Release Notes - Nov 2022
  • 11 Minutes to read
  • PDF

Release Notes - Nov 2022

  • PDF

New Features and Enhancements   (SAFE Version 3.0.39) 

We are happy to announce SAFE v3.0.39, which brings the below new features and enhancements to SAFE:

1. Introducing Cyber Risk Scenarios in SAFE

We are introducing Cyber Risk Scenarios, a whole new way to look into your organization's cybersecurity posture in SAFE. With this feature, SAFE now provides the ability to measure, mitigate, and manage top cyber risk scenarios in your organization.

1.1. Top Cyber Risk Scenarios

SAFE continuously monitors top Cyber Risk Scenarios by correlating all the security findings to respective MITRE ATT&CK TTPs (Tactics, Techniques & Procedures)

Currently, 20 Cyber Risk Scenarios are supported based on recent security trends and historical breach data. 

SAFE provides risk quantification for each of the Cyber Risk Scenarios, including SAFE Score, Breach Likelihood in percentage, Attack Behavior, Attack Surface,  Estimated Financial Impact(EFI), and Financial Risk(FR). Additionally, the Industry Benchmark SAFE Score is available for comparative analysis. 

You can view a summary of top Cyber Risk Scenarios on the main SAFE Dashboard. You can also navigate to the individual Cyber Risk Scenario detail page by clicking on the desired Cyber Risk Scenario.
Risk Scenarios

Industry benchmarks for breach likelihood for each risk scenario

Additionally, we have added details on the industry benchmark of breach likelihood for each cyber risk scenario in SAFE. Hovering on the breach likelihood percentage bar displays the top 10 percentile, average, and bottom 10 percentile in SAFE.

Industry Avg

1.2. Overall breach likelihood percentage, Financial Risk, and SAFE Score on SAFE dashboard

Overall breach likelihood trend

We have added the overall breach likelihood percentage timeline frame modeled graph to present the breach likelihood trend for the organization. The current breach likelihood is available in the dial view for the organization.

Breach likelihood

Financial risk trend

Financial risk represents the expected financial loss an enterprise can incur in case of a breach over a 12-month period. It is a function of the SAFE score and estimated financial impact associated with the risk scenario.

Now, In addition to the breach likelihood trend, SAFE displays the financial risk trend and the current financial risk for each cyber risk scenario. 

financial Risk Trend

SAEE Score

SAFE scores against cyber risk scenarios are now calculated using an evolved SAFE Scoring model, which takes into account the adversarial behaviors (techniques) and objectives (tactics) to estimate the breach likelihood. This information is further enriched with threat intelligence, which indicates for a particular risk scenario how prevalent is the attacker’s behavior.

SAFE references the adversary behaviors and objectives outlined in the MITRE ATT&CK® framework.

Users can see the SAFE Score and score trend for the overall organization by clicking the > icon available next to the Breach Likelihood title in the dial view.

SAFE Score trend

2. Estimated Financial Impact and Interactive Cost Model

Estimated Financial Impact

SAFE now displays the Estimated Financial Impact per Cyber Risk Scenario, i.e; the dollar value impact an enterprise can incur due to a breach. A range is also provided with upper and lower bounds of Financial Impact, with an expected value that is generally a mean. SAFE auto-generates the inherent EFI for a risk scenario based on the company characteristics, security findings, and applicable cost drivers.

Financila Risk

The default Estimated Financial Impact estimation is powered by Safe Security’s proprietary database - built and maintained by our expert analysts and threat intelligence teams. The model leverages:

  • Over 500,000 data points across 2,000 mapped discrete incidents taken from primary sources across:
    • Financial fraud - such as business email compromise, account takeover, and advertising fraud
    • Ransomware, PxI data breaches - including leaks and exposures
    • Wiper and cryptocurrency theft - including lost access
    • Data privacy violations
  • ~1300 CVEs identified as seen in the wild., and over 1,100 attack groups, including identified aliases
  • TTP mapping to MITRE ATT&CK for over 100 attack groups and malware (with more added regularly)
  • A pipeline of over 25,000 security incidents is being actively reconciled and processed.


Interactive Cost Model (ICM)

Additionally, SAFE does not limit the financial impact estimation to the default assumptions. It also provides an Interactive Cost Model (ICM), which is capable of conforming to different internal assumptions for cost modelling.

The Interactive Cost Model ICM is designed as an interactive tool where a user can calibrate the cost modelling assumptions for the applicable cost categories for a cyber risk scenario. A user can provide upper bound, lower bound, and expected values for all the tunable cost drivers. Based on the inputs, EFI and, subsequently, the Financial Risk for the scenario shall be calibrated for the Cyber Risk Scenario

Edit ICM

3. Enhanced Prioritized Actionable Insights for Risk Scenarios

SAFE displays all security findings that need immediate attention as Prioritised Actionable Insights. These insights are available on the Main dashboard for enterprise cyber risk scenarios and the individual cyber risk scenario dashboard. The prioritized list of actionable insights will help you measure, manage and mitigate the identified security findings.

