BitSight Security Ratings - www.bitsighttech.com - BSI
Increasing governance and assurance required
• Subsidiary Risk Management
• Third Party Risk Management
• Fourth Party Risk Management
• Benchmarking
• Cyber Insurance
• Security Risk
• Mergers & Acquisitions
Cyber Risk is Increasing
CYBER INCIDENTS CONTINUE TO INCREASE
• Volume (# of attacks)
• Speed of attacker
• Sophistication of attacker
THE TARGETS ARE BROAD
• 1st party
• 3rd party
• Nth party
THE DAMAGE IS SEVERE
• Financial loss
• Reputational harm
• Legal liability
• Operational disruption
Market Conditions
BOARD EXPECTATIONS
• 100% of organizations will report to the board on cyber risk at least 1x / year, by 2020
• 91% of board members can't interpret cybersecurity reports
BUSINESS IMPACT
• 181 vendors granted access to a company's network per week
• 63% of all breaches linked directly or indirectly to 3rd parties
REGULATORY ENVIRONMENT
• Oversight continues to increase: GDPR, FFIEC, HK CFI, DFAR, NY DFS, NIST
MARKET IMPACT
• $100B will be spent in 2020 on information security worldwide
• $10B in estimated cybersecurity insurance premiums by 2020
• $2T cyber crime costs by 2020
Key Questions
How do diverse stakeholders have a sensible conversation about Cyber Security?
• Language – Risk posture vs. vulnerability checklist? Impact vs. events. Non-technical language
• Consistency of measurement – Absolute and relative; universal metrics, standard across a critical mass of organizations
• Business Context – What is in it for me? How to relate cyber security to business
• Outcome vs. activity – Results rather than effort
• Objective vs. subjective – Data-centric but in context
BitSight brings data-driven efficiency and automation to the cyber risk evaluation process by providing a COMMON METRIC (ratings) to be used in a cyber risk decision framework.
The Key Questions
Who are the consumers of cyber security information?
• The Board
• Procurement
• Compliance
• Vendor Risk Management
• Audit
• Operational Risk
• CISO / Info Sec / Cyber security
• Business process owners
• Supplier Managers
• CIO / CRO
Common language; different perspectives / context; subject to specific risks.
BitSight Security Ratings Enable Measurement
BitSight Security Ratings, like credit ratings:
• Data-driven rating of security performance
• Non-intrusive SaaS platform
• Continuous monitoring
• Objective, quantitative measurement
Rating bands: ADVANCED 740 - 900; INTERMEDIATE 640 - 740; BASIC 250 - 640
About BitSight: Boston, MA headquarters; 450+ employees; $150M+ capital raised from blue chip investors; experienced leadership team with record of growing successful companies; global offices in Singapore, Lisbon and Raleigh
The largest, most engaged ecosystem: founded 2011; 1,500+ customers; 25,000+ users; 20,000+ ecosystem organizations; 160,000+ monitored organizations; 105,000+ pieces of user-generated content (comments & tags); 15M+ domains worldwide
How do security ratings help?
BitSight Security Ratings, like credit ratings:
• Provide a measurable range of risk
• The only ratings solution with a third party verified correlation to breaches
Strong, validated correlation to breach:
• 5x – if the security rating drops below 400, as compared to an organization with a 700 or higher
• 3x – if 50% of computers run outdated Operating System versions
• 2x – if the Botnet Grade is B or lower, or the File Sharing grade is B or lower, or the Open Ports grade is F
Security ratings are an objective, continuous, external measure of an organization's overall cyber security posture.
3 levels of information – tailored for stakeholder needs
1. Security Rating – overall cyber risk posture rating. Dashboard, management reports, 'view from the bridge', trending
2. Risk Vectors – rating for groupings of like events. Risk hunting, thematic reviews, audit selection + scoping. Operational reports
3. Events – specific incidents or vulnerabilities. Remediation, preparation for on-site audits. Activity reports
Translating Security Data into Actionable Ratings
Security Ratings: organizational security performance ratings ranging from 250 - 900, derived from verifiable, outside-in security data
Risk vector factors within ratings: Compromised Systems 55%; Diligence 35%; User Behavior 10%
Botnet event detail
Measuring Performance Across a Large Portfolio
Better Data Enables Smarter Prioritization of Risk
Vendor Tiering enables quick identification of critical vendors with issues, and Asset Prioritization provides context on the most pressing issues facing these critical vendors.
