Communications of the ACM

ACM News

Into the Breach

Security scores assembled by QuadMetrics, now owned by FICO

A confluence of factors is helping to drive the market for cybersecurity risk management, including managing third-party risk, corporate self-monitoring, and due diligence related to mergers and acquisitions.

Credit: FICO

It should come as no surprise that data breaches have reached record levels. According to a study by the non-profit Identity Theft Resource Center and solution provider CyberScout, the number of U.S. data breaches during 2016 reached 1,093, an increase of 40% over 2015's "near record high" of 780.

In many instances, the hacking victim is not at fault. For example, the 2013 breach of Target Corp., in which the personal information of 70 million customers, as well as the data for 40 million credit and debit cards, was hacked, originated with a third-party heating, ventilation, and air conditioning (HVAC) vendor.

"Target is a classic example because it wasn't actually within the IT control domain where the problem happened, it was in facilities management," explains Mike Baukes, co-founder and co-CEO of UpGuard, a cybersecurity ratings firm. "A vendor, a third party, had access to Target's network, so when the third-party vendor was breached, Target got breached. The ability to understand third-party risks is key."

Assessing the cybersecurity of other businesses to gain insight into third-party risk has led to a new generation of start-ups providing solutions for the market. Companies such as SecurityScorecard, Bitsight Technologies, and UpGuard have leapt into the breach to create a new security ratings services sector. What Equifax, Experian, and TransUnion do for consumer credit ratings, and Moody's and Standard & Poor's do for business credit ratings, cybersecurity ratings firms are trying to do for that aspect of business.

"Companies invest a lot of money into their own security, but when it comes to the security of companies that they do business with, they have no insight into the security posture whatsoever of their partners," says Aleksandr Yampolskiy, co-founder and CEO of New York City-based SecurityScorecard. He explains the goal of cybersecurity ratings systems is to give companies the ability to measure each other's security and understand the true risk a firm could pose to its partners, should its cybersecurity be inadequate.

According to Cybersecurity Ventures, the global annual cost of cybercrime, which the firm estimated at $3 trillion in 2015, is expected to reach double that level in 2021, with data remaining the primary target of hackers. As a consequence, thwarting cybercrime is becoming big business, and companies are spending freely; Bank of America spent $400 million in 2015 on cybersecurity, and JP Morgan Chase's budget was $500 million.

A confluence of factors is helping to drive the market for cybersecurity risk management, whether it be managing third-party risk (as when large organizations on-board vendors), companies that want to monitor themselves for internal purposes, or due diligence related to mergers and acquisitions.

Underwriting for cyberinsurance is also propelling the market. Allianz, a global financial services provider with operations predominantly in the insurance and asset management businesses, estimates the size of the global cyber insurance market at $2 billion, with fewer than 10% of companies purchasing such policies. The market is expected to accelerate rapidly and exceed $20 billion in the next 10 years. "Insurers are finding it very difficult to understand what good versus bad risk looks like," UpGuard's Baukes says, adding that cybersecurity ratings give insurers the insight they need to assess the risks organizations carry. Such ratings ultimately allow them to price those risks, he says.

At FICO (formerly Fair, Isaac Corporation), head of cyber security solutions Doug Clare sees the cybersecurity market as regulatory-driven: "The Office of the Comptroller of the Currency, starting with OCC 2013-29, put banks directly on the hook for vendor performance, including security, so banks started applying more rigor towards evaluating their vendors on a security basis, and became interested in an ongoing monitoring approach, instead of a periodic review," he explains. "Outside of financial services, the Securities & Exchange Commission (SEC) has put the boards of publicly traded companies on the hook to be on top of the security challenges of the companies they oversee. There are a lot of reasons why people care now that didn't exist five years ago, and that suggests strongly that this would be a high value service."

That, Clare says, is why FICO entered the market. "We were having our annual conversation with our breach insurance company and they asked us, 'wouldn't it be great if there were a FICO (credit) score for cybersecurity'?" FICO was already bringing some analytics to market for cybersecurity threat detection, basically looking at network traffic and the like, and determined its brand was a perfect fit for the market. As a result, last June FICO acquired Quadmetrics, a cybersecurity ratings company that shared FICO's empirical and analytical approach.

How they do it

Cyber ratings firms measure and evaluate publicly available information in a non-intrusive manner, using a variety of techniques. Signals—which can be good, bad, or neutral—are gathered from billions of IP addresses from all over the Internet to glean subtle insight into companies' security postures. Some settings are easily detectable from outside a company's network, such as open ports, server settings (such as whether denial-of-service is enabled), SSL certificate practices, how domain name servers are organized, and even patching practices. "We scan every possible IP address on the Internet once weekly, in a non-invasive ping of assets," says Clare.

Cyber security raters might also deploy defensive lures and traps like sinkholes or honeypots to analyze Web traffic in order to detect the level of malicious behavior aimed at corporate networks from threats such as viruses, spamming software, malware, and botnets. "If a computer within a company's network is infected, typically the computer will beacon outside asking for instructions on what to do," says SecurityScorecard's Yampolskiy, and this activity will be detected. He adds that innocuous methods, such as identifying the software versions used by companies to create publicly available documents like PDFs, can be used to help determine if companies are updating their software on a regular basis. Additionally, hacker forums on the Dark Web can be monitored to see if any pilfered data surfaces, such as stolen credit card information up for sale.

"These signals can then be associated with individual companies and subsequently boiled down to a rating or a score, and companies can be benchmarked against their peers to determine the relative risk," says Yampolskiy. Proprietary algorithms and predictive modeling are typically added to the mix to build profiles of companies, and their performance trends over time are measured.
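As an added illustration of the pipeline the preceding three paragraphs describe (it is not code from any of the ratings firms quoted): one passive signal, the producing-software version read from a public PDF's metadata, is extracted and judged stale, then combined with other externally observable signals into a 0-100 score and benchmarked against peers. The sample PDF bytes, the version table, the signal weights, and the three companies are all constructed for the example.

```python
import re

# Constructed sample bytes shaped like a PDF Info dictionary (not a real document),
# and a hypothetical "latest known release" table a rater would maintain from vendor data.
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj\n<< /Producer (ExampleWriter 3.2.1) /Creator (Office) >>\nendobj\n"
LATEST_VERSION = {"ExampleWriter": (4, 0, 0)}

# Illustrative penalty weights for the externally observable negative signals named above.
WEIGHTS = {
    "expired_tls_cert": 25,       # SSL certificate practices
    "admin_port_exposed": 20,     # open ports visible from outside the network
    "beaconing_seen": 30,         # sinkhole/honeypot caught an infected host calling out
    "outdated_pdf_software": 10,  # patching practice inferred from document metadata
}

def pdf_producer(data: bytes):
    """Extract (product, version tuple) from a PDF's /Producer entry, or None."""
    m = re.search(rb"/Producer \(([A-Za-z]+) (\d+(?:\.\d+)*)\)", data)
    if not m:
        return None
    return m.group(1).decode(), tuple(int(x) for x in m.group(2).split(b"."))

def producer_outdated(data: bytes) -> bool:
    """True when the producing software is older than the latest known release."""
    found = pdf_producer(data)
    if found is None:
        return False  # no evidence is a neutral signal, not a bad one
    product, version = found
    latest = LATEST_VERSION.get(product)
    return latest is not None and version < latest

def score(signals: dict) -> int:
    """Start at 100 and subtract the weight of every negative signal present."""
    penalty = sum(w for name, w in WEIGHTS.items() if signals.get(name))
    return max(0, 100 - penalty)

def percentile_rank(company: str, scores: dict) -> float:
    """Share of peers scoring strictly below this company (1.0 = best of the group)."""
    peers = [s for name, s in scores.items() if name != company]
    if not peers:
        return 1.0
    return sum(1 for s in peers if s < scores[company]) / len(peers)

# Constructed observations for three hypothetical peer companies.
OBSERVED = {
    "alpha": {"outdated_pdf_software": producer_outdated(SAMPLE_PDF)},
    "bravo": {"expired_tls_cert": True, "admin_port_exposed": True},
    "charlie": {"beaconing_seen": True, "admin_port_exposed": True},
}
SCORES = {name: score(sig) for name, sig in OBSERVED.items()}
```

Absent evidence is treated as neutral rather than penalized, which matters for a rater that only sees what a company exposes publicly.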

Is the day coming when cybersecurity scores will be as ubiquitous as credit ratings? The demand certainly seems to exist. "The overall cyber risk market that is emerging will be the largest market in technology within 10 years because of the sheer amount of computing, programs, and capabilities being deployed into our everyday lives, like those that are appearing in IoT devices. The risk landscape changes every minute," says Baukes.

"I see a future where every single company in the world monitors themselves and others to gain insight into who they do business with," says Yampolskiy. "Security ratings will help companies in an interconnected world to trust each other by giving them the tools to instantly measure, communicate, and improve security."

FICO's Clare feels very optimistic about the market, concluding, "the availability of these tools is going to create a healthy degree of transparency, and markets perform best when there is transparency. This ought to raise the tide for everybody, and we feel pretty good about that."

John Delaney is a freelance technology writer based in Brooklyn, NY.