Whether it’s vendors that provide an external grade/score of a company’s risk, threat intelligence platforms or vulnerability management vendors, everyone is looking for the ultimate “risk score”.
A Risk Score is like a home inspection report. It makes us feel like we are making good decisions in buying a new home by telling us what could go wrong next, but the inspection doesn’t really find everything that is wrong or prepare us for the dirty truths already present in the home. It could tell us that there is a mouse hole that needs to be covered up, but not whether a mouse is actually inside. While we have a lot of promises around machine learning and AI to piece together seemingly random indicators of compromise (IOC), the burden still falls on the analyst to make sense of a discovery of “mouse droppings”. That is for another blog, but the point is, does a risk score provide you with true insights into whether an infestation is already present?
Exposing Risk Scores and Threat Intelligence: A Game of Guessing
So, what’s the point of the risk score? It can vary depending on what your objectives are:
A False Sense of Security
So, all these risk scores are based on the “potential” for attackers to exploit known gaps in your security. They certainly make you feel like you are doing all you can to prevent a breach, but are you? Basically, the promise of these risk scores is to help you become “less attractive,” or at least more difficult, for threat actors to attack, but how are these risk scores even calculated? Is the telemetry consistent from organization to organization or asset to asset? Does working with a vendor with a “high score” mean you won’t get compromised? Is one vendor’s score superior to another? And if so, why?
The reality is, it’s a leap of faith to trust in any of these scores without knowing how they were even formulated. Do we want that kind of uncertainty when dealing with sophisticated attackers and the well-documented impacts to our businesses?
Regardless of the risk score’s “accuracy,” why is there so much focus on “potentials” when most of our money is spent on detection and prevention? Even an indicator is just an indicator. I need to find droppings whenever they are dropped, determine the age of a mouse hole or spot changes to it, and chase down other indicators, but what are the odds of me being up at 3am when the house is quiet to possibly catch a hungry mouse in action? I need a better way than simply relying on a combination of risk scoring and indicators. I need current and accurate evidence. What if you had damning evidence that a rodent had made its way inside and could pinpoint where it was within 24 hours?
Personally, I’d rather have evidence of an active and current compromise: whether I have a mouse or, worse, a RAT, where it is, and how it comes and goes. Risk scoring can certainly help provide better awareness and get you to improve your defense, but we put too much emphasis on it providing true resistance against a breach. Threat intelligence requires resources to filter through it, and XDR platforms can certainly make some use of it to shrink dwell time, but even with that improvement attackers spend on average 60 days within your environment before detonating the primary objective of the campaign. The reality is that as we come up with more automation and smarter systems, attackers are relying on even simpler techniques to circumvent them. We need something different that shifts detection far to the left. We just need to KNOW, not keep guessing.
To learn how compromise intelligence literally takes the guesswork out of the current state of your security through hard evidence of compromise, please visit Prevailion to learn more.