Start-up offers IT security rating system

It's not uncommon for companies to want to evaluate the IT security of another business before entering into an e-commerce arrangement. Now a start-up, BitSight Technologies, is out with what it calls a "rating" service to do exactly this, though there are limits to how far it can go at this point.

The BitSight Partner SecurityRating assigns a score between 250 and 900 -- similar to a credit rating, says BitSight vice president of product marketing Sonali Shah -- which is meant to indicate the known security posture of the company based on a number of factors.


One of the main factors is an analysis of Internet traffic by BitSight's sensors to detect whether the company's IT assets, such as computers, servers and network equipment, have been commandeered for threats such as botnets and denial-of-service attacks. Such activity indicates the company's IT assets have been compromised in some way, and it lowers the company's score in the BitSight rating system.
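To make the approach concrete, here is an added illustration of how externally observed traffic can be turned into a score on a 250-to-900 scale. It is example code written for this article, not BitSight's algorithm: the netblocks, sensor events and penalty weights are all constructed (the address ranges are RFC 5737 documentation prefixes), and the decay rule is an assumption chosen to show the idea. What it demonstrates is the two steps the paragraph implies: attributing a sighting to a company by matching the source IP against the company's address space, and then lowering the score per distinct compromised host rather than per raw event, so a chatty bot does not count many times over.

```python
"""Illustrative externally-observed security rating (not BitSight's algorithm)."""
import ipaddress
from datetime import datetime

RATING_MIN, RATING_MAX = 250, 900  # scale quoted in the article

# Assumed penalty weights per kind of evidence; hypothetical values for illustration only.
EVIDENCE_WEIGHTS = {
    "botnet_c2": 40,    # host beaconed to a sinkholed botnet command-and-control domain
    "ddos_source": 60,  # host observed sending flood traffic toward a sensor
}

# Constructed sample: the rated company's public address space (RFC 5737 documentation prefixes).
ORG_NETBLOCKS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/24")]

# Constructed sensor observations: (ISO timestamp, source IP, evidence kind).
SENSOR_EVENTS = [
    ("2013-09-01T10:00:00", "192.0.2.17", "botnet_c2"),
    ("2013-09-20T03:12:00", "192.0.2.17", "botnet_c2"),     # same host seen again
    ("2013-09-25T22:40:00", "198.51.100.8", "ddos_source"),
    ("2013-09-28T08:00:00", "203.0.113.5", "ddos_source"),  # not the company's address: ignored
    ("2013-07-01T00:00:00", "192.0.2.99", "botnet_c2"),     # older than the window: ignored
]


def events_for_org(events, netblocks):
    """Attribute sightings to the company: keep events whose source IP lies in its netblocks."""
    kept = []
    for ts, ip, kind in events:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in netblocks):
            kept.append((datetime.fromisoformat(ts), addr, kind))
    return kept


def compute_rating(events, netblocks, as_of, window_days=30):
    """Start at RATING_MAX and charge one penalty per distinct (host, evidence) pair.

    Repeated sightings of the same host do not stack; only the most recent one counts,
    and its weight decays linearly with age so old incidents stop dragging the score down.
    Returns (rating, breakdown) where breakdown maps "ip/kind" to the penalty charged.
    """
    if isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    latest = {}
    for ts, addr, kind in events_for_org(events, netblocks):
        age_days = (as_of - ts).days
        if age_days < 0 or age_days >= window_days:
            continue  # outside the observation window
        key = (addr, kind)
        if key not in latest or ts > latest[key]:
            latest[key] = ts
    breakdown = {}
    for (addr, kind), ts in latest.items():
        age_days = (as_of - ts).days
        penalty = EVIDENCE_WEIGHTS[kind] * (window_days - age_days) / window_days
        breakdown[f"{addr}/{kind}"] = round(penalty, 1)
    rating = max(RATING_MIN, round(RATING_MAX - sum(breakdown.values())))
    return rating, breakdown


if __name__ == "__main__":
    score, why = compute_rating(SENSOR_EVENTS, ORG_NETBLOCKS, "2013-09-30T00:00:00")
    print("rating:", score)  # 820 for the constructed sample
    for item, pen in sorted(why.items()):
        print(f"  -{pen:5.1f}  {item}")
```

On the sample data the two out-of-scope events are dropped, the repeated beacon from 192.0.2.17 is charged once, and the score lands at 820. The caveat for anyone consuming a rating of this kind is visible in the first function: the whole result rests on the IP-to-company attribution, so address space that is shared, leased, or sitting behind a cloud provider is either unrated or mis-rated, which is exactly the limitation the article raises below.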

"We rate the security risk," said Shah, describing the underlying technology as largely dependent on analysis of IP-based traffic and the maintenance of a large database of security-related information.

Other factors lowering a company's security-rating score would be news of a data breach or a website or social-media compromise. Shah says BitSight keeps track of this, although the set of businesses BitSight now tracks is mostly limited to the Fortune 1000; more customized evaluations of other companies are done on request.

BitSight already has some customers, though they can't be named, according to the firm. The major categories focused on by BitSight are financial institutions, retail and healthcare, according to Shah.

Today, a lot of risk analysis for purposes of vetting IT security in business partners relies on companies sharing self-scored assessments, periodic audits, or site visits. BitSight wants to make that a more dynamic and independent third-party process, and will also supply ratings of entire industries on how well they do. Shah says customers get a clear idea of what it's all about when BitSight provides them with their own scores and assessment. BitSight provides its ratings on a subscription basis, but isn't releasing pricing.

There are limits to BitSight's technical approach at present, however. BitSight today has no way to ascertain security posture based on what a company may do in cloud-based services, Shah acknowledges, though BitSight is seeking partnerships in that area with cloud providers. The technology behind the BitSight service is currently focused on a security-oriented examination of Internet traffic associated with a company's own enterprise network.

Cambridge, Mass.-based BitSight was founded in 2011 by Stephen Boyer, CTO, and Nagarjuna Venna, COO. Boyer's background includes a decade working at MIT Lincoln Labs on Internet security projects. The CEO of the start-up is Shaun McConnon.

BitSight last June received $24 million in venture-capital funding from investors that include Menlo Ventures, Globespan Capital Partners, Commonwealth Capital and Flybridge Capital Partners; the company also received earlier seed funding which included a National Science Foundation grant.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:
