RISK TOURING
Early last year, MassMutual deployed security management software--Archer Technologies SmartSuite Framework--to help its security staff quickly assess and prioritize risks. "We needed something to aggregate information, to bring data into one source," says Mandy Andress, the company's assistant VP of information security. The information being aggregated ranged from data related to security and compliance requirements to vulnerability assessments provided by Qualys' managed security services and data on server configuration settings from NetIQ's Security Management software.

SmartSuite lets companies create applications and databases that automate the storage and management of security-related information. Companies such as MassMutual use this information to assess compliance with government regulations, like the 1999 Gramm-Leach-Bliley Financial Modernization Act, which lays out rules for protecting consumers' personal financial information. SmartSuite also can be used to classify data according to its sensitivity and track change requests to firewall policies.

With the SmartSuite Framework, MassMutual has built what Andress describes as a "risk-touring engine" that assesses applications and systems, taking into consideration factors such as operating systems, programming languages, Internet exposure, and known vulnerabilities. It creates an aggregate risk score for each app and system that the company uses to determine which risks need to be addressed first. The system assigns security problems, such as a virus outbreak or an unauthorized user attempting to access a database, a weighted value that's also calculated into the risk score. It produces bar graphs, pie charts, and other visual displays from these scores to help managers make sense of the data and formulate a security strategy. When Bonsall or his team wants more detail, they click on the charts to see what factors went into assigning a particular score.

PATCH ALERT
MassMutual has configured the framework to identify high-level risks and issue alerts to its security assurance team, which has three workers assigned to evaluate risks to determine actions needed to address them. One such alert recently was triggered by an unpatched server. Further investigation revealed that although it was running one of the company's management programs, it was an older system that MassMutual wouldn't be using for much longer, so it didn't need to be patched.

LESSONS LEARNED Look At Big Picture MassMutual integrated multiple-risk data sources to get a more holistic view of threats. Offload By automating risk assessment, it could respond faster to critical threats. Make Use Of existing resources Insurer leveraged internal systems of record for key items such as application and server asset listings. Be Prepared MassMutual found it needed to provide detailed remediation options with the initial communication of an identified risk.

After its first year in operation, the risk assessment framework's ability to aggregate information about vulnerabilities and threats has led to configuration changes that improved efficiency, Andress says. Analysis that previously required months of research can be done in minutes and in much greater detail, leading to a 97.5% cost reduction in the risk analysis process, she says. But the cost savings were ancillary, she adds. "We didn't implement the Archer system specifically to save money."

The system does provide as much as 75% cost savings when MassMutual adds new sources of risk data because the process of adapting to them takes weeks rather than months. "We made sure we would be able to easily adapt to changing threats," Andress says. She sees security problems in the future mostly coming from existing threats that find new channels--such as the Web or wireless networks--into IT environments.

One of the most recent threats: toolkits that help criminals create multivector threats, Bonsall says. "The pace of this is quickening," he notes, "and the threats are more lethal than they were before." This means MassMutual, like most companies, has less time to fix an increasing number of software vulnerabilities. In such a situation, knowledge truly is power.