UpGuard Blog

Assessing Critical Cyber Risks with UpGuard

Given the complexity of modern information technology, assessing cyber risk can quickly become overwhelming. One of the most pragmatic guides comes from the Center for Internet Security (CIS). While CIS provides a comprehensive list of twenty controls, they also provide guidance on the critical steps that "eliminate the vast majority of your organisation's vulnerabilities." These controls are the foundation of any cyber resilience platform and at the center of UpGuard's capabilities.

Filed under: configuration, configuration management, upguard, cyber risk, vulnerabilities

UpGuard Capability: Demonstrating DFS 23 NYCRR 500 Compliance

UpGuard makes a cyber resilience platform designed for exactly the realities that necessitate regulations like New York State Department of Financial Services 23 NYCRR 500. On one hand, businesses need to store, processes, and maintain availability for growing stores of valuable data; on the other, the very conditions for market success open them to attacks from increasingly sophisticated and motivated attackers. Balancing these requirements makes a business resilient, and UpGuard provides the visibility, analysis, and automation needed to thrive while satisfying regulations like NYCRR 500.


Filed under: upguard, cyber risk, Regulations

Visualizing Cyber Risk with UpGuard's Home Page Dashboard

Why dashboards?
Nobody’s perfect. Success is almost always determined through trial and error, learning from mistakes and course-correcting to avoid them in the future. The length of this cycle— from experiment to result, incorporated into future decisions— determines how quickly a trajectory can be altered, which in turn offers more opportunities to succeed. However, capturing and using hard data to make these adjustments is more difficult than it seems. Dashboards visualize real time data and recent trends, giving people insight into whether their efforts are succeeding— assuming they’re using the right metrics.

Filed under: upguard, cyber risk, IT management, dashboards

Monitoring AWS with UpGuard: Instances, Load Balancers, and Security Groups

So I've finally gotten the go-ahead from higher-ups to join the twenty-first century and use cloud hosting. Now I need to prove that running in AWS is not just easier than maintaining our own farm, but more stable and secure. To do this, I need to be able to monitor each of my instances for configuration drift, ensure that they are properly provisioned, and maintain visibility into dependencies like load balancers and security groups. Fortunately, UpGuard provides all of this information, so even if something were to go wrong I could catch it before someone else does.

Filed under: AWS, devops, Cloud Computing, upguard

UpGuard Welcomes Security Expert Chris Vickery

UpGuard is proud to announce that security expert Chris Vickery is joining our team as a cyber risk analyst, bringing with him a stunning track record of discovering major data breaches and vulnerabilities across the digital landscape. Chris comes to us from his previous role as a digital security researcher, where among other achievements, he discovered a publicly accessible database containing the voter registration records for 93.4 million Mexican citizens, protecting more than seventy percent of the country’s population from the risk of exposure of their personal information.

Filed under: upguard, cyber risk, working at upguard, data breach

UpGuard and Puppet - Fits Like a Glove

Going from nothing to automation using one of the many tools available can be a daunting task. How can you automate systems when you’re not even 100% sure how they’ve been configured? The documentation is months out of date and the last guy to configure anything on that box has since left the company to ply his trade somewhere that will more fully appreciate his Ops cowboy routine.

Filed under: IT automation, configuration management, puppet, upguard

UpGuard And Retrospective Security

We've all heard the saying: hindsight is 20/20. This applies to many scenarios but is seldom the case when it comes to IT security: most organizations develop shortsightedness when it comes to data breaches—even those that may be happening right under their noses. Like a vehicle's side and rearview mirrors, retrospective security improves visibility by eliminating blind spots using past trends and historical data.

Filed under: cyber security, upguard, cyber risk

Looking for Love in All the Wrong Places

When we think of protecting our information online, it’s usually in the context of traditionally sensitive data-- credit card numbers, addresses, SSNs, and so on. But as anyone who has taken a picture of themselves wearing nothing but a smile can tell you, the information exchanged during online dating can be just as personal. I haven’t done that, though. Ever. I have never done it.

Filed under: cyber security, upguard, cyber risk, webscan

Bringing Digital Resilience Back to the Digital Economy: ScriptRock Becomes UpGuard

As the saying goes, there are two certainties in life: death and taxes. As we all look ahead to 2016, it’s clear that a third certainty has entered the mix: breaches. 

