Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/20/2020
10:00 AM
Dr. Tim Junio
Dr. Tim Junio
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Ratings Are a Dangerous Fantasy

They don't predict breaches, and they don't help people make valuable business decisions or make users any safer.

Security professionals don't like security ratings, also known as cybersecurity risk scores. Partly this is because people don't like being criticized. But mostly it's because security ratings don't work, and cannot work as presently conceived and sold. The industry is a marketing facade. Security ratings do not predict breaches, nor do they help people make valuable business decisions or make anyone safer.

Why are security ratings so bad? For starters, the data is terrible. The quality of security ratings is contingent on the quality of the underlying data and the science with which this data is interpreted. Unfortunately, the cybersecurity ratings industry has nowhere close to the depth and breadth of data of other ratings sectors.

Security ratings companies do not have accurate network maps, and ratings are regularly deflated due to misattribution or improper understanding of network configurations. Security ratings companies typically use incomplete third-party data and do not communicate caveats or error estimates to their customers.

By the time you read them, security ratings are already out of date, because the data is not quickly refreshed and refresh timestamps aren't clearly communicated.

Another challenge is that ratings aren't scientific or statistically relevant. Given those problems, vendors committed to a ratings product have no choice but to hack their way to a partial solution. The partial solutions manifest in a subjective weighting of multiple factors that will almost never perfectly align with real security priorities.

Ratings are whatever product managers want them to be, and they are not based on standards or risk science. Ratings also don't make sense for the vast majority of businesses, which are small, third-party-managed, increasingly cloud-hosted networks with a tiny Internet attack surface.

Today's security ratings can't tell us what to care the most (or least) about; the worst cyber incidents are large, unpredictable events like wildfires. That's why these vendors provide subjective ratings, not probabilities.

Because security ratings are unreliable, companies cannot use them to make important business decisions or drive security outcomes.

What Would Be Better Than Ratings?
First, large companies and government agencies can subsidize downstream cybersecurity, using threat intelligence and information sharing programs to benefit small-to-midsize businesses that can't afford full security programs. A key part of such an initiative should include in-sector information exchange; it's probably not a secret which of the vendors that share information have regular technical issues.

Second, risk assessment partnerships can cut across levels of the security stack to correlate data from endpoints, internal network activity, and public Internet data to more comprehensively evaluate the posture of an organization. An accurate shared perspective on the state of cybersecurity requires buy-in from on-premises and network product manufacturers and/or the evaluated organizations themselves.

Why Are Ratings Dangerous?
Ratings companies have distorted reality for the sake of a cheap, nearsighted market advantage. These distortions have the potential to misallocate valuable and scarce resources, like expert labor hours and dollars for technology.

If we really want to make cybersecurity and Internet safety better, then we have to start with a common understanding of the problems, and then build technology and process solutions. Reducing the complexity and nuance of a highly technical practice to a round number or letter grade takes us further away from reality, creating an unwelcome distraction from those of us still living in it.

Related Content:

 

Dr. Tim Junio is the co-founder and CEO of Expanse, a San Francisco-based software company. He has over a decade of experience in cyber operations and large-scale distributed sensing. Prior to co-founding Expanse, he worked at DARPA, RAND Corporation, Office of the Secretary ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Azuratii
50%
50%
Azuratii,
User Rank: Apprentice
3/24/2020 | 10:28:34 AM
Vendor bias?
This post comes across as being written by a tech company CEO with a chip on his shoulder. Assuming that the buyer has done his/her research and understands the data sources and methodologies used by the ratings provider, that should be acceptable. But, that is the same for any purchase. Caveat emptor.
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2005-0394
PUBLISHED: 2021-06-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2007-3733
PUBLISHED: 2021-06-18
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
CVE-2021-21997
PUBLISHED: 2021-06-18
VMware Tools for Windows (11.x.y prior to 11.3.0) contains a denial-of-service vulnerability in the VM3DMP driver. A malicious actor with local user privileges in the Windows guest operating system, where VMware Tools is installed, can trigger a PANIC in the VM3DMP driver leading to a denial-of-serv...
CVE-2021-26834
PUBLISHED: 2021-06-18
A cross-site scripting (XSS) vulnerability exists in Znote 0.5.2. An attacker can insert payloads, and the code execution will happen immediately on markdown view mode.
CVE-2021-26835
PUBLISHED: 2021-06-18
No filtering of cross-site scripting (XSS) payloads in the markdown-editor in Zettlr 1.8.7 allows attackers to perform remote code execution via a crafted file.