I’ve opined in these pages and elsewhere that one of the big problems in the IT security space is the absence of actionable data. After all, problems like denial of service attacks, network compromises and inadvertent data leaks are all just risks that organizations and individuals must grapple with in our increasingly wired world. True – they’re new kinds of risks, but otherwise they’re not fundamentally different from problems like auto accidents, property crime or illness – things that we do a good job accounting for.
The difference, as I see it, is an absence of accepted and independent means of assessing the relative security posture of any organization. IT security is still so much dark magic: we rely on organizations to tell us about how secure they are. Organizations, in turn, rely on a complex and patchy network of security monitoring and detection tools, then try to read the entrails (aka log files and reports) to figure out where things stand.
No surprise, then, that our knowledge of IT security risk is patchy, too. Even organizations like the SEC, which requires and has the clout to force better disclosure of cyber incidents, find themselves at the mercy of corporations to self-report – something those corporations have little incentive to do.
What’s needed are objective ratings of organizations’ cyber risk posture – a rating akin to those used by the “Big Three” credit rating agencies (Standard & Poor’s, Moody’s, and Fitch Group) to rate the creditworthiness of everything from corporations to local municipalities to the U.S. Government, or by consumer rating firms like Experian and TransUnion to evaluate the creditworthiness of individuals.
But how? Assessing security risk is a notoriously squishy affair. Security tools like IDS and vulnerability scanners may monitor your environment, but they are blinkered: they only see the problems they’re trained to see. Security Information and Event Management (or SIEM) products promise to make sense of the data from all those disparate tools. But even those products merely pull together the output of the blinkered security products to produce a fuller, but still incomplete, picture of your risk posture. And what about third-party risk? As the recent case of the hijacking of web domains belonging to The New York Times, Huffingtonpost.com and Twitter proves, the danger posed by vulnerable downstream partners is real.
A Boston-based startup thinks it has the answer. BitSight Technologies, which recently secured a $24 million Series A funding round, has launched what it calls the first ratings system that will evaluate the information security effectiveness of organizations.
The company grew out of NSF-sponsored research by co-founders Stephen Boyer and Nagarjuna Venna. On Tuesday, the company unveiled BitSight Partner SecurityRating, a cloud-based service that offers real-time ratings of organizations’ security risk based on what it calls “externally visible network behavior.”
As explained to me by Stephen Boyer, BitSight’s CTO, the approach is wholly different from what’s found on the security “dashboards” that have become popular in recent years. Rather than presenting a “moment in time” assessment of an organization’s internal risk posture, BitSight operates in the manner of consumer credit rating agencies like Experian and TransUnion: providing a real-time assessment of your riskiness by looking around for external (and objective) measures that constitute red flags.
In the consumer credit space, this might be new lines of credit, or a late payment to an existing lender. In security risk, it could be the presence of stolen data on a cyber criminal group’s “drop site” – a likely indicator of compromise. Systems attached to corporate domains that participate in a botnet or a distributed denial of service (DDoS) attack could also bring an organization’s risk rating down. BitSight goes beyond high-level indicators, too, leveraging data from social media and other open source feeds. Some are quite ingenious. For example, the company taps online advertisers to get insight into the browser configurations prominent within a specific organization – a good indicator of exposure to web-based drive-by download attacks.
The genius of this system is that it easily allows BitSight to assess its customers and their entire ecosystem of business partners and supply chain partners without requiring on-premises deployments or intrusive audits. BitSight relies on relationships with a range of third-party data partners (it isn’t naming them) and a global network of sensors to vacuum up terabytes of data each day. Behind the scenes, BitSight leverages the cloud and “Big Data” analytics to break down that data and identify data elements that might impact the risk of a customer or one of that customer’s partners. Real-time alerts notify customers of changes in their risk score, or those of their partners, while a web-based dashboard allows companies to analyze risk trends and compare their organization against peers, industry benchmarks and the like.
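As an added illustration of the rating model the post sketches (externally observed indicators feeding a daily score, with alerts when a customer’s or a partner’s score moves), here is a toy Python scorer. It is not BitSight’s code or method; the indicator weights, decay window, alert threshold and sample sightings are all constructed assumptions for the example.

```python
from datetime import date, timedelta

# Assumed penalty weights per externally observable indicator type (illustrative only).
WEIGHTS = {"botnet_member": 40, "ddos_source": 30,
           "drop_site_leak": 60, "outdated_browser": 20}
DECAY_DAYS = 30    # assumed: a sighting stops counting after 30 days
BASE = 900         # assumed: an organization with no sightings scores 900
ALERT_DELTA = 25   # assumed: alert when a day-over-day change exceeds this

# Constructed sample sightings: (date observed, organization domain, indicator type).
# Domains use the reserved .test TLD; none of this is real observation data.
SIGHTINGS = [
    (date(2013, 9, 1), "example-corp.test", "botnet_member"),
    (date(2013, 9, 2), "partner-a.test", "outdated_browser"),
    (date(2013, 9, 4), "example-corp.test", "drop_site_leak"),
    (date(2013, 9, 5), "partner-b.test", "ddos_source"),
]

def rating(domain, sightings, as_of):
    """Daily rating for one domain: BASE minus the linearly decayed weight of
    every sighting attributed to that domain within the DECAY_DAYS window."""
    penalty = 0.0
    for seen, org, kind in sightings:
        age = (as_of - seen).days
        if org != domain or age < 0 or age >= DECAY_DAYS:
            continue  # wrong org, not yet observed, or too old to count
        penalty += WEIGHTS[kind] * (1 - age / DECAY_DAYS)
    return max(0, round(BASE - penalty))

def ecosystem(customer, partners, sightings, as_of):
    """Ratings for a customer and each of its partners on one day."""
    return {d: rating(d, sightings, as_of) for d in [customer, *partners]}

def alerts(customer, partners, sightings, day):
    """Domains whose rating moved by more than ALERT_DELTA since the previous
    day, as (domain, previous_rating, current_rating) tuples."""
    prev = ecosystem(customer, partners, sightings, day - timedelta(days=1))
    now = ecosystem(customer, partners, sightings, day)
    return [(d, prev[d], now[d]) for d in now if abs(now[d] - prev[d]) > ALERT_DELTA]

if __name__ == "__main__":
    partners = ["partner-a.test", "partner-b.test"]
    for day in (date(2013, 9, 4), date(2013, 9, 5)):
        print(day, ecosystem("example-corp.test", partners, SIGHTINGS, day),
              alerts("example-corp.test", partners, SIGHTINGS, day))
```

Note that the partner scores are computed from the same external sightings as the customer’s, which is the point the post makes about assessing a whole ecosystem without on-premises deployments.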
“Traditional approaches to measuring and mitigating partner security risk, including network security audits and assessments, have fallen short,” said Boyer in a statement. “BitSight Partner SecurityRating delivers a single, daily rating that encapsulates the information security integrity of any third-party network, allowing customers to make data-driven, risk-based decisions.”
The idea is to provide CxOs and other decision makers with an objective measure of risk that can inform their business decisions – from partnering to acquisitions – and to inform their own IT security investments. The trick, of course, will be getting BitSight’s ratings to be accepted standards and BitSight as a gatekeeper to certain kinds of business transactions, in the way that ratings by the Big Three or the consumer ratings agencies determine what kind of access to credit individuals and organizations have.
Boyer admits the company isn’t there yet, but it’s a step in the right direction – away from vendor-proffered security snake oil and towards objective measurements that will, over time, drive organizations toward better security practices.