Updated on December 20, 2017 by UpGuard
Nobody’s perfect. Success is almost always determined through trial and error, learning from mistakes and course-correcting to avoid them in the future. The length of this cycle (from experiment to result, incorporated into future decisions) determines how quickly a trajectory can be altered, which in turn offers more opportunities to succeed. However, capturing and using hard data to make these adjustments is more difficult than it seems. Dashboards visualize real-time data and recent trends, giving people insight into whether their efforts are succeeding, assuming they’re using the right metrics.
Walking the Walk
UpGuard VP of Product Greg Pollock wrote a short piece about the difference between stats and scoreboards, offering some guidance on how to determine usable metrics while keeping the bigger picture in mind. We at UpGuard use dashboards in all of our departments to stay on top of our progress, set realistic expectations for goals, and predict performance in the future. More than just having these dashboards, we make them visible for everyone, so that all of the people whose work goes into determining our metrics can understand them and how they affect the business as a whole.
This context helps people internalize the reasons why they are doing the work they do, rather than having a series of arbitrary tasks in which they are not invested. For example, our engineering department uses dashboards to track open tickets and bugs, while marketing tracks lead gathering and conversion. Our customer success team visualizes how different software versions are distributed among customers so we can provide better support and standardization; finally, our product team tracks the use of our web scanner, the consistency of our internal knowledge base, and project progress over time. For UpGuard, what’s more important than the numbers themselves, as important as they are, is that everyone understands why we care about them and how the work we do affects them.
The UpGuard Home Dashboard
We’ve brought this same philosophy to our cyber resilience platform, creating visibility into complex inner workings, providing trackable, predictable metrics for IT processes, and quantifying and demystifying cyber risk. The UpGuard Home dashboard is the centerpiece of this idea, visualizing the key metrics about your environment in terms of systems, processes, and cyber risk.
Digital technology has always had inherent dangers, but for the bulk of its use they were hidden. Occasionally, the consequences of cyber risk would boil to the surface in a major data breach or service outage, and the affected organization would react by trying to implement a cybersecurity solution, as much to appease the public as to actually protect their business. But cyber resilience isn’t about reacting; it’s about proactively building strong, thorough, and visible IT processes to minimize the chances of an eruptive breach or outage down the road. Security isn’t something that can be slapped on top of an existing IT environment. It must be built into the stages of every process, the configuration state of every asset, and the philosophy of every person involved. We created UpGuard as a way to make that possible.
What’s in the UpGuard Home Dashboard?
The UpGuard Home dashboard provides an indicator of the health of your environment, and a place from which to identify potential issues. By visualizing a summary of the changes, policy checks, vulnerability scans, and external website scans that have occurred over the last ten days, we give organizations baselines and measurements by which to increase resiliency and decrease cyber risk. For Infrastructure Operations, this may be monitoring unexpected or unapproved changes, as well as changes that cause policies to fail. For Security Operations, it may be an increase in high-severity vulnerabilities. For an IT Manager, it may simply be a fall in the overall CSTAR score.
Find What’s Important, Fast
When the dashboard is first loaded, it includes information from every node in the organization. However, every organization defines criticality differently, and the only useful metrics are going to be those that conform to the specifics of the business. The Home dashboard can be filtered to surface important information and minimize extraneous noise. For instance, you may want to see data on nodes in the “production” environment that are also in the “Windows Server” node group. This granularity helps produce metrics that are actionable, not arbitrary.
Measuring Cyber Risk with CSTAR
UpGuard's CSTAR, or Cyber Security Threat Assessment Report, provides an overarching measure of cyber risk. The score is based on a comprehensive analysis of every asset in the environment, the processes by which those assets are managed, and external risks, such as the industry in which the organization operates. The score encompasses four category scores: Changes, Policies, Vulnerabilities, and External Risk. An overall CSTAR score that is low or falling indicates a problem. Organizations can then drill into the four quadrants to identify why.
Change is good. When change becomes bad, it means that the process for change needs improvement. The Changes section of the Home dashboard captures all changes that have recently occurred. The score is based upon the extent to which these changes can be validated by tests: a low score indicates a large amount of change without corresponding tests to ensure the changes are good. The Changes summary information can be used to quickly identify unauthorized or unexpected changes, especially when combined with Environment and Node Group filtering.
The Policies section tracks an organization’s ability to maintain compliance with a resilient state. To determine the Policies score, UpGuard first assesses test coverage. Without testing, there’s no way to know that a system is misconfigured. You can increase your test coverage by writing custom policies or choosing from UpGuard’s content library. The more test coverage, the better the Policies score. UpGuard then calculates the pass rate for those tests. A high Policies score means the organization does a good job ensuring that systems are configured correctly. Policy failures should be investigated and remediated to prevent breaches and outages.
The Vulnerabilities section measures the organization's capacity to detect and remediate software vulnerabilities. The score is based on the frequency of scans, as well as the number and severity of vulnerabilities that are discovered. High-rated vulnerabilities that impact multiple nodes should be prioritized for remediation.
External Cyber Risk
Scores for changes, policies, and vulnerabilities are all calculated by examining the organization from within. The External Cyber Risk score captures risk from outside. It encompasses a number of factors, including whether websites and communication infrastructure are configured securely, the nature of the industry in which the organization operates, and even the sentiment of staff within the organization as a marker for insider attack.
UpGuard is the world’s first cyber resilience platform, built to facilitate and automate low-risk digital assets and processes. Part of the way we do that is by creating transparency in those assets and processes, offering clear metrics for continued improvement over time. This creates a win/win scenario for IT managers, who can supplement budget requests with solid data, and executives, who can understand the business risks posed by the technology on which they rely. The UpGuard Home dashboard provides the top-level view, where the massive amount of data we gather is transformed into an immediately actionable dashboard.
Misconfigurations are an internal problem that emanates from within the IT infrastructure of any enterprise; no hacker is necessary for massive damage to occur to digital systems and stored data. And the problem is pervasive, with Gartner estimating that anywhere from 70% to 99% of data breaches result not from external, concerted attacks, but from internal misconfiguration of the affected IT systems.