Skip to content


Trends and Service-level Agreements (SLAs)

A walkthrough of new features inside Analytics. With PlexTrac’s new Trends and SLAs feature housed in Analytics, customers can now configure, manage, track, and report on how they are performing against their service-level agreements directly in the platform.

Series: PlexTrac MiniDemo Series

Category: Analytics, Product Features



And if I’ve got my crown jewels that I got the world banging away at, and they do find something, I’m going to want to get that taken care of quickly and mature. Programs, from what I’ve seen, have internal processes or benchmarks or service level agreements for time to remediation. And that can be based on a number of different attributes. It can be just based upon something as simple as the severity of the finding. Or because not all critical findings are created equal, it can be a combination of attributes. Right. It can be the severity of the finding with, for example, assets that are crowned jewels, the domain controllers, the identity and access management providers, things like that.

And this is something we’ve heard loud and clear. PlexTrac for a long time, has provided a great method for you to track remediation, but we’re taking it to the next level with our new feature, service level Agreements. And Landon, do you want to give us a little bit of a set up on what we’re going to be seeing here? Yeah, maybe I’ll start with the overall vision. When you can aggregate the data, you can help record and remediate from all the different platforms and tools. You have an opportunity to automate even more of the workflow and make it even more efficient. And the goal of service level agreements is to help you all figure out what should I be doing today or next and what’s coming up soon, right? And how can I have the system tell me that rather than have to remember in a spreadsheet or take a note and go find it? And so this is an investment in that space, one of many that will continue to make over our time in the product, but really excited for this capability to come and for Sean to show you all awesome. So, first and foremost, when you hop into your service level agreements, which does exist in your administrative functions, you’re going to see that we’ve got four prebuilt ones here, right? And these will actually all be disabled by default.

You can enable them if you like. Now, what you see for the name here, this is also just an arbitrary string. You will note that I’ve created my own service level agreement, which I call it critical and high on crown jewels. I have been an information security leader. Once again, not all findings are created equal, and a high finding that exists on a critical asset may be something that I want to prioritize for remediation over a critical finding, if you will, on a laptop in the marketing department. No offense there, Angie.

So the beauty of this is that I can create my own service level agreements that are tailored to really target those particular things that I care about most. So I’ve created this one here, and I’ll kind of walk you through a little of the functionality. The first thing is, what is my target time for remediation. Right? And so for this, I’ve selected two days. I would probably be wanting to do that faster if it truly is on a crown jewel. But I’m giving myself a little bit of slack here. I have them the option of start assigning the attributes that I want to associate with this SLA.

So I can choose either one or multiple different findings. Severities now, I do have to choose a finding severity, but luckily enough, I can choose them all if I still choose to see fit. Right? But the finding severity is just one of the attributes I can use. I could also say finding severity of critical or high. And the finding itself has a certain tag. Right? And what is that tag? It can be whatever you like. Or maybe going back to my analogy of this being present on an asset that is extremely important to my business, I can choose it based upon other attributes of the assets that are associated the affected assets.

So those of you who are familiar with Flex Track reporting know that for every finding, you have an opportunity to assign affected assets. And those affected assets have something like, I don’t know, 36 different possible attributes you can assign. But one of the more important ones is the asset criticality. Right. You don’t have to use this. It’s an option for you. And once again, that becomes an and statement with the severity of the overall finding.

But the last attribute that we can use is the asset tags themselves. So assets and Flex Track exist as independent data. Objects from any findings are associated with that’s. What allows you to get that macro level view, that asset view of everything that is impacting a particular asset, and you can tag your assets. And so what I’ve chosen for the attribute for this particular SLA is simply to tag a crown jewel, common industry standard term. I think most people understand it so great. Now, I have set up what types of data go into this bucket? Well, what am I going to do with this? Well, the first thing that we can do is set up notifications.

And notifications can go to two audiences. The first one is to the user that is assigned to the finding. For every finding of Flex Track, you have an option to assign it to someone for remediation or other action. Right? And so I can say I’d like for this given user to get a daily summary email. And this is pretty cool because roll up emails are a pretty new bit of functionality. Lennon, do you want to comment on that at all? I mean, there’s not a lot to share to add the roll up capability, but it’s pretty exciting. I think what I’ll say, and I don’t know if you plan on showing it or not, is we put in a lot of thought on what we want to do in a roll up email because we know that this information is private, we know this information is important, and we need to stay within our platform.

So what I assure you is that it is truly a roll up in a summary that just in case, for some reason, this gets in a place where it might be exposed that we aren’t sharing anything but a number. Thanks, man. And yeah, I totally failed my prep to bring up an example. But the email that you do get, it simply gives you account of the number of findings that are either approaching or have exceeded the particular benchmark with a hyperlink that will take you back to the platform. There’s no titles of the findings, so you’re not going to get an email that says cde 20 22, 12 34 is present on VPN Endpoint. Two, two, three. Right.

It’s just going to be a simple hyperlink that takes you back to collect tract so that you can investigate that further. And I’m going to show you where you can do that in just a moment. Right? But another option that you’ve got is, hey, start sending me a little bit of gentle nudging. Ping me, right? If I get to say, within 12 hours of this busting, this gate, this benchmark, hit me up with an email, let me know. Right? And then also maybe send me something when I’ve actually busted it. Okay? Now I know that the boss is going to come looking for me or if I’m the boss, that I need to go looking for somebody, right? But if you are the boss, one thing also is really cool about our notifications is you can also identify other recipients that get and have options for these same sorts of emails. So maybe if I’m the CISO and I really just want to know when the team hasn’t met their objective, I can choose to get a notification and I can choose to get this email myself as well.

