UpGuard Release Notes

Keeping on top of what has happened in your UpGuard account is one of the most important things you can do to improve your security posture. That’s why we’ve created Home. Home is a replacement for the existing Notifications screen. It highlights new events and actions that have occurred since you last logged in. 

Events can include score changes for your websites or your vendors, typosquatting updates, vulnerability notifications, and more. For UpGuard administrators, it can also include audit log events. 

Home is split into two tabs, All activity and My tasks. 

All activity is broken down into cards, with each card linking directly to the relevant section in the app, making it even easier to dive deeper into the events that matter most to you. Each card also has a list of breadcrumbs to help you passively learn the structure of the platform over time. 

My tasks gives you an up-to-date list of the actions you need to take next inside UpGuard. This can include things like approving risk waivers, replying to messages, reviewing submitted security questionnaires, and actioning remediation requests. Tasks will stay active until you complete or dismiss them. 

Home is currently in beta, if you would like us to enable it on your account please contact support@upguard.com 

Learn how to manage your Home screen

Improved support for CyberResearch tiers

Customers who have purchased more than one tier of our third-party risk management services can now pick which service level they want the vendor assessed to. We’ve also added support for defining the importance of the vendor to your organization. 

As part of this work, we’ve also improved the granularity for the statuses shown in Managed Vendors to make it even easier to see where your request is up to. This means that rather than seeing that a request is in progress, you’ll be able to where in the process your request is up to such as gathering evidence, performing risk assessment, remediating risks, etc. 

If you are an existing customer who wants to learn more about our third-party risk management services, please contact support@upguard.com 

Learn more about Managed Vendors here

Securely share vendor assets with related entities

Gathering evidence and performing risk assessments are time-intensive and expensive for you and your vendors. That’s why we’re introducing a way to securely share your completed security questionnaires, additional evidence, and risk assessments with those related entities who also have an UpGuard account. 

If your organization is part of a multi-org account, you and your related entities can now proactively share vendor assets. Sharing assets is a great way to eliminate the email back and forth that is usually associated with onboarding a new vendor, allowing your organization to assess more vendors in less time by leveraging the work done by related entities. 

To understand how Shared Assets works, let’s go through an example. 

Imagine you need to assess a potential vendor for your marketing team. You log into UpGuard, monitor the vendor, and click on Shared Assets. You see that a related entity has shared a completed questionnaire and a risk assessment. 

Rather than doing your own assessment, you request access to your related entity’s assets, read through them, and determine the vendor is not adequately secure. You respond to your marketing team’s query, outlining why the potential vendor is not a good fit based on your related entity’s assessment. 

And just as you can control access to your Shared Profile, you can control who has access to your Shared Assets. Related entities won’t get access to your assets unless you provide to them. 

Learn how to use Shared Assets here

Other fixes and improvements

• Removed the use of no-reply from our transactional email addresses which should improve deliverability of our emails
• Improved design of the vendor summary to display all available assets
• Third-party risk management services customers can now create, edit, and publish their own risk assessment
• Improved the performance of the changes view for you and your vendors

We’ve made significant performance improvements to key pages like the Risk Profile and Vendor Summary. When you next visit one of these pages you’ll notice they load significantly quicker, particularly for large vendors with thousands of domains. 

This means less time spent waiting for things to load and more time diving into the details that matter to you. 

Other fixes and improvements 

• Added support for document storage in India

Learn about new features, changes, and improvements to UpGuard this month:

You can now export your own and your vendors’ inactive domains. To support this new feature, we’ve refreshed the design of the Domains PDF exports. The new design makes it super simple to see which domains are active and which are inactive, as well as when domains were last scanned. 

If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to export your domains or a vendor’s domains.

Export audit log

We’re giving you more control over where you can use audit log data by allowing UpGuard administrators to export to Excel. This makes it simple to ingest events into other platforms or to track employee usage of the UpGuard platform. 

Learn how to export your audit log

Other fixes and improvements

• Fixed issue where vendors were still being scored when they had no active domains
• Fixed issue causing vendors to have a questionnaire score when they had no completed questionnaires
• Added optional expiration date for additional evidence
• Added a verified vulnerability check for the new Microsoft Exchange vulnerability (CVE-2021-26855)
• Added pagination on questionnaire page

You can now build your own security questionnaires inside the UpGuard platform. Start from scratch, or use one of our growing library of questionnaires as a starting point and adjust it to cater for your specific needs.

