At the Cyentia Institute, we believe a closer community is a smarter community. Our team is always on the lookout for event opportunities and other partnerships that help advance cybersecurity knowledge and practice. Explore upcoming events below.
September 25th, 2024 | 2:00PM EST
Rewatch the discussion designed to unpack the new insights from the explosive IRIS Ransomware and discuss the broader implications of our latest findings on ransomware trends.
During the recording, you will:
At Cyentia Institute, we are committed to fostering a community of cybersecurity excellence. Enjoy this discussion with special guest Olga Livingston from CISA and let’s collectively explore the ever-evolving landscape of cyber threats!
October 12th, 2024 | 1:45PM EST
In most organizations, threat intelligence and risk quantification functions rarely collaborate. This is unfortunate, since they share the same goal of enabling risk-informed decision making to protect the organization. One of the major reasons behind the CTI-CRQ gap is they speak such different languages and leverage different frameworks. One seeks intelligence on adversaries, TTPs and IOCs, while the other seeks to understand scenarios, LEF, LM.
Wouldn’t it be amazing if there was a bridge between these two worlds to facilitate tighter collaboration and better risk management? Why not measure LEF for TTPs or estimate LM for adversaries? The latest Information Risk Insights Study (IRIS) from the Cyentia Institute seeks to build that bridge.
Sponsored by the Cybersecurity and Infrastructure Security Agency (CISA), the IRIS 2024 analyzes tens of thousands of historical cyber loss events to supply frequency and loss measures to support FAIR-aligned risk analysis. It also incorporates a huge collection of open-source intelligence to assess the most common and impactful MITRE ATT&CK techniques behind these incidents to help organizations collaboratively prioritize defenses.The IRIS 2024 is scheduled for release soon after FAIRCON24. But attendees will get an exclusive sneak peek at findings from the study at the conference. Please join us as we ATT&CK CRQ!
Join Wade at FAIRCon for a compelling session where industry experts will dive into innovative approaches for quantifying cyber risks. This discussion will feature Wade Baker, PhD,Co-Founder of the Cyentia Institute; Jon Baker, Director & Co-Founder at the Center for Threat-Informed Defense, MITRE Engenuity; and Vidit Baxi, CISO at Safe Security. Together, they will explore the intersections of MITRE ATT&CK frameworks and cyber risk quantification, providing insights into how organizations can enhance their security postures by leveraging these methodologies for better threat assessment and strategic planning.
September 26th, 2024
Join us for a webinar as the Cyentia Institute and SecurityScorecard dive into the findings of the “Global 2000” report. We’ll explore the monumental cyber risks that some of the world’s most influential companies face today. From third-party vulnerabilities to supply chain complexities, this discussion will unpack the data, highlight key trends, and offer actionable insights to help you understand and mitigate these challenges. Don’t miss this opportunity to hear from industry experts and learn how to strengthen your organization’s security posture in a rapidly evolving risk landscape.
September 12th, 2024 | 2:00PM EST
Are you concerned about the rising number of cyber threats targeting your organization? Ever wonder how many of the vulnerabilities you’re managing may be exploited or how to predict such events? Our upcoming webinar will provide you with answers and insights to address these challenges.
Join the Cyentia Institute and Tenable as we explore the latest research into vulnerability exploitation and the development and historical performance of the Exploit Prediction Scoring System (EPSS). By attending, you will learn about:
September 10th, 2024 | 1:00PM EST
As attackers evolve, so must the strategies for identifying and prioritizing vulnerabilities. This webinar, led by Jay Jacobs, co-founder of Cyentia Institute and one of EPSS’s creators, and Guillaume Ross, Deputy CISO at JupiterOne, will delve into Cyentia Institute’s latest research, addressing the limitations of traditional vulnerability management methods like CVSS, and providing attendees with insights on integrating EPSS into their security practices.
As risk-based vulnerability management programs advance, the emphasis shifts from merely understanding current exploits to proactively anticipating future threats.
The Exploit Prediction Scoring System (EPSS) embodies this forward-looking mindset by using probability and machine learning to estimate the likelihood of software vulnerabilities being exploited.
However, relying solely on an EPSS threshold based on general risk tolerance provides only a broad prediction. To truly harness the power of EPSS, it’s essential to tailor this threshold to your organization’s unique context.
In this webinar, Jay Jacobs (EPSS report author, Cyentia) teams up with Stephen Shaffer (EPSS Sig Co-Chair, FIRST) and Scott Kuffer (COO and Co-Founder, Nucleus) to walk you through the steps of operationalizing EPSS. They will show how to combine EPSS with detailed business and asset data, such as internet accessibility, data sensitivity, asset criticality, and compliance requirements.
Join us as we delve into:
We’ve all heard plenty over the last several years about the rise of ransomware, and many of us have been charged with assessing the risk it poses to our organization. In a first for the IRIS, this edition focuses on a specific incident pattern: ransomware. Join us for highlights from and discussion of findings including, but not limited to these questions:
Our Anniversary Bash was an awesome opportunity for us to take a step back and appreciate all that we’ve accomplished together, as well as to share the excitement for what’s coming next. Revealing our new projects and future plans to you all was genuinely one of the best parts of the event.
Key highlights from the webinar:
#5 redefines the game!!
Replay Coming Soon!
November 15th, 2023 | 1:00PM EST
Join us for our next webinar with RiskRecon, where we explore the intricate web of “Ripples Across the Attack Surface” based on our latest comprehensive report.
In this session, we’ll take a deep dive into the realm of “ripple events,” those seemingly minor incidents that can trigger significant consequences. Our analysis, built on an exhaustive study of nearly 900 historical cases, unveils the top MITRE ATT&CK techniques that adversaries exploit in these scenarios and how these ripples spread across organizations and their interconnected supply chains.
During this webinar, you can look forward to:
This is your chance to proactively shield your organization against unforeseen security risks. Don’t let the unpredictable catch you off guard. Register now to stay well-prepared and ahead of the ever-evolving threat landscape!
One fundamental question resonates in the cybersecurity community: “How will adversaries attack us, and what defenses should we prioritize?” This query is all too familiar, and finding precise answers isn’t always easy.
Enter MITRE ATT&CK®, the keystone of adversary tactics and techniques. Grounded in real-world observations, it’s the bedrock for enhancing cybersecurity strategies. Yet, as the data landscape expands, a new challenge arises: harmonizing the myriad of statistics on ATT&CK techniques.
Join Us for a sneak peak into the newest collaborative report with TidalCyber: Our experts will be available for questions, discussions, and valuable perspectives!
November 2nd, 2023 | 12:00PM EST
Join us on November 2nd at 12 PM EDT for an exciting webinar where we introduce our partnership with Axio and showcase the enhanced Axio360 cybersecurity performance management platform.
•Deep Dive into Industry Nuances: Discover industry-specific insights and explore surprising financial impacts through this innovative approach.
• Unveiling Data-Driven Insights: Witness how Axio and Cyentia collaboratively combat fear, uncertainty, and doubt in the realm of cyber risk quantification.
• Realistic Cyber Risk Assessments: Learn how our partnership equips organizations with practical cyber risk assessments, emphasizing the value of Cyber Risk Quantification.
Don’t miss this opportunity to stay ahead in the ever-evolving landscape of cybersecurity. Register for the live webinar and unleash the power of data-driven cyber risk management.
As the cybersecurity landscape continues to evolve at an unprecedented pace, gaining deep insights into cyber threats is more critical than ever. We invite you to mark your calendar and join u.s for an engaging and informative webinar about the newest addition to the Risk Retina Family, the IRIS Threat Event Analysis.
Our webinar promises an extensive exploration of the IRIS Risk Retina® Threat Event Analysis and its practical applications in the real world. David and John join to bring you a focus on use cases, where we’ll uncover invaluable insights to sharpen your cybersecurity strategies, and show you the best applications for IRIS T.E.A
Here’s a Sneak Peek of What to Expect:
This webinar isn’t just a discussion about theoretical concepts. We’ll emphasize real-world applications and tangible outcomes that can significantly impact your cybersecurity efforts. Our team of experts will be on hand to answer your questions and provide invaluable insights.
Buckle up, cybersecurity enthusiasts! It’s time to embark on a quirky and informative journey into the world of MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge). Join us for our monthly Cyentia webinar on September 28th at 2:00 PM EST, where we’re answering your top ten questions, straight from the keyboard of our beloved ChatGPT, the AI wordsmith.
Ever wondered how MITRE ATT&CK fits into the wild world of cybersecurity? Don’t worry; you’re not alone! We’ve heard your curious inquiries, and ChatGPT is here to spill the beans – in its own…charming…way.
In this laugh-out-loud yet insightful webinar, our team will unravel the mysteries of MITRE ATT&CK by addressing the following burning questions (courtesy of ChatGPT’s musings) and more:
These questions come straight from the mind of ChatGPT, the AI sensation, and they highlight the growing importance of MITRE ATT&CK in cybersecurity. Get ready to laugh, learn, and leave with a newfound appreciation for all things ATT&CK.
Join us for a hilarious yet enlightening experience as we decode MITRE ATT&CK, one witty answer at a time. Reserve your spot now, because in this webinar, even the toughest cybersecurity questions come with a punchline!
Sign up today to get exclusive webinar content from our in-depth, monthly discussion with the team!
Join us for July’s webinar on the 20th at 2PM EST – Prioritization to Prediction: Greatest Hits! Our experts, Wade and Jay, will guide you through an insightful journey, discussing the most remarkable highlights from the past 8 volumes of our groundbreaking reports we developed in collaboration with Kenna.
Known for their expertise in vulnerability management, Wade and Jay will provide in-depth analysis and valuable insights derived from years of extensive research. This is a unique opportunity to tap into their wealth of knowledge and gain a comprehensive understanding of the key findings that can enhance your vulnerability management efforts and maximize risk reduction.
Don’t miss out on this engaging session with Cyentia as we unravel the key takeaways from our report’s vast collection of insights. Register now for the webinar and mark your calendars to join us for a discussion that will enhance your approach to vulnerability management.
Stay tuned for Volume 9, scheduled for release later this year, and ensure you stay up-to-date with the latest advancements in vulnerability management research. Take the first step in transforming your cybersecurity strategy by reserving your spot in this must-attend webinar.
Is anything “normal”? Nearly every cybersecurity phenomenon includes extreme events. Ben Edwards will discuss methods to handle this phenomenon with relevant examples from vulnerability management, application security, SIEM data, and human risk.
Join our monthly webinar on June 15th at 2pm EST as we delve into the power of tracking exploit code and how it shifts the way organizations should track and prioritize vulnerabilities.
In today’s rapidly evolving landscape, the relationship between publicly available exploit code and real-world exploitation activity is stronger than ever. Learn about new research from Cyentia and discover how detecting and analyzing exploit code can help your organization bridge this gap, significantly reducing the chances of costly breaches and reputational damage. With Cyentia, you can stop guessing and start knowing the probability of exploitation, enabling you to take timely and informed action.
Don’t miss this opportunity to gain a deeper understanding of vulnerability through our discussion with Jay on Cyentia’s Exploit Intelligence Service (EIS) as he guides us on it’s potential to transform your vulnerability management strategy. Register now and experience the power of exploit intelligence for assessing the risk of exploitation. It’s time to make informed decisions and protect your organization’s digital assets.
Join us on May 25th at 2pm est for our monthly Cyentia webinar where we’ll be discussing our recent events at RSAC and SiRA. Our team had the opportunity to participate in these conferences and we’re excited to share our insights and experiences with you. In this webinar, we’ll explore key takeaways from both events and delve into the latest trends and developments in cybersecurity. You’ll gain valuable insights on the current state of the industry and what you need to know to stay ahead of the curve. Don’t miss out on this opportunity to learn from our team of experts. Register now and mark your calendar!
May 18, 2023 | 9:00AM EST
Did you know that 71% of organizations have exposures that can allow attackers to pivot from on-prem to cloud?
Or that once an attacker accesses a cloud environment, 92% of critical assets lie just one hop away?
But did you also know that 75% of all exposures lead to dead ends – or issues that don’t put organizations’ critical assets at risk?
Want to discover more fascinating stats and trends impacting exposure management in 2023?
Join us for a webinar with Wade Baker, as he explores the findings from our new research report, Navigating The Paths of Risk: The State of Exposure Management in 2023, along with XM Cyber’s SVP Product and Innovation Menachem Shafran and VP Research Zur Ulianitzky.
While much of the research we’ll discuss is global or US based, we’ll also highlight some LATAM specific data points and what unique challenges the region faces.
May 17th, 2023 | 3:45 – 4:30PM EST
The tools that got you where you are – managing typical risk – won’t get you to where you’re going – managing extreme losses. The Cyentia team has wrestled with this problem. In this session, come learn what tools and techniques can be used to identify and manage the risks out in “the Devil’s Tail”.
May 17th, 2023 | 1:00 – 1:45PM EST
Vulnerability prioritization is an exercise in risk analysis. Like any other analysis it requires measurement of threats, weaknesses and potential impact. Multiple studies have shown the existing scoring systems are inadequate, so we’ve developed EPSS to play a supporting role in your risk analyses.
March 21, 2023 | 10:00AM CT
During this webinar viewers will:
In this webinar, we’ll share a bit about the new EPSS updates, discuss the increasing data and partnerships, how we use EPSS and how you can benefit from the Exploit Prediction Scoring System.
Get an inside look into the open, data-driven effort for estimating the likelihood that a software vulnerability will be exploited in the wild.
March 9, 2023 | 2:00PM EST
Join us for the second part of our webinar with CyberTheory where we’re going to be diving further into the second installment of our collaborative CISO Engagement & Decision Drivers Study and answering any questions you may have! Don’t miss this engaging and informative webinar!
What we’ll cover in this webinar:
✓ How has cybersecurity engagement shifted quarter-to-quarter in 2022?
✓ What are the account based marketing (ABM) implications of webinars?
✓ Which are the top cybersecurity content types across regions?
✓ What are the differences between ‘live’ versus ‘virtual’ summit sessions?
✓ What regional differences exist in cybersecurity user engagement around the globe?
✓ Which asset titles titillate CISOs?
✓ What are the top on-demand summit sessions?
And much much more!
Mark your calendars and join Mike D’Agostino and Julie Jordan from CyberTheory, for a discussion with our very own Wade Baker, PhD and Ben Edwards on March 9th at 2 pm Eastern.
Join us for the second live webinar in our new monthly webinar series! This month, Wade Baker & David Severski join us for a dive into our latest foray into the wilds of cyber risk analysis.
To date, our Information Risk Insights Study (IRIS) series has been more focused on modeling higher-level event frequencies and losses. But we’ve heard from many risk analysts and security professionals that they’d like a more tactical view into the who, what, and hows behind the 10 years of cyber loss events. In response, we’ve been hard at work applying MITRE ATT&CK and VERIS (used in Verizon’s DBIR) to our historical incident data.
In this webinar, we’ll share a bit about our approach to this, what we’re learning, and how you can benefit from this research through the IRIS and our customized Risk Retina offerings. You’ll see how this kind of analysis goes well beyond just cyber risk quantification to guide tactical security strategies.
Be the first to get a sneak peak into both the process behind the stats and the stats behind the process of this new body of research.
