- May 3, 2022: CIS v8 now supported.
- July 28, 2021: Published.
Control Insights is the next evolutionary concept in Security Performance Management that allows you to identify gaps in your organization’s security controls. Control Insights uses automatic, intelligent analysis of the already collected externally observable telemetry to generate insights on whether your security controls appear to be performing effectively or ineffectively.
Insights are control framework agnostic and mapped against a control framework to put all the insights into context, determine the gaps, and provide guidance on what you can do to close the gaps. Control Insights are generated monthly on the last full month of observation data in order to give you a true performance overview and monitor performance over time.
- Available for certain SPM packages. Speak to your Account Manager about which packages include Control Insights.
- Available for Security Performance Management users only.
- Accessible from the Security Performance Management app only.
The Center for Internet Security (CIS) Critical Security Controls framework is currently the supported control framework mapping with two available versions:
- v8 (a.k.a. CIS 18) - Latest version. Learn more about the CIS v8 Framework.
- v7.1 (a.k.a. CIS 20) - Previous version. Learn more about the CIS v7.1 Framework.
Support for additional control frameworks in Control Insights is planned for the future.
Control Insights uses the same underlying observations data that the Bitsight Rating uses, but takes a parallel path to processing and interpreting the observations in a control and performance-focused way.
- Control Insights does not directly impact or influence Bitsight Security Ratings.
- Control Insights are only visible to your own organization at this time; third party companies will not see your Control Insights report. This will change in the future.
- User-Submitted evaluations & comments are currently private-only and are not shown to third parties.
How It Works
Low-level observations are analyzed and translated through the following 4-part process into insights and control evaluations about the observed effectiveness of security controls.
Control Insights evaluates control performance on a monthly basis, using the previous full month of data. This shows the overall performance of your organization for a month, as well as high-level performance and consistency over time.
Control Insights provides a 6-month history out of the box. Control Insights does not require any input to run.
1 – Observations
Control Insights uses the same externally observable data we already collect, analyzing it for key properties that tell a bigger-picture story about what is occurring and why. These observations provide the evidence from which insights are then derived.
Through observation of malware events known to be specific to mobile devices, we are able to make an objective observation that a mobile device has been infected with malware in a given organization’s network.
2 – Bitsight Insight & Insight Assessment
The insight is an interpretation of observations that infers whether a common security control or best practice process appears to be performing effectively or not. Insights have a result that is either positive or negative, providing a description of what specific control seems to be either effective or ineffective and why.
Insight assessment results are then used by the control evaluation to determine whether a control seems to be acceptable or needs improvement. An insight will not be triggered if there are no observations, or too few, for the insight to make an inference.
Insights are control framework agnostic and designed by Bitsight security experts based on observed cybersecurity best practices and benchmarks across aggregated observation data.
If an organization has a number of network devices, such as printers and routers, with administrative interfaces exposed to the Internet, an insight can be made that the organization may not have an effective process to manage and configure these devices securely.
The opposite insight can also be made, suggesting that an organization may have an effective control in place if there are no exposed administrative interfaces observed or any observed are securely configured.
3 – Control Mapping & Evaluation
In order to interpret them within a specific model, insights are mapped to a control framework. This allows us to assess an organization’s effectiveness in implementing a specific framework control. A single insight may be mapped onto multiple different control frameworks.
Control Insights currently supports the CIS Controls v8 and v7.1 frameworks; more frameworks will be added in the future.
Each control is evaluated as a whole every month based on the positive or negative insights for the control. Each control is evaluated as:
- Acceptable: The control is evidently working. There is at least 1 positive insight and 0 negative insights in the control for the month.
- Needs Improvement: The control may not be working effectively from what evidence can be seen. There is at least 1 negative insight in the control for the month.
- Not Enough Data: There are no positive or negative insights for the month, because there was not enough data to make a relevant insight. Controls in this state primarily concern internal data or other data that cannot be observed externally, but they are still presented in the Bitsight platform to provide full context.
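The evaluation rules above, worked through as an added example (not Bitsight's own code): insights carrying a positive or negative result are mapped onto a framework's controls and rolled up per month, with a negative insight taking precedence over any positive one. The insight names, months and the CIS control numbers they map to are constructed for illustration and are not Bitsight's actual mapping.

```python
from collections import defaultdict
from dataclasses import dataclass

# Evaluation labels used by the monthly control evaluation.
ACCEPTABLE, NEEDS_IMPROVEMENT, NOT_ENOUGH_DATA = (
    "Acceptable", "Needs Improvement", "Not Enough Data")

@dataclass
class Insight:
    name: str       # insight identifier
    month: str      # full observation month, "YYYY-MM"
    positive: bool  # True: control appears effective; False: appears ineffective
    controls: dict  # framework -> set of control ids (one insight, many frameworks)

def evaluate_controls(insights, framework, control_ids):
    """Return {month: {control_id: label}} for one control framework.

    Any negative insight in the month -> Needs Improvement; otherwise at least
    one positive insight -> Acceptable; no insights at all -> Not Enough Data.
    """
    positives, negatives = defaultdict(int), defaultdict(int)
    months = set()
    for ins in insights:
        months.add(ins.month)
        for cid in ins.controls.get(framework, ()):
            (positives if ins.positive else negatives)[(ins.month, cid)] += 1
    history = {}
    for month in sorted(months):
        history[month] = {}
        for cid in control_ids:
            key = (month, cid)
            if negatives[key] >= 1:
                history[month][cid] = NEEDS_IMPROVEMENT
            elif positives[key] >= 1:
                history[month][cid] = ACCEPTABLE
            else:
                history[month][cid] = NOT_ENOUGH_DATA
    return history

def sample_insights():
    """Constructed sample data; control numbers are illustrative, not Bitsight's mapping."""
    admin = {"v8": {"4"}, "v7.1": {"5", "11"}}  # exposed admin interfaces -> secure configuration
    malware = {"v8": {"10"}, "v7.1": {"8"}}      # mobile malware -> malware defenses
    return [
        Insight("exposed-admin-interfaces", "2022-03", False, admin),
        Insight("mobile-device-malware", "2022-03", False, malware),
        Insight("exposed-admin-interfaces", "2022-04", True, admin),
        Insight("exposed-admin-interfaces", "2022-05", True, admin),   # positive and
        Insight("insecure-admin-config", "2022-05", False, admin),     # negative same month
    ]

def run_example(framework="v8", control_ids=("1", "4", "10")):
    return evaluate_controls(sample_insights(), framework, control_ids)
```

Control 1 never receives an insight and so stays at Not Enough Data every month, while control 4 in 2022-05 is Needs Improvement despite its positive insight.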
4 – User-Submitted Evaluation & Comments
Every month, Control Insights will generate insights and an evaluation for each control based on the gathered data. But to enable you to document your own perspective and additional context on each control, there is the ability to add a user-submitted evaluation and comment. This evaluation and comment are per-control and are private to your organization.
Once submitted, the user-submitted evaluation will show first in the control card and will persist until deleted, so you don’t have to update it monthly.