Last week, we had the privilege of hosting the highly informative CyberRisk Summit, held twice a year, bringing together a diverse group of cyber risk experts from various industries and companies. Throughout the event, these experts shared their top cyber security advice, tips, and profound knowledge on a wide range of topics, delving into the realms of cyber risk and vulnerability risk management in… challenging times.
The summit provided a unique opportunity for the Vulcan Cyber community to gain valuable insights and practical strategies to tackle the ever-evolving challenges posed by cyber security threats. From discussions on risk assessment methodologies to the implementation of effective management at scale, the summit covered a broad spectrum of crucial subjects. With each session, we deepened our understanding of the complex cyber landscape and discovered innovative approaches to enhance our organization’s cyber resilience.
The valuable lessons learned and the knowledge gained during the summit will undoubtedly play a pivotal role in strengthening our cyber security posture and fortifying our defenses against potential threats in the future.
Here are the main takeaways from CRS this time around:
Session 1: Helping enterprises mitigate cyber risk at scale
Speaker: Yaniv Bar-Dayan, Vulcan Cyber CEO
1. The enterprise attack surface is expanding
The attack surface grows as we speak, with large corporations, smaller enterprises, hyperscale tech companies, and more, relying heavily on scanning tools to identify vulnerabilities, assess risks, and gain insights into their enterprises’ attack surface and posture.
2. Vulnerability risk management is a multi-tool effort
Enterprises employ multiple tools (up to 20) to collect information for risk identification and vulnerability management. These tools produce thousands of new vulnerability instances and hundreds of thousands of critical vulnerabilities daily, sourced from infrastructures, code projects, applications, and SaaS.
3. There’s always someone in charge
The difficulty of remediation lies in identifying the right remediation owner for each finding, which requires associating ownership data distributed across different systems and databases.
4. Processes also need to scale
The ability to scale the process of managing vulnerabilities effectively is crucial for enterprises, especially as they continue to onboard new tools and face regulatory compliance requirements.
5. Follow the steps
Scaling the vulnerability management process involves steps such as correlating data, enriching findings with contextual information, prioritizing vulnerabilities, associating tasks with owners, and measuring progress.
Watch the full session here >>
Session 2: CISO perspectives on efficient cyber security with limited resources
Speaker: Frank Kim, YL Ventures CISO in residence
1. Principles matter
When dealing with limited resources, it’s important to go back to first principles and focus on the fundamental concepts of cyber security. Often, in the midst of daily emergencies and distractions, common sense practices may be overlooked. Remind yourself and your team of the basic principles and turn them into common practice.
2. Don’t forget the goals
As a security leader, your role extends beyond implementing controls to encompass managing information risk for the organization. Understanding business objectives and aligning your security program with the broader goals of the organization are crucial aspects of this responsibility.
3. Cyber risk is business risk
Treat cyber security as an enterprise risk issue, not just an IT issue. Like other risks faced by the organization, cyber risk needs to be managed strategically. Take into account strategic, financial, operational, legal, and reputational risks, as cyber security risk cuts across all these areas.
4. The risk equation
Assess the likelihood and impact of cyber security risks. Likelihood refers to the probability of a security incident occurring, while impact refers to the potential harm or consequences of such an incident. Consider the interplay between likelihood and impact to determine the level of risk and prioritize efforts accordingly.
5. Control with compensating controls
When faced with high-risk scenarios, focus on implementing compensating controls and processes to mitigate the risk. Compensating controls are security measures or practices that can help bridge the gap and reduce the likelihood or impact of a security incident.
Watch the full session >>
Session 3: Prioritizing vulnerability risk at Verana Health
Speaker: Jayashree Jagannath, director of security and compliance at Verana Health
1. Get your cyber risk together
One of the challenges faced was the lack of a unified view of vulnerabilities. With different sources providing vulnerability data, it was important to get a single pane of glass for teams to effectively assess and resolve vulnerabilities.
2. Assets, not just vulnerabilities
Proper asset management was crucial for understanding what needed to be protected or monitored. Verana Health’s data and assets are highly sensitive as they are operating in the world of digital health analytics. Setting up a structured account structure and standardized tagging helped categorize and assess risks associated with different assets.
3. Vulnerability and patch management fatigue
Managing and prioritizing vulnerabilities, as well as patching them, posed a challenge due to the continuous influx of vulnerabilities. Prioritizing vulnerabilities based on risk and establishing SLAs for timely fixes helped address this issue and build urgency wherever it was needed.
4. Build a security culture
Building a culture of security was emphasized, involving educating teams, promoting a top-down approach, and integrating security practices into the development process. A shift left mentality and instilling secure coding practices were important aspects of the security culture.
