The emergence of the cyber risk assessment space marks a strategic shift in how enterprises handle digital threats, from traditional, ineffective security-centric approaches to blended frameworks that combine layered security and risk management. Let's see how Cavirin and RiskRecon stack up when it comes to measuring enterprise cyber risk.
Data breaches are continually on the rise and won't be letting up any time soon, especially with digital transformation in the works across the globe. And despite a marked rise in enterprise cybersecurity spending year-on-year, security incidents continue to increase in volume and severity.
In order to capitalize on technology's benefits, enterprises must maintain a healthy, albeit grounded appetite for technological risk—without endangering the livelihood of the business. Solutions like Cavirin ARAP and RiskRecon enable enterprises to ascertain the impact existing IT assets and/or third party vendors have on their cyber risk postures.
Founded in 2012, Santa Clara-based Cavirin Systems offers risk analysis and assessment through its Automated Risk Assessment Platform (ARAP) and Pulsar, its elastic security platform. Its solutions provide risk assessment and policy compliance monitoring/reporting services for on-premise, cloud, and containerized infrastructures.
The Cavirin UI. Source: cavirin.com.
Among others, a feature worth noting is ARAP's Docker support: the platform provides an integrated, menu-driven tool for ensuring that Docker containers are in line with CIS Docker v1.11.0 benchmarks.
You may recall last year's Australian Red Cross and Michael Page/Capgemini data breaches and 2015's CVS/Costco/PNI Photo hack, all security fiascos resulting from third party security failures. RiskRecon emerged out of stealth mode last year with its solution for helping firms avoid these incidents, specifically—with its SaaS platform for assessing third party cyber risk.
The RiskRecon UI. Source: riskrecon.com.
The platform enables enterprises to build a portfolio of third party vendors and partners to monitor/track; assessments are based on external data like website perimeter security, DNS security, and email security, among others.
Side-by-Side Scoring: Cavirin vs. RiskRecon
1. Capability Set
Cavirin ARAP provides continuous monitoring and automated assessment and reporting for both cloud and on-premise IT infrastructures. In contrast, RiskRecon is fairly limited in scope—the solution only measures third party risk based on external data sources.
2. Usability / Learning Curve
Both platforms are trivial to get up to speed with, featuring modern web-based interfaces and sensibly laid out menus and visual controls. Cavirin in particular provides a range of features designed for simplicity, including one-button assessments and easy-to-configure/run compliance report cards.
3. Community Support
As relatively new, specialized enterprise security offerings, neither Cavirin or RiskRecon have much to offer in terms of community support. That said, Cavirin's public support resources are more plentiful than RiskRecon's—in fact, the latter does not provide any support resources via its website.
4. Release Rate
Currently on version 8.4.2, Cavirin has seen regular releases over the years since its initial release back in 2012; in contrast, RiskRecon—having debuted in 2016—has a limited release history.
5. Pricing and Support
Cavirin's pricing model varies depending on deployment architecture and infrastructure size—for example, its AWS virtual appliance costs $495/month for a subscription on top of metered pricing per instance.
RiskRecon's pricing is not publicly available; similarly, support resources are noticably absent from its website. In contrast, Cavirin provides a decent corpus of public support materials as well as an online help desk/knowledgbase and support portal (password protected).
6. API and Extensibility
Cavirin's ARAP does not come with a REST API, though it does provide an SDK for its Scripted Policy Framework. That said, the company's forthcoming Pulsar platform does leverage a RESTful API architecture. RiskRecon does not provide any API with its solution.
7. 3rd Party Integrations
Cavirin features integrations with the leading cloud service providers such as AWS, Microsoft Azure, and Google Cloud Platform. Additionally, the platform supports VMware, KVM, and Docker, among others. In contrast, RiskRecon does not have any third party integrations to speak of.
8. Companies that Use It
RiskRecon does not provide a list of its marquee customers on its website, though it claims that the top 500 businesses in the U.S. have signed up as customers. In contrast, Cavirin's customer list includes prominent enterprises such Zephyr Health, Grainger, SCOR, Gainsight, and Jitterbit, to name a few.
9. Predict Capabilities
Cavirin's platform continuously discovers, monitors, and tracks the state of IT assets in the cloud or datacenter, but doesn't provide other critical capabilities like vulnerability testing and security analytics. Again, according Cavirin—these advanced security features will be available in its forthcoming Pulsar solution. RiskRecon's coverage is even more limited in scope, focusing only on third party vendor risk assessment.
Cavirin's 532 CSTAR score is a reflection of numerous website perimeter security flaws: server information leakage, lack of HTTP strict transport security, missing secure cookies, lack of DMARC/DNSSEC, and database ports open to the public. RiskRecon's 561 CSTAR score is better, but still suffers due to numerous security flaws like lack of sitewide SSL, missing HTTP strict transport security, and disabled DMARC/DNSSEC.
Scoreboard and Summary
|Usability / Learning Curve|
|Pricing and Support|
|API and Extensibility|
|3rd Party Integrations|
|Companies that Use It|
|Total||3.9 out of 5||2.3 out of 5|
Cyber risk is multi-faceted and the two solutions in this comparison focus on different measures of it: RiskRecon only gauges digital risk as it pertains to the firm's digital supply chain, while Cavirin focuses on the state of internal IT assets in the cloud or on-premise. If you're looking for a solution designed solely for assessing third party risk, RiskRecon is a safe bet—otherwise, Cavirin provides more granular, comprehensive risk assessments based on the infrastructure's internal state, though it leaves out external risk factors that may impact the enterprise's security posture.
Monitoring tools have come a long way since the early days of Big Brother. Today's solutions have evolved into powerful software troubleshooting and performance analytics platforms capable of deconstructing and analyzing the entire application stack—infrastructure up—for bugs and issues.
As perimeter-based cyber protection falls to the wayside, a new breed of continuous security solutions are emerging that combine traditional endpoint protection with newer technologies like security information and event management (SIEM) and crowdsourced threat intelligence.