Once the need for a patch is determined, 34 percent of respondents indicated it takes between one day and one week to implement them while 29 percent of respondents need between a week and a month. 23 percent say they are able to implement patches within 24 hours while 13 percent of respondents indicated that they do not know how long their patch implementation takes. The survey, conducted during a November 2006 RedSeal Webinar, sought to learn more about how enterprises address fundamental security efforts like patching and more proactive practices like vulnerability scanning. When asked about their approach to vulnerability scanning, the majority of respondents seem to have adopted an "all or nothing" approach. 34 percent currently do not use vulnerability assessment scanning, while 34 percent scan most of their networks with 22 percent scanning critical network segments only. Some 8 percent scan only the DMZ. In sum, 65 percent of networks scan have some type of proactive scanning in place, but the other 35 percent have no sense of the vulnerabilities on their networks whatsoever. "Recently, hackers have considerably shortened the time it takes to develop an exploit for new vulnerabilities, forcing security pros to both test and implement patches immediately," said Brian Laing, chief security officer at RedSeal Systems. "Though patching as fast as they can, these survey results show that security teams may not be keeping pace with hackers. This makes it necessary to offset patching latency periods by understanding and restricting network access to limit the attack surface area." The survey also looked at the difficulty of auditing firewalls and filtering devices with 40 percent of respondents indicating they find auditing "somewhat difficult" because of the diversity of devices spread across different groups. 25 percent have dedicated staff for this purpose, making audits "somewhat easy." 22 percent do not audit, while 5 percent find it either "very easy" or "difficult" due to excessive complexity. The RedSeal SRM 3000 is designed to assist this complex task. The technology creates a single network security risk and threat picture from many types of configuration data inputs, including firewalls, routers, vulnerability assessment scanners and patch management systems. The SRM 3000 is powered by RedSeal's Adaptive Risk Analysis (ARA™) engine that models and analyzes the configurations of complex networks and hosts, clearly identifying security risk "hot spots."

RedSeal's SRM gathers and analyzes network configuration information in order to create a unified picture of the network topology which clearly pinpoints the areas of security exposure. The output is an intuitive graphical prioritization of risk mitigation across those security devices and critical assets. With its newest product release, RedSeal enables enterprises and consultants of all sizes to conduct thorough security audits in minutes, giving users a more efficient solution to correct and improve the network's overall security posture. New functionality includes:

• Single Click Risk Map Queries - The results of SRM's security audit are presented as a map of risk hot spots which can be queried to show which servers are most at risk, where mitigation efforts should focus, and even where to place additional vulnerability assessment scanners. Users can navigate and filter the map at will to see details on specific areas of the network or simply click on a built-in query to automatically populate the map with the requested information.
• Risk Dashboards - Additional reporting functionality now provides multiple at-a-glance dashboards of risk and exposure metrics for subnets, device groups and hosts. These key metrics show how security is trending and give network administrators and managers visibility on the speed and effectiveness of mitigation efforts.
• Expanded technology support - RedSeal has expanded support for market leading products and technologies which now include firewalls, routers, vulnerability assessment scanners, patch management systems, and network diagram software from Check Point Software Technologies, Cisco Systems, Juniper Networks, Qualys, McAfee, PatchLink Corporation, and Microsoft among others. Through broad infrastructure support, RedSeal is able to bring security risk management to all environments regardless of what technology is in place.

"Our need for a system to help us plan and verify network configurations led us to RedSeal Systems," said Shane Milam from Mercer University. "The SRM system will let us audit network configurations as often as we wish so that we can deal with security issues proactively." "This set of enhancements represents the feedback and direction from our customers, and executes on our broad company commitment to bring ease of use to security risk management for all enterprises," said Joel Evanier, president and CEO of RedSeal Systems. The newest release for RedSeal's SRM 3000 appliance is available today for all current and new customers. The SRM 3000 appliance is priced by the number of security devices to be analyzed. In addition to outright purchase, customers may optionally enroll in a subscription program for a monthly use fee.