Creating a custom questionnaire is easy. We provide you with a range of question types designed to cater for different circumstances. Think single, multi-select and text-based answers, as well as file uploads to capture additional evidence and sections to group related questions together. 

Like our in-built questionnaires, custom questionnaires can be configured to automatically identify risks based on one or more answers to a set of questions. When a risk is identified, you can also choose whether or not to ask respondents for compensating control information.

In addition to automatic risk identification, our custom questionnaire builder has powerful conditional logic which lets you ask the right questions and skip the rest. Asking only what is required means more thoughtful responses and higher completion rates. 

All in all, your custom questionnaires can be as powerful as you want them to be.

While we iron out the last kinks, this is a beta feature. You can get it enabled by reaching out to our support team. If you have any feedback on this or any other feature, don’t hesitate to reach out to us.

Learn how to use our questionnaire builder.

Recurring reports

We have added the option to schedule recurring reports.

Exporting data in UpGuard has so far required you to log in, navigate to the desired page, and then click the export button each time you want fresh data. This can become frustrating if you want to export the same data on a recurring schedule or if you need to share the data with stakeholders who don’t use the UpGuard platform.

This is why we built a new way to export reports that makes it super simple and fast to create recurring reports on a weekly, monthly, quarterly, or yearly cadence. The new export modal also lets you add any email address, so you can easily share recurring reports with colleagues or stakeholders who aren’t UpGuard users.

Recurring reports is currently a beta feature. If you would like to be a beta tester, please reach out to our support team.

Learn more about recurring reports.

Other fixes and improvements

• You can now remove the original recipient and change the sender when resending questionnaires
• Added support for multiple recipients when creating a questionnaire or remediation request
• Fixed issue where /vendors and /vendor endpoints were returning different scores
• Fixed issue where vendors using Amazon CloudFront would be penalized
• Fixed issue causing an open port 7654 on Azure Apps environments to be raised as a risk
• Domains parked at NetRegistry will now be classified as inactive
• Fixed issue where custom domains were not shown when they failed their first scan
• Vulnerability notifications now lead to a filtered version of the vulnerabilities page that is specific to the notification
• Fixed issue causing vendors with no active domains to not load
  

Learn about new features, changes, and improvements to UpGuard this month:

You can now export your list of monitored typosquatting domains, as well as the registered, unregistered, and ignored permutations of a specific domain to PDF or Excel. 

Once exported, you can use the permutations in workflows outside the UpGuard platform. This may include adding registered permutations to a default block list for your email gateway, handing them over to your legal team to do takedown outreach, or feeding them into a separate platform. 

In addition to these improvements, we’re also introducing filtering for typosquatting. You can filter down the number of typosquatting permutations by selecting a specific type. For example, you may want to identify all the possible typosquatting permutations that are homoglyph substitutions. And when you go to export, you’ll have the option to apply any active filters.

Learn how to export from typosquatting or filter typosquatting permutations results.

Other fixes and improvements

• You can now retrieve files uploaded to a vendor’s documents, questionnaires, or additional evidence via our API
• Active vendor risk waivers now appear in the Vendor Report as well as Risk Profile, Risk Assessment, and Portfolio Risk Profile exports
• Compensating control information for questionnaire risks is now visible on the questionnaire details page
• Waiving a risk from specific questionnaire now only selects the risk from the corresponding questionnaire
• Fixed bug where compensating control information was being displayed for all questionnaire rather than only the questionnaires that the risk was waived from
• Fixed issue where Vendor Summary prompted Third-Party Risk Management Services customers to create or edit a questionnaire when one didn’t exist or was in draft
• Standardized time format in UpGuard API to 6 decimal places
• Improved text in vendor risk report to support situations where details are not exported
• Fixed issue where inactive domains were not showing if there were no associated scanning results
• Fixed issue where parent domain wasn’t showing in tree view when all subdomains were inactive

We’ve made a small but meaningful improvement to how you manage vendor risks inside UpGuard. Vendor Risk Waivers lets you waive vendor risks identified through automated scanning, questionnaires, and additional evidence.  

This feature is particularly useful for risks identified through questionnaires. For those that are not aware, when you send a questionnaire through the UpGuard platform we automatically identify risks based on the answers provided by your vendor and ask for compensating control information. 

