Given the complexity of modern information technology, assessing cyber risk can quickly become overwhelming. One of the most pragmatic guides comes from the Center for Internet Security (CIS). While CIS provides a comprehensive list of twenty controls, they also provide guidance on the critical steps that "eliminate the vast majority of your organisation's vulnerabilities." These controls are the foundation of any cyber resilience platform and at the center of UpGuard's capabilities.
UpGuard makes a cyber resilience platform designed for exactly the realities that necessitate regulations like New York State Department of Financial Services 23 NYCRR 500. On one hand, businesses need to store, process, and maintain availability for growing stores of valuable data; on the other, the very conditions for market success open them to attacks from increasingly sophisticated and motivated attackers. Balancing these requirements makes a business resilient, and UpGuard provides the visibility, analysis, and automation needed to thrive while satisfying regulations like NYCRR 500.
Why dashboards? Nobody’s perfect. Success is almost always determined through trial and error, learning from mistakes and course-correcting to avoid them in the future. The length of this cycle, from experiment to result, incorporated into future decisions, determines how quickly a trajectory can be altered, which in turn offers more opportunities to succeed. However, capturing and using hard data to make these adjustments is more difficult than it seems. Dashboards visualize real-time data and recent trends, giving people insight into whether their efforts are succeeding, assuming they’re using the right metrics.
So I've finally gotten the go-ahead from higher-ups to join the twenty-first century and use cloud hosting. Now I need to prove that running in AWS is not just easier than maintaining our own farm, but more stable and secure. To do this, I need to be able to monitor each of my instances for configuration drift, ensure that they are properly provisioned, and maintain visibility into dependencies like load balancers and security groups. Fortunately, UpGuard provides all of this information, so even if something were to go wrong I could catch it before someone else does.
UpGuard is proud to announce that security expert Chris Vickery is joining our team as a cyber risk analyst, bringing with him a stunning track record of discovering major data breaches and vulnerabilities across the digital landscape. Chris comes to us from his previous role as a digital security researcher, where among other achievements, he discovered a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens, protecting more than seventy percent of the country’s population from the risk of exposure of their personal information.
Going from nothing to automation using one of the many tools available can be a daunting task. How can you automate systems when you’re not even 100% sure how they’ve been configured? The documentation is months out of date and the last guy to configure anything on that box has since left the company to ply his trade somewhere that will more fully appreciate his Ops cowboy routine.
We've all heard the saying: hindsight is 20/20. This applies to many scenarios but is seldom the case when it comes to IT security: most organizations develop shortsightedness when it comes to data breaches—even those that may be happening right under their noses. Like a vehicle's side and rearview mirrors, retrospective security improves visibility by eliminating blind spots using past trends and historical data.
When we think of protecting our information online, it’s usually in the context of traditionally sensitive data: credit card numbers, addresses, SSNs, and so on. But as anyone who has taken a picture of themselves wearing nothing but a smile can tell you, the information exchanged during online dating can be just as personal. I haven’t done that, though. Ever. I have never done it.
As the saying goes, there are two certainties in life: death and taxes. As we all look ahead to 2016, it’s clear that a third certainty has entered the mix: breaches.
One of our main objectives is to explain the costs of unplanned outages and help you prevent them from ever occurring in the first place. It's never merely time and money lost—customer trust and your reputation take hits, too. We've written many articles about it and work with companies on improving their service reliability every day.
There can be absolutely no question anymore that DevOps isn't just a fad—it's here to stay, it's a big deal, and it's coming to the enterprise. Speakers from relatively new companies like SurveyMonkey and Docker took the stage at the 2015 DevOps Enterprise Summit in San Francisco alongside old standards like IBM and General Electric to prove that the transition to a DevOps culture in established enterprises is not only possible, but probably inevitable.
Known vulnerability assessment – evaluating a machine's state for the presence of files, packages, configuration settings, etc. that are known to be exploitable – is a solved problem. There are nationally maintained databases of vulnerabilities and freely available repositories of tests for their presence. Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common? Why, according to the Verizon Data Breach Investigation Report, were 99.9% of the vulnerabilities exploited in data breaches last year over a year old?
UpGuard's "three waves" methodology helps businesses achieve digital maturity through a three-step process: gain visibility, establish test-driven infrastructure, and then automate what you can also validate. In our last release we focused on improving visibility with an improved data visualization, a search engine, and group differencing. Now we've revisited our testing platform to make both incremental improvements and fundamental changes.
Though still a relatively new player on the market, group messaging upstart Slack has steadily expanded its footprint into the business and enterprise arena with its polished, streamlined offering for team collaboration. For the uninitiated, Slack is essentially a tool for collaborating amongst teams—chat rooms on steroids, if you will. And like UpGuard, Slack’s integration capabilities are among its most lauded features. When used in conjunction with each other, the two together can give organizations a highly effective feedback loop for staying on top of system/configuration changes and vulnerabilities.
