Understanding Security Rating Services
Security Rating Services (SRS) are tools designed to evaluate an organization's cybersecurity risk posture. These quantifiable ratings are valued because they provide an independent assessment of an organization’s security posture. Common use cases for SRS include:
- Monitoring how an organization’s rating changes over time
- Assessing the impact of new cybersecurity initiatives and tools
- Benchmarking the security of third-party organizations
While the value of SRS may seem compelling, they often prove impractical. Many security practitioners struggle to make use of these services because the ratings they provide lack context. The limitations of SRS can be summarized as:
Lack of fidelity
SRS are designed to provide only a high-level rating. They were not built to provide risk analysis and scoring for individual assets. As a result, critical risks can be masked by an organization's overall SRS rating. Furthermore, SRS are not designed to scan for external-facing assets, so some risks go undiscovered.
Low accuracy
SRS tools are only capable of assessing a limited number of factors when calculating a score. This limitation can give organizations a false sense of security and leave them exposed. Security teams often have to use additional tools and workflows to close the gap and find risks undiscovered by SRS.
False positives
SRS tools do not verify whether the risks that they have detected are exploitable. This results in teams spending time searching for vulnerabilities that are not there and applying unnecessary fixes. As a result, false positives have a direct impact on the operational efficiency of organizations.
Unactionable results
SRS technologies provide scores without context or recommendations for teams to evaluate and act on. Security teams must conduct additional research to interpret the results provided by SRS and determine the appropriate steps to remediate any discovered risks. This dramatically slows response times.
Introducing Hadrian
Hadrian’s platform is built with the hacker’s perspective in mind, assessing the posture of an organization using the same methodology as a real-world adversary. The platform’s Orchestrator AI analyzes every asset and attack vector, determining both a high-level organization score and ratings for each asset associated with the organization.
Hadrian assesses a vast array of potential exploits to accurately determine the risks, and the platform self-validates its findings to remove false positives. Built to provide actionable insights, Hadrian records the attack vector for each risk, allowing security teams to understand how the score was determined, and provides detailed remediation instructions for each discovered risk.
Hadrian key features
- Executive reporting
Easily report on the overall security posture of organizations with quantifiable scoring along with recent changes and top risks for the organization to prioritize. Detailed information can also be
- Risk inventory
Quickly drill into the specifics. Hadrian catalogs all of your external-facing assets into a searchable database. Easily filter them and drill down into their associated risks for detailed insights.
- Attack vector analysis
Understand exactly how hackers could exploit your risks with verified attack vector information. Hadrian’s platform records the techniques it used, giving security teams additional insight.
- Remediation instructions
Improve your security posture by remediating risks using Hadrian’s instruction guides. Created by Hadrian’s in-house hacker team, they guide teams through the correct steps.
Risks detected by Hadrian
- Passive vulnerability detection & validation
  - 1000s of CVE fingerprints
  - 100s of CVE exploit PoCs
  - DoS attack vulnerability detection
  - Host header injection detection
  - Exposed session cookies detection
  - Weak TLS/certificate detection
- Active vulnerability detection & validation
  - Zero-day vulnerability detection
  - Active sub(domain) takeover detection
  - SQL injection detection
  - Open redirection detection
  - Credential stuffing (weak password detection)
  - Unrestricted file upload detection
  - Open-proxy detection
- Reconnaissance
  - Open S3 bucket detection
  - RDP exposure detection
- Sensitive files detection
  - Backup file exposure detection
  - Credential leak detection in exposed configuration files
  - Credential leak detection in exposed GitHub environments
  - API key detection
  - Source code detection
  - Insecure .xml file detection