Cenzic Provides Risk Assessment of Risky Business

A new product provides enterprises with a risk assessment analysis that keeps everyone informed.

A security solution is only as useful as the reports it produces, and too often those reports are readable only by CSOs. A new product provides enterprises with a risk assessment analysis transparent enough to keep everyone in the loop, from security managers to executives, CIOs, compliance officers, and privacy officers.

Cenzic, Inc. released Hailstorm Enterprise ARC (Application Risk Controller), a product that delivers enterprise-wide dashboards displaying app security views in a format functional for everyone. The Santa Clara, Calif.-based company’s product offers insight into app security by identifying trends and prioritizing risks for its users.

“As a CEO or CIO, I want to know how many apps I have in my whole corporation, and I have no idea what’s been tested and what hasn’t been tested,” John Weinschenk, CEO of Cenzic, told us.

With Web applications accounting for nearly 60 percent of all vulnerabilities, as reported by the latest Symantec Threat Report, enterprises are exploring new ways to secure Web front-ends and transactional business. Since hackers are finding more creative means to exploit data, illegally transfer funds and swipe intellectual property, businesses need to identify where their risks lie, and how best to address those risks.

“Much of the focus to date has been in desktop and network security. However, the majority of attacks are at the application level, where hackers come in like a real user and hijack a transaction,” said Peter Christy of the Internet Research Group. “Needless to say, the ramifications of such an attack are serious financial impact to the organizations and individuals whose information has been stolen.”

Hailstorm’s approach to risk assessment is an inclusive one. It shows which applications have been tested, what the vulnerability trends are, and ranks—through a HARM score—which applications are most threatened. HARM (Hailstorm Application Risk Metric) scores are given to each application within the enterprise, ranging from a base score of 30 to upwards of 600. An application’s score is based on how important it is to the enterprise, how easy it is to exploit it, and the types of security holes that exist in it.

“It’s something we just created. We’re going to try to make it an industry standard,” said Weinschenk, referring to the HARM rubric.

The solution—built on a browser—mimics the behavior of a hacker and delivers its analysis through the browser. The security assessment can be arranged by months, days, and level of risk. It presents the information in a variety of tables, charts, and graphs, with more than 20 different views available. Hailstorm, which includes an attack library updated weekly, also shows enterprises applications their employees do not realize they have and helps them retire applications that are no longer relevant to the business. The Cenzic solution also aids administrators in evaluating the performance of their security teams.

“At the deepest level, we’ll show you the vulnerability,” says Weinschenk. “We’ll give you remediation steps for how to go fix it. We can drill down on a lot of different aspects of your business.”

Weinschenk says application security holes are really a programming issue, so enterprises need a flexible way to share analysis with developers, administrators, and technical officers alike. But enterprises also need a secure way to assess risk and limit insider threats, since the same findings that guide remediation would guide an attacker.

“One thing we have to be aware of is that this is a loaded gun,” Weinschenk says. “So we have a whole hierarchy.”

With Hailstorm, the CEO is the sole user with viewing rights to the analysis in its entirety. Acting as the product’s central administrator, the CEO governs access, manages resources, sets parameters, and assigns privileges. The CEO can also create user groups at satellite offices or with partners that restrict dashboard views to only the data relevant to the group’s particular department or unit.

Cenzic released Hailstorm Enterprise ARC to six beta customers earlier this year. The product hits shelves on Wednesday, November 15.

About the Author

Jason Turcotte is an assistant editor at Application Development Trends, online at ADTmag.com.