UpGuard is built to answer the fundamental questions of configuration management: how are my systems configured, are they configured correctly, what's changed since yesterday, what's for lunch – the stuff you absolutely need to know. In its first release, UpGuard satisfied the first three by scanning and recording configuration state, continuously testing with policies, and giving users the ability to difference configuration state over time or between nodes. But one thing was missing: the ability to difference a group of nodes all at one time.
From rudimentary topologies to multi-cloud deployments, UpGuard was designed to provide end-to-end visibility for all types of infrastructures. Our platform gives organizations unprecedented macro and micro-level visibility in even the most complex and heterogeneous IT environments. And now—with UpGuard’s powerful new Search feature—identifying and locating items of interest or concern is as easy as typing text into a search box.
More than ever, UpGuard provides the ability to know how your environments are changing and to identify the deviations that increase your risk for failed change, outages, and security incidents. Here we quickly cover how UpGuard addresses the needs that every IT organization has through visualizations that allow you to start solving your problems today.
Today, a new vulnerability called VENOM was announced in CVE-2015-3456. It stands for “Virtualized Environment Neglected Operations Manipulation” which sounds, frankly, like an indictment of anyone aloof enough to let it sneak up on them. And wading through other blog posts on the subject—with their snake-related clipart and all—is like looking through the first few pages of the book when you visit a tattoo shop. Here’s the gist from its discoverers at CrowdStrike:
Whenever there's a lot to lose, UpGuard is the solution to ensure correct configuration state. Often this means working with enterprises in banking, transportation, and ecommerce, but the Internet of Things introduces risks to the most mission-critical system of them all: your home.
If you're one of the unfortunate ones who woke up to a frantic text from their boss this morning, there's some small consolation: today's OpenSSL vulnerabilities probably aren't as horrific as Heartbleed! Hooray, great job everyone! The bad news is that you still have to patch your environment, and before you can even do that—do you even know what you've got? There's a kind of configuration "fog of war" over IT that's been a fact of life for as long as IT has been around, especially in established environments. Sure, you could manually dig into each machine and run openssl version, or spend the afternoon scripting a solution if you're fancy, but that amount of work will only get you through today. You need to make room in your tool chest for a universal configuration scanner and system of record.
Sarbanes-Oxley (SOX) compliance—it’s like checking for holes in your favorite pair, but with consequences beyond public embarrassment. For publicly traded companies, the ordeal is a bit like income tax preparation for the rest of us: a painful, time-consuming evil that—if not carried out judiciously—may result in penalties and fines. Throw in an additional bonus of prison time for good measure, if you’re a C-level executive and discrepancies are found on your watch. Yes, the SEC is serious about SOX compliance, and you should be, too—especially if you’re in IT.
This week, Apple’s App Store and iTunes Store suffered a downtime of about 10 hours. For the better part of the day, customers were unable to access the stores, purchase music or apps, or make payments using the Apple Pay payment system. The problem has been attributed to “a configuration blunder” of its DNS setup.
We rewrote the UpGuard agent as a connection manager to reap the benefits of agentless monitoring. Why get rid of agents? Because agents must be updated. They are like a free puppy – it's easy to take them home but you have to feed them, take them to the vet, and clean up after them for years afterward. The new connection manager allows for an agentless architecture while keeping all SSH/WinRM activity behind your firewall. It's fast, light, easy to maintain, and secure.
Microsoft has announced a vulnerability in Samba, the widely used SMB/CIFS protocol for Windows/*nix interoperability. The vulnerability exists in versions 3.5.0 to 4.2.0rc4 and allows malicious clients to manipulate the host such that clients can execute code via a netlogon packet.
We know you're sick of updating OpenSSL so we'll keep this short. There is a new SSL vulnerability named FREAK with a published proof of concept. FREAK affects a significant portion of websites, including big names like American Express and the NSA. Like POODLE, FREAK takes advantage of support for legacy cryptographic protocols.
Over the years, Amazon has become the poster child for all things cloud-related, and for good reason: as one of the initial vendors to embrace the cloud computing paradigm, it was the first to offer widely accessible commercial cloud infrastructure services when it launched EC2 and S3 as part of AWS back in 2006. And now, almost a decade later, the tech giant continues to dominate with a 27% share of the cloud services market. It's therefore not surprising that for many, Amazon comes to mind first when thinking of cloud computing.
One of the easiest ways to build applications programmatically into containers through Docker is to use a Dockerfile. Dockerfiles are the Makefiles of the Docker world. A ton of blog posts and tutorials have sprung up over the last few months about how to set up Docker, or how to set up a LAMP stack and even a LEMP stack in Docker.