Q: Panaseer, is a GCP integration also available for the integration?
A: We don't have any GCP connectors. We have AWS/Azure for now. We build these based on demand and our Data Connector platform allows us to build these in 1-2 days, depending on use case.
Q: Panaseer, what are a few real world examples of controls that are being continuously monitored via your tool?
A: Out-of-the-box we measure technical controls in a range of security domains such as: Inventory, Control Coverage Gaps, Endpoint Security (e.g. malware defenses with A/V, EDR), Vulnerability & Patch Management, Identity & Access Management, Privileged Access Management, Application Security (i.e. supporting DevSecOps processes), User Awareness Training - and we're continually adding more as we work with customers.
To give you a specific example of a control we measure - e.g. Malware Defenses with an EDR or A/V solution - we firstly want to ensure that EDR agents are deployed and running on every device in scope. Then we measure the EDR policy compliance - e.g. is each instance scanning and receiving signature updates in accordance with a policy you have established for the specific asset.
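The two-step check described in the answer above (first: is an agent present and running on every in-scope device; second: is each running agent meeting its scan and signature-update policy) can be reproduced with a small script. This is an added example, not Panaseer's code or data model; the inventory, the EDR console export, the per-environment policy thresholds and the report time are all constructed sample data.

```python
"""Added example: EDR deployment coverage and policy-compliance measurement.

Constructed data throughout; not vendor code. The inventory stands in for a
CMDB/cloud-API asset list and EDR_AGENTS for an EDR console export.
"""
from datetime import datetime

# Constructed: every device in scope, with the attribute the policy keys on.
INVENTORY = [
    {"host": "web-01", "env": "prod"},
    {"host": "web-02", "env": "prod"},
    {"host": "db-01", "env": "prod"},
    {"host": "dev-03", "env": "dev"},   # no agent record at all
]

# Constructed: one record per agent that has ever checked in to the console.
EDR_AGENTS = [
    {"host": "web-01", "running": True,
     "last_scan": "2024-05-10T02:00:00", "last_sig_update": "2024-05-11T06:00:00"},
    {"host": "web-02", "running": False,   # installed but service stopped
     "last_scan": "2024-04-01T02:00:00", "last_sig_update": "2024-04-01T06:00:00"},
    {"host": "db-01", "running": True,     # signatures fresh, scan overdue
     "last_scan": "2024-05-01T02:00:00", "last_sig_update": "2024-05-11T06:00:00"},
]

# Hypothetical policy: maximum allowed age, in days, per environment.
POLICY = {
    "prod": {"scan_days": 7, "sig_days": 1},
    "dev":  {"scan_days": 30, "sig_days": 7},
}

# Constructed report time, fixed so results are reproducible.
NOW = datetime(2024, 5, 11, 12, 0, 0)


def _age_days(timestamp, now):
    """Age of an ISO-8601 timestamp relative to `now`, in fractional days."""
    return (now - datetime.fromisoformat(timestamp)).total_seconds() / 86400


def assess(inventory, agents, policy, now):
    """Classify each in-scope device: missing, not_running, non_compliant or compliant."""
    by_host = {a["host"]: a for a in agents}
    result = {"missing": [], "not_running": [], "non_compliant": {}, "compliant": []}
    for device in inventory:
        agent = by_host.get(device["host"])
        if agent is None:                      # step 1a: agent never deployed
            result["missing"].append(device["host"])
            continue
        if not agent["running"]:               # step 1b: deployed but not running
            result["not_running"].append(device["host"])
            continue
        limits = policy[device["env"]]         # step 2: policy compliance
        failures = []
        if _age_days(agent["last_scan"], now) > limits["scan_days"]:
            failures.append("scan_overdue")
        if _age_days(agent["last_sig_update"], now) > limits["sig_days"]:
            failures.append("signatures_stale")
        if failures:
            result["non_compliant"][device["host"]] = failures
        else:
            result["compliant"].append(device["host"])
    return result


def coverage_metrics(result, inventory):
    """Roll the classification up into the percentages a control dashboard would show."""
    total = len(inventory)
    deployed = total - len(result["missing"])
    running = deployed - len(result["not_running"])
    compliant = len(result["compliant"])
    return {
        "deployed_pct": 100.0 * deployed / total,
        "running_pct": 100.0 * running / total,
        "compliant_pct": 100.0 * compliant / total,
    }


def run_report():
    """Run the assessment against the constructed data at the fixed report time."""
    result = assess(INVENTORY, EDR_AGENTS, POLICY, NOW)
    return result, coverage_metrics(result, INVENTORY)


if __name__ == "__main__":
    classification, metrics = run_report()
    print(classification)
    print(metrics)
```

The point of keeping the two steps separate is that a device with a stopped agent and a device with no agent at all are both control gaps, but they go to different owners (endpoint operations versus the build/provisioning pipeline), and a compliance percentage computed only over hosts the EDR console knows about would hide both.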
Q: Panaseer, how do you establish criticality of IT assets? How/where is the risk assessment performed?
A: We set different rules based on business context and/or any other asset attributes. Those rules are defined alongside our customers and feed into the data engine. Where possible we combine attributes from multiple sources with the rules engine to determine criticality. Often, we see customers risk assessing assets in other tools, such as GRC, and in these instances we consume the rating from these tools. So, an example use case would be for Panaseer to create the complete/up-to-date inventory to forward to RSA Archer, followed by risk assessment in RSA Archer, and then Panaseer can read back the latest risk assessment for the device to update its inventory.
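The answer above describes three ingredients: asset attributes merged from several sources, an ordered set of criticality rules agreed with the customer, and an externally supplied rating (from a GRC tool) that is consumed when one exists. The following is an added illustration of that shape, not Panaseer's rules engine; the attribute sources, rule set and GRC export are constructed, and the rating scale and precedence are assumptions.

```python
"""Added example: attribute merge plus ordered criticality rules with a GRC override.

Constructed data; not vendor code. Each dictionary below stands in for one
data source (CMDB, cloud API, data-classification tool, GRC platform).
"""

# Constructed attribute sources, keyed by hostname.
CMDB = {
    "pay-api-01": {"env": "prod", "owner": "payments"},
    "wiki-01":    {"env": "prod", "owner": "it"},
    "lab-07":     {"env": "dev",  "owner": "research"},
}
CLOUD = {
    "pay-api-01": {"internet_facing": True},
    "wiki-01":    {"internet_facing": False},
}
DATA_CLASS = {
    "pay-api-01": "PCI",
    "wiki-01":    "internal",
}
# Constructed GRC export (the role RSA Archer plays in the answer): an explicit
# risk assessment that, when present, takes precedence over the rules.
GRC = {
    "wiki-01": {"rating": "high", "assessed": "2024-05-01"},
}

# Assumed rule order: first matching rule wins, so put the most specific first.
RULES = [
    ("pci_data",             lambda a: a["data_class"] == "PCI",                  "critical"),
    ("prod_internet_facing", lambda a: a["env"] == "prod" and a["internet_facing"], "high"),
    ("prod",                 lambda a: a["env"] == "prod",                        "medium"),
]
DEFAULT_RATING = "low"


def merge_attributes(host):
    """Combine what every source knows about `host`, with safe defaults for gaps."""
    attrs = {"host": host, "env": "unknown", "internet_facing": False,
             "data_class": "unclassified"}
    attrs.update(CMDB.get(host, {}))
    attrs.update(CLOUD.get(host, {}))
    if host in DATA_CLASS:
        attrs["data_class"] = DATA_CLASS[host]
    return attrs


def rate(host):
    """Return the criticality for `host` and which source or rule produced it."""
    if host in GRC:   # an explicit assessment read back from the GRC tool wins
        return {"host": host, "rating": GRC[host]["rating"], "source": "grc"}
    attrs = merge_attributes(host)
    for name, predicate, rating in RULES:
        if predicate(attrs):
            return {"host": host, "rating": rating, "source": "rule:" + name}
    return {"host": host, "rating": DEFAULT_RATING, "source": "default"}


def rate_inventory():
    """Rate every host the CMDB knows about."""
    return {host: rate(host) for host in sorted(CMDB)}


if __name__ == "__main__":
    for host, verdict in rate_inventory().items():
        print(host, verdict["rating"], verdict["source"])
```

Recording the `source` alongside the rating is what makes the result auditable: when a device shows as "high", the dashboard can say whether that came from a rule the customer defined or from an assessment someone recorded in the GRC tool, and a rule change can be tested for how many devices it would re-rate.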
Q: ThreatWatch, about third-party VA: most vendors do not allow direct VA (scanning) by their business partners. How do most companies achieve their third-party VA readily?
A: Currently third party VA is done using questionnaires or asking the vendor to provide a VA report (which could be dated). ThreatWatch provides an eco-system which allows the vendor to use twigs (open source CLI, completely inspectable) without any cost implications and only share this report back to their partner (i.e. ThreatWatch customer). This allows customers to track the VA posture of their partners in a real-time and collaborative manner. ThreatWatch can get a representation of third party assets and keep track of those assets in the parent organization's ThreatWatch instance. ThreatWatch uses a non-intrusive script to identify the assets and their make-up, which does not require scanning of the assets within third party environments. Third parties get access to a ThreatWatch API key which they can use to push this information into the managed instance.
Q: ThreatWatch, in reality, we use the questionnaires and attestation reports. That is what we can do for our third party VA. Do you have any comments on this?
A: Our approach does not use any questionnaire or attestation reports. Scan reports for vulnerabilities become obsolete very quickly since the rate of new vulnerabilities and their impacts is very high. Our goal here is to provide continuous assurance. Assets from the third party are completely anonymized as part of the ingestion into the ThreatWatch instance.
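The two ThreatWatch answers above describe a flow in which the third party runs a non-intrusive inventory script on its own hosts, the asset representation is anonymized, and the result is pushed with an API key into the customer's instance. The following added example shows one way the anonymization and the push payload can be built so that only what vulnerability matching needs (OS and package versions) leaves the third party. It is not ThreatWatch's or twigs' code: the asset records are constructed, the keyed-hash pseudonymization is an assumed technique, and the endpoint URL is a placeholder (nothing is sent).

```python
"""Added example: pseudonymize a third party's asset inventory before sharing it.

Constructed data and a hypothetical endpoint; not vendor code. The HMAC-based
pseudonym is an assumption about how anonymization could be done: the secret
stays with the third party, so the customer receives stable identifiers it can
track over time but cannot reverse to hostnames.
"""
import hashlib
import hmac
import json

# Constructed: what a non-intrusive inventory script might collect on hosts
# the third party owns. Package versions are what vulnerability matching needs.
RAW_ASSETS = [
    {"hostname": "erp-db.vendor.internal", "os": "ubuntu 22.04",
     "packages": [{"name": "openssl", "version": "3.0.2-0ubuntu1.10"}]},
    {"hostname": "erp-web.vendor.internal", "os": "ubuntu 22.04",
     "packages": [{"name": "nginx", "version": "1.18.0-6ubuntu14.4"}]},
]

# Placeholder values; a real deployment would use the key issued by the
# customer's instance and the instance's own ingestion URL.
API_KEY_PLACEHOLDER = "THIRD-PARTY-API-KEY-PLACEHOLDER"
ENDPOINT_PLACEHOLDER = "https://example.invalid/api/assets"


def pseudonym(hostname, secret):
    """Stable, non-reversible identifier for a hostname under a vendor-held secret."""
    digest = hmac.new(secret, hostname.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def anonymize(assets, secret):
    """Replace hostnames with pseudonyms; keep the mapping on the third party's side only."""
    shared, mapping = [], {}
    for asset in assets:
        asset_id = pseudonym(asset["hostname"], secret)
        mapping[asset_id] = asset["hostname"]   # never included in the shared payload
        shared.append({"asset_id": asset_id, "os": asset["os"],
                       "packages": asset["packages"]})
    return shared, mapping


def build_push(shared, api_key, url=ENDPOINT_PLACEHOLDER):
    """Assemble the request a push would send; the transport itself is out of scope here."""
    return {
        "url": url,
        "headers": {"Authorization": "Bearer " + api_key,
                    "Content-Type": "application/json"},
        "body": json.dumps(shared, sort_keys=True),
    }


def leaks_hostnames(request, assets):
    """Self-check before sending: does the body still contain any raw hostname?"""
    return any(asset["hostname"] in request["body"] for asset in assets)


if __name__ == "__main__":
    shared_assets, local_mapping = anonymize(RAW_ASSETS, b"constructed-vendor-secret")
    request = build_push(shared_assets, API_KEY_PLACEHOLDER)
    print("leaks hostnames:", leaks_hostnames(request, RAW_ASSETS))
    print(request["body"])
```

Keeping the pseudonym mapping with the third party rather than with the customer is the property that makes the shared report safe to hold in the parent organization's instance: a finding against an `asset_id` can be tracked from one push to the next, and only the third party can translate it back to a host to fix.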