The Ugly Truth About Risk Scores and Threat Intelligence

Prevailion, Inc.

By Sanjay Raja, VP of Marketing

Whether it's vendors that provide an external grade/score of a company's risk, threat intelligence platforms or vulnerability management vendors, everyone is looking for the ultimate "risk score".

A risk score is like a home inspection report. It makes us feel like we are making good decisions in buying a new home by telling us what could go wrong next, but the inspection doesn't really find everything that is wrong or prepare us for the dirty truths already present in the home. While we have a lot of promises around machine learning and AI to piece together seemingly random indicators of compromise (IOCs), the burden still falls on the analyst to put together puzzle pieces. So, does a risk score or even random bit of threat intelligence provide you with immediate insights into whether an infestation is already present?

Risk Scores and Threat Intelligence: A Game of Guessing

So, what's the point of the risk score? It can vary depending on what your objectives are:

1. Assessing 3^rd-party risk, aka Third-Party Risk Management: In its simplified form this is all based on assessing the perimeter or external "attack surface" of an organization and combining that with scanning news on the internet, Darkweb, etc., and coming up with a risk-of-doing-business-with-that-vendor score. One major problem with this type of scoring is that the quality of the data used to calculate the score varies for every organization and thus the risk score isn't necessarily consistent.
2. Making sense of threat intelligence: Many cyber threat intelligence sources provide threat severity scores that rate the potential impact of each threat. While this is nice for comparing one threat to another, it isn't very useful unless it can be applied to your infrastructure.
3. Vulnerability risk: Vulnerability vendors, even when combined with threat intelligence, only on rare occasions can map known vulnerabilities active in the wild against your current assets. That is great for patching a potentially vulnerable asset but does not do anything for detection of a successful compromise that has circumvented these layers.

How are these risk scores even calculated? Is the telemetry consistent from organization to organization or asset to asset? Does working with a vendor with a "high score" mean you won't get compromised? Is one vendor's score superior to another? And if so, why?

The reality is, it's a leap of faith to trust in any of these scores. Do we want that kind of uncertainty when dealing with sophisticated attackers and the well-documented impacts to our businesses?

Attackers spend on average 60 to 250 days within your environment before the final detonation of malware/ransomware. What is needed is a new approach to actively monitor for current compromise and KNOW whether I have a mouse or worse, a RAT, where it is and how it comes and goes.

To learn how Continuous Breach Monitoring can significantly reduce your Mean-Time-To-Detection and Mean-Time-To-Response, please visit Prevailion to learn more.