Security

BigPanda is committed to the security of your data. We use a variety of industry-standard security technologies and procedures to help protect your information from unauthorized access, use, or disclosure. You also have several security controls available within BigPanda.

Overview

To protect your information, data is:

  • Encrypted in transit using HTTPS/TLS 1.2.
  • Encrypted at rest using AES-256.
  • Accessed through the password-protected BigPanda website or via APIs that require token authentication.
  • Stored in an ISO 27001 and FISMA certified data center.

Data Transmission

Incoming

Standard alert data is collected securely from monitoring systems and sent to the BigPanda service by using one of the following methods:

  • Webhook—if the monitoring system supports sending data via Webhook, it can be configured to send alert data directly to the BigPanda service via a secure API endpoint.

  • Agent—if the monitoring system does not support sending data via Webhook, the BigPanda agent can be configured to collect data locally and send it to the BigPanda service via a secure API endpoint. The agent pulls data from a machine on the local network or cloud infrastructure by using a vendor-supplied API, parsing log files, or using other techniques, depending on the monitoring system’s capabilities.

BigPanda marshals as JSON all data sent to the BigPanda service, as well as the return codes delivered back to the agent and monitoring systems.

Outgoing

The BigPanda service sends data to integrated messaging or ticketing systems, such as email, SMS, JIRA, or Slack. BigPanda sends all data to these providers or services via HTTPS and uses industry-standard email and SMS providers.

Access Control

Users can access the BigPanda application by visiting https://a.bigpanda.io via a web browser. All data is sent via HTTPS. Website access requires username and password authentication.

Customer Access

Users can authenticate on the BigPanda website by entering their username and password. Organizations can also configure an SSO integration that allows users to authenticate on the BigPanda website. BigPanda uses an industry-standard, encrypted token for session-level authentication. BigPanda user passwords are stored in an industry-standard, encrypted hash format. For enhanced security, BigPanda enforces password complexity requirements for all new user passwords and changes to existing user passwords. BigPanda also enforces an automatic session timeout after a fixed period of inactivity.

Customers can access only the data for their own organization. Organizations can grant access to users by inviting them into BigPanda.

BigPanda Employee Access

BigPanda personnel access customer data only on a need-to-know basis for support purposes. All support personnel have signed Non-Disclosure Agreements, and no changes are ever made to an account without prior approval from the customer.

Physical Security

BigPanda data centers are hosted on Amazon Web Services (AWS). The IT infrastructure that AWS provides is designed and managed in alignment with security best practices, including the following IT security standards:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)

  • SOC 2

  • SOC 3

  • FISMA, DIACAP, and FedRAMP

  • DOD CSM Levels 1-5

  • PCI DSS Level 1

  • ISO 9001 / ISO 27001

  • ITAR

  • FIPS 140-2

  • MTCS Level 3

Physical access to the data center is strictly controlled both at the perimeter and at building ingress points by professional security staff, using video surveillance, state-of-the-art intrusion detection systems, biometric locks, and other electronic means.

For more information, refer to the AWS Security White Paper.

Session Management

For optimal security, BigPanda automatically logs out users whose sessions have been inactive for a configured period of time. The session management feature determines how long a user can be inactive and when a warning message appears for inactive users.

Available Settings

BigPanda enforces the following settings for each user session. If you'd like to customize the settings for your organization, contact BigPanda support.

Session Timeout

Length of time after which the system logs out inactive users—between 15 and 1440 minutes. The default value is 120 minutes.

Session Warning

Length of time before a session times out at which a warning message appears—between 1 and 15 minutes. If the session is automatically ended, the user must log in again to access BigPanda. The default value is 2 minutes.

Considerations and Exceptions

The automatic timeout applies only to a specific session. For example, a user may log in from two different browsers and therefore have two different sessions. If one session times out, the user is logged out only for that browser. The user remains logged in for the other browser until that session also times out or until the user manually logs out.

Because the BigPanda Dashboard is designed for NOC displays, the automatic session timeout does not apply to it. Therefore, if a user leaves the Dashboard tab open, the user's session remains active.
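The following Python is an added illustration of the behaviour described in this section, not BigPanda's own code: it models the documented limits and defaults, the per-session inactivity clock with its warning window, and the Dashboard exemption. The class and function names are assumptions made for the example.

```python
from dataclasses import dataclass

# Limits and defaults as documented above (in minutes). The names below are
# this example's own, not BigPanda's implementation.
TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 1440, 120
WARNING_MIN, WARNING_MAX, WARNING_DEFAULT = 1, 15, 2


@dataclass
class SessionPolicy:
    timeout_min: int = TIMEOUT_DEFAULT   # idle minutes before forced logout
    warning_min: int = WARNING_DEFAULT   # minutes of warning before that logout

    def __post_init__(self):
        # Reject settings outside the documented ranges before they take effect.
        if not TIMEOUT_MIN <= self.timeout_min <= TIMEOUT_MAX:
            raise ValueError(f"timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX} minutes")
        if not WARNING_MIN <= self.warning_min <= WARNING_MAX:
            raise ValueError(f"warning must be {WARNING_MIN}-{WARNING_MAX} minutes")
        if self.warning_min >= self.timeout_min:
            raise ValueError("warning must fire before the timeout")


@dataclass
class Session:
    user: str
    client: str              # each browser gets its own session entry
    last_activity: float     # seconds, e.g. time.monotonic() at the last request
    dashboard: bool = False  # the NOC Dashboard tab is exempt from the timeout


def touch(session: Session, now: float) -> None:
    """Record activity; any authenticated request resets the idle clock."""
    session.last_activity = now


def state(session: Session, policy: SessionPolicy, now: float) -> str:
    """Return 'active', 'warning' or 'expired' for one session at time `now`."""
    if session.dashboard:
        return "active"
    idle_min = (now - session.last_activity) / 60
    if idle_min >= policy.timeout_min:
        return "expired"
    if idle_min >= policy.timeout_min - policy.warning_min:
        return "warning"
    return "active"


def sweep(sessions, policy: SessionPolicy, now: float):
    """Log out only the expired sessions; a user's other sessions survive."""
    return [s for s in sessions if state(s, policy, now) != "expired"]
```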

Data Retention

  • By default, BigPanda retains at least one year of historical data, which can be accessed via the Unified Search screen.
  • Configuration data such as users, correlation patterns, tags, etc. are stored indefinitely.
  • Although our policy guarantees retention for at least one year, we cannot guarantee that data will be retained for exactly that length of time. Occasionally, we remove historical data from our platform to ensure optimal performance. Nevertheless, we will not delete any data that is less than one year old unless the customer explicitly requests it.
  • Customers may request custom retention policies. Please refer to your account manager for more information.

Penetration Testing

BigPanda conducts annual independent third-party penetration testing using a standard grey-box assessment methodology, which includes evaluation of the OWASP Top 10 risks.

Penetration Testing includes Application Abuse/Business Logic Testing using commercial tools, public tools, custom tools, and manual techniques to identify code patterns indicative of business logic flaws.

  • Web Application Security Penetration Testing works to identify code patterns indicative of implementation security bugs, including OWASP Top 10 risks, and whether attackers could identify and exploit common and advanced web application security vulnerabilities.
  • API Security Penetration Testing works to identify a variety of flaws in the code of the client API which could allow for data modification and attack methods through Direct API attacks (attacks against the API end-point itself) and Indirect API attacks (attacks against the app via the API).
  • Network Security Assessment performs an external vulnerability scan and analysis of the results. Network scans use a vulnerability identification strategy similar to that used by real world attackers.

Our penetration testing is comprehensive: it covers the entire CWE list and notes whether each of the many hundreds of CWEs is applicable to the BigPanda application.

Pen Testing attempts to determine whether attackers could identify and exploit common and advanced web application security vulnerabilities, including:

  • Cross-Site Scripting (XSS)
  • Click-jacking
  • SQL, System Command, LDAP, XML, etc. injection points
  • Malicious content propagation (using the app as an attack proxy)
  • HTTP Redirects
  • Transport encryption verification (Non-SSL for sensitive pages)
  • Cipher Strength Analysis
  • Session management subversion
  • Session Fixation
  • Response Splitting
  • Cross-Site Request Forgery (CSRF)
  • Cookie Analysis

Based on penetration test results, BigPanda proactively adds and maintains additional security measures to ensure your data is fully secure. For example, BigPanda has implemented a Content Security Policy (CSP) on its websites to protect against malicious cross-site scripting (XSS) attacks, to help prevent code injection, and to block external references to malicious content.
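To show how a CSP blocks the script injection and external references mentioned above, here is an added Python example that is not BigPanda's code or its actual policy: a small evaluator for a constructed policy header that decides whether a script, object or image load would be permitted. The header value, origins and function names are all constructed for illustration and cover only the common source expressions.

```python
from urllib.parse import urlsplit

# Constructed policy for the example; BigPanda's real header is not on this page.
EXAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.com; "
               "object-src 'none'; frame-ancestors 'none'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _source_matches(source: str, url: str, page_origin: str) -> bool:
    """Minimal matcher for 'none', 'self', '*', scheme: and host sources."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme source, e.g. https:
        return urlsplit(url).scheme == source[:-1]
    src = urlsplit(source if "://" in source else "//" + source)
    target = urlsplit(url)
    if src.scheme and src.scheme != target.scheme:
        return False
    host = (src.hostname or "")
    if host.startswith("*."):                     # *.example.com matches sub-hosts
        return (target.hostname or "").endswith(host[1:])
    return target.hostname == host


def allows(policy: dict, directive: str, url, page_origin: str) -> bool:
    """True if the load is permitted. url=None means an inline script/style.
    Fetch directives fall back to default-src when absent (simplified)."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                               # nothing restricts this load
    if url is None:
        return "'unsafe-inline'" in sources       # inline code needs opt-in
    return any(_source_matches(s, url, page_origin) for s in sources)
```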

Security Compliance

BigPanda undergoes an independent third-party SOC 2 Type II security audit annually, and has done so since 2017.