Security Strategy, Plan, Budget, Vulnerability Management, Vulnerability Management

Bit Discovery: Review | Security Weekly Labs

Share
Product: Bit DiscoveryCategory: Attack Surface Management
Company: Bit Discovery, Inc.Review date: April 2021

This review is part of the April 2021 assessment of the Attack Surface Management (ASM) product category. If you haven’t read the category overview, you might want to check it out – it explains the category’s basics, use cases, and the general value proposition. Our testing methodology explains both how we interact with vendors and how we tested these products. In short, ASM products aim to discover and manage an organization’s external digital assets. This approach extends far beyond assets with an IP address, however, including everything from certificates to S3 buckets to DNS misconfigurations. 

Company background

Bit Discovery was founded in February 2018 by CEO, Jeremiah Grossman, and CTO, Robert “RSnake” Hansen. Both founders are very well known for their contributions to the security industry over the past few decades, in terms of community work, inventions, and as entrepreneurs. The company employs six and has a few dozen paying customers.

The company raised a $2.7m seed round in 2018 led by Aligned Partners and individual investors Alex Stamos (former Facebook CIO), Jeff Moss (DEFCON and Black Hat founder), Jim Manico (Manicode Security) and Brian Mulvey (PeakSpan Capital partner).

Product summary

While some ASM vendors have chosen to focus on the challenge of risk analysis, vulnerabilities and prioritization, Bit Discovery has planted its stake in trying to build the most comprehensive inventory of IP-based assets exposed to the Internet. This round of reviews on ASM products won’t be able to answer the question of whether Bit Discovery has succeeded in its goal (performance will be more of a focus when we next revisit ASM products). What we can say is that “comprehensive” is the right word to describe our initial impressions when using it.

Bit Discovery’s core tech revolves around the ability to continuously scan the Internet, gather very granular data in the process and make that data easy to access and explore for their customers. Bit Discovery focuses on assets that can be associated with an IP address or DNS record. The tool gathers less asset types than other ASM products, but Bit Discovery goes deeper with the data they do discover, store and allow customers to query.

Bit Discovery also does not limit access to its massive collection of indexed data. Any customer can create a source collection based on any domain, IP or ASN. This is a sharp contrast to other ASM vendors who restrict asset collection and monitoring to properties owned by the customer.

Target market: Bit Discovery states their ideal market is one with 500 or more Internet-facing assets, regardless of vertical, revenue or employees. Looking at the product from a usability perspective, we can’t argue with that – it’s simple enough for a company with a single IT person (no security staff) to manage, but is clearly built to scale to the Fortune 500 (see the deployment and configuration section for more details).

Time-to-value: It’s not often we’ll say zero here, but that is really the case. With zero prior knowledge, this product becomes useful from the moment you enter a domain name, IP address or ASN. All you need is an account.

Maintaining value: Bit Discovery does some seed discovery, but it isn’t fully automatic. It’s necessary to periodically check the suggested domains (check the Usage section for more details) and manually enter new seeds, while creating new businesses and inventories as necessary to keep everything organized. Asset discovery, asset change notifications and subscription notifications are fully automatic.

Total cost: We don’t have any pricing data on the product itself, but we do know that pricing is an annual subscription based on the number of assets being monitored by the product. In a large enterprise (10,000+ employees), we’ve estimated 2 hours of analyst time to do the initial configuration and get familiar with the product. Following that, we estimate 2 hours of maintenance per month, which can be performed by a junior analyst. All told, we estimate it would take $908.56 annually in labor costs to run this product, plus the annual subscription cost of the product.

Strengths: For what it does, it does extremely well and quickly. As a platform, it’s an ideal base for an organization that prefers to do risk analysis and prioritization in-house, or already has an existing product doing this work. Requires very little care and feeding.

Weaknesses: UI/UX is occasionally unintuitive. Lacks the risk analysis and prioritization features of other ASM vendors, though we’d expect the difference in functionality to be reflected in the price. There are so many interesting insights that can be pulled out of this data – we find ourselves wanting for more functionality to highlight them.

Conclusion: A detailed up-to-date inventory of all your external assets (and everyone else’s too).

Deployment and configuration

Deployment is where this product really shines. While it’s not asking a lot for a few hours or days for discovery processes to run, the advantage Bit Discovery has is that everything a customer could ask for is already in an incredibly performant database – just a query away. In our testing, when adding a new seed value, the results showed up as quickly as we were able to navigate to them.

Within the application context, there are businesses and inventories. A user account can access multiple businesses, which can each have multiple inventories, which can have multiple sources with tons of assets each. Truly a product designed to organize assets for large organizations full of subsidiaries. The application starts you off with a default inventory, but it is possible to create and switch between multiple inventories – a nice feature to organize all your sources into. Three ‘seed’ options are available to create an asset source: IP address, ASN and hostname.

