If you have events that are coming from a network with non-malicious activity (uncompromised system), we recommend using our contextualization feature set to segment, identify, and tag your infrastructure (CIDR blocks, IP addresses, or domains).
The contextualization feature set includes:
- Self-Published Companies
- Primary Ratings
- Finding Annotations (Public or Private)
- Infrastructure Annotation (Public or Private)
- Customized Company Descriptions
To preserve transparency and objectivity for other organizations reviewing your rating, your full set of IP addresses will always remain as part of your Bitsight Security Rating, as outlined in our testing-related networks policy.
Refer to the following guideline to add context for your rating in a manner that allows you to have the most constructive dialogue with your third parties and internal teams:
- Use Infrastructure Tags to tag the IP addresses that are used for testing with a public tag, and then assign a relevant name (e.g. “Testing” or “Sandboxing”). The name will be displayed next to findings that emanate from this space.
- Segment your network into at least 2 self-published ratings:
  - Segment 1: Tagged network with a name that indicates its purpose (e.g. “Lab”).
  - Segment 2: Untagged network (e.g. “Corporate”) highlighted as your primary rating. This ensures that anyone searching for your company will find the Security Rating that best reflects your company’s security posture.
  - Optional: Any other segments that you wish to create (e.g. “Guest Network”).
- Request an update to your company’s description to reflect its usage:
  - Example “lab” description: “The IP addresses in this network may be used for occasional testing or sandboxing which could result in Compromised Systems events being recorded.”
  - Example description if normal network traffic is commingled with testing traffic: “Normal network traffic may also be commingled with the traffic from the testing infrastructure.”
- When events occur in the “Lab” network, use Event Annotations to leave a public comment on their nature for your third parties (e.g. “This event resulted from a controlled detonation of malware attached to inbound email on our Trend Micro sandbox.”). This is particularly helpful if your traffic is commingled.
If your regular network traffic and testing traffic are commingled on the same IP space, you may decide that it would be sensible to move the traffic that intentionally communicates with our sinkhole into a separate IP space. This decision, and how you choose to communicate it to your organization and partners, is completely in your control.
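Before creating the segments, it helps to check your own inventory for tagged blocks that share IP space with untagged ones. The following is an added example, not Bitsight code and not a use of any Bitsight API: the segment names, CIDR blocks (RFC 5737 documentation ranges), event records and function names are all constructed assumptions.

```python
import ipaddress

# Constructed inventory (RFC 5737 documentation ranges): segment -> CIDR blocks.
SEGMENTS = {
    "Lab": ["198.51.100.0/25"],
    "Guest Network": ["203.0.113.0/24"],
    "Corporate": ["192.0.2.0/24", "198.51.100.0/24"],
}
TAGGED = {"Lab", "Guest Network"}  # segments that carry a public tag
# Constructed events: id and the IP address the event was observed from.
EVENTS = [
    {"id": "e1", "ip": "198.51.100.10"},
    {"id": "e2", "ip": "198.51.100.200"},
    {"id": "e3", "ip": "203.0.113.9"},
    {"id": "e4", "ip": "10.0.0.1"},
]

def _parse(segments):
    return {s: [ipaddress.ip_network(c) for c in cidrs] for s, cidrs in segments.items()}

def commingled_blocks(segments, tagged):
    """Tagged blocks that overlap an untagged block, i.e. shared IP space."""
    nets = _parse(segments)
    return [(t, str(a), u, str(b))
            for t in sorted(tagged & nets.keys())
            for u in sorted(nets.keys() - tagged)
            for a in nets[t] for b in nets[u] if a.overlaps(b)]

def segment_for(ip, segments):
    """Segment owning the most specific (longest-prefix) block containing ip."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, blocks in _parse(segments).items()
               for net in blocks if addr in net]
    return max(matches)[1] if matches else None

def events_to_annotate(events, segments, tagged):
    """Ids of events from tagged space that is commingled with untagged space."""
    shared = [ipaddress.ip_network(h[1]) for h in commingled_blocks(segments, tagged)]
    return [e["id"] for e in events
            if any(ipaddress.ip_address(e["ip"]) in n for n in shared)]

if __name__ == "__main__":
    print(commingled_blocks(SEGMENTS, TAGGED))
    for e in EVENTS:
        print(e["id"], e["ip"], segment_for(e["ip"], SEGMENTS))
    print(events_to_annotate(EVENTS, SEGMENTS, TAGGED))
```

An empty result from `commingled_blocks` means the tagged and untagged segments are already cleanly separated; any block it returns is a candidate for the commingled-traffic description or for a move to its own IP space.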