In the past, you couldn’t use this compensating control information to waive the risk even if you were happy with the information provided. Now you can waive risks and remove them from the vendor’s risk profile if the vendor has adequate compensating controls. 

Vendor Risk Waivers is currently in closed beta. If you would like access, please contact UpGuard support.

Learn how to waive a vendor risk.

Detect vendor data leaks

We’re introducing a new managed service called Vendor Data Leaks. As you may be aware, our team of analysts and proprietary data leak detection engine give us an unparalleled ability to find leaked credentials and exposed data before it gets into the wrong hands. 

Vendor Data Leaks extends these capabilities by monitoring for data leaks at your vendors so you know if they’ve exposed data before it impacts your organization. When our data leak detection engine finds an exposure at your vendor, our analysts review the data, assign a severity, and speak to you to get an appropriate vendor contact. 

Once we have a contact, we’ll work directly with the vendor to remediate the issue and notify you when the exposure has been resolved. ‍

Vendor Data Leaks is currently in closed beta. If you would like more information, please contact UpGuard support. 

Learn more about vendor data leaks. 

Other fixes and improvements

• You can now use the category filter on the risk profile in exports
• Improved design of export modal

Our IP Addresses feature helps you manage your cyber risk by providing an IP-centric view of your organization and its vendors’ attack surfaces. With IP Addresses, UpGuard automatically finds the IP addresses and ranges associated with the DNS records of an organization’s domains, as well as any IPs or ranges that are added manually. In the coming weeks, we’ll further enhance this feature by attributing ownership of IP ranges based on WHOIS data.

If an IP address is associated with at least one domain, UpGuard has already been scanning it during our domain-based analysis of security issues, misconfigurations, and vulnerabilities. As you know, this analysis then feeds into our scoring algorithm which gives the domain a security rating.

As part of this release, we now scan IP addresses that don’t have a DNS record for open ports and other security issues and give those IPs a security rating. Just as you can drill into the underlying issues associated with a scored domain, we surface the underlying security issues associated with these IP addresses, and what we recommend you do to improve your security posture. 

The other major change we’ve made is support for IP ranges. When you add an IP range, UpGuard will periodically scan through the range to discover any new assets. This is an excellent way to reduce the risks associated with shadow IT services as we’ll uncover potentially unknown assets during these scans.

Clicking into an individual IP address will show you the owner, associate IP range, country, autonomous system (AS), autonomous system number (ASN), and any associated domains or risks. Likewise, by clicking into an IP range, you’ll see the owner, country, and number of IPs in the range, as well as any detected IP addresses or domains. Both views can be filtered by services, IP owner, ASN, or IP country.

IP Addresses is currently a beta feature. If you or your team would like to test IP Addresses prior to its official release, please contact us at support@upguard.com.

Learn how to monitor your IP addresses and ranges and see how we can help you monitor your vendor’s IP-based assets here.

Templates for remediation requests, risk assessments, questionnaires, and identity breach notifications

Templates lets administrators set up templates for remediation requests, risk assessments, questionnaires, and identity breach notifications emails sent from the UpGuard platform. 

Using templates is a great way to save time, ensure consistency and uniformity across teams and processes, by reducing mistakes and errors caused by copying and pasting text across documents. 

Templates are available for customers on the Professional bundle and up or as an add-on on lower plans.

Learn how to set up templates

Other fixes and improvements:

• Changed Attestations to Answer Questionnaires in the sidebar to make it easier for new users to know where they need to go to respond to questionnaires

Learn about new features, changes, and improvements to UpGuard this month:

‍Managed Vendors helps you manage your third-party vendor risk. UpGuard analysts assess your vendors and present their findings in a comprehensive report based on the analysis of security questionnaires, compensating control information, public security documentation, and security ratings data. 

Beta users can now see which vendors are managed by UpGuard, request an assessment, and get notified when analysts publish a new assessment from inside the platform. 

Managed Vendors is currently a beta feature. If you are a current Managed Vendors customer or want to learn more about how UpGuard can help you manage your third-party vendor risk, please contact us at support@upguard.com

Learn more about managed vendors and how to use it.

Other fixes and improvements:

• Added support for filtering by individual CVE on the subsidiary risk profile
• Standardized and increased character limits on in-app correspondence
• Risk rating icons and alert colors now match
• Fixed issue causing questionnaires to become unavailable in Vendor Risk Report when new questionnaire was in draft

Learn about new features, changes, and improvements to UpGuard this month: