BitSight Security Ratings are a measurement of an organization’s security performance. Much like credit ratings, BitSight Security Ratings are generated through the analysis of externally observable data. Armed with daily ratings, organizations can proactively identify, quantify and manage cyber security risk throughout their ecosystem.

Unlike existing security assessment tools that examine a company’s policies or conduct periodic scans, BitSight continuously measures security performance based on evidence of compromised systems, diligence, user behavior, and data breaches to provide an objective, evidence-based measure of performance. This data-driven, outside in approach, requires no information from the rated entity. BitSight ratings specifically are correlated with financial performance and likelihood of data breaches to help organizations be as informed as possible when managing their cybersecurity.

As the framework for creating the methodology behind our ratings, BitSight uses the US Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, which we helped develop.

BitSight is committed to creating the highest quality and most accurate security ratings in the industry. We are also committed to allowing all rated organizations—not just customers— the opportunity to challenge the assets, findings, and interpretation of those findings used to determine a BitSight Security Rating, and to provide corrected or clarifying data. As a signatory and contributing author, we are firmly committed to upholding the Principles for Fair and Accurate Security Ratings.

BitSight has a formal dispute resolution process that allows rated organizations to dispute findings. BitSight seeks accurate and prompt remediation for any dispute. The dispute resolution process is governed by the BitSight Policy Review Board (PRB), a committee created to govern the ratings algorithm and associated policies, and to ensure that they are aligned with our principles. As the highest level of ratings governance, the PRB also adjudicates appeals related to data accuracy and evaluation methodology. It is charged with providing a consistent, transparent, and systematic dispute resolution process that is available to all rated entities. For more information, please visit the Policy Review Board description.

Glass Lewis Proxy Paper research reports will feature a point in time snapshot of an organization’s cybersecurity performance, as of the first day of the current quarter. The report features the company’s overall Security Rating and how the organization benchmarks against its peers in 20 major risk categories.

Click here to request a copy of your organization’s BitSight Preview Report.

With BitSight for Security Performance Management, it’s easier than ever to continuously assess your cybersecurity program — and identify potential gaps in your existing controls.

For more information on BitSight’s enterprise solutions, please visit the BitSight for Security Performance Management page. To learn more about our enterprise offerings, please click here to request a call with one of our sales representatives.

Security ratings are computed one day at a time; there is a new rating for each organization, for each day. However, findings typically affect the rating for longer than a single day.

Why is that? Consider a couple examples from other rating domains. An accident affects auto insurance premiums for several years. A loan default remains on a consumer credit report for seven years. The reason is that, statistically speaking, past negative events can be predictive of current risk. An at-fault accident is evidence that a driver engages in risky behavior, and that behavior is unlikely to change overnight. The older the event, however, the less predictive it is; an accident 30 years ago is not as worrisome as one last week.

The same is true of cybersecurity risk. Our data indicate that a negative event, such as a botnet infection, is indicative of potential deficiencies in an organization’s security performance, even several months after it occurred. This is likely because it takes time to make significant improvements to an organization’s security program (though the timescale is certainly shorter than years, as in the credit rating example).

For these reasons, compromised systems (malware) events and security incidents (breaches) have an impact on the rating which is greatest on the date they occur, and then gradually decays away as the events age.

In contrast, diligence records (e.g. open ports or SPF records) are measurements of the current state of an organization’s systems. In most cases, if we can reliably confirm that the state has changed (e.g. the open port was closed), the rating reflects that immediately. (An analogy from consumer credit ratings: these typically incorporate the current ratio of credit utilization.) Otherwise, the record continues to affect the rating for 60 days. This duration was chosen (again, based on analysis of our data) to balance ratings stability against responsiveness, and aligns with typical update cadences.

For more information on finding lifetimes and decay rates, please refer to the BitSight Knowledge Base.

Peer benchmarking in the BitSight Preview Report is determined by an organization’s BitSight industry classification. BitSight collects industry information from LinkedIn and categorizes an organization into one of 23 industries.

To bring you and your team up to speed with how to use and understand the information available in the BitSight platform and your report, BitSight has designed educational content available through BitSight Academy and the BitSight Knowledge Base.

For more information on your organization’s Rating and the BitSight platform, click here to sign up for a review session with a BitSight Customer Success Representative.

Underlying forensic findings are available in the BitSight platform. Click here to sign up for 30 days of complimentary access to the BitSight platform.

