Continuing to Evolve Next-Gen Asset Attribution Through Service Provider Collaboration

Written by Miguel Reis

One of the primary reasons that the Bitsight Security Rating is widely respected and closely correlated with real-world security outcomes is the scale and sophistication of our asset attribution capabilities. In a recent post, my colleague Francisco Ferreira shared an update on the momentum building with Bitsight Graph of Internet Assets (GIA), the AI-powered engine we use to map assets to organizations and build our Ratings Trees. As a follow-up to this, I’m going to dive deeper into a specific area where asset attribution can be particularly nuanced: assessing service providers’ security posture. This is an area where we have worked closely with leading cloud service providers like Amazon, Microsoft, and Google for years to continually refine our approach and extend it to thousands of service providers globally.

Key takeaways

  • Asset attribution for service providers is complex, since they operate under a shared responsibility model where many of their associated assets are under the control – and security oversight – of their downstream customers
  • Through a collaboration with leading cloud service providers that began in 2022, Bitsight developed a framework for excluding assets with delegated security controls from Bitsight Rating calculations
  • In the years since, this model expanded to include other types of service providers operating under a shared responsibility model with customer-controlled assets
  • Bitsight’s next-generation delegated security control framework, which was introduced in late 2023, has now scaled this capability up to thousands of service providers globally and contributed to a 50 percent increase in subscriptions to service provider security ratings in the Bitsight platform

First-in-class industry collaboration with leading cloud service providers

Asset attribution for technology service providers and IT infrastructure service providers is a complex task. After all, organizations in the cloud service provider, internet service provider, and telecommunications spaces operate vast infrastructure, and due to the nature of the services they provide, many of the connected assets in these environments operate under a shared responsibility model with customers. In this model, the customer, not the service provider, is responsible for certain controls. For example, while cloud service providers like AWS, Microsoft, and Google provide the underlying computing infrastructure for their customers, the functionality sitting on top of it and, by extension, the security posture of these assets, is primarily the customer’s responsibility. Similarly, internet service and telecommunication providers have little control over the systems that their customers connect to their networks – or how secure they are.

This poses an interesting challenge as organizations like Bitsight assess the security posture of service providers. On one hand, service providers have a responsibility to guide their customers toward secure computing practices and compliance with acceptable use policies. At the same time, the security posture of individual customer assets is not necessarily reflective of the service provider’s overall security execution.

Bitsight was the first in the industry to develop a more sophisticated approach to asset attribution for service providers. In 2022, we began a collaboration with several top-tier cloud service providers – including Google Cloud Platform, Microsoft Azure, and AWS – to better understand the problem and develop an initial model for identifying cloud assets with delegated security controls. We implemented this model to better assess cloud service provider ratings and soon after rolled it out for dozens of additional cloud service providers. This provided an immediate impact by giving organizations using or considering a cloud service provider a more accurate view of the provider’s security posture and execution.

Broadening the scope to other shared infrastructure providers

After seeing the benefits that our delegated security control model delivered in the service provider space, we began to consider the broader universe of organizations that may delegate security control for connected assets to third parties. This led us to extend our focus to other industry segments, including:

  • Internet service providers that deliver internet access to a significant number of residential or business customers
  • Internet research companies that conduct internet scanning and indexing, malware research, threat research, or similar activities whose network traffic can resemble that of threat actors
  • Network service providers offering data centers, server colocation, infrastructure as a service (IaaS), server virtualization, virtual private network (VPN), or traffic proxying services
  • Platform as a service (PaaS) platforms that offer customers shared cloud infrastructure to build and run applications

Since this expanded scope resulted in a much larger total number of organizations that must be included in our delegated security control model, our team began a focused effort to bring additional automation and scalability to our approach. This culminated in the launch of our next-generation delegated security control attribution capabilities in late 2023.

This improvement was exceptionally well received by the technology service provider community and users of Bitsight’s products.

How our delegated security control framework works

Our next-generation model streamlines two critical aspects of technology service provider asset attribution.

Classifying companies that delegate security controls

Now that we are evaluating a much broader set of organization types for delegated security controls, it is important for us to identify these candidate companies systematically. We start this process by using heuristics to create a candidate list of companies. From there, we use additional natural language processing techniques to refine the suggested classification of each candidate company. Our team then uses this information as a jumping-off point for expert human curation and validation, using details about services the company offers, technical documentation, and other technical and business information to confirm whether or not they fit the profile for delegated security controls. In addition to delivering accurate classifications of organizations delegating security controls, these efforts also feed valuable insights back into our ML algorithms, training them to deliver even higher-quality automated classifications in the future.

Identifying assets with delegated security controls

Once a company has been classified as eligible for delegated security controls, the next step is to create a list of company-controlled domains. An automated assistant performs a first pass at this based on domain usage and hostname data. This information is then sent to our expert human curators for analysis and validation. Once a clear set of company-controlled names is confirmed, additional automated processes use these names and DNS data to create a list of IPs controlled by the company. All other domains and IPs are then excluded from the company’s Bitsight Rating calculation.
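To make the attribution step above concrete, here is a toy version of it in Python. This is an added example, not Bitsight code: the provider apex, hostnames, DNS records, address blocks and findings are all constructed, and the decision rules (a curated name or any IP it resolves to is company-controlled; anything else inside the provider's address space or under its apex is delegated; anything outside both is not this provider's asset at all) are assumptions that stand in for the real model. The point it illustrates is that owning a netblock is not the same as controlling what runs in it: the IP of a customer workload is excluded from the rating even though the provider announces the prefix.

```python
"""Toy attribution pass: which assets count toward a provider's rating?

Added example, not Bitsight code. All names, addresses and findings are
constructed for illustration; the decision rules are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed: provider apex and the names curation confirmed as
# company-controlled (the provider's own web, console and API endpoints).
PROVIDER_APEX = "example-cloud.test"
CONTROLLED_NAMES = {
    "www.example-cloud.test",
    "console.example-cloud.test",
    "api.example-cloud.test",
}

# Constructed passive-DNS style records, hostname -> resolved addresses.
DNS_RECORDS = {
    "www.example-cloud.test": ["198.51.100.10"],
    "console.example-cloud.test": ["198.51.100.11"],
    "api.example-cloud.test": ["198.51.100.12", "2001:db8:1::12"],
    # Customer workloads that live in the provider's address space.
    "shop.acme-customer.test": ["203.0.113.25"],
    "vm-4711.compute.example-cloud.test": ["203.0.113.26"],
}

# Constructed: address space the provider announces (documentation prefixes).
PROVIDER_BLOCKS = [
    ip_network("198.51.100.0/24"),
    ip_network("203.0.113.0/24"),
    ip_network("2001:db8::/32"),
]


@dataclass(frozen=True)
class Finding:
    asset: str        # hostname or IP literal the observation was made on
    risk_vector: str  # e.g. "tls", "botnet", "open_ports"
    detail: str


def controlled_ips(controlled_names, dns_records):
    """DNS step: only addresses reached from a curated name are company-controlled."""
    return {
        ip_address(addr)
        for name in controlled_names
        for addr in dns_records.get(name, ())
    }


def in_provider_space(addr, provider_blocks):
    """True if the address falls inside any block the provider announces."""
    return any(addr in block for block in provider_blocks)


def classify_asset(asset, controlled_names, ctrl_ips, provider_blocks, dns_records):
    """Return 'rated' (counts), 'delegated' (shown, excluded) or 'unattributed'."""
    try:
        addr = ip_address(asset)
    except ValueError:
        addr = None  # not an IP literal, so treat it as a hostname

    if addr is not None:
        if addr in ctrl_ips:
            return "rated"
        return "delegated" if in_provider_space(addr, provider_blocks) else "unattributed"

    if asset in controlled_names:
        return "rated"
    resolved = [ip_address(a) for a in dns_records.get(asset, ())]
    if any(a in ctrl_ips for a in resolved):
        return "rated"  # assumption: shares an address with a curated name
    if asset.endswith("." + PROVIDER_APEX) or any(
        in_provider_space(a, provider_blocks) for a in resolved
    ):
        return "delegated"
    return "unattributed"  # assumption: belongs on some other organization's map


def partition_findings(findings, controlled_names=CONTROLLED_NAMES,
                       dns_records=DNS_RECORDS, provider_blocks=PROVIDER_BLOCKS):
    """Split findings into the three buckets; only 'rated' feeds the rating."""
    ctrl_ips = controlled_ips(controlled_names, dns_records)
    buckets = {"rated": [], "delegated": [], "unattributed": []}
    for f in findings:
        buckets[classify_asset(f.asset, controlled_names, ctrl_ips,
                               provider_blocks, dns_records)].append(f)
    return buckets


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("api.example-cloud.test", "tls", "TLS 1.0 still enabled"),
    Finding("198.51.100.11", "open_ports", "management port exposed"),
    Finding("203.0.113.25", "botnet", "beaconing to known C2"),
    Finding("vm-4711.compute.example-cloud.test", "open_ports", "RDP exposed"),
    Finding("192.0.2.9", "tls", "expired certificate"),
]

if __name__ == "__main__":
    for bucket, items in partition_findings(SAMPLE_FINDINGS).items():
        print(bucket, [f.asset for f in items])
```

Running it puts the API hostname and the console's IP in the rated bucket, the customer VM and the botnet-infected customer address in the delegated bucket (visible, but not counted), and the unrelated address in neither. The delegated bucket is exactly the set a provider would want for customer outreach.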

Transparency is a critical aspect of this process. Entity classification, assets, and findings that do not impact the rating are visible to all users of Bitsight’s applications.

Information available for companies with Delegated Security Controls

Even though assets with delegated security controls are not considered when calculating the Bitsight Rating for IT infrastructure service providers, information about these assets remains of great interest to the service provider they are associated with. It is in the service provider’s interest to identify and mitigate high-risk or non-compliant behavior in their infrastructure, even if it originates from assets with delegated security controls. For example, if a botnet operates through a collection of hijacked home internet routers, the telecommunications provider networks these devices are connected to could suffer performance degradation and expose other customers’ devices to new risks.

The insights that Bitsight provides about these assets enable the service provider to prioritize customer outreach and engagement even though they don’t control the assets directly.

Scaling our approach and assessing customer confidence

Since introducing our next-generation approach in late 2023, we’ve scaled the number of organizations with delegated security controls into the thousands, furthering our industry lead in ratings quality and trust. Users of the Bitsight platform are taking notice as well. Since we’ve launched our next-generation framework for delegated security controls, we’ve observed a 50 percent increase in the number of subscriptions to information about IT infrastructure service providers covered by this initiative. While many factors may contribute to this increase, it does indicate that users are already seeing greater value in our enhanced service provider ratings.

Free Whitepaper

To learn about other innovations and technologies that improve the Bitsight Rating, including Bitsight’s internet scanning and AI-based graphing capabilities, download our white paper, “A Data-Driven Approach to Asset Discovery and Risk Measurement.”

You’ll learn how Bitsight GIA and Bitsight Groma, our scanning engine, work in concert to build a living map of the world’s digital ecosystem and capture deep insights about organizational risk posture.