Security Ratings Proliferate As Firms Seek Better Intel

Wondering whether a mobile app is safe? There's a score for that. What about whether a business partner takes security seriously? There's a score for that, too.

A wave of companies have launched services aimed at giving their customers a better understanding of the risks associated with different components of the business supply chain, from transactions to applications and from cloud services to partners. ThreatMetrix, for example, uses information gleaned from visitors to its customers' websites to place a risk score on transactions that can be used to decide whether a transaction is fraudulent. Startup BitSight mines public security data -- such as blacklists, fast-flux domain lists, and other indicators of compromise -- to assign a rating to its clients' partners.

The push to rate the security of each component of a business promises to give executives and managers more information with which to make decisions, says Sonali Shah, vice president of products for BitSight.

"We are bringing science to the management of security," she says. "The idea is to allow the chief information security officers to go into meetings with businesses and present data used around their decisions."

Security-conscious businesses are already moving toward finding better ways to measure the security posture of their own organizations. Some companies have launched big-data analytics projects to crunch security data and find the signs of potential attacks.

Yet information on the security of the supply chain is not as readily available. Large companies routinely require suppliers to fill out assessments for compliance to a variety of regulations, but verifying the partners' assertions can be difficult. In addition, most companies do not have the expertise to vet the security of a mobile application or to gauge the security of a cloud service, so simplifying the process into a single -- or set of -- ratings is important, says Domingo Guerra, co-founder and president of Appthority. The company offers a service for creating mobile-device security policies based on its analysis of the privacy and security attributes of mobile applications.

"Many companies are afraid of what's going on because they don't understand their current exposure or their current risk," he says.

[A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. See Threat-Intel Sharing Services Emerge, But Challenges Remain.]

Security ratings for different aspects of the business also give companies the ability to turn a binary decision -- good or bad -- into a spectrum of risk. Different companies can have different tolerances of risk and may take different actions based on a particular score, says Peter Liske, vice president of product management for ThreatMetrix. The company uses on-the-fly analysis to determine whether a person visiting one of its client's websites is a legitimate customer or trying to conduct fraud. From a computer with a strangely configured browser to a single device logging into different accounts, a variety of anomalies can tip off the service to possible fraud and result in a lower score, but what constitutes an acceptable risk is up to the company, he says. "The reputation and anomaly-checking is not binary, it is more of a percentage game," Liske says. "It comes down to a decision of how much risk do I want to take in regard to fraud versus how much inconvenience do I want to burden my users with?"

Using ratings also allow a CIO or CISO to have more flexible options -- to limit, rather than block, a low-scoring app, says Sanjay Beri, CEO and founder of startup Netskope, which came out of stealth this week. Netskope, and rival SkyHigh Networks, help their customers discover and manage their cloud services and, as part of that, rate cloud services in terms of security and maturity.

"Allowing an app or blocking an app is not the level of control that a CIO needs," he says. Instead, they should be able to allow but limit the data that can be put into the service, or allow but limit the people who can use the service. "We are giving them a scalpel rather than making them use a sledgehammer," he says.

Finally, most companies do not have the time to continuously re-evaluate the security of each component of their businesses, but regularly updating the metrics is important, says Stephen Boyer, co-founder and chief technology officer of BitSight. Having a service that automatically updates the security rating is the best way to catch changes that could impact the security of the business.

"A lot of the techniques are a single point of time, and what people really want is to have good performance over time," he says. "Security needs to be continuously monitored."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.