ScriptRock changes name, branches out to security, delivers cybersecurity scoring

FICO scores are the standard measure for credit worthiness. ScriptRock (now UpGuard) is attempting to create its own standard measure for security: CSTAR

data security

The startup formerly known as ScriptRock is all about helping enterprises gain the sort of agility that they see on a daily basis from consumer Internet brands but seem so unable to replicate. Australian by origin, but now in the U.S. by location, ScriptRock's co-founders escaped the country of their birth and are firmly ensconced in Silicon Valley, attempting to evangelize their message of enterprise IT agility through clear visibility across the IT systems in play.

Today sees them change their company name to UpGuard in an attempt to better reflect their new strategy and focus. The company's product, GuardRail, helps IT departments understand how their various systems are operating. By giving a single pane of glass view across the myriad of systems in use within an enterprise, GuardRail helps to enable a more agile operation. GuardRail is integrated with a host of orchestration tools such as AnsibleWorks, Puppet and Docker.

ScriptRock has steadily grown more aware that security is one of the ongoing issues that hinder enterprise agility, and to that end the company is today launching a new security configuration management tool that they hope will allay CISO fears, as well as create a foundation for more agile practices across the IT organization. The new tool automatically scans every server, network device, application and mobile device in an IT environment to create a living model of configuration state, while automatically monitoring them for security vulnerabilities and configuration drift.

It provides a framework to create policies that notify customers of changes across their entire infrastructure in real-time. In addition, its time-based model allows them to track security configurations over time to better understand and play back the impact of configuration changes and drifts. 

Alongside the security scanning tool, ScriptRock is trying to push a new security scoring methodology. The CSTAR (Cybersecurity Threat Assessment Report) score is a composite measure based on the vulnerability discovery and scanning of server, network devices, applications and mobile device configurations. The idea of the score is to allow businesses to rate their overall risk, the potential for data breaches and unplanned outages -- and detect where all of these vulnerabilities exist. Essentially it calculates the insurability of enterprise IT assets against breaches; UpGuard's CEO, Mike Baukes puts it simply: "Once you understand something, you're in a position to fix it."

According to the company, they actually have partnerships with some large insurance providers who will be leveraging the CSTAR score when determining insurance coverage and cost. If this is the case, this takes CSTAR from being a moderately interesting idea, one that is more about a vendor's attempts to create a marketing angle, to one which is actually useful. I wanted to grill Baukes on this topic but, frustratingly, there wasn't much he could divulge. What he could tell me, however, was that the various partners understand the risk score and can use it to assess policies externally.

"Existing customers using the product can unify the internal and external score to use in consideration with their insurance providers for premium discussions," Baukes said. "We are also releasing an extension for browsers that allows the public to see an anonymous score for sites."


Clearly cybersecurity is a massive issue and one which will be increasingly of concern to company executives and boards of directors who hold liability for data breaches. And where potential liability exists, massive opportunity for insurers also lurks. Traditional models of calculating insurance premiums and assessing insurer's risk are fairly archaic and by tying the insurance metrics directly to the actual security score for an organization, UpGuard is opening up the potential for better results for both insurers and the insured parties.

It's always hard for an individual vendor to gain traction for a new measurement standard, and time will tell whether CSTAR gets broad uptake. In general, though, the concept and initial execution seem solid.


Copyright © 2016 IDG Communications, Inc.

Shop Tech Products at Amazon