When it comes to understanding the security risks an organization faces, a good place to start is to first understand what technologies are in place. That's the basic premise behind the visibility technology offered by UpGuard, which also now offers a scoring system called Cybersecurity Threat Assessment Report (CSTAR), based on an organization's security posture to help assess risk.
UpGuard is the new name for ScriptRock, which originally was not positioned as a security vendor. The basis of the original ScriptRock platform was visibility into servers, network appliances and other technology devices in an organization to analyze packages installed and configuration states, according to Alan Sharp-Paul, co-founder and co-CEO for UpGuard.
"What we realized is that by building tools that help companies understand and get visibility into their state, we can also help to mitigate risk and ensure security," Sharp-Paul told eWEEK. "We're not a security company; we call ourselves a digital resilience company, helping companies to understand what they have."
Another realization that Sharp-Paul made is that insurance companies are lacking the information they need to make informed decisions about cyber-security risk issues. In Sharp-Paul's view, modern IT security is no longer just about attempting to prevent attacks—it's also about risk mitigation.
"The cyber-insurance market today is broken because the actuarial tables for insurance companies don't exist," Sharp-Paul said. "Businesses don't understand their state, and insurance companies don't either."
To help both insurance companies and the organizations they insure properly understand risk, UpGuard is launching CSTAR, which provides a FICO-like score to help assess cyber-security risk. The CSTAR score is based on multiple factors, including an internal scan of an organization's technology assets that looks at compliance, configuration and security information. The internal scan is coupled with an external scan of an organization's infrastructure to help create the risk score.
Mike Baukes, co-founder and co-CEO of the company, explained that UpGuard's visibility scanning can also assist organizations in understanding the integrity of their IT infrastructure, which can help organizations deal with unplanned and unmanaged change.
The internal scan of an organization is not a blind scan, but rather it requires the use of some form of administrative or system credentials to get configuration information from devices.
"Passive networking monitoring just on traffic really doesn't give you the configuration insights that you need to understand risk," Baukes told eWEEK.
For the external scan, UpGuard is not performing a full external penetration test that looks for vulnerabilities. Rather, Baukes explained that the external scan looks at common elements such as the proper use of Secure Sockets Layer/Transport Layer Security (SSL/TLS) for Web security, the integrity of MX mail records and DNS records for Website domains.
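To make the kind of external, unauthenticated check described above concrete, here is an added example (not UpGuard's code, and not how CSTAR is computed) that evaluates a constructed snapshot of what such a scan could observe for a domain: the TLS versions a web server accepts, certificate expiry, and whether MX and DNS records are consistent. The snapshot values, the check thresholds and the score weights are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed snapshot of externally observable posture for a placeholder domain
# (not real data; hostnames and addresses are reserved example values).
SNAPSHOT = {
    "domain": "example.test",
    "tls_versions": ["TLSv1.0", "TLSv1.2"],      # protocol versions the web server accepts
    "cert_not_after": date(2016, 3, 1),         # certificate expiry date
    "cert_matches_host": True,                  # certificate name matches the web host
    "mx": ["mail.example.test", "backup.example.test"],
    "a_records": {"example.test": "192.0.2.10", "mail.example.test": "192.0.2.25"},
}

DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # assumed policy: treat as findings
WEIGHTS = {"high": 25, "medium": 10, "low": 5}             # assumed weights, not CSTAR's

def external_findings(snap, today):
    """Return (severity, message) pairs for the snapshot, judged relative to `today`."""
    findings = []
    bad = sorted(set(snap["tls_versions"]) & DEPRECATED_TLS)
    if bad:
        findings.append(("high", "deprecated protocol(s) accepted: " + ", ".join(bad)))
    if not snap["cert_matches_host"]:
        findings.append(("high", "certificate does not match the web host"))
    days_left = (snap["cert_not_after"] - today).days
    if days_left < 0:
        findings.append(("high", "certificate has expired"))
    elif days_left < 30:
        findings.append(("medium", f"certificate expires in {days_left} days"))
    if not snap["mx"]:
        findings.append(("medium", "no MX records; mail for the domain is undeliverable"))
    for host in snap["mx"]:
        if host not in snap["a_records"]:  # an MX target with no address record is a dangling MX
            findings.append(("medium", f"MX target {host} has no address record"))
    if snap["domain"] not in snap["a_records"]:
        findings.append(("low", "web domain has no A record"))
    return findings

def posture_score(findings):
    """Map findings to a 0-100 score, higher meaning better posture (illustrative scale)."""
    return max(0, 100 - sum(WEIGHTS[sev] for sev, _ in findings))

def assess(snap=SNAPSHOT, today=date(2016, 2, 15)):
    """Run the checks against the constructed snapshot on a fixed date and return both results."""
    findings = external_findings(snap, today)
    return findings, posture_score(findings)

if __name__ == "__main__":
    found, score = assess()
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("score:", score)  # 55 for the constructed snapshot
```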
Going a step beyond giving organizations visibility and providing a score, UpGuard can also give companies direction on where and how to remediate risks via integration with popular configuration management tools.
"If you come across a problem, not only can you drill down to the exact line or package, but you can generate a Chef, Puppet, Ansible or Microsoft DSC [Desired State Configuration] file to remediate issues," Baukes said. "It's a virtuous cycle of being able to see a problem and then resolve the problem using one of the common configuration tools that are out there."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.