3.1. Return on Security Investment-based Prioritization

Actionable Insights will now comprise a prioritized list of up to 100 insights which are a combination of all Critical/High severity failing controls sorted based on the change in financial risk in descending order. Findings that contribute higher to the reduction of financial risk will be ordered higher, giving visibility into Return on Security Investment (ROSI). This will help quantify the business impact of cybersecurity budgets and prioritize cyber initiatives to maximize cyber risk reduction.

P Actionable Insights

Now a user can: 

  • View the prioritized Actionable Insights on the SAFE Dashboard just below the Top Risk Scenarios
  • Know more about a particular actionable insight by clicking on that insight from the table
  • Compare and prioritize different cyber initiatives (like buying a new cybersecurity product, strengthening the incident response plan, or applying patches to all servers) based on financial risk reduction
  • Establish an ROI of her/his cyber budget
  • Have a business risk discussion with the Board, the CFO, and the CEO.

Further to this, we have added the following new data points in the actionable insights table against each insight to enable the measurement of security investments. User has the flexibility to sort based on either of the below-mentioned data points to tailor as per their risk prioritization requirements.

  • Delta SAFE Score: Displays what is the SAFE Score improvement, if a particular finding is mitigated
  • Delta Breach likelihood: This is an alternate representation of the SAFE Score. Displays what is the percentage reduction in breach likelihood, if a particular finding is mitigated
  • Delta EFI: Displays what is the dollar value reduction in Estimated Financial Impact, if a particular finding is mitigated
  • Delta Financial Risk: Displays what is the dollar value reduction in Financial Risk, if a particular finding is mitigated

4. Enhanced ATT&CK Mappings

4.1. Outside in Technology Assessment mapped to ATT&CK

Now, SAFE is able to give out of the box association between Outside-in Technology assessment controls and applicable techniques ( attacker behaviors) mentioned in ATT&CK Framework. 

Out In Technology

SAFE uses the above correlation to predict financial risk and produce actionable insights 

4.2. Vulnerabilities mapped to ATT&CK

Now, SAFE is able to give out of the box association between high-impact vulnerabilities (CVEs which are highly exploited) and applicable techniques ( attacker behaviors) mentioned in ATT&CK Framework. 

Vul mapped to ATT

SAFE uses the above correlation to predict financial risk and produce actionable insights.

5. All new SAFE Hooks page

We have revamped the SAFE Hooks page to a whole new experience that provides an easy way to find and configure the automated signals in SAFE. This page contains various labels at the top, and clicking them filters the integration list and allows you to search and configure quickly.

SAFE Hooks

SAFE integrates with various tools and applications to collect the input signals that do not need any configuration via SAFE Hook pages. These integrations are either available via APIs or can be established by following simple steps in SAFE. Also, some of these integrations are pre-configured in SAFE OOTB, and some may need manual configuration outside of SAFE UI.  

SAFE Hooks 2

Additionally, we added a link to integration guides at the top of the SAFE Hooks page.

6. New Integrations

6.1. Qualys SCA integration in SAFE

In addition to the SAFE integration with Qualys VMDR with SAFE to import the Vulnerability Assessment results, Now SAFE also integrates with Qualys Policy Compliance (PC)and Security Configuration Assessment (SCA) to fetch the configuration assessment results based on CIS benchmarks into SAFE.

You can configure Qualys SCA in SAFE via SAFE Hooks and SAFE REST APIs.

Qualys SCA


Qualys PC and SCA integration are currently independent of the Qualys VADR integration present in the product. The configuration assessment for the following asset types is supported for this integration:

  • Windows Server 2012 R2
  • Window Server 2016
  • Windows Server 2019
  • RHEL 7.x
  • RHEL 8.x

6.2. Simplified Salesforce integration

Currently, Salesforce assets can be onboarded to SAFE via the asset management page. To provide a better user experience and ease, we have simplified this integration by adding a Salesforce card under the SAFE Hooks. Now, SAFE Admins can go to the SAFE Hooks and configure Salesforce using the connector details.

6.3. Simplified Snowflake integration

Currently, Snowflake assets can be onboarded to SAFE via the asset management page. To provide a better user experience and ease, we have simplified this integration by adding a Snowflake card under the SAFE Hooks. Now, SAFE Admins can go to the SAFE Hooks and configure Snowflake using the connector details.

6.4. Enhanced integration with

We have enhanced the SAFE - integration. Now SAFE connects with via read-only APIs and allows users to discover and import assets and their respective vulnerability assessment results. Users can sync the assessment results of assets at a pre-configured time interval, as well as the on-demand pull of assessment results for assets.


7. Simplified Policy, CSP, and Compliance assessment

Today SAFE has approximately 42 cybersecurity policies accessed via more than 4200 controls, which makes the Policy and Compliance assessment a lengthy and hard-to-action process and disconnected from the actual risk posture.

