
What's new in UpGuard | May 2021

Learn about new features, changes, and improvements to UpGuard this month:
- The new Incidents & News feed provides you with a searchable, chronological list of security updates that matter to you.
- You now have the ability to create and manage custom roles, making it simple to assign team members the correct permissions within the UpGuard platform.

Incidents & News feed

Current UpGuard customers rely on Identity Breaches to identify and notify employees who have had their credentials exposed in a third-party data breach. But not every breach impacts your organization, nor do we have access to the details of every breach.
Prior to this release, breaches that fall under this definition weren’t visible inside UpGuard, nor were other important security-related events such as ransomware attacks or M&A activity. Even if these incidents don’t impact your organization, they provide important context that can feed into your risk assessment on a vendor.
Incidents & News is designed to provide you with a searchable, chronological feed of publicly disclosed data breaches and other security-related information such as cyber attacks, ransomware, malware, acquisitions, spin-offs, mergers, and more.
The feed is broken down into individual items that have a date, severity, type, impacted company, summary, and, where applicable, other related companies. At the top of Incidents & News, you’ll see three tabs that filter down results:
- Incidents: Think data breaches, cyber attacks, ransomware, malware, etc.
- News: Mergers, acquisitions, spin-offs, and other security-related news.
- You and your vendors: Incidents and news related to you or your vendors.
By default, results are limited to the last twelve months, but you can adjust this timeframe as you like.
Incidents & News is currently in closed beta and will be rolled out to all customers soon.
Learn more about Incidents & News here.

Improved questionnaire process for vendors

We’re rolling out an improved questionnaire experience for vendors to reduce the time it takes for you to get a complete and accurate questionnaire. The new page replaces, improves, and streamlines our previous questionnaire details page, which vendors told us was confusing.
Vendors can now quickly start answering the questionnaire, track their progress, discover unanswered questionnaires, and see any associated remediation requests. Messages sent to vendors will now appear in the top right corner of their screen, which makes it simple to respond to your queries.
The page has been split into three separate tabs:
- Overview: Questionnaire metadata, progress, remediation requests, and unanswered questions.
- Documents: Any attached documents
- Timeline: The version history and timeline of the questionnaire
Learn more about how UpGuard makes it easy for vendors to answer questionnaires.

Better remediation reporting

Managing and reporting on your remediation activity gets harder as you scale. That’s why we’re excited to be improving the reporting functionality for Remediation Requests.
Remediation request tables now show the total number of active requests as well as a breakdown of the number of requests at each stage (in progress, awaiting review, completed, archived).
This makes it simple to keep track of your overall progress and to dive deeper into the requests that need your attention. We’ve also added support for exporting remediation requests to PDF or Excel, making it easy to share progress with internal stakeholders, auditors, and regulators.
Learn how to export your internal or vendor remediation activity here.

Other fixes and improvements

- Added Date Published field to Identity Breaches API
- Added Last Assessed field to Vendors API
- Improved Typosquatting results by adding support for commonly used prefixes and suffixes
- Improved performance of Domains in tree view
- There is now a task for when a questionnaire needs to be resent

Role-based access control and granular user permissions

You likely already restrict access to a portion of your UpGuard account to specific users. For example, not every user on your account should have administrative access. But what we’ve heard from you is that as you onboard more users, it gets harder and harder to manage, keep track of, and update the permissions of each user.
That’s why we’re introducing role-based access control. Administrators can now create and manage custom roles, making it easy to ensure each teammate has the right permissions and that your organization is following the principle of least privilege. You can learn more about RBAC and the principle of least privilege on our blog.
Managing roles is as simple as creating a role, configuring your desired permissions, and assigning it to users. If you need to update a role later, any changes will cascade down to the assigned users too.
We also heard that you wanted more granular permissions. That’s why you can now decide whether a user has access to BreachSight, Vendor Risk, or CyberResearch. This is great for situations where one team manages your attack surface and another separate team manages your vendors.
In addition to these improvements, you can now decide whether a user has read-only or full access to BreachSight’s or Vendor Risk’s core features, as well as whether a user has access to Identity Breaches and Typosquatting.
Role-based access control is currently in closed beta and only available for certain plans. Please reach out to us if you would like to learn more.
Learn how to create and manage roles.

