BitSight Technologies Launches Information Security Risk Rating Service

Fresh off of raising $24 million in a Series A funding round, security startup BitSight Technologies on Tuesday launched its first offering designed to deliver ratings on the information security effectiveness of organizations.

The ratings, which are based on externally visible network behavior, are generated daily to keep track of the continuously shifting nature of an organization’s security state, the company said.

The new service offering – the BitSight Partner SecurityRating – provides objective and up-to-date ratings on the information security health of a company’s partner ecosystem so it can better protect sensitive business and customer data shared with third-party vendors, the company explained.

The company compared its security ratings to credit scores: the ratings range from 250 to 900, with higher scores indicating better security postures.

Using sensors placed around the Internet, BitSight collects and analyzes publicly available Internet traffic flowing to and from an organization. Suspicious behaviors, such as participation in a DDoS attempt or communication with a known botnet, are analyzed for severity, frequency, duration and confidence to create an overall rating of the organization’s current security health, the company explained.

The ratings are generated entirely from the outside; no special disclosures are required and no intrusive testing is conducted on the rated company.

But is analyzing anonymous Internet traffic without any vulnerability scanning, pen testing or other assessment really enough to provide a true view of an organization’s security posture? Not likely, but the company says that the information it does provide helps customers make data-driven decisions on risk management.

“BitSight does not perform any vulnerability scanning or any intrusive testing on the company’s network,” Stephen Boyer, co-founder and CTO of BitSight, told SecurityWeek. “Those are helpful assessments, but they only offer a snapshot in time of the security state of a network. We’re providing a continuous and ongoing way to monitor for vulnerabilities by looking at the externally observable risk areas our customers care about and believe are good measures of security effectiveness.”

“Because ratings are generated on a daily basis, trends can be examined over time,” Boyer continued. “We have found that some companies greatly improve their security posture after being breached and maintain that posture over time. Other companies fix only the immediate issue, and then end up being breached again. Our ratings detect this and that is what makes our service valuable to our customers. Our customers accept that we do not see everything and that we often do not know the source of the problem we see. But what we do observe allows them to make data-driven decisions on risk management.”

Delivered as a SaaS offering, key features of the service include:

Up-to-Date Partner Ratings – BitSight processes and analyzes terabytes of data daily to rate thousands of organizations, including the world’s most popular data and outsourced service providers in the hosting, storage, manufacturing, advertising, HR and legal sectors. New ratings are presented daily via the Customer Portal.

Timely Alerts – BitSight customers are alerted to significant changes in their partner ratings so they can quickly and proactively take steps to mitigate and prevent possible data breaches. In addition, BitSight delivers detailed information on individual risk vectors so that the sources of risk can be identified and shared with partners.

In-depth Analytics – BitSight provides customers with analytical tools that assess trends, compare individual ratings against industry benchmarks, and rank ratings within their portfolio. Partner groups can be created based on size, industry, type of data being shared, or business objective in order to help organizations better manage partner risk. 

According to a February 2013 Ponemon Institute survey, 65 percent of organizations transferring consumer data to third-party vendors reported a breach involving the loss or theft of their information. In addition, nearly half of organizations surveyed did not evaluate their partners before sharing sensitive data.

More information on BitSight’s Partner SecurityRating service is available online.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
