Security operations

Security operations is the day-to-day activity of monitoring security and responding to threats and incidents.

Incident response

A security incident is an event which results in, or could result in, loss or damage to the confidentiality, availability, integrity, or privacy of Culture Amp data, systems or networks. We maintain a structured incident response framework which leverages industry frameworks, such as NIST SP 800-61, MITRE ATT&CK, and RE&CT, to ensure that security incidents are managed in a consistent, effective, and efficient manner. Culture Amp has defined playbooks for investigating and responding to security incidents, consisting of detailed response actions which document the necessary steps at each stage of the incident lifecycle. These playbooks and the incident response plan provide interfaces to key support processes, including our Crisis Management Process and the notification processes for communicating with team members and customers.

Our team members operate Testing, Training, and Exercise (TTX) and Post Incident Review (PIR) programs which seek to ensure that responders are familiar with the processes, tooling, and practices involved in responding to a security incident and that opportunities to improve processes and documentation are proactively identified following a real or simulated event.

Security detection program

Culture Amp operates a security detections program that aims to ensure that we are able to effectively detect anomalous activity across the environment. The detections program is driven by an understanding of the external threat landscape and our internal threat models. We leverage commercial and open source threat intelligence sources to gain an understanding of the adversaries targeting our environment and the tactics and techniques they commonly use, and we apply this knowledge to prioritise the development of new use cases, detections, and response actions, as well as the lifecycle management of existing detections.

Detections roll up into our broader use case management framework, which allows for the consistent development and coordination of detections, playbooks and response actions, log sources and events, and automations. The framework ensures that these are aligned to available threat intelligence, business context and risk, and allows for continuous improvement across the detection lifecycle.

Threat Hunting

At Culture Amp, our threat hunting practices are designed to proactively identify and mitigate potential security threats before they can impact our operations. We employ the TaHiTI framework as the foundation for our threat hunting methodology, leveraging its structured approach to ensure thorough and effective threat detection using available threat intelligence to form hypothesis-driven hunts.

Our approach combines both managed threat hunting services from a security partner and internal threat hunting initiatives. This dual strategy allows us to benefit from the latest industry expertise and a broad range of intelligence sources while utilizing our internal team's deep understanding of our unique environment.

To maintain a high level of preparedness, we operate a rigorous testing, training, and exercise program. This includes regular adversary emulation testing and drills, simulating real-world attack scenarios to identify potential attack paths for future threat hunting activities. These preparations are supported by frequent formal training in threat hunting processes and methodologies, and by involvement in security operations development opportunities such as Splunk’s Boss of the SOC and other capture the flag and simulated incident events.

Security testing

Culture Amp employs a combination of internal and external security testing to ensure that vulnerabilities in our environment and our platform are rapidly detected and remediated. External security testing is driven by multiple factors, including compliance testing, major platform changes and events, testing, training, and exercise requirements, and verification of the efficacy of vulnerability remediation practices. Culture Amp leverages a panel of specialised security firms employing appropriately skilled and qualified individuals to assist with this testing, and rotates between the panel members to reduce bias and skill gaps in our testing program.

External testing is supported by internal security testing practices embedded throughout the development lifecycle including threat modelling, security reviews, secure code reviews, and application security testing activities.

Culture Amp welcomes verified reports from external security researchers and is currently exploring a public bug bounty program to ensure that we can reward researchers for the time and effort they invest in contributing to our platform security posture.

Vulnerability management

Culture Amp operates a comprehensive vulnerability management program which serves as the framework for the systematic identification, assessment, prioritization, and mitigation of vulnerabilities within the environment. Our program encompasses a broad range of technologies, addressing vulnerabilities across end-user compute devices, containers, codebases, and open-source dependencies which can be identified from a variety of sources including tools, penetration tests, security and peer reviews, and vendor notifications.

For end-user compute devices and static workloads we employ continuous endpoint scanning tools to detect and notify remediation teams of potential vulnerabilities. Our container security strategy includes rigorous scanning and integration with our CI/CD pipelines to ensure that our containerized applications remain secure. In our software development lifecycle, we integrate static code analysis tools to identify and fix code vulnerabilities early in the development process before they are deployed to production.

We also closely monitor open-source and third-party dependencies, using specialized tools to continuously identify and manage vulnerabilities in these libraries. This proactive approach ensures that any vulnerabilities are promptly addressed, reducing the risk to our systems and our customers.

Security Advisories

[page for us to publish advisories and notifications to customers]
