The Truth About How Security Ratings Work

By Graham Rance, Director of Sales Engineering EMEA, CyCognito | August 6, 2021
Just like a personal credit rating, security ratings platforms are designed to take a high-level, permissionless view of an organisation based on externally observable behaviours. Like any tool, third-party security rating platforms are often perfectly suited to the job they were designed for, but they tend to struggle when used for a different purpose – in this case, producing actionable, operational information that is high quality and tested to reduce false positives.

To assess yourself, you need a different product and, if you take security seriously, one that is focused on enhancing your operational security, discovering your entire attack surface and complementing your existing enterprise toolset.

Using a rating to manage and protect your external attack surface is like using your personal credit score to manage your finances; it rapidly loses relevance as you dive into the actual details of your financial position to try to improve things.

 

What security ratings do… and don’t

At a high level, ratings platforms use data aggregated from third-party sources that indicate how an organisation configures certain aspects of its perimeter, and they base their security ratings on that data. The data is collected passively, because statistical relevance requires scanning hundreds of thousands of organisations, and it is therefore limited to banner matching for vulnerabilities and issues.

This results in a low-fidelity, high-false-positive way of determining issues. These third-party passive data feeds provide a minimal, common set of data from which a high-level security rating report is created, which can then be used to compare organisations for the purpose of security posture benchmarking. Because the intent of this data is to compare different organisations, the data itself must be homogeneous enough to facilitate comparison, which prevents the easy customisation of your attack surface view; that same customisation would be critical to gaining a true understanding of your current posture.

The benefit of a security rating from one of these platforms is its speed and consistency. It gives you a quick, high-level number that compares the company you’re analysing to others using the same methodology and data sets that are used for everyone. This can provide general guidance into the organisation’s relative security posture compared to others. That is valuable for M&A due diligence, purchasing and supply chain management, meeting partner compliance requirements, or qualifying for cyber insurance. The simplicity of this type of rating is its strength, but because it can provide only general guidance, it is also its weakness.

How so? The problem arises when companies try to use their own rating as a replacement for attack surface management or deep security testing aimed at improving security posture. Passive ratings include no vulnerability tests or security tests, and they may miss subsidiaries entirely or fail to reflect changes to them.

As a result, your security rating might tell you the relative security posture of your company, but it can’t provide actionable security improvements that can be used to identify and remediate vulnerabilities or other issues. Worse, because the security rating is based on third-party threat intelligence data feeds, the data runs the risk of being stale and woefully inaccurate as the attack surface and its threats have changed in the time it took to collect the data and present it as a tidy rating.

Another potential pitfall to keep in mind with security ratings platforms is that when a security rating becomes a key performance indicator (KPI), organisations will naturally begin focusing on changes that raise the rating rather than on changes that necessarily improve their security posture.

In the best case, a security rating is a valuable, if general, guide; in the worst case, it’s a convenient metric that distracts from an organisation’s true cybersecurity risk.

 

Why security ratings are no replacement for attack surface management

While a security rating platform is the wrong tool for creating actionable insight, an attack surface protection platform is critical for that job. The CyCognito platform uses attacker-like reconnaissance techniques to see and manage your complete attack surface, find security gaps, and help your organisation prevent breaches.

By looking at your attack surface from the attacker’s perspective, you can remediate the issues that attackers will find most tempting, while gaining actionable information about where your vulnerabilities and other security gaps lie, so you know exactly what you need to focus on. With detailed contextual information derived from active security testing, you can execute prioritised remediation plans that improve your organisation’s security posture.

Here’s how common security rating platforms compare to an attack surface management platform like the CyCognito platform:

Main Purpose
CyCognito Platform: Provides SOC teams with complete visibility into the externally exposed assets across the entire attack surface for security posture improvement.
Security Rating Platforms: Provide risk management and procurement teams with a snapshot of another company’s overall risk, with no mission for security posture improvement.

Automated Discovery
CyCognito Platform: Automatically and continuously discovers new assets, including unknown and new networks, using active reconnaissance.
Security Rating Platforms: Rely solely on annual reports of acquisitions and third-party passive data feeds to provide a snapshot with limited network visibility.

Automated Classification
CyCognito Platform: Automatically classifies 90% of assets.
Security Rating Platforms: Limited automatic classification based on third-party banner grabbing.

Automatic Attribution
CyCognito Platform: Automatically and continuously attributes virtually all assets to one or more organisations/teams, with evidence.
Security Rating Platforms: Limited to links on registry pages or domains, with no transparent discovery path, which makes false positives common.

Risk Detection
CyCognito Platform: Actively detects sensitive data exposures, network infrastructure vulnerabilities, web application vulnerabilities, phishing risks, software misconfiguration, weak credentials, dangling DNS, and much more, with high fidelity.
Security Rating Platforms: Very low fidelity and a high false positive rate, with no transparency or evidence. Detections based on banners are entirely inadequate to identify real risks, much less prioritise them.

Prioritisation
CyCognito Platform: Asset scoring and grading is contextually driven using issue severity, attractiveness for attack, potential impact, exploitability of issues, and discoverability of assets.
Security Rating Platforms: The priority algorithm is opaque and uses no real-time context or threat intelligence. No concept of remediation planning based on prioritisation and goals.

Complete Black Box Operation
CyCognito Platform: Automatically delivers complete, continuous attack surface protection with zero configuration.
Security Rating Platforms: Using a security rating platform for attack surface management requires almost 100% manual effort to correlate high-level findings with scan-based security testing that is prioritised and validated outside the platform.

Workflow Automation
CyCognito Platform: Automatically synchronises with teams and systems for asset management, security testing, operationalisation of the remediation workflow, automatic ticket generation, automatic communication to vested parties, and automatic continuous closed-loop fix validation.
Security Rating Platforms: Provide integrations for Governance, Risk, and Compliance (GRC) but not for operationalised security.

Analytics
CyCognito Platform: Customisable filters provide quick access to attack surface analytics that make sense to all stakeholders.
Security Rating Platforms: High-level reporting on generalised scores of subsidiaries only; lacks the details required for remediation and validation of fixes.

 

Like trying to manage your current account with your credit score, you are almost destined to fail when using a security rating service to manage your attack surface. Ratings are based on very limited testing, low-fidelity asset discovery, data from third-party passive services, and comparisons against other companies without any context about your specific network or business objectives. None of this tells you anything about your actual security posture.

Download our Cybersecurity Self-Assessment Guide to learn how you can establish the baseline security “rating” you need to actually understand how things change over time so you can ensure that your security investments in people and technology are effectively addressing your organisation’s highest priorities and most critical risks.