Other ratings providers cannot provide the extensive visibility of security issues (see previous slide) or business critical assets (no API, mail server, or database visibility), meaning customers don't get the most comprehensive view of the most important issues facing their most critical vendors.
Leading Organizations Use BitSight
• 20% of Fortune 500 companies use BitSight
• 4 of the top 5 Investment Banks use BitSight for Vendor Risk Management
• 40+ government agencies, including US and Global Financial Regulators, use BitSight
• 4 of the Big 4 Global Accounting Firms use BitSight
• 50% of the world's cyber insurance premiums are underwritten by BitSight customers
1,500+ CUSTOMERS ACROSS THE GLOBE
Third Party Risk Management
TPRM: Customer Pain Points
Vendor Ecosystem:
• Tier 1 Vendors – critical to business function with potential network access or sensitive data sharing
• Tier 2 Vendors – important vendors that may have access to network, data or company premises
• Tier 3 Vendors – long tail of vendors with less network/technology relationship
Customer Existing Processes (highly focused on Tier 1 vendors):
• Gather important data through questionnaires or episodic assessments to learn about vendors' policies, procedures, controls
• Send risk manager to do onsite assessments to verify vendor policies, procedures, controls
• Perform penetration tests to get point-in-time analysis of vendor security vulnerabilities
Current processes are expensive, time consuming, and don't provide continuous visibility across an organization's entire ecosystem of vendors.
Cyber Security Challenge
Difficult to scale traditional approaches: questionnaires, audits, penetration tests, manual efforts, etc.
BitSight Value in TPRM Program
Vendor Ecosystem and customer existing processes:
• Tier 1 Vendors (critical to business function with potential network access or sensitive data sharing) – Questionnaires
• Tier 2 Vendors (important vendors that may have access to network, data or company premises) – Onsite assessments
• Tier 3 Vendors (long tail of vendors with less network/technology relationship) – Penetration tests
Cost-effective continuous visibility across all tiers:
• Expand visibility across all vendors to identify highest-risk vendors
• Drive efficiency and automation across existing workflows and processes
• Prioritize action and allocate resources to address dynamic risks across vendor population
• Integrate ratings data throughout vendor lifecycle processes including selection, onboarding, ongoing monitoring and termination
BitSight Security Ratings are a cost-effective, data-driven metric that enables better prioritization of risk and allocation of resources to make effective risk decisions within an organization's TPRM program.
BitSight TPRM
Third Party Monitoring Produces Measurable Results at Scale for
Goal: Monitor the information security disposition of critical third party service providers
Actions by BitSight:
• Monitor thousands of third parties
• Evaluate risk rating for each provider
• Determine risk areas for third party action
Results: 9X expansion of coverage with same FT employees
Security Performance Management
Security Performance Management Capabilities
Operational Value: Prioritization; Remediation
Business Management Value: Peer Analytics; Benchmarking; Progress Tracking; Forecasting
Roadmap labels on the slide: Launch in Q1; Future Enhancement
CONFIDENTIAL
Peer Analytics
One Example of Impactful Results from Vendor Collaboration
Onboarded 496 suppliers and engaged with BitSight Security Ratings as part of this process.*
• 276 suppliers (56%) saw a rating increase
• 50 average points increased across this group
* Suppliers on-boarded between May 1st and October 31. Ratings compared between May 1st and Dec 4th.
How BitSight Security Ratings are Calculated
1. Collect Data – 180+ billion events daily; externally observable information; world's largest sinkhole; public Internet registries; breaches when applicable
2. Research, Filter & Process – automated & human validated; 12+ month history for all companies
3. Calculate & Assign – 60% Compromised Systems; 30% Diligence; 10% User Behavior
4. Rating – daily ratings; range from 250 to 900; low ratings correlated to higher likelihood of breach
Data flow: Data → Qualified Data → Processed Data → Security Rating
120 tested and validated data sources; 23 risk vectors; 160,000 companies monitored