Unparalleled Data. Differentiated Insights.

BitSight leverages our unparalleled data set to deliver differentiated insights to our customers. Our data and analytics deliver unique visibility to help organizations make better, smarter risk decisions.


raw events collected

new events collected per day

rated organizations worldwide

of historical data included in every rating

Data correlation to breach

BitSight Security Ratings represent more than just what’s happening on your attack surface. BitSight takes program and vendor risk management a step further by offering companies an external and trusted view of network risks. 

Our data is independently verified to correlate with an organization’s risk of a data breach. With that correlation confirmed by AIR Worldwide and IHS Markit, cybersecurity managers can rely on BitSight data analytics to accurately summarize a program’s breach risk and to prioritize mitigation decisions with visibility into where the greatest risks lie.

See how Botnet infections correlate with breach risk.

BitSight data is also directly correlated with the risk of a ransomware attack. As the rate of ransomware attacks grows globally, even the most well-established organizations are falling victim, and losing thousands or millions of dollars in the process. BitSight data points to specific security gaps that are correlated with higher potential for ransomware attacks. 

Armed with data on the ransomware risks in their networks, organizations can better protect their data, network, and reputation.

BitSight’s comprehensive pool of data has provided customers with a reliable tool to support cybersecurity decision-making. Security ratings are independently verified to correlate with an organization’s financial performance, according to independent Solactive research.

When directly connecting cybersecurity program decisions to a company’s financial performance, executives and board members can visualize the company-wide impact of a strong cybersecurity program. 

"We were very confident in BitSight’s ability to deliver accurate information to us and have that accuracy over time."

Chris Porter
CISO, Fannie Mae

Building on the Principles of Fair and Accurate Security Ratings, BitSight uses the following principles as a framework for its methodology and governance:

Since the ratings are based on empirical observations, the observations must be correct, correctly attributed to organizations, and correctly interpreted.

Ratings must allow meaningful comparisons of security performance between organizations and must be comparable over time, making it possible to observe trends.

Ratings should be available for nearly every significant organization, in all industries, and across the world. This enables comparison against industry and global benchmarks.

Ratings should be based on objective, verifiable data, rather than opinion or subjective judgements and should be correlated with real-world outcomes.

Security Ratings should be relatively stable (free from spurious fluctuations), and accurately reflect how a security change impacts overall posture.

Ratings should be intuitive, consistent and easy to understand. It should be clear what effect findings have on ratings, and why.

Compromised Systems are devices within an organization's network that are infected with malware. Each separate instance of malware communications, even if it is from the same machine, constitutes a single observation.

We identify and classify compromised systems into the following risk types:

  • Botnet Infections
    A unified network of machines that are performing coordinated actions based on instructions received from the malware’s creators.
  • Spam Propagation
    Machines compromised with malware that causes them to send large volumes of unwanted email.
  • Malware Servers
    A machine hosting a website that injects malicious code into a visitor’s browser, often resulting in the installation of new malware on that visitor’s computer.
  • Potentially Exploited
    A machine running a potentially unwanted application which leaves the system vulnerable to adware, spyware, and remote access tools.
  • Unsolicited Communications
    Any host that is observed trying to contact a service on another host that is not expected or supported.

Diligence records demonstrate the steps a company has taken to prevent attacks. We identify and classify diligence risk vectors as follows:

  • Open Ports
  • TLS/SSL Certificates
  • TLS/SSL Configuration
  • Web Application Headers
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Patching Cadence
  • Server Software
  • Desktop and Mobile Software
  • Insecure Systems
  • DNSSEC Records*
  • Mobile Application Security*
  • Domain Squatting*

* risk vector does not currently impact rating calculations

User Behavior examines activities that may introduce malicious software onto a corporate network, for example, by downloading a compromised file. We identify and classify user behavior into the following risk types:

  • File Sharing
    Media and software shared using peer-to-peer exchange protocols, which can be infected with malware.
  • Exposed Credentials*
    Indicates whether employees of a company have had their personal or corporate information revealed as a result of a publicly-disclosed data breach.

* risk vector does not currently impact rating calculations

BitSight collects information about publicly disclosed breaches and interruptions to business continuity from a variety of news sources and data breach aggregation services. A breach is attributed to a company when there is significant, publicly-disclosed evidence that the company was at fault for the data loss, such as a company-issued disclosure notice or investigation from a credit card company.