
Rating the CIO cyber-security quiz via BitSight's sinkhole approach

Martin Banks, January 17, 2020

Security rating services may prove to be one of the most practical cyber-security solutions now coming into play, because they deal with the reality of what is actually happening on a network, and that gives users a real handle on the risks they are dealing with.


Here is a quiz that CIOs might like to try on themselves. Your company is collaborating with, let’s say, five other businesses on a sensitive/skunkworks joint project where large amounts of data are being shared around and worked on between you. How certain are you of the security capabilities of those five partners?

They all have a vast array of security tools in place and seem to know how to use them. They have security policies that they say are all being applied properly. But does that mean those partners really are secure? How can you really tell?

Then try the slightly more nerve-wracking question: could you say the same about your own business? You have the security tools, you have the policies and you are sure your business is secure, but in the final analysis, is it? Really.

Now couple this suspicion with the certain knowledge that the ‘bad guys’ use all kinds of deviousness to hide their activities. Malicious code can still get in, and can lie around idly doing nothing for ages other than sending the occasional message back to its operator saying, ‘Still here, let me know when you want me to start.’

Therein lies a scenario that most anti-virus/anti-malware tools will not detect until it is too late. The best you can then hope for is quick and effective reactive remediation. But what about being proactive?

How does their security really rate?

One obvious solution is to check the security ratings for those partners and, while you are at it, check the rating for your company as well. This is a job for a specialist outfit with some interesting tricks of the trade.

I met up with Jake Olcott, VP of Business Development for one of the players in this specialised market, Boston-based BitSight, who told me:

Think of us as similar to a Standard and Poor's or a Moody's. We create a consumer credit-like score of an organization's cyber-security performance, which is very similar to a consumer credit ratings model and the type of thing that comes into play when you apply for a credit card or a home loan. The bank checks your history when it comes to making payments on time, and in a similar fashion, we are checking an organization's security performance.

The arrangement is significantly different, however. Those credit rating agencies are paid by the financial institutions they assess, and the institutions have a direct role in the assessment itself: the agencies base their ratings on the institution’s answers to questions about its business and financial position, and in the end have to trust that they are getting honest answers.

There are a couple of obvious question marks over this approach: one is the probity of the answers themselves, the other is the fact that the institutions being rated are the ones paying, which creates an inevitable potential for compromise.

According to Olcott, the business model adopted by BitSight is that payment comes from the company with the biggest need to know, the first party business. So, in the little scenario painted above, it would be the CIO who pays to get security performance reports on the company’s important business partners. This then suggests that BitSight has to go knock on those partners’ doors and ask cheerily, ‘Can we come in and ask how you do cybersecurity?’

As it happens, they don’t have to do that, said Olcott, arguing that the company can build a good picture of any company’s security posture from the outside, and without the company in question being involved, or even aware:

Ultimately, what we're trying to do with a security rating is to enable a business decision that factors cyber security into a broader business decision framework.

It does this by sitting on the outside of an organization and collecting a massive amount of security performance data from two main kinds of source: data sources that BitSight itself owns, and third party licensed data sources:

BitSight owns and operates the world's largest sinkhole network. What does that mean? When a bad guy is trying to break into your system, they're going to send you a spear phishing email. If you do not have the right security technology in place, you will click on that email and download malware.

The first thing that that malware is going to try to do is send a message back outside to the bad guy. Owning a sinkhole network means that we can intercept communications as they come back outside of the network. That is what gives us insight into what is happening inside. From the outside.

Building a sinkhole network depends on cyber-criminals working in certain ways and exploiting that. For example, they will often register domain names that serve as the command and control hosts for their malware. Some of those domains get seized or taken down, and some registrations simply lapse, giving BitSight the opportunity to register or take over the names and point them at its own servers. From then on, the infected machines that are still configured to call home to those domains send their check-in messages to BitSight’s sinkhole instead, and the source addresses of those messages reveal which organizations have infected hosts waiting for instructions.

They also use third party datasets to help build the security picture. For example, nearly every web page a user visits comes with many advertisements, and their delivery is usually handled by advertising delivery networks. Those networks need to know about the browser making the request, such as its type and version and the operating system it runs on, so that the ad content they serve does not break on the target computer. The same telemetry can reveal clients running outdated or unpatched software, and sometimes signs of infection:

What we do is trade some of our data to get access to some of their data, which shows a lot of really interesting things from a security perspective, such as companies running an outdated browser, an outdated operating system, a system that hasn’t been patched recently. We are continuously collecting a massive amount of security and performance data from all around the global Internet, and we use that data to understand the security posture of individual organizations.
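The two feeds described above, sinkhole beacons and ad-network client telemetry, are only useful once they are attributed to an organization. The following is an added example, not BitSight's code or a description of its model: it takes two constructed log samples, attributes each source address to a hypothetical organization by its public netblocks (longest prefix wins), parses the User-Agent strings for outdated browsers and end-of-life operating systems, and rolls the results up into per-organization findings with an illustrative score. All organization names, CIDR blocks, IP addresses, domains and thresholds are assumptions made for the example.

```python
"""Outside-in attribution of sinkhole beacons and client telemetry.

Added example, not BitSight's code. Two constructed feeds of the kind the
article describes are attributed to organisations by their public
netblocks and summarised into per-organisation findings. Every name, IP
address, domain and threshold below is made up for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical organisations and the public CIDR blocks they announce.
ORG_NETBLOCKS = {
    "acme-partner": ["203.0.113.0/24"],
    "globex-law": ["198.51.100.0/25"],
    "initech-cloud": ["198.51.100.128/25", "192.0.2.0/24"],
}

# Constructed sinkhole log: beacons from infected hosts whose C2 domain
# now resolves to the sinkhole. 8.8.8.8 is deliberately unattributable.
SINKHOLE_LOG = """\
2020-01-15T08:01:02Z 203.0.113.17 GET /gate.php?id=7f3a HTTP/1.1 Host: update-check.example
2020-01-15T08:01:40Z 203.0.113.17 GET /gate.php?id=7f3a HTTP/1.1 Host: update-check.example
2020-01-15T09:12:11Z 203.0.113.42 POST /panel/ping HTTP/1.1 Host: cdn-static.example
2020-01-15T09:30:00Z 198.51.100.200 GET /gate.php?id=11c0 HTTP/1.1 Host: update-check.example
2020-01-15T10:05:55Z 8.8.8.8 GET /gate.php?id=0000 HTTP/1.1 Host: update-check.example
"""

# Constructed ad-network telemetry: client IP and User-Agent, pipe separated.
UA_TELEMETRY = """\
203.0.113.9|Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
203.0.113.10|Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
198.51.100.5|Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36
198.51.100.130|Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
192.0.2.77|Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
"""

# Assumed policy thresholds (illustrative, not BitSight's): a browser below
# these major versions, or an end-of-life Windows release, is a finding.
MIN_BROWSER_MAJOR = {"Chrome": 78, "Firefox": 70}
EOL_OS_TOKENS = {"Windows NT 5.1": "Windows XP", "Windows NT 6.1": "Windows 7"}

SINKHOLE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) HTTP/\S+ Host: (?P<host>\S+)$"
)
UA_RE = re.compile(r"(Chrome|Firefox)/(\d+)")


def build_netblock_index(org_netblocks):
    """(network, org) pairs sorted most-specific first so /25 beats /24."""
    index = [(ipaddress.ip_network(cidr), org)
             for org, cidrs in org_netblocks.items() for cidr in cidrs]
    index.sort(key=lambda pair: pair[0].prefixlen, reverse=True)
    return index


def attribute_ip(ip, index):
    """Return the org owning the netblock that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((org for net, org in index if addr in net), None)


def parse_sinkhole_log(text):
    """Yield one dict per well-formed beacon line; skip anything else."""
    for line in text.splitlines():
        m = SINKHOLE_RE.match(line)
        if m:
            yield m.groupdict()


def browser_findings(ua):
    """Findings derived from a User-Agent string: old browser, EOL OS."""
    findings = []
    m = UA_RE.search(ua)
    if m and int(m.group(2)) < MIN_BROWSER_MAJOR[m.group(1)]:
        findings.append(f"outdated browser: {m.group(1)} {m.group(2)}")
    findings += [f"end-of-life OS: {label}" for token, label in EOL_OS_TOKENS.items() if token in ua]
    return findings


@dataclass
class OrgReport:
    beacons: int = 0
    infected_hosts: set = field(default_factory=set)
    c2_hosts: set = field(default_factory=set)
    client_findings: list = field(default_factory=list)  # (ip, finding)


def summarise(org_netblocks, sinkhole_text, ua_text):
    """Attribute both feeds to orgs; return (reports, unattributed beacons)."""
    index = build_netblock_index(org_netblocks)
    reports, unattributed = defaultdict(OrgReport), 0
    for rec in parse_sinkhole_log(sinkhole_text):
        org = attribute_ip(rec["ip"], index)
        if org is None:
            unattributed += 1          # beacon from outside any known partner
            continue
        reports[org].beacons += 1
        reports[org].infected_hosts.add(rec["ip"])
        reports[org].c2_hosts.add(rec["host"])
    for line in ua_text.splitlines():
        ip, ua = line.split("|", 1)
        org = attribute_ip(ip, index)
        if org is not None:
            reports[org].client_findings += [(ip, f) for f in browser_findings(ua)]
    return dict(reports), unattributed


def simple_score(report):
    """Illustrative score only: start at 100, deduct per infected host and client finding."""
    return max(0, 100 - 15 * len(report.infected_hosts) - 5 * len(report.client_findings))


def run_example():
    return summarise(ORG_NETBLOCKS, SINKHOLE_LOG, UA_TELEMETRY)


if __name__ == "__main__":
    reports, unattributed = run_example()
    for org, rep in sorted(reports.items()):
        print(f"{org}: score={simple_score(rep)} beacons={rep.beacons} "
              f"infected={sorted(rep.infected_hosts)} findings={rep.client_findings}")
    print(f"unattributed beacons: {unattributed}")
```

The two points worth noticing are the longest-prefix match, which is what keeps a beacon from 198.51.100.200 attributed to the organization announcing 198.51.100.128/25 rather than the one announcing 198.51.100.0/25, and the fact that a beacon from an address in a partner's netblock is evidence of an infected host inside that partner without any access to the partner's network; this is the "from the outside" insight the quote above describes.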

It’s risk management in the end

One of the most common use cases for BitSight is third party risk management, in particular the risk that stems from working with business partners. Some businesses have hundreds of them, including contractors and subcontractors, cloud providers, law firms and consulting firms.

One factor driving this, especially in Europe, is GDPR, under which a business that handles personal data on behalf of another is a data processor, and the business it acts for is the controller. GDPR requires the controller to use only processors that provide sufficient guarantees that appropriate technical and organisational measures are in place, which in practice means assessing a processor’s security before engaging it and keeping that assessment current throughout the relationship, so the security component of that assessment is crucially important.

This is also not a one-time only job. Most businesses will have a need to understand the ongoing security posture of third party data processor organizations to ensure their security holds up well during the lifetime of a business relationship. New attack vectors and vulnerabilities will continue to emerge. This is why BitSight is offering a subscription service so that a first party business can have on-going reporting on its third party partners.

The company also offers a First Party Performance Management service, where a company can put itself under the same level of inquiry and surveillance, said Olcott:

That is becoming very important, because CIOs and CTOs are being held accountable for demonstrating strong security performance. They've had challenges in deciding what data to share with the CEO or Board that shows the effectiveness of their security programme. And so a lot of folks are turning to security ratings as a way of providing some independent, objective data. They need to be able to show that the things that they are investing in from a governance or security technology perspective are actually working.

Most businesses spend a good part of their time looking for new or additional opportunities to explore and I put it to Olcott that adding a remediation management service might just be one. For example, feeding details of those ‘malware ready and waiting’ messages back into a tool like Splunk could allow a business to pinpoint the where/how/who of the malware’s entry process, as well as helping with its removal or quarantine.

ServiceNow was another obvious candidate to which BitSight could provide comprehensive source data for any remediation ticket. Olcott told me:

We now have a partnership with ServiceNow, where our data informs workflow that can be generated by them in terms of vendor outreach. The whole goal is for this relationship to create meaningful value for the customer.

This could prove to be an interesting tool, particularly for unsuspecting third party businesses: the first time they hear of a security issue identified by BitSight may be an outreach ticket generated from their customer’s ServiceNow workflow, telling them that remediation is needed. They may be surprised, but they would be foolish to be ungrateful.

My take

There is more than a touch of the ‘cloak and dagger’ about this, and I can imagine some companies being put off, or at least unnerved, by the thought of a ticket suddenly announcing that they have a cyber-security hole ‘here’ and ‘here’, and that remediation is needed urgently. But one of the key questions, especially given the increasing levels of operational complexity and cross-company collaboration that are now commonplace, is how one tells whether a business is actually secure. You may have invested in every known security tool, you may have robust security policies in place, but you might still leak like a sieve. The ability to observe a business objectively from the outside, and to identify those leaks, may prove to be a better option than anything else.