High risk users are the top quartile of users in an organization who have had at least one instance of risky behavior or event. They are responsible for 41% of all simulated phishing clicks, 42% of all malware events, and 54% of all secure-browsing incidents.
Register & attend this live webinar to learn more about:
✓Identifying and analyzing high risk individuals and actions;
✓Percentages of high risk users in relation to different departments;
✓Improving security decision making.
More webinar details here
We teamed up with SecurityScorecard to analyze data from their Automatic Vendor Detection on over 230,000 organizations for clues about the underlying conditions that exacerbate third and fourth-party risk. By measuring the extent of digital supply chains and investigating the prevalence of security incidents among third and fourth-party vendors, this report takes a look at how the effects of exposure yield insights on how to better manage risk.
Join Wade Baker, Partner at the Cyentia Institute and Vanessa Sorenson, Sr. Product Marketing Manager for SecurityScorecard where they’ll talk about key findings and trends from the research report including:
✓ How the interdependence of modern digital supply chains can impact cyber risk exposure
✓ What industries have the most third- and fourth-party connections
✓ Steps your organization can take to dig deeper into how you can better protect your organization from third-and fourth- party risk
We learned a lot in 2022 and as we ring in the new year, we take a look back to at the top 10 key findings from our research! Register now to get an inside look from the Cyentia Institute Team as they discuss the importance and value of the 2022 research!
November 15 2022 | 7:00PM EST
Presenters: Wade Baker
Presenters: Wendy Nather (CISCO)
Presenter: David Severski
Presenter: John Sturgis
Presenter: Wade Baker
Presenter: Neal Roylance
October 25 2022 | 12:20-1:00PM EST
Moderator: Wade Baker
Presenter: David Severski
Presenter: Olga Livingston, PhD
September 27 2022 | 4:15PM EST
Since its original release in 2020, the Information Risk Insights Study has expanded upon its extensive analysis of a huge historical dataset in the IRIS series, shining light on topics like extreme loss events and massive multi-party incidents.
Now, thanks to sponsorship from the Cybersecurity & Infrastructure Security Agency (CISA), the IRIS is back – bigger and better than ever for a 2022 update and expansion. The new study analyzes 77,000 cyber events, $57 billion in reported losses, and 72 billion compromised records. We explore common patterns among those events and identify threat techniques that contributed to their success.
FAIRcon 2022 will be the FIRST PUBLIC PREVIEW of the new study – everyone else will have to wait until it’s fully published! Join Wade and David as they explore the ways that you can use the IRIS to improve your cyber risk quantification efforts!
Join Wade Baker, Benjamin Edwards, Mike D’Agostino, and Julie Jordan for an in depth look into the CISO Engagement & Decision Drivers Study!
We’ll answer pressing questions surrounding CISO engagement including:
What are the most popular content topics in 2022?
How fierce is the competition for certain topics?
Why is evergreen content so valuable?
What are the most engaging vendor brands?
What content format ‘punches above its weight’ in engaging cybersecurity audiences?
Which content works best for specific job functions?
How do we engage multiple contacts from the same organization (ABM)?
We’ll also go into more depth on our research methodology and where our proprietary intent data comes from. How to create effective content by understanding which cybersecurity topics and formats are dominating and then measuring that engagement to continuing growing and reaching your audience. In addition we’ll cover surging topics in Q1 of 2022 and which job titles are interacting most with cybersecurity content!
Presenter: Wade Baker
Presenter: Benjamin Edwards
Presenter: Mike D’Agostino
Presenter: Julie Jordan
September 13 2022 | 12:00PM EST
In this webinar hosted by The Cyentia Institute and SecurityScorecard, Wade Baker, PhD, Co-founder of The Cyentia Institute, and Greg Petropoulos, Director of Data Science at SecurityScorecard will be discussing the current state of vulnerability remediation in a multitude of sectors ranging from the financial sector to the manufacturing sector. The joint research effort measured the speed of vulnerability remediation from 2019 – 2022 and revealed only 60% of organizations have improved their security posture over the last three years.
Presenters: Wade Baker
Presenters: Greg Petropoulos
August 10 2022 | 1:30PM PDT | Las Vegas, NV
Join The Cyentia Institute and SecurityScorecard at BlackHat USA 2022, booth #960, for an inside look at pacing remediation for internet-facing vulnerabilities. We’ll be discussing some of the lessons we learned in the collaborative report with SecurityScorecard that spanned 1.6 million organizations and analyzed billions of internet-exposed assets that were used to measure the speed of vulnerability remediation.
June 9 2022 | 10:50PT | San Francisco
The cybersecurity vendor landscape is crowded. There’s increasing pressure to elevate brand visibility, differentiate products, & get the attention of buyers. Many vendors create thought leadership content because of this, but quality & usefulness varies widely. Let’s talk about how to improve that.
Presenters: Wade Baker
June 2022 | TBD | San Francisco
Supply chain attacks and other multi-party incidents have dominated the headlines of late. Most have likely heard plenty about the biggest ones, but those are just the tip of the iceberg. This session will dive below the surface using hard data to study key risk factors behind hundreds of real-world security incidents that propagated to or otherwise impacted thousands of downstream business partners.
Presenters: David Severski
June 2022 | TBD | San Francisco
Imagine being able to distill every presentation from every year of the RSA Conference into a series of charts that feature key topics, trends, and takeaways. Imagine no more! This talk will apply fancy analytical techniques to decades of Conference submissions to see what was missed, things possibly remembered, and perhaps a glimpse of where things are headed.
Presenters: Ben Edwards; Wade Baker
June 2022 | TBD | San Francisco
In last year’s RSAC keynote, this session presented high-level practices that measurably contribute to a more successful cybersecurity program based on a rigorous survey of nearly 5,000 practitioners. This year’s session will share another massive study that will dig much deeper into those top practices to determine exactly what makes them even more (or less) effective in driving program success.
Presenters: Wade Baker; Wendy Nather (Cisco)
June 2022 | TBD | San Francisco
By leveraging existing data on employees’ past security decisions, teams can create a picture of which employees are the most at risk to make a mistake or fall for an attack. Research findings from a 200k employees data-set reveal trends into the most vulnerable populations. This session will share key findings, how to measure human risk, and explain how to apply findings to reduce incidents.
Presenters: Ben Edwards; Masha Sedova (Elevate Security)
May 11-13 2022 | Virtual
We’re proud to have multiple speaking sessions at SIRAcon this year, and we’re excited to share all the R&D we’ve been doing over the last year around cyber risk. Hope to see you there.
Jay Jacobs – Wed at 11:30ET – “Measuring a Risk Concept: Exploitability.”
David Severski – Thu at 4ET – “Better than Beta: Finding the PERT-fict Fit for Event Frequency”
Wade Baker – Fri at 1:45ET – “Risk Insights from Another Year of Data-Driven Research”
Ben Edwards – Fri at 2:15ET – “How to Indirectly Measure Things in Cybersecurity”
Tuesday, February 8 | 1:00 PM ET | Virtual
From Zero Trust to building private/public partnerships, there’s a lot that’s front of mind for those that know it best. Hear the latest ideas and perspectives on a range of cybersecurity topics impacting CISOs, businesses, and practitioners.
Presenters: Wade Baker; Trevor Hughes; Wendy Nather; Dena Haritos Tsamitis
Tuesday, December 14 | 11 AM ET | Virtual
In this recorded live event, guests discuss key data and actionable insights from the new Security Outcomes Study.
Presenters: Wade Baker, Wendy Nather (Cisco), Blair Anderson (Shawnee Heights Unified School District 450), Wouter Hindriks (Avit Group)
Wednesday, December 8 | 1 PM ET | Virtual
The financial damage from multi-party cyber incidents goes way beyond the losses from any “typical” security event. When more companies are involved, the checks get larger.