7.1. A whole new Policy Module

Today SAFE has approximately 42 cybersecurity policies accessed via more than 4200 controls, which makes the Policy and Compliance assessment a lengthy and hard-to-action process and disconnected from the actual risk posture.

To solve this problem, SAFE is bringing a whole new policy module in SAFE, which is short and yet more effective than the earlier one. The new policy module in SAFE has transitioned the 4200+ Compliance-Driven policy controls to 30+ Threat Driven controls.

Below are the highlights of the new policy module in SAFE:

  • The 30+ Threat Driven policy controls are based on MITRE ATT&CK Mitigation Controls and post-attack mitigations.
  • Each control has Tactics and Techniques mapped to them, which will also be visible on the SAFE UI to improve their risk visibility.
  • Users can assess the policy controls directly from the Policy page in SAFE.

All the 30+ policy controls are now applicable to your organization. The option to select the applicable policies for the organization has been removed from Policy Management under Administration > Governance management.

New policy module

7.2. Simplified Cyber Security Products module 

Cyber Security Products (CSP) now has a simpler assessment module, which takes input about the implementation status and coverage status of the implemented Cyber Security Products. There are now 40+ Cybersecurity Products available in SAFE. 

Simplified CSP

With this new approach to the CSP module, by default, the system treats the CSP implementation status as Failed, and it impacts the SAFE Score. It is strongly recommended to assess the newly added Cyber Security Products by enabling the implementation status toggle and assigning a coverage status in percentage for business-critical assets.

If a CSP is not applicable, a user can mark the CSP as not applicable from the Administration > Governance Management > Cybersecurity Products Management section.

CSP Management

  • If a CSP is disabled from Administration, it will not contribute to the SAFE Score of the organization.
  • If a CSP’s Implementation Status is disabled on the CSP page, it treats the implementation status as Failed and impacts the SAFE Score.

7.3. Automated Compliance Assessment 

The Compliance Module in SAFE has now been revamped and now includes only automated controls via asset-level configuration assessment. Here are the highlights of the new compliance module:

SAFE provides automated visibility into the following 6 Global Compliances:

  • NIST CSF v1.1
  • NIST 800-53 r5
  • NIST SP 800-171 r2
  • PCI DSS v4
  • ISO 27002:2022

Automated Compliance Module

Users can select the applicable compliances to the organization from Compliance management under Administration > Governance management. No compliance is mandatory in SAFE, i.e, now users can mark ISO 27001:2013 and NIST SP 800-53 as Not applicable.

Compliance Managment

  • Compliance and Policy have now been decoupled in SAFE, i.e., marking compliance as Not Applicable does not remove the Policy control.

8. Vulnerability Assessment for Cloud Assets

SAFE can now import the Vulnerability Assessment results from the cloud technology verticals, AWS, Azure, and GCP, and consider the VA signals to calculate the SAFE Score. You can perform the assessments by:

  • Uploading a VA report (via CSV) manually
  • Posting the assessment result using the assets’ assessment API

Additionally, depending on the asset matching criteria, you can fetch Vulnerability Assessment results from Qualys and Tenable into cloud assets. You can see these findings on the asset details page and the in the assets' PDF report.

9. Assessment of 12 new cloud Azure asset types 

We have added the assessment support for the 12 new cloud Azure asset types in SAFE.

  • Azure - Automation Accounts Variables
  • Azure - Workflows
  • Azure - Kubernetes Connected Clusters
  • Azure - Stream Analytics Jobs
  • Azure - Batch Accounts
  • Azure - IoT Hubs
  • Azure - Search Services
  • Azure - Service Bus Namespaces
  • Azure - Service Fabric Clusters
  • Azure - Virtual Network Subnets
  • Azure - Virtual Machines Extensions
  • Azure - Virtual Machine Image Templates

For all the existing Azure asset types, controls have been synced with Azure Security Benchmark v3.

10. Enhancements in SAFE Scoring Model

Our scoring model has evolved to address the changing cybersecurity landscape. This upgrade will result in changes to your SAFE score:

  • Overall score - The overall SAFE Score of your organization will change due to adjustments in our model regarding geographic and company profile-based information. The overall score will also be adjusted due to the simplified Policy and CSP modules in SAFE.
  • Technology - The Technology SAFE score may slightly change due to the removal of CSP and Policy related controls. If you have Azure integration, you may see changes in this vertical due to the introduction of additional controls.
  • CSP and Policy SAFE Score will not be available.
  • People - Some changes may be observed due to the recalibration of our scoring model around breach exposure/phishing.

12. Miscellaneous

  • We have added assessment support for Windows 11.
  • The Limited User role is being deprecated.
  • Policy and Cyber Security Products SAFE Score are removed as these are security signals which directly contribute to risk estimation per cyber risk scenario.
  • The maximum number of custom fields allowed in SAFE is 100 by default. Please get in touch with the SAFE support team in case you want to increase the limit.

Was this article helpful?