Benchmarking Security Ratings

A recent survey from the Global Benchmarking Network found that nearly 70% of companies use informal benchmarking processes to measure performance in key business functions such as customer service, human resources and corporate strategy, so why not cyber security performance?

To effectively understand the impact of security programs and communicate changes to key decision makers, companies need tools that provide a quantified and comparative view of cyber security performance over time.

BitSight Security Ratings for Benchmarking deliver a continuous, data-driven measure of security performance, giving businesses a quantified baseline and comparative data. These ratings enable organizations to measure the effectiveness of risk mitigation programs, compare performance to industry peers and communicate key indicators to the board.

BitSight continuously analyzes, rates and monitors companies' security postures using externally observable data, so no permission from the rated company is required. Security Ratings are updated daily, and alerts are generated when a company's rating changes significantly. Users also gain visibility into detailed risk vector data on themselves and on peer companies, allowing them to benchmark their performance on a wide set of actionable security metrics.


What are BitSight Security Ratings?

Breaches matter in today's world. Whether it is the loss of personally identifiable information, financial records or other data, organizations across the world are tasked with preventing data loss on their own networks and from vulnerabilities that lie outside their direct control. Professionals and leaders across multiple industries are turning to BitSight Security Ratings for data-driven clarity on their own security performance as well as that of their vendors, insureds, acquisition targets and more. To make the ratings actionable, BitSight does intensive research to ensure that they can be used to identify real-world security risk. Recent research has shown that BitSight Security Ratings are the only security ratings that are indicative of a publicly disclosed breach: companies with a rating of 400 or lower are five times more likely to have a breach than those with a rating of 700 or higher.


Every data source added to the BitSight Security Ratings platform is chosen to be meaningful and actionable for risk managers, security professionals and cyber insurance underwriters. BitSight currently groups its risk vectors into three categories: Events, Diligence and User Behavior.


Events

Botnet Infections: Does this organization have controls in place to identify and prevent botnet infections?

Spam Propagation: Is spam being sent from this organization’s mail servers?

Malware Servers: Has this organization prevented malware infections that can be designed to harvest data, abuse company resources and spread across a network?

Potentially Exploited: Are there devices with potentially unwanted software such as adware, spyware and remote access tools on a network?

Unsolicited Communication: Are hosts trying to contact other services in an irregular manner? Are there hosts scanning darknets?


Diligence

Sender Policy Framework (SPF): Is this organization protecting itself from email spoofing and phishing attacks by publishing SPF records? Are its SPF records syntactically correct?

TLS/SSL Certificates: Are the cryptographic keys for TLS/SSL certificates secure?

DomainKeys Identified Mail (DKIM): Is this organization signing its outbound mail with DKIM so that receivers can detect messages sent on behalf of its domains by unauthorized servers?

TLS/SSL Configuration: Are this organization's TLS/SSL servers configured with secure protocol versions and cipher suites?

DNSSEC beta: Is this organization using DNSSEC, which authenticates DNS responses for its domains with public-key signatures (it does not encrypt them)?

Open Ports: Are services with known vulnerabilities exposed on open ports, making it easier for attackers to infiltrate this organization's network?

Application Security beta: Are security-related HTTP response headers properly configured? Is this organization protecting its web applications from man-in-the-middle and cross-site scripting attacks?
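The Diligence vectors above are all things an organization can verify on its own externally visible assets before a rating service does. As an added example, not BitSight's code (which is not published) and not its exact scoring rules, the Python below runs offline checks for two of them on constructed inputs: SPF record syntax (RFC 7208 mechanisms, the 10-lookup limit and a terminating -all or ~all) and the HTTP security headers the Application Security vector asks about. The function names, the header list and the sample records are assumptions made for illustration.

```python
# Added example, not BitSight's own code: offline checks for two of the
# Diligence risk vectors, SPF record syntax and HTTP security headers.
# Function names and inputs are constructed for illustration; a real run
# would fetch the TXT record over DNS and the headers over HTTPS.
import re

# Mechanisms and modifiers defined by RFC 7208 (SPF).
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
SPF_MODIFIERS = {"redirect", "exp"}
# Terms that trigger DNS lookups; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def check_spf(txt_records):
    """Return a list of findings for a domain's TXT records (empty list = clean)."""
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as permerror)")
    terms = spf[0].split()[1:]
    lookups = 0
    for term in terms:
        if "=" in term:  # modifier, e.g. redirect=_spf.example.com
            name = term.partition("=")[0].lower()
            if name not in SPF_MODIFIERS:
                findings.append(f"unknown modifier {term!r}")
            elif name == "redirect":
                lookups += 1
            continue
        body = term[1:] if term[0] in QUALIFIERS else term
        name = body.split(":", 1)[0].split("/", 1)[0].lower()
        if name not in SPF_MECHANISMS:
            findings.append(f"unknown mechanism {term!r}")
        elif name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6") and ":" not in body:
            findings.append(f"{name} mechanism without an address: {term!r}")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms (limit is 10; evaluates to permerror)")
    last = terms[-1].lower() if terms else ""
    if not re.fullmatch(r"[-~]all", last) and not last.startswith("redirect="):
        findings.append("record does not end in -all or ~all (spoofed mail is not rejected)")
    return findings


# Response headers the Application Security vector asks about, with the
# exposure their absence leaves open (assumption: common guidance, not
# BitSight's exact criteria).
REQUIRED_HEADERS = {
    "strict-transport-security": "MITM/downgrade: browsers may still connect over plain HTTP",
    "content-security-policy": "XSS: no restriction on where scripts may load from",
    "x-content-type-options": "MIME sniffing of responses",
    "x-frame-options": "clickjacking via framing",
}
ONE_YEAR = 31536000  # seconds; a common minimum for HSTS max-age


def check_security_headers(headers):
    """headers: dict of response header name -> value; names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {name} ({risk})" for name, risk in REQUIRED_HEADERS.items()
                if name not in lower]
    hsts = lower.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < ONE_YEAR):
        findings.append("HSTS max-age below one year")
    for directive in lower.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src" and "'unsafe-inline'" in parts[1:]:
            findings.append("CSP script-src allows 'unsafe-inline' (weakens XSS protection)")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs (not real domains or responses).
    samples = {
        "weak SPF": ["v=spf1 include:_spf.example.com ip4 +all"],
        "good SPF": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all"],
    }
    for label, records in samples.items():
        print(label, check_spf(records))
    print("weak headers", check_security_headers(
        {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=3600"}))
    print("good headers", check_security_headers({
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    }))
```

Feed check_spf the TXT records your resolver returns for a domain and check_security_headers the response headers of a public site; each returns a list of findings, so an empty list is the target. The header list is a common baseline rather than BitSight's published criteria, and the SPF check validates syntax only; it does not resolve the included domains.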

User Behavior

File Sharing: Is there evidence of potentially harmful file sharing activity over peer-to-peer networks from this organization? Is this organization exposing itself to malware through poor file sharing practices?

Note: Beta risk vectors are not included in the ratings. They are for informational purposes only.