A UK firm, QCC, has launched an incident management system which helps companies respond to breaches and report them accurately - filling a worrying gap in the IT security world.
"It's been pretty lame of the security industry not to handle reporting well," said Neil Hare-Brown, chief executive officer of QCC. "Most organisations use proprietary in-house systems," he said. Many organisations - including one security firm monitoring 5000 incidents a month - are simply based on spreadsheets, which are likely to give data which may be false, unreliable, and inadmissible in court.
The field is not overloaded with products, although the NetIQ security compliance suite and Symantec's Security Information Manager manage incident reports.
QCC's Blackthorn helps companies manage and report security incidents. When one occurs, a new incident is logged in a secure database that is one-way (write only) so it can be used to provide an audit trail for legal and regulatory purposes. It also links to email and other applications, so that workflow can ensure that security policies are carried out properly.
The database, originally called SID (security incident database), was written for a forensics laboratory, but has been extended for general use. Incidents, including virus outbreaks, DoS attacks, lost laptops and computer misuse, as well as non-IT events such as break-ins, are each given a custom template.
The system can be configured to raise incidents when it receives alerts from security systems such as firewalls.
Among the benefits is accurate accounting of the costs incurred by an incident - which can be easily retrieved and analysed at a later date.
The system can also be used for risk assessment - and the statistics it gathers can be used to refine the estimated risk with actual live data: "Operational risk analysis rarely takes account of measured risk - we're making operational risk assessment real-time," said Hare-Brown.
The system could be used for non-IT environments, says Hare-Brown, including systems for monitoring outbreaks of an illness.
It costs £15,000 for the basic system, with £8,000 for modules, which upgrade it to cover tasks such as risk assessment, and to add functions such as encrypting the database so that IT staff can reconfigure the system without reading what it is holding about their own activities.
There is also a workflow licence of £300 for every user receiving actions from the system in the form of emails.
So far QCC has around 18 clients for Blackthorn, including the Ministry of Defence, Swift and services company CSC.