SecurityScorecard Detects, Rates Security of Third-Party Suppliers

New technology aims to help discover and rate the security of an organization's extended list of third-party suppliers.


Modern enterprises face many kinds of threats, including security risks and vulnerabilities in the third-party vendor technologies they depend on. Aleksandr Yampolskiy, CEO and co-founder of SecurityScorecard, is tackling that challenge head-on with his company's new Automated Vendor Detection (AVD) capability, which can identify the vendors an organization uses and rate their security.

Yampolskiy, who holds a Ph.D. in cryptography from Yale University and has worked at Microsoft, Oracle and Goldman Sachs, started SecurityScorecard in 2013 after realizing that he could build a company to address the challenge of multivendor risk.

"The question that kept me awake at night was, I had a good grasp of security at my own company but when it came to my vendors, partners and suppliers, I was left in the dark if they were as diligent as I was to protect my data," Yampolskiy told eWEEK.

SecurityScorecard, which employs approximately 60 people and is headquartered in New York City, raised $12.5 million in a Series A round of funding led by Sequoia Capital in March 2015. The company monitors millions of signals and terabytes of data collected from across the Internet about companies worldwide. The scorecard then rates the security of each company as it is observable from outside the organization, according to Yampolskiy.

The new piece of the SecurityScorecard platform that is now launching is the ability to automatically discover the vendors that an organization is using. Yampolskiy said that most organizations face an unknown downstream risk when doing business today, as they don't always know all of the suppliers that their own vendors might be using.

For example, an organization may be doing business with a partner that uses Dropbox to store its files, Slack for communication and GitHub to store source code. If any one of those vendors (Dropbox, Slack or GitHub in this example) is breached, the partner is exposed, and through the partner so is the original organization.

"So we have built and patented a technology that can automatically discover a list of partners that a company might be using without the need for that company to first tell us who they are," he said. "We're looking at various traces of information that could indicate to us that a particular third-party service is being used by a company."

SecurityScorecard uses multiple techniques to gather data that informs the Automated Vendor Detection engine, Yampolskiy said. The collected data is then passed to SecurityScorecard's machine learning algorithms to help improve accuracy and reduce the risks of false positives. SecurityScorecard makes use of proprietary crawler and scraping technologies as well as some open-source tools, including Elasticsearch, he added. The Elasticsearch technology is based on Apache Lucene and provides search engine capabilities.
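The article says AVD infers which third-party services a company uses from "traces" visible from outside, and that a later scoring step weeds out false positives, but it does not describe the actual signals. The following is an added example, not SecurityScorecard's patented method or code, that illustrates one kind of trace a practitioner can check: public DNS records. SaaS vendors routinely require customers to publish MX hosts, SPF `include:` entries, domain-verification TXT tokens or CNAME targets that name the vendor. The fingerprint table, the weighting scheme and the threshold are this example's own assumptions, and the records for `example.com` are constructed, not real lookups. Dropbox and Slack, two of the article's examples, usually leave no such DNS trace, which is why a real detector needs other evidence sources as well.

```python
"""
Infer third-party vendors from a domain's public DNS records.

Added example, not SecurityScorecard's code. The fingerprints are
well-known DNS artefacts left by common SaaS vendors; the weights and
threshold are assumptions chosen to show how weak signals (a lone
verification token, possibly stale) are kept apart from strong ones
(mail actually routing through the vendor). Sample records are
constructed for a hypothetical example.com.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# (record type, regex on the record value, vendor, evidence weight)
FINGERPRINTS: List[Tuple[str, str, str, int]] = [
    ("MX",    r"(^|\.)aspmx\.l\.google\.com\.?$",                  "Google Workspace", 3),
    ("TXT",   r"^v=spf1 .*include:_spf\.google\.com",              "Google Workspace", 2),
    ("TXT",   r"^google-site-verification=",                      "Google Workspace", 1),
    ("MX",    r"\.mail\.protection\.outlook\.com\.?$",            "Microsoft 365",    3),
    ("TXT",   r"^v=spf1 .*include:spf\.protection\.outlook\.com", "Microsoft 365",    2),
    ("TXT",   r"^MS=ms\d+",                                       "Microsoft 365",    1),
    ("TXT",   r"^v=spf1 .*include:sendgrid\.net",                  "SendGrid",         2),
    ("TXT",   r"^atlassian-domain-verification=",                 "Atlassian",        1),
    ("CNAME", r"\.github\.io\.?$",                                "GitHub Pages",     3),
    ("CNAME", r"\.herokudns\.com\.?$",                            "Heroku",           3),
    ("CNAME", r"\.cloudfront\.net\.?$",                           "AWS CloudFront",   3),
    ("CNAME", r"\.zendesk\.com\.?$",                              "Zendesk",          3),
]

# Constructed records for a hypothetical example.com (owner name, type, value).
SAMPLE_RECORDS: List[Tuple[str, str, str]] = [
    ("example.com.",         "MX",    "aspmx.l.google.com."),
    ("example.com.",         "MX",    "alt1.aspmx.l.google.com."),
    ("example.com.",         "TXT",   "v=spf1 include:_spf.google.com include:sendgrid.net ~all"),
    ("example.com.",         "TXT",   "atlassian-domain-verification=AbCdEf0123"),
    ("example.com.",         "TXT",   "MS=ms12345678"),
    ("docs.example.com.",    "CNAME", "example-org.github.io."),
    ("support.example.com.", "CNAME", "example.zendesk.com."),
    ("static.example.com.",  "CNAME", "d111111abcdef8.cloudfront.net."),
]


def match_signals(records: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[str, int]]]:
    """Return {vendor: [(evidence line, weight), ...]} for every fingerprint hit."""
    hits: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for name, rtype, value in records:
        for ftype, pattern, vendor, weight in FINGERPRINTS:
            if rtype == ftype and re.search(pattern, value, re.IGNORECASE):
                hits[vendor].append((f"{rtype} {name} -> {value}", weight))
    return hits


def detect_vendors(records: List[Tuple[str, str, str]], threshold: int = 2):
    """Split matched vendors into confident detections and weak leads.

    A vendor is reported as detected only when its accumulated evidence
    reaches `threshold`; a lone verification token stays a lead for
    analyst review instead of becoming a false positive.
    """
    detected: Dict[str, dict] = {}
    leads: Dict[str, dict] = {}
    for vendor, evidence in match_signals(records).items():
        score = sum(weight for _, weight in evidence)
        bucket = detected if score >= threshold else leads
        bucket[vendor] = {"score": score, "evidence": [line for line, _ in evidence]}
    return detected, leads


if __name__ == "__main__":
    found, weak = detect_vendors(SAMPLE_RECORDS)
    for vendor, info in sorted(found.items()):
        print(f"DETECTED {vendor} (score {info['score']})")
        for line in info["evidence"]:
            print(f"    {line}")
    for vendor, info in sorted(weak.items()):
        print(f"LEAD     {vendor} (score {info['score']}): {info['evidence'][0]}")
```

Run against the constructed records, the script reports Google Workspace, SendGrid, GitHub Pages, Zendesk and AWS CloudFront as detected, while Atlassian and Microsoft 365 surface only as leads: each rests on a single verification token, which proves the domain was once claimed in that vendor's console but not that the service is still in use. Passive DNS, TLS certificate transparency logs, HTTP headers and linked JavaScript hosts are further trace sources a fuller detector would fold into the same scoring.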

Looking forward, Yampolskiy said that SecurityScorecard is continuing to expand its capabilities and is building various analytics modules for cyber-insurance.

"We're doubling down on new ways to gather intelligence and reconnaissance," he said.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.