The Panorays platform assesses companies and generates a rating that reflects the company’s cyber posture. This rating, together with other factors like the security questionnaire, is used by Panorays’ customers to make security decisions regarding their third parties.
Panorays performs a non-intrusive assessment of the third party’s external digital footprint. Since the assessment is not invasive, it can be performed continuously and without the consent of the assessed party. This means that the assessment data is collected from:
Panorays is a 100% SaaS-based platform. The Panorays assessment is performed externally and has no access to internal company resources. That said, some of the public sources include feeds, such as botnet activity, that allow a deeper look inside the company without being intrusive. Many Panorays findings provide specific vulnerability information, e.g. by technology version, CVE correlation or from bug bounty programs. However, Panorays does not perform active penetration testing such as running exploits or brute forcing.
Probing company services, including but not limited to web servers, mail servers, DNS, SNMP, SSH and NTP, can reveal the security configurations and practices in place at the company. A company’s external digital presence and exposure say a lot about its security hygiene, and the amount of data that can be obtained about any company in this manner is staggering. Using big data analytics and experienced research capabilities, the Panorays platform delivers a thorough look into the assessed company’s security gaps (also called findings). Accordingly, the platform generates a rating that reflects the cyber posture of the assessed company.
Panorays performs the reconnaissance phase continuously and monitors the assessed company, so that the platform alerts on critical new findings or significant changes to the Cyber Posture Rating. This is unlike other assessment methodologies, such as penetration tests and questionnaires, whose results become outdated as soon as they are completed.
The Panorays platform identifies a large percentage of the company’s attack surface through its Asset Discovery Mechanism, which yields a very low false positive rate for asset affiliation.
The basis of the Panorays ratings methodology is the Test entity. Each assessment comprises 100+ Tests that are run on the discovered company assets (servers, DNS, IP ranges, etc.). All of the tests are prioritized with various severity levels.
The results of each Test generate findings and a rating, and the aggregate of all Test ratings generates the final rating of the company.
Some Test examples:
Each Test has its own internal 0–100 rating, which is calculated as follows:
Tests use different rating calculation functions in order to provide the most precise result for each Test. The calibration parameters are as follows:
Simple relativity. For example, if two out of 10 assets have a finding, the Test rating will be 80.
Statistics. For example, if one out of 100 assets has an open database, Panorays won’t rate the Test as 99.
Company and industry standards. For example, a company with 20 employees should not have the same security team size as a company with 20,000 employees.
Tests are based on two security aspects:
Together, Panorays generates a roadmap of Tests and categories to be added to the assessment engine.
Each Test is examined for prioritization and considers questions such as the following:
In particular, the Data Collection and Tuning phases are crucial. Every Test is initially deployed in hidden mode to collect data from at least tens of thousands of companies in the Panorays database. The data is then used to corroborate the researcher’s know-how and tune the severity and weight of the Test.
The Tests are divided into three top-level sections: Network and IT, Application and Human. The rating for each category is an aggregate of all Tests run under that category. The category ratings help the user focus on problematic areas in the assessment and compare companies by category.
The final rating is not derived from the category ratings but directly from the Test ratings. This is done so that the impact of each Test is reflected more accurately, for example N/A Test results and critical findings.
The list of Tests, severities, and weights is called an Assessment Template. There is a single enabled Assessment Template at any given time. Because changing the template may affect the Cyber Posture Rating, each change in the template (adding tests, changing weights, etc.) is documented and monitored.
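As an added illustration (not Panorays’ own code or formula) of the model described above: each Test yields a 0–100 rating, an Assessment Template assigns each Test a severity weight, category ratings are aggregated from the Tests in each category, and the final rating is taken directly from the Test ratings with N/A Tests excluded. The numeric severity weights, the weighted-mean aggregation and the sample Tests are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed severity weights for the example; the page gives no numeric weights.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 4, "critical": 8}

@dataclass
class TestResult:
    name: str
    category: str          # "Network and IT", "Application" or "Human"
    severity: str
    rating: Optional[int]  # 0-100, or None when the Test is N/A

def relativity_rating(assets_with_finding: int, total_assets: int) -> Optional[int]:
    """Simple relativity: share of assets without the finding, so 2 of 10 -> 80.
    No applicable assets yields N/A (None) rather than a perfect 100."""
    if total_assets == 0:
        return None
    return round(100 * (total_assets - assets_with_finding) / total_assets)

def weighted_rating(results: list) -> Optional[int]:
    """Severity-weighted mean of the Test ratings, skipping N/A Tests
    (assumption: an N/A Test neither helps nor hurts the rating)."""
    scored = [r for r in results if r.rating is not None]
    if not scored:
        return None
    total_weight = sum(SEVERITY_WEIGHT[r.severity] for r in scored)
    weighted_sum = sum(SEVERITY_WEIGHT[r.severity] * r.rating for r in scored)
    return round(weighted_sum / total_weight)

def category_ratings(results: list) -> dict:
    """Per-category aggregate of the Tests run under that category."""
    by_category = {}
    for r in results:
        by_category.setdefault(r.category, []).append(r)
    return {c: weighted_rating(rs) for c, rs in by_category.items()}

def final_rating(results: list) -> Optional[int]:
    """Final rating taken directly from all Test ratings, not from the
    category ratings, so a critical Test keeps its full weight."""
    return weighted_rating(results)

# Constructed sample assessment; Test names and asset counts are invented for illustration.
SAMPLE = [
    TestResult("Outdated web server version", "Network and IT", "critical", relativity_rating(3, 10)),
    TestResult("TLS configuration", "Network and IT", "medium", relativity_rating(2, 10)),
    TestResult("Missing security headers", "Application", "low", relativity_rating(5, 10)),
    TestResult("Leaked employee credentials", "Human", "high", relativity_rating(0, 0)),
]
```

With this sample the category ratings come out to 72 (Network and IT), 50 (Application) and N/A (Human), and the final rating is 70, whereas a plain mean of the two available category ratings would be 61. That gap is the reason, described above, for deriving the final rating from the Tests rather than from the categories.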
Panorays allows third parties to easily dispute findings and assets as follows:
The Panorays Cyber Posture Rating delivers:
For more information, please contact [email protected]