“Security Aware CIOs Realize The Criticality Of SVA”
Anil Menon, CEO, Secure Synergy talks to Biztech about the practice of Security Vulnerability Assessment (SVA) and its scope in the enterprise landscape.
How do Indian enterprises perceive SVA?
We have been offering vulnerability assessment services over the last 5 years and we've got around 100 odd Indian clients for whom we provide VA services. This can be done onsite, or onsite plus off-site in conjunction with Penetration Testing (PT).
Indian organizations have over the last 2 years or so started looking at periodic assessments (often quarterly) in order to assess their security readiness. Indian enterprises are well aware of the importance of SVA and PT. However, despite this awareness, a quarterly process is done only by around 200 odd companies, while the rest are content with a yearly scan. Some of them only do SVA as part of a compliance requirement or ISO 27001 processes. Security-aware CIOs are quite clear about the role played by a thorough SVA process in assessing their security posture.
SVA can also be performed in-house; is it advisable?
It is true that SVA can be performed in-house with the help of automated tools. In fact, this is what many organizations with a limited view of their security posture actually do. However, such SVAs suffer from several shortcomings: automated tools tend to scrutinize each system they target as a distinct entity and not as a component of an organization's infrastructure. This is obviously not a very intelligent process. Automated tools are unable to synthesize and correlate the information they gather, and very often they throw up a lot of false positives as they err on the side of caution. In fact, substantial experience is required to distinguish the false positives from actual vulnerabilities. Also, automated tools cannot measure operational and management issues related to security. Areas such as social engineering are given a complete miss by automated scanners.
In essence, automated tools cannot provide in-depth and substantive analysis, whereas specialist vendors have expertise across platforms and tools that do so. Specialists are trained to sift through tons of data and correlate between a PT and an SVA and align them with the organizational security policy. Automated scanners or in-house staff cannot do this.
How does one measure the ROI on this?
To be honest, measuring a clear ROI is difficult. However, you can definitely quantify it through some examples. For instance, everyone will acknowledge that data protection is less expensive than a data breach. The data broker ChoicePoint is a classic case. ChoicePoint mistakenly granted record access to an illegitimate business, which exposed and potentially abused 145,000 customer accounts. In the first and second quarters of 2005, the company reported $11.4 million in charges directly related to the incident. Gartner estimated the cost of this exposure to ChoicePoint to be in the range of $90 per exposed account.
Gartner says that the actions a company will take (or not take) to address the concerns of shareholders, boards of directors, regulators and other external parties can often multiply the financial impact of a large compromise. ROI can also come through increased shareholder trust, client confidence, etc., as has been seen with Indian ITES firms who have moved forward and got certified under ISO 27001.
As SVA is not a one-time practice, how does one justify the investment in it?
Security is a moving target. Every process change that you make, every device you add, every employee credential you change can alter the security properties. Your partner/supplier/customer chain can add vulnerabilities. Hence there is a clearly justifiable need for periodic assessments, even continuous assessments. As and when a new vulnerability is reported, a new location is opened, or during employee attrition, it is good practice to go through a level of assessment.
Do you think that in the future SVA will only exist in combination with security and network management tools?
A good vulnerability management program will include elements like classification of assets, measuring the effectiveness of your controls, integration with processes like patching and configuration management, as well as audit mechanisms. The VA & PT process has already changed to integrate this practice.
Rajendra Chaudhary