Filed under: cyber security, upguard, cyber risk, digital resilience

Snoop Dogg to Server Admins: "Fix Your Sh*t"

One of our main objectives is to explain the costs of unplanned outages and help you prevent them from ever occurring in the first place. It's never merely time and money lostcustomer trust and your reputation take hits, too. We've written many articles about it and work with companies on improving their service reliability every day. 

Filed under: outage, server management, upguard

DevOps Year in Review 2015

There can be absolutely no question anymore that DevOps isn't just a fad—it's here to stay, it's a big deal, and it's coming to the enterprise. Speakers from relatively new companies like SurveyMonkey and Docker took the stage at the 2015 DevOps Enterprise Summit in San Francisco alongside old standards like IBM and General Electric to prove that the transition to a DevOps culture in established enterprises is not only possible, but probably inevitable.

Filed under: devops, upguard

Why We Made Our Vulnerability Assessment Free for Everyone

Known vulnerability assessment– evaluating a machine's state for the presence of files, packages, configuration settings, etc. that are known to be exploitable– is a solved problem. There are nationally maintained databases of vulnerabilities and freely available repositories of tests for their presence. Search for "free vulnerability scanner" and you'll see plenty of options. So why are breaches due to known vulnerabilities still so common? Why, according the Verizon Data Breach Investigation Report, were 99.9% of the vulnerabilities exploited in data breaches last year over a year old?

Filed under: upguard, vulnerabilities

Improved Policies Make Testing and Compliance Even Easier

UpGuard's "three waves" methodology helps businesses achieve digital maturity through a three step process: gain visibility, establish test driven infrastructure, and then automate what you can also validate. In our last release we focused on improving visibility with an improved data visualization, a search engine, and group differencing. Now we've revisited our testing platform to make both incremental improvements and fundamental changes.

Filed under: upguard, IT operations, process

Closing The Loop On Notifications with UpGuard and Slack

Though still a relatively new player on the market, group messaging upstart Slack has steadily expanded its footprint into the business and enterprise arena with its polished, streamlined offering for team collaboration. For the uninitiated, Slack is essentially a tool for collaborating amongst teams—chat rooms on steroids, if you will. And like UpGuard, Slack’s integration capabilities are among its most lauded features. When used in conjunction with each other, the two together can give organizations a highly effective feedback loop for staying on top of system/configuration changes and vulnerabilities.

Filed under: upguard, slack

Group Differencing: How We Designed Our Variance Report

UpGuard is built to answer the fundamental questions of configuration management: how are my systems configured, are they configured correctly, what's changed since yesterday, what's for lunch– the stuff you absolutely need to know. In its first release, UpGuard satisfied the first three by scanning and recording configuration state, continuously testing with policies, and giving users the ability to difference configuration state over time or between nodes. But one thing was missing: the ability to difference a group of nodes all at one time.

Filed under: upguard

Introducing UpGuard's Powerful New Configuration Search Engine

From rudimentary topologies to multi-cloud deployments, UpGuard was designed to provide end-to-end visibility for all types of infrastructures. Our platform gives organizations unprecedented macro and micro-level visibility in even the most complex and heterogeneous IT environments. And now—with UpGuard’s powerful new Search feature—identifying and locating items of interest or concern is as easy as typing text into a search box.

Filed under: upguard

Know What You Have: Baselining, Change Anomalies, and Group Differencing

More than ever, UpGuard provides the ability to know how your environments are changing and to identify the deviations that increase your risk for failed change, outages, and security incidents. Here we quickly cover how UpGuard addresses the needs that every IT organization has through visualizations that allow you to start solving your problems today.

Filed under: upguard

Secure Your Hosts from VENOM

Today, a new vulnerability called VENOM was announced in CVE-2015-3456. It stands for “Virtualized Environment Neglected Operations Manipulation” which sounds, frankly, like an indictment of anyone aloof enough to let it sneak up on them. And wading through other blog posts on the subject—with their snake-related clipart and all—is like looking through the first few pages of the book when you visit a tattoo shop. Here’s the gist from its discoverers at CrowdStrike:

Filed under: upguard, vulnerabilities

UpGuard for IoT

Whenever there's a lot to lose, UpGuard is the solution to ensure correct configuration state. Often this means working the enterprises in banking, transportation, and ecommerce, but the Internet of Things introduces risks to the most mission critical system of them all: your home. 

