How Intruder Supports Your Compliance Journey: Frameworks and Criteria

• “Identifies Threats to Objectives – The entity identifies threats to the achievements of its objectives from intentional (including malicious) and unintentional acts and environmental events

• Identifies Vulnerability of System Components – The entity identifies the vulnerabilities of system components, including system processes, infrastructure, software, and other information assets.” 

• Discover your information assets using cloud connectors and subdomain discovery.

• Identify vulnerabilities by running event-driven (triggered by a change in your attack surface), scheduled, or ad hoc vulnerability scans.

• Automatically scan newly discovered cloud assets for vulnerabilities.

• Emerging threat scans proactively check your systems for new vulnerabilities released in the wild. 

“To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities

• Conducts Vulnerability Scans — The entity conducts infrastructure and software vulnerability scans designed to identify potential vulnerabilities or misconfigurations on a periodic basis and after significant changes are made to the environment. Action is taken to remediate identified deficiencies in a timely manner to support the achievement of the entity’s objectives.” 

“The entity responds to identified security incidents by executing a defined incident-response program to understand, contain, remediate, and communicate security incidents, as appropriate.

• Remediates Identified Vulnerabilities — Identified vulnerabilities are remediated through the development and execution of remediation activities.” 

“Management of Technical Vulnerabilities:

Information about technical vulnerabilities of information systems in use should be obtained, the organisations exposure to such vulnerabilities should be evaluated and appropriate measures should be taken.” 

• Easily conduct vulnerability scans on an ad hoc or scheduled basis to identify vulnerabilities and misconfigurations in infrastructure, web applications, and APIs.

• Access clear reports and receive easy to follow remediation advice. 

“Secure Development Life Cycle:

Rules for the secure development of software and systems should be established and applied.” 

“Secure Coding:

Secure coding principles should be applied to software development.” 

“Security Testing in Development and Acceptance:

Security testing processes should be defined and implemented in the development life cycle.” 

• Be more thorough by finding more assets with cloud connectors, subdomain discovery, API and application discovery.

• Be more thorough with multiple vulnerability scanners.

• Run vulnerability scans to detect vulnerabilities in software used to handle, store, and transmit health data.

• Intruder provides severity ratings based on CVSS to aid prioritization (which explicitly prioritizes based on confidentiality, integrity, and availability).

• See how likely a vulnerability is to be exploited within the next 30 days (EPSS scores). 

• Run vulnerability scans to detect vulnerabilities in software used to handle, store, and transmit health data.

• Intruder provides severity ratings based on CVSS to aid prioritization.

• See how likely a vulnerability is to be exploited within the next 30 days (EPSS scores).

• Intruder’s cyber hygiene score tells you how effectively you are remediating critical and high-risk vulnerabilities to help improve your vulnerability management program. 

• Continuously evaluate your systems for technical risk and get insights to aid non-technical evaluations.

• Intruder’s API enables you to automatically start scans of your systems when significant changes are implemented.

• Emerging Threat Scans and Rapid Response initiate vulnerability scans when there are changes in the threat landscape.

• We also highlight new systems and services that did not previously exist, allowing you to track when deviations from your policies occur. 

• Intruder’s continuous network monitoring identifies insecure services that are exposed to the internet.

• Receive immediate updates when these services are detected so that you can remediate or restrict access as quickly as possible.

• Attack Surface View shows all exposed network services across your attack surface, giving you real-time view of what an attacker can see. 

“Aim: Ensure that computers and network devices are properly configured to:

• reduce vulnerabilities

• provide only the services required to fulfil their role” 

• Scan internet-facing systems and internal systems to identify vulnerabilities.

• Receive remediation advice to quickly and easily fix any identified issues.

• Intruder highlights internet-facing services which are considered unnecessary so that you can review and remove them. 

• Scan internet-facing systems and internal systems to find vulnerabilities introduced by unpatched software.

• Track your time-to-fix to see if updates are being applied within the required 14 day window. 

“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” 

• Get visibility of vulnerabilities, which contributes to ensuring the confidentiality, integrity, availability and resilience of processing systems and services.

• Continuously assess and evaluate the effectiveness of internet-facing security controls and internal endpoint controls.

• Vulnerability scanning is a fundamental element of the continuous assurance for processing systems.