Label vendor and subsidiary domains, IP addresses, and IP ranges plus support for labelling in tree-view

Another frequent bit of feedback we receive is that you want to be able to label your vendor’s or your subsidiary’s domains, IP addresses, and IP ranges so you can drill down into the specific assets that mean something to you. Now you can.
Next time you’re on a vendor’s or subsidiary’s Domains or IP Addresses page, you’ll see Add label on the far right of the table. Clicking Add label will allow you to add an existing label or create a new one. For context, labels in UpGuard are broken down into vendor and asset labels. This means that domain and IP address labels are shared across BreachSight and Vendor Risk.
As part of these improvements, we’ve refreshed the design of the labels modal, moved the management of labels to Settings under the Labels tab, and added support for labelling domains in tree view across BreachSight and Vendor Risk.
These improvements make it easier than ever to track your and your vendors’ assets and to keep your team’s labels under control.
Learn how to label your vendor domains, IP addresses, and IP ranges and your subsidiary’s domains, IP addresses and IP ranges as well as how to manage your labels.

Trigger webhook calls from audit log events

Administrators can now push Audit Log events into other platforms using our Integrations feature. For background, Integrations uses webhooks to notify your other applications when an event happens in your account. Examples of these events include when an identity breach or data leak is detected, the score of a watched vendor drops below a threshold, and now any Audit Log event of your choosing.
Learn how to integrate UpGuard with other services.

Other fixes and improvements

- Added an exception for Kubernetes clusters that sit behind AWS Elastic Load Balancing. This means that scores won’t change unexpectedly when Kubernetes stops and starts.
- Fixed bug causing Excel report generation to break for large exports
- Vulnerabilities that have been waived will no longer produce notifications
- Improved design of domain side panel to indicate when a risk is coming from www or the root domain

What's new in UpGuard | April 2021

Learn about new features, changes, and improvements to UpGuard this month:
- We’ve introduced a convenient new Home screen to replace the notifications page.
- You can now share completed risk assessments and additional evidence with your related organisations who also have an UpGuard account.
- You now have the ability to discover and drill down into the geographies that you and your vendors are operating in.

Geolocation Risk

Geolocation Risk lets you discover and drill down into the geographies that your infrastructure and your vendors’ infrastructure are operating in. It’s similar to Fourth Parties but focused on geographies instead of fourth parties.
Monitoring Geolocation Risk is a great way to understand whether data is being hosted in different countries and what data and privacy laws may be in place to protect it.
It’s also a great way to keep track of what countries your data may be stored in. This is particularly important for organizations in regulated industries like financial services or healthcare who may have regulatory requirements that dictate what countries data can be stored in.
Geolocation Risk information is available in the BreachSight Executive Summary, Vendor Risk Executive Summary, Vendor Summary, and the Vendor Risk Report.
Geolocation Risk is currently in beta. If you would like us to enable it on your account, please contact us.

Other fixes and improvements

- Changed names of Concentration Risk and Supply Chain to Fourth Parties to improve consistency across the product and to better reflect what the feature does
- Improved the subject line of invitation emails making it even easier for new users to get started
- Removed the register a domain button from Typosquatting
- Owned IP ranges with no active IP addresses are now shown in your or your vendors’ IP Addresses
- IP addresses that are part of an owned IP range and are discovered through a DNS record will now be labelled as Owned and DNS rather than only one

Home

Keeping on top of what has happened in your UpGuard account is one of the most important things you can do to improve your security posture. That’s why we’ve created Home. Home is a replacement for the existing Notifications screen. It highlights new events and actions that have occurred since you last logged in.
Events can include score changes for your websites or your vendors, typosquatting updates, vulnerability notifications, and more. For UpGuard administrators, it can also include audit log events.
Home is split into two tabs, All activity and My tasks.
All activity is broken down into cards, with each card linking directly to the relevant section in the app, making it even easier to dive deeper into the events that matter most to you. Each card also has a list of breadcrumbs to help you passively learn the structure of the platform over time.
My tasks gives you an up-to-date list of the actions you need to take next inside UpGuard. This can include things like approving risk waivers, replying to messages, reviewing submitted security questionnaires, and actioning remediation requests. Tasks will stay active until you complete or dismiss them.
Home is currently in beta. If you would like us to enable it on your account, please contact support@upguard.com.
Learn how to manage your Home screen

