Using Prevari metrics, executives, security experts, auditors, operators and owners all have a common understanding of the risks to information - an understanding that is expressed in quantitative, objective, repeatable and defensible metrics. These metrics provide a common language for framing risk.

Using risk-focused system baselines, the impact of drift from the original configuration is simple to detect, isolate, and either remediate or accept. The Prevari capability enables organizations to use the same risk measurement methodology and scale for assessing all their systems, thereby minimizing individual analyst bias. Prevari's capability to simulate alternate future states makes it possible to compare different controls, or combinations of controls, and select the most cost-effective set to meet the systems’ objectives.

Prevari calculates on data organizations already collect, so the incremental procedural cost of Prevari metrics is nominal. Because Prevari's products are vendor-neutral and product-neutral, the investment in risk analysis and risk scoring is preserved as sensors, scanners and tools are added or replaced in the operational computing environment.

Analytics

Prevari analytics include capabilities for comparisons and for drag-and-drop simulations. The analytics interface provides more than one hundred graphs, charts, lists and detailed information dialogs. A robust reporting facility enables creation of custom reporting templates and data export to spreadsheets. The underlying database is also open for analysis by business intelligence tools. Prevari analytics enable you to answer your questions about risk to information:

  • Precisely how secure is my organization?
  • How have my risks to information changed over time?
  • How will the planned new system impact my risk?
  • How risky is this acquisition candidate compared to my existing organization?
  • How do I spend my limited security/compliance budget for maximum risk reduction?

Calculations

Prevari calculations begin by factoring information at the lowest practical level of software and network services, then aggregate up to the host, enclave, subnet and network levels. Using the same calculation approach at all layers of your infrastructure enables the consistency and comparability that will establish Prevari risk indices as your common language. Prevari's risk indices for Confidentiality, Integrity, Availability and Audit enable staff and management from Business Units, Security, Operations, Compliance and Audit to develop a single harmonized understanding of the risks to information and the controls that reduce that risk.

Prevari's Information Risk Knowledge-base (IRK) stores the weighted rankings of the characteristics of over twelve thousand commonly deployed network services, the weighted rankings of the most commonly deployed technology controls, and the weighted rankings for over two thousand administrative compliance controls as defined by Network Frontiers' Unified Compliance Framework (UCF). The IRK is also an open platform to which vendors, customers, and users of the system can add services, controls, and applications using the TRM-defined and patented calculation process (US Patent 7,900,259).

Prevari's risk calculation engine consumes risk-relevant data describing the subject system and calculates risk indices for Confidentiality, Integrity, Availability and Accountability (CIAA) that indicate probability of compromise. CIAA risk indices are presented on a scale of zero to one hundred: zero indicates no risk and one hundred indicates compromise. Both are practical impossibilities for statistical analysis, but they do provide meaningful endpoints to the risk scale. Risk-relevant data includes port, service and vulnerability data from SCAP-compliant scanners, XCCDF data describing OS configuration (again from SCAP-compliant scanners), and compliance information loaded either automatically or through a graphical user interface. The risk calculation engine consumes this risk-relevant information and then operates on values in the IRK to calculate risk indices and variances for CIAA.