The integration of the two products will allow RedSeal to retrieve Check Point VPN-1 data via the Check Point Policy Management Interface (CPMI). Check Point's VPN-1 configurations are a crucial source of information for RedSeal's network topology modeling and network traffic flow analysis. Check Point's SmartCenter management console provides the SRM 3000 with configuration data such as interfaces, network objects, filtering rules, network address translation rules and service objects. RedSeal's SRM analyzes this data to create a unified picture of the network indicating areas in need of immediate risk mitigation. "RedSeal enables organizations to practice proactive security, giving them visibility and actionable information about their heterogeneous network infrastructures," said Joel Evanier, chief executive officer of RedSeal Systems. "This OPSEC certification guarantees that our customers get deep integration with Check Point, one of the undisputed leaders in the security marketplace." Recognized worldwide as the standard for interoperability, Check Point's OPSEC certification will ensure that its customers are offered "best-of-breed" solutions built on the most comprehensive security architecture with appliances like RedSeal's SRM 3000. "OPSEC certification with RedSeal ensures our customers receive seamless integration and interoperability between our products," said Amir Ben-Efraim, Head of Business Development, Check Point Software Technologies. Through the integration of the RedSeal Security Risk Manager and Check Point VPN-1 Power, our joint customers will benefit from comprehensive network security audits, guaranteeing even greater network security." The SRM 3000 creates a singular network security risk and threat picture from many types of configuration data inputs, including firewalls, routers, vulnerability assessment scanners and patch management systems. The SRM 3000 is powered by RedSeal's Adaptive Risk Analysis (ARA^™) engine that models and analyzes the configurations of complex networks and hosts, clearly identifying security risk "hot spots." About Check Point's OPSEC^® OPSEC (Open Platform for Security) is the industry's open, multi-vendor security framework. With over 350 partners, OPSEC guarantees customers the broadest choice of best-of-breed integrated applications and deployment platforms that support Check Point's Secure Virtual Network Architecture. Products that carry the OPSEC Certified seal have been tested to guarantee integration and interoperability. For complete OPSEC Alliance program information, including partner and product listings, the freely available OPSEC SDK (software development kit) and evaluation versions of OPSEC Certified products, visit www.opsec.com.

Steve Garritano and the RedSeal Systems engineering team set out to build an application that could holistically visualize and measure security risk across an entire network independently of installed technologies. The resulting work by this RedSeal team is the Security Risk Management 3000 (SRM 3000) application which provides unified insight into network security and its effectiveness by measuring security and business risk, pinpointing threats and exposures and giving actionable information to proactively improve a network's security posture. "This award is testament to the hard work our team has put in to make security risk management attainable for all enterprises," said Steve Garritano, vice president of engineering at RedSeal Systems. "With RedSeal's innovation in the SRM 3000, companies can now clearly visualize the state of their IT security and proactively utilize their resources to make their networks safer." The SRM 3000 is the only security risk application that includes a unique set of analytics algorithms that comprise Adaptive Risk Analysis (ARA^™), a body of mathematics, security and development work. RedSeal's SRM 3000 is the only security management product to illustrate risk exposure and prioritize remediation, needing only a subset of router and firewall data to get started. This makes the application unique among security risk management approaches in that it is pragmatically deployable with no prerequisites for technologies or services. To read more about Steve Garritano's team's contribution, please visit: www.infosecurityproductsguide.com/people/SteveGarritano.html. "Behind every successful security vendor there is one thing in common, a dedicated team of great people," said Rick Justice, chief technology editor with Info Security Products Guide. "We are proud to honor Steve Garritano and his team with this year's Shaping Info Security 2006 award to acknowledge their positive contribution to the industry and the users of security products and services all over the world." RedSeal's open framework is vendor-agnostic, working with all existing security products regardless of vendor or technology type. Moreover, RedSeal's Adaptive Risk Analysis (ARA^™) technology allows for adaptive security risk management enabling organizations to see results with available network security data, frequently just router and firewall information. SRM 3000 is available now and it is sized by the number of security devices in the network with entry level pricing starting at $25K. The SRM 3000 is also available on a monthly subscription basis. About Silicon Valley Communications Awards Info Security Products Guide, published by Silicon Valley Communications, plays a vital role in keeping end-users informed of the choices they can make when it comes to protecting their digital resources. It is written expressly for those who are adamant on staying informed of security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow's technology today, best deployment scenarios, people and technologies shaping info security and independent product evaluations that facilitate in making the most pertinent security decisions. The Info Security Products Guide Awards recognize and honor excellence in all areas of information security. To learn more, visit www.infosecurityproductsguide.com and stay secured.

