CIO

Start-up offers IT security rating system

Companies often want to evaluate the IT security of another business before entering into an e-commerce arrangement with it. Now a start-up, BitSight Technologies, is out with what it calls a "rating" service to do exactly that, though there are limits to how far it can go at this point.

The BitSight Partner SecurityRating assigns a score between 250 and 900 -- similar to a credit rating, says BitSight vice president of product marketing Sonali Shah -- that is meant to indicate the company's known security posture based on a number of factors.


One of the main factors is analysis of Internet traffic by BitSight sensors to detect whether the company's IT assets, such as computers, servers and network, have been commandeered for threats such as botnets and denial-of-service attacks. Malicious traffic of that kind originating from the company's address space indicates its assets have been compromised in some way, and thus lowers the company's score in the BitSight rating system.

"We rate the security risk," said Shah, describing the underlying technology as largely dependent on analysis of IP-based traffic and the maintenance of a large database of security-related information.

Other factors lowering a company's score include news of a data breach or of a website or social-media compromise. Shah says BitSight keeps track of such reports. The businesses BitSight now tracks are mostly limited to the Fortune 1000, though more customized evaluations of several other companies are being done on request.

BitSight already has some customers, though they can't be named, according to the firm. The major categories focused on by BitSight are financial institutions, retail and healthcare, according to Shah.

Today, much of the risk analysis done to vet the IT security of business partners relies on companies sharing self-scored assessments, undergoing periodic audits, or permitting site visits. BitSight wants to make that a more dynamic and independent third-party process, and will also supply ratings of individual industries on how well they do. Shah says customers get a clear idea of what it's all about when BitSight provides them with their own scores and assessment. BitSight sells its ratings on a subscription basis but isn't releasing pricing.

There are limits to BitSight's technical approach at present, however. BitSight today has no way to ascertain security posture based on what a company may do in cloud-based services, Shah acknowledges, though BitSight is seeking partnerships with cloud providers in that area. The technology behind the BitSight service is currently focused on a security-oriented examination of Internet traffic associated with a company's own enterprise network.
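To make the outside-in mechanism concrete, here is an added example (not BitSight's code; the article does not describe BitSight's actual scoring formula, and every weight, threshold and prefix below is an assumption) of the two steps such a rating service has to perform: attribute sensor observations of malicious traffic to an organization by matching source IPs against the address prefixes the organization is known to hold, then map the resulting evidence of compromise onto a credit-style 250 to 900 scale. The sample prefixes and sinkhole-style observations are constructed for the example. The final observation, from an address outside every tracked prefix, is there to show the attribution gap discussed above: activity from infrastructure the organization does not own, such as a cloud provider's address space, cannot be tied back to it by this method.

```python
"""Illustrative outside-in security rating: attribute observed bad traffic to an
organization's IP space and map it to a 250-900 score. Hypothetical scoring,
constructed data; not BitSight's algorithm."""
import ipaddress
from collections import defaultdict

# Constructed sample: prefixes each organization is assumed to announce or hold.
ORG_PREFIXES = {
    "ExampleCorp": ["203.0.113.0/24", "198.51.100.0/25"],
    "OtherCo": ["192.0.2.0/24"],
}

# Constructed sensor observations (timestamp, source IP, event type), the kind of
# record a sinkhole or honeypot might emit. Not real data.
OBSERVATIONS = [
    ("2013-09-01T10:00:00Z", "203.0.113.17", "botnet_c2_beacon"),
    ("2013-09-01T10:05:00Z", "203.0.113.17", "botnet_c2_beacon"),
    ("2013-09-02T02:13:00Z", "203.0.113.40", "ddos_source"),
    ("2013-09-02T09:45:00Z", "198.51.100.9", "spam_relay"),
    ("2013-09-03T11:00:00Z", "192.0.2.77", "spam_relay"),
    ("2013-09-03T12:00:00Z", "8.8.8.8", "botnet_c2_beacon"),  # no tracked org
]

# Assumed weights: a C2 beacon is stronger evidence of compromise than a spam relay.
EVENT_WEIGHTS = {"botnet_c2_beacon": 3.0, "ddos_source": 2.0, "spam_relay": 1.0}

SCORE_MIN, SCORE_MAX = 250, 900


def build_prefix_index(org_prefixes):
    """Flatten {org: [cidr, ...]} into [(ip_network, org), ...]."""
    return [(ipaddress.ip_network(p), org)
            for org, prefixes in org_prefixes.items() for p in prefixes]


def attribute(ip, index):
    """Longest-prefix match of an address against the index; None if unowned."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, org in index:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org)
    return best[1] if best else None


def summarize(observations, org_prefixes):
    """Per organization: (distinct implicated hosts, weighted event total)."""
    index = build_prefix_index(org_prefixes)
    hosts = defaultdict(set)
    weight = defaultdict(float)
    for _ts, ip, kind in observations:
        org = attribute(ip, index)
        if org is None:
            continue  # not attributable to any tracked network
        hosts[org].add(ip)
        weight[org] += EVENT_WEIGHTS.get(kind, 1.0)
    return {org: (len(hosts[org]), weight[org]) for org in org_prefixes}


def address_count(prefixes):
    return sum(ipaddress.ip_network(p).num_addresses for p in prefixes)


def rating(observations, org_prefixes, org, saturation=50.0):
    """Map evidence of compromise onto 250-900 (assumed, credit-style mapping).

    Penalty is weighted events per 1,000 owned addresses, so a single infected
    host in a /25 weighs more than one in a /16; the score falls linearly and
    bottoms out at `saturation` events per 1,000 addresses (assumed constant).
    """
    _hosts, weighted = summarize(observations, org_prefixes)[org]
    per_thousand = 1000.0 * weighted / address_count(org_prefixes[org])
    penalty = min(1.0, per_thousand / saturation)
    return round(SCORE_MAX - penalty * (SCORE_MAX - SCORE_MIN))


if __name__ == "__main__":
    for org, (n_hosts, weighted) in summarize(OBSERVATIONS, ORG_PREFIXES).items():
        print(f"{org}: hosts={n_hosts} weighted_events={weighted} "
              f"rating={rating(OBSERVATIONS, ORG_PREFIXES, org)}")
```

ExampleCorp, with two beaconing and DoS-sourcing hosts plus a spam relay across 384 addresses, comes out at 595; OtherCo, with one spam relay in a /24, at 849. The `8.8.8.8` beacon is dropped at attribution time, which is exactly why assets living in someone else's address space stay invisible to a network-only rating.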

Cambridge, Mass.-based BitSight was founded in 2011 by Stephen Boyer, CTO, and Nagarjuna Venna, COO. Boyer's background includes a decade working at MIT Lincoln Labs on Internet security projects. The CEO of the start-up is Shaun McConnon.

BitSight last June received $24 million in venture-capital funding from investors that include Menlo Ventures, Globespan Capital Partners, Commonwealth Capital and Flybridge Capital Partners; the company also received earlier seed funding which included a National Science Foundation grant.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com
