Background news analysis

Tackling Network Security Can Be An Uphill Battle

By Christy Hudgins-Bonafield

No doubt about it: Security is hot. The Computer Security Institute says security staff budgets rose 100 percent over the past seven years, and it forecasts an additional 18 percent rise this year. Nevertheless, securing networks is devilishly difficult--largely because security solutions tend to consist of one part product and three parts policy. Juggling corporate politics, procedures, staff requirements and budgets in order to secure a network can make a network manager feel like Sisyphus in Hades.

Mercifully, according to a cadre of usually cynical security gurus, a new breed of product may cool the heat. Users of NetRISK, formally introduced in March by Trident Data Systems, say it is the first rules-based risk-assessment tool for networks. It also may be the first tool to incorporate corporate-specific network and intellectual property assets into risk assessment equations. That tally also estimates the overall cost to the user based on various procedures and the price tag on security products.

Jack Michalek, senior information security engineer at defense security consultancy Data Systems Analysts in Fairfax, Va., says NetRISK is "light-years" ahead of anything else on the market. Michalek says NetRISK let him cut a two-week job for a commercial client to three days, and he thinks most large businesses would be able to cut risk-assessment time in half.

Trident officials say its product, originally conceived as part of a U.S. Air Force-commissioned manual risk-analysis process, has been widely accepted as the risk-assessment model for the Department of Defense's commercial and information warfare traffic. In March, some of the world's largest accounting consultancies, telephone companies and systems integrators were exploring the automated version of the software or using it with clients.

The Process, the Limits

With NetRISK, IS managers can train subnet managers to describe network assets--and their business value--in a database, whether the asset is Coke's secret formula or a specific hardware platform or operating system. A network map unites the assets, which are assessed for risk against a regularly updated Trident database of 250 threats.

Companies are biting. In March, AT&T was already one month into the largest risk assessment it has ever undertaken as an outsourcer, using NetRISK to evaluate security for a Fortune 100 company. David Gore, a member of AT&T's secure systems engineering department, says AT&T will consider using NetRISK itself if it can customize the tool with Trident's assistance. Gore also anticipates interesting future enhancements. For example, by late summer Trident plans to accelerate network drawing and cut-and-paste tasks and provide a first-phase autodiscovery tool to help users create network maps. Trident also is evaluating integration with asset management tools.

Small-to-midsize companies could stumble over NetRISK's $38,200 price tag. But AT&T's Gore says these companies often outsource such tasks and the cost of outsourced risk assessments will plummet if the company performing the assessment can pare the number of hours necessary for the job, as is possible with NetRISK. Trident officials add that NetRISK cuts asset-collection time by establishing strict definitions and rules for clustering asset groups into categories. For example, after a training period in asset collection via NetRISK, engineers and network security staff can list assets, either developed themselves or drawn from a standardized list. They then forward this work to the CIO for an overall risk assessment. The risk-assessment database can be updated whenever equipment is added or more vulnerabilities occur.


Updated April 24, 1997


