In the security ratings market, some offerings claim that a staggering percentage of the data they leverage is proprietary, and downplay the value of externally sourced data. While these companies may state that (close to) 100% of their data collection on IP maps, DNS records, event data and more is proprietary, there are several reasons why this is problematic. Let’s break down the myths surrounding this issue one at a time.
Myth #1: You have more control over your data if the majority is proprietary.
This makes sense in theory, but it does not hold up in practice. At BitSight, we possess the largest proprietary data set in the market (including our ownership of AnubisNetworks, widely regarded as the largest global sinkhole infrastructure) and consider it a cornerstone of both our vision and mission. However, we also recognize the value of gathering data from a variety of outside sources and partners. For every data element that enters our system, our data science team looks for redundancies and correlations with the outside data, ensuring that the data is objective, verifiable and actionable. Cross-correlation is key: a single source cannot be checked against itself, so an observation that looks anomalous can only be confirmed or rejected by comparing it with independent sources. While others may believe they have more control over a strictly proprietary data set, corroboration from outside sources gives BitSight data more validity, and with it both more control and a better understanding of the security landscape. Using outside data sources, BitSight is also able to identify false positives and de-duplicate its data set, providing more actionable data to our customers; a provider that only holds one source of data has nothing independent to compare it against.
Myth #2: Having a majority percentage of proprietary data allows you to cut costs (and transfer that to lower pricing).
Relying strictly on proprietary data does keep all data collection and analysis in-house, but the saving is an illusion: organizations must make massive investments in data infrastructure to make this business model even remotely sustainable. To acquire the correct data, clean it, and analyze it, a company must invest heavily in the right team and tools. Keeping the whole process internal may seem more cost effective, but in reality it places more strain on company resources. Using outside sources for data alleviates some of this strain; it is a smart investment in terms of both data validity and resource requirements.
Myth #3: You can effectively understand third party security postures using only proprietary data.
If security ratings organizations rely solely on proprietary data, it will take them a very long time to scale to the breadth of coverage across the internet that is needed to fully understand a third party's security posture. Third-party data providers are often subject matter experts in their respective domains (email security, mobility, file sharing, IoT, etc.), giving them the most actionable data available on the market today. At BitSight, scalability is a top priority: as the number of security events continues to grow, so does the volume of data describing them. We continue to invest in finding new and innovative data sources that give us breadth and visibility into third-party networks that no other provider can match today.
As noted above, security ratings companies that choose to focus on proprietary data must invest so heavily in their own infrastructure just to scale and build out their product that there is little possibility they can also provide comprehensive visibility into third parties.
Myth #4: Using only proprietary data still provides verifiable correlation to breach.
By definition, if a security ratings organization claims that the majority of its data is proprietary, that data has been examined by no one else in the market, so any claimed correlation to breach rests on that vendor's own word. The data providers BitSight uses are well respected, trusted by millions, and, in some cases, actively providing data to others as well. Anyone can report their findings and claim a correlation to breach; the claim only carries weight once it has been corroborated and validated by independent researchers. BitSight's research shows that companies with a BitSight Security Rating of 500 or less are almost 5 times more likely to be breached than companies with a rating of 700 or higher, and this finding has been validated by AIR Worldwide.
BitSight has a multi-tiered approach to collecting data: a larger proprietary data set than any other security ratings provider, complemented by data from exclusive partnerships and third-party sources. BitSight has the data science experience to show that it does not pay to rely solely on proprietary data; our data has been tested and verified in the market by over 750 customers. Companies relying on security ratings providers without market-tested data may not have the information they need to drive risk reduction. Most importantly, BitSight's data is time-tested. With over 80 billion events collected daily and over 6 years of data, our data set has matured along with the market, unlike data sets that have had very little time to mature in the market.
BitSight is proud to possess the most sophisticated, highest quality data set in the security ratings market. We have the ability to ingest third party data sets and both the technical and data science background that allows us to contextualize and verify the quality and actionability of the data we ingest.