Cyscale release notes
cyscale.com

Long-Awaited Features

New

Exemptions

You can now exempt assets from specific controls. Cyscale then excludes an exempted asset from the assessment for that control: no alerts and no failed findings are generated for it, but it still appears in your inventory.

You can create an exemption from the corresponding alert or from the findings section of the control page. Exemptions are listed at the end of each compliance report, so whoever reads the report can see exactly what was excluded. An exemption silences the control for that asset, so treat it as a documented risk acceptance and review your exemptions periodically.

New

Editable Standards & System Policies

You can now edit all standards and policies provided out of the box by Cyscale, so you can build a compliance programme that fits your organisation while starting from a solid foundation.

When you press Edit, Cyscale creates a clone of the standard or policy for you to adapt and disables the original. The original remains available: you can still view it, create further copies of it (press Edit again), and check any additions the Cyscale team publishes to it.

New

Alerts Overview Cards

We know that managing alerts for large cloud infrastructures can be challenging, so the alerts page now opens with overview cards that summarise the current alerts.

More AWS Regions & Policy Revision History

New

Support for AWS Opt-In Regions

Cyscale now supports the AWS regions introduced after March 20, 2019. AWS calls these opt-in regions because they are disabled by default and must be enabled per account (see the AWS documentation on managing regions).

If you have infrastructure in any of these regions and want Cyscale to assess it, enable the regions from the configuration page of an existing AWS connector, or during onboarding when you add a new AWS account. If the connector is configured to sync all regions, every opt-in region that is enabled in your AWS account is synced as well.
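To know which opt-in regions are actually enabled in an account before you configure the connector, read the account's region list rather than guessing. The Python below is an added example, not Cyscale's code: it evaluates a constructed sample in the shape returned by `aws ec2 describe-regions --all-regions` (only the fields used here) and reports enabled opt-in regions that are missing from a hypothetical set of monitored regions.

```python
import json

# Constructed sample (not real account data) in the shape of
# `aws ec2 describe-regions --all-regions`. The OptInStatus values are the
# documented ones: "opt-in-not-required", "opted-in" and "not-opted-in".
SAMPLE_DESCRIBE_REGIONS = json.loads("""
{"Regions": [
  {"Endpoint": "ec2.eu-west-1.amazonaws.com",  "RegionName": "eu-west-1",  "OptInStatus": "opt-in-not-required"},
  {"Endpoint": "ec2.us-east-1.amazonaws.com",  "RegionName": "us-east-1",  "OptInStatus": "opt-in-not-required"},
  {"Endpoint": "ec2.af-south-1.amazonaws.com", "RegionName": "af-south-1", "OptInStatus": "opted-in"},
  {"Endpoint": "ec2.me-south-1.amazonaws.com", "RegionName": "me-south-1", "OptInStatus": "not-opted-in"},
  {"Endpoint": "ec2.ap-east-1.amazonaws.com",  "RegionName": "ap-east-1",  "OptInStatus": "opted-in"}
]}
""")


def regions_by_status(describe_regions: dict) -> dict:
    """Group region names by their OptInStatus, sorted for stable output."""
    grouped = {"opt-in-not-required": [], "opted-in": [], "not-opted-in": []}
    for region in describe_regions["Regions"]:
        grouped.setdefault(region["OptInStatus"], []).append(region["RegionName"])
    for names in grouped.values():
        names.sort()
    return grouped


def unmonitored_opt_in_regions(describe_regions: dict, monitored: set) -> list:
    """Opt-in regions that are enabled in the account but absent from the
    connector's region list. Any enabled region can hold resources, so each
    of these is a blind spot for the assessment."""
    enabled = regions_by_status(describe_regions)["opted-in"]
    return [name for name in enabled if name not in monitored]


if __name__ == "__main__":
    # Hypothetical connector configuration: the default regions plus af-south-1.
    monitored_regions = {"eu-west-1", "us-east-1", "af-south-1"}
    for name in unmonitored_opt_in_regions(SAMPLE_DESCRIBE_REGIONS, monitored_regions):
        print("enabled opt-in region not monitored:", name)
```

Note that `describe-regions` without `--all-regions` returns only the regions already enabled for the account, so regions with status `not-opted-in` never appear in that output; the flag is what makes the full picture visible.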

New

Policy Revision History

Compliance documents usually start with a changelog table. Cyscale now keeps that history for you: whenever you save a policy, you must provide a description of the change, and the revision is recorded with it.

Improvement

The provider-specific controls for SSH access from the internet (0.0.0.0/0) are replaced by a single cross-provider control.
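As an added example of what such a control has to evaluate (this is not Cyscale's implementation), the Python below checks a list of inbound rules for SSH exposure. The normalised rule shape, the sample rules and their ids are constructed for the example. The point is the cases a naive `port == 22 and source == "0.0.0.0/0"` test misses: port ranges that include 22, "all protocols" rules, and the IPv6 wildcard `::/0`.

```python
import ipaddress

SSH_PORT = 22

# Constructed, normalised inbound rules (not Cyscale's schema). protocol is
# "tcp", "udp", "icmp" or "all"; from_port/to_port are inclusive; source is a CIDR.
SAMPLE_RULES = [
    {"id": "sg-web-ssh-v4",   "protocol": "tcp", "from_port": 22,  "to_port": 22,    "source": "0.0.0.0/0"},
    {"id": "sg-web-ssh-v6",   "protocol": "tcp", "from_port": 22,  "to_port": 22,    "source": "::/0"},
    {"id": "sg-bastion-only", "protocol": "tcp", "from_port": 22,  "to_port": 22,    "source": "10.0.1.0/24"},
    {"id": "sg-wide-range",   "protocol": "tcp", "from_port": 0,   "to_port": 65535, "source": "0.0.0.0/0"},
    {"id": "sg-all-traffic",  "protocol": "all", "from_port": 0,   "to_port": 65535, "source": "0.0.0.0/0"},
    {"id": "sg-https-public", "protocol": "tcp", "from_port": 443, "to_port": 443,   "source": "0.0.0.0/0"},
    {"id": "sg-ssh-udp",      "protocol": "udp", "from_port": 22,  "to_port": 22,    "source": "0.0.0.0/0"},
]


def is_any_source(cidr: str) -> bool:
    """True when the CIDR covers the whole address space (0.0.0.0/0 or ::/0).
    Parsing with ipaddress instead of string comparison also catches
    spellings such as 0.0.0.0/0 written with a host bit set."""
    try:
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return network.prefixlen == 0


def allows_ssh(rule: dict) -> bool:
    """True when the rule admits TCP/22, whether listed explicitly, inside a
    port range, or through an 'all protocols' rule. UDP/22 is not SSH."""
    if rule["protocol"] not in ("tcp", "all"):
        return False
    return rule["from_port"] <= SSH_PORT <= rule["to_port"]


def ssh_open_to_internet(rules) -> list:
    """Ids of rules that expose SSH to any IPv4 or IPv6 source."""
    return [rule["id"] for rule in rules if allows_ssh(rule) and is_any_source(rule["source"])]


if __name__ == "__main__":
    for rule_id in ssh_open_to_internet(SAMPLE_RULES):
        print("SSH open to the internet:", rule_id)
```

When you write or review a check like this, make sure it covers `::/0` as well as `0.0.0.0/0`; a security group that is "closed" for IPv4 but wide open for IPv6 is still reachable from the internet on dual-stack subnets.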

Fix

When you adjust the alerting severity level on the account settings page, Cyscale shows a link to the alerts that will be disabled if you save. Those alerts were filtered incorrectly; the filter is now fixed.

New Standard

New

We are happy to announce that Cyscale now provides control mappings for the Technology Risk Management Guidelines (MAS TRM) published by the Monetary Authority of Singapore. If you are a fintech, you will find this particularly useful.

The guidelines themselves are published on the MAS website.

Control Fixes

Fix

  • The control that checks the default EBS encryption setting (aws-1-3-0-storage-2-1) now displays the affected assets (EBSSettings) properly.
  • The control that checks the maximum password age in AWS account password policies (aws-iam-11) is fixed. Previously it read the wrong field.
  • The control that checks AWS buckets with permissive ACLs now looks for grants to the Authenticated Users group (http://acs.amazonaws.com/groups/global/AuthenticatedUsers) and the All Users group (http://acs.amazonaws.com/groups/global/AllUsers) instead of looking for policies that allow any user from an account. The result of this control is also visible on the Data Security Dashboard.
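An added example (not Cyscale's code) of the ACL check described in the last bullet: the Python below inspects a constructed ACL in the shape returned by `aws s3api get-bucket-acl` and reports every grant made to the two global groups, together with the permission granted.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed ACL (not from a real bucket) in the shape of `aws s3api get-bucket-acl`.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "OWNER-CANONICAL-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"}
  ]
}
""")


def permissive_grants(acl: dict) -> list:
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers.

    AllUsers is anonymous access. AuthenticatedUsers is any AWS account in the
    world, not only principals from your own account, so both count as exposure.
    Other groups (for example LogDelivery) are service groups and are ignored here.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            findings.append(("AllUsers", grant["Permission"]))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("AuthenticatedUsers", grant["Permission"]))
    return findings


def is_permissive(acl: dict) -> bool:
    """True when the ACL grants anything at all to either global group."""
    return bool(permissive_grants(acl))


if __name__ == "__main__":
    for group, permission in permissive_grants(SAMPLE_ACL):
        print(f"bucket grants {permission} to {group}")
```

Read a flagged ACL together with the bucket's other settings: S3 Block Public Access with `IgnorePublicAcls` neutralises such grants, and buckets created since April 2023 have ACLs disabled by default, so the grant may be inert. Conversely, `WRITE` or `WRITE_ACP` to either group is worse than `READ`, because it lets anyone add objects or rewrite the ACL itself.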

ISO/IEC 27001:2022

New

Cyscale now supports ISO/IEC 27001:2022 🎉

See how your cloud environments comply with the new, simplified revision of the widely adopted ISO standard from the standards page.

Fix

The control that checks for Azure blob containers that allow public access (azure-1-3-0-storage-5) produced false positives. It is now fixed, and it reports individual containers rather than storage accounts.

Buckets & Databases Specific Issues

New

The Data Security Dashboard has a new section, Data Stores, where Cyscale displays the most common and relevant issues affecting buckets (which we call object containers) and databases. You can drill down into any issue to see the exact assets affected.

This completes the Data Security Dashboard, which helps you quickly assess how well your data is protected: your encryption, public access, and data store configuration posture, at a glance.

Improvement

We continued to improve the asset graph. Hovering over a node now shows the asset type and the full name, and OS disks (root volumes on AWS) have a dedicated icon.

Fix

  • We fixed an issue that prevented you from filtering alerts for Okta.
  • We fixed the control that checks for buckets that allow plain HTTP traffic (aws-1-4-0-storage-1-2).
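For context on the second fix: a bucket only refuses plain HTTP when its bucket policy denies requests whose `aws:SecureTransport` condition is false. The Python below is an added example (not Cyscale's control) that evaluates a constructed bucket policy in the shape returned by `aws s3api get-bucket-policy` and accepts it only when the deny covers all principals, all S3 actions, and both the bucket and its objects; the bucket name `example-bucket` is hypothetical.

```python
import json

# Constructed policy that fully enforces TLS for the hypothetical bucket.
SECURE_TRANSPORT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}
""")

# Constructed policy that looks similar but only covers object reads, so
# uploads and bucket-level calls over HTTP are still possible.
PARTIAL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}
""")


def _as_list(value) -> list:
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_all_principals(stmt: dict) -> bool:
    principal = stmt.get("Principal")
    return principal == "*" or principal == {"AWS": "*"}


def _covers_all_actions(stmt: dict) -> bool:
    actions = set(_as_list(stmt.get("Action")))
    return "s3:*" in actions or "*" in actions


def _covers_bucket_and_objects(stmt: dict, bucket: str) -> bool:
    resources = set(_as_list(stmt.get("Resource")))
    return "*" in resources or (
        f"arn:aws:s3:::{bucket}" in resources and f"arn:aws:s3:::{bucket}/*" in resources
    )


def _requires_secure_transport_false(stmt: dict) -> bool:
    # IAM condition key names are case-insensitive, so compare them lowercased.
    bool_conditions = stmt.get("Condition", {}).get("Bool", {})
    for key, value in bool_conditions.items():
        if key.lower() == "aws:securetransport":
            return "false" in [str(v).lower() for v in _as_list(value)]
    return False


def denies_plain_http(policy: dict, bucket: str) -> bool:
    """True when some statement denies every principal every S3 action on the
    bucket and its objects whenever the request is not made over TLS."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if (_denies_all_principals(stmt)
                and _covers_all_actions(stmt)
                and _covers_bucket_and_objects(stmt, bucket)
                and _requires_secure_transport_false(stmt)):
            return True
    return False


if __name__ == "__main__":
    print("full policy enforces TLS:", denies_plain_http(SECURE_TRANSPORT_POLICY, "example-bucket"))
    print("partial policy enforces TLS:", denies_plain_http(PARTIAL_POLICY, "example-bucket"))
```

The check is deliberately strict: a deny that names only `s3:GetObject`, or only the `/*` object resource, leaves an HTTP path open and is reported as not enforcing TLS, which is the usual source of false negatives in hand-written versions of this control.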

Data at Rest Security Overview

Access and encryption are among the first aspects of data security.

New

Data Security

Cyscale lets you know at any moment:

  • which data stores (buckets, databases, queues, etc.) are encrypted, and whether with provider-managed or customer-managed keys
  • which data stores are publicly accessible
  • how well you manage your encryption keys (losing an encryption key means losing the data it protects)
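The three questions above can be answered from an inventory with a few simple rules. The Python below is an added example (not Cyscale's data model or code) over a constructed inventory of data stores and KMS key metadata in the shape of `DescribeKey`'s `KeyMetadata`; the store and key names are hypothetical. The part worth copying is the last function: an encrypted store whose customer-managed key is disabled, scheduled for deletion, or no longer exists is the concrete form of "losing your keys".

```python
# Constructed inventory (not Cyscale's schema). kms_key_id is None for
# provider-managed encryption and for unencrypted stores.
DATA_STORES = [
    {"name": "logs-bucket",    "type": "bucket",   "public": False, "encrypted": True,  "kms_key_id": None},
    {"name": "pii-db",         "type": "database", "public": False, "encrypted": True,  "kms_key_id": "key-cmk-1"},
    {"name": "scratch-bucket", "type": "bucket",   "public": True,  "encrypted": False, "kms_key_id": None},
    {"name": "exports-queue",  "type": "queue",    "public": False, "encrypted": True,  "kms_key_id": "key-cmk-2"},
    {"name": "archive-volume", "type": "volume",   "public": False, "encrypted": True,  "kms_key_id": "key-gone"},
]

# Constructed KMS key metadata, keyed by key id. KeyState values are the
# documented KMS states; "key-gone" is deliberately absent.
KMS_KEYS = {
    "key-cmk-1": {"KeyId": "key-cmk-1", "KeyState": "Enabled"},
    "key-cmk-2": {"KeyId": "key-cmk-2", "KeyState": "PendingDeletion", "DeletionDate": "2022-12-15T00:00:00Z"},
}

# Key states in which data encrypted under the key cannot be read, or soon cannot.
AT_RISK_KEY_STATES = {"Disabled", "PendingDeletion", "PendingReplicaDeletion", "Unavailable"}


def encryption_posture(stores) -> dict:
    """Bucket each store into unencrypted, provider-managed or customer-managed."""
    posture = {"unencrypted": [], "provider_managed": [], "customer_managed": []}
    for store in stores:
        if not store["encrypted"]:
            posture["unencrypted"].append(store["name"])
        elif store["kms_key_id"]:
            posture["customer_managed"].append(store["name"])
        else:
            posture["provider_managed"].append(store["name"])
    return posture


def publicly_accessible(stores) -> list:
    """Names of stores flagged as reachable without authentication."""
    return [store["name"] for store in stores if store["public"]]


def stores_on_at_risk_keys(stores, keys) -> list:
    """(store, key id, key state) for encrypted stores whose customer-managed key
    is disabled, pending deletion, or missing from the key inventory ("NotFound").
    Once such a key is gone, the store's data is unrecoverable."""
    findings = []
    for store in stores:
        key_id = store["kms_key_id"]
        if not (store["encrypted"] and key_id):
            continue
        key = keys.get(key_id)
        state = key["KeyState"] if key else "NotFound"
        if key is None or state in AT_RISK_KEY_STATES:
            findings.append((store["name"], key_id, state))
    return findings


if __name__ == "__main__":
    print("posture:", encryption_posture(DATA_STORES))
    print("public:", publicly_accessible(DATA_STORES))
    for name, key_id, state in stores_on_at_risk_keys(DATA_STORES, KMS_KEYS):
        print(f"{name} depends on key {key_id} in state {state}")
```

A key in `PendingDeletion` can still be cancelled before its `DeletionDate`, which is exactly why this finding is worth raising early rather than after the waiting period ends.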

Improvement

Graph Improvements

  • You can now expand the graph to cover the entire page
  • The risk of each asset is now displayed on the graph
  • When there are six or more similar nodes (same type, same relationships), Cyscale displays them as a cluster. You can expand a cluster to see its nodes and show or hide individual nodes
  • The nodes no longer reset their position when you interact with the graph

More Services

Improvement

Additional Queue Services

  • Google Cloud Pub/Sub (and Pub/Sub Lite) topics and subscriptions
  • Azure Service Bus namespaces and queues
  • Azure Queue Storage
  • Alibaba Message Service topics, queues, and subscriptions

Additional Database Services

  • Azure Cosmos DB
  • Azure Database for MariaDB
  • Azure Table Storage

More Controls Over Alerts

New

Severity Alerting Level

You can now configure, at the account level, which controls generate alerts based on their severity. If you are just getting started, consider raising the level to high (from the default of medium) so that only alerts at or above high severity are generated, until you have resolved most of them.

Custom Control Severity

You can now adjust the severity of each control individually. The change is reflected automatically in the generated alerts, which remain subject to the severity alerting level.

Improvement

CLI Remediation Steps as Code Blocks

Cyscale now displays the CLI remediation steps described in controls as code blocks, with a button to copy the command.