In this upcoming webinar, experts from Cyentia Institute and RiskRecon will discuss the details behind some of the largest multi-party cyberattacks since 2008, including:
Presenters: Wade Baker
Wednesday, November 17 | 11 AM ET | Virtual
The first step in assessing your organization’s security posture is to understand how attackers most frequently penetrate enterprise defenses. In this keynote address, “How Data Breaches Happen,” data breach investigator and Cyentia Institute co-founder, Wade Baker, outlines the latest trends in online compromises and the security vulnerabilities that are most commonly exploited in enterprise attacks. Attendees will also get advice on how to recognize these attacks, and how to shorten the time between the initiation of an attack and detection/discovery.
Presenters: Wade Baker
Friday, October 29 | 12 PM ET | Virtual
In almost every way imaginable, we live in a hyperconnected world. This connectivity has brought many benefits to modern business models, but it has also introduced myriad challenges and risks. If you take the time to decompose even the simplest of business transactions, you’ll find in the mix a surprising number of parties from technical components supporting the transaction to the completed delivery of products to the customer. But what happens to all these parties when something goes wrong?
That is ultimately the question the new IRIS Tsunami seeks to explore. We identified 50 of the largest multi-party cyber incidents over the past several years in an effort to understand their causes and consequences from beginning to end. If you are familiar with our other research in the Information Risk Insights Study (IRIS) series, Tsunami draws from the same rigorous methodology. We started with a huge dataset of cyber loss events, identified those that involved multiple organizations, and then researched each event to understand who was behind it, what happened, how the after effects propagated through the supply chain, and the financial losses for all parties involved.
Presenters: David Severski, John Sturgis
Wednesday, October 20 | 2 PM ET | Virtual
In our first-ever sponsored session, we’ll be presenting brand new research, a peek at future research, and demonstrating a new service that lets you tailor our research to your cyber risk quantification needs. Yes, it’s in the vendor track of the conference – but we promise to make it the most data-rich vendor session in history! And if it isn’t, you’re free to just show up and heckle us.
Presenters: David Severski and Wade Baker
Wednesday, September 29 | 3 PM ET | Virtual
Join data scientists from Cyentia Institute and the head of strategy from RiskRecon for a live webinar to hear about our exclusive research on multi-party breaches and the effect it can have on your firm and its supply chain, including:
Presenters: Jonathan Ehret (RiskRecon) and David Severski
Friday, August 6 | 11:00 AM ET | Virtual
Cyber security is human security. Every security incident involves, at some level, human actions and decisions. While technical solutions have made us more secure, the risk posed by humans in the loop continues to be a large unsolved problem. Solutions tend to be narrowly tailored, and involve training and simulation which may or may not reflect real world threats. Moreover, human risk is complex and interconnected, meaning those narrow solutions will necessarily miss important insights. A holistic view of this complexity is needed. This briefing will shed light on human risk based on findings from a recent report authored by the Cyentia Institute. We’ll draw on a data set of more than 4.5M actions taken by more than 114k users. We won’t solve human risk in this talk, but attendees will come away with a better idea of where human risk hides in their organization and actionable solutions that security teams can use to begin reducing their greatest human risk.
Presenters: Ben Edwards
Thursday, August 5 | 11:15 PM ET | Virtual
A primordial cybersecurity question facing organizations is “What is an incident going to cost me?”. Many people with a quantitative bent have zero-ed in on Bayesian Modeling as an appropriate methodology for dealing with the uncertainty inherent in cyber risk. Despite the age of the question and the relative consensus (at least at SIRA) around the approach there still exists considerable confusion about exactly how to deploy this methodology.
In this talk we’re going to try to clear up the confusion, and show, in clear simple terms, how to do some basic Bayesian risk analysis. This will include answers to questions like:
After we clear up the answers to these questions, we’ll take the audience through two basic risk models. First, we’ll use public data (courtesy of the Cyentia IRIS Risk Retina data set) to build a simple Monte Carlo simulation of the losses an organization might experience in a year. Next we’ll do just a little bit of Bayesian inference to show a FAIR-compatible alternative approach. We’ll even include some basic code in a variety of platforms (R, Python and Excel). We’ll end with a call to arms: Stop arguing about frameworks and how you might assess risk. Get out there with the tools you have now and do risk! Give your organization the assessment it needs.
Presenters: Ben Edwards and David Severski
Thursday, July 15 | 12 PM ET | Virtual
The human aspect of cybersecurity is one of the most challenging ones to manage. Headlines are filled with cyber incidents everyday from ransomware, data breaches, and account compromise. New findings on current efforts to deal with employee risk in the workforce reveal that traditional employee efforts simply don’t work.
Join us for a deep-dive into the data with actionable insights as we discuss innovative approaches to dealing with cyber risk and how managing the human attack surface can lead to safer outcomes in today’s digital world.
Presenters: Wade Baker and Robert Fly, Elevate Security CEO
Thursday, June 24 | Virtual
2 PM – 2:30 PM ET | Q&A 2:30 PM – 3 PM ET
Risk managers often struggle when they get to executive and board level stakeholder, finding vague and scary sounding cyber risks are the dominant conversation. With extensive research into over 100 of the largest breaches in the past several years, we help arm professionals with data to have conversations about catastrophic risks to be better partners with the business and produce better results.
Presenters: Wade Baker, David Severski
Thursday, May 20 | 8:00 AM PT | Virtual
What makes a successful security program? Ask 3 infosec pros and you’ll get 3 different answers. So we asked 4,800 of them and looked for meaningful consensus among their answers. We evaluated security program performance across 25 practices and 11 different outcomes. Our rigorous, analytical approach will yield insights into how security teams can enable business, manage risk and operate efficiently.
Presenters: Wade Baker and Wendy Nather, Head of Advisory CISOs at Cisco
May 11 | Virtual
CISO Forum is for CISOs to share and engage in a closed-door environment. Held under Chatham House Rule, there are no recordings, media/press. Attendance is limited to 100 people. Wade will be leading a panel on measuring success in cybersecurity programs.
May 11 | Virtual
How we handle employee risk today is broken – it’s no wonder ransomware, account compromise, data loss, and other threats are rampant. Humans have been the largest unsolved element of security, until now. Join industry luminaries as we explore the human attack surface, bust myths with cutting-edge research about what works and what doesn’t, and unveil a new perspective to solving this decades-old problem.
May 11 | Virtual
Jay and Ben are speaking at Secure360 security conference
Date and Time: Tuesday, May 11th, 2021, 1:15 PM Central
Staff: Jay Jacobs and Ben Edwards
Venue: Virtual Presentation
April 14 | Webinar
During this live webinar, we will examine the results of our new research study which measures the value of better information for third-party risk assessments using FAIR methodologies. We put many traditional third-party risk management practices to the test to determine if these methods can identify which vendors represent the greatest risk to sourcing organizations, or if there is a better way to predict third-party risk through risk surface data.
Join this webinar to learn:
Time: 2 PM Eastern
Staff: David Severski and John Ehret (RiskRecon)
Venue: Webinar
Dec 16 | Live Webinar
We’re all looking forward to putting 2020 behind us. As we all look ahead to the new year organizations must consider the immense changes to their digital infrastructure, supply chain, and overall risk surface that occurred as a result of global events.
The research experts from Cyentia Institute recently mined through the scans of millions of internet-facing hosts using the RiskRecon platform to explore and measure the current risk surface of firms and hosting providers around the world.
Speakers are Jonathan Ehret, Vice President, Strategy and Risk at RiskRecon and Wade Baker, Partner & Co-Founder Cyentia Institute.