The combined offering gives enterprises the ability to model the network topology, determine what vulnerabilities are present on their network, and understand which vulnerable systems can actually be accessed based upon the network traffic filtering policies. All of this information is used to ultimately measure risk for asset groups and prioritize remediation. RedSeal Systems is offering the Security Risk Manager (SRM) 3000 appliance at a promotional price that includes a complimentary trial of QualysGuard^® Enterprise for a 90 day period. "Customers want a solution that correlates vulnerability data with network access information in order to prioritize patching and mitigation activities," said Philippe Courtot chairman and CEO of Qualys, Inc. "RedSeal visualization capabilities combined with the Qualys platform provides organizations with proactive risk intelligence in a package that is accurate, simple to deploy and easy to use." "We are pleased to see these two providers of proactive security come together in what is a natural technology partnership," said Brad Robinson, Security Manager, Postini Inc. "The merging of Qualys' results with RedSeal's appliance makes high priority risk information quick and easy to identify, significantly reducing our time to remediation. It allows our security team to focus on keeping our systems as secure as they can be." The SRM 3000 provides a visualization of network risk and threat traversal by analyzing the configuration data of firewalls and routers as well as the detailed information provided by QualysGuard^®. The output is a RiskMap^™ or graphical display of network areas and key business assets that are at risk from threats. By navigating the RiskMap^™, users see a consolidated view of network security exposure and can track the progress of remediation efforts through the SRM's detailed out of box reports. "Security risk management is quickly becoming an imperative for enterprises of all sizes and vulnerability scanning is a key input to that process," said Joel Evanier, president and CEO of RedSeal Systems. "Our Qualys-based offering dramatically lowers the barriers to deployment while providing all of the components required for comprehensive security risk management." Pricing & Availability The RedSeal-Qualys SRM bundle is available today. Subscription service pricing begins at $5,000 for the first 90 days and includes the SRM 3000 appliance and support as well as the complimentary ninety-day QualysGuard^® Enterprise trial subscription. About Qualys Qualys, Inc., the leader in on demand vulnerability management and policy compliance serves more than 2,200 enterprise subscribers around the world including 200 of the Forbes Global 2000. QualysGuard Software as a Service (SaaS) solutions help security managers effectively strengthen the security of their networks, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys' cost effective on demand technology requires no capital outlay, infrastructure or maintenance and can be deployed in a matter of hours anywhere in the world. Qualys global customers include AXA, DuPont, eBay, ICI Ltd, Kaiser Permanente, Novartis, Oracle and many others. Qualys is headquartered in Redwood Shores, California, with business units in Europe and Asia. For more information, please visit www.qualys.com.

"RedSeal's core aim is to earn SRM market leadership by delivering accurate, high value information quickly with a package that is easy to acquire, deploy and use," said Joel Evanier, President and CEO of RedSeal Systems. "To that end, our newest offering addresses the requirements of those customers who need alternatives to purchasing in order to implement risk management expediently with minimal upfront costs." RedSeal's SRM 3000 is a proactive security management system that creates a unified picture of the network and the areas of security risk. It does so by analyzing the configuration data of security devices like firewalls, routers, vulnerability assessment scanners and patch management systems among others. The output is an intuitive and navigable graphical display of those network areas in need of immediate risk mitigation. The SRM 3000's actionable reports also provide a compliance and audit trail of the network's security posture. The SRM 3000 is distinguished by the Adaptive Risk Analysis (ARA™) engine that adjusts the analysis granularity based on the data which is available in the customer network. The end result is a proactive security system which is adaptable to an environment independently of the network's size, complexity or installed technology. Combined with cost-efficient sourcing options and a hardened, third party tested appliance, RedSeal's SRM is the industry's most comprehensive system for security risk management. The RedSeal Subscription offering is available today. Pricing for up to 50 security devices (i.e. firewalls and routers) is $5,000 for the first ninety days and $2,500 per month thereafter with no term commitment. Customers may optionally purchase the SRM 3000 appliance for $25,000 plus annual maintenance for up to 50 network security devices. RedSeal also offers subscription and purchase options for larger networks as well as migration paths between pricing segments.

