Security Ratings: A Big Data Approach to Measuring and Mitigating Security Risk
The increasing volume of breaches we hear about in the news highlights the challenge risk managers face in working to address cyber risk. Current assessment methods, while insightful, are inadequate due to the pace at which security postures change, leaving organizations vulnerable and exposed in the blink of an eye. In order to truly reduce security risk, managers need more insight and better tools that allow for continuous visibility into the ever-changing network environments they are administering.
Join Stephen Boyer, CTO and co-founder of BitSight Technologies, and Oliver Brew, Vice President of Professional Liability at Liberty International Underwriters (LIU) for this webinar to discover:
- Why measuring security risk is difficult and how some assessment methods leave organizations vulnerable to threats and financial loss
- How forward-looking organizations are using Big Data to reduce risk, increase transparency and address new regulatory requirements
- Case Study: How LIU is using Security Ratings to mitigate risk
Recorded Apr 17 2014, 46 mins
Email remains a critical component of business processes. Strong interest in and adoption of Microsoft’s Office 365 online productivity and collaboration suite is pushing email to the cloud. However, Office 365 has many security and risk professionals scrambling to figure out which security controls are necessary to secure email.
While Office 365 provides native security functionality, enterprises need to understand the gaps and where additional security might be necessary to protect them from today’s advanced threats. Join Ryan Kalember, Proofpoint SVP of Cybersecurity, to discuss the key capabilities that enterprises should consider for their Office 365 email environment.
Key takeaways include:
• Why the shift to Office 365 increases criticality of email security
• Common pitfalls to avoid in the planning stages
• Key security capabilities to protect from advanced threats
Learn more about how Proofpoint has helped customers find success with their Office 365 initiative with advanced security, end-to-end insights and rapid response capabilities, and email continuity.
Guest speaker Kelley Mak of Forrester Research will also be on hand to discuss the industry at large from an independent perspective.
PCI compliance is a steep enough challenge, but what happens when your entire infrastructure is in AWS? Do the same concepts of network segmentation and separation apply, and if so how? At what point do AWS compliance efforts intersect with your compliance efforts?
Join this webinar where we will cover how a customer is using the Palo Alto Networks VM-Series for AWS to maintain separation of data and traffic in AWS to improve security and achieve PCI compliance.
Join Keyaan Williams, Senior Executive, C|CISO Programs at EC-Council for his Corporate Governance for CISOs webinar series! The first webinar in the series will cover the topic of Asset Management from an executive perspective. This session will focus on some fundamental concerns that an organization must address to support an effective information security program. How do you identify asset owners? What are examples of effective classification strategies? What type of inventory do you maintain to manage your asset information? What relationship do asset management and change management share?
Between constraints on IT security skills and the rise of cloud adoption, it is increasingly difficult to control security policies across the heterogeneous network. Network security and operations teams are expected to ensure and initiate connectivity while protecting the attack surface from the next cyber threat and complying with internal policies and industry regulations. Join us for a webinar session with ESG senior principal analyst Jon Oltsik, as he reviews the latest findings of a recent survey on how cloud adoption is transforming network security operations. In this session we will also examine how security policy orchestration can help address some of the key challenges of managing security and connectivity in the cloud, and across hybrid cloud and physical networks.
Are you an (ISC)² member with questions about your certification? Would you like to hear more about member benefits and how (ISC)2 can help you? Join the Guide to your (ISC)2 Membership in EMEA webinar to learn more about these topics and others including:
• CPE opportunities, member benefits and getting involved
• Your membership requirements summarized
• Who the (ISC)2 EMEA team are and how we can help you
Application Defender can provide consistent and centralized logging of application use and abuse to SOCs or others tasked with Security Monitoring. Learn about the Application Logging categories and use cases that will enable you to gain visibility into application activity across the whole enterprise without changing source or parsing logs.
The Industrial Internet of Things is rapidly evolving, both in terms of its business requirements and the enabling technologies needed to improve decision-making and gain competitive advantage. The ideal technical solution should be able to fuse streaming Fast Data coming from IoT devices and sensors with static Big Data about customers and assets.
In this webinar, hosted by Brian Clark of Objectivity and analyst Jason Stamper of 451 Research, we’ll discuss how to augment these critical categories:
We’ll explain the technical challenges involved when supporting massive volumes of data in a mixed workload environment, and how to leverage open technologies, such as Spark and HDFS, to enable real-time IoT intelligence.
Security practitioners must take a proactive, inside out approach to managing their organization’s cyber risk. But the challenges lie in effectively measuring the overall risk posture of the business. The manual process tied to analyzing security data today is demanding and error prone. To address this, the security and risk department needs an automated and repeatable process that makes sense of the volumes of security data from their existing solutions. This would allow them to effectively communicate a traceable and actionable view of cyber risk to line of business owners and the board of directors.
