Fresh off of raising $24 million in a Series A funding round, security startup BitSight Technologies on Tuesday launched its first offering designed to deliver ratings on the information security effectiveness of organizations.
The ratings, which are based on externally visible network behavior, are generated daily to keep track of the continuously shifting nature of an organization’s security state, the company said.
The new service offering – the BitSight Partner SecurityRating – provides objective and up-to-date ratings on the information security health of a company’s partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors, the company explained.
The company compared its security ratings to credit scores: they range from 250 to 900, with higher scores indicating a better security posture.
Using sensors placed around the Internet, BitSight collects and analyzes publicly available Internet traffic flowing to and from an organization. Suspicious behaviors, such as participation in a DDoS attempt or communication with a known botnet, are analyzed for severity, frequency, duration and confidence to create an overall rating of the organization’s current security health, the company explained.
The ratings are generated entirely from the outside; no special disclosures are required and no intrusive testing is conducted on the rated company.
But is analyzing anonymous Internet traffic without any vulnerability scanning, pen testing or other assessment really enough to provide a true view of an organization’s security posture? Not likely, but the company says that the information it does provide helps customers make data-driven decisions on risk management.
“BitSight does not perform any vulnerability scanning or any intrusive testing on the company’s network,” Stephen Boyer, co-founder and CTO of BitSight, told SecurityWeek. “Those are helpful assessments, but they only offer a snapshot in time of the security state of a network. We’re providing a continuous and ongoing way to monitor for vulnerabilities by looking at the externally observable risk areas our customers care about and believe are good measures of security effectiveness.”
“Because ratings are generated on a daily basis, trends can be examined over time,” Boyer continued. “We have found that some companies greatly improve their security posture after being breached and maintain that posture over time. Other companies fix only the immediate issue, and then end up being breached again. Our ratings detect this and that is what makes our service valuable to our customers. Our customers accept that we do not see everything and that we often do not know the source of the problem we see. But what we do observe allows them to make data-driven decisions on risk management.”
The service is delivered as a SaaS offering; its key features include:
• Up-to-Date Partner Ratings – BitSight processes and analyzes terabytes of data daily to rate thousands of organizations, including the world’s most popular data and outsourced service providers in the hosting, storage, manufacturing, advertising, HR and legal sectors. New ratings are presented daily via the Customer Portal.
• Timely Alerts – BitSight customers are alerted to significant changes in their partner ratings so they can quickly and proactively take steps to mitigate and prevent possible data breaches. In addition, BitSight delivers detailed information on individual risk vectors so that the sources of risk can be identified and shared with partners.
• In-depth Analytics – BitSight provides customers with analytical tools that assess trends, compare individual ratings against industry benchmarks, and rank ratings within their portfolio. Partner groups can be created based on size, industry, type of data being shared, or business objective in order to help organizations better manage partner risk.
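As an added illustration, not BitSight's own method (which the article does not disclose): a toy model of how externally observed events, weighted by the severity, frequency, duration and confidence factors described above, could be folded into a daily rating on the 250-900 scale, with the day-over-day alerting from the feature list. The risk vectors, their weights, the 30-day decay half-life and the alert threshold are all assumptions chosen for demonstration; the sample observations are constructed.

```python
"""Toy externally observed security rating (illustration only, not BitSight's algorithm)."""
from dataclasses import dataclass

MIN_RATING, MAX_RATING = 250, 900  # scale quoted in the article

# Assumed base severity (0..1) for a few externally observable risk vectors.
SEVERITY = {"botnet_c2": 1.0, "ddos_participant": 0.8, "spam_source": 0.4}


@dataclass
class Observation:
    vector: str         # which risk vector the sensors saw
    days_ago: int       # age of the observation relative to the rating day
    duration_days: int  # how long the behaviour persisted
    confidence: float   # 0..1: how sure we are the traffic belongs to the org


def risk_weight(obs: Observation) -> float:
    """Severity x duration x confidence, decayed so old events fade out."""
    decay = 0.5 ** (obs.days_ago / 30)            # assumed 30-day half-life
    duration = min(obs.duration_days, 30) / 30    # capped at one month
    return SEVERITY[obs.vector] * (0.5 + 0.5 * duration) * obs.confidence * decay


def rating(observations) -> int:
    """Map accumulated risk onto 250-900: more observed risk, lower rating.

    Frequency enters through the sum; no observations at all yields 900."""
    total = sum(risk_weight(o) for o in observations)
    penalty = 1 - 1 / (1 + total)                 # saturates towards 1
    return round(MAX_RATING - penalty * (MAX_RATING - MIN_RATING))


def significant_changes(daily_ratings, threshold=50):
    """Return (day_index, previous, current) for moves worth an alert."""
    pairs = zip(daily_ratings, daily_ratings[1:])
    return [(i, prev, cur) for i, (prev, cur) in enumerate(pairs, 1)
            if abs(cur - prev) >= threshold]


if __name__ == "__main__":
    # Constructed sample: a fresh, confident botnet C2 sighting lasting a month.
    today = [Observation("botnet_c2", days_ago=0, duration_days=30, confidence=1.0)]
    print("rating today:", rating(today))                 # 575
    # The same event seen 30 days ago has half the weight, so the rating recovers.
    print("rating a month later:", rating([Observation("botnet_c2", 30, 30, 1.0)]))
    # A constructed daily series: the partner fixes one issue, then regresses.
    print("alerts:", significant_changes([700, 720, 640, 650, 720]))
```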
According to a February 2013 Ponemon Institute survey, 65 percent of organizations transferring consumer data to third-party vendors reported a breach involving the loss or theft of their information. In addition, nearly half of organizations surveyed did not evaluate their partners before sharing sensitive data.