Bit Discovery also has a seed discovery feature that is a bit hidden in the top toolbar. Clicking the lightbulb presented us with additional domains related to assets in existing inventories. From here, it’s easy to check a few boxes and either archive domains we don’t want or add them to the current inventory. Once added, sources are actively maintained, with notifications sent out whenever assets are automatically added or removed from a source.

Usage

The initial interface displays the name of the inventory and summaries of total assets, domains and subdomains. Adding or removing filters will automatically update these totals at the top of the screen. A list of domains occupies the left-hand side, while the assets each contains are listed on the right, in a table view. By default, a few useful columns are exposed, along with a screenshot on the right-most side. Navigating out past that screenshot will reveal a green arrow, which will guide us into a detailed view for each corresponding asset when clicked.

The interface initially looks simple and spartan. However, a lot more data lies underneath. A click on the gear icon in the corner reveals an option to choose columns – 124 columns, to be exact. Each column represents a data type (not to be confused with asset types), which are organized into fourteen categories.. A few examples of data types include: javascript libraries, ASN number, Live Chat, Cryptominer, ports and captchas. Below is a list of each of the fourteen categories and the data types available within each one.

  • Security (13)
  • HTTP Response (12)
  • Networking (22)
  • Programming (8)
  • Geolocation (11)
  • Bit Discovery (2)
  • Services (8)
  • Web Applications (18)
  • Data (2)
  • Social (3)
  • Media (8)
  • Finance (4)
  • Marketing (6)
  • General (7)

Further exploring that gear icon, it lists a number of different options for viewing or using the data currently listed. Render Assets as Dashboard, for example, will automatically transform the data you’re viewing into up to 10 charts, making it easier to visually quantify the data. The remainder of the options export the currently viewed data to CSV or XLSX formats.

Viewing the details of an asset, the first feature is the ability to add tags, followed by all the data Bit Discovery found related to this asset – from geolocation to SSL cipher suites to Google Analytics IDs. One of the products’ flagship features is its ability to identify hundreds of different third party libraries, technologies and integrations. In our testing, 17 different technologies were identified on one page. They ranged from font scripts to multiple advertising networks and several analytics packages.

A few of our complaints are UI/UX challenges that naturally arise when trying to make such a large dataset usable. First is the filtering function – we wanted to search for JQuery in our data set, but weren’t sure which of the 100+ data types to search in. Is JQuery a javascript library or a javascript framework? It took a little trial and error to figure out. We wish there was a global search feature that would allow us to simply punch in “jquery”.

None of these are dealbreakers and didn’t bother us much after the first hour or so in the product. In fact, after getting a better feel for what data existed in some of the columns, we began to appreciate how powerful this product can be. A good trick to better learn the data available is to view the details for assets – all data available for that asset will be displayed under the same category names used for building filters. Speaking of filters, one of the more interesting features is the ability to turn any filtered query into a “subscription.”

Once a subscription is created, it can be found by clicking the subscription symbol in the upper right (which also looks a bit like a wireless symbol someone knocked over). Essentially, these are saved queries that can be recalled with a click. What makes them a subscription is the ability to enable alerts for any of them. For example, say you want an alert whenever RDP is enabled on any company-owned systems. Or maybe you want to know whenever Google Analytics keys show up in new places, to ensure you stay in the loop on marketing/web projects.

A few clicks and you have it – an alert that can be configured to trigger an email, a ServiceNow ticket or an incoming Slack message, notifying of any changes related to these subscriptions. This feature complements Bit Discovery’s existing alerts that notify of any assets automatically added or removed.

Subscriptions have one final trick – the ability to share them. Clicking the share icon for a subscription displays an option to generate a public link – similar to how we often share Google and Office365 documents. Anyone with the link can view the results of this query.

Bit Discovery also has support for team members, who can view and manage the same set of subscriptions, custom tabs and inventories.

Notable Integrations

Support

Bit Discovery has a 48 hour support SLA.

Claims

“Know what you own in pristine detail.”

The lawyer in us might ad a “with regards to IP-based asset types” disclaimer in small print, but otherwise, we don’t think this messaging is too much of a stretch. Bit Discovery is clearly committed to grabbing all the data available, short of becoming a mirror for the Wayback Machine.

Roadmap

The folks at Bit Discovery have received a lot of requests for prioritization and are busy at work on an upcoming feature that will address this need. They plan to introduce it within the next month.

Security program fit

Bit Discovery, like other products focused on discovering vulnerabilities and misconfigurations, fits solidly within the Identify column of the Cyber Defense Matrix.

Conclusion

As more of the market moves towards risk analysis, prioritization, and validating findings, we wonder where Bit Discovery goes from here. We can see value in just focusing on improving and enhancing the existing product, but in a way, this tool feels a bit like Splunk – something that additional apps could be built on top of. With an API available, we suspect some larger customers with developer resources might consider Bit Discovery + some in-house development over some of the more expensive offerings in this space.

Adrian Sanabria

Adrian is an outspoken researcher that doesn’t shy away from uncomfortable truths. He loves to write about the security industry, tell stories, and still sees the glass as half full.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.