Security Operations Center (SOC) analysts are an organization’s last line of defense against cybercriminals. They’re the security team members who respond to breaches, investigate threats, and analyze vulnerabilities in an organization’s own cybersecurity and those of its third parties.
It’s a necessary role because cyber incidents are on the rise. According to Allianz’s 2020 Risk Barometer, cyber incidents are on the rise. In 2019, cyber incidents increased by 37 percent; breaches are becoming larger and costing more, ransomware attacks are increasing, and some companies may even face lawsuits after a breach.
With so much on the line, SOC analysts need to stay proactive, scanning for threats before an attack takes place.
That’s why cyber risk scores are such an important tool.
What is a cyber risk score?
A risk score, or a security rating, is a way of evaluating an organization’s ability to protect its data and networks
It may help to think of security ratings as a sort of credit rating. A credit check reviews your public financial data and history — whether you are making payments on time, and if you have a line of credit — and comes up with a score that tells a bank if you’re a good risk for a loan. It doesn’t tell the bank everything, but the bank knows enough from your credit score to make a decision about lending you money.
A cyber risk score reviews your public-facing online assets and your history to see if your organization is reasonably secure: do you have unsecured assets, for example? Are leaked credentials from your organization online? Do you have a history of being hacked? Then that information is used to create a score. Organizations use that score to help them know which organizations they should partner with, and cyber insurance companies use that information to better understand which companies are a good risk.
You can also use that score to proactively reduce your organization’s risk. How?
Here are 5 techniques SOC analysts use to stay proactive:
1. Continuously monitor the risk scores of your third parties
Traditional third party management programs include a lot of paperwork and footwork — questionnaires, in-person security assessments, and penetration tests. They’re also static; once a questionnaire is submitted or a site visit is done, all you have is a snapshot of how that third party’s security was during the assessment itself.
Cyber risk scores help you keep an eye on vendor’s cybersecurity all the time. If those scores dip, you know immediately that something is wrong with a vendor, and that you need to contact them as soon as possible.
2. Ask questions
Because a SOC analyst is an investigator, they know that they’ll need more than a cyber risk score to verify the security of an organization. A score change might not mean that an organization’s been hacked but may signal something that’s easily fixed: an unsecured Amazon Web Services bucket for example.
That’s why it’s important for SOC analysts to use scores as indicators that guide their work, just as an investigative reporter might use an anonymous tip to start investigating a story. So once a SOC analyst sees a change in a cyber risk score at a vendor, for example, it’s time to pick up the phone and get in touch with that third party.
3. Look at your own organization’s risk score
Organizations tend to be anxious about their third parties’ cyber risk, and that’s normal. Vendors often have access to your data and networks, but you don’t have control over your third parties’ cyber hygiene the way you have control over the processes of your own organization. Cyber risk scores provide an important window into that risk.
But what about your own organization’s risk? You’re most often seeing that risk from the inside out: you know about your policies, your training, and your penetration tests. A smart SOC analyst knows that it’s important to check your own public online assets, so you can see your risk as an outsider might. You might find something you can’t see from the outside, like hacker chatter or credentials you didn’t realize were leaked.
4. Use scores to inform your internal probes
Cyber risk scores become powerful security tools when they’re used in conjunction with other internal security measures, like internal vulnerability probes and penetration tests.
By combining external and internal scans, an analyst can form a complete picture of their organization’s cybersecurity posture.
5. Think of cyber risk scores as an alarm system
While you should never use cyber risk scores alone to determine risk — you should always combine them with other security controls – they’re an important indicator that something might be wrong with the cybersecurity of an organization. In fact, it may help to think of them like a burglar alarm.
You set a burglar alarm after you check the security of your house. You make sure the doors and windows are locked, and any valuables are secured first, then you set the alarm and leave. If the burglar alarm goes off, you might be reasonably sure a robber can’t get into your safe, but you also know you should check on your house.
The alarm might have gone off for nothing — maybe someone was walking too close to your front door – or the alarm might be telling you that someone broke a window and is in your house right now.
Cyber risk scores are the same — first, secure your assets traditionally, then use scores as a way to continuously monitor the risk of an organization. As soon as a score dips, check it out. It could be nothing, but it could be something.
How SecurityScorecard can help
SecurityScorecard’s ratings allow you and your organization’s business stakeholders users to continuously monitor the public-facing assets of your company and your third parties. Our platform alerts you to problems as soon as they appear and automatically generates a recommended action plan when any issues are discovered so you can stay proactive.
By monitoring the cyberhealth of your extended enterprise, you’ll be able to collect data on your cybersecurity efforts and make informed security decisions in the future.