From the report, “The Prioritization to Prediction series is an ongoing research initiative between Kenna Security and the Cyentia Institute. The first volume proposed a model for predicting which of the numerous hardware and software vulnerabilities published each month were most likely to be exploited, and thus deserving of priority remediation. The second volume sought to apply and test that theoretical model using empirical data collected on billions of observed vulnerabilities. We ended the last report by analyzing vulnerability remediation timeframes across a sample of 12 firms. This third volume picks up where we left off and expands the analysis to roughly 300 organizations of different types and sizes. We leverage a technique called survival analysis to draw out important lessons about remediation velocity and capacity, concepts we explore and define during the course of this report. Overall, our goal is to understand what it means to survive—nay thrive—in the race of vulnerability remediation.” Read on to find out more.

From the report, ““Realized coverage & efficiency vary greatly among firms—over 50% between top and bottom performers—indicating different remediation strategies lead to very different outcomes.” Where is your strategy leading?” Read on to find out more.

The essays in this eBook provide a wealth of information and present an inside look at an aspect of cybersecurity that is still not well understood. I am certain that anyone responsible for critical industrial operations will benefit from the advice and experiences of those who have contributed to this eBook.

This document will examine the cyber risk trends that are of concern to the insurance industry, and introduce the RiskSense solution designed to address these challenges

NopSec has pioneered the research, measurement, and analytics of vulnerability threats since 2013. Its annual State of Vulnerability Risk Management reports are widely used and cited in the cybersecurity industry for its insights and actionable information. As presented in this report, vulnerability threats are ever more expanding and evolving, and NopSec is once again leading the research for new ways to expose these threats and protect valuable assets from getting compromised.

This report examines emerging cyber security challenges and risks that businesses are facing as they embrace cloud services at an accelerating pace. The report provides leaders around the globe and across industries with important insights and recommendations for how they can ensure that cyber security is a critical business enabler. Cyber security leaders and practitioners can use this report to educate lines of business about the real security risks the cloud can present.

The data in this survey suggests that the role of the firewall in network security remains critical even as the network security landscape undergoes significant evolution and expansion. Within the enterprise, organizational and departmental roles and responsibilities with respect to network security in the new technology landscape remain in flux. At the same time, parameters that bound traditional definitions of ‘firewall’ are subject to change as emerging platforms and devices acquire characteristics that were previously in the domain of traditional firewalls. The totality of this complexity overlays and exacerbates pre-existing challenges in managing firewalls rules and protocols and points to the need for innovative solutions to reign in complexity and ease the burdens on overextended network security professionals.

From the report, “Business applications are critical business resources for companies of all sizes — and they’re increasingly under attack. To gain deeper insights into the state of application security, Cybersecurity Insiders conducted an in-depth study in partnership with the 400,000 member Information Security Community on LinkedIn. This report is the result of a comprehensive survey of 437 cybersecurity professionals designed to reveal the latest application security trends, how organizations are protecting applications, and what tools and best practices IT cybersecurity teams are prioritizing to find, fix and prevent vulnerabilities in next-gen applications.”

In the last two years, businesses and governments have seen data breaches like Equifax and Marriott impact 100s of millions of accounts each, as well as critical intellectual property (IP) and core operations. A global survey of 600+ cybersecurity leaders and professionals by Ponemon Institute shows that 67% of organizations are not confident that they can avoid a data breach, and what the primary security and IT challenges that are causing this. The survey also provides fundamental recommendations that can reduce breach risk through innovating and improving a vulnerability management program.

This report offers insights and guides into the new Help America Vote Act.

From the report, “As the hype and soaring price of cryptocurrency has drawn in thousands of new players worldwide, generating a single bitcoin takes a lot more servers than it used to. It is becoming an arms race amongst miners for access to CPUs, GPUs and even electricity. As a result, we are starting to see a cryptojacking epidemic and hackers aren’t sparing anyone; they are targeting everyone from consumers to large multinational organizations.”