During the webinar, attendees will learn:
Time: Wednesday, December 16 at 1:00pm ET
Staff: Wade Baker and Jonathan Ehret (RiskRecon)
Venue: Live Webinar
Dec 1 | Live Webinar
Wouldn’t it be great if you could pull together thousands of your cybersecurity peers from all over the world and speak candidly to find out what works for them? Well, now you can, in this engaging live broadcast that covers our new cybersecurity report. Poised for Success: Proven Factors for Your Security Program.
Agenda:
Staff: Wade Baker, Wendy Nather (Cisco), and Mike Hanley (Cisco)
Time: Tuesday, December 1 at 1:00pm ET
Venue: Live Webinar
Tag(s): Security Outcomes Study
Nov 18 | Webinar
Vulnerability management is all about time. How long does it take us to find, prioritize and remediate vulnerabilities? How long until our adversaries discover and exploit these weaknesses? Do the actions of vendors and security researchers help or hinder? In the sixth volume of the Prioritization to Prediction series, we look at the life of vulnerabilities and answer these questions. We track over 500 vulnerabilities that were known to be exploited-in-the-wild, from the initial discovery of the vulnerability through publication and exploitation, all the way through remediation across millions of assets. We look at the sequence of events unfold and the affect of vendors and researchers in the real world.
Staff: Jay Jacobs and Ed Bellis (Kenna)
Time: Wednesday, November 18 at 2:00pm ET
Venue: Webinar
Tag(s): Prioritization to Prediction, Vulnerability management, Kenna Security
Nov 18 | Webinar
Early in 2020, the Cyentia Institute published the Information Risk Insights Study (IRIS 20/20). This first-of-its-kind study leveraged a vast dataset from Advisen, spanning tens of thousands of cybersecurity incidents over the last decade. Our extensive analysis of that dataset yielded valuable insights aboutthe frequency and financial impact of cyber incidents to organizations of all types and sizes. The IRIS 20/20 Xtreme is a follow-up to that research, focusing on the 100 largest cyber incidents of the last five years, totaling $18 billion in reported losses and 10 billion compromised records. We once again started with Advisen’s Cyber Loss Data and then collected hundreds of additional data points on each of these extreme cyber loss events. Our goal was to breakdown the costs, categorize incident types, identify the actors behind these events and the actions they employed, and better understand how these events impacted the organizations involved. Our primary goal remains the same as the IRIS 20/20—to clear the fog of fear, uncertainty and doubt (FUD) surrounding cyber risk and help managers see their way to better data-driven decisions.
Staff: David Severski, Wade Baker, and Derek Vadala (Visible Risk)
Time: Wednesday, November 18 at 9:00am PST
Venue: Webinar
Tag(s): IRIS2020, Xtreme
Sep 17 | FAIR Institute sponsored webinar
Bad security data leads to bad security policies; better data enables better policies. That, in a nutshell, is the thesis of this talk. To back that up, we’ll share a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents, with a special focus on events that impact multiple organizations.
Are we under or overestimating the economic risk of cyber events? How might errant estimates of breach likelihood or probable losses affect organizational governance and risk management? Could misunderstandings about the true extent of incident propagation across supply chains hamper the development of effective policies to manage third-party risk? What would an inter-organizational approach to security policies and practices look like? Can the study of past events aid future-looking decisions such as establishing risk appetite and evaluating cyber insurance needs? Could poor risk data lead to regulatory and/or compliance requirements that fail to meet their objectives? These are just some of the policy-oriented questions we’ll explore in the talk.
The dataset we’ll use to explore those questions spans 56,000 cyber events experienced by 35,000 organizations over the last decade. More than 800 of those incidents generated nearly 5,500 downstream loss events impacting firms beyond the primary victim. We’ll examine these inter-organizational events in detail and discuss the implications these have for future policy decisions.
Attendees will gain an understanding how readily available data can be used to first orient to this problem space. From there, the audience will get a picture of ground truth to make better policy decisions on issues ranging from cyber insurance, supply chain management, and the near-mythical risk management ROI.
Staff: Wade Baker, David Severski
Time: Thursday, October. 22th at 1 PM EST
Venue: Virtual
August 1 – 6 | BlackHat USA 2020
In this session, Wade will accept the challenge of sharing data-driven research findings relevant to every factor in the FAIR Framework. Can he do it? Tune in during FAIRcon 2020 to find out!
Staff: Wade Baker
Time: Tuesday, Oct 6 from 2-2:30 PM ET.
Venue: Virtual
Sep 17 | FAIR Institute sponsored webinar
RiskRecon and Cyentia Institute examined how organizations are handling essential security practices and the impact of failing to manage these properly. The research has found that:
Join our webinar on Thursday, September. 17th at 11 AM EST as Dr. Wade Baker, Partner at Cyentia Institute and Jon Ehret, VP of Strategy & Risk from RiskRecon discuss the findings from our research study and the security implications facing organizations who are not following these foundational security practices.
Staff: Wade Baker
Time: Thursday, September. 17th at 11 AM EST
Venue: Virtual
August 25 – 27 | SIRAcon 2020
Early this year, the Cyentia Institute released our IRIS 20/20 report. Using publicly available data, we debunked some myths on the cost of publicly discoverable breaches and replaced supposition with fact. This substitution of dogma with data is the core mantra for SIRA and a theme we’ll explore in this talk. Performing data-driven risk analysis does not require constant reading of academic papers and extensive (and expensive) data collection efforts. We’ll cover how research from the vendor community — including Cyentia and beyond — can be used to make the job of a quant minded risk analyst easier.
Staff: Jay Jacobs and David Severski
Time: 11:30 PST
Venue: Virtual – Slides (PDF)
August 1 – 6 | BlackHat USA 2020
We all know that lurking within even the most popular open source packages are flaws that can leave carefully constructed applications vulnerable. In fact, 71% of all applications contain flawed open source libraries, many (70.7%) coming from downstream dependencies which might escape the notice of developers. Using graph analytics and a broad data science toolkit, we untangle the web of open source dependencies and flaws, and show the best way for developers to navigate this seemingly intractable game of whack-a-mole.
In this analysis, we examine over 85,000 applications and their use of more than 500k open source libraries. We provide an overview of open source usage showing that typical applications have hundreds or thousands of libraries, with most coming from a cascade of transitive dependencies. We find that proof-of-concept exploits exist for 21.7% of libraries with flaws, and that even very tiny (162 LoC) and very popular (included in 89% of applications) JavaScript libraries can contain exploitable flaws.
We describe the complex relationship between libraries and security flaws, and show that more libraries doesn’t necessarily mean more problems — in fact, we see applications that manage to use thousands of libraries while inheriting few or no flaws. Also, an analysis of exploitability in the data set makes clear that attackers are focusing most heavily on two types of flaws – Insecure Deserialization and Broken Access Control.
We conclude by examining strategies to manage open source library flaws. We reveal more than 81% of flaws can be fixed with minor patch or revision updates, but updated libraries can themselves be flawed or can disrupt dependencies. We show that developers can prioritize risk mitigation by focusing on the 1% of flaws that are known to exist on an application’s executable path and have seen exploitation in the wild..
Staff: Ben Edwards with Chris Eng (Veracode)
Time: TBD
Venue: TBD
August 1 – 6 | BlackHat USA 2020
Bad security data leads to bad security policies; better data enables better policies. That, in a nutshell, is the thesis of this talk. To back that up, we’ll share a FUD-free and data-driven analysis of the frequency and economic costs of tens of thousands of historical cyber incidents, with a special focus on events that impact multiple organizations.
Are we under or overestimating the economic risk of cyber events? How might errant estimates of breach likelihood or probable losses affect organizational governance and risk management? Could misunderstandings about the true extent of incident propagation across supply chains hamper the development of effective policies to manage third-party risk? What would an inter-organizational approach to security policies and practices look like? Can the study of past events aid future-looking decisions such as establishing risk appetite and evaluating cyber insurance needs? Could poor risk data lead to regulatory and/or compliance requirements that fail to meet their objectives? These are just some of the policy-oriented questions we’ll explore in the talk.
