UPDATED 13:04 EDT / AUGUST 24 2022

SecurityScorecard gauges cyber resiliency and monitors third-party threat risk

The swift move to the cloud and the decentralization of computing have driven the last nails into the coffin of traditional, perimeter-based security. Gone are the days when security team leaders and in-house database administrators could sit down over lunch and plan how to protect data they controlled end to end. Instead, companies outsource processes to specialist as-a-service providers and share sensitive data with very little ability to oversee how it is protected.

According to Gartner Inc., two-thirds of organizations work with more than 1,000 different third-party partners, and the number is steadily increasing. Add the statistic that organizations face a two-in-three chance of being hit by a supply chain attack, and the exposure comes into stark focus.

“We have so many virtual touchpoints with our partners, our vendors, our managed service providers, suppliers, other third parties, and all the humans that are involved in that mix,” said Sam Kassoumeh (pictured), co-founder and chief operating officer of SecurityScorecard Inc. “It creates just a massive ripple effect. Everybody in a chain can be doing things right, [but] if there’s one bad link the whole chain breaks.”

Kassoumeh spoke with theCUBE industry analyst John Furrier in advance of the “Cybersecurity — Detect and Protect Against Threats” event, an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio, airing on Sept. 7. They discussed how SecurityScorecard constantly monitors threat intelligence and digital assets to provide companies with a dynamic security scorecard that reflects their cyber resilience status. (* Disclosure below.)

Traditional security methods are unreliable

Security teams currently rely on manual questionnaires, audit forms and penetration tests to quantify a third-party company’s security posture before contracts are signed and data is shared. However, Gartner Inc. research showed that 83% of companies identified third-party vulnerabilities only after the original due diligence and onboarding process had been completed.

Even when security verifications are done regularly, the dynamic nature of modern DevOps practices means that results can be out of date within days, if not hours. In addition, the pressure on security teams and developers means that penetration test results can be unreliable and forms or audits can be completed inaccurately, whether by accident, oversight or deliberate misrepresentation.

“I don’t think people intentionally want to go lie, but if there’s a $50-million deal … and it’s dependent on checking this one box, someone might bend a rule a little bit,” Kassoumeh stated.

SecurityScorecard ranks companies from A to F

SecurityScorecard’s solution avoids these pitfalls because it is not a point-in-time assessment, but a continuously updated and holistic indicator of a company’s security landscape. Think of it like a credit rating that tracks a company’s financial health, but applied, with some differences, to security resiliency, Kassoumeh explained.

Scorecards are established through a three-part process. First is the collection of threat intelligence data. This ranges from simple warning signs, such as out-of-date websites, to more complex network monitoring.

“We’re essentially collecting signals and vulnerabilities from the entire IPv4 space, the entire network layer, the entire web app layer, leaked credentials,” Kassoumeh said. “Everything that we think about when we talk about the security onion, we collect data at each one of those layers of the onion.”

Step two involves identifying the company’s attack surface area, also known as its digital footprint.

“We identify all of the domains, subdomains, subsidiaries, organizations that are identified on the internet that belong to that organization,” Kassoumeh said.

This inventory of a company’s digital assets is updated every 24 hours by SecurityScorecard’s automated trackers. If this sounds like a familiar process, it’s because it is. GV Management Co. LLC, commonly known as Google Ventures, invested in SecurityScorecard because it saw the similarities between what the company was doing and what Google accomplished for web search in the late 1990s.

“They looked and they said, ‘Wow, you guys are building like a Google Search Engine over some really impressive threat intelligence, and then you’re distilling it into a score which anybody in the world can easily understand,’” Kassoumeh said.
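Step two, as described above, is an external attack-surface inventory that is refreshed every 24 hours. What a practitioner gets from such a feed is the delta between two days: hosts that appeared, hosts that vanished (a candidate for a dangling DNS record), sensitive ports that opened, and addresses that moved. The following is an added illustration of that daily comparison, not SecurityScorecard’s code; the two snapshots are constructed sample data, and the asset fields (host, ip, ports, server) and the list of ports worth alerting on are assumptions made for the example.

```python
"""Diff two daily snapshots of an organization's external attack surface.

Added illustration, not SecurityScorecard's code. The snapshots are
constructed sample data; the Asset fields and WATCH_PORTS are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str          # DNS name attributed to the organization
    ip: str            # address it resolved to when the snapshot was taken
    ports: frozenset   # open TCP ports observed on that address
    server: str = ""   # server banner if one was observed, else ""


# Ports whose sudden exposure on an internet-facing host deserves a look
# (assumed list for the example: FTP, Telnet, RDP, VNC).
WATCH_PORTS = frozenset({21, 23, 3389, 5900})


def snapshot_by_host(assets):
    """Index a snapshot by hostname so two days can be compared host by host."""
    return {a.host: a for a in assets}


def diff_snapshots(yesterday, today, watch_ports=WATCH_PORTS):
    """Return the changes between two snapshots that a reviewer should triage.

    new_hosts:  hosts seen today but not yesterday (the footprint grew)
    gone_hosts: hosts that dropped off (check for a dangling DNS record)
    new_ports:  (host, port) pairs newly open, limited to watch_ports
    changed_ip: (host, old_ip, new_ip) where the address moved
    """
    y = snapshot_by_host(yesterday)
    t = snapshot_by_host(today)
    new_hosts = sorted(set(t) - set(y))
    gone_hosts = sorted(set(y) - set(t))
    new_ports = []
    changed_ip = []
    for host in set(t) & set(y):
        opened = t[host].ports - y[host].ports
        new_ports.extend((host, p) for p in sorted(opened & watch_ports))
        if t[host].ip != y[host].ip:
            changed_ip.append((host, y[host].ip, t[host].ip))
    return {
        "new_hosts": new_hosts,
        "gone_hosts": gone_hosts,
        "new_ports": sorted(new_ports),
        "changed_ip": sorted(changed_ip),
    }


# Constructed sample snapshots (documentation addresses, not real hosts).
YESTERDAY = [
    Asset("www.example.com", "203.0.113.10", frozenset({80, 443}), "nginx"),
    Asset("mail.example.com", "203.0.113.20", frozenset({25, 443})),
    Asset("dev.example.com", "203.0.113.30", frozenset({443})),
]
TODAY = [
    Asset("www.example.com", "203.0.113.11", frozenset({80, 443}), "nginx"),
    Asset("mail.example.com", "203.0.113.20", frozenset({25, 443, 3389})),
    Asset("staging.example.com", "198.51.100.5", frozenset({22, 443})),
]


def report(changes):
    """Render the diff as the lines an analyst would read each morning."""
    lines = [f"new host:     {h}" for h in changes["new_hosts"]]
    lines += [f"host gone:    {h}" for h in changes["gone_hosts"]]
    lines += [f"port opened:  {h}:{p}" for h, p in changes["new_ports"]]
    lines += [f"ip changed:   {h} {old} -> {new}" for h, old, new in changes["changed_ip"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(diff_snapshots(YESTERDAY, TODAY))))
```

The example deliberately keys on hostname rather than IP: a host whose address moves is still the same asset to the owning organization, but the move itself is a signal (re-pointed DNS, a new hosting provider) that the vendor-risk reviewer wants to see. A real feed would also carry the per-layer signals the article mentions, such as outdated web server versions and leaked credentials, in additional Asset fields.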

A company’s score is determined through a probabilistic and deterministic process that benchmarks the company’s resilience against its peers. Rankings follow a traditional A to F grading system, and SecurityScorecard predicts that a company with an F rating is 7.7 times more likely to be breached by a cyberattack than one with an A rating.

“More doors open to the house equals a higher likelihood someone unauthorized is going to walk in,” Kassoumeh said.

Security as a proactive motion

The company has a database of 12 million organizations accessible on its website, with 50,000 active users monitoring their ranking and that of their third-party vendors.

“We never charge a company to see the score or fix it,” Kassoumeh stated. “They can understand what we’re seeing about them, what a hacker could see about their environment. And then we empower them with the tools to fix it, and they can fix it and the score will go up.”

A free account gives access to score change alerts for up to five companies and shareable summaries. Paid-tier subscriptions open enterprise-level monitoring capabilities, such as rules-based alerts and risk trend analysis and, at the highest tiers, API access, integrations and fourth-party risk detection.

This enables companies to continually review all of their third-party vendors for both security risk and regulatory compliance. It also acts as a positive accreditation for companies that have a consistent A-level ranking, something that Kassoumeh believes will become an established practice, turning security from a reactive to a proactive motion.

“Anybody following my scorecard can proactively see all the great things I’m doing. They see the outside view. They see the inside view. They see the compliance view,” Kassoumeh said. “They have the Holy Grail view of my environment and can have a more intelligent conversation.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s pre-event coverage of the “Cybersecurity — Detect and Protect Against Threats” event:

(* Disclosure: SecurityScorecard Inc. sponsored this segment of theCUBE. Neither SecurityScorecard nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