Improved support for CyberResearch tiers

Customers who have purchased more than one tier of our third-party risk management services can now pick which service level they want the vendor assessed to. We’ve also added support for defining the importance of the vendor to your organization.
As part of this work, we’ve also improved the granularity of the statuses shown in Managed Vendors to make it even easier to see where your request is up to. This means that rather than seeing that a request is in progress, you’ll be able to see where in the process your request is up to, such as gathering evidence, performing risk assessment, remediating risks, etc.
If you are an existing customer who wants to learn more about our third-party risk management services, please contact support@upguard.com
Learn more about Managed Vendors here

Securely share vendor assets with related entities

Gathering evidence and performing risk assessments are time-intensive and expensive for you and your vendors. That’s why we’re introducing a way to securely share your completed security questionnaires, additional evidence, and risk assessments with those related entities who also have an UpGuard account.
If your organization is part of a multi-org account, you and your related entities can now proactively share vendor assets. Sharing assets is a great way to eliminate the email back and forth that is usually associated with onboarding a new vendor, allowing your organization to assess more vendors in less time by leveraging the work done by related entities.
To understand how Shared Assets works, let’s go through an example.
Imagine you need to assess a potential vendor for your marketing team. You log into UpGuard, monitor the vendor, and click on Shared Assets. You see that a related entity has shared a completed questionnaire and a risk assessment.
Rather than doing your own assessment, you request access to your related entity’s assets, read through them, and determine the vendor is not adequately secure. You respond to your marketing team’s query, outlining why the potential vendor is not a good fit based on your related entity’s assessment.
And just as you can control access to your Shared Profile, you can control who has access to your Shared Assets. Related entities won’t get access to your assets unless you provide it to them.
Learn how to use Shared Assets here

Other fixes and improvements

- Removed the use of no-reply from our transactional email addresses which should improve deliverability of our emails
- Improved design of the vendor summary to display all available assets
- Third-party risk management services customers can now create, edit, and publish their own risk assessment
- Improved the performance of the changes view for you and your vendors

Speed is a feature

We’ve made significant performance improvements to key pages like the Risk Profile and Vendor Summary. When you next visit one of these pages you’ll notice they load significantly quicker, particularly for large vendors with thousands of domains.
This means less time spent waiting for things to load and more time diving into the details that matter to you.

Other fixes and improvements

- Added support for document storage in India

What's new in UpGuard | March 2021

Learn about new features, changes, and improvements to UpGuard this month:
- You can now build your own custom security questionnaires, right inside the UpGuard platform.
- We’ve also introduced a new option to schedule recurring reports on a weekly, monthly, quarterly, or yearly cadence.
- You now have the ability to export inactive domains owned by you or your vendors. We've refreshed the design of the "Domains" PDF export to support this.

Export inactive domains

You can now export your own and your vendors’ inactive domains. To support this new feature, we’ve refreshed the design of the Domains PDF exports. The new design makes it super simple to see which domains are active and which are inactive, as well as when domains were last scanned.
If you have any feedback on this or any other feature, don’t hesitate to reach out to us.
Learn how to export your domains or a vendor’s domains.

Export audit log

We’re giving you more control over where you can use audit log data by allowing UpGuard administrators to export to Excel. This makes it simple to ingest events into other platforms or to track employee usage of the UpGuard platform.
Learn how to export your audit log

Other fixes and improvements

- Fixed issue where vendors were still being scored when they had no active domains
- Fixed issue causing vendors to have a questionnaire score when they had no completed questionnaires
- Added optional expiration date for additional evidence
- Added a verified vulnerability check for the new Microsoft Exchange vulnerability (CVE-2021-26855)
- Added pagination on questionnaire page

