Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/20/2020
10:00 AM
Dr. Tim Junio
Dr. Tim Junio
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Ratings Are a Dangerous Fantasy

They don't predict breaches, and they don't help people make valuable business decisions or make users any safer.

Security professionals don't like security ratings, also known as cybersecurity risk scores. Partly this is because people don't like being criticized. But mostly it's because security ratings don't work, and cannot work as presently conceived and sold. The industry is a marketing facade. Security ratings do not predict breaches, nor do they help people make valuable business decisions or make anyone safer.

Why are security ratings so bad? For starters, the data is terrible. The quality of security ratings is contingent on the quality of the underlying data and the science with which this data is interpreted. Unfortunately, the cybersecurity ratings industry has nowhere close to the depth and breadth of data of other ratings sectors.

Security ratings companies do not have accurate network maps, and ratings are regularly deflated due to misattribution or improper understanding of network configurations. Security ratings companies typically use incomplete third-party data and do not communicate caveats or error estimates to their customers.

By the time you read them, security ratings are already out of date, because the data is not quickly refreshed and refresh timestamps aren't clearly communicated.

Another challenge is that ratings aren't scientific or statistically relevant. Given those problems, vendors committed to a ratings product have no choice but to hack their way to a partial solution. The partial solutions manifest in a subjective weighting of multiple factors that will almost never perfectly align with real security priorities.

Ratings are whatever product managers want them to be, and they are not based on standards or risk science. Ratings also don't make sense for the vast majority of businesses, which are small, third-party-managed, increasingly cloud-hosted networks with a tiny Internet attack surface.

Today's security ratings can't tell us what to care the most (or least) about; the worst cyber incidents are large, unpredictable events like wildfires. That's why these vendors provide subjective ratings, not probabilities.

Because security ratings are unreliable, companies cannot use them to make important business decisions or drive security outcomes.

What Would Be Better Than Ratings?
First, large companies and government agencies can subsidize downstream cybersecurity, using threat intelligence and information sharing programs to benefit small-to-midsize businesses that can't afford full security programs. A key part of such an initiative should include in-sector information exchange; it's probably not a secret which of the vendors that share information have regular technical issues.

Second, risk assessment partnerships can cut across levels of the security stack to correlate data from endpoints, internal network activity, and public Internet data to more comprehensively evaluate the posture of an organization. An accurate shared perspective on the state of cybersecurity requires buy-in from on-premises and network product manufacturers and/or the evaluated organizations themselves.

Why Are Ratings Dangerous?
Ratings companies have distorted reality for the sake of a cheap, nearsighted market advantage. These distortions have the potential to misallocate valuable and scarce resources, like expert labor hours and dollars for technology.

If we really want to make cybersecurity and Internet safety better, then we have to start with a common understanding of the problems, and then build technology and process solutions. Reducing the complexity and nuance of a highly technical practice to a round number or letter grade takes us further away from reality, creating an unwelcome distraction from those of us still living in it.

Related Content:

 

Dr. Tim Junio is the co-founder and CEO of Expanse, a San Francisco-based software company. He has over a decade of experience in cyber operations and large-scale distributed sensing. Prior to co-founding Expanse, he worked at DARPA, RAND Corporation, Office of the Secretary ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Azuratii
50%
50%
Azuratii,
User Rank: Apprentice
3/24/2020 | 10:28:34 AM
Vendor bias?
This post comes across as being written by a tech company CEO with a chip on his shoulder. Assuming that the buyer has done his/her research and understands the data sources and methodologies used by the ratings provider, that should be acceptable. But, that is the same for any purchase. Caveat emptor.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25826
PUBLISHED: 2020-09-23
PingID Integration for Windows Login before 2.4.2 allows local users to gain privileges by modifying CefSharp.BrowserSubprocess.exe.
CVE-2020-25821
PUBLISHED: 2020-09-23
** UNSUPPORTED WHEN ASSIGNED ** peg-markdown 0.4.14 has a NULL pointer dereference in process_raw_blocks in markdown_lib.c. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2020-3130
PUBLISHED: 2020-09-23
A vulnerability in the web management interface of Cisco Unity Connection could allow an authenticated remote attacker to overwrite files on the underlying filesystem. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted HTTP re...
CVE-2020-3133
PUBLISHED: 2020-09-23
A vulnerability in the email message scanning of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass configured filters on the device. The vulnerability is due to improper validation of incoming emails. An attacker could exploit t...
CVE-2020-3135
PUBLISHED: 2020-09-23
A vulnerability in the web-based management interface of Cisco Unified Communications Manager (UCM) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected device. The vulnerability is due to insufficient CSRF protections for the web-based...