This prestigious award recognizes security vendors with advanced network security solutions that are helping set the bar higher for others in all areas of information security. RedSeal's ARA technology was selected by the editors of Info Security Products Guide based on an assessment of technologies that are making the most positive impact on security given today's highly sophisticated and blended attacks. Adaptive Risk Analysis is at the core of RedSeal's SRM 3000 security risk management appliance. This breakthrough technology generates a composite view of security risk across a network starting with a subset of information like router and firewall data. ARA provides an easy-to-use path for adding more data sources such as application flow data, patch history, and vulnerability scans to further strengthen the composite network security risk view. ARA can compensate for areas of the network where little information is available by using sophisticated computations to accurately infer missing network data. RedSeal's SRM technology gives enterprises of any size a never before seen view of their infrastructure — a visualization of security risk exposure and guidance on where and how to remediate. To read more about this winning technology, please visit: http://www.infosecurityproductsguide.com/technology/AdaptiveRiskAnalysisARA.html. "We are very pleased with Info Security Products Guide's recognition of our ARA technology, acknowledging our hard work in making security risk management practical for all enterprises," said Joel Evanier, President and CEO of RedSeal Systems. "Technologies like ARA deliver on the promise of proactive security without restrictions based on company size and deployed technology." RedSeal Systems' Security Risk Management 3000 (SRM 3000) provides unified insight into network security and its effectiveness by measuring exposure and business risk, pinpointing threats and giving actionable information to proactively improve the network's security posture. RedSeal's open framework is vendor-agnostic: it works with existing security products regardless of vendor or technology type. Moreover, RedSeal's Adaptive Risk Analysis (ARA^™) allows organizations to see results quickly, frequently within minutes of analyzing network security configuration data. SRM 3000 is available now and it is sized by the number of security devices in the network with entry level pricing starting at $25K for outright purchase or available as a monthly subscription. About Silicon Valley Communications Awards Info Security Products Guide, published by Silicon Valley Communications, plays a vital role in keeping end-users informed of the choices they can make when it comes to protecting their digital resources. It is written expressly for those who are adamant on staying informed of security threats and the preventive measure they can take. You will discover a wealth of information in this guide including tomorrow's technology today, best deployment scenarios, people and technologies shaping info security and independent product evaluations that facilitate in making the most pertinent security decisions. The Info Security Products Guide Awards recognize and honor excellence in all areas of information security based upon the highest customer trust and satisfaction. To learn more, visit http://www.infosecurityproductsguide.com and stay secured.

"Our global datacenters meet the most stringent certifications for security and redundancy which means that all network configurations must be closely monitored for errors and resiliency to new threats," said Brad Robinson, IT security manager at Postini. "RedSeal helps us prevent exposure by conducting thorough triage of our firewall configurations when changes are made and by daily auditing of our network's security posture. This helps us mitigate risk and ensures that no security incident occurs." The SRM 3000 is powered by RedSeal's Adaptive Risk Analysis (ARA^™) engine that models and analyzes the configurations of complex networks and hosts, clearly identifying security risk "hot spots." A key output of the SRM 3000 is RiskMap^™, a visual layout of network areas and key business assets that are at risk. By navigating the RiskMap, users can see the best places to eliminate network security risk exposure. RedSeal provides end-users with information on how a threat might traverse the network, as well as options for remediation and reports on the risk posture of key business resources. The SRM 3000 creates a singular network risk and threat picture from many types of configuration data which it takes as inputs including firewalls, routers, vulnerability assessment scanners and patch management systems. RedSeal's open and highly extensible product framework allows the company to add new device and technology types quickly, often out of band of scheduled release cycles in as little as a few weeks. "All enterprises want to make sound security decisions that optimize the network's defenses before the next attack," said Joel Evanier, RedSeal's president and chief executive officer. "We focus on providing accurate intelligence in an intuitive way that makes it easy to deploy and use SRM, and brings the benefits of proactive security to enterprises." Pricing & Availability Sold directly and through select partners, RedSeal's SRM-3000 hardened appliance is available now. Pricing starts at $25,000 and is based on the number of network security devices analyzed. About Postini Postini is the global leader in Integrated Message Management, providing compliance, security, availability, and visibility solutions for corporate email, instant messaging and web. Postini offers a complete suite of services including archiving, spam and virus blocking, content control, encryption, and business continuity. The company's powerful managed services infrastructure seamlessly integrates with customers' environment, providing uncompromising security for more companies than any other provider in the world. Postini's services protect organizations from a wide range of threats, reduce compliance and legal risks, ensure reliable communications, and enable the intelligent management and enforcement of enterprise policies that protect companies' intellectual property, reputations and business relationships. For more information please contact Postini at info@postini.com or visit http://www.postini.com.

