Analytics // Threat Intelligence
10/10/2013
08:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Security Ratings Proliferate As Firms Seek Better Intel

Scoring services seek to measure the security of almost every step of the business supply chain, from suppliers and transactions to applications and services

Wondering whether a mobile app is safe? There's a score for that. What about whether a business partner takes security seriously? There's a score for that, too.

A wave of companies have launched services aimed at giving their customers a better understanding of the risks associated with different components of the business supply chain, from transactions to applications and from cloud services to partners. ThreatMetrix, for example, uses information gleaned from visitors to its customers' websites to place a risk score on transactions that can be used to decide whether a transaction is fraudulent. Startup BitSight mines public security data -- such as blacklists, fast-flux domain lists, and other indicators of compromise -- to assign a rating to its clients' partners.

The push to rate the security of each component of a business promises to give executives and managers more information with which to make decisions, says Sonali Shah, vice president of products for BitSight.

"We are bringing science to the management of security," she says. "The idea is to allow the chief information security officers to go into meetings with businesses and present data used around their decisions."

Security-conscious businesses are already moving toward finding better ways to measure the security posture of their own organizations. Some companies have launched big-data analytics projects to crunch security data and find the signs of potential attacks.

Yet information on the security of the supply chain is not as readily available. Large companies routinely require suppliers to fill out assessments for compliance to a variety of regulations, but verifying the partners' assertions can be difficult. In addition, most companies do not have the expertise to vet the security of a mobile application or to gauge the security of a cloud service, so simplifying the process into a single -- or set of -- ratings is important, says Domingo Guerra, co-founder and president of Appthority. The company offers a service for creating mobile-device security policies based on its analysis of the privacy and security attributes of mobile applications.

"Many companies are afraid of what's going on because they don't understand their current exposure or their current risk," he says.

[A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. See Threat-Intel Sharing Services Emerge, But Challenges Remain.]

Security ratings for different aspects of the business also give companies the ability to turn a binary decision -- good or bad -- into a spectrum of risk. Different companies can have different tolerances of risk and may take different actions based on a particular score, says Peter Liske, vice president of product management for ThreatMetrix. The company uses on-the-fly analysis to determine whether a person visiting one of its client's websites is a legitimate customer or trying to conduct fraud. From a computer with a strangely configured browser to a single device logging into different accounts, a variety of anomalies can tip off the service to possible fraud and result in a lower score, but what constitutes an acceptable risk is up to the company, he says. "The reputation and anomaly-checking is not binary, it is more of a percentage game," Liske says. "It comes down to a decision of how much risk do I want to take in regard to fraud versus how much inconvenience do I want to burden my users with?"

Using ratings also allow a CIO or CISO to have more flexible options -- to limit, rather than block, a low-scoring app, says Sanjay Beri, CEO and founder of startup Netskope, which came out of stealth this week. Netskope, and rival SkyHigh Networks, help their customers discover and manage their cloud services and, as part of that, rate cloud services in terms of security and maturity.

"Allowing an app or blocking an app is not the level of control that a CIO needs," he says. Instead, they should be able to allow but limit the data that can be put into the service, or allow but limit the people who can use the service. "We are giving them a scalpel rather than making them use a sledgehammer," he says.

Finally, most companies do not have the time to continuously re-evaluate the security of each component of their businesses, but regularly updating the metrics is important, says Stephen Boyer, co-founder and chief technology officer of BitSight. Having a service that automatically updates the security rating is the best way to catch changes that could impact the security of the business.

"A lot of the techniques are a single point of time, and what people really want is to have good performance over time," he says. "Security needs to be continuously monitored."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.