Tuesday, October 25, 2011

ITGRC Software Vendors 2011

Here is the most "far-reaching" list of IT-GRC vendors that you can find on the Internet.

I stand by my statement that IT-GRC does not stick, for several reasons.

My previous posts with risk management frameworks and tools are at this link (I will update the risk management tools sometime this year).

Currently there are 4 types of companies in the IT GRC market:

1- IT-GRC vendors: IT Risk Management solutions with integrated workflow and compliance features.
2- Enterprise GRC vendors: ERM (Enterprise Risk Management) tools expanding into the IT GRC space, sometimes called eGRC.
3- Glorified Access Control Tools: This is the world of SAP, Oracle and the related vendors (note to the vendors: GRC is not SoD, Segregation of Duties).
4- Compliance Management Tools (targeting compliance only, without a risk focus).

The market is not as dynamic as in 2010. IT-GRC and Enterprise Risk Management (ERM) solutions have not unified (yet). There are apps for contract management, vendor management, trading risk management, ethics management, asset management, policy management, workflow management, financial risk management, quality management, hazard management, incident management etc. What we need, on the other hand, is comprehensive authoritative templates and a solid, easy-to-use unified GRC framework. IT-GRC is a good starting point for merging the risk management of all these activities. The effort required for this usually delays the actual quick wins of IT-GRC.

2010-11 Changes:
1- IBM acquired OpenPages and Algorithmics Inc.
2- Software AG acquired IDS Scheer
3- RSA Archer started bundling enVision (SIEM) and RSA DLP
4- Paisley's latest name is Accelus at Thomson Reuters
5- Strategic Thought is now Active Risk (name change)
6- Check Point (a security veteran in conventional security software: firewalls, IPS, endpoint security, DLP, DRM etc.) acquired Easy2Comply provider Dynasec as of 10/31/201

Before moving forward, please remember that Excel is 'by far' the most common application in the IT-GRC market : )

There is no order or filter on the list... I simply added all visible vendors (keep me posted).

IT-GRC vendors

Agiliance
http://www.agiliance.com/
RSA eGRC - Archer
http://www.rsa.com/node.aspx?id=3732
BWise
http://www.bwise.com/
Trustwave GRC (Control Path)
https://www.trustwave.com/GRC.php
Symantec (Control Compliance Suite)
http://www.symantec.com/business/control-compliance-suite
Modulo
http://www.modulo.com/
Relational Security - RSAM
http://www.relsec.com/rsam_overview.htm
Metric Stream
http://www.metricstream.com/
nCircle’s IT GRC Solution – Suite360 (acquired ClearPoint Metrics)
http://www.ncircle.com/index.php?s=solution_IT-Governance-Risk-Compliance
Lumension
http://www.lumension.com/Solutions/IT-Risk-Management.aspx
BPS
http://www.bpsresolver.com/
Avedos
http://www.avedos.com/en/home/home.html
Neupart
http://www.neupart.com/
Thomson Reuters (old Paisley)
http://accelus.thomsonreuters.com/solutions/risk-management/
IBM OpenPages (yes IBM acquired Openpages)
http://www.openpages.com/
Software AG GRC (IDS Scheer was acquired by Software AG)
http://www.softwareag.com/us/solutions/grc/overview/default.asp
ARC Logics - Axentis
Wolters Kluwer, the parent of Axentis; also acquired CI-3, MediRegs ComplyTrack, CCH, TeamMate audit, FRS
http://www.axentis.com/Products/Axentis/ProductOverview.html
Methodware
http://www.methodware.com/grc/
Protiviti
http://www.protiviti.com/grc-software/Pages/default.aspx
Cura Software
http://www.curasoftware.com/pages/content.asp?SectionId=7&SubSectionID=48
Mega
http://www.mega.com/index.asp/l/en/c/grc
ControlCase
http://controlcase.com/it-grc.htm
Compliance 360 ( eGRC )
http://www.compliance360.com/
Nemea
http://www.nemea.us/
eGestalt SecureGRC - SaaS hosted GRC offering
http://www.egestalt.com/
Aline GRC
http://www.alinegrc.com/GRC-Platform/20/
Easy2Comply (Powered by Dynasec which is Check Point now...)
http://www.easy2comply.com/
SAI Global
http://www.saiglobal.com/compliance/grc-software/
SwordAchiever Governance, Risk and Compliance (GRC) Software
http://www.sword-achiever.com/Pages/Home.aspx
Xybion eGRC Enterprise 2011 (formerly Amadeus International)
http://www.xybion.com/Products/eGRCEnterprise/eGRCProductOverview.aspx
Ethics.Point Adaptive GRC Framework (acquired HeatShield, Audit 2)
http://www.ethicspoint.com/products/
MitraTech TeamConnect GRC
http://www.mitratech.com/teamconnect-grc
Optial GRC
http://www.optial.com/Products/GovernanceRiskandComplianceGRC.aspx
Highpoint
http://www.highpointgrc.com/
RVR GRC
http://www.rvrsystems.com/IG.php
NeoGRC Compliance Manager (Neohapsis also acquired Securac Certus)
http://www.neohapsis.com/products/neogrc-compliance-manager.php
TraceSecurity Compliance Manager (TSCM)
http://www.tracesecurity.com/products/ts_compliance_manager.php
Avior BenchMark risk and compliance management platform
http://www.aviorcomputing.com/solutions/benchmark
AssurX CATSWeb Quality Risk and Compliance Management
http://www.assurx.com/solutions.html
ANX GRC (TrueARX)
http://www.anx.com/content/solutions/compliance-and-risk-management/trucomply
Telos Xacta IA Manager: Governance, risk, and compliance management
http://www.telos.com/cybersecurity/grc/index.cfm
ServiceNow IT Governance, Risk and Compliance (ITGRC) Management
http://www.service-now.com/itgrc.do
White Cyber Knight -WCK / Lancelot
http://www.wck-grc.com/Products_Lancelot_IT-GRC.htm
Simeio Solutions GRCAXS (IT GRC module)
http://www.simeiosolutions.com/
Evantix Vendor IT Risk and Compliance Management
http://www.evantix.com/what-is-evantix/
Align Alytics Risk, IT, Compliance Management
http://www.align-alytics.com/clientsolutions/

There are many other tools with ERM (Enterprise Risk Management), Compliance Management, Audit and Access Control Governance feature sets.

Here is a long list of indirect GRC software providers:
Oracle Enterprise Governance, Risk, and Compliance Manager
Oracle also acquired Reveleus, Mantas, Logical Apps, Ruleburst, Oracle GRC Manager
http://www.oracle.com/us/solutions/corporate-governance/grc-manager/index.html
SAP (no clear IT-GRC besides Access Control - SoD)
http://www.sap.com/solutions/sapbusinessobjects/large/governance-risk-compliance/index.epx
Greenlight
http://www.greenlightcorp.net/index.aspx
Qumas(Regulatory Compliance)
http://www.qumas.com/
Aveksa (Enterprise Access Governance)
http://www.aveksa.com/
Trintech (Financial controls- no IT)
http://www.trintech.com/
Doublecheck ERM
http://www.doublechecksoftware.com/solutions.htm
ACL - Transactional controls testing
http://www.acl.com/products/ccm.aspx
Approva (ERP Audit / SoD on steroids)
http://www.approva.net/solutions/itsecurity/
Open Text Governance, Risk Management & Compliance
http://www.opentext.com/2/global/sol-products/sol-pro-compliance-governance/pro-open-text-governance-risk-compliance.htm
Grant Thornton - ExpeditionGRC - GT acquired Avalion Consulting ComplianceSet solution
http://bit.ly/9bvCFB (Long URL shortened)
Incom Enterprise Risk Mgr ISO 31000
http://www.incom.com.au
EIQNetworks SecureVue
http://www.eiqnetworks.com/securevue/securevue.php
Brinqa brings privacy, identity and vendor management
http://www.brinqa.com/products/brinqa-grc-platform/
SecurityWeaver (SoD tool)
http://www.securityweaver.com/Products_Separations_Enforcer.asp
ControlpanelGRC - SOX compliance for SAP users
http://www.controlpanelgrc.com/
Xpandion SAP Security
http://www.xpandion.com/
EtQ Reliance (Quality Management, Environmental Health & Safety (EHS) Management)
http://www.etq.com/reliance/
Active Risk Management - ARM (Strategic Thought Group became Active Risk)
http://www.activerisk.com/risk-management/
Symb ERM and Aptius Risk Management
http://www.symb.com/content/c_symbhome.asp
Actimize (Fraud Prevention and ERM - acquired Syfact)
http://www.actimize.com/index.aspx?page=actimizeplatform
Guideline Risk Universe Business Intelligence (RUBI)
http://www.guidelinerisk.com/RUBI_system_intro.html
Hitec Labs Policy Hub and Ten Risk Management
http://www.hiteclabs.com/uk/solutions/policy-management-policyhub/
Horwath Software Services Magique Galileo
http://www.horwathsoftware.com/hsl/hslwebsite.nsf
IBS Compliance Pro Compliance Management
http://www.ibs-us.com/en/products/compliantpro/index.html
LRN Ethics Compliance
http://lrn.com/
Pentana PAWS Audit & Risk Management Software
http://www.pentana.com/products.asp
Prodiance ERM Spreadsheet Compliance (now Microsoft)
http://www.microsoft.com/pathways/prodiance/
policyIQ Risk & Compliance
http://www.policyiq.com/solutions_risk_compliance.asp
SAS Operational Risk Management
http://www.sas.com/industry/fsi/oprisk/index.html
FairWarning Healthcare Compliance Audit /Monitoring
http://www.fairwarningaudit.com/subpages/auditing.asp
Assuria Audit & Compliance Management
http://www.assuria.com/products-new.html
Flexeye Operational Intelligence
http://www.flexeyetech.com/operational-intelligence.html
Consult2Comply Compliance Infrastructure Management
http://www.consult2comply.com/main/
CMO Audit Compliance Risk Management
http://www.cmo-compliance.com/
ComplianceBridge Compliance Policy and Procedure Management
http://www.compliancebridge.com/
The Garland Group RiskKey Continuous Compliance
http://www.thegarlandgroup.net/services/continuous-compliance-service/
NextLabs Policy and Compliance Management
http://www.nextlabs.com/html/?q=control-center
McAfee Risk & Compliance Products
http://www.mcafee.com/us/products/risk-and-compliance/index.aspx
Collaborative Software Initiative - Standardized Information Gathering (SIG)
http://csinitiative.com/products/sig/overview/
LogicManager ERM
http://www.logicmanager.com/contents/why_logicmanager/model.php
Enablon ERM
http://enablon.com/products/risk-management.aspx

IT-GRC software makes our lives more organized, but we should not forget the motto of the CSI audit people: 'A fool with a tool is still a fool'.

Other Links:
http://www.gartner.com/it/content/925200/925212/ks_sd_may09.pdf
Gartner eGRC 2011 report: http://www.openpages.com/Information-Center-Registration/Campaign_88.asp
http://www.isaca.org/Knowledge-Center/Documents/COBIT-Focus-ISO-38500-Why-Another-Standard.pdf

Wednesday, September 28, 2011

Which Logs are Security Logs?

This was originally posted on my RSA Conference Blog


Many of the security logging discussions center on the following topics:
1- Log Collection
2- Log Transport
3- Log Storage
4- Log Taxonomy
5- Log Analysis / Correlation
6- Log Protection / Security

These are all good topics, but one very important topic is rarely discussed, and it is usually the most important one:

What are the security logs?


Security devices (firewall, IDP, DLP, AV etc.) are the easy case: their logs/alerts are classified as security logs. But what about regular applications or infrastructure components that were not built as a "security device" or with security in mind? Do we need to process all logs from these devices? Which logs are more important? Which logs go to the "security" queue?

Let's go with an example: if you are the security architect, what would you recommend to a system owner who came up with a new application that writes its logs to a flat file or a database? Even if the logs are shipped to a syslog collector or an OS log queue, does that change the question?
The question is the same: "which" logs? What do you want?

Here is a quick checklist of activities to ask for in the logs:

1- Logs for all access (User, Admin, Service, Application etc.)
2- Logs for all changes (changes in monitored files, configurations, hardware, software: MACD logs)
3- Logs for critical transactions in the applications
4- Logs from the user repository (e.g. if AD, LDAP or RADIUS is used): access, change and transaction logs from the user repository
5- Logs for anomalies (changes in baseline activity, failed attempts, unexpected connections etc.)

Since a security architect cannot know all applications, this checklist is a good starting point for communicating with 3rd-party developers and application/system owners about security log generation.
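As an added example (not code from the original post), here is a small Python router that applies the five checklist categories to log lines from a hypothetical application and decides which records go to the "security" queue. The key=value line format, the event names, the failure threshold and the sample lines are all assumptions constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed key=value format for a hypothetical app.
SAMPLE_LOG = """\
ts=2011-09-28T10:00:01 event=login user=alice src=10.1.1.5 result=success
ts=2011-09-28T10:00:05 event=config_change user=admin object=/etc/app.conf
ts=2011-09-28T10:00:09 event=transfer user=alice amount=25000 currency=USD
ts=2011-09-28T10:00:12 event=ldap_bind user=svc-app src=10.1.1.9 result=success
ts=2011-09-28T10:00:15 event=login user=bob src=203.0.113.7 result=failure
ts=2011-09-28T10:00:16 event=login user=bob src=203.0.113.7 result=failure
ts=2011-09-28T10:00:17 event=login user=bob src=203.0.113.7 result=failure
ts=2011-09-28T10:00:20 event=page_view user=alice path=/help
ts=2011-09-28T10:00:25 event=group_add user=admin member=bob group=finance-approvers
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Event names per checklist item; these are assumed names for the sample app.
# Item 1: access; item 2: changes (MACD); item 3: critical transactions
# (the application owner defines which); item 4: user repository events.
ACCESS_EVENTS = {"login", "logout", "sudo", "api_auth"}
CHANGE_EVENTS = {"config_change", "file_change", "software_install", "hardware_swap"}
CRITICAL_TRANSACTIONS = {"transfer", "payment"}
REPOSITORY_EVENTS = {"ldap_bind", "ldap_modify", "group_add", "group_remove", "password_reset"}
FAILURE_THRESHOLD = 3  # item 5: repeated failures per (user, src) count as an anomaly


def parse_line(line):
    """Turn one key=value line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(rec):
    """Return the checklist category for a record, or None for a non-security log."""
    event = rec.get("event", "")
    if event in REPOSITORY_EVENTS:
        return "user_repository"
    if event in CHANGE_EVENTS:
        return "change"
    if event in CRITICAL_TRANSACTIONS:
        return "critical_transaction"
    if event in ACCESS_EVENTS:
        return "access"
    return None


def route(log_text):
    """Split raw log text into the security queue and the rest, and append
    synthesized anomaly records for repeated failed attempts."""
    security, other = [], []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        category = classify(rec)
        if category is None:
            other.append(rec)
            continue
        rec["category"] = category
        security.append(rec)
        if rec.get("result") == "failure":
            failures[(rec.get("user"), rec.get("src"))] += 1
    anomalies = [
        {"category": "anomaly", "user": user, "src": src, "failed_attempts": n}
        for (user, src), n in failures.items() if n >= FAILURE_THRESHOLD
    ]
    security.extend(anomalies)
    return {"security": security, "other": other, "anomalies": anomalies}


if __name__ == "__main__":
    for rec in route(SAMPLE_LOG)["security"]:
        print(rec["category"], rec)
```

On the sample above only the page view stays out of the security queue, and the three failed logins for the same user and source are reported as one anomaly record.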


For a structured approach, here are a few good reads to start with:
NIST 800-92, Guide to Computer Security Log Management

Common Event Expression White Paper (also has a history on other initiatives)

Watch Your Logs! Quick intro

Tuesday, July 12, 2011

Reminder: PCI DSS 2.0 is asking for Vulnerability Risk Rating

You know the story: if your systems/applications store, transmit or process credit card data, you must meet the PCI data security standards.
Since Q4 2010, all PCI shops are aware that their Cardholder Data Environments need a risk ranking procedure.

But what is it, and how does it change current practices?

PCI DSS Requirement 6.2 says "Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities".
And a new recommendation may certainly affect how you manage risk…

This recommendation (which will be a requirement by June 30, 2012) can be classified as Risk Management 101, and yet it may change several cornerstones of your processes.

Here is what 6.2.a is asking for:
1- Check your processes for identifying new security vulnerabilities (make sure you have one)
2- Assign risk ranking to identified vulnerabilities
6.2.b continues with the recommendation that you use an outside source for this risk ranking process.

This translates into a solid scoring system for risk. Enterprise options for collecting data for a scoring system are:
1- Vendor Security Alerts
2- Vulnerability Management Advisories (usually security scanner and IDS/IPS shops)
3- Vulnerability Intelligence Advisories (e.g. Secunia, iDefense, Deepsight)
4- Internal risk scoring systems (yes we all love academic endeavors - that is why PCI SSC asks for "outside" source : )

Either way (using one of the options, or some/all of them), PCI recommendation 6.2 will push risk management practices in the right direction and make risk prioritization a priority... Eventually (by 6/30/2012) PCI shops will integrate risk management with vulnerability scanning devices, security alerts, advisories and patch management solutions to audit and validate PCI 6.2 with risk rankings.

Here are a few good links:
Common Vulnerability Scoring System (CVSS-SIG) - http://www.first.org/cvss/
Common Vulnerabilities and Exposures -CVE - http://cve.mitre.org/
National Vulnerability Database - NVD - http://nvd.nist.gov/
TippingPoint Zero Day Initiative ZDI - http://www.zerodayinitiative.com/advisories/upcoming/
Symantec DeepSight Alert Services - https://tms.symantec.com/
Cisco Security IntelliShield Alert Manager Service - http://www.cisco.com/en/US/products/ps6834/serv_group_home.html

p.s. I have written this article for RSA Conference 


Monday, July 4, 2011

Video Notes From the RSA 2011 Conference

RSA Conference 2011

Video Blog #1
RSA Conference Video Blogger Yinal Ozkan talks about his first day at the 2011 RSA Conference in San Francisco, California.

http://www.youtube.com/rsaconference#p/u/99/88pVqQgjkH0 

Video Blog #2
http://www.youtube.com/rsaconference#p/u/96/Ss33IH0laAw

Video Blog #3
http://www.youtube.com/rsaconference#p/u/94/vUtFR_DeHOc

Sunday, June 26, 2011

Talent Filtering for Information Security

I have written this article for RSA Conference blog originally (https://365.rsaconference.com/blogs/yinal-ozkan)


Great results are not achieved by mediocre teams… Building the right Information Security team does matter, and usually it becomes a full-time task for the owners of Information Security initiatives in today's enterprise.

The Information Security domain might be hot, and we may have a positive influx of talent to the sector; however, finding the right people with the right skill sets at the right time and the right cost is close to impossible.

This post has no intention of questioning/changing years of HR practices; the goal is to give feedback from the enterprise Information Security field and to create useful short-order-cook content that can be quickly consumed within the next 15 minutes for the upcoming interview you are conducting…

Here are my experiences with finding/hiring talent in Information Security:
1- Do not reinvent the basics. As the Buffett/Gates duo has stated, great talent should have the 3 basic skills:
    • Technical Skills (This is standard; I will dig into this item more down below)
    • Conceptual Thinking (Seeing the big picture)
    • Communication Skills (This is not talking too much, as perceived by many engineers. Effective communication is a very valuable skill in all team deliverables)
It is usually simple to find any one of these skills in an individual, but when you find all 3 of them together, never miss the opportunity; these people will carry the workload of many!


2- Have the right pyramid mix of talent in your team: Complex projects require good leaders who can set the target, coach others, lead by example and, most important of all, take the team from A to B. Then you need good managers, who can plan, organize and delegate. It is usually a good practice to have managers who cut their teeth in project management and financial management offices. Last, but not least, the engineers (or consultants). Based on the size of the project, you must determine whether to go with specialists or generalists. This is a big decision point. The more specialists you have, the more integration glue (architects, project managers, program managers) you need.

3- Since generic HR topics are not my intention here, I will skip managerial skills and focus on finding the right technical resources. Project-based deliverables do not require that much real-time information. Therefore, it does not make sense to filter candidates based on closed-book random interview questions. My recommendation is to measure their knowledge so you may level them based on knowledge. This is management basics, data to wisdom:

    • Ask them questions starting with who?, when?, where?, what? If you can get good answers, that means your candidate has "information"; your candidate is probably familiar with the topic.
    • Ask them questions starting with "how?". If you can get good answers, that means your candidate has knowledge. This is a clear signal of experience.
    • Ask them questions starting with "why?". If you can get good answers to "why" questions, that means your candidate has the wisdom and the conceptual thinking skills that you are looking for.

4- Specialists: Being a specialist does not create a rain check to omit the basics of information security. I have met several consultants who were very familiar with compliance but did not understand the technical tools, and I have seen great application security people with zero understanding of network basics. The trend is to have a good understanding of all domains while you excel in 1 or 2 of the domains as a specialist. Interviewing specialists should involve 2 different classes of questions to gauge:
    • How much do they own their domain of specialization?
    • How much do they understand about how other domains work?

5- Generalists: I believe there are 2 types of generalists you can trust in Information Security:
    • New Grads with no experience
    • Project Managers, Auditors, and Managers (usually go well with certificates like CISSP, CISM etc.)
    • If you are interviewing a candidate with over 3 years of Information Security experience and no particular specialty, that is a big red flag.

6- Send consultants the questions that you will ask in advance. This will eliminate the "it is not at the top of my head / it has been a while" excuse. Since you send the technical interview questions in advance, you can ask any particular sub-question. This asynchronous Q&A style is closer to real life. This way you can ask really tough questions as well.

7- Ask for a sanitized copy of deliverables from past assignments. Good samples are good indicators of the pitched skills. Obtaining samples is problematic, especially in Information Security, due to security and Intellectual Property concerns, but checking is better than not checking.

8- Classify Information Security resource types (this is subjective). Classification will help you identify your candidate's specialty, customize your questions and assess candidates more evenly. In today's IS world, I see the following backgrounds; we can dig into each area in separate articles. Here is the bird's-eye view for the 15-minute intro:
    • Network Security Specialists: This is the most abundant resource. Most of these resources have a strong networking background and operational and engineering know-how about common tools like firewalls, IDP, content security and OS hardening. Ask for enterprise know-how instead of small-shop experience; that is a completely different skill set. It usually makes sense to get "Security Operations" resources from this background, since their operational background fits well with the SOC (Security Operations Center).
    • Vulnerability Testers: This is another domain where you can find a lot of resources (not necessarily the best ones). From network testing to penetration testing, this area requires a lot of technical skills. Ask for methodologies, frameworks, references and sample deliverables in addition to basic checks. Network vulnerabilities, application vulnerabilities, operational vulnerabilities and physical vulnerabilities are different, so make sure that you have the right skill sets.
    • Single Domain Specialists: If your project is big enough, you can acquire a domain specialist (e.g. SIEM) or a technology (e.g. RSA enVision) specialist. Be sure to question other skills as discussed above. DLP, DRM, Virtualization Security, Social Media and Mobile Security types of next-generation projects usually require specialists, so it makes sense to start with consultant specialists to acquire the skill sets.
    • Application Security Specialists: Securing SAP, Siebel, Oracle is a lifetime goal. It does require lifetime experience. Again, the same rules as for hiring specialists apply.
    • Desktop Security: Understanding desktop security is different from all other security areas, since the end users are non-IT users. Lately the desktop security domain is crisscrossing a lot of other domains like NAC, 802.1x and VDI, so be very careful to filter.
    • Code Security: This is a hot domain; possible candidates interact with application security and vulnerability testing. It is not possible to understand code security in every development framework, so an Eclipse environment expert cannot be very useful in the .NET environment.
    • Security Architects: Even if you see a lot of titles with Security Architect, the real ones are tough to come by; look for understanding of EA frameworks like TOGAF, Zachman etc. Also look for special frameworks like ISO 27001, COBIT and NIST. Generic frameworks like ITIL, Six Sigma and other compliance frameworks are important. In addition, look for a perfect understanding of operations and the technology.
    • Compliance Specialists: Audit background helps. Top 4 experience helps. Compliance has 2 important parts: meeting compliance and accreditation. Make sure that you acquire the right internal resources to meet your compliance goals. Instead of going with multiple security compliance specialists, it makes more sense to build an information security management program that can answer the common 80% of the requirements of all frameworks.


9- Classify candidate backgrounds based on verticals; it makes sense to find Information Security resources with vertical specialization. I find it amusing to mark a "government" background as we start discussing topics with the "cyber" word… So far I have seen the following backgrounds in the field. Based on your project's requirements, different backgrounds provide different outcomes. You can find Information Security professionals with the following backgrounds:
    • Enterprise
        • Financials
        • Healthcare
        • Manufacturing
        • Utility
        • High Tech
        • Media
        • Other
    • Government
        • Federal
        • State
    • Military
    • SMB
    • Consultancy
    • Higher-Ed
    • Service Provider
    • New Grad
    • Vendor
    • Reseller
    • Out of Sector


Wrap Up: Look for talent with specific skill sets. To help you better identify the right skill sets, customize your questions based on experience background, vertical background and universal skills such as conceptual thinking.