
VIDEO

PlexTrac’s Client Portal

Today’s episode covers PlexTrac’s Client Portal, a useful feature for security service providers and MSSPs to provide additional value for their clients and stakeholders.

Series: PlexTrac MiniDemo Series

Category: Product Features, Service Provider / MSSP


Transcript

Good day everybody. This is Jason Krameck with PlexTrac coming at you live with another mini demo. Whether we like it or not, pen testing has become a bit of a commodity. The process is the same, the report is similar. And what we’ve been forced to do as service providers is figure out how do we differentiate our service. So today I’m going to do a quick demo view in PlexTrac to show you how you can use PlexTrac not only to deliver a report, a final PDF report, but also to give your customer live updates and have them interact with your final report findings in a very interactive manner. So I’m going to share my screen here and we’ll walk through that.

So the first thing that we need to understand is how does PlexTrac deal with role-based access control? So from the home screen here, I’m going to navigate to our account admin. I’m going to go to security and then role-based access. PlexTrac comes out of the box with three different profiles: administrator, standard and analyst. As you can see, administrator has all the permissions enabled, standard user a little less, and then analysts even less than that. Typically our customers will use standard user and administrator for their internal employees and then they’re going to use analysts for access to their customers.

Analyst is limited to mainly read-only. So when you come down here, what you see in purple, that means that it is enabled for this particular profile. So here you see the ability to view asset analytics, but not edit ability to edit assessments. You can get very granular with what you want this to look like. So this is what we come with out of the box. But you are also able to create your custom roles. So I created a custom role here that started with analysts, but then I just took out some of the other permissions that I didn’t want the customer to see.

So that’s the base understanding we need. And now we’ll actually take a look at what does an analyst role look like live within PlexTrac. So right now I’m logged in as an administrator for my particular instance. Here you can see that I am listed as a contributor, an operator or reviewer on two different clients. I’m going to go ahead and click into clients and let’s use this Detroit Lions. I am a lion fan. I wouldn’t recommend it for anybody though.

And from here I’m going to go to our details and just notice that right now I’m the only one additional, this global admin that’s listed as a contributor. I’ll click over to reports and you can see that we actually have a pen test engagement that’s in process here. We have a number of our different findings. I can come in, I can edit these findings, I can go to our readout, which includes our report narrative, our scope, summary of findings, and so on. I can come in here, I can edit this information, anything you would expect an admin to be able to do within PlexTrac. So what I’m going to do now is go back to clients and click into that client and go to details and I’m going to add an analyst.

So I’ve created another profile, Jason Krameck plus Hacker, and this is going to be listed as an analyst. Click Save. Now, I’ve already logged into that account on this other screen. I chose the light background so you could tell the difference between the two. And you can see that when I’m logged in right now, I don’t have access to any clients. Let’s refresh that, now that I’ve added myself as an analyst here.

And there it is right there. So that client has now popped up and I now have the ability to access it. And I can see the engagement that we are currently working on here as well. If I go to the readout phase, you can see that all I have the ability to do is read it. I do not have the ability to edit it. I do have the ability to see findings and I can also change the status. So I can come in here and, for example, we want to change this from in process, because my company is working on it, to closed, and this was fixed, and then everybody listed as a contributor will now get a notification here.

Now let’s say, for example, we do not want to have the ability for a customer to be able to export a document. All we need to do is go back into our main tenant and we’ll go into our RBAC controls, go to security, role-based access, and I’ve created this custom profile. Now within this custom profile, I have turned off, go to export reports, I have that turned off. I also have turned off the ability to view any of the analytics metrics on the left-hand side. So let’s go back to that individual client we were working on and let’s go to details and let’s go ahead and change this from Analyst to Custom. Automatically saved. Now, when we go back here, let me refresh the page, notice the export button. I no longer have the ability to export.

This button is removed, nor do I see anything on the left side pertaining to analytics. Now, we certainly understand that most customers are still going to want access to that PDF output. So what we can do here is navigate to our artifact section, and this essentially works as a dropbox. I can upload any arbitrary files, whether that be the final report or evidence. So I’m going to take a pen test report that I have here, drop it in as a PDF, click upload and let that do its thing. So now we have that uploaded.

Now if I go back to my analyst and I refresh and go to artifacts, you can see that I now have the ability to download that specific report. So this is one way that you can use it to actually deliver the final report, as opposed to putting it through SharePoint or an encrypted email. You can then upload it to PlexTrac and instruct your customer to access it. We can only scratch the surface here of what we can do with RBAC controls within PlexTrac. But the key takeaway is how do we differentiate our service? And one way to do that is through PlexTrac: not only delivering a final PDF report, but also providing real-time updates in an interactive experience that your customer can enjoy.

Hope you enjoyed it. Have a great day, everybody. Bye.