The dataset we’ll use to explore those questions spans 56,000 cyber events experienced by 35,000 organizations over the last decade. More than 800 of those incidents generated nearly 5,500 downstream loss events impacting firms beyond the primary victim. We’ll examine these inter-organizational events in detail and discuss the implications these have for future policy decisions.
Attendees will gain an understanding how readily available data can be used to first orient to this problem space. From there the audience will get a picture of ground truth to make better policy decisions on issues ranging from cyber insurance, supply chain management, and the near-mythical risk management ROI.
Staff: Wade Baker and David Severski
Time: TBD
Venue: TBD
Jun 17 | Veracode live webinar
Did you know that 70% of applications have a security flaw in an open source library on initial scan? Learn more about this and other eye-opening findings from the latest Veracode report – the Open Source Edition to our annual State of Software Security report, which offers in-depth analysis of the open source libraries in 85,000 applications.
Watch this webinar to find out:
Get up to speed on the security of open source libraries and how to reduce your risk; register for this webinar today!
Staff: Ben Edwards with Brittany O’Shea of Veracode
Time: Live at 8:00am PT on June 17. 2020. On-demand after that.
Venue: Webinar
May 29 | SIRA Webinar
The 2020 Information Risk Insights Study (IRIS 20/20) helps clear the fog of uncertainty surrounding cyber risk and helps managers see their way to better data-driven decisions. This ground-breaking study leverages a large dataset from Advisen Ltd. spanning tens of thousands of public breaches over the last decade. Cyentia’s extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes.
In this SIRA-specific webinar with the Cyentia team you will gain an understanding of the key findings, how the IRIS 20/20 results can inform quantitative risk practices, and get a special deep dive into some of the models that are possible with this research. Whether you are just wanting to make better quick risk decisions based on possible losses or looking for better baselines for quantitative assessments, IRIS has something for you!
Staff: Jay Jacobs and David Severski
Time: May 29, 2pm ET
Venue: Webinar
May 5 | Secure360
This talk will draw from multiple research projects we’ve done across a spectrum of security domains from weaknesses in software development, to patching strategies and defensive measures, and finally data breaches. We’ll start with an examination of software development, and dive into how organizations fix flaws, what can contribute to security debt, and how proactive developers can reduce the density of flaws in their apps. Then we’ll follow vulnerabilities in products as we move on to enterprise vulnerability management. We’ll show how to create objective measures of vulnerability remediation performance and highlight practices of high performing orgs. We’ll then look at what we can learn about the risk surface of an organization from outside measurement. We’ll tackle whether cloud deployment is more secure than on-prem (it depends, but in interesting ways). Finally, we’ll investigate data breaches, and show that even if your network isn’t breached, the impact of a partner’s breach could be just as devastating. All the results in this talk are grounded in real world data, derived from organizations facing daily security challenges.
Staff: Jay Jacobs and Ben Edwards
Time: Tuesday, May 5 at 10:00 – 11:00am ET
Venue: Webinar
April 21 | Webinar
Staff: Jay Jacobs
Time: Tuesday, April 21 at 2:00pm ET
Venue: Webinar
Tag(s): Prioritization to Prediction, Vulnerability management, Kenna Security
April 16 | Webinar
Join us for a virtual meeting of the Chicago Chapter. We will be reviewing the Cyentia 2020 IRIS report and providing an introduction to FAIR.
Agenda:
The 2020 Information Risk Insights Study (IRIS 20/20) clears the fog of FUD surrounding cyber risk and helps managers see their way to better data-driven decisions. This first-of-its-kind study leverages a vast dataset from Advisen Ltd. spanning tens of thousands of public breaches over the last decade. Cyentia’s extensive analysis of that dataset yields valuable insights about the frequency and financial impact of cyber incidents to organizations of all types and sizes.
We will be providing a practical example of how to apply this amazing data to your own FAIR Analyses.
Staff: David Severski
Time: Thursday, April 16th at 2:30pm CT
Venue: Webinar
Tag(s): Information risk, cyber risk, breaches, incidents, cyber loss events, financial losses, FAIR
On Demand Webinar
Risk management is the foundation upon which financial institutions are built, but many important questions remain: What are the key dimensions of the financial sector internet risk surface? How does that surface compare to other sectors? Which specific industries within financial services appear to be managing that risk better than others?
RiskRecon and the Cyentia Institute take up these questions and more in their latest research report, Risk Surface in the Financial Sector.
Register for this upcoming live webinar and learn exclusive insights from the report as well as:
Staff: Wade Baker
Time: On Demand
Venue: Webinar
Tag(s): Cloud Risk Surface Report, Internet Risk Surface Report, RiskRecon, Cloud Security
April 2 | Webinar
What are the chances of experiencing a $10 million cyber loss? Are traditional methodologies for assessing potential costs doing more harm than good? Join Advisen and Cyentia Institute on Thursday, April 12 at 11 a.m. ET for a free, one-hour webinar that will clear the fog of FUD (fear, uncertainty, and doubt) surrounding the true costs of cyber risk. Whether you’re buying, selling, or underwriting cyber insurance, you’ll appreciate this thoughtful new perspective informed by Cyentia’s data-driven loss insight and research. Register today.
Staff: David Severski
Time: Thursday, April 12th at 9:20am
Venue: Webinar
Tag(s): Information risk, cyber risk, breaches, incidents, cyber loss events, financial losses
April 2 | Webinar
Ask ten different security professionals how to do vulnerability management, and you’ll likely get ten different answers. But if you ask several hundred, you start to see a trend: some organizations stand out from all the others. They’re not just closing vulns, they’re lowering risk. These are the top performers in vulnerability management. So what is it, exactly, that they do differently?
In the fourth volume of our “Prioritization to Prediction” research, Kenna Security and our research partner, the Cyentia Institute, provide the answers. Join Cyentia’s Ben Edwards Ph.D., and Kenna’s Ed Bellis for this insightful webinar where they’ll share the key contributing factors of top performing vulnerability management teams drawn from analyzing real-world data from hundreds of organizations.
Staff: Wade Baker
Time: On Demand
Venue: Webinar
Tag(s): Prioritization to Prediction, Vulnerability management, Kenna Security
February 26 | RSA Conference | San Francisco, CA
What can we learn from 8.3 million software security findings? Plenty, and the presenters have the visuals to prove it. Analysis of millions of security flaws across tens of thousands of applications found that not all flaws (or applications) are created equal. This presentation will dive into the state of secure coding practices as observed from over 1 million application security scans.
Staff: Jay Jacobs and Chris Wysopal (Veracode)
Time: Wednesday, February 26th at 9:20am
Venue: Moscone West
Tag(s): Application security, DevOps, State of Software Security, Veracode
February 27 | RSA Conference | San Francisco, CA
How do you assess a vulnerability management program? This talk will outline four data-driven measures that give a holistic view of vulnerability management: coverage, efficiency, velocity and capacity. Presenters will compare these measures across several hundred organizations, highlight practices of exceptional programs, and demonstrate how any organization can apply these measures to their program.
Staff: Wade Baker and Ben Edwards
Time: Thursday, February 27th at 1:30pm
Venue: Moscone West
Tag(s): Prioritization to Prediction, Vulnerability management, Kenna Security
January 16 | ISSA NOVA Chapter meeting | Arlington, VA
Vulnerability management is one of the oldest domains in the cybersecurity field. But anyone who’s worked in it knows that this old dog would benefit from learning some new tricks. And it could be argued there’s no area where that’s more true than prioritizing vulnerability remediation efforts to minimize risk to the organization. For some, that process boils down to little more than gut instinct. Others follow the prevailing wisdom, which is usually instantiated in scoring systems like CVSS. Approaches like the latter sound more scientific, but empirical data shows few perform any better than random chance. Clearly, we need a better way forward for making more rational remediation decisions.