Within the platform, you’ll be able to do the following:

• View your organization’s BitSight Security Rating
• Compare your security performance against that of your industry
• Identify and remediate potentially harmful security issues based on actionable information of malware types and IP addresses

BitSight Security Ratings range from 250 to 900. The higher the rating, the more effective the company is in implementing good security practices. BitSight Security Ratings are calculated using a proprietary algorithm that analyzes and classifies externally observable data. The ratings are generated based on four classes of data -– compromised systems, diligence, user behavior, and data breaches.

For more information on how BitSight Security Ratings are calculated, download the complete Rating methodology overview.

Security ratings are built on data from over 100 different sources. We collect much of the data ourselves, and we also work with numerous best-in-class data partners (many exclusive) who specialize in various types of telemetry. To date, we have collected petabytes of security relevant data and are adding billions of new observations every day.

For more information on BitSight’s data collection methods, download the complete Rating methodology overview.

Four Data Categories in BitSight’s Security Ratings Platform

Compromised systems

Compromised Systems are devices within an organization’s network that are infected with malware. Each separate instance of malware communications, even if it is from the same machine, constitutes a single observation.

We identify and classify compromised systems into the following risk types:

Botnet Infections
A unified network of machines that are performing coordinated actions based on instructions received from the malware’s creators.

Spam Propagation
Machines compromised with malware that causes them to send large volumes of unwanted email.

Malware Servers
A machine hosting a website that injects malicious code into a visitor’s browser, often resulting in the installation of new malware on that visitor’s computer.

Potentially Exploited
A machine running a potentially unwanted application which leaves the system vulnerable to adware, spyware, and remote access tools.

Unsolicited Communications
Any host that is observed trying to contact a service on another host that is not expected or supported.

Diligence

Diligence records demonstrate the steps a company has taken to prevent attacks. We identify and classify diligence risk vectors as follows:

Open Ports
Ports that are exposed to the public internet, which are evaluated to determine whether or not unnecessary access points exist.

TLS/SSL Certificates
Records verifying the authenticity of your company servers to your associates, clients, and guests, and which serve as the basis for establishing cryptographic trust.

TLS/SSL Configuration
Records indicating that servers have properly configured security protocol libraries and support strong encryption standards when making encrypted connections to other machines.

Web Application Headers
HTTP header configurations that inform how to receive and respond to web requests in a manner that prevents malicious behavior such as man-in-the-middle and cross-site scripting attacks.

Sender Policy Framework (SPF)
A DNS (Domain Name System) record identifying which mail servers are permitted to send email on behalf of a domain, preventing spammers from sending emails with forged “From:” addresses.

DomainKeys Identified Mail (DKIM)
A protocol designed to prevent unauthorized servers from sending email on behalf of a company’s domain.

Patching Cadence
The speed at which a company resolves publicly disclosed vulnerabilities, which are bugs in software or device firmware that can be used to gain unauthorized access to systems and data.

Server Software
Versions of commonly installed IT infrastructure software, which can indicate security vulnerabilities and obsolescence.

Desktop and Mobile Software
Versions of commonly installed desktop and mobile operating systems and browsers, which can indicate security vulnerabilities and obsolescence.

Insecure Systems
Devices that may be communicating with domains registered by malware distributors or hacking teams, which could allow attackers to inject malicious code back into these systems and access or extract sensitive data.

DNSSEC Records*
A protocol that uses public key encryption to authenticate DNS servers.

Mobile Application Security*
Versions of mobile applications in Android and iOS app stores with known security risks that can compromise end-users’ devices and networks.

Domain Squatting*
Web Domains that appear to be a legitimate domain of an organization, but are under the control of external actors and can be used to carry out spear phishing attacks.

^* risk vector does not currently impact rating calculations

User Behavior

User Behavior examines activities that may introduce malicious software onto a corporate network, for example, by downloading a compromised file. We identify and classify user behavior into the following risk types:

File Sharing
Media and software shared using peer-to-peer exchange protocols, which can be infected with malware.

Exposed Credentials*
Indicates whether employees of a company have had their personal or corporate information revealed as a result of a publicly-disclosed data breach.

^* risk vector does not currently impact rating calculations

Public Disclosures

BitSight collects information about publicly disclosed breaches and interruptions to business continuity from a variety of news sources and data breach aggregation services. A breach is attributed to a company when there is significant, publicly-disclosed evidence that the company was at fault for the data loss, such as a company-issued disclosure notice or investigation from a credit card company.