~ 5 mins read | November 16, 2021
Widespread internet adoption and the subsequent rise of online businesses led to a steady increase in cybercrime since the year 2000. When organizations sought insurance against such crimes, insurance companies needed to assess their risk quotient quickly. That's when security scores were introduced: they helped standardize risk assessment by comparing the same metrics across organizations and thereby delivering an overall score. Security scores are a way for organizations to benchmark their digital health. They help sales, legal, and C-suite executives make decisions about M&A, procurement, third-party risk, evaluating RFPs, etc.
That said, many organizations today use security scores to manage their security posture and cyber defense, and that's when they fall prey to cyber-attacks because these scores can be misleading.
This blog will examine the components of a security score and explain why it cannot replace a comprehensive attack surface management program.
Security scores run passive scans to discover organizational assets for scoring purposes. Security scoring does not identify exposed internal environments, shadow IT, ephemeral cloud assets, software code, containers, mobile, proprietary APIs, secret leaks (email addresses, personal information), and misconfigurations as it is not purpose-built to discover an attack surface comprehensively. This bird's eye view of a limited enterprise area is inadequate to assess a business's ongoing security posture.
Security scores are an aggregate of multiple data points. Exposures that can result in crippling attacks, such as remote code execution (RCE), credential leaks and critical vulnerabilities, may be present in a network, and yet an organization can receive a high security score because the aggregation process averages them away.
A security score is a high-level, observational view of an organization's digital health. Since its purpose is to provide comparisons against similar organizations, the risk data is detected via banners that only return high-level data riddled with false positives. ASM also mines such data but supplements it with broader asset discovery, in-depth asset fingerprinting and deeper exposure checks, delivering much-needed context for data-driven security actions. Furthermore, security ratings do not consider the business context of an asset or provide in-depth data such as the tech stack used by an organization.
A critical drawback of security scores is that they're not continuous. They are essentially a point-in-time snapshot of an organization's digital health. Such services also rely heavily on the passive asset data collected by third parties to build an organization's risk profile. Some of the data sources can be up to 30 days old. In today's dynamic digital landscape, such data is often outdated. Using such a score to decide an enterprise's ongoing cybersecurity program will lead to severe security gaps and expose an organization to attacks.
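To make the two drawbacks above concrete (a critical exposure hidden by aggregation, and evidence that is weeks old), here is an added illustration in Python. It is not Securin's code and not any vendor's scoring model; the severity weights, the 200-asset estate, the findings and the dates are all constructed for the example. The toy score averages deductions over every asset, so one RCE among 200 assets barely dents it, while the triage view ranks by severity and flags findings whose evidence is older than 30 days.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: str   # "low", "medium", "high" or "critical"
    observed: date  # date the data source last confirmed the finding


# Hypothetical deduction weights; real scoring vendors use proprietary models.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def aggregate_score(findings, total_assets):
    """Toy security score: 100 minus ten times the average deduction per asset.
    Every asset weighs the same, so a handful of findings spread over a large
    estate barely moves the number, even when one of them is an RCE."""
    deductions = sum(SEVERITY_WEIGHT[f.severity] for f in findings)
    return max(0.0, round(100 - 10 * deductions / total_assets, 1))


def triage(findings, today, max_age_days=30):
    """ASM-style view: rank by severity so a critical is never averaged away,
    and mark findings whose evidence is older than max_age_days."""
    ranked = sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.asset))
    stale = [f for f in findings if (today - f.observed).days > max_age_days]
    return {
        "critical": [f for f in ranked if f.severity == "critical"],
        "ranked": ranked,
        "stale": stale,
    }


# Constructed sample data: a 200-asset estate with three observed findings.
TODAY = date(2021, 11, 16)
SAMPLE = [
    Finding("api.example.com", "Unauthenticated RCE in app server", "critical",
            TODAY - timedelta(days=2)),
    Finding("www.example.com", "TLS 1.0 still enabled", "low",
            TODAY - timedelta(days=35)),
    Finding("mail.example.com", "SPF record missing", "low",
            TODAY - timedelta(days=1)),
]

if __name__ == "__main__":
    # The score reads as excellent (99.4) despite an exposed RCE.
    print("aggregate score:", aggregate_score(SAMPLE, total_assets=200))
    t = triage(SAMPLE, TODAY)
    print("critical exposures:", [f.title for f in t["critical"]])
    print("stale evidence:", [f.asset for f in t["stale"]])
```

The point of the two functions side by side is that the same findings produce a near-perfect score and, at the same time, an actionable critical item plus a stale data point; only the second view tells a defender what to fix and what to re-verify.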
In summary, security scores are a high-level, observational, homogeneous benchmark that can function as a starting point for improving an organization's cybersecurity posture. However, they are misleading when used to replace a proper attack surface management program as they lack the required context, depth, and nuance.
| Features | Security Score Rating | ASM Platform |
|---|---|---|
| Comprehensive Asset Discovery | High-level and partial | In-depth and comprehensive |
| Threat context | Minimal | In-depth and nuanced |
| Tech Stack Discovery | No (few) | Yes. With exposure and threat context |
| Business Context | No | Yes. Unique to each asset |
| Contextual Exposure Prioritization | No | Yes. Highly contextual |
| False Positives | High | Very few |
| Quantifiable Latency Metrics | No | Yes. In-depth at the asset level and continuously updated |
The Securin platform is custom-built for organizations looking for a tailored solution to proactively protect their attack surface and continuously improve their security posture.