For the last year and a half, we’ve analyzed a huge amount of data with the goal of finding that better way. We’ve examined over 100,000 published vulnerabilities, exploits developed against those vulnerabilities, and the remediation practices of hundreds of real organizations to understand the principles at work. We learned a ton of important, practical lessons from that research including insights on why only 1 in 3 firms manage to gain positive ground on remediating security vulnerabilities in their environment. We will share those key lessons in this presentation to support security leaders in guiding their vulnerability management programs into a new age of enlightenment and effectiveness.
Staff: Wade Baker
Time: Thursday, January 165th at51:30pm
Venue: Marymount University Ballston Center
Tag(s): Prioritization to Prediction, Vulnerability management, Kenna Security
December 16 | Live webinar with Data Breach Today
During this webinar Kelly White, CEO of RiskRecon, Wade Baker, Co-Founder at the Cyentia Institute, and David Severski, lead data scientist from the Cyentia Institute, will discuss the findings from a new research report that analyzed over 800 multi-party security incidents to determine how organizations were impacted from the ripple of a security event.
Register for this webinar and you will learn:
Staff: Wade Baker, David Severski, and Kelly White of RiskRecon
Time: Monday, December 16, 2019 2:00 PM ET.
Venue: Live webinar
Tag(s): Ripples Across the Risk Surface, Multi-party incidents, Loss events, Ripple events, RiskRecon
November 19 | 2019 FS-ISAC Americas Fall Summit
Many published studies offer statistics about breaches that directly impact financial organizations. But very little analysis has been done on the long-term, downstream “ripple effects” associated with those breaches. This session reviews analysis of more than 70,000 security incidents, including a deep dive into over 800 that contain detailed information about the breadth of the ripple effects, the firms impacted, the firms that trigger these security incidents and the associated financial losses.
Staff: Wade Baker and Kelly White of RiskRecon
Time: Tuesday, November 19, 2019 11:00 AM ET.
Venue: Marriott Marquis in Washington D.C.
Tag(s): Ripples Across the Risk Surface, Multi-party incidents, Loss events, Ripple events, RiskRecon
November 19 | Infragard MN
We all want to know what can be done to avoid or stop the next breach. However, the complexities of our connected world combined with an intelligent adversary make accurate measurements, and the subsequent decisions, difficult in the best of times. This talk will share our recent research starting with security in the software development practices through to published vulnerabilities and how we can use data to better prioritize and address the weaknesses ever-present in our environments.
Staff: Jay Jacobs
Time: Monday, November 18, 2019 01:00 PM CT.
Venue: Cargill, 9320 Excelsior Blvd., Hopkins, MN
Tag(s): Prioritization to Prediction, Vulnerability management, Software Security, Veracode, Kenna Security
October 29 | Kenna Katalyst NYC
Get a head start on prioritizing and targeting your organization’s riskiest vulnerabilities with Kenna Katalyst workshops.
Attend this first-of-its-kind tutorial and come away with actionable tips from security heavyweights as they share firsthand lessons, risk-based vulnerability management best practices, and expert insight into what’s on the horizon.
.
Staff: Wade Baker and multiple speakers from Kenna Security
Time: Tuesday, October 29, 2019 08:30 AM ET.
Venue: Dream Hotel in New York, NY
Tag(s): Prioritization to Prediction, Vulnerability management, Risk management, Kenna Security
October 23 | 2019 Advisen Cyber Risk Insights Conference
The Cyentia Institute recently partnered with Advisen to incorporate their massive cyber loss dataset into our research projects. As we began exploring the data, we latched onto a feature whereby Advisen associates incidents and downstream loss events across multiple organizations. We shared some of those findings with Advisen and they kindly invited us to present to a group of their customers and partners at a breakfast event kicking off their Cyber Risk Insights Conference.
Staff: Wade Baker
Time: Tuesday, October 23, 2019 08:30 AM ET.
Tag(s): Multi-party incidents, Ripple events, Loss events, Advisen, RiskRecon
September 24&25 | 2019 FAIR Conference
Digital transformation is the new force multiplier for organizations to examine cybersecurity risk in an entirely new way. And its not just their own organization they need to get a handle on – it’s their entire ecosystem of third-party vendors, which factors into a seemingly insurmountable list of threat vectors and IT assets that are exposed externally.
The cloud, coupled with immature risk management processes organizationally, and insecure third parties, create a recipe for costly failed security audits and catastrophic data breaches where a shared common root system of risk governs whether companies succeed or fail.
Managing the risk of digital transformation at the speed of business requires new approaches to get better risk outcomes more efficiently. This panel discussion will examine:
–Quantitative and qualitative research data points on how and why organizations are currently, and should be managing organizational and third-party risk
–Field use cases for mitigating risk by understanding the layers of risk that impact most businesses today
–How to prioritize the handling of critical vulnerabilities taking a contextual approach to risk management
–Where managing third-party risk fits into the broader Integrated Risk Management (IRM) framework of enterprise risk mitigation
Staff: Wade Baker
Time: Tuesday, September 25, 2019 03:45 PM ET.
Tag(s): Cloud Risk Surface Report, Internet Risk Surface Report, RiskRecon, Cloud Security
August 29 | SiRA webinar
Effective prioritization of vulnerabilities is essential to staying ahead of your attackers. While your threat intelligence might expose a wealth of information about attackers and attack paths, integrating it into decision-making is no easy task. Too often, we make the mistake of taking the data given to us for granted – and this has disastrous consequences.
We’ll explain what we miss by trusting CVSS scores, and what should absolutely be taken into consideration to focus on the vulnerabilities posing the greatest risks to our organizations. We’ll look at tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately end up with a few dozen data points that helped us understand the probability of a vulnerability being exploited.
Finally, we’ll use all that data as well as billions of in-the-wild events collected over 5 years in order to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.
Staff: Jay Jacobs
Time: Thursday, August 29, 2019 02:00 PM ET.
Tag(s): Kenna Security, Prioritization to Prediction, Vulnerability Managaement, CVSS
August 8 | BlackHat | Las Vegas, NV
Effective prioritization of vulnerabilities is essential to staying ahead of your attackers. While your threat intelligence might expose a wealth of information about attackers and attack paths, integrating it into decision-making is no easy task. Too often, we make the mistake of taking the data given to us for granted – and this has disastrous consequences.
We’ll explain what we miss by trusting CVSS scores, and what should absolutely be taken into consideration to focus on the vulnerabilities posing the greatest risks to our organizations. We’ll look at tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately end up with a few dozen data points that helped us understand the probability of a vulnerability being exploited.
Finally, we’ll use all that data as well as billions of in-the-wild events collected over 5 years in order to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.
Staff: Jay Jacobs
Time: Thursday, August 8 at 12:10 to 1:00 PM in South Seas CDF
Tag(s): Kenna Security, Prioritization to Prediction, Vulnerability Managaement, CVSS
August 8 | BlackHat | Las Vegas, NV
The Digital Transformation puts more value at risk in more places. This “risk surface” is the unforeseen undercurrent of high-velocity digital business. This keynote dives into the findings of our Internet Risk Surface research, revealing the true expanse of enterprise risk and forecasting solutions for managing risk surface in a hyper-connected and hyper-exposed world.
Staff: Wade Baker and Kelly White, CEO of RiskRecon.
Time: Thursday, August 8th from 10:25 to 10:45 AM at the Innovation Theatre
Tags: Cloud Risk Surface Report, Internet Risk Surface Report, RiskRecon, Cloud Security
August 8 | BlackHat | Las Vegas, NV
In the fourth volume of their Prioritization to Prediction research, Cyentia Institute and Kenna Security analyzed empirical data and real-world practices of hundreds of organizations to identify the key contributing factors of top performing vulnerability management teams and discover the factors that hinder performance.
