Why are security scores misleading?


Puneetha J

~ 5 mins read | November 16, 2021


Widespread internet adoption and the subsequent rise of online businesses have led to a steady increase in cybercrime since the year 2000. When organizations sought insurance against such crimes, insurers needed a quick way to assess their risk. That is when security scores were introduced: they standardized risk assessment by comparing the same metrics across organizations and distilling them into an overall score. Security scores are a way for organizations to benchmark their digital health. They help sales, legal, and C-suite executives make decisions about M&A, procurement, third-party risk, evaluating RFPs, and so on.

That said, many organizations today use security scores to manage their security posture and cyber defense, and that is when they fall prey to cyber-attacks, because these scores can be misleading.

This blog will examine the components of a security score and explain why it cannot replace a comprehensive attack surface management program.

  1. Limited asset discovery:

    Security scores run passive scans to discover organizational assets for scoring purposes. Security scoring does not identify exposed internal environments, shadow IT, ephemeral cloud assets, software code, containers, mobile, proprietary APIs, secret leaks (email addresses, personal information), and misconfigurations as it is not purpose-built to discover an attack surface comprehensively. This bird's eye view of a limited enterprise area is inadequate to assess a business's ongoing security posture.

  2. Score aggregation masks critical exposures:

    Security scores are an aggregate of multiple data points. Exposures that can result in crippling attacks, such as remote code execution (RCE), credential leaks and critical vulnerabilities, may be present in a network, and yet the organization can still receive a high security score because the aggregation averages them away.

  3. Broad-based and homogeneous:

    A security score is a high-level, observational view of an organization's digital health. Since its purpose is to provide comparisons against similar organizations, the risk data is collected from service banners, which only return high-level data riddled with false positives. Attack surface management (ASM) also mines such data but supplements it with broader asset discovery, in-depth asset fingerprinting and deeper exposure checks, delivering the context needed for data-driven security actions. Furthermore, security ratings do not consider the business context of an asset or provide in-depth data such as the tech stack used by an organization.

  4. Lack of data freshness and continuous discovery:

    A critical drawback of security scores is that they are not continuous. They are essentially a point-in-time snapshot of an organization's digital health. Such services also rely heavily on passive asset data collected by third parties to build an organization's risk profile, and some of those data sources can be up to 30 days old. In today's dynamic digital landscape, such data is often outdated. Using such a score to steer an enterprise's ongoing cybersecurity program will leave severe security gaps and expose the organization to attacks.
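To make points 2 (aggregation) and 4 (data freshness) concrete, here is an added Python example; it is not code from the original post or from Securin. The severity weights, the grade bands, the seven-day freshness window and the asset list are all constructed assumptions. It scores a fleet of 200 assets two ways: a benchmark-style average, which one critical exposure barely moves, and an exposure-first gate, which fails on any critical or stale finding.

```python
"""Added example (not from the original post): how a benchmark-style
aggregate score hides a single critical exposure, and how stale data
slips through. All assets, findings, weights and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed illustrative weighting scheme, not any rating vendor's formula.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]


@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    severity: str
    observed: date  # when the passive data source last saw this issue


def aggregate_score(findings, total_assets):
    """Score-card style: weighted severity averaged over every asset and
    subtracted from 100. One critical issue among hundreds of clean assets
    moves it by a fraction of a point."""
    penalty = sum(SEVERITY_WEIGHT[f.severity] for f in findings) / total_assets
    return round(max(0.0, 100.0 - penalty), 1)


def grade(score):
    """Map a numeric score to the (assumed) letter band."""
    return next(letter for floor, letter in GRADE_BANDS if score >= floor)


def critical_exposures(findings):
    """Exposure-first view: any critical finding is a blocker, whatever the score."""
    return [f for f in findings if f.severity == "critical"]


def stale_findings(findings, as_of, max_age_days=7):
    """Findings observed more than max_age_days ago no longer describe the
    current attack surface, whether the issue was fixed since or not."""
    return [f for f in findings if (as_of - f.observed).days > max_age_days]


def posture_report(findings, total_assets, as_of, max_age_days=7):
    """Return both views side by side so the gap between them is visible."""
    score = aggregate_score(findings, total_assets)
    crit = critical_exposures(findings)
    stale = stale_findings(findings, as_of, max_age_days)
    return {
        "score": score,
        "grade": grade(score),
        "critical": [f"{f.asset}: {f.issue}" for f in crit],
        "stale": len(stale),
        # The score alone says "pass"; the gate passes only when there is
        # no critical exposure and every data point is fresh.
        "score_passes": score >= 90,
        "gate_passes": not crit and not stale,
    }


# Constructed sample: 200 internet-facing assets, four open findings.
AS_OF = date(2021, 11, 16)
TOTAL_ASSETS = 200
SAMPLE_FINDINGS = [
    Finding("web-01.example", "unauthenticated RCE on admin endpoint",
            "critical", AS_OF - timedelta(days=30)),  # 30-day-old data source
    Finding("vpn-gw.example", "leaked service credentials",
            "high", AS_OF - timedelta(days=2)),
    Finding("mail-01.example", "missing HSTS header",
            "low", AS_OF - timedelta(days=1)),
    Finding("cdn.example", "expired TLS certificate",
            "medium", AS_OF - timedelta(days=1)),
]

if __name__ == "__main__":
    for key, value in posture_report(SAMPLE_FINDINGS, TOTAL_ASSETS, AS_OF).items():
        print(f"{key:>13}: {value}")
```

With this sample the aggregate comes out at 99.9 (an "A") while the gate fails on the RCE, and the RCE finding itself is 30 days old, so the score cannot even say whether it is still exposed today. The same gate logic applies unchanged to a continuously refreshed ASM feed; only the input changes.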


In summary, security scores are a high-level, observational, homogeneous benchmark that can serve as a starting point for improving an organization's cybersecurity posture. However, they become misleading when used in place of a proper attack surface management program, because they lack the required context, depth, and nuance.

Comparison between a security score rating platform and an ASM platform

Feature                               Security score rating      ASM platform
Comprehensive asset discovery         High-level and partial     In-depth and comprehensive
Continuous monitoring                 No                         Yes
Threat context                        Minimal                    In-depth and nuanced
Tech stack discovery                  No (few)                   Yes, with exposure and threat context
Business context                      No                         Yes, unique to each asset
Contextual exposure prioritization    No                         Yes, highly contextual
False positives                       High                       Very few
Quantifiable latency metrics          No                         Yes, in-depth at the asset level and continuously updated

How can Securin help?

The Securin platform is purpose-built for organizations that want a tailored solution to proactively protect their attack surface and continuously improve their security posture.