Now, for the recipients, the selections here are going to be users that exist in your Flex Track Tenancy. Once again, that security concept, we don’t want you setting this to Putin at Russia. Ru right? So you want to make sure that you’re sending it to somebody who is going to be able to do something with the hyperlinks that are sent and also obviously could offset there. But one thing that I’m really excited though is how granular we’ve gotten with our notifications. I really think you can tailor this to the level and the volume so you’re going to get the signal and not the noise that you’re looking for.

All right, so now I’m actually not going to save that because I don’t want to start the cascade of emails to my inbox. But we’ve got this set up for notifications, but I probably want more data than just having emails about this stuff. And so we’re super excited to unveil a new area of our analytics. So if I pop over to analytics, those of you who may have updated recently may have noticed that the trends tab has been changed to trends and SOAS. All right. And so what have we got going on here? Well, the first thing that you’ve got is a simple meantime to remediation chart. Right.

There’s very few industry standard metrics that everyone in this industry can agree upon from a defensive perspective. And I think that meantime remediation is one of those few. And so what you get is an indication over time of what your meantime remediation has been within any given time frame. Right. And so you can see, actually what I’m going to do is I’ve got a filter in place. These filters work, by the way, just like filters do in all the other areas of analytics, and we default to the last 30 days. I want to take a little bit longer review, so I’m actually going to go back a couple of months and we can get a look at what is our main time remediation been since the beginning of December.

And you can see that in general, we’re probably doing close to the right things. We’re resolving things that are critical severity quickly, at least more quickly than our highs, and putting off some of the remediation of those less severe categories like mediums and low. So we’ve got a little bit more bandwidth. Now, these metrics right here, this is the aggregation of all closed findings by severity.

This isn’t dependent upon what SOAS that you have enabled in your environment. This is just your overall meantime remediation. So if you’re preparing your packets for the board meeting, this is an incredibly useful graphic to probably take a screenshot. If you’re telling a good news story, you might not want to share it if you’re going in the wrong direction. Right. Brian, is this the sort of thing that in your past life that you would have been useful to you and your reporting up to the board? Oh, yeah, to the board, to the people that I was working with and doing the actual remediation, they wanted to have some of these metrics as well, to see how they were doing on their own types of metrics. How is my team doing? Not how is the company or how is it from a management perspective or a board perspective.

Hey, it’s time for my annual review. How did I do on what I was working on over the last year type of things too. So it goes both ways. Yeah, it’s a good point. And to that point as well, if I was doing Brian’s, your performance review, and I really wanted to just drill down into what he was responsible for, once again, all those standard filters are here. I’ve only got one client built out today, but I could definitely hold Brian to the piece of the fire on that. But we don’t stop there.

So moving on down, this is the same. This is nothing new on this, but if you haven’t paid attention to this, it is useful, right? Because I always call this the winning losing graph. Because ultimately, I kind of want to see some parity, maybe ideally even more a little bit green, because red are findings that I’ve opened and green are findings that I’ve closed, and blue is my line of the total open right now. I just imported another scan result last night. Haven’t done a lot of work, but that’s okay. But this is a great one stop shop. Once again, if you’re looking for that real time feedback.

Am I winning or am I losing the security battle here? This is a great high level view of that. But let’s get to the start of the show and get down before you go on. You asked me not to close anything, so you can’t use this.

I did. You’re getting ready for this? This morning, I was like, all right, Brian, I’ve got my data set in the platform. Don’t go in there, start monkeying around with it, or I’m not going to have pretty colors to show people.

All right, so let’s get to the start of the show, which is the actual graphs on the SOAS now, these are fairly simple graphics, but that’s okay because they’re here to tell one story. And that story is, am I meeting my benchmarks or not? And so for each of the SLAs that you have enabled, what you get is the line that is established. And this you can see here, we’ve got three days. This is the line I’ve set for my target remediation time for all critical findings. Right? And we can see that historically, based upon the findings that are closed, that I’m not doing as hard as I want to do lately as I was towards the end of last year. I blame it on Amazon’s, right? Blame it on what you will, but you’ve also got these widgets up here, and these widgets will give me the actual finding detail on each of these findings. So what you’ll see is that we have one finding here that has busted the time to SLA that is still open, and I can even take this further and hop directly into that finding to get greater detail about it.

You’ve also got the historical data for things that have closed, and you can see that, yes, these are closed now, but we didn’t meet the benchmark for it. We were a little bit over. And once you’ve got this modal open, you can actually pop in between and see other findings. So if I wanted to see things that are within the SLA, doesn’t look like I have any criticals or nearing the SLA. Not much to show there, but that’d be the same as if I chose these other widgets. It’s just a different way of getting to the data. So I could now go back to exceeding and see that same sort of view.

Just taking another look at like this one here. You’ve got your criticals with the high and highs on your crown jewels. Once again, it’s a simple story, but a powerful 01:00 A.m.. I meeting the objectives that I have set for my internal remediation.

So really excited to get this out the door. Any additional words on that? Either Brian or Landon.

I love this view. I think so valuable to just tell that story of it’s historically, how are we doing? In a little more granular way, because it’s filterable down on this specific SLAs that you have set.

Just a couple of things to add, I think. One is just to note, as Sean was growing down, you may have saw a purple gear with an edit settings button. You have to scroll up to show it. If you need to get to the administrative panel and you want to be able to configure them, we actually put that link right there for you in the application. And that’s just to make it simpler, because we’re thinking about efficiency even when it comes to using our product, not just doing the work that our product helps you do. So that was something that I want to make sure that you saw.

And I think the other piece that’s really nice to remember is that this is filterable and configurable by you just like any of the other things within our analytics. So know that you can use this to help slice and dice and drive your team the way that you need to write.