Security's Risk And Change Management Tools: Drawing A Picture Of Security Posture

Apps that track and manage change and configuration of firewalls and other security systems are finding a home as security and risk monitoring tools in large enterprises
While the SPOM concept certainly sounds like an attractive one for enterprises that must manage policies and configurations across many firewalls and other security devices, the market for the technology remains nascent. Dauber estimates that Skybox and RedSeal, the two market leaders in the U.S., have penetrated less than a quarter of the Fortune 500 combined. Experts agree that the technology currently faces two problems: a perception of high cost and confusion over who will use it.

"I think the need for these products is real, but I suspect that many organizations are put off by the associated price tag," says Andrew Hay, senior analyst for the enterprise security practice at the 451 Group consultancy.

SPOM technology is generally targeted at large enterprises, where collecting and analyzing configuration and management data from a variety of security devices can be daunting. Implementation of the technology can run well into the hundreds of thousands of dollars.

But not all implementations are that expensive, Skybox's Cobb says. "A firewall configuration installation starts at prices as low as $5,000 to $25,000," she says. "Obviously, if you have hundreds of firewalls, that price is going to go up. But when you compare it to the cost of a breach, which may be $200,000 or more on average, it's a pretty good investment."

Perhaps a bigger problem for SPOM technology is the question of who will use it. Tufin's technology, for example, is tied tightly with IT operations processes, and its primary users are IT and security technicians. RedSeal and Skybox tools are also heavily used by operations staff, but they can also be used to create "dashboards" that allow top executives to monitor the enterprise's security posture and evaluate potential risks.

Dauber compared the current SPOM situation to the one that occurred when sales force automation technology came out in the 1990s. "The salespeople wanted to use ACT, which worked better for them out in the field, but management wanted to use Siebel, which gave them better visibility into what was happening in the sales force," he recalled. In the end, the decision on which technology to use was carried by management.

"At the end of the day, executives aren't worried about firewall configuration -- they want a measure of security effectiveness. They want to know why they spent millions of dollars on security," Dauber says. "In all of the other IT disciplines, you know whether your technology is working or not. If your network isn't working, systems go down or you get phone calls from your users. With security currently, a lot of organizations have no idea whether what they're doing is working or not. With SPOM, we're at least beginning to shed some light on that."

Hay agrees that the key play for SPOM is not among line-level technicians. "The vendors really should be leading with the compliance pitch," he says. "Being able to provide a proper audit trail to risk officers, compliance officers, and external assessors will ultimately help the company reach some of its compliance-related goals." Indeed, the notion of "continuous security monitoring" is now included in compliance guidelines set by the federal government (FISMA/CyberScope) and the utility industry (NERC/Critical Infrastructure Protection), two industries where SPOM vendors say they are making significant headway.

Another question that arises in the SPOM market is how long it will continue to be led by relatively small vendors. Hay notes that Tufin, Skybox, and AlgoSec all have top management who formerly worked at Check Point Software Technologies, a pioneer and leader of the firewall market.

"Check Point appears to have been an incubator for firewall and configuration management vendors in Israel," Hay notes. "We've often found ourselves wondering why Check Point hasn't built their own [SPOM] product, or acquired one of the existing players, to handle this obvious shortcoming. We suspect that the market will likely converge, with existing firewall players -- like Check Point, Cisco, Juniper, Fortinet, or Palo Alto Networks -- looking to wrangle some of that management money in-house."

Other vendors in the security space might also begin to take a closer look at the SPOM space as the technology becomes more widely accepted, Hay says. "Though not in direct competition, adjacent technology vendors in change/configuration management and SIEM may soon begin to look at these vendors with acquisition in their eyes," he predicts.

But Dauber says the choice of a SPOM vendor needn't be dependent on its parentage. "There's been convergence in a lot of [management tool] markets in the past, but in the end the question is really which tool will work," he says. "Look at the help desk space -- most enterprises there are still using Remedy because it works, no matter what other tools or vendors you have in place. I think this is a similar situation."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.