BitSight Technologies CTO Says Security Metrics Can Work


BitSight Technologies Co-Founder and Chief Technology Officer Stephen Boyer believes his company is in a position to assess an organization's security effectiveness from the outside, establishing a rating similar to a credit score that businesses can use to weigh the risks posed by their partners.

He and other executives at the Cambridge, Mass.-based security firm recently convinced investors to dole out $24 million in Series A funding. This week, the company unveiled its cloud-based service called SecurityRating, which provides up-to-date scores on the information security health of a company's partner ecosystem.

"Our mission is to introduce relevant metrics that can drive business decisions with objective science," Boyer said. "Up until now, decisions have been typically prescriptive-based."


The company assigns information security effectiveness scores from 250 to 900 and says the ratings are similar to consumer credit scores, with higher ratings indicating a better security posture. The ratings are based on externally visible network behavior: the service monitors a company's IP address ranges for suspicious activity and combines that with threat-intelligence feeds from security vendors and "global sensors" to determine whether the firm's corporate network may have been penetrated.

"We are looking at as broad of different classes of data as we can," Boyer said. "We'll analyze anything that can provide evidence of an organization's security effectiveness."

Traffic flowing to and from an organization is monitored for participation in denial-of-service attacks or for communication with a known botnet. Detected threats are weighted for severity by their frequency and duration to produce the rating.
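As an added illustration, not BitSight's model or code, the toy below shows how externally observed events of the kinds described (botnet communication, denial-of-service participation) might be weighted by frequency and duration and mapped onto a 250 to 900 band; the event classes, weights, 30-day window, decay formula and sample observations are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime

# Hypothetical severity weights per externally observed behaviour class
# (assumed for this illustration; not BitSight's weighting).
CLASS_WEIGHT = {"botnet_c2": 3.0, "ddos_participation": 2.0}

@dataclass
class Observation:
    """One externally observed event attributed to an IP in the rated range."""
    ip: str
    kind: str
    first_seen: datetime
    last_seen: datetime

def observation_penalty(obs: Observation, as_of: datetime, window_days: int = 30) -> float:
    """Penalty grows with how long the behaviour lasted and fades with age."""
    age_days = (as_of - obs.last_seen).days
    if age_days > window_days:
        return 0.0                     # stale: outside the observation window
    duration_h = max((obs.last_seen - obs.first_seen).total_seconds() / 3600, 1.0)
    recency = 1.0 - age_days / window_days
    return CLASS_WEIGHT.get(obs.kind, 1.0) * math.log1p(duration_h) * recency

def rate(observations: list, as_of: datetime, window_days: int = 30) -> int:
    """Map the summed penalty onto the 250..900 band; no events gives 900."""
    # Frequency compounds: every event adds to `total`, which lowers the score.
    total = sum(observation_penalty(o, as_of, window_days) for o in observations)
    return int(round(250 + 650 * math.exp(-total / 10.0)))

# Constructed sample data (not real observations; TEST-NET-3 addresses).
AS_OF = datetime(2013, 9, 20)
SAMPLE = [
    Observation("203.0.113.7", "botnet_c2",
                datetime(2013, 9, 10), datetime(2013, 9, 12)),
    Observation("203.0.113.9", "ddos_participation",
                datetime(2013, 9, 18, 14), datetime(2013, 9, 18, 20)),
    Observation("203.0.113.20", "botnet_c2",          # months old: ignored
                datetime(2013, 6, 1), datetime(2013, 6, 3)),
]

if __name__ == "__main__":
    print("clean rating:", rate([], AS_OF))
    print("sample rating:", rate(SAMPLE, AS_OF))
```

Re-running `rate` each day with a sliding `as_of` yields the kind of daily time series the article describes, with stale events dropping out of the window and fresh ones pulling the score down.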

Users of the service sign into a portal to receive ratings on the hundreds of firms they identify in their portfolio. The ratings are updated daily, tracking an organization's security posture over time, Boyer said. Tools let users assess trends by company size, industry, type of data being shared, or business objective, and drill down to understand the factors driving a score, Boyer said. The service is designed to appeal to business executives, information risk managers and chief information officers rather than IT security professionals and incident responders, he said.
