
Bitsight for Security Performance Management
Continuous monitoring has improved vendor risk visibility and supports strategic decisions
What is our primary use case?
My main use case for Bitsight involves multiple reasons; I used it primarily for continuous vendor risk visibility, and I did not want to rely on annual questionnaires. Vendor onboarding risk assessment, continuous third-party monitoring, and high-risk vendor prioritization capability were essential, as I reported this back to the board and used it for executive dashboarding.
A specific example of how I used Bitsight for vendor risk visibility and prioritization is that it serves as an external cyber risk rating platform or a cybersecurity posture platform that provides outside-in visibility of an organization and third parties. I utilized the features for my third-party risk management framework, conducting attack surface understanding and visibility for third parties. It helped me with continuous monitoring and executive reporting. I view this as a continuous cyber risk intelligence layer that can be used for vendors and helps monitor enterprise risk exposure.
Regarding my main use case, I have nothing specific to add, except for the fact that I did not construe Bitsight as a vulnerability management tool or a scanner, which many organizations use this for. In order to manage the external exposure to the organization, wherein I could manage the domains, IPs, and cloud footprint of third-party service providers, it really helped me in conducting due diligence for potential partners and service providers, and it really supported the organization in merger and acquisition strategy.
What is most valuable?
The best features Bitsight offers include security ratings, also known as a cyber score, which helps me do continuous monitoring. I can run this tool for a large number of high-risk vendors, enabling vendor benchmarking. External attack surface visibility is another feature that I used comprehensively, and third-party ecosystem monitoring provides that visibility. Finally, executive reporting dashboards sum everything up.
Among the features including security ratings, attack surface visibility, and executive reporting, scalability is what made the biggest difference for my team's day-to-day work. My colleagues responded positively to the continuous monitoring provided by Bitsight, enabling us to do vendor comparisons and benchmarking, leading to very good executive-friendly risk visualization.
Bitsight has positively impacted the organization by helping with vendor benchmarking and providing outside-in cyber visibility across hundreds of vendors, which is the biggest plus.
The impact includes more contextual prioritization, which is the biggest business benefit I gained. Reporting to the board, getting dashboards, visibility, and analytics is absolutely fine, but contextual prioritization allows me to assess which vendor has the largest exposure and where I need to be more careful, what kind of remediation activities need to be implemented, and this led to faster remediation visibility improvements with the vendor community.
What needs improvement?
There are opportunities for improvement in Bitsight. Better explainability of cyber scores is something that Bitsight can work upon, along with addressing false positives. Better cloud-native visibility to identify where service providers might be exposed, and further enhancements in predictive risk and analytics are areas that can be developed.
I covered the main points about needed improvements, emphasizing that everything else is operational and not a limitation on Bitsight's usage.
I would rate Bitsight closer to nine, or somewhere between eight and nine. The reasons I do not rate it a ten relate to the opportunities for improvement I mentioned, such as broader risk, cyber risk intelligence, and emphasis on supply chain risk intelligence. There is potential for improvement in AI-assisted prioritization as it matures.
I choose eight as my official rating of Bitsight.
I chose eight as my rating for Bitsight because it needs to move in the direction of providing broader risk, cyber risk analysis, working more on supply chain risk intelligence, and using AI for prioritization further. I talked about areas of improvement concerning predictive risk analysis, reduction of false positives, and better explainability of the scores, which justifies my rating as eight rather than ten.
Regarding Bitsight's AI capabilities, I am not very sure about the governance and security aspects of AI that Bitsight uses, as I am not aware of any policies they may have regarding AI usage for their services. However, I think AI should be used much more strongly to enhance predictive analysis by Bitsight.
The accuracy and reliability of Bitsight's output stem from its capability of using AI effectively. AI relies on a lot of data from continuous monitoring, enabling faster risk triaging based on the outcomes generated by the AI engine. I believe it is a highly reliable outcome, and the platform has a mature rating system, provides good benchmarks, and has strong enterprise acceptance, so the outcome from the AI engine is quite reliable but can be further improved for predictive assessments.
For how long have I used the solution?
I have been using Bitsight for over four years, precisely four and a half years, and I have actually used this at Nissan Motor Corporation, where I was the Global Deputy Chief Information Security Officer.
What do I think about the stability of the solution?
Bitsight is stable in my experience; I have not faced any significant downtime or reliability issues, aside from some minor occurrences. It is highly reliable, scalable, and always available.
What do I think about the scalability of the solution?
Bitsight's scalability is impressive; it handles increasing workloads and more vendors easily. I found that its scalable third-party risk assessment operating model is not merely a scorecard dashboard but a comprehensive assessment tool.
How are customer service and support?
The customer support for Bitsight is responsive and helpful.
I would rate Bitsight's customer support a nine on a scale of one to ten.
Nine is my rating for Bitsight's customer support.
Which solution did I use previously and why did I switch?
I did not use any other solution before Bitsight, although I can mention that I conducted POCs with two solutions, SecurityScorecard and RiskRecon, before choosing Bitsight.
What was our ROI?
I see a return on investment with Bitsight clearly, as it becomes evident when I monitor hundreds or even thousands of vendors and replace traditional assessments with continuous monitoring. The ROI appears due to the reduction in manual risk efforts, as I have continuous monitoring instead of periodic assessments, with visibility into third-party cyber posture. Specific examples include a percentage reduction in manual vendor reviews, leading to substantial time savings during onboarding.
What's my experience with pricing, setup cost, and licensing?
My experience with Bitsight's pricing, setup cost, and licensing reflects strong enterprise acceptance; I did not opt for only a one-year annuity-based contract but a multi-year one that was based on the number of IPs, providing great discounts.
Which other solutions did I evaluate?
I evaluated SecurityScorecard and RiskRecon before deciding on Bitsight.
What other advice do I have?
I think I have mentioned the features comprehensively. I do not think anything else is left unsaid; I talked about continuous monitoring, benchmarking, dashboards, and attack surface visibility, along with security ratings and security scores.
My advice for others considering Bitsight is that for enterprises with a sizable third-party ecosystem, it is valuable for continuous cyber risk monitoring and understanding external posture, providing visibility. It should be part of a broader third-party risk assessment strategy, aiding decision-making, especially for organizations managing numerous vendors and supply chains with significant dependency. I recommend Bitsight for continuous monitoring of cyber risk at scale, as its value increases significantly with vendor complexity and organizational maturity.
I believe I have mentioned the necessary improvements comprehensively, which include better explainability of scores, contextual prioritization using AI, reduced false positives, and more predictive risk analysis. My overall rating for Bitsight is eight out of ten.
Finds Public-Facing Security Flaws and Clearly Shows How to Fix Them
Monitoring external exposure has improved risk scores and supports stronger cyber insurance outcomes
What is our primary use case?
I was primarily using Bitsight for attack surface monitoring and external attack surface monitoring use cases.
I was monitoring all the alerts and the risk score that Bitsight provides. We mainly focused on improving the risk score for a particular organization for which we were using this in an MSSP setup. We were monitoring different scenarios and different alerts that Bitsight was throwing in, such as open port cases, missing web application headers, and missing web application security headers. We then communicated this to our customer to get those particular things remediated so the risk score could improve over the portal.
What is most valuable?
The user interface and the area that Bitsight covers for attack surface monitoring use cases are excellent features. Bitsight's coverage ranges from open ports to web application security headers and web application headers, which in my opinion are the best features Bitsight offers. Bitsight also covers multiple other scenarios, including email headers, DMARC, and DKIM. Additionally, Bitsight scans for vulnerabilities across the system.
We were able to remediate a lot of positive alerts and our risk score improved on their platform, which further helped us to drive better results in terms of cyber insurance. Cyber insurance providers look for attack surface monitored scores quite seriously, and if your score is good, you are very well covered from an insurance point of view.
What needs improvement?
There was one scenario where a lot of parked domains were observed for a particular organization that we were monitoring via Bitsight. Bitsight flagged a missing web application header although no web application had actually been hosted on that particular domain, which was in a parked state. We had a discussion with the Bitsight team, and their concern was that although no web application was being hosted on that particular domain, it could still be exploited by threat groups. They provided examples in which those domains had already been leveraged by threat groups to emulate ransomware attacks.
From their point of view, Bitsight continues to flag those particular domains in its platform under the missing web application headers criteria. If the number of findings increases for a particular month, your overall risk score decreases, which can become a challenge for a team working on this particular issue. Bitsight could work on this scenario by allowing findings to be excluded or included, or by creating a separate criterion that would not affect the score. When delivering reports at the CISO, CTO, or CIO level, the score is one of the first things that gets focused on. My suggestion is that Bitsight might consider whether findings from parked domains where no web application is being hosted really need to be included in the mainstream findings. Bitsight could create a separate tab or criterion where it could inform customers about these findings without directly including them in the total number of findings. If the total number of findings increases for a particular month, that will impact the overall score, which becomes a challenge for a team working in this field, and they have to explain why the score has dropped and whether remediations were not completed the previous month. This is an area that could be improved.
For how long have I used the solution?
I used this particular platform for more than one year in my last role at PwC.
What do I think about the stability of the solution?
Bitsight is quite stable in my experience without any downtime or reliability issues.
What do I think about the scalability of the solution?
Bitsight handles growth and increased workload well when it comes to scalability.
How are customer service and support?
Customer support seems fine to me, and I have interacted with them.
Which solution did I use previously and why did I switch?
Bitsight was the first external attack surface monitoring tool I used; I did not use a different solution before Bitsight.
What other advice do I have?
If you are looking specifically for external attack surface monitoring, and you are exploring options, then Bitsight is a very good option that you can explore. I have not worked on any other solutions, but as far as Bitsight is concerned, it gives flexibility in choosing third-party vendor risk agreements and licenses, or a first-party point of view. You can publish your own score as well in case you have any concerns. That flexibility particularly depends upon the license and agreement that you have, whether you are using it from a first-party perspective or a third-party perspective. Bitsight provides this flexibility. I would give this review an overall rating of eight.
High Cost, Low Signal: More Noise Than Intelligence
Unfortunately, that promise rarely translates into day-to-day value.
Performance is another major drawback. Searches and dashboards are often slow, which is frustrating for a tool that claims near real-time intelligence. The UI feels dated and clunky, and workflows are not intuitive.
Support and documentation also fall short of expectations for a product at this price point. Documentation is thin, and support responses are not too helpful.
Instead of accelerating response, it often adds operational overhead. The tool identifies “things that exist on the internet,” but stops short of consistently answering the more important question: what requires action right now?
Good Attack Surface Monitoring and Risk management
Effortless Cyber Risk Scoring for Proactive Security
It watches your own systems and your vendors from the outside without bothering anyone, spotting problems early.
This makes it super easy to fix the biggest risks first and keep everyone safer. It is easy to use.
Enhancing Security Posture Through BitSight’s Detailed Analysis
Continuous monitoring has strengthened external security and improved customer trust
What is our primary use case?
My main use case for Bitsight is finding vulnerabilities in the wild, especially in internet-facing web applications and networks.
A specific example of how I have used Bitsight is that we do not know the current ongoing issues day-to-day. There are so many vulnerabilities and zero days that are exploitable and outside. With this platform, we are able to detect vulnerabilities quickly and notify the teams using our communication channel. Along with that, it also helps us to remediate quickly because when issues are identified, they should also be included in the remediation part. That is where we were able to sort it out quickly.
Another use case I would add is that Bitsight builds customer trust because it provides a score based on severities or how the system is currently functioning. If our system is secure and we have strengthened the full security, then we will eventually have a good score. That is going to build customer trust.
What is most valuable?
The best features Bitsight offers include external vulnerability scans or network scans, which we have used heavily for a couple of years.
What I appreciate about the external scans feature in Bitsight is that it gives us continuous visibility into our externally exposed assets, which means we find misconfigurations or any unexpected exposures much earlier than we would have caught them through manual periodic review scans. This essentially allows my team to find issues quickly, and as we get notified, we can validate our attack surface. It helps us to reduce blind spots. We can prioritize remediation faster and validate changes by deploying fixes. Overall, it strengthens our security posture by monitoring and supporting our compliance programs.
Regarding Bitsight's features, they offer different aspects that I agree with, especially in external scans. They also provide a rating based on your externally facing domains, which helps us to rate our scores and aids in building customer trust. They have the capabilities to assess the attack surface, so those are the main areas they focus on.
Bitsight has positively impacted my organization by improving security and customer trust. It is impact-focused, with measurable values that show us, for example, that it has reduced our mean time to detect external exposure issues; before, we relied on periodic scans. Plus, it gives us continuous monitoring. Now we find misconfigurations within hours instead of days or weeks, which directly improves our overall security posture. It reduces risk as we catch high-risk exposures early, especially unexpected cloud assets or testing endpoints that accidentally went public. Each early detection helps us reduce the threat exposure time and strengthen the compliance program.
What needs improvement?
There are areas for improvement. We do notice that it finds vulnerabilities, which gives us the visibility to find them quickly. However, there could be a mechanism they can build on top of that for validation as they identify the issues: what will the real risk be for that identified issue? Sometimes it could be open because of the traffic; the way they detected it could make it look vulnerable, but upon testing, it might not be a real issue. It could be a false positive because there could be a honeypot that we built. My thinking is about validation, so if they can build that validation part before they expose the risk on the specific asset, that would help. Additionally, based on their reporting, they could also build risk scores and prioritization, which would also aid us.
I would suggest adding dashboards and custom reporting, which could help us by enabling rich custom reports with filters. That is especially for leadership because they will not look at each technical area, but overall they would be looking at the risk score and what the assets or critical exposure areas are. Customizable reporting based on requirements would be valuable.
I chose 9 out of 10 because the reporting and dashboards would be the first thing I would consider for improvement, and then the second is about the validation part, which could probably improve to 10 out of 10.
I cannot think of too much for additional improvements. Maybe some good automation with the API solutions that could be integrated with the CI/CD pipeline or DevOps tools we are running would also be automated and tested.
For how long have I used the solution?
I have been using Bitsight in my past job as well as in my current job. I would say it is around eight years.
What do I think about the stability of the solution?
Bitsight is stable so far.
What do I think about the scalability of the solution?
The scalability of Bitsight is good; it is a cloud solution, so upon usage, it scales out without being a concern at this moment.
How are customer service and support?
We do interact with Bitsight's support team, and we do get a response back from them as defined in the SLAs.
I would rate the customer support from Bitsight as 10 out of 10.
Which solution did I use previously and why did I switch?
Previously, I used SecurityScorecard, which is a competitor in that space. I think that Scorecard had functional issues, and because of that reason, we switched to Bitsight.
How was the initial setup?
My experience with pricing, setup cost, and licensing for Bitsight is overall good with the current price model.
I feel the current pricing model is fair. The initial setup and licensing process was straightforward. I did not face any challenges in that part.
What was our ROI?
I do not have a good answer regarding return on investment with Bitsight.
Which other solutions did I evaluate?
Before choosing Bitsight, I did not evaluate too many options, but I compared Bitsight and Scorecard, along with one more tool whose name I have forgotten; Bitsight won out of those three.
What other advice do I have?
My advice for others looking into using Bitsight is that it is definitely a great tool, especially to identify blind spots. If your applications are internet-facing and you have customers using your products or your cloud-based solutions, whether SaaS or PaaS, this tool is going to build trust between the customer and the provider. As the tool deploys for your application or domains, it continuously scans and finds vulnerabilities and reports them. As you find and report, it is also going to build your domain score, showing how well you are doing with publicly available applications, especially those that are internet-facing. I gave this review a rating of 9 out of 10.
Automated monitoring has strengthened our vulnerability visibility and improved remediation workflows
What is our primary use case?
My main use case for Bitsight is to identify the available vulnerabilities on the network side, and I rely on it for that the most.
What is most valuable?
The best features that Bitsight offers include the way of presenting the data, which is very good because you can get proof while reviewing your findings. This helps our infrastructure team identify and fix those findings.
Those features help our team by making things easier. For example, if we have a specific security header missing, Bitsight shows us that, such as HSTS being missing, providing specific details on what header is lacking on our websites.
I would add that Bitsight has a task assignment feature that allows us to keep assigning tasks to different team members so they can work on the specific findings assigned to them. Additionally, it has report features, enabling us to generate reports and send them to our clients to show how well we are remediating issues. We can also share our score with the client to improve our client relations.
Bitsight has positively impacted our organization. After using it, we discovered many things. As I mentioned, we have many vulnerabilities, and it keeps identifying them and showing them to us, which is valuable.
What needs improvement?
Bitsight has been good overall, and I do not see any negative points. However, if another organization can spy on us, that is concerning, as they can see our score and we cannot see theirs.
I wish for the addition of features such as leaked credentials within Bitsight, which would be more useful because we need to rely on some other third-party tools. If those features were available, there would be no need to use additional tools.
I chose 8 out of 10 because if we receive invites from clients every 45 days, our subscription ends, and we have to renew it. Additionally, it does not show vulnerabilities according to the CVSS score or the impact they are causing. Instead, it labels these vulnerabilities as bad or one, which can be confusing for those unfamiliar with identifying errors. It would be better to categorize them as high vulnerability, critical vulnerability, or low vulnerability.
What other advice do I have?
A quick specific example of how I have used Bitsight to identify a vulnerability is when it helped us catch bad and one vulnerabilities we mostly search for, giving us a better idea if we have any public IP available on the internet that can directly expose us and is already bypassing our firewalls. Those IPs we need to make private to secure ourselves.
In my day-to-day work with Bitsight, we do not have to do any manual scans. We just put in our company name and the details, and it automatically identifies all our assets and all our internal things and all the details, such as NS lookup and any other technique it is using. We discover multiple things such as open ports, CVE vulnerabilities, missing security headers, and publicly available IP addresses.
Regarding specific outcomes, earlier we had a bad score of around 600 with many vulnerabilities. After using Bitsight, we know about vulnerabilities whenever they are published or observed, and we keep remediating those vulnerabilities. This actually increased our score to 670.
My advice to others looking into using Bitsight is that it provides a lot of information that was not available before, and it is especially good in recon as it can identify many things about an organization that have never been found earlier, making it a valuable tool.
Overall, I believe Bitsight is good because everything is covered, including user management, so I have no additional thoughts beyond that. I give this product a rating of 8 out of 10.
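Two of the reviews above describe the same class of finding from the defender's side: the second review's complaint that parked domains were flagged for missing web application headers and dragged the score down, and the last review's point that a finding such as a missing HSTS header is labelled with a coarse grade rather than a severity. The following is an added example, not Bitsight's code, of how an in-house header audit can handle both: it parses constructed HTTP responses, reports each missing security header with an assumed severity label, keeps parked-domain findings as informational so they do not affect the score, and computes a simple penalty-based score. The header list, severity weights, parked-domain heuristic and sample hosts are all assumptions constructed for this example.

```python
"""Security-header audit that keeps parked-domain findings out of the score.

Added example, not Bitsight's code. The required-header list, severity
labels and weights, the parked-domain heuristic and the sample responses
are assumptions constructed for this example.
"""
from dataclasses import dataclass

# Headers whose absence we treat as a finding, with an assumed severity label.
REQUIRED_HEADERS = {
    "strict-transport-security": "high",
    "content-security-policy": "medium",
    "x-content-type-options": "low",
    "x-frame-options": "low",
}
SEVERITY_WEIGHT = {"high": 10, "medium": 5, "low": 2}

# Assumed registrar placeholder phrases used to recognise a parked domain.
PARKED_MARKERS = ("this domain is parked", "domain for sale", "buy this domain")


@dataclass
class Response:
    domain: str
    status: int
    headers: dict  # header names lower-cased
    body: str


@dataclass
class Finding:
    domain: str
    header: str
    severity: str
    scored: bool  # False means informational only (parked domain)


def parse_headers(raw: str) -> dict:
    """Parse a raw 'Name: value' header block into a lower-cased dict."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def build_response(domain: str, status: int, raw_headers: str, body: str) -> Response:
    return Response(domain, status, parse_headers(raw_headers), body)


def is_parked(resp: Response) -> bool:
    """Heuristic (assumed): registrar placeholder text, or no content served at all."""
    body = resp.body.strip().lower()
    if any(marker in body for marker in PARKED_MARKERS):
        return True
    return body == "" and "content-type" not in resp.headers


def audit(resp: Response) -> list:
    """Report every required header the response lacks.

    Findings on a parked domain are recorded but marked as not scored, so
    they stay visible without affecting the overall score.
    """
    parked = is_parked(resp)
    return [
        Finding(resp.domain, header, severity, scored=not parked)
        for header, severity in REQUIRED_HEADERS.items()
        if header not in resp.headers
    ]


def summarize(samples: dict, base_score: int = 1000) -> dict:
    """Audit every host; only scored findings reduce the score."""
    scored, informational = [], []
    for domain, (status, raw_headers, body) in samples.items():
        for finding in audit(build_response(domain, status, raw_headers, body)):
            (scored if finding.scored else informational).append(finding)
    penalty = sum(SEVERITY_WEIGHT[f.severity] for f in scored)
    return {"score": base_score - penalty, "scored": scored, "informational": informational}


# Constructed sample responses (not real hosts): status, raw headers, body.
SAMPLES = {
    "www.example.com": (
        200,
        "Content-Type: text/html\r\nStrict-Transport-Security: max-age=31536000\r\n"
        "X-Content-Type-Options: nosniff\r\n",
        "<html>app</html>",
    ),
    "api.example.com": (
        200,
        "Content-Type: application/json\r\nContent-Security-Policy: default-src 'none'\r\n",
        '{"ok": true}',
    ),
    "old-brand.example": (
        200,
        "Content-Type: text/html\r\n",
        "<html>This domain is parked</html>",
    ),
}

if __name__ == "__main__":
    result = summarize(SAMPLES)
    print("score:", result["score"])
    for f in result["scored"]:
        print(f"  [{f.severity}] {f.domain} missing {f.header}")
    for f in result["informational"]:
        print(f"  [info] {f.domain} (parked) missing {f.header}")
```

Run as a script, it prints the penalised findings for the two live hosts and lists the parked host's missing headers separately as informational. The parked-domain heuristic is intentionally narrow; in practice it would be corroborated with DNS and registrar data before a finding is demoted, since the reviewer's vendor was right that a parked name still belongs to the organisation's attack surface.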