The company's founder explains how BitSight not only rates other companies' security posture, but also rates itself.
Security ratings company BitSight Technologies announced on Sept. 15 that it has raised $40 million in a Series C round of funding, bringing total funding to date to $95 million.
The new funding, which was led by GGV Capital and included the participation of Flybridge Capital Partners, Globespan Capital Partners, Menlo Ventures, Comcast Ventures, Liberty Global Ventures and Singtel Innov8, will be used to help BitSight with its global engineering, marketing and sales efforts.
"It was a very over-subscribed round, and we could have raised a lot more," Tom Turner, president and COO of BitSight, told eWEEK. "But we didn't want to raise more as we have plenty of cash in the bank and we're not going to start lighting Cuban cigars with $100 bills."
Turner said he always wants to make sure that money being raised is being put to effective use. BitSight's core product is a software-as-a-service (SaaS) security ratings service. BitSight's customers make use of the ratings to better understand the security of partners and vendors in a quantitative manner.
The BitSight platform enables continuous monitoring of security posture that can help reveal potential areas of risk. Turner explained that the data gathered by BitSight doesn't involve an invasive scan of the company being rated. The collected data includes sources of information about whether an organization has compromised systems, as well as its overall security hygiene. Security hygiene elements include the status of security certificates and whether an organization's staff is participating in risky behaviors, including the use of public file-sharing services.
In terms of data collection, Nagarjuna Venna, founder and chief product officer of BitSight, said his company's platform doesn't do any active scanning of specific organizations. Rather, he said, at least 60 percent of the data collected by BitSight comes from the company's ability to identify compromised systems within an organization without ever actually being inside the compromised organization's network.
"We use various techniques to identify malware compromises and botnet infections inside of a company," Venna told eWEEK. "Basically, we use sinkholes to identify malware, and we can also identify what machines have been compromised by the malware."
A security sinkhole is a legitimate-looking server set up by researchers to attract malicious botnet traffic. Venna said that many companies assume that if they implement security best practices, including network and endpoint security technologies, they will have good security outcomes.
"What we're actually trying to do at BitSight is to verify if the organization really is getting a good security outcome," he said. "So a lot of the data that we collect will show if the people, technologies, policies and procedures used by a company are actually working."
The fact that a given company has been compromised isn't the only important metric that BitSight measures. Venna said that BitSight also looks to discover how long it takes an organization to recover from a compromise.
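The two measurements described above, attributing sinkhole hits to an organization's address space and tracking how long each affected host keeps beaconing, can be illustrated with a short script. The following is an added example written for this article, not BitSight's code: the log format, the documentation-range netblocks and the organization names are all constructed, and a real sinkhole feed would carry far more fields.

```python
"""Constructed example: turn sinkhole hits into per-organization compromise metrics.

A sinkhole only ever sees traffic that infected hosts send to it, so the
observer never touches the rated organization's network. Attribution to an
organization is done by matching the source address against known netblocks.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sinkhole log: timestamp, source IP, malware family that beaconed.
SINKHOLE_LOG = """\
2016-09-01T08:00:00Z 203.0.113.10 FamilyA
2016-09-01T08:05:00Z 203.0.113.11 FamilyA
2016-09-02T09:00:00Z 203.0.113.10 FamilyA
2016-09-03T10:00:00Z 198.51.100.7 FamilyB
2016-09-04T11:30:00Z 203.0.113.10 FamilyA
2016-09-09T12:00:00Z 198.51.100.7 FamilyB
2016-09-10T12:00:00Z 192.0.2.5 FamilyC
"""

# Constructed netblock ownership (hypothetical organizations on RFC 5737 prefixes).
NETBLOCKS = {
    "203.0.113.0/24": "ExampleCorp",
    "198.51.100.0/24": "ExampleBank",
}


def parse_log(text):
    """Parse 'timestamp ip family' lines into (datetime, ip_address, family) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, family = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       ipaddress.ip_address(ip), family))
    return events


def attribute(ip, netblocks):
    """Return the organization owning the netblock that contains ip, or None."""
    for cidr, org in netblocks.items():
        if ip in ipaddress.ip_network(cidr):
            return org
    return None


def summarize(events, netblocks):
    """Per organization: distinct beaconing hosts, families seen and the longest
    span (in whole days) between a host's first and last sinkhole contact.
    That span is the 'how long until it was cleaned up' signal the article mentions.
    """
    hosts = defaultdict(dict)  # org -> ip -> {"first", "last", "families"}
    for ts, ip, family in events:
        org = attribute(ip, netblocks)
        if org is None:  # address not in any rated organization's space
            continue
        rec = hosts[org].setdefault(str(ip), {"first": ts, "last": ts, "families": set()})
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
        rec["families"].add(family)

    summary = {}
    for org, by_ip in hosts.items():
        spans = [(r["last"] - r["first"]).days for r in by_ip.values()]
        families = set().union(*(r["families"] for r in by_ip.values()))
        summary[org] = {
            "compromised_hosts": len(by_ip),
            "hosts": sorted(by_ip),
            "families": sorted(families),
            "longest_beacon_days": max(spans),
        }
    return summary


if __name__ == "__main__":
    for org, metrics in summarize(parse_log(SINKHOLE_LOG), NETBLOCKS).items():
        print(org, metrics)
```

The unattributed 192.0.2.5 hit is dropped rather than guessed at; in practice the quality of the netblock-to-organization map is what decides whether a rating lands on the right company.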
BitSight has sensors distributed across the internet. The back-end infrastructure stack includes a Hadoop cluster and makes use of Apache Spark for big data processing. The back-end server infrastructure runs mostly on Amazon's cloud, Venna noted.
While BitSight rates other companies' relative security posture, it doesn't shy away from rating itself.
"We have an interesting rating for ourselves, since one of the things we do at BitSight is malware research," Venna said. "So some of the people in our research teams are visiting malware sites so they can download samples, and some of that gets caught up in our sinkhole and it impacts our rating."
Looking forward, Venna said that the focus is to help organizations make use of BitSight ratings as part of day-to-day operations and processes.
With the Series C round of funding in hand, Turner said he plans on hiring another 90 to 120 people in the next 12 months to help grow the company.
"Our vision is to be the standard in the industry for security ratings," Turner said.
Sean Michael Kerner is a senior editor at InternetNews.com. Follow him on Twitter @TechJournalist.