Please join us on Thursday, April 28, 2016 at 10:00 a.m. PT for a live Bay Dynamics webinar as Humphrey Christian, Vice President, Product Management, explains how your organization can obtain a 360 degree view of your cyber risk posture.
What were the overall trends in cyber breaches, and what does this mean for organizations and the third party vendors with whom they work?
In this webinar, Advisen, an insurance analytics firm, will analyze cyber breaches and identify ebbs and flows throughout 2015 and into 2016. Panelists will then take the unprecedented step of correlating the data Advisen and Bitsight possess to take an even deeper dive to find possible threats to an organization’s cybersecurity — giving all stakeholders greater visibility into the cyber posture of organizations as well as their third party vendors.
Jay Jacobs, Senior Data Scientist, BitSight
Aloysius Tan, Product Manager, Advisen
Chad Hemenway, Managing Editor, Advisen (moderator)
How do organizations assess and manage the security risk posed by their vendors and suppliers? What kind of programs do organizations have in place to manage risk, and how mature are these programs?
In this webinar, Stephen Boyer, CTO and Co-Founder of BitSight, and Joyce Chutchian, Senior Managing Editor, IDG Enterprise, discuss recent survey data on the maturity of vendor risk management programs. This presentation will provide an in-depth analysis of which methods organizations are using to mitigate third party risk.
Attendees will also learn:
- Why vendor risk management is becoming a standard business practice
- About the challenges organizations face in building a formalized vendor risk program
- How continuous monitoring solutions and security ratings can help bolster vendor risk management programs
Recent high profile data breaches have made it obvious that organizations often underestimate the risk their vendors present, and struggle to evaluate third party cyber risk.
In this webinar Mike Rothman, Analyst & President of Securosis, and Tom Turner, President and COO of BitSight, describe how organizations can build a systematic means to evaluate the IT risk presented by business partners and vendors.
Viewers will learn about:
- Understanding Third Party IT Risk
- Structuring Vendor Risk Management Programs
- Evaluating Vendor Risk
- Ongoing Vendor Monitoring and Communication
Infections are a growing threat to business networks. Symantec recently noted that over a million new malware threats are released every day. This leaves companies searching for solutions to prevent infections before they occur - and identify infections that do happen to infect company devices.
Join Payal Mehrotra, BitSight Product Manager, for this webinar to learn how security programs can leverage the BitSight platform to identify and remediate infections on their network, including spam, botnets and malware. She will give an overview on how BitSight identifies infections and how alerts and forensics can help organizations detect and remediate issues as they occur.
Cybersecurity is now a #1 concern for board members. What should they know? How should it be presented?
Richard Clarke knows. As a senior White House advisor to four U.S. Presidents, a member of three corporate boards, and CEO of Good Harbor Security Risk Management, he’s talked cybersecurity in the Situation Room and the boardroom.
Jasper Ossentjuk also knows how to present cybersecurity in the boardroom. As SVP and CISO for TransUnion, Jasper regularly presents information to his Board about his organization's security posture.
On March 22 at 2PM ET, join Richard and Jasper for a discussion of:
- What cybersecurity metrics and measurements are most important for the board
- Methods for security leaders to communicate security issues across the enterprise
- How to graphically represent your cybersecurity program
The transition to large scale outsourcing among large and mid-sized companies has increased the number of fourth party connections and the dependency on cloud service providers, web hosting platforms, and other cloud services. As companies rely on a handful of service providers, they become vulnerable to single points of failure in their supply chains. Cyber criminals may be able to breach multiple organizations across different industries through a single attack on a service provider.
Today, insurance companies lack sufficient visibility into the level of concentration of third party cloud providers in their book of business. To successfully assess and mitigate this level of cyber risk aggregation, insurers must identify areas of third party concentration in their portfolios, where a single breach of a compromised service provider could lead to dozens or hundreds of cyber claims.
Join Jay Jacobs, Senior Data Scientist and Ira Scharf, GM of Worldwide Insurance at BitSight on March 15 at 2:30 PM for a discussion of:
- Why organizations need to be aware of fourth party connections as they transition to the public cloud and digital systems
- Which industries could be most impacted by service provider outages and which of these industries rely on obsolete software
- How insurers will approach cyber risk aggregation
The Higher Education sector is a large target for cyberattacks because of the research in science and technology that can be leveraged for commercial gain. However, colleges and universities often have unique requirements and specific challenges in securing their networks.
In this webcast Stephen Boyer, of BitSight Technologies and Chris Schreiber of University of Arizona discuss:
- The specific challenges that universities and colleges face in mitigating cyber risk
- How threats like peer to peer file sharing present greater risk to this sector
- How universities can use BitSight Security Ratings to mitigate cyber risk and improve their security posture
Understanding the cybersecurity posture of vendors, suppliers, and third-parties is now a necessity for businesses in all industries. Yet, many businesses do not have a formalized vendor risk management program. There are multiple components needed to create a comprehensive vendor risk management program. These span governance and control, as well as security controls and technology.
