Last week we hosted the third, semi-annual Remediation Summit by Vulcan Cyber. Firstly, we’d like to thank the more than 200 attendees who participated in the virtual event, and our keynote speakers, who talked all things cyber risk:
Each year, the Remediation Summit brings together the leading minds, best practices, and latest technologies in cyber risk measurement, vulnerability prioritization and remediation across enterprise surfaces, including cloud, application, and traditional IT infrastructure.
If you missed the summit, don’t worry - we’ve got you covered. This blog post summarizes seven golden lessons learned from our speakers about cyber risk management. Links to watch each of the Summit sessions on our BrightTalk channel are also provided below.
- Today, cyber risk owns us - it’s extremely hard for security professionals to manage risk and understand what to do first. This is even more pronounced in the modern environments we handle today, such as cloud, IoT, etc.
- Application security moves more responsibility to the execution side - the holy grail of application security programs is to shift security responsibilities to developers, but to do so we must have reliable datasets and holistic visibility into the application inventory.
- Get and stay above “the negligent bar” - for every organization there’s an unreasonable risk they want to uncover. What we as security professionals need to aspire to is to get above that “unreasonable risk” bar, AKA “the negligent bar”. This is only possible if we get help from others in the organization, rather than simply trusting ourselves and our tools. Security basics such as 2FA, property management and encryption, malware protection, security training, etc. make a big difference and would likely get us above that bar.
- Measuring cyber risk programs is still a struggle, but it is possible - How are you measuring the cyber risk posture of your business or organization? There's a good chance you aren't, and if you aren't, you are not alone. Measuring cyber risk is a struggle, but it is still possible. Adding meaningful business context, such as an acceptable risk threshold or risk policy, to the risk equation is a good place to start. Attend this webinar to learn how the new Vulcan Security Posture Rating can help your cyber security team integrate business context and understand the percentage of assets compliant with policy.
- Hackers love Windows - It's a big job to secure Windows environments and Windows updates don't make the job easier. Windows updates are often inconsistent and advisories can be extremely complex. Attend this webinar to learn about the new Vulcan Cyber solution to collect, suggest and match Windows advisories to Windows vulnerabilities and help streamline Windows security.
- Vulnerability prioritization can become more efficient in application security programs - If we've learned anything from Log4Shell, it is that application security programs can stand to be much more efficient and effective. A risk-based approach to vulnerability prioritization will help application security teams confidently run secure code in production. To measure risk, AppSec teams need help aggregating data from multiple vulnerability scanners, asset repositories, and threat intelligence feeds. And as vulnerabilities and exploits increase, application security teams need to know what the risk of any one vulnerability means to their specific organizations or business units.
- Attackers are looking for your exploits, and better prioritization will help you avoid being the next target - Threat actors are always on the hunt for the most efficient attack vector, but the common denominator for almost all exploits is the unmitigated, yet known, vulnerability. Attend this webinar to learn how to get into the head of the attacker and more effectively prioritize vulnerability-generated risk. To better manage cyber risk, IT security teams must aspire to identify more exposed assets and proactively work to protect their organizations. Look at cyber risk from a different perspective…the attacker's perspective.
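As a worked illustration of two of the lessons above (adding business context such as a risk threshold to the risk equation and reporting the share of assets within policy, and aggregating scanner output with asset and threat-intelligence data for risk-based prioritization), here is a small added example. It is not Vulcan Cyber's code and does not reproduce the Security Posture Rating algorithm; the scanner findings, asset criticality multipliers, vulnerability identifiers and the known-exploited set are all constructed for the demo.

```python
"""Risk-based vulnerability prioritization with business context.

Added example, not Vulcan Cyber's code. It merges findings from several
scanners, weights each finding by asset criticality (asset repository) and
exploit availability (threat intel), ranks the remediation work list, and
reports the percentage of assets whose worst finding is within a risk policy
threshold. Every input below is constructed; the VULN-* ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str   # constructed placeholder identifiers, not real CVEs
    cvss: float    # base severity as reported by the scanner


# Constructed output of two scanners; they overlap on one finding.
SCANNER_A = [
    Finding("web-01", "VULN-1001", 9.8),
    Finding("web-01", "VULN-1002", 5.3),
    Finding("db-01", "VULN-1003", 7.5),
]
SCANNER_B = [
    Finding("web-01", "VULN-1001", 9.8),   # duplicate of a scanner A finding
    Finding("lab-vm", "VULN-1001", 9.8),
    Finding("db-01", "VULN-1004", 4.3),
]

# Constructed asset repository: business criticality as a score multiplier
# (customer-facing web tier counts double, a throwaway lab VM counts half).
ASSET_CRITICALITY = {"web-01": 2.0, "db-01": 1.0, "lab-vm": 0.5}

# Constructed threat-intel feed: vulnerabilities with a known public exploit.
KNOWN_EXPLOITED = {"VULN-1001"}


def merge_findings(*scanner_outputs):
    """Deduplicate findings across scanners by (asset, vuln_id)."""
    merged = {}
    for output in scanner_outputs:
        for f in output:
            merged.setdefault((f.asset, f.vuln_id), f)
    return list(merged.values())


def risk_score(finding, criticality, known_exploited):
    """Severity x business criticality, doubled when an exploit is known."""
    score = finding.cvss * criticality.get(finding.asset, 1.0)
    if finding.vuln_id in known_exploited:
        score *= 2
    return round(score, 1)


def prioritize(findings, criticality, known_exploited):
    """Return (score, asset, vuln_id) tuples, highest risk first."""
    ranked = [(risk_score(f, criticality, known_exploited), f.asset, f.vuln_id)
              for f in findings]
    return sorted(ranked, reverse=True)


def asset_risk(findings, criticality, known_exploited):
    """Worst finding per asset; that is what decides policy compliance."""
    worst = {}
    for f in findings:
        s = risk_score(f, criticality, known_exploited)
        worst[f.asset] = max(worst.get(f.asset, 0.0), s)
    return worst


def posture_rating(asset_risks, policy_threshold):
    """Percentage of assets whose worst finding is within the risk policy."""
    if not asset_risks:
        return 100.0
    compliant = sum(1 for r in asset_risks.values() if r <= policy_threshold)
    return round(100.0 * compliant / len(asset_risks), 1)


if __name__ == "__main__":
    findings = merge_findings(SCANNER_A, SCANNER_B)
    for score, asset, vuln_id in prioritize(findings, ASSET_CRITICALITY, KNOWN_EXPLOITED):
        print(f"{score:6.1f}  {asset:8s}  {vuln_id}")
    risks = asset_risk(findings, ASSET_CRITICALITY, KNOWN_EXPLOITED)
    print("assets within policy (threshold 10.0):", posture_rating(risks, 10.0), "%")
```

Note how the same scanner severity (9.8) lands at the top of the list on the exposed web server and near the middle on the lab VM: the business context, not the scanner, decides the order. The posture figure moves only when the worst finding on an asset is fixed, which is the behaviour a policy-based rating should have.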
In summary, the biggest lesson we have heard across the board in all of the sessions is that in order to own risk, one must manage it holistically, end to end: from identifying all the assets in our ecosystem, to working with other teams to achieve security collaboration, to prioritizing vulnerabilities better. This is the only way to stay steps ahead of cyber risk, act proactively and strengthen security posture.