Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

3/20/2020
10:00 AM
Dr. Tim Junio
Dr. Tim Junio
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Ratings Are a Dangerous Fantasy

They don't predict breaches, and they don't help people make valuable business decisions or make users any safer.

Security professionals don't like security ratings, also known as cybersecurity risk scores. Partly this is because people don't like being criticized. But mostly it's because security ratings don't work, and cannot work as presently conceived and sold. The industry is a marketing facade. Security ratings do not predict breaches, nor do they help people make valuable business decisions or make anyone safer.

Why are security ratings so bad? For starters, the data is terrible. The quality of security ratings is contingent on the quality of the underlying data and the science with which this data is interpreted. Unfortunately, the cybersecurity ratings industry has nowhere close to the depth and breadth of data of other ratings sectors.

Security ratings companies do not have accurate network maps, and ratings are regularly deflated due to misattribution or improper understanding of network configurations. Security ratings companies typically use incomplete third-party data and do not communicate caveats or error estimates to their customers.

By the time you read them, security ratings are already out of date, because the data is not quickly refreshed and refresh timestamps aren't clearly communicated.

Another challenge is that ratings aren't scientific or statistically relevant. Given those problems, vendors committed to a ratings product have no choice but to hack their way to a partial solution. The partial solutions manifest in a subjective weighting of multiple factors that will almost never perfectly align with real security priorities.

Ratings are whatever product managers want them to be, and they are not based on standards or risk science. Ratings also don't make sense for the vast majority of businesses, which are small, third-party-managed, increasingly cloud-hosted networks with a tiny Internet attack surface.

Today's security ratings can't tell us what to care the most (or least) about; the worst cyber incidents are large, unpredictable events like wildfires. That's why these vendors provide subjective ratings, not probabilities.

Because security ratings are unreliable, companies cannot use them to make important business decisions or drive security outcomes.

What Would Be Better Than Ratings?
First, large companies and government agencies can subsidize downstream cybersecurity, using threat intelligence and information sharing programs to benefit small-to-midsize businesses that can't afford full security programs. A key part of such an initiative should include in-sector information exchange; it's probably not a secret which of the vendors that share information have regular technical issues.

Second, risk assessment partnerships can cut across levels of the security stack to correlate data from endpoints, internal network activity, and public Internet data to more comprehensively evaluate the posture of an organization. An accurate shared perspective on the state of cybersecurity requires buy-in from on-premises and network product manufacturers and/or the evaluated organizations themselves.

Why Are Ratings Dangerous?
Ratings companies have distorted reality for the sake of a cheap, nearsighted market advantage. These distortions have the potential to misallocate valuable and scarce resources, like expert labor hours and dollars for technology.

If we really want to make cybersecurity and Internet safety better, then we have to start with a common understanding of the problems, and then build technology and process solutions. Reducing the complexity and nuance of a highly technical practice to a round number or letter grade takes us further away from reality, creating an unwelcome distraction from those of us still living in it.

Related Content:

 

Dr. Tim Junio is the co-founder and CEO of Expanse, a San Francisco-based software company. He has over a decade of experience in cyber operations and large-scale distributed sensing. Prior to co-founding Expanse, he worked at DARPA, RAND Corporation, Office of the Secretary ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Azuratii
50%
50%
Azuratii,
User Rank: Apprentice
3/24/2020 | 10:28:34 AM
Vendor bias?
This post comes across as being written by a tech company CEO with a chip on his shoulder. Assuming that the buyer has done his/her research and understands the data sources and methodologies used by the ratings provider, that should be acceptable. But, that is the same for any purchase. Caveat emptor.
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15864
PUBLISHED: 2021-01-17
An issue was discovered in Quali CloudShell 9.3. An XSS vulnerability in the login page allows an attacker to craft a URL, with a constructor.constructor substring in the username field, that executes a payload when the user visits the /Account/Login page.
CVE-2021-3113
PUBLISHED: 2021-01-17
Netsia SEBA+ through 0.16.1 build 70-e669dcd7 allows remote attackers to discover session cookies via a direct /session/list/allActiveSession request. For example, the attacker can discover the admin's cookie if the admin account happens to be logged in when the allActiveSession request occurs, and ...
CVE-2020-25533
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
CVE-2021-3162
PUBLISHED: 2021-01-15
Docker Desktop Community before 2.5.0.0 on macOS mishandles certificate checking, leading to local privilege escalation.
CVE-2021-21242
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...