Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

See more

How to Provide Context for an Uncompromised System

Avatar
Ingrid
Follow
Publication Date – January 4, 2019

If you have events that are coming from a network with non-malicious activity (uncompromised system), we recommend using our contextualization feature set to segment, identify, and tag your infrastructure (CIDR blocks, IP addresses, or domains).

The contextualization feature set include:

To preserve transparency and objectivity for other organizations reviewing your rating, your full set of IP addresses will always remain as part of your Bitsight Security Rating, as outlined in our testing-related networks policy.

Adding Context

Refer to the following guideline to add context for your rating in a manner that allows you to have the most constructive dialogue with your third parties and internal teams:

  1. Use Infrastructure Tags to tag the IP addresses that are used for testing with a public tag, and then assign a relevant name (i.e. “Testing” or “Sandboxing”). The name will be displayed next to findings that emanate from this space.
  2. Segment your network into at least 2 self-published ratings:
    • Segment 1: Tagged network with a name that indicates its purpose (i.e. “Lab”).
    • Segment 2: Untagged network (i.e. “Corporate”) highlighted as your primary rating. This ensures that anyone searching for your company will find the Security Rating that best reflects your company’s security posture.
    • Optional: Any other segments that you wish to create (i.e. “Guest Network”).
  3. Request an update to your company’s description to reflect its usage:
    • Example “lab” description: “The IP addresses in this network may be used for occasional testing or sandboxing which could result in Compromised Systems events being recorded.”
    • Example description if normal network traffic is commingled with testing traffic: “Normal network traffic may also be commingled with the traffic from the testing infrastructure.”
  4. When events occur in the “Lab” network, use Event Annotations to leave a public comment on their nature for your third parties (i.e. “This event resulted from a controlled detonation of malware attached to inbound email on our Trend Micro sandbox.”) This is particularly helpful if your traffic is commingled.

    If your regular network and testing traffic is commingled on the same IP space, you may decide that it would be sensible to separate the network traffic that intentionally communicates with our sinkhole into a separate IP space. This decision and how you choose to communicate it to your organization and partners is completely in your control.

Example

The primary rating is highlighted to indicate the rating which the company believes best reflects their organization’s security posture.

Related articles