Led by chief executive officer Joel Evanier, RedSeal's executive management team includes recognized networking, security and application luminaries from Cisco, Bell Labs, ISS, Sun Microsystems, Check Point Software and Juniper. To build its system, RedSeal secured more than $14 million in Series A financing from leading security investment venture capital firms Venrock Associates, Sutter Hill Ventures and Leapfrog Ventures. "RedSeal has registered an extraordinary achievement in converting best practices theory into a manageable business process," said Ray Rothrock, managing general partner, Venrock Associates. "Joel and the RedSeal team have applied experience and thorough market research to meeting a true challenge for any IT professional: measuring security." With today's launch, RedSeal is offering organizations of all sizes a practical, easily-deployed way to quantify network security, giving IT operations personnel, compliance managers, CIOs and CSOs a unified way to visualize security and risk. At the system's core is RedSeal's Adaptive Risk Analysis (ARA^™) engine that models and analyzes the configurations of complex networks, clearly identifying risk "hot spots." RedSeal's unique ARA^™ architecture enables IT organizations to see dramatically faster results in return for minimum up-front effort. "Any organization with more than ten firewalls and routers in place can derive near immediate benefits from deploying RedSeal's SRM solution," said Joel Evanier, chief executive officer for RedSeal. "We are pleased to announce our uniquely easy-to-use approach to risk quantification. With world-class expertise and the confident enthusiasm of our investors, we are excited to meet the security risk management needs of our customers in this rapidly growing market segment." RedSeal's SRM is designed with functional roles in mind, allowing users to quickly locate network areas and key business assets that are the targets of threats and get precise guidance on the best places to preempt exposure. The risk metrics and remediation information from RedSeal can be used daily to maintain security at desired levels, while the system's reporting and auditing capabilities allow for tracking security efficiency over time, thereby helping guide compliance efforts and future technology investment. "Effective enterprise security management requires metrics to track key indicators of security processes and deployed technologies," said Andrew Jaquith, senior analyst for the Security Solutions & Services, Yankee Group. "Risk quantification tools can help enterprises measure their relative exposure. To satisfy business imperatives and assist with compliance initiatives, risk quantification tools must help firms identify those risks with the greatest potential impact. They must also fit into existing processes and integrate with the most common third-party technologies." The RedSeal system is being demonstrated for the first time publicly at a corporate launch event at the Burton Group Catalyst Conference in San Francisco on the evening of June 15.

