UpGuard Release Notes

Send a questionnaire to multiple vendors at once

Sending a questionnaire to multiple vendors previously required you to repeat the questionnaire sending process for each vendor. Now we have streamlined this process, enabling you to easily send many questionnaires at once by selecting multiple vendors within the one workflow. This is particularly useful when a broad impact vulnerability such as Solarwinds or Log4j is discovered and you need to quickly assess your Tier 1 vendors to determine the risk exposure of your organization.

For more information on sending questionnaires, visit our knowledge base article ‘How to send security questionnaires in UpGuard’.

Other improvements

• Bug fixes

Until now, only automatically discovered fourth parties were able to be viewed in our Fourth Parties feature. Now corporate+ customers can map out fourth party vendors as you become aware of them, and optionally add corresponding information about the specific products being utilized. For more information, see the knowledge base article ‘How to add a fourth party vendor in UpGuard’

Other improvements

• Performance improvements for the vendor portfolio risk profile.
• Bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

Risk remediation requests now include both web and questionnaire risks

You can now send remediation requests that combine both automated web scanning and questionnaire-based risks, simplifying the process for you and your vendors. It’s also much easier to preview your vendor's projected score once the remediation request has been resolved, allowing you to consider your risk appetite for that vendor.

For help requesting remediation from a vendor, check out: ‘How to request remediation from a vendor’ 

Export Compliance reports into PDF and Excel

In October 2021 we released the compliance reporting feature which enables you to assess your vendor's risk profile against recognized security frameworks such as NIST CSF and ISO27001. You are now able to export these results into PDF or Excel formats for your auditors and other stakeholders.

Granular user permissions for Shared Profiles

You can now assign user specific permissions for your Shared Profile:

• Read access to the organization's Shared Profile
• Respond to Shared Profile access requests and invite people to view your Shared Profile
• Update Shared Profile questionnaires and documents, and set the Shared Profile to published

Check out the ‘Managing user permission for your Shared Profile’  for more information.

Other improvements

• Vendor comparison selection functionality has been restored and improved
• Control/Command clicking View questionnaires buttons will now open a new tab
• Various bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

New and improved risk assessments

Over 60% of cyber security incidents come from trusted vendors. Secure your data and prevent this from happening to your business with our new and improved risk assessments. You can now send questionnaires, request or use shared questionnaires and add additional evidence from inside a risk assessment. When the assessment is completed, set a reassessment date to make sure that you stay up to date with your vendor's risk profiles. Check out ‘How to complete a risk assessment’ for assistance in completing a risk assessment.

Apache Log4J - Critical Vulnerability Questionnaire and automated scanning

Control your Log4J critical vulnerability risk by sending your vendors our new Log4J questionnaire. We've also added an automated scan and verified vulnerability for Log4j CVE-2021-44228. This uses a basic detection mechanism as part of a GET request to a scanned domain, in order to keep our scanning as non-invasive as possible. It is important to note that the absence of this verified vulnerability does not mean that you or your vendors are 100% safe from this vulnerability, but the presence of the vulnerability means that you are likely exposed. Please see our blog post for more information on CVE-2021-44228 (Log4Shell) and how you can minimize your exposure.

Custom Domain for outbound emails

Tailor your workflow notifications to best represent your business, improving your vendors confidence and diligence at opening/fulfilling your requests. By default, notifications and invites to outside parties come from an UpGuard email address. Now customers with co-branding can set up a customized mailing address such as UpGuard@yourbusiness.com or set notifications to come directly from their own email address wherever possible. For help setting this up, check out the knowledge base article ‘Sending outbound emails from a custom address’.

Slack Integration

Get more value from UpGuard with the new Slack integration. You can create a Slack integration directly within UpGuard, enabling you to securely get the information you need from UpGuard, direct to Slack. You’ll be able to set up notifications to trigger directly into Slack, with the flexibility to display the information you need to act promptly.

