RiskIQ's platform provides the insight and automation needed to map and monitor your organization's internet-exposed digital attack surface, understand and mitigate exposures, and expedite external threat investigation.
BitSight provides security ratings that aggregate different risks into a single score that allows for immediate and easy comparison of different organizations, third-party vendors, and service providers.
Like RiskIQ, UpGuard's platform monitors your internet footprint to provide insights into your digital attack surface, vulnerabilities, and external security posture. The difference is that UpGuard can also monitor your third parties' security posture, providing you with a holistic view of your organization's security risk.
We then take this analysis and group it into an easily understandable security rating that allows anyone to understand the risk of a particular asset or vendor. For security operations and threat management teams, the security rating can be broken down into its underlying parts, which can be used as part of remediation workflows.
In addition, UpGuard uses risk assessments and security questionnaires to provide context into the internal security controls of your organization and its vendors. These more manual solutions provide valuable information that can be missed by endpoint security or attack surface management solutions like RiskIQ.
For reference, security ratings provide a data-driven, instantaneous, and always up-to-date measurement of an organization's external security posture.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A, and even as a raw metric for internal security programs.
And Forrester expects cybersecurity ratings to become a de facto standard in the boardroom by 2025. Investors and traditional debt ratings agencies will include cybersecurity as a risk factor for rating the ability to repay company debt (influenced in part by the cybersecurity ratings market).
- RiskIQ: Focuses on first-party attack surface management and does not provide a real solution for third-party risk management.
- BitSight: Provides a FICO-like rating between 250 and 900.
- UpGuard: Provides a score between 0 and 950 for first, third, and fourth parties along with the following letter grades: A: 801-950, B: 601-800, C: 401-600, D: 201-400, F: 0-200.
Risk assessment methodology
Each service relies on its own proprietary risk assessment methodology to assess the potential risk.
While RiskIQ is useful for assessing your own attack surface and may be sufficient to complete other assessment techniques when evaluating first-party risk, it has real limitations when applied to improving your organization's complete security posture.
BitSight relies on IP reputation, which attempts to attribute malware traffic based on IP addresses. We've outlined in detail why we believe IP attribution isn't a complete solution for your third-party risk program.
At UpGuard, we believe an accurate and up-to-date inventory of your and your vendors' public-facing digital assets is a must for any cybersecurity program. It's no longer enough to only manage your own security posture. You need to know that your vendors are keeping the data you provide them safe too.
That's why UpGuard takes a standardized approach to security assessment across first and third-party risks by using a combination of security ratings, self-assessments, and vendor assessments against recognized security frameworks.
Additionally, we've introduced a secure way for organizations to make the results of these security assessments easily shareable to save time and resources and to increase trust in the supply chain.
Standardizing security assessment practices against recognized security frameworks and making the results easily shareable helps all businesses save time and resources and increases trust in the supply chain.
With UpGuard, you and your vendors can publish your security rating, completed security assessments, and supporting documentation directly on the platform.
Additionally, UpGuard's platform provides real-time risk monitoring capabilities, integrated vendor processes, and data leak detection to provide businesses with a complete solution.
- RiskIQ: Primarily focuses on first-party attack surface management and first-party external threats like social media impersonation and phishing, which is only one of the many ways that an organization can suffer from a data breach, cyber-attack, or data leak.
- BitSight: Relies primarily on IP reputation.
- UpGuard: UpGuard assesses first, third, and fourth parties and augments point-in-time risk assessments with security ratings to ensure information is always up-to-date. Our security ratings algorithm runs hundreds of individual checks, including email security and email spoofing risks (SPF, DKIM, and DMARC), website security (SSL, HSTS, header exposure), phishing and malware risk, explicit checks for 200 services across thousands of ports (mail, app, user auth, file sharing, voice, administration, database, unidentified, and open ports), domain hijacking risk (DNSSEC and domain registry issues), reputational risks (CEO rating and employee rating), and credential management (exposure to known data breaches and data leaks detected by our data leak detection engine). We give each identified issue a risk prioritization category, so you know what to focus on first.
Your assets are only one of the ways that your organization can be exposed. As we saw with Target, even a non-technical vendor like an HVAC provider can lead to the exposure of more than 110 million consumers' credit card and personal data.
RiskIQ only focuses on your public-facing digital assets and ignores the risks that vendors pose.
Not every solution provides the same level of coverage. If your organization employs small specialist vendors, ensure the solution covers them. As you know, it is best practice to continuously monitor any vendor that handles sensitive data.
- RiskIQ: Primarily focuses on first-party risk rather than taking a holistic view of cybersecurity.
- BitSight: 170,000 supported organizations
- UpGuard: 2,000,000 organizations scanned daily, and customers can automatically add new domains or vendors.