This report measures the difference in days between when an exploit for a vulnerability becomes publicly available (Time to Exploit Availability) and when a vulnerability is first assessed (Time to Assess). A negative delta indicates that the attacker has an opportunity to exploit a vulnerability before the defender is even aware of the risk. The sample set used for this analysis is based on the 50 most prevalent vulnerabilities from nearly 200,000 unique vulnerability assessment scans.

In this report we analyze real-world end-user vulnerability assessment (VA) behavior using a machine learning (ML) algorithm to identify four distinct strategies, or “styles.” These are based on five VA key performance indicators (KPIs) which correlate to VA maturity characteristics. This study specifically focuses on key performance indicators associated with the Discover and Assess stages of the five-phase Cyber Exposure Lifecycle. During the first phase – Discover – assets are identified and mapped for visibility across any computing environment. The second phase – Assess – involves understanding the state of all assets, including vulnerabilities, misconfigurations, and other health indicators. While these are only two phases of a longer process, together they decisively determine the scope and pace of subsequent phases, such as prioritization and remediation. The actual behavior of each individual enterprise in the data set, in reality, exhibits a mixture of all VA Styles. For the purposes of this work, enterprises are assigned to the specific style group with which they most closely align. We provide the global distribution of VA Styles, as well as a distribution across major industry verticals.

This report offers 14 tips to fortify your public cloud environment. From the report, “This edition of RedLock’s Cloud Security Trends marks the report’s one year anniversary, and it’s been a sobering year in terms of public cloud breaches, disclosures and attacks. This report highlights key learnings from these incidents along with research by the RedLock Cloud Security Intelligence (CSI) team to shed light on the trends that we can expect this year.”

Synopsys and SAE International partnered to commission this independent survey of the current cybersecurity practices in the automotive industry to fill a gap that has existed far too long—the lack of data needed to understand the automotive industry’s cybersecurity posture and its capability to address software security risks inherent in connected, software-enabled vehicles. Ponemon Institute was selected to conduct the study. Researchers surveyed 593 professionals responsible for contributing to or assessing the security of automotive components.

From the report, “With its customer base of over 4,000 organizations, Alert Logic has first-hand insight into the state of threat detection and response. Drawing from more than a billion security anomalies, millions of security events, and over a quarter million verified security incidents from April 2017 to June 2018, our research has identified five key insights that every business leader, IT leader, and IT practitioner should be aware of: 1. The initial phases of the cyber killchain are merging to accelerate targeted attacks 2. Industry and size are no longer reliable predictors of threat risk 3. Attack automation and “spray and pray” techniques are aiming at everything with an IP address 4. Cryptojacking is now rampant 5. Web applications remain the primary point of initial attack” Read on to find out more.

From the report, “We live in incredible times, where we trust more of our lives to machines that are becoming ever more powerful. We cannot leave the doors to our “digital kingdoms” wide open. Adversaries, both nation-states and for-profit malicious actors, have access to a seemingly unlimited supply of “all access keys”. Our responsibility is to revoke and disable these keys or to at least make that access as difficult as possible through thoughtful defense-in-depth security controls. These controls should not just rely solely on the “next gen” version of a well-known technology. Truly different types of protection and detection technologies need to be layered in order to create the strongest possible defense.” Read on to find out more.

This report offers the following taglines - IoT device breaches undetectable by nearly half of companies, and use of blockchain technology to help secure IoT data, devices and services doubles in a year.

This survey, the sixth in a series of annual studies by SANS on security practices in software development, is the first to explicitly focus on DevOps. The results of this study show that organizations are finding ways to keep up with rapid change through DevOp but they have a number of challenges they still need to deal with.

The “Impact of Cloud on ERP” survey report was designed to assess the impact of ERP solutions on organizations and better understand cloud preparation and data migration needs to implement ERP solutions in the cloud. Features and benefits gained, security and privacy challenges, and time to deploy for an ERP Solution in a cloud environment were explored.

Sonatype’s 4th annual report on managing open source components to accelerate innovation.