Automating technical risk analysis on the network
If this appliance can do all it's purported to do in this CW snippet, I'd like to check one out. Seriously. The product, from RedSeal Systems Inc., is called the SRM 3000 security appliance and runs about $25,000. "...the appliance's software gathers system data from routers, firewalls and servers and then creates graphical risk and threat maps based on parameters such as patch levels, application traffic patterns and access control lists."
Mapping risks to the network manually is a tedious process, even with automated security tools. Once you have gathered data from individual devices and servers, you sit down with a big network map (or create one) and show the risk correlation between devices, and the overall risks to the network from various points.
I have done this many times and it takes a lot of time. If you hire a consultant to do this, which I once was, and they charge you $175/hr (which I once did), you could've bought the appliance, configured it and run it for a lot less money. The other problem with hiring someone from outside to do this for you, especially if it's a manual process, is that the person often leaves with the most valuable information in their own head, even if they do great documentation.
It's the correlation of risks that is important. One risk in and of itself may be deemed acceptable. But several risks coupled together could be deemed completely unacceptable. That is why you have to get the big picture in front of you and take a hard look at it, leaving no stone unturned.
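The correlation step described above can be sketched in a few lines. This is an added example, not code from the post or from the RedSeal product; the device names, flows and the rule that a fully patched device stops a chain are all constructed assumptions.

```python
from collections import deque

# Constructed sample data (not from any real network or product).
# ACL-derived flows: source -> destinations the rules permit.
FLOWS = {
    "internet": ["web01", "mail01"],
    "web01": ["app01"],
    "mail01": ["app01"],
    "app01": ["db01"],
    "kiosk": ["db02"],
}
# Per-device findings, each one rated acceptable when reviewed alone.
MISSING_PATCHES = {"web01", "app01", "db01", "db02"}
SENSITIVE = {"db01", "db02"}


def correlated_paths(entry, flows=FLOWS, unpatched=MISSING_PATCHES,
                     sensitive=SENSITIVE):
    """Return {asset: path} for sensitive assets reachable from `entry`
    through permitted flows where every hop lands on an unpatched device.

    Assumed model: a fully patched device stops the chain.
    """
    paths = {}
    seen = {entry}
    queue = deque([[entry]])
    while queue:
        path = queue.popleft()
        for nxt in flows.get(path[-1], []):
            if nxt in seen or nxt not in unpatched:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in sensitive:
                paths[nxt] = new_path  # first (shortest) chain found
            queue.append(new_path)
    return paths


if __name__ == "__main__":
    for entry in ("internet", "kiosk"):
        for asset, path in correlated_paths(entry).items():
            print(f"{entry}: {asset} exposed via {' -> '.join(path)}")
```

Patching any single device on a reported path removes that path from the output, which gives a quick way to rank remediation work.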



