Keeping on top of your own enterprise’s cyber hygiene is demanding enough, let alone worrying whether your third party vendors’ security is up to scratch. SecurityScorecard’s platform provides an instant view of the cyber posture and maturity of "any company in the world", according to its CTO & SVP Jasson Casey.

"What we do is we provide them with a tool to understand directionally, of their third party suppliers, who actually needs further investigation and communication, and who can they have a fair degree of confidence in,” he says.

This allows a business to make informed decisions when choosing a new vendor, giving peace of mind that any data being passed through supply chains will be protected. After all, data as a commodity is becoming increasingly valuable.

"If I give them some of my proprietary data, or private data, do I have a reasonable expectation that they will keep it safe?" says Casey.

The monitoring process is continuous to ensure that changes – such as people leaving the company – are taken into account and the score is always up to date. And for Casey, the people behind the machines are more important than software.

"Security can't be reduced to just: 'I see that you have this unpatched vulnerability'. It's more about: who have you hired to run your security, is the team competent, do they have processes and procedures in place?” says Casey.

“Because if the answer is yes to all of those, sure they'll have issues from time to time, but in general things should be good and improve.”

Leveraging AI to monitor cyber hygiene 

SecurityScorecard displays security posture in a simple metric, but the technology behind it is complex. And it all starts with data collection.

It does this with a vast network of sensors located around the world that collect data on devices connected to the internet.

"We want to understand the state of every device that's connected to the internet," says Casey.

This collection is done in two ways: passive and active. Active collection involves going to a website and understanding how it's configured, such as headers, through technical means.

Passive involves receiving a malware connection from a device that's infected.

Once the data is collected, the analysis begins. Using machine learning, SecurityScorecard determines attribution – the company likely to control or operate the device – and measurement.

"We want to understand what is the level of security hygiene of this asset, and what is the level of compromise of this asset," says Casey.

“We want to understand the state of every device that's connected to the internet.”

From this analysis, SecurityScorecard is able to determine whether the device looks like it is well-maintained by a security professional.

All of these metrics are combined to produce a grade between A and F. Using historical breach datasets, SecurityScorecard can show graphs of positive and negative correlations of companies over time.

The data can also be used to compare companies of similar size and notice patterns.

"So, for instance, what's likely to cause a breach for a boutique consultancy is different than what might likely cause a breach for a multinational," says Casey.

This model is updated continuously, says Casey, and the company is always on the lookout for new signals and adjusting the scoring model when new information comes in.

Casting a cyber-shadow in Plato’s Cave 

In addition to historical data, SecurityScorecard has recently been using a third style of adjustment: behavioural analytics.

“Imagine you're looking at a well-run company. One of the things you can see is every time a new security patch or a new major series of fixes is released by Google Chrome, this company's mean time to repair or upgrade 80% of their devices is 12 hours.

“The intensity is very low, you can be reasonably certain, not 100%, but reasonably certain that you're looking at their guest Wi-Fi.

“So behavioural analytics is really this second derivative style of analysis where you look at how this changes over time and what are the likely reasons that caused that change or reasons that you could rule it.”

“Given how we see the shadows change and we have this model of physics, we can reconstruct these realities of what may actually be happening inside the enterprise.”

The outputs of this type of analysis are also starting to go into the scoring model.

Casey compares this forensic reconstruction of a company’s cyber posture to Plato’s Cave; every company casts a shadow in cyberspace. SecurityScorecard, with its model of physics for the cyber world – firewalls, management of software and controlled webservers – looks for changes in those shadows.

“So, given how we see the shadows change and we have this model of physics, we can reconstruct – to a coarse grain level – these realities of what may actually be happening inside the enterprise.”

Cyber insurance underwriting

Cyber insurance is a relatively new but growing market. According to a Fitch Ratings report, the US cyber insurance industry grew by 35% in 2016 to $1.35bn.

"Cyber to a company really comes in two parts,” says Casey. “Number one – and the predominant one that people worry about – is loss of revenue. If your systems are down and you need your system to make money, you're not making money."

The next parts are compliance and cleanup. In regulated industries in particular, there are a prescribed series of steps that must be followed, which can be costly. Cyber insurance is one way to ensure a company has the funds available to address it, says Casey.

However, one of the challenges faced by underwriters is the lack of sufficient actuarial data.

SecurityScorecard makes use of its extensive data gathering to provide the data that "drives the underlying actuary models" used by insurance underwriters.

Where health insurance requires medical data, cyber underwriters require cyber health data.

"Our platform will basically generate reports and provide a lot of details that these auditors and investigators can use to enhance the conversation they're having with their third-party suppliers."

Share this article