As breach remediation costs rise, seemingly in direct proportion to the number of attackers and attacks, what are you doing to manage your cybersecurity vulnerabilities and risks? Sufficient proof is easily found to reinforce that how you respond to threats and breaches can have a significant impact on your business. For example, the 2021 Ponemon Institute Annual Cost of a Breach Report found that the average cost of a breach rose 10% to $4.24M. The report also found that it took an average of 287 days to identify and contain a data breach.

Even if you can handle the reputation hit of a breach, and even if your insurer agrees to cover a portion of the damages, do you want to be on the hook for millions of dollars in remediation and restoration costs? Prevention is easier and less expensive. Your data and intellectual property (IP) are often the most valuable assets you own, and as such are deserving of all the resources your team can muster for effective security vulnerability and risk management. Read on to learn more about the cyber risks to watch out for in 2022 and how you can plan and prepare for them.

What types of cyberattacks can you expect?

Counterintuitive, of course, because many organizations don’t expect their network to be attacked, any more than they expect it to contain dangerous vulnerabilities. You want to believe those events occur to others, not you. Right? Except competent hackers can infiltrate your network and steal your data and IP while remaining undetected.

Ransomware attacks

For several years now, ransomware attacks have been the fastest growing segment of cybersecurity breaches. Typically, criminals breach an organization and encrypt its data, rendering it unusable. Inaccessible data renders a firm unproductive and unprofitable for as long as the data remains inaccessible.
The Colonial Pipeline ransomware attack, for example, led to the shutdown of the largest fuel pipeline in the U.S., which in turn caused fuel shortages across the East Coast. Criminals also threaten to publicize intellectual property (IP) and customer information unless they receive a ransom. Although small-to-midsize businesses (SMBs) are at the most risk of criminal ransom demands, payouts can reach seven or eight figures. The highest ransom amount confirmed to have been paid is $40 million USD, by CNA Financial, in May 2021. Few SMBs can afford such extravagance.

Cloud vulnerabilities

The first researchers to discover and report on critical vulnerabilities in the cloud focused on Microsoft Azure infrastructure. In detailing the vulnerabilities, those researchers, who were with Check Point, “wanted to disprove the assumption that cloud infrastructures are secure.” And did they ever disprove it — the discovered vulnerabilities included some that received the highest possible score of 10.0. The qualitative severity ranking for a score of 9.0-10.0 is “critical.” The discovered vulnerabilities allowed malicious actors to compromise the applications and data of those using similar cloud infrastructure.

Firmware vulnerabilities

Firmware vulnerabilities expose not only the major computer manufacturers, but also their customers. Undiscovered firmware vulnerabilities are especially damaging, because they grant criminals free rein over any network on which the devices are installed, leaving networks open until the vulnerability gets reported and patched. As the number of connected devices continues to grow, Internet of Things (IoT) security becomes increasingly important to analyze.

Software vulnerabilities

Applications contain vulnerabilities. According to Veracode, 75.2% of applications have security flaws, with 24% of those considered high-severity. Common flaws include:

Information leakage.
Carriage Return and Line Feed (CRLF) injection.
Cryptographic challenges.
Code quality.
Credentials management.

Insider threats

Insider theft and trading of secrets is another growing vulnerability area. As demonstrated by recent Cisco and GE breaches, employees with perceived grievances or bad intentions can choose to steal from, or wreak all kinds of damage on, their employers’ data and networks. Carelessness and poor training also contribute to insider threats.

Cyber threats to healthcare

In recent years criminals have increasingly trained their sights on hospitals, insurers, clinics, and others in that industry. A 2016 report by IBM and the Ponemon Institute found that the frequency of healthcare industry data breaches has been rising since 2010, and that it is now among the sectors most targeted by cyberattacks globally. Whether or not the reputation is deserved, healthcare industry computer networks are often considered soft targets by malicious actors. In 2021 Armis discovered nine vulnerabilities in critical systems used by 80% of major North American hospitals. Additionally, rapid health device adoption has increased the number of available targets for malicious breachers. Numerous healthcare devices suffer security flaws, including imaging equipment. Added together, those factors point to an increase in attacks on health care institutions.

Attacks against health care networks threaten lives, not just productivity. Criminals might believe health care administrators are willing to pay ransoms faster to retrieve health data and help patients. That’s not always the case, as ransomware allegedly led to the death of an infant and was initially thought responsible for the death of a German patient. Individual medical data – name, birth date, blood type, surgeries, diagnoses, and other personally identifiable information – is particularly interesting to criminals. Once compromised, it’s impossible to restore patient privacy, just as it’s impossible to reverse the social and psychological harm inflicted.
Forgotten cyber hygiene

When IT professionals are always in stressful firefighting mode, they can’t be expected to remember everything. Sometimes patches fall through the cracks, and those vulnerabilities come back later to bite your network. Your IT department may be aware of old vulnerabilities, but just hasn’t gotten around to applying the necessary patches or closing open holes. A virtual private network (VPN) account that remained open, although no longer in use, was how criminals penetrated Colonial Pipeline. Employees had previously used that account to access the company network remotely.

How can you uncover cybersecurity vulnerabilities and risks?

It’s easy for consumers to learn what to watch for and what to avoid. They can download, for example, the Annual Data Breach Report from the Identity Theft Resource Center. You, on the other hand, have a network full of devices, endpoints, applications, and the weakest link in the security chain – users. Yes, you can lower the possibility of user negligence with cybersecurity training. Sure, you can find and read reports about currently existing threats. But without a comprehensive vulnerability management program that brings together every vulnerability scanning tool across your entire attack surface, it’s almost impossible to know what’s threatening your network right now.

How do you find a vulnerability in YOUR cybersecurity and IT environments?

Most organizations rely on several different vulnerability scanning tools to achieve full vulnerability assessment coverage over their IT environments. Most vulnerability scanning tools focus on only one specific aspect of your attack surface — network devices, web applications, open source components, cloud infrastructure, containers, IoT devices, etc. Vulnerability management teams are often left with the unenviable job of bringing these disconnected tools, and the incompatible data they deliver, together into cohesive and consistent programs.
Deploying Brinqa vulnerability management software to perform vulnerability enumeration, analysis, and prioritization allows you to effortlessly synchronize and orchestrate the best vulnerability scanning tools for your environment. The Brinqa platform is designed for data-driven, risk-based cybersecurity solutions. Brinqa includes risk models for cybersecurity problems like vulnerability management and application security; these are essentially data ontologies, developed based on industry