Build your own security questionnaires

You can now build your own security questionnaires inside the UpGuard platform. Start from scratch, or use one of our growing library of questionnaires as a starting point and adjust it to cater for your specific needs.
Creating a custom questionnaire is easy. We provide you with a range of question types designed to cater for different circumstances. Think single, multi-select and text-based answers, as well as file uploads to capture additional evidence and sections to group related questions together.
Like our in-built questionnaires, custom questionnaires can be configured to automatically identify risks based on one or more answers to a set of questions. When a risk is identified, you can also choose whether or not to ask respondents for compensating control information.
In addition to automatic risk identification, our custom questionnaire builder has powerful conditional logic which lets you ask the right questions and skip the rest. Asking only what is required means more thoughtful responses and higher completion rates.
All in all, your custom questionnaires can be as powerful as you want them to be.
While we iron out the last kinks, this is a beta feature. You can get it enabled by reaching out to our support team. If you have any feedback on this or any other feature, don’t hesitate to reach out to us.
Learn how to use our questionnaire builder.

Recurring reports

We have added the option to schedule recurring reports.
Exporting data in UpGuard has so far required you to log in, navigate to the desired page, and then click the export button each time you want fresh data. This can become frustrating if you want to export the same data on a recurring schedule or if you need to share the data with stakeholders who don’t use the UpGuard platform.
This is why we built a new way to export reports that makes it super simple and fast to create recurring reports on a weekly, monthly, quarterly, or yearly cadence. The new export modal also lets you add any email address, so you can easily share recurring reports with colleagues or stakeholders who aren’t UpGuard users.
Recurring reports is currently a beta feature. If you would like to be a beta tester, please reach out to our support team.
Learn more about recurring reports.

Other fixes and improvements

- You can now remove the original recipient and change the sender when resending questionnaires
- Added support for multiple recipients when creating a questionnaire or remediation request
- Fixed issue where /vendors and /vendor endpoints were returning different scores
- Fixed issue where vendors using Amazon CloudFront would be penalized
- Fixed issue causing an open port 7654 on Azure Apps environments to be raised as a risk
- Domains parked at NetRegistry will now be classified as inactive
- Fixed issue where custom domains were not shown when they failed their first scan
- Vulnerability notifications now lead to a filtered version of the vulnerabilities page that is specific to the notification
- Fixed issue causing vendors with no active domains to not load

What's new in UpGuard | February 2021

Learn about new features, changes, and improvements to UpGuard this month:
- You’re now able to export your list of monitored typosquatting domains, as well as any registered, unregistered, and ignored permutations of a specific domain.
- We’ve also introduced filters for typosquatting. When you export, you can apply any active filters.
- ‘Vendor Risk Waivers’ is a small but meaningful improvement that lets you waive vendor risks that have been identified through automated scanning, questionnaires, and additional evidence.

Export typosquatting

You can now export your list of monitored typosquatting domains, as well as the registered, unregistered, and ignored permutations of a specific domain to PDF or Excel.
Once exported, you can use the permutations in workflows outside the UpGuard platform. This may include adding registered permutations to a default block list for your email gateway, handing them over to your legal team to do takedown outreach, or feeding them into a separate platform.
In addition to these improvements, we’re also introducing filtering for typosquatting. You can filter down the number of typosquatting permutations by selecting a specific type. For example, you may want to identify all the possible typosquatting permutations that are homoglyph substitutions. And when you go to export, you’ll have the option to apply any active filters.
Learn how to export from typosquatting or filter typosquatting permutations results.

Other fixes and improvements

- You can now retrieve files uploaded to a vendor’s documents, questionnaires, or additional evidence via our API
- Active vendor risk waivers now appear in the Vendor Report as well as Risk Profile, Risk Assessment, and Portfolio Risk Profile exports
- Compensating control information for questionnaire risks is now visible on the questionnaire details page
- Waiving a risk from a specific questionnaire now only selects the risk from the corresponding questionnaire
- Fixed bug where compensating control information was being displayed for all questionnaires rather than only the questionnaires that the risk was waived from
- Fixed issue where Vendor Summary prompted Third-Party Risk Management Services customers to create or edit a questionnaire when one didn’t exist or was in draft
- Standardized time format in UpGuard API to 6 decimal places
- Improved text in vendor risk report to support situations where details are not exported
- Fixed issue where inactive domains were not showing if there were no associated scanning results
- Fixed issue where parent domain wasn’t showing in tree view when all subdomains were inactive