SPHEREboard 6.5 Release Notes

We're excited to present SPHEREboard 6.5!


New Features and Enhancements

New Hygiene Hub Layout

SPHEREboard’s home page has been rebranded as the Hygiene Hub and re-organized so you can easily find what you’re looking for!


Organize your data by mapping users to accounts and assigning ownership of assets.

Report on your accounts, groups, and data in their respective reporting modules.

Review and Remediate security issues with SPHEREboard’s interactive Asset Review Module and Virtual Workers.

The new Hygiene Hub also provides high-level statistics for an at-a-glance view of what you’ve collected and where you have risk.


PAM Becomes Accounts

SPHEREboard’s PAM Module has been converted into Accounts, where you can now report on all your accounts, not just the privileged ones.

Start with the Account Overview Card, where you can see high-level counts of your accounts, what they have access to, and how many control violations are in your environment.

Account Overview Card with high-level metrics

Next, dive deeper into account inventory with the Account Summary Card. Break down your accounts by Account Type, Account Source, or Business Unit and see which groups of accounts have the most access to assets and control violations.

Account Summary Card with options to pivot based on Account Type, Account Source, or Business Unit

Ensure accounts have owners so that they can be reviewed and any violations can be remediated. The Ownership Card highlights missing ownership and, again, lets you pivot based on Account Type, Account Source, and Business Unit.

Ownership card showing account ownership split by account type

Get a feel for your control stature with the Control Summary Card. Seeing red? Those are your current control violations being highlighted. Click on a bar in the graph to be taken to a granular details page listing each account in violation of the specified control.

Control Summary Card showing the list of controls and a count of the accounts in violation, compliant, and excepted from the control.

More on controls…

The Accounts Module comes with a set of out-of-the-box controls that can be used to monitor your account security stature. Controls can be enabled and disabled across your entire environment or for specific account types.

Controls and Exceptions page showing list of enabled and disabled controls

Exceptions allow you to temporarily exclude a specific account from being reported on as violating a control:

Example of an exception for an account against a specific control

Control Violation Stock and Flow

Violation Stock and Flow has been improved to be more configurable and interactive.

Configure the start date when you’d like stock and flow reporting to begin. This should be the date when you’ve scanned all of your sources and collected your baseline of accounts. This sets your starting “stock” value to give you an idea of how much work is needed to remediate current violations.

Configure the reporting interval shown on the graph and chart between “Daily”, “Monthly”, and “Weekly”. This helps you zoom in on day to day trends while still allowing you to step back and see longer term changes.

The chart and table are now clickable to show you which violations were present in each daily, weekly, or monthly period.

Control Violation Stock and Flow

Expanded CyberArk Controls

Speaking of accounts and controls… SPHEREboard’s CyberArk integration has been expanded in 6.5 to include reporting on more than just vault status and password management enabled status. We’ve added the following controls specific to CyberArk in the Accounts Module:

  • Password rotated last 90 days

  • Password rotated last 60 days

  • Password rotated last 30 days

  • Password rotated 1 Hour after use

  • Password rotated 12 Hours after use

  • Password verified last 7 Days

  • Password verified last 24 hours

  • Account has Exclusive Access

  • Dual Control Password Access Approval Required

  • One Time Password Access

  • Privileged Session Monitoring and Isolation

  • Record and Save Session


More Automated Ownership Methods

In 6.4 we expanded ownership automation to include all assets rather than just collections and groups. But you still had to work with SPHERE to develop custom methods to implement for most asset types.

Now in 6.5, every asset has at least two out-of-the-box methods available, and some have more!

Do you store an employee identifier in an extension attribute in Active Directory? Use the Extension Attribute method to automatically assign ownership of those accounts to the correct user.

Extension attribute account ownership method

Bug Fixes & Minor Enhancements

  • AD - Active Directory connector log more clearly displays warning about unresolved SIDs

  • AD - Clickthrough in Created vs Modified card now filters more accurately

  • ARM - Default task failed email no longer pre-configured

  • ARM - Email Scheduler calendar no longer closes prematurely

  • ARM - Downloading the asset reviewers table in ARM now includes all rows in exported file

  • ARM - Email correctly populates when adding a user to a group in an access review

  • ARM - Campaign status pie chart report statistics updated

  • CDM - Error loading open access card resolved

  • CDM - Error with search function in CDM shared object details card resolved

  • CyberArk Connector - CyberArk mapping improved for multiple domain environments

  • CyberArk Worker - Fixed issue with installer inserting extraneous line in configuration file

  • CyberArk Worker - Fixed an issue where the password management enabled status was not correctly being updated in CyberArk for some accounts

  • Hitachi Connector - Improve handling of whitespace around exclude folders task option

  • HR - Issue downloading large hygiene reports resolved

  • Installer - Removed dependency on SQL TRIM function

  • LDAP Connector - Improvement to prevent users from accidentally collecting extra objects

  • MSSQL Connector - Included support for scanning case sensitive SQL servers

  • PAM - Decommissioned filers should no longer appear in PAM (now Accounts)

  • PAM - Accounts that have been deleted from Active Directory no longer show up in PAM (now Accounts)

  • UDM - “Size” column in granular details no longer gets rounded when exporting to CSV

  • UNIX Connector - Additional functionality for collecting sudo permissions from sudoers.d files

 


Glossary

  • AD – Active Directory Module

  • AOM – Asset Ownership Module

  • AM – Administrative Module

  • ARM – Asset Review Module

  • CCM – Collection Creation Module

  • CDM – Cloud Data Module

  • HR – Hygiene Reports

  • IAMM – Identity Access Management Module

  • KYD – Know Your Data module

  • MAM – My Assets Module

  • MGM – Mailbox Governance Module

  • OA – Ownership Automation

  • PAM – Privileged Access Module

  • UAM – User Account Mappings Module

  • UDM – Unstructured Data Module