How do I find details and evidence about a security finding reported by Coalition?
To find asset information, scan details, and evidence for alerts:
- Navigate to Security Findings > All Findings on the left-hand navigation.
- Select the security finding you want to know more about.
- The Quick View for that security finding will then be displayed on the side panel that pops out.
- You can now see the full details and evidence for that security finding through the sub-tabs:
  - Overview
  - Impacted Assets
How do I request to rescan a vulnerability that I fixed?
We have combined the rescan functionality with the resolution workflows. To rescan a particular security finding, click on Resolve and continue through the flow.
Steps to resolve:
- Click on the Resolve button
- Select Fixed the Issue
- Select the reason for how the issue was fixed and hit Resolve
How do I report / remove a false positive asset?
To report/remove a false positive:
- Copy the IP or domain name of the asset(s) you would like to report as a false positive (e.g., assets that do not belong to your organization). You can also look for the asset details under the vulnerabilities you were notified about.
- Navigate to the main dashboard.
- Select “Assets”.
- Select IP or Domain depending on the asset you are trying to report.
- Locate the asset via the advanced search feature or by scrolling through the assets.
- Check the “source” field of the asset to see why we detected it. Please remove the asset from your DNS entries. If you still believe it is not yours, select the “remove” button next to the asset and follow the prompt to request that the asset no longer be reported. You will have to enter a valid reason, and the security team will approve or reject your request within 48 hours.
How do I mute security alerts?
To mute an alert (this mutes future email notifications; removing muted alerts from your risk score is coming soon):
- Navigate to the vulnerabilities section of the Control dashboard.
- If your security alert requires you to submit evidence of additional security controls we cannot detect, select the Mute feature.
- Update the prompt with your supporting evidence and submit.
Are my insurance terms affected by these scan findings or my risk score?
During your policy period, scan details do not affect your current insurance policy terms. However, if they are not fixed over a period of time, they will lead to contingencies at renewal time and could also result in a claim. In order to reduce your cyber risk, Coalition provides information about what vulnerabilities your organization has from an external perspective. These alerts are based on security best practices. These alerts may also differ from the risk assessment findings found at the start of your policy: the threat space is ever-evolving, and we want to ensure each policyholder has a snapshot of active risks. Addressing these risks will help prepare you for your insurance renewal.
Are the scans a penetration test?
Coalition Control attack surface monitoring is not a penetration test. On a monthly basis we scan policyholders’ external attack surfaces based on the domains provided during the quotation process, added by the policyholder during the policy, or enumerated by our security platform using public information (see below).
After public records, domains, and IPs are collected, our platform scans those endpoints from the public internet to identify technologies that may be vulnerable, similar to how threat actors might conduct reconnaissance. Our platform also pulls data from a variety of third-party sources, including databases of known breaches, which Coalition then correlates with these scan findings to enrich the risk assessment.
How does Coalition find our assets?
The most common ways Coalition finds assets and associates them with policyholders are: sub-domain enumeration (finding subdomains of domains already associated with your organization), DNS records, SSL certificates directly or historically associated with your organization, and IPWhois data showing the organization’s name, address, or domain name registered to that asset in ARIN. Each of these can occasionally result in false-positive associations. These can be reported in the Control platform as noted above, but can also be reported to the source of the data, and can often be corrected in the public records themselves.
You can also add/update your domains and IPs through Control to ensure we accurately capture your infrastructure.
Why are there so many medium and low level alerts?
Having a high number of medium and low level alerts is an indicator that you may have something expanding your attack surface beyond what your documentation covers. Assets like SPF records that have too many IPs allowed in them, or the use of public/shared/wildcard certificates, may be exposing your organization to outside risks that have varying levels of security control in your attack surface. Use the “source” column in the assets section to help identify the asset that might be opening the door to the other exposures.
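As an added example (not Coalition's code and not part of this article), the Python script below parses an SPF TXT record offline and reports how much address space it authorizes, how many DNS-lookup terms it contains, whether it uses the deprecated ptr mechanism, and whether it ends in a permissive catch-all. The sample records and domain names are constructed; the "wider than a /24 deserves review" threshold is an assumption chosen for illustration, while the 10-lookup limit and the ptr deprecation come from RFC 7208.

```python
import ipaddress

# Constructed SPF records for three placeholder domains (not taken from the page).
SAMPLE_RECORDS = {
    "tight.example": (
        "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/48 "
        "include:_spf.mailprovider.example -all"
    ),
    "loose.example": (
        "v=spf1 ip4:198.51.0.0/16 ip4:192.0.2.0/24 "
        "include:a.example include:b.example include:c.example include:d.example "
        "include:e.example include:f.example include:g.example include:h.example "
        "a mx ptr ~all"
    ),
    "open.example": "v=spf1 ip4:0.0.0.0/0 +all",
}

# Mechanisms and modifiers that each cost one DNS lookup during evaluation.
# RFC 7208 caps these at 10 per check; receivers return permerror beyond that.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
# Assumed review threshold: any ip4 range wider than a /24 is flagged for review.
BROAD_IPV4_PREFIX = 24


def analyze_spf(record):
    """Summarize how much sending authority an SPF record grants.

    Returns a dict with the authorized IPv4/IPv6 address counts, the number of
    DNS-lookup terms, a list of human-readable findings and a coarse risk label.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")

    ipv4_addresses = 0
    ipv6_addresses = 0
    lookups = 0
    findings = []
    catch_all = False

    for term in terms[1:]:
        # Optional qualifier: + (pass, the default), - (fail), ~ (softfail), ? (neutral)
        qualifier = "+"
        if term and term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # Modifiers use name=value; mechanisms use name[:argument][/cidr]
        head = term.split(":", 1)[0]
        sep = "=" if "=" in head else ":"
        name, _, arg = term.partition(sep)
        name = name.lower().split("/", 1)[0]

        if name in ("ip4", "ip6") and qualifier == "+":
            network = ipaddress.ip_network(arg, strict=False)
            if name == "ip4":
                ipv4_addresses += network.num_addresses
                if network.prefixlen < BROAD_IPV4_PREFIX:
                    findings.append(
                        f"broad ip4 range {network} authorizes "
                        f"{network.num_addresses} addresses"
                    )
            else:
                ipv6_addresses += network.num_addresses
        elif name in LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                findings.append("ptr mechanism is deprecated by RFC 7208")
        elif name == "all" and qualifier in "+?":
            catch_all = True
            findings.append(f"'{qualifier}all' lets any host send mail for this domain")

    if lookups > MAX_LOOKUPS:
        findings.append(
            f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of {MAX_LOOKUPS}"
        )

    if catch_all:
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"

    return {
        "ipv4_addresses": ipv4_addresses,
        "ipv6_addresses": ipv6_addresses,
        "dns_lookups": lookups,
        "findings": findings,
        "risk": risk,
    }


def review_records(records):
    """Analyze every record in a {domain: spf_text} mapping."""
    return {domain: analyze_spf(text) for domain, text in records.items()}


if __name__ == "__main__":
    for domain, report in review_records(SAMPLE_RECORDS).items():
        print(f"{domain}: risk={report['risk']} ipv4={report['ipv4_addresses']} "
              f"lookups={report['dns_lookups']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

To run it against your own domains, replace the constructed records with the TXT values returned by your resolver; the script intentionally does not resolve include targets itself, so the address count covers only ranges listed directly in the record.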