Programmatic Security Risk Management - A New Approach by Balbix
Chenxi Wang, Ph.D.
Investor, Cyber expert, Fortune 500 board member, Venturebeat Women-in-AI award winner. I talk about #cybersecurity #venturecapital #diversity #womenintech #boardgovernance
A few weeks ago, I was introduced to Balbix, a new Silicon Valley security startup. I've known Gaurav Banga for some time but didn't know what he was up to after Bromium, so I was curious to learn what Balbix was about.
Gaurav gave me a briefing and a demo on Balbix, and I was hooked. What Balbix has built is compelling: an automated way to inventory and map your network, assets, and communications, combined with a built-in vulnerability database and a risk assessment framework with learning capabilities, all used to automatically assess an organization's IT risk from low-level traffic, vulnerability, and asset information. On top of that, Balbix helps you prioritize investments to manage your risk effectively. And everything is reflected in a visually compelling console.
I invited Gaurav to talk about Balbix in my ITSP podcast - The New Factor. You can access the podcast here.
In the past, I have seen several attempts at quantifying IT risk from low-level technical data, but they were often too complex, too manual, or not actionable enough. How useful is it to know that my risk is "high" when I have no immediate intelligence to determine how to reduce and mitigate that risk?
As an industry, we are left with either assessment capabilities on a specific technical level with a myopic view (think vulnerability assessment), or GRC-like dashboards that enable high-level risk assessment but lack direct connections to technical remediation. Heck, many of us don't even know why we buy certain security products - we can't tell, from a programmatic standpoint, how much an Endpoint Detection and Response (EDR) capability helps with our overall security posture. We know it helps, but how much, and is that the most effective place for me to invest? If we can't answer these questions, how can we stand in front of the board and argue for the effectiveness of our security programs?
We can't continue to operate this way - we are hitting a wall fast and furious.
We need something that can be dropped into the environment, gathers the necessary data, automatically assesses risk, and helps IT security determine what to do next to get the best bang for the buck. And we need this process to repeat on demand or run continuously, without security being burdened with managing its operation.
I can tell you that I don't mean SIEM. It is clear that, after many years of SIEM evolution, log-only views are simply not sufficient. We need logs, payload, content, identity, context, and threat intelligence, all rolled into one place to produce true intelligence. Not information, but intelligence.
It looks to me that Balbix has built something along those lines. Some of the use cases I see for Balbix's system are:
- Risk assessment - today they are focused on breach risks
- Prioritization of security investment - the ability to play "what-if" scenarios is really interesting
- Visibility of gaps and flaws - the product maps who is talking to whom, and in doing so it often surfaces control gaps and system flaws beyond basic vulnerabilities.
- Assess security product effectiveness - understand how effective certain technical solutions are, assessed in the overall risk context of the environment.
As an industry observer and independent analyst, I usually don't endorse specific vendor offerings. I should also say that I don't know if Balbix's system can work as it claims in a large, complex environment; I have not seen it in action. But because of its potential impact on the industry, I think anyone who is interested in the programmatic management of security operations ought to take a look at this. And when you do, please let me know what you think, especially where the solution works and where it might not.
(The author is not affiliated with Balbix)
Head and Director of Security at AutoX (7y)
Interesting stuff. It should be interesting to compare with its open-source counterpart MulVAL (https://www.arguslab.org/mulval.html), initiated by Dr. Simon Ou more than 10 years ago.

Chenxi Wang, author (7y)
Su Zhang, MulVAL may have the logic, but my experience with open-source capabilities is that they lack the visual component and the management capability to make it enterprise friendly.