Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

10/10/2013
08:44 PM
50%
50%

Security Ratings Proliferate As Firms Seek Better Intel

Scoring services seek to measure the security of almost every step of the business supply chain, from suppliers and transactions to applications and services

Wondering whether a mobile app is safe? There's a score for that. What about whether a business partner takes security seriously? There's a score for that, too.

A wave of companies have launched services aimed at giving their customers a better understanding of the risks associated with different components of the business supply chain, from transactions to applications and from cloud services to partners. ThreatMetrix, for example, uses information gleaned from visitors to its customers' websites to place a risk score on transactions that can be used to decide whether a transaction is fraudulent. Startup BitSight mines public security data -- such as blacklists, fast-flux domain lists, and other indicators of compromise -- to assign a rating to its clients' partners.

The push to rate the security of each component of a business promises to give executives and managers more information with which to make decisions, says Sonali Shah, vice president of products for BitSight.

"We are bringing science to the management of security," she says. "The idea is to allow the chief information security officers to go into meetings with businesses and present data used around their decisions."

Security-conscious businesses are already moving toward finding better ways to measure the security posture of their own organizations. Some companies have launched big-data analytics projects to crunch security data and find the signs of potential attacks.

Yet information on the security of the supply chain is not as readily available. Large companies routinely require suppliers to fill out assessments for compliance to a variety of regulations, but verifying the partners' assertions can be difficult. In addition, most companies do not have the expertise to vet the security of a mobile application or to gauge the security of a cloud service, so simplifying the process into a single -- or set of -- ratings is important, says Domingo Guerra, co-founder and president of Appthority. The company offers a service for creating mobile-device security policies based on its analysis of the privacy and security attributes of mobile applications.

"Many companies are afraid of what's going on because they don't understand their current exposure or their current risk," he says.

[A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. See Threat-Intel Sharing Services Emerge, But Challenges Remain.]

Security ratings for different aspects of the business also give companies the ability to turn a binary decision -- good or bad -- into a spectrum of risk. Different companies can have different tolerances of risk and may take different actions based on a particular score, says Peter Liske, vice president of product management for ThreatMetrix. The company uses on-the-fly analysis to determine whether a person visiting one of its client's websites is a legitimate customer or trying to conduct fraud. From a computer with a strangely configured browser to a single device logging into different accounts, a variety of anomalies can tip off the service to possible fraud and result in a lower score, but what constitutes an acceptable risk is up to the company, he says. "The reputation and anomaly-checking is not binary, it is more of a percentage game," Liske says. "It comes down to a decision of how much risk do I want to take in regard to fraud versus how much inconvenience do I want to burden my users with?"

Using ratings also allow a CIO or CISO to have more flexible options -- to limit, rather than block, a low-scoring app, says Sanjay Beri, CEO and founder of startup Netskope, which came out of stealth this week. Netskope, and rival SkyHigh Networks, help their customers discover and manage their cloud services and, as part of that, rate cloud services in terms of security and maturity.

"Allowing an app or blocking an app is not the level of control that a CIO needs," he says. Instead, they should be able to allow but limit the data that can be put into the service, or allow but limit the people who can use the service. "We are giving them a scalpel rather than making them use a sledgehammer," he says.

Finally, most companies do not have the time to continuously re-evaluate the security of each component of their businesses, but regularly updating the metrics is important, says Stephen Boyer, co-founder and chief technology officer of BitSight. Having a service that automatically updates the security rating is the best way to catch changes that could impact the security of the business.

"A lot of the techniques are a single point of time, and what people really want is to have good performance over time," he says. "Security needs to be continuously monitored."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15246
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v...
CVE-2020-15247
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permi...
CVE-2020-15248
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the ...
CVE-2020-15249
PUBLISHED: 2020-11-23
October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG ...
CVE-2020-28927
PUBLISHED: 2020-11-23
There is a Stored XSS in Magicpin v2.1 in the User Registration section. Each time an admin visits the manage user section from the admin panel, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.