Filed under: upguard

ChefConf 2015 Debriefing

Last week, we repped our set at ChefConf 2015 and gave a couple hundred live UpGuard demos to attendees. We saw a few talks and caught up with some old friends, too. It was a great time and we’ll definitely be back next year.

Filed under: chef, upguard

Generating Chef Recipes from Existing Configs

We've covered the benefits and pitfalls of configuration management tools like Chef in many articles. But let's assume you've done your homework and decided Chef is the tool for you. How do you get started?

Filed under: chef, upguard

Another Day, Another OpenSSL Vulnerability

If you're one of the unfortunate ones who woke up to a frantic text from their boss this morning, there's some small consolation: today's OpenSSL vulnerabilities probably aren't as horrific as Heartbleed! Hooray, great job everyone! The bad news is that you still have to patch your environment, and before you can even do that—do you even know what you've got?

There's a kind of configuration "fog of war" over IT that's been a fact of life for as long as IT has been around, especially in established environments. Sure, you could manually dig into each machine and run openssl version, or spend the afternoon scripting a solution if you're fancy, but that amount of work will only get you through today. You need to make room in your tool chest for a universal configuration scanner and system of record.

Filed under: upguard, openSSL

UpGuard and COBIT for SOX Compliance

Sarbanes-Oxley (SOX) compliance—it’s like checking for holes in your favorite pair, but with consequences beyond public embarrassment. For publicly traded companies, the ordeal is a bit like income tax preparation for the rest of us: a painful, time-consuming evil that—if not carried out judiciously—may result in penalties and fines. Throw in an additional bonus of prison time for good measure, if you’re a C-level executive and discrepancies are found on your watch. Yes, the SEC is serious about SOX compliance, and you should be, too—especially if you’re in IT.

Filed under: upguard, cobit

Apple's $20M Configuration Problem

This week, Apple’s App Store and iTunes Store suffered a downtime of about 10 hours. For the better part of the day, customers were unable to access the stores, purchase music or apps, or make payments using the Apple Pay payment system. The problem has been attributed to “a configuration blunder” of its DNS setup.

Filed under: configuration, upguard

Getting Started with the UpGuard Connection Manager

We rewrote the UpGuard agent as a connection manager to reap the benefits of agentless monitoring. Why get rid of agents? Because agents must be updated. They are like a free puppy–it's easy to take them home but you have to feed them, take them to the vet, and clean up after them for years afterward. The new connection manager allows for an agentless architecture while keeping all SSH/WinRM activity behind your firewall. It's fast, light, easy to maintain, and secure.

Filed under: upguard

Testing for Samba CVE-2015-0240 with UpGuard

Microsoft has announced a vulnerability in Samba, the widely used SMB/CIFS protocol for Windows/*nix interoperability. The vulnerability exists in versions 3.5.0 to 4.2.0rc4 and allows malicious clients to manipulate the host such that clients can execute code via a netlogon packet.

Filed under: upguard, policies

Putting the FREAK (CVE-2015-0204 ) on a Leash

We know you're sick of updating OpenSSL so we'll keep this short. There is a new SSL vulnerability named FREAK with a published proof of concept. FREAK affects a significant portion of websites, including big names like American Express and the NSA. Like POODLE, FREAK takes advantage of support for legacy cryptographic protocols.

Filed under: upguard, policies

An Overview of Amazon AWS and UpGuard (Part 1 of 2)

Over the years, Amazon has become the poster child for all things cloud-related, and for good reason: as one of the initial vendors to embrace the cloud computing paradigm, they were the first to offer widely accessible commercial cloud infrastructure services when it launched EC2 and S3 as part of AWS back in 2006. And now, almost a decade later, the tech giant continues to dominate with a 27% market share of the cloud services market. It's therefore not surprising that for many, Amazon comes to mind first when thinking of cloud computing. 

Filed under: AWS, upguard

Liquifying your Infrastructure with UpGuard and Docker Containers

One of the easiest ways to build applications programmatically into containers through Docker is to use a Dockerfile. Dockerfiles are the Makefiles of the Docker world. A ton of blog posts and tutorials have sprung up over the last few months about how to set up Docker, or how to set up a LAMP stack and even a LEMP stack in Docker.

Filed under: devops, docker, upguard, lamp