Check out our ‘Setting up a Slack integration’ knowledge base article for help getting started.

VIP Identity breach list

The first question we hear our customers ask when an identity breach is reported is ‘are any of our executives exposed’? Now you’ll be able to get peace of mind by adding them to a VIP list within the identity breaches module. You can then set up a VIP identity breach notification to let you know when your VIPs are exposed in an identity breach. It might even be worth setting up a separate Slack channel for VIP identity breach notifications! For more information about the Identity Breaches module - check out this article. 

Other improvements

• Domains marked as belonging to you on the Domains screen will now be automatically set to “Owned by us” in Typosquatting
• A number of bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

Curated dark web incident reports 

Many organizations concerned with threat actors operating on the dark web lack visibility into actual activity on the dark web, relying on aggregated metrics of "hacker chatter" to detect and measure risk. Given that dark markets are notorious for scams, data reuse, and intentional misdirection to fool credulous observers, security analysts need visibility into raw data being published on the dark web to verify the veracity of the leak and assess any impact to their organization. UpGuard customers on the Professional tier and up will now see curated posts from ransomware leak blogs on the Incidents and News page tagged as Dark Web. 

Detection of Moodle vulnerabilities

Moodle vulnerabilities are now detected and reported in both Breach Risk and Vendor Risk. Currently, it is not possible to detect software versions on many Moodle instances, so vulnerabilities from all versions of Moodle are shown. Stay tuned for further improvements to our Vulnerabilities module in the coming weeks, which should make dealing with this data easier. Learn more about how to use the vulnerabilities module in our knowledge base article “What is UpGuard Breach Risk’s vulnerabilities module?”

Improvements to Shared Profiles‍

• Factor risks from shared profiles into risk profile, vendor summary, and associated exports.
• Include questionnaire scores from the vendor’s shared profile in overall vendor scores.
• Create risk waivers for shared questionnaire risks.‍
• Trigger notifications when a monitored vendor publishes or updates their Shared Profile.

Other improvements

• Ignore multiple unverified vulnerabilities at once with the select all option.
• This release includes a number of bug fixes.

IP address export now includes associated domains

When analyzing IP address information, it can be useful to see the list of domains associated with each IP address. Previously the PDF export of IP addresses showed the associated domains but the Excel version did not. 

We now include the domains associated with each IP address in both the PDF and Excel exports. For more information check out our knowledge base articles: 

• How to export your IP addresses
• How to export a vendor’s IP addresses or IP ranges

Other improvements

• This release includes a number of bug fixes

Learn about new features, changes, and improvements to UpGuard this month.

Bulk Import vendors, tiers and labels

In this release, we have added the ability to bulk import vendors to your monitored vendors list. You can do this by entering a list of domains or uploading a CSV. Using the CSV import capability also allows you to assign tiers and labels to new or existing vendors. For help using this feature, check out the ‘Importing Vendors, Tiers, and Labels in UpGuard’ knowledge base article

Custom notifications based on risk severity

You will now be able to create custom notifications that will alert you when a risk of a particular severity is identified for your company or your vendors. These notifications will also be available for integration via the webhooks functionality.

Risk framework mapping for compliance reporting

We’ve added the ability for you to assess a vendor’s risk profile by mapping risks against recognized security frameworks such as ISO 27001 or NIST CSF, making it easy to identify and remediate potential gaps. Check out ‘What is Compliance Reporting within UpGuard Vendor Risk?’ for more information.

New questionnaire UI 

You’ll also find a new UI for questionnaires, which will make it easier for your vendors to view, identify outstanding questions and ultimately complete questionnaires. Check out ‘How to send a security questionnaire in UpGuard Vendor Risk” for more information.

Other improvements 

• Ability to add custom logos to your shared profile.
• Ability to exclude specific questionnaires from a vendor's questionnaire score.
• More accurate remediation planner impact preview.
• News webhooks now include ‘source’.
• Various bug fixes.