- April 19, 2023: 2023 Ratings Algorithm Update.
- November 30, 2021: Impact of ongoing infections.
- October 20, 2021: Ratings Algorithm Update 2021.
The Compromised Systems risk category accounts for 27% of a company’s Bitsight Security Rating. The total letter grades of all Compromised Systems risk vectors and event duration are factored into the entire Compromised Systems risk category, and then normalized to account for company size:
Each risk vector receives an individual letter grade based on frequency, duration, and severity. The letter grade is relative to all other companies. Individual grades are calculated and refreshed daily.
The number of events that appear within given time windows.
Unique IP addresses, malware family, number of days, and connection tracking information are taken into consideration when classifying observations as an event:
| Criterion | Description | Example |
|---|---|---|
| Number of days | Determines the duration of an event. | |
| Multi-day with gaps | For multi-day observations with gaps (a day or two skipped), a 3-day tolerance period treats these observations as one multi-day event. | |
| Unique IP address | An event must have a unique IP address. | Gamarue was observed 7 times on xxx.xxx.12.345 and 2 times on xxx.xxx.54.321 (a different IP); the 9 observations are counted as 2 events. |
| Unique malware family | An event must belong to a unique malware family. | Conficker and Ramnit were observed any number of times on xxx.xxx.12.345 on January 1st; each malware family is counted as a separate event. |
The time between when the system was first observed to be compromised and when it was last observed. Longer lasting events have a larger impact than shorter events.
Example: If a Botnet Infection is first observed in one machine on June 1, is seen again from the same machine on June 2, and then not seen subsequently, the duration is 2 days.
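The event rules above (one event per IP and malware family, a 3-day gap tolerance, and duration measured from first to last observation) can be worked through on a small constructed data set. The following is an added illustration written for this page, not Bitsight's own code or data; the observations are synthetic, the IP addresses are documentation ranges, and it assumes the 3-day tolerance means that consecutive observations no more than 3 days apart belong to the same event.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Constructed sample observations (not Bitsight data): (ip, malware family, date observed)
OBSERVATIONS = [
    ("203.0.113.45", "Gamarue", date(2023, 1, 1)),
    ("203.0.113.45", "Gamarue", date(2023, 1, 1)),   # same day, same event
    ("203.0.113.45", "Gamarue", date(2023, 1, 2)),
    ("203.0.113.45", "Gamarue", date(2023, 1, 4)),   # one day skipped: within tolerance
    ("203.0.113.45", "Gamarue", date(2023, 1, 12)),  # 8-day gap: starts a new event
    ("198.51.100.7", "Gamarue", date(2023, 1, 1)),   # different IP: separate event
    ("203.0.113.45", "Conficker", date(2023, 1, 1)), # different family: separate event
    ("203.0.113.45", "Ramnit", date(2023, 1, 1)),
]

# Assumed interpretation of the page's 3-day tolerance period
GAP_TOLERANCE_DAYS = 3


@dataclass
class Event:
    ip: str
    family: str
    first_seen: date
    last_seen: date
    observations: int

    @property
    def duration_days(self) -> int:
        # First and last observation on the same day counts as a 1-day event;
        # June 1 and June 2 (the page's example) counts as 2 days.
        return (self.last_seen - self.first_seen).days + 1


def group_events(observations, gap_tolerance_days=GAP_TOLERANCE_DAYS):
    """Collapse raw observations into events keyed by (ip, malware family).

    Observations of the same key whose dates are at most `gap_tolerance_days`
    apart are merged into one multi-day event; a larger gap starts a new event.
    """
    by_key = defaultdict(list)
    for ip, family, seen in observations:
        by_key[(ip, family)].append(seen)

    events = []
    for (ip, family), dates in by_key.items():
        dates.sort()
        current = Event(ip, family, dates[0], dates[0], 1)
        for seen in dates[1:]:
            if (seen - current.last_seen).days <= gap_tolerance_days:
                current.last_seen = seen
                current.observations += 1
            else:
                events.append(current)
                current = Event(ip, family, seen, seen, 1)
        events.append(current)
    return events


def summarize(events):
    """Return (ip, family, first_seen, duration_days, observations) tuples for review."""
    return [(e.ip, e.family, e.first_seen.isoformat(), e.duration_days, e.observations)
            for e in events]


if __name__ == "__main__":
    for row in summarize(group_events(OBSERVATIONS)):
        print(row)
```

Running this yields five events from eight observations: the Gamarue observations on 203.0.113.45 split into a 4-day event (January 1 to 4, four observations) and a separate 1-day event on January 12, while the second IP and the other two malware families each produce one event of their own.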
Frequently Asked Questions
When do Security Ratings Improve?
Compromised Systems events are refreshed daily and are based on events that occur over the past 180 days. The letter grade of a particular risk vector will improve over time after the event’s end date, assuming no new events occur.
How do Ongoing Infections Impact Bitsight Security Ratings?
All infections have the same raw weight/impact. An infection of a particular family on a given IP only counts against the rating once in a three-day period.
The ratings algorithm is based on relative rankings of companies. This means that the output rating does not directly match the raw impact.
In practice, the first few events have a higher impact because they push the company to a lower rank relative to many other companies; this is because Botnet Infections are rare occurrences. As the number of Botnet Infection findings increases, the ratings impact of each additional finding gets smaller, since fewer companies have that many findings.
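The diminishing impact described above follows from ranking against a peer population in which most companies have no findings at all. The following toy illustration is added for this page and is not Bitsight's algorithm: it uses a constructed peer population of 1,000 companies and measures a company's relative position as the share of peers with strictly more findings, so that each additional finding moves the company past fewer and fewer peers.

```python
# Constructed peer population (synthetic, not Bitsight data): number of
# Botnet Infection findings per company, heavily skewed toward zero because
# the text says such infections are rare.
PEER_FINDINGS = [0] * 700 + [1] * 150 + [2] * 80 + [3] * 40 + [4] * 20 + [5] * 10


def share_with_more_findings(count, population=PEER_FINDINGS):
    """Relative rank of a company with `count` findings: the fraction of peers
    that have strictly more findings (higher is better)."""
    return sum(1 for n in population if n > count) / len(population)


def marginal_impacts(max_count, population=PEER_FINDINGS):
    """Rank lost by going from k to k+1 findings, for k = 0 .. max_count-1.

    Rounded to four places so the deltas compare cleanly as floats.
    """
    ranks = [share_with_more_findings(c, population) for c in range(max_count + 1)]
    return [round(ranks[i] - ranks[i + 1], 4) for i in range(max_count)]


def impacts_are_diminishing(max_count, population=PEER_FINDINGS):
    """True when every additional finding costs less rank than the previous one."""
    deltas = marginal_impacts(max_count, population)
    return all(a > b for a, b in zip(deltas, deltas[1:]))


if __name__ == "__main__":
    for k, delta in enumerate(marginal_impacts(4)):
        print(f"finding {k} -> {k + 1}: rank drops by {delta:.2f}")
```

With this population the first finding drops the company's relative rank by 0.15, the second by 0.08, the third by 0.04 and the fourth by 0.02: the same shape the text describes, produced purely by the rank-based comparison rather than by any change in the raw weight of each infection.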