BitSight Technologies CTO Says Security Metrics Can Work1:10 PM EST Tue. Sep. 10, 2013
BitSight Technologies Co-Founder and Chief Technology Officer Stephen Boyer believes his company is in a position to assess an organization's security effectiveness from the outside, establishing a rating similar to a credit score that businesses can use to weigh the risks posed by their partners.
He and other executives at the Cambridge, Mass.-based security firm recently convinced investors to dole out $24 million in Series A funding. This week, the company unveiled its cloud-based service called SecurityRating, which provides up-to-date scores on the information security health of a company's partner ecosystem.
"Our mission is to introduce relevant metrics that can drive business decisions with objective science," Boyer said. "Up until now, decisions have been typically prescriptive-based."
The company assigns information security effectiveness scores from 250 to 900, and said the ratings are similar to consumer credit scores, with higher ratings indicating better security postures. The ratings are based on externally visible network behavior. It monitors company IP address ranges for suspicious activity, adds in threat-intelligence feeds from security vendors and "global sensors" to determine if a firm's corporate network may have been penetrated.
"We are looking at as broad of different classes of data as we can," Boyer said. "We'll analyze anything that can provide evidence of an organization's security effectiveness."
Traffic flowing to and from an organization is monitored for participation in a Denial of Service Attack attempt or communication with a known botnet. Detected threats are analyzed for severity by frequency and duration to create the rating.
Users of the service sign into a portal to receive ratings on hundreds of firms they identify in their portfolio. The ratings are updated daily, tracking an organization's security posture over time, Boyer said. Tools can enable users to assess trends based on size, industry, type of data being shared, or business objective. People can drill down and understand the driving factors underneath the score, Boyer said. The service is designed to appeal to business executives, information risk managers and chief information officers at firms rather than IT security professionals and incident responders, he said.
NEXT: Better Security
One of the biggest challenges in the security world at large is ground truth and relevant metrics, Boyer said. "I firmly believe nobody has the full picture of the risks posed by their partners," he said. "We're displaying this in a way so people get a quick indicator." BitSight said the performance of an organization over time is the best indicator of its security posture. The information also can provide benchmarking measurements that can be useful to advocate for better security processes and technology upgrades, Boyer said. A company can benchmark itself against its peers and in the future, BitSight plans to add measurements on industry verticals, he said.
"We're trying to introduce into the cybersecurity world the same level of rigor, analysis and risk management that has existed in the financial sector for quite some time," Boyer said.
The company currently has a small group of customers using its service in healthcare, financial services and retail. BitSight said its service is sold as an annual subscription. Pricing has been based on the number of partners that a user wants to rate and monitor, the firm said. Since it is delivered as a SaaS offering, the service may appeal to resellers.
Boyer said his firm is distancing itself from an emerging set of threat intelligence vendors, which provide information about specific security threats. BitSight's service is similar to Arlington, Va.-based Lookingglass Cyber Solutions, which provides threat intelligence monitoring and management enabling visibility into risks posed by partners. Rather than assigning a risk score, Lookingglass provides detailed information on the presence of botnets, hosts associated with cybercriminal networks, unexpected route changes and the loss of network resiliency.
"We're not trying to move from ignorance to negligence," Boyer said. "We'll only provide our customers with the underlying factors used to arrive at a security effectiveness score."
The security community is skeptical about security effectiveness ratings, said Pete Lindstrom, principal and vice president of research at Spire Security. BitSight appears to be heading in the right direction, but it needs to open up its valuation model to affirm the scores it assigns, Lindstrom said.
"There's no doubt a need to monitor your partner ecosystem, but BitSight is heading into treacherous waters because any score is subject to scrutiny," Lindstrom said. "There's value in this, but the challenge is getting everyone to agree upon the empirical evidence behind the arrival of the score."
PUBLISHED SEPT. 10, 2013