UpGuard analyzes data about the state of corporate networks to devise a single numerical score that gives a quick sense of security risk, a number that could be used by insurance companies to set premiums for cyber insurance.
The UpGuard platform includes a scanner that evaluates exposure of publicly facing Web interfaces and determines the risk of breaches. This is augmented by analysis of data about the internal network from sources including existing security platforms and software services via APIs or from Windows Remote Management.
That is rolled up into a number – the Cybersecurity Threat Assessment Report (CSTAR) – that capsulizes how vulnerable a network is to attacks, the company says. In addition to the number, the platform enables drilling down into what weaknesses it has found so customers can take remedial action.
Garrett Koehn, regional director for cyber-insurance wholesaler CRC Insurance Services, says CSTAR could represent a needed analysis. In insurance, well established standards are used, say, to determine the level of fire risk to a structure and to set premiums. “We really don’t have anything like that,” he says about cyber insurance.
In addition, brokers work with their clients to manage their risk, and CSTAR could help direct what steps they recommend to improve risk profiles, he says. The score is a measure of susceptibility to attack as opposed to a measure of how severe the damage might be if an attack succeeds.
Koehn says CRC is starting to rollout the platform now.
UpGuard’s platform was initially designed for mapping networks against compliance standards and alert network security pros of security exposures. The company has built a new set of features on top that adds scrutiny of networks’ susceptibility to external attack.
This addition marks a change in focus that led the company to change its name from ScriptRock, adopted when the company formed in 2012, to UpGuard. UpGuard is also the name of its platform, says Mike Baukes, co-CEO of the company along with Alan Sharp.
The company fills a niche and doesn’t have a lot of competition, says Rob Stroud, an analyst with Forrester Research.
The score could be useful to CISOs and CSOs when they have to report to their boards about how effectively they are managing risk, Stroud says. “You’re trying to give assurances your environment meets minimum standards,” he says.
That’s a tough goal given that “minimum standards” is a term for what is essentially a moving target that doesn’t come with many specific requirements that should be met.
UpGuard is privately funded and based in Mountain View, Calif.