platform aims to provide a centralized location for enterprises to view and report on all security issues and defects. The system also serves as a collaboration platform, connecting all of the personnel who need to be involved in security remediation. Additionally, Risk I/O provides prioritization for vulnerabilities.
"You can look across all the vulnerabilities, and some of our customers have millions if not tens of millions of issues across their enterprise," Bellis said. "The system can help prioritize the top issues that are most likely to lead to a breach."
Prioritization involves the use of what Bellis referred to as contextual data: the information coming from log and event management systems as well as from network intrusion prevention systems (IPS). Data is also pulled in from existing databases of known exploits.
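The two problems described above, overlapping findings from several assessment tools and ranking them with contextual data, can be illustrated with a small added example. It is not Risk I/O's code or algorithm; the scanner names, CVE placeholders, exploit list, IPS alerts and scoring weights are all constructed for the illustration.

```python
# Added example: merge overlapping scanner findings, then rank them using
# contextual evidence (a known-exploit list and IPS alerts). All inputs are
# constructed placeholders; the weights are illustrative, not a vendor's method.

# Constructed findings from two scanners; note the overlap on web-01 / CVE-0000-0001.
FINDINGS = [
    {"source": "netscan", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"source": "appscan", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.0},
    {"source": "netscan", "asset": "db-01",  "cve": "CVE-0000-0002", "cvss": 7.5},
    {"source": "appscan", "asset": "web-02", "cve": "CVE-0000-0003", "cvss": 5.3},
]
# Constructed context: placeholder CVE ids with public exploits, and (asset, cve)
# pairs an IPS or log/event system reported as actively targeted.
KNOWN_EXPLOITED = {"CVE-0000-0002"}
IPS_ALERTS = [("db-01", "CVE-0000-0002"), ("web-02", "CVE-0000-0003")]


def merge_findings(findings):
    """Collapse duplicate reports of the same asset/CVE into one record,
    keeping the highest reported CVSS and the set of tools that saw it."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        rec = merged.setdefault(key, {"asset": f["asset"], "cve": f["cve"],
                                      "cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f["cvss"])
        rec["sources"].add(f["source"])
    return list(merged.values())


def score(rec, exploited, ips_alerts):
    """Base CVSS plus contextual weight: a public exploit and evidence of live
    attack attempts against this asset outrank raw severity alone."""
    s = rec["cvss"]
    if rec["cve"] in exploited:
        s += 3.0
    if (rec["asset"], rec["cve"]) in ips_alerts:
        s += 2.0
    return s


def prioritize(findings=FINDINGS, exploited=KNOWN_EXPLOITED, ips_alerts=IPS_ALERTS):
    """Return merged findings ranked highest risk first."""
    recs = merge_findings(findings)
    alerts = set(ips_alerts)
    for r in recs:
        r["score"] = score(r, exploited, alerts)
    return sorted(recs, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['score']:5.1f} {r['asset']:7} {r['cve']} seen by {sorted(r['sources'])}")
```

With these inputs the medium-severity finding on db-01 ranks above the critical one on web-01, because an exploit exists and the IPS has already seen attempts against it.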
According to Bellis, the Risk I/O platform uses the open source Ruby on Rails framework on the front end, as well as the open source Apache Solr search technology. Risk I/O's prioritization and predictive analytics capabilities are proprietary technologies. From a security perspective, all of the data used on the platform is encrypted both while at rest and while in motion.
Bellis noted that Risk I/O uses its own platform.
Same as SIEM? Not So Much
The concept of aggregating vulnerability data is not an entirely new one. The Security Information and Event Management (SIEM) market is built around the same concept, though Bellis sees Risk I/O as being somewhat different.
"We're analogous in many ways to a SIEM, but we're using the data to solve a different problem," Bellis said.
Bellis noted that when he thinks about what a SIEM does, it takes in data to look operationally at a network to see what is going on. In contrast, Risk I/O uses data to identify and prioritize the root causes of security issues.
"So when I look at this stuff and I see stuff coming from my log and event management system, I see it as one piece of the puzzle that will help me to prioritize an issue within my environment," Bellis said.
IBM and HP have both been very active in the SIEM space over the course of 2012. For IBM, SIEM is so central that the company has re-organized its security organization around the whole concept.
"We are not a vulnerability management solution and we're not a SIEM," Bellis said. "We sit above that and we take data a step up so enterprises can make better decisions."