Join Jake Olcott, VP at BitSight on February 9 as he highlights best practices and industry standards for vendor risk management programs. Attendees will learn:
- Which frameworks and methodologies can help get you started
- Vital questions you should be asking your vendors
- Why continuous monitoring and verifying vendor security is crucial to mitigate cyber risk
Many recent data breaches have exploited security weaknesses in third-party vendors to attack businesses. As supply chains grow and business functions increasingly get outsourced, the amount of data given to third parties has increased.
In this webinar, Benjamin Fagan, Product Marketing Specialist, will discuss why vendor risk management should be a top priority for your business. Additionally, he will discuss how BitSight can help manage the cyber risk of your vendors.
While many businesses these days have policies in place that prohibit employees from peer to peer file sharing in the office, this activity occurs on a significant percentage of company networks. Beyond the dangers of downloading copyrighted material and breaking corporate policies, employees that engage in peer to peer file sharing could be bringing malware onto corporate networks without their knowledge.
BitSight recently observed the use of the BitTorrent protocol for over 37,000 entities and found that over 40% of torrented applications contain malicious software. Join Mike Woodward, Program Director of Data as he explains:
- the correlation between BitTorrent activity and botnet infections
- the percentage of torrented applications that contain malware
- which industries face the greatest challenges with peer to peer file sharing
Vendor risk management has long been an area of concern for Financial Institutions. Regulators are now looking for banks to do more and provide a higher level of assurance about the security practices of their vendors. But how? With regulators continuously raising the bar, one thing is clear: the vendor reviews of the past will no longer be sufficient in today's environment.
In this presentation Stephen Boyer, CTO, and Cofounder of BitSight Technologies will explore:
- The evolving regulatory landscape regarding Vendor Risk Management and the practices organizations are adopting to meet these more stringent demands.
- Why continuous monitoring of vendor security performance is both critical and achievable, through the use of data-driven, evidence-based security ratings
- How a global financial services firm is transforming the way they select and interact with vendors and suppliers, detailing their own industry-leading practices in VRM and how the use of security performance ratings is allowing them to harden their extended enterprise.
The market for cyber insurance is expanding rapidly, yet a dearth of actuarial data continues to present challenges for underwriters looking to assess and quantify risk. With so many cyber risk metrics being used, how can underwriters actually know how likely a policyholder is to experience a data breach, and thus how likely they are to have to pay out?
Join Ira Scharf, GM of Worldwide Insurance at BitSight, and Dave Bradford, President of Research and Editorial at Advisen, as they discuss new correlations between BitSight Security Ratings and data breaches.
Attendees will learn:
- Why security ratings are a clear indicator of cyber risk
- How likely companies with BitSight ratings of 400 or below are to experience a data breach
- How underwriters, policyholders, and applicants can use BitSight Security Ratings to lower their cyber risk
How can companies effectively measure their company’s risk of a data breach? What security metrics are most important when it comes to determining breach risk? How do different types of security compromises, whether botnet infections or brand name SSL vulnerabilities, contribute to an organization’s risk profile? Can you aggregate data to create high-level ratings to measure and report on cybersecurity risk?
Join BitSight’s Chief Technology Officer Stephen Boyer and Senior Data Scientist Jay Jacobs to get these questions answered - and more. This data driven webinar will highlight the extensive analysis that the BitSight Data Science team undertakes to make security signals into concrete risk mitigation actions. Perhaps most importantly, the speakers will give guidance on how security and risk professionals at every level - from the board room to the server room - can drive positive change throughout their organizations.
Many recent breaches have exploited security weaknesses in third party vendors and suppliers to attack business and government agencies. In this webinar, the Deputy CISO at Fannie Mae will detail his experience using BitSight Security Ratings to assess the cybersecurity level of third party business partners and vendors, as well as using BitSight for ongoing monitoring of externally visible signs of lapses in security levels. This presentation will contain a discussion of lessons learned and best practices as well as detail the metrics used to demonstrate the business value gained by a repeatable and ongoing approach for monitoring third party security levels.
Jacob Olcott, Vice President, BitSight; Nell Minow
There’s no doubt that cyber attacks cause real financial harm to businesses. Money can be stolen and business operations disrupted. Cyber theft can provide international competitors with years’ worth of valuable intellectual property or trade secrets virtually overnight, jeopardizing current and future market opportunities. Cyber attacks can seriously damage an organization’s reputation with customers and result in legal liability for the company, executives, and board members.
As companies race to protect themselves, how do investors know if the organizations they are investing in are secure?