In this talk, Wade Baker and Ed Bellis walk through the data and key findings, tying real-world practices to actual outcome measures. Aimed at vulnerability and risk management professionals, this session will provide evidence of the practices used by top performers that attendees can apply to their own vulnerability management programs.
Staff: Wade Baker and Ed Bellis, CTO of Kenna Security
Time: Thursday, August 8th from 2:30 PM – 3:20 PM at Oceanside F
Tags: Vulnerability management, Prediction to Prioritization, Kenna Security
August 7 | BSides LV | Las Vegas, NV
With myriad threats facing organizations, eliminating all avenues for attack is impossible. Accepting this reality means organizations need to focus resources where they are most likely to be impactful. But this begs many questions: What types of hosts are most likely to have vulnerabilities? Are those same hosts critical parts of the business? What about cloud infrastructure that isn’t fully controlled? Are hosts on foreign soil in compliance with local laws?
We could tap into prevailing FUD and personal opinions to answer these questions, but haven’t we all had enough of that? We’d prefer to know what the data says. In this talk we introduce the concept of risk surface and explore its shape by tapping into a fascinating data set spanning millions of internet-facing hosts from tens of thousands of firms and major hosting providers around the world. We find that for most organizations risk is global with more than half locating infrastructure in multiple countries. Not only are hosts spread far and wide, but vulnerabilities are too: more than half of organizations have high or critical vulnerabilities on external infrastructure. Armed with this new perspective, we can make recommendations to organizations on where their resources are best deployed.
Staff: Wade Baker and Ben Edwards
Time: Wednesday, August 7 at 6:00PM in the Ground Truth track
Tag(s): Cloud Risk Surface Report, Internet Risk Surface Report, RiskRecon, Cloud Security
August 5 | BlackHat CISO Summit | Las Vegas, NV
Vulnerability management is one of the oldest domains in the cybersecurity field. But anyone who’s worked in it knows that this old dog would benefit from learning some new tricks. And it could be argued there’s no area where that’s more true than prioritizing vulnerability remediation efforts to minimize risk to the organization. For some, that process boils down to little more than gut instinct. Others follow the prevailing wisdom, which is usually instantiated in scoring systems like CVSS. Approaches like the latter sound more scientific, but empirical data shows few perform any better than random chance. Clearly, we need a better way forward for making more rational remediation decisions.
For the last year and a half, we’ve analyzed a huge amount of data with the goal of finding that better way. We’ve examined over 100,000 published vulnerabilities, exploits developed against those vulnerabilities, and the remediation practices of hundreds of real organizations to understand the principles at work. We learned a ton of important, practical lessons from that research including insights on why only 1 in 3 firms manage to gain positive ground on remediating security vulnerabilities in their environment. We will share those key lessons in this presentation to support security leaders in guiding their vulnerability management programs into a new age of enlightenment and effectiveness.
Staff: Wade Baker
Time: Tuesday, August 6 at 3:20 to 3:50 PM at the Four Seasons
Tag(s): Kenna Security, Prioritization to Prediction
June 17 – 20 | Gartner Risk Summit | National Harbor, DC
The Digital Transformation puts more value at risk in more places. This “risk surface” is the unforeseen undercurrent of high-velocity digital business. This keynote dives into the findings of our Internet Risk Surface research, revealing the true expanse of enterprise risk and forecasting solutions for managing risk surface in a hyper-connected and hyper-exposed world.
Staff: Wade Baker
Tag(s): Cloud Risk Surface Report, Internet Risk Surface Report, RiskRecon
June 3 | Workshop on the Economics of InfoSec | Boston, MA
A key challenge faced by vulnerability management programs is trying to identify a remediation strategy that best balances two competing forces. On one hand, it could attempt to patch all vulnerabilities on its network. While this would provide the greatest coverage of vulnerabilities patched, it would inefficiently consume resources by fixing low-risk vulnerabilities. On the other hand, patching a few high-risk vulnerabilities would be highly efficient, but may leave the firm exposed to many other high-risk vulnerabilities. Using a large collection of multiple datasets together with machine learning techniques, we construct a series of vulnerability remediation strategies and compare how each perform in regard to trading off coverage and efficiency. We expand and improve upon the small body of literature that uses predictions of published exploits, by instead using exploits in the wild as our outcome variable.
Staff: Wade Baker, Jay Jacobs (in absentia; presented by co-author Sasha Romanosky)
Tag(s): Kenna Security, Prioritization to Prediction, Vulnerability Managaement, CVSS, Machine Learning, Prediction Models
April 30 – May 2 | SIRAcon | Cincinnati, OH
Over the last year the Cyentia Institute has worked with multiple partners and the data they’ve collected to study various aspects of risk. This talk draws from that research, focusing particularly on three large data sets: Veracode (risk in the development phase), Kenna (risk in the operational phase) and RiskRecon (risk from third parties).
Staff: Wade Baker and Jay Jacobs
Tag(s): Internet Risk Surface Report, Kenna Security, Prioritization to Prediction, RiskRecon, State of Software Security, Veracode
April 30 – May 2 | SIRAcon | Cincinnati, OH
Over the last year the Cyentia Institute has worked with multiple partners and the data they’ve collected to study various aspects of risk. This talk draws from that research, focusing particularly on three large data sets: Veracode (risk in the development phase), Kenna (risk in the operational phase) and RiskRecon (risk from third parties).
Staff: Jay Jacobs
Tag(s): Data Science, Risk Analysis
March 21 – 22 | Metricon X | Jersey City, NJ
For the last two years, Cyentia has worked with Focal Point Data Risk to study how cyber risk is communicated to the Board of Directors. Metrics are a major area of focus in that research. We will summarize our findings, seek input from the audience, and discuss how this information has been applied in corporate settings.
Staff: Wade Baker
Tag(s): Cyber Balance Sheet, Focal Point
March 21 – 22 | Metricon X | Jersey City, NJ
Why does it take so long to fix insecure code? We pair new data about the lifecycle of a vulnerability with learnings from application security programs to answer this perennial question. Our data comprises 700,000 individual assessments and a population of over 22 million unique security findings over a 12-month period, easily the largest application security data set of its size. Chris will discuss outcomes of this study with a particular focus on identifying the factors that correlate most strongly (or not at all!) with fix rates. He’ll also provide data-backed insights into the contentious question of whether DevOps is a boon or a burden for security. Jay will do a deep dive into the analysis process and some of the techniques, such as survival analysis, he applied to the data set in order to measure and visualize the outcomes we were interested in. We’ll also describe how we identified and handled anomalous customer data that would have otherwise produced skewed representations of developer behaviors.
Staff: Jay Jacobs
Tag(s): State of Software Security, Veracode
March 4 – 8 | RSA Conference | San Francisco, CA
Etiology is the study of causation, and the presenters wanted to understand why some vulnerabilities are exploited but many aren’t. Curiosity led them on a journey through tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately ended up with a few dozen data points that helped them understand the probability of a vulnerability being exploited.
Staff: Jay Jacobs
Tag(s): Kenna Security, Prioritization to Prediction
March 4 – 8 | RSA Conference | San Francisco, CA
We’re at a time of great discovery in our industry. The pace of published research and information is incredible, but who has time to read it all? We do! We analyze 1,000+ recent security industry reports using various machine learning and meta-analysis techniques to see the “forest” of knowledge through the “trees” of information. This talk will share consensus lessons found deep in that forest.
Staff: Wade Baker and Jay Jacobs
Tag(s): Global Cyber Alliance, Meta-analysis, RSA Conference, Striking Security Gold