Why A Holistic View Is Key To Accurate Security Ratings
SecurityScorecard’s co-founders, former CISOs, were struggling with the fact that they were able to understand their own security posture but didn’t have that same confidence when it came to determining an accurate security rating for their partners and vendors. They created SecurityScorecard to fill the gap in the market.
Reliance on third-party cloud-based providers has never been greater, and it grows every year. IDC predicts the SaaS market to become a $110+ billion market by 2019. Cloud-based vendors offer convenience at a low cost, but companies need to be sure that their own networks are secure and that their vendors and partners aren’t leaving a side door open for hackers and malware. This is why it’s important to have the most accurate security risk benchmarking software.
Many cybersecurity solutions offer an incomplete look at a company’s security posture and therefore cannot produce an accurate security rating. We take a multidimensional approach that looks at the many layers that make up a company’s cybersecurity infrastructure. We know that vulnerabilities lie within your own network, whether the risk comes from employee error or outdated software, so we analyze inbound and outbound signals, potentially exposed passwords, and endpoint security. This is captured in our Social Engineering, Password Exposure, and Endpoint Security scores.
It’s also important to understand where exposure to external risk may lie, so we collect data from unique sources and methods, such as public data breach databases, various dorking methods, WHOIS configuration exposures, IP mapping, and IP blacklists, among many others. We look at hacker forums and communities, social networks, and data leaks and dumps to see if companies might be at risk of an imminent attack or data breach. This is where the Hacker Chatter, Web Application Security, and Network Security scores can inform you.
Because hackers need just one point of entry, we also analyze open ports, identify insecure and risky SSL/TLS configurations, and flag endpoints running insecure, outdated, or end-of-life software, vulnerable browsers, and software with known CVEs. Legacy SSL/TLS protocol versions and cipher suites in particular expose you to some of the most common attacks, such as POODLE (SSLv3), FREAK (export-grade RSA cipher suites), or DROWN (SSLv2).
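As an added illustration of the kind of rule a rating engine applies to per-host TLS observations (this is example code, not SecurityScorecard’s own, and the observation format, host names, and key identifiers are constructed for it), the block below maps what a scanner saw on each port to POODLE, FREAK, and DROWN exposure. It also covers two cases a simple lookup misses: SSLv3 with no CBC cipher suites (deprecated, but not POODLE-exploitable), and DROWN’s cross-protocol reach, where a server that never offers SSLv2 is still exposed because it shares its RSA key with one that does. Cipher suites use IANA names.

```python
"""Map TLS scan observations to POODLE, FREAK and DROWN exposure.

Added example, not SecurityScorecard's code. The TlsObservation format, the
hosts and the rsa_key_id values are constructed for the example; cipher suites
use IANA names such as TLS_RSA_WITH_AES_128_CBC_SHA.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class TlsObservation:
    host: str
    port: int
    # protocol version the server offers -> cipher suites it accepts under it
    protocols: dict[str, list[str]]
    # identifier of the server's RSA public key (e.g. an SPKI hash); None if unknown
    rsa_key_id: str | None = None


@dataclass
class Finding:
    host: str
    port: int
    issue: str
    detail: str


def _is_cbc(cipher: str) -> bool:
    # IANA names spell out the mode: ..._AES_128_CBC_SHA, ..._3DES_EDE_CBC_SHA
    return "_CBC_" in cipher.upper()


def _is_rsa_export(cipher: str) -> bool:
    # FREAK requires an export-grade RSA key exchange, e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5
    return "RSA_EXPORT" in cipher.upper()


def classify(observations: list[TlsObservation]) -> list[Finding]:
    findings: list[Finding] = []

    # DROWN is a cross-protocol attack: any server sharing an RSA key with an
    # SSLv2-enabled server is exposed even if it never offers SSLv2 itself.
    sslv2_keys = {
        o.rsa_key_id: o for o in observations if "SSLv2" in o.protocols and o.rsa_key_id
    }

    for o in observations:
        if "SSLv2" in o.protocols:
            findings.append(Finding(o.host, o.port, "DROWN", "server offers SSLv2"))
        elif o.rsa_key_id in sslv2_keys:
            peer = sslv2_keys[o.rsa_key_id]
            findings.append(Finding(o.host, o.port, "DROWN",
                f"shares RSA key {o.rsa_key_id} with SSLv2 server {peer.host}:{peer.port}"))

        sslv3 = o.protocols.get("SSLv3")
        if sslv3 is not None:
            cbc = [c for c in sslv3 if _is_cbc(c)]
            if cbc:
                findings.append(Finding(o.host, o.port, "POODLE",
                    f"SSLv3 with CBC cipher suites: {', '.join(cbc)}"))
            else:
                # Without a CBC suite the SSLv3 padding-oracle attack does not apply,
                # but SSLv3 is deprecated (RFC 7568) and should be disabled regardless.
                findings.append(Finding(o.host, o.port, "SSLv3 enabled",
                    "no CBC suites (POODLE not applicable) but SSLv3 is deprecated"))

        export = sorted({c for suites in o.protocols.values()
                         for c in suites if _is_rsa_export(c)})
        if export:
            findings.append(Finding(o.host, o.port, "FREAK",
                f"export-grade RSA key exchange offered: {', '.join(export)}"))

    return findings


# Constructed sample scan; these are documentation hosts, not real services.
SAMPLE = [
    TlsObservation("www.example.com", 443,
        {"TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]}, "key-www"),
    TlsObservation("mail.example.com", 443,
        {"SSLv3": ["TLS_RSA_WITH_AES_128_CBC_SHA"],
         "TLSv1.2": ["TLS_RSA_WITH_AES_128_CBC_SHA"]}, "key-mail"),
    TlsObservation("mail.example.com", 465,
        {"SSLv2": ["SSL_CK_RC4_128_WITH_MD5"],
         "TLSv1.0": ["TLS_RSA_WITH_AES_128_CBC_SHA"]}, "key-mail"),
    TlsObservation("shop.example.com", 443,
        {"TLSv1.0": ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_SHA"],
         "TLSv1.2": ["TLS_RSA_WITH_AES_128_CBC_SHA"]}, "key-shop"),
    TlsObservation("legacy.example.com", 443,
        {"SSLv3": ["TLS_RSA_WITH_RC4_128_SHA"]}, "key-legacy"),
]


if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"{f.host}:{f.port}  {f.issue:14} {f.detail}")
```

Run against the sample, mail.example.com:443 is flagged for DROWN only because its key also serves the SSLv2-enabled SMTPS port; fixing the 465 listener clears both findings, which is the remediation ordering a practitioner wants from a rating tool.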
We process over a terabyte of data every month, and 70% of that data comes from our own proprietary collection techniques, which include malware sinkholes and honeypots, deep web/dark web scraping, data partnerships, and scanning and crawling every addressable IP on the entire internet. Because we control the data flow and collection process, we’re able to validate the data, consistently refine our algorithms, and ensure we have the highest signal-to-noise ratio.
This allows us to be confident in our collected data and report meaningful conclusions on the potential vulnerabilities and business risks of every company in the world. We have pre-calculated the scores of over 100K companies, 3 times more than any other cybersecurity platform. And because we know calculating the accurate security rating of a company takes a multidimensional, layered approach, our SecurityScorecard grade is based on a 10-factor scoring system that shows companies where their true risk lies.
In the graph below, you can see how companies that were breached differ from companies with no known breach on just one of our 10 factors, IP Reputation.
The IP Reputation score takes into account the volume of malware and botnet signals coming from a company’s network, based on intercepted malware traffic (for example, infected hosts calling out to a sinkhole) attributed to specific IP addresses in the company’s address space.
Image 1: Score offers a risk analysis of a company’s vulnerability to malware or botnet attacks
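To make the mechanics of a signal like this concrete, here is an added example (not SecurityScorecard’s scoring code, whose weights and windows are not described on this page) that attributes sinkhole hits to an organisation’s netblocks. The netblocks, the log lines, and the 30-day window are constructed assumptions. The point it illustrates is that raw hit counts mislead: an infected host beacons repeatedly, so the score should count distinct infected addresses within a recent window and only those inside the organisation’s own ranges.

```python
"""Attribute malware sinkhole hits to an organisation's netblocks.

Added example, not SecurityScorecard's scoring code. COMPANY_NETBLOCKS,
SINKHOLE_LOG and the 30-day window are constructed for the example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed: netblocks an organisation is assumed to own (in practice from WHOIS/BGP).
COMPANY_NETBLOCKS = {
    "example-corp": ["203.0.113.0/24", "198.51.100.64/26"],
}

# Constructed sinkhole log: timestamp, source IP, malware family, sinkhole name.
SINKHOLE_LOG = """\
2016-05-01T10:00:01Z 203.0.113.45 conficker sinkhole-a
2016-05-01T10:05:11Z 203.0.113.45 conficker sinkhole-a
2016-05-01T11:00:00Z 203.0.113.200 zeus sinkhole-b
2016-05-02T09:15:00Z 198.51.100.70 zeus sinkhole-b
2016-05-02T09:16:00Z 198.51.100.10 zeus sinkhole-b
2016-04-01T09:16:00Z 203.0.113.45 zeus sinkhole-b
"""


def parse_log(text: str):
    """Yield (timestamp, ip, family) tuples from sinkhole log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, family, _sinkhole = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               ipaddress.ip_address(ip), family)


def attribute_hits(log_text: str, netblocks: dict[str, list[str]],
                   now: datetime, window_days: int = 30) -> dict[str, dict]:
    """Summarise recent sinkhole hits per organisation.

    Hits outside the window or outside every netblock are dropped. Infected
    hosts are counted once per IP, not once per beacon, so a chatty bot does
    not dominate the signal.
    """
    nets = {org: [ipaddress.ip_network(n) for n in blocks] for org, blocks in netblocks.items()}
    cutoff = now - timedelta(days=window_days)
    summary: dict[str, dict] = {}
    for org, org_nets in nets.items():
        infected_ips: set = set()
        ips_by_family: dict[str, set] = defaultdict(set)
        raw_hits = 0
        for ts, ip, family in parse_log(log_text):
            if ts < cutoff or not any(ip in n for n in org_nets):
                continue
            raw_hits += 1
            infected_ips.add(ip)
            ips_by_family[family].add(ip)
        address_space = sum(n.num_addresses for n in org_nets)
        summary[org] = {
            "raw_hits": raw_hits,
            "infected_ips": len(infected_ips),
            "families": {f: len(ips) for f, ips in sorted(ips_by_family.items())},
            # share of the organisation's address space seen beaconing in the window
            "infected_fraction": len(infected_ips) / address_space if address_space else 0.0,
        }
    return summary


if __name__ == "__main__":
    ref = datetime(2016, 5, 3, tzinfo=timezone.utc)
    for org, s in attribute_hits(SINKHOLE_LOG, COMPANY_NETBLOCKS, now=ref).items():
        print(org, s)
```

Two hosts in the sample are discarded on purpose: 198.51.100.10 falls outside the /26 the organisation owns, and the April hit is older than the window. What remains is three distinct infected addresses from six log lines, which is the number a reputation score should react to.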
These strategic focal points and predictive capabilities of our data collection are what give our clients an accurate security rating and a view into their industry’s comparative security posture and the security posture of their vendor ecosystem.
Our SecurityScorecard benchmarked grade is not fixed, and we invite companies to interact with their vendors or with us in order to improve their own scores or their third parties’ scores. We encourage companies to engage with their own scorecards and reach out to us after their vulnerabilities are remediated.
We offer companies the possibility of collaborating with others. They can invite vendors and partners to view their scorecard, see a list of potential issues, start discussing how to improve cybersecurity issues, and, after action is taken, reduce the risk of a third party breach.
If you have feedback on your SecurityScorecard, reach out to us. We’re happy to hear from companies who want to improve their score and reduce their potential vulnerabilities.