Join Jacob Olcott, VP at BitSight, and Nell Minow, corporate governance expert and co-founder of Institutional Shareholder Services (ISS), for a discussion of key issues, including:
- How investors assess cybersecurity in the M&A diligence process
- What institutional shareholders want to know about cyber risks to their investments
- How shareholders can meaningfully engage with companies on cybersecurity
Managing cyber risk isn’t just about protecting your own house. As we’ve learned from Target and other major breaches, organizations must also be diligent in overseeing risks to vendors, business associates, and other third parties that have access to sensitive data or provide important services. For credit unions, regulatory pressure and cost concerns can make this a daunting task.
Fortunately, there are several cost-effective, proactive measures organizations can take immediately to mitigate third party cyber risk. Join Jacob Olcott, VP of Business Development at BitSight Technologies, as he discusses ways to get started on a vendor risk management program. Viewers will learn:
- Five steps you can take immediately to mitigate third party cyber risk
- The types of businesses in your supply chain that may pose risks
- How BitSight Security Ratings streamline the process of vendor risk management
Mike Woodward, Program Director of Data, BitSight Technologies
Some cyber security analysts called 2014 “the year of the retail breach” due to major breaches affecting major American retailers and leading to millions of compromised customer records. Cyber security has continued to grab the headlines over the past year, as major breaches have affected companies across all industry sectors, from healthcare to finance.
Join this webinar to learn more about the security performance of six major industry sectors: finance, government, retail, utilities/energy, healthcare and education. Mike Woodward, Program Director of Data will reveal interesting insights into the performance of each industry based on BitSight’s proprietary Security Ratings data.
Attendees will learn:
- What are Security Ratings and how are they developed
- How and why does security performance vary across different industries
- Which industry sectors are still vulnerable to Heartbleed, POODLE and FREAK
- What botnets are trending across different industry segments
Stephen Boyer, CTO & Co-Founder, BitSight Technologies; Featuring Renee Murphy, Senior Analyst, Forrester Research
While many companies focus their effort on reducing cybersecurity risk, more threats are being discovered daily. Point-in-time, subjective questionnaires are not in line with the new regulations requiring continuous monitoring of vendors, partners and other third parties.
In “Continuous Third Party Monitoring Powers Business Objectives,” BitSight CTO and Co-founder Stephen Boyer and guest speaker, Forrester Research Senior Analyst Renee Murphy will discuss the value businesses are finding in using a solution that has a constant eye on third party cyber threats.
Boyer and Murphy will also discuss:
- The results of the study BitSight commissioned Forrester Consulting to undertake, examining how IT decision-makers feel about objective, reliable and continuous monitoring.
- What can be done beyond compliance to increase security performance.
- Which industries stand to benefit most from using automated, objective information security data.
- Specific use cases for continuous monitoring and how they help companies improve information security performance.
Debbie Umbach, Director of Product Marketing at BitSight
As mitigating third party risk becomes an essential business function across many industries, business relationships will be tested. Organizations must now subscribe to a “trust, but verify” philosophy to ensure their third parties are secure. To verify vendor security, organizations now use BitSight Security Ratings, which are gathered externally and don’t rely on any vendor input.
On August 27 at 1:00 pm EST join Debbie Umbach, Director of Product Marketing at BitSight as she discusses the best practices for implementing vendor security ratings. Viewers will learn:
- different approaches for incorporating BitSight Security Ratings into vendor risk management (VRM) programs, whether your program is just getting started or is well underway
- how companies have used BitSight Security Ratings to notify key vendors of security incidents
- how vendor ratings can allow for more effective communication and thus greater transparency
Mike Woodward, Program Director of Data at BitSight
Over the years, businesses have outsourced key business functions and supply chains have grown, increasing risks in the process. When assessing risk for third parties, many companies may immediately think of their banks, their IT service providers, or their software manufacturers. However, there are many overlooked segments of the business services industry that could pose significant risks.
On August 19 at 1:00 pm EST, join Mike Woodward, Program Director of Data at BitSight as he discusses:
– how Accounting, Benefits, Law Firms, and PR Firms differ in security performance
– how quickly these sub-sectors remediate infection on their networks
– how continuous monitoring of vendors can help mitigate the risk of service providers
Find Out How Security Ratings can Reduce Your Company's Risk.
The BitSight Security Rating Platform gathers terabytes of data on daily security outcomes from hundreds of sensors deployed across the globe.
All of the data is externally available and collected without any intrusive testing. Data is classified into several risk categories, including botnets, spam, malware, unsolicited communication, DDoS, and system configuration, and then mapped to an organization's known networks.
BitSight’s sophisticated algorithms analyze the data for severity, frequency, duration, and confidence to create an overall rating of that organization’s security performance.