RedSeal's SRM 3000 is the first security management product to illustrate risk exposure and prioritize remediation using Adaptive Risk Analysis (ARA™). This breakthrough technology generates initial actionable results even with a subset of router and firewall data, and then provides an easy-to-use path for adding more information on the as-built security posture of the environment. The additional information can include application flow data, patch history, and vulnerability scans. RedSeal gives enterprises of any size a never before seen view of their infrastructure — a visualization of risk exposure and concise guidance on where and when to remediate. "A typical network and security environment comprises many layers of technology, so maintaining your security posture through threat outbreaks and changes is often complicated when imposed with strict compliance standards," said Ken Pfeil, Coauthor of "Network Security Assessment — From Vulnerability to Patch". "Of the solutions I have evaluated, the RedSeal SRM solution has been unique in automating both network configuration checking, as well as threat mitigation. Within a network, RedSeal can help prioritize where to patch and block and gives the necessary documentation needed as record of your security profile." RedSeal has taken an open, vendor-agnostic approach to SRM, allowing it to be easily adapted to almost any customer environment regardless of installed technology. It provides organizations of all sizes with a practical, easy to implement way of quantifying network security. RedSeal's SRM 3000 analyzes and models complex networks and hosts to give actionable information for mitigating exposure of high-valued business assets, in most cases within minutes. Additionally, it tracks the security posture of the network over time, providing a thorough audit trail of security performance. "Managing risk and complexity in large, networked security infrastructure is very difficult. One powerful approach to address this problem is the use of visualization," said Trent Henry, senior security analyst at Burton Group. "By gathering data from disparate architecture components and creating visual processes, dependencies and risk analyses, security teams and network operations groups can better predict and manage their IT infrastructure and trends that impact the business." At the system's core is RedSeal's Adaptive Risk Analysis (ARA^™) engine that models and analyzes the configurations of complex networks and hosts, clearly identifying risk "hot spots." Displaying the ARA engine's modeling and analysis is RedSeal's unique RiskMap^™ visual layout, designed with functional roles in mind, allowing users to quickly locate their network areas and key business assets that are the targets of threats and get precise guidance on the best places to eliminate exposure. The risk metrics and remediation information from RedSeal can be used daily to maintain security at optimal levels, while the system's reporting and auditing capabilities allow for tracking security efficiency thereby helping guide compliance efforts and future technology investment. "RedSeal's solution is distinguished by its ease of deployment and use, yielding value in minutes," said Joel Evanier, RedSeal's chief executive officer. "We are very proud to introduce a significant evolution in this rapidly emerging product category and our innovations in risk computation remove technology prerequisites to deployment and allow us to bring SRM to every organization that is using firewalls and routers." Key features and capabilities of RedSeal's SRM include: • Risk quantification — measures the network's risk posture based on calculation of the exposure and value of business assets. RedSeal's unique approach employs Adaptive Risk Analysis, a method by which the granularity of the output adjusts based on the amount of input to the system. • Proactive mitigation — compiles prioritized listing of vulnerabilities and misconfigurations to indicate where to remediate first to gain the greatest reduction in risk. • Threat analysis — displays graphically, one breach at a time, the multi-step path an exploit may take in penetrating critical business resources. The threat map is based on the traffic analysis, any host patch & vulnerability data, and RedSeal's own knowledge base of vulnerabilities and impacts. • Network configuration checking — verifies that the configuration details on devices such as routers and firewalls do not have unintended consequences, such as inadvertently allowing too much access, along with highlighting best practices. • Traffic flow analysis — computes the real-world permitted traffic which can be compared to security policy requirements to quickly identify and pinpoint important infrastructure discrepancies that affect security and availability of key services. • Actionable trending and reporting — summarizes the network's security posture over days, weeks, or months. Trending data is grouped to highlight vulnerabilities, changes in risk, and the security posture of important devices and groups (i.e. SOX Servers). The RedSeal system is being demonstrated for the first time publicly at a corporate launch event at the Burton Group Catalyst Conference in San Francisco on the evening of June 15. Pricing & Availability: Sold directly and through select partners, RedSeal's SRM 3000 is currently available for beta testing and will be generally available on July 31. Pricing starts at $50,000 and is based on the number of network devices.

The patent, U.S. Patent number 7,003,562, issued on February 21, 2006, covers, among other things, RedSeal's technology for correlating network device configurations with application, security, and corporate policies. Users of RedSeal's Security Risk Manager (SRM)™ will be able to quickly identify and pinpoint important infrastructure discrepancies that affect the security and availability of their business. "Policy-based analysis of network configuration is an important part of measuring security effectiveness. Since 2001, when RedSeal Systems invented our method for identifying policy deviations, we knew that this technology would change the way that people think of risk management and its value," said Joel Evanier, CEO of RedSeal Systems, Inc. "Some security vendors tout similar approaches to network analysis, and our collective efforts have validated the technology and driven the creation of a widely acknowledged new category within the security management market, IT security risk management." About RedSeal Systems RedSeal Systems develops enterprise security software that streamlines and automates the security management lifecycle. Red Seal's solutions enable companies to quantify overall security, assess critical areas of risk, and validate that their security infrastructure successfully stops attacks. With RedSeal, enterprises can measure and reduce security risks, increase responsiveness to business demands, and reduce operational costs.