5. Choosing the right platform to manage risk
Criteria for selecting a tool that will be used to manage vulnerability risk included the ability to integrate with different vulnerability sources, ease of asset classification and risk communication, vulnerability prioritization organization’s specific measures, advanced reporting and analytics, and providing sufficient information to developers for fixing vulnerabilities.
Verana Health selected Vulcan Cyber vulnerability risk management platform due to product features that addressed their challenges such as The Vulcan connectors and integration capabilities, single pane of glass for asset risk management, automated campaigns for vulnerability scanning and ticket creation, reporting and analytics functionalities, integration with Jira for tracking and resolving vulnerabilities, prioritization and remediation based on threat intelligence and business risks.
Watch the full session here >>
Session 4: Getting the most out of EPSS and CVSS for risk prioritization
Speakers: Roy Horev, Vulcan Cyber CTO, and Octavian Suciu, postdoctoral cyber security research
1. What is EPSS?
EPSS (Exploit Prediction Scoring System) is a community-driven effort that aims to derive a probability of observing exploitation activity in the wild within the next 30 days. It is based on machine learning and collects data about vulnerabilities and exploits to predict future exploitation activity.
2. EPSS vs. CVSS
EPSS is not designed to replace CVSS (Common Vulnerability Scoring System) but rather complement it. While CVSS focuses on the characteristics of vulnerabilities, EPSS takes into account additional factors such as exploit availability, attacker skills, and patching cadence to provide a more accurate prediction of exploitation likelihood.
3. EPSS is a vulnerability prioritization factor
EPSS predictions are updated daily and should be used in conjunction with other risk management information and contextual factors. It helps prioritize resources within the high CVSS score bucket by considering vulnerabilities with high CVSS scores and high probabilities in EPSS.
4. Not everything is perfect
Feedback on EPSS has highlighted two main challenges: transparency and completeness. Users often want to understand why EPSS scores change and have more transparency into the underlying data. However, contractual obligations with data partners limit the level of transparency that can be provided. EPSS is also not a comprehensive risk assessment tool and cannot capture all environmental and compensating control factors.
5. The golden advice for infusing EPSS into day-to-day risk management
Start with threat intelligence. If vulnerabilities are already known to be high-priority through threat intelligence, focus on those first. Then, leverage EPSS by combining its probability output with contextual and environmental information from other sources to set priorities accordingly. EPSS should be seen as one tool among others in the risk management process.
Watch the full session here >>
Session 5: Putting cyber security data to work at scale
Speakers: Yitzy Tannenbaum Vulcan Cyber director of product marketing, Annam Iyer Wiz product manager, Steve Boone Checkmarx head of product growth, Yochai Corem Cyberint CEO, Andrew Grealy CTCI CEO
1. The Vulcan Cyber integration engine
We acknowledge the importance of integrating to a wide variety of cyber security tools, fast. The new integration engine allows for seamless and speedy integration with various security tools in an organization’s ecosystem. We have over a hundred out-of-the-box connectors and also provide a low-code way to integrate with unique or custom security solutions.
2. The Vulcan Cyber Wiz integration
Wiz offers an agentless scanning approach for cloud workloads, utilizing APIs provided by different cloud service providers. They scan and analyze resources across multiple cloud environments, including AWS, Azure, GCP, Oracle, and AliCloud. Wiz has recently integrated with Vulcan Cyber, allowing customers to get a comprehensive view of cloud vulnerabilities posture and de-duplicate findings for prioritized remediation actions. This integration simplifies the process and helps customers make informed decisions about their cloud vulnerability management.
3. The Vulcan Cyber Checkmarx integration
Checkmarx offers an application security platform that includes various engines for static application security testing, software composition analysis, infrastructure as code scanning, container scanning, dynamic application security testing, and API security. Checkmarx’s integration with Vulcan enables seamless orchestration and automation of security actions. The integration allows for automated security scans and actions, saving time and effort for security teams. Real-time threat response becomes a reality, as security scans can be initiated automatically within the platform.
Watch the full session here >>
Beyond the best practices
Taking on board cyber security advice is only one piece of the puzzle. The rich tapestry of today’s vulnerability risk environment means that security teams must rally their entire organizations to assist with the vulnerability management effort. This is often a case of aligning tools, gaining a clear picture of cyber risk, and communicating in a shared language to ensure the most pressing risk is mitigated effectively. But with so many moving parts, teams are quickly overwhelmed.
You can manage vulnerabilities and risks across all your attack surfaces at scale with the Vulcan Cyber® risk management platform. Book your demo today.