One of the primary reasons that the Bitsight Security Rating is widely respected and closely correlated with real-world security outcomes is the scale and sophistication of our asset attribution capabilities. In a recent post, my colleague Francisco Ferreira shared an update on the momentum building with Bitsight Graph of Internet Assets (GIA), the AI-powered engine we use to map assets to organizations and build our Ratings Trees. As a follow-up to this, I’m going to dive deeper into a specific area where asset attribution can be particularly nuanced: assessing service providers’ security posture. This is an area where we have worked closely with leading cloud service providers like Amazon, Microsoft, and Google for years to continually refine our approach and extend it to thousands of service providers globally.
Asset attribution for technology service providers and IT infrastructure service providers is a complex task. After all, organizations in the cloud service provider, internet service provider, and telecommunications spaces operate vast infrastructure, and due to the nature of the services they provide, many of the connected assets in these environments operate under a shared responsibility model with customers. In this model, the customer, not the service provider, is responsible for certain controls. For example, while cloud service providers like AWS, Microsoft, and Google provide the underlying computing infrastructure for their customers, the functionality sitting on top of it and, by extension, the security posture of these assets, is primarily the customer’s responsibility. Similarly, internet service and telecommunication providers have little control over the systems that their customers connect to their networks – or how secure they are.
This poses an interesting challenge as organizations like Bitsight assess the security posture of service providers. On one hand, service providers have a responsibility to guide their customers toward secure computing practices and compliance with acceptable use policies. At the same time, the security posture of individual customer assets is not necessarily reflective of the service provider’s overall security execution.
Bitsight was the first in the industry to develop a more sophisticated approach to asset attribution for service providers. In 2022, we began a collaboration with several top-tier cloud service providers – including Google Cloud Platform, Microsoft Azure, and AWS – to better understand the problem and develop an initial model for identifying cloud assets with delegated security controls. We implemented this model to better assess cloud service provider ratings and soon after rolled it out for dozens of additional cloud service providers. This provided an immediate impact by giving organizations using or considering a cloud service provider a more accurate view of the provider’s security posture and execution.
After seeing the benefits that our delegated security control model delivered in the service provider space, we began to consider the broader universe of organizations that may delegate security control for connected assets to third parties. This led us to extend our focus to other industry segments, including:
Since this expanded scope resulted in a much larger total number of organizations that must be included in our delegated security control model, our team began a focused effort to bring additional automation and scalability to our approach. This culminated in the launch of our next-generation delegated security control attribution capabilities in late 2023.
This improvement was exceptionally well received by the technology service provider community and users of Bitsight’s products.
Our next-generation model streamlines two critical aspects of technology service provider asset attribution.
Now that we are evaluating a much broader set of organization types for delegated security controls, it is important for us to identify these candidate companies systematically. We start this process by using heuristics to create a candidate list of companies. From there, we use additional natural language processing techniques to refine the suggested classification of each candidate company. Our team then uses this information as a jumping-off point for expert human curation and validation, using details about services the company offers, technical documentation, and other technical and business information to confirm whether or not they fit the profile for delegated security controls. In addition to delivering accurate classifications of organizations delegating security controls, these efforts also feed valuable insights back into our ML algorithms, training them to deliver even higher-quality automated classifications in the future.
Once a company has been classified as eligible for delegated security controls, the next step is to create a list of company-controlled domains. An automated assistant performs a first pass at this based on domain usage and hostname data. This information is then sent to our expert human curators for analysis and validation. Once a clear set of company-controlled names is confirmed, additional automated processes use these names and DNS data to create a list of IPs controlled by the company. All other domains and IPs are then excluded from the company’s Bitsight Rating calculation.
Transparency is a critical aspect of this process. Entity classification, assets, and findings that do not impact the rating are visible to all users of Bitsight’s applications.
Even though assets with delegated security controls are not considered when calculating the Bitsight Rating for IT infrastructure service providers, information about these assets remains of great interest to the service provider they are associated with. It is in the service provider’s interest to identify and mitigate high-risk or non-compliant behavior in their infrastructure, even if it originates from assets with delegated security controls. For example, if a botnet operates through a collection of hijacked home internet routers, the telecommunications provider networks these devices are connected to could suffer performance degradation and expose other customers’ devices to new risks.
The insights that Bitsight provides about these assets enable the service provider to prioritize customer outreach and engagement even though they don’t control the assets directly.
Since introducing our next-generation approach in late 2023, we’ve scaled the number of organizations with delegated security controls into the thousands, furthering our industry lead in ratings quality and trust. Users of the Bitsight platform are taking notice as well. Since we’ve launched our next-generation framework for delegated security controls, we’ve observed a 50 percent increase in the number of subscriptions to information about IT infrastructure service providers covered by this initiative. While many factors may contribute to this increase, it does indicate that users are already seeing greater value in our enhanced service provider ratings.
To learn other innovations and technologies that fuel the betterment of Bitsight Rating, including Bitsight’s internet scanning and AI-based graphing capabilities, download our white paper, “A Data-Driven Approach to Asset Discovery and Risk Measurement.”
You’ll learn how Bitsight GIA and Bitsight Groma, our scanning engine, work in concert to build a living map of the world’s digital ecosystem and capture deep insights about organizational risk posture.