
NopSec Announces Release of New Cyber Threat Exposure Platform


We are excited to announce the release of a new and improved NopSec platform – NopSec Cyber Threat Exposure Management. The new features and capabilities of this vulnerability management solution directly reflect the feedback we’ve collected from numerous parties over the last year. The end result is a revolutionary new security solution that better serves the needs of maturing enterprise security teams.

Why the Redesign?

Customers told us that the existing NopSec platform helped them transform their Vulnerability Management (VM) programs from manual workflows into automated workflows, eliminate mountains of spreadsheets and emails, and better couple VM team processes with their Remediation Team (RT) counterparts. Customers also revealed how they were leveraging our data to measure the success and progress of their teams.

However, they also expressed new needs that the platform could not yet support. Many of these new requirements were focused on VM programs maturing and starting to look for how to prioritize across all of their teams, not just their Infrastructure teams. At the core of their new requests was the need for insights focused at the strategic level.

Also, leading analyst firms have all spoken in unison: the industry as a whole is trending away from historical Risk-Based Vulnerability Management, and the more comprehensive framework of Continuous Threat Exposure Management is taking its place. This framework takes into consideration more processes and functions than its predecessor, and thus new technology is needed to meet its demands.

In meeting with industry analysts, all of our clients, and other advisors, we decided a major update was needed.

Product Improvement Strategy

Our Product team spent many hours diving deep with our clients to truly understand their processes, workflows, and pain points. We learned where our product was fundamentally helping our clients within their VM programs, but we also learned where we could improve. We categorized those insights into the following pain-point categories:

  • User Interface / Experience limitations
  • Difficulty understanding the “So What” of our prioritization. What were the insights that VM leaders could take action on?
  • Prioritization continued to be a problem, especially across teams in an organization, when dealing across the Software Development Lifecycle from code to hosting live applications on compute resources.
  • Enterprise functionality was still limited.

By understanding these four pain-point categories, we started work on designing architectures and interfaces that would provide solutions to our clients to solve some of their short-term needs while truly positioning ourselves to solve some of their new challenges.

We developed new design storyboards, built prototypes, and tested them with our clients. We validated which specific features and workflows worked and which didn’t. During this process, we gathered further insights into how different personas’ needs would have to be accounted for. The result of these efforts was the definition of four improvement tenets to guide our product development strategy:

  • Self-Service Control – This is the ability for users to control their own instance of the product within the platform without impacting simplicity and onboarding.
  • Actionable Insight – The ability for the platform to provide insights no other product could provide.
  • Contextual Risk – The ability to prioritize across all teams within a unique organization with unique assets, network controls, policies, and business.
  • Enterprise – The ability to support large enterprise needs for user management, data access, notifications, and support.

For Administrators through Analysts, our mission has been to ensure our existing clients could benefit from day one and then grow with us as we continue further feature development over the next year.

Self-Service Control

First, our User Interface was previously focused on the Analyst persona and, based on customer feedback, was kept relatively simple, with little to no self-service capabilities, in order to reduce the overhead for users to learn the platform. This was great for the Analyst persona; however, over time we found users beginning to ask for advanced functionality, and these users were now acting as different personas.

  • Administrators and Managers within large organizations required more in-product functionality and customization to create and manage system-wide settings.
  • VM Leaders needed ways to ask and answer questions more effectively.

Both of these use cases required a new design that would allow us to maintain simplicity at the Analyst level but provide advanced functionality for other personas based on their roles.

Actionable Insights

We strongly believe we are uniquely situated to provide our clients with deeper security insights that only we can provide.

We will leverage our Offensive Security experience and our data science expertise to provide clients with data-driven, security-related metrics that can provide predictive insights tailored to their environments.

We believe insights can support all of our personas, and they will be a major focus of our product roadmap in 2024. Being able to understand when integrations are encountering issues that will impact workflows, how your teams are getting faster or slower in remediation workflows, or how to plan as a leader for the next six months’ anticipated vulnerabilities will be some of the many insights we provide.

Contextual Risk

Contextual risk is the specific risk for a client based on their unique set of assets, network environment, policies, teams, and business.

The first set of contextual risks that NopSec already supports is Target Criticality and Target Mitigating Controls. In both cases, the presence of a vulnerability on a specific target is scored depending on whether that target has mitigating controls and whether it is a critical target. This is known as a Vulnerability Instance score.

We aim to extend our contextual risk by further understanding a client’s uniqueness. This includes knowing the targets’ locations and relationships with one another and the network or security controls in place that allow communication between one target and another, as well as understanding your environments and processes to distinguish between development and production environments. Ultimately, this enables us to provide recommendations closer to the root causes so that you can prioritize your effort accordingly across your entire organization.

Enterprise

We’ve introduced a completely new user management model that is more flexible and scalable. Teams can now be created and configured to manage a set of targets through a data access query. Each team is then given a Role, which all team members inherit. Managing users is now a matter of ensuring a user is in the right team(s). Roles have been improved to support multiple roles and control the actions they perform at a granular level. We will continue to introduce functionality to enable Enterprise clients to fully manage and maintain the NopSec platform easily for their use case.

What’s Next?

We are excited to announce the General Availability of our new platform, but we aren’t finished yet. You can expect to hear more about our planned additional features over the coming months:

  • Notifications based on system events that Admins can control and users can configure.
  • Team-based collaboration features to support internal team and cross-team collaboration through commenting, assignment, and escalation.
  • Insights page dedicated to providing new custom NopSec data-science-driven analysis of a client’s data.
  • Contextual risk graphs for creating relationships across targets, vulnerabilities, and controls in order to improve prioritization and root cause analysis for an enterprise organization.
  • New self-service Dashboards to provide users with more control over their metrics and situational awareness.

The new NopSec platform is ready for viewing. If you’d like to experience this new solution, you can schedule a demo right now. If you’d like to see deeper details on the latest product improvement from NopSec, you can view our release notes here.
