Hi there! Happy Friday.
I’m under the weather today, but thought I’d point some things out real quick.
Shrdlu at Layer8 talks about probability of action and motivation of attackers. It's great to see probability of action and frequency of action being considered in risk analysis. Her blog post got me thinking about something else I saw in my RSS feeder.
There are some really cool products that are mislabeled as "risk management" products. This mislabeling is one of the factors that causes smart folks (Jaquith and Ranum among them) to claim that "risk management" is dying or dead. Rothman said to me last week that people are becoming "numb" to the term. DarkNet talks about one such product today. Now, the vendor of this product has some really cool stuff, and very respected people I know use their technology to feed priors into FAIR. But it's worth repeating:
- Risk analysis must use frequencies to determine probability, not just "hey, that looks like a bad vulnerability that someone might get to."
- Risk management is not just vulnerability management with risk analysis bolted on for the sake of prioritization.
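To make the first point concrete, here is an added example (not from the original post, and not any vendor's code) that scores two constructed findings both ways: by a severity-only score, and by a FAIR-style annualized loss built from Threat Event Frequency, Vulnerability and Loss Magnitude. The scenario names, scores, frequencies and dollar ranges are all made up for illustration; the point is only that the two rankings come out in opposite order once frequency enters the picture.

```python
"""Constructed example: severity-only ranking vs. frequency-based annualized loss."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    severity: float       # severity-only score on a 0-10 scale (constructed)
    tef: float            # Threat Event Frequency: attacker contacts per year (constructed)
    vulnerability: float  # P(a threat event becomes a loss event) (constructed)
    loss_min: float       # per-event loss magnitude bounds in USD (constructed)
    loss_max: float


# Two hypothetical findings. A looks worse on severity but sits on a host that
# almost nobody reaches; B is milder but takes constant contact from the Internet.
SCENARIOS = [
    Scenario("A: RCE on isolated batch host", severity=9.8, tef=0.2,
             vulnerability=0.5, loss_min=200_000, loss_max=800_000),
    Scenario("B: auth bypass on public portal", severity=6.5, tef=50.0,
             vulnerability=0.1, loss_min=5_000, loss_max=25_000),
]


def loss_event_frequency(s: Scenario) -> float:
    """FAIR: Loss Event Frequency = TEF x Vulnerability (loss events per year)."""
    return s.tef * s.vulnerability


def annualized_loss(s: Scenario) -> float:
    """Expected annual loss = LEF x mean loss magnitude (uniform between the bounds)."""
    return loss_event_frequency(s) * (s.loss_min + s.loss_max) / 2.0


def rank_by_severity(scenarios):
    """The 'that looks like a bad vulnerability' ordering: severity score only."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.severity, reverse=True)]


def rank_by_annualized_loss(scenarios):
    """Frequency-aware ordering: expected annual loss, highest first."""
    return [s.name for s in sorted(scenarios, key=annualized_loss, reverse=True)]


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(s: Scenario, years: int = 20_000, seed: int = 1):
    """Monte Carlo over simulated years: loss events ~ Poisson(LEF), each with a
    uniform loss magnitude. Returns (mean annual loss, 95th-percentile annual loss)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        events = _poisson(rng, loss_event_frequency(s))
        losses.append(sum(rng.uniform(s.loss_min, s.loss_max) for _ in range(events)))
    losses.sort()
    return sum(losses) / years, losses[int(0.95 * years) - 1]


if __name__ == "__main__":
    print("severity-only ranking:  ", rank_by_severity(SCENARIOS))
    print("frequency-based ranking:", rank_by_annualized_loss(SCENARIOS))
    for s in SCENARIOS:
        mean, p95 = simulate(s)
        print(f"{s.name}: LEF={loss_event_frequency(s):.2f}/yr "
              f"ALE=${annualized_loss(s):,.0f} sim_mean=${mean:,.0f} sim_p95=${p95:,.0f}")
```

Severity alone puts A first; once a frequency is attached, B's expected annual loss (50 contacts/yr x 0.1 x $15k = $75k) outranks A's ($50k), and the simulation's mean converges on the same figures. The numbers are invented, but the shape of the disagreement is exactly what the first bullet is about.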
Again, these are typically really great products for what they do. I’m not saying don’t buy the product - I think if you have the resources, you should really consider their stuff. I’ve heard that the specific product mentioned in the DN article is crescent fresh.
It's just that the companies that make these products feel like they have to do the Gartner Magic Quadrant Dance in order to raise more capital and/or be acquired, which is a shame. Their incorrect use of these terms turns off the more sophisticated of us while fooling the unsophisticated into thinking they're actually doing something that they most certainly are not.
Tags: compliance, information risk, information, risk, risk management, risk_management, security, information security, information_security, governance, enterprise_architecture
(via RiskAnalys.is) May 25, 2007, 12:04pm