Ever wondered how your IT security environment stacks up against another organization’s? What your weak products are? Or which applications create the most problems for a given malware?
Until now making comparisons has been impossible. But this week NSS Labs, an analyst firm which tests equipment, began selling a new service it says lets CISOs do that.
Called the Cyber Advanced Warning System, it lets subscribers test a system built around five categories of products (consumer and end-point protection, intrusion prevention, next-generation firewall and unified threat management) against an up-to-the-minute database of threats.
“You’re not in the short run going to change your security products,” CEO Vikram Phatak said in an interview. “But would help you understand where are the areas you need to avoid.”
For example, he said, if the chief executive wants an update on the IT security posture, the CISO can say tests show the organization is vulnerable in particular places. To improve the situation, the recommendation would be to replace certain hardware in the long term and, in the short term, to put more priority on patching specific applications.
So far 41 products can be tested against a wide number of applications.
Users can pick as many products and applications as needed and the system will show the number of vulnerabilities that will slip through — and, just as importantly, why.
For example, it may show an environment lets most Adobe Flash vulnerabilities in, and which product is guilty. The CISO then can decide whether to replace the product or ensure the application doesn’t pose a threat (either by removing or updating it). Users can also compare products within a category (such as all next-gen firewalls listed).
Because threats change over time, users can evaluate products over a period of time — say the last 60 days — to get an idea of whether their performance is consistent.
The catch: the service isn’t cheap. It starts at US$10,000 a year for a single seat in an organization that has up to 500 employees, and goes up to $300,000 for 50 seats and an organization with 50,000 employees.
All subscribers get unlimited use of the service for a year. That way they can test their environment (if it includes products in the system) against up-to-the-minute threats.
For SMBs the company is thinking of a lower-priced service which might offer more limited access — for example, use only four times a day.
There will also be a service aimed at consumers to test their personal PCs.
At the moment, with only 41 products, the enterprise version of the service may not go so far as a New York Times writer suggested, which is to “hold security vendors accountable.”
Phatak merely said he hopes vendors will see the results and strive to improve their products.
He also says the service will give CISOs a way to measure the effectiveness of their cyber security strategy and investments, as well as — if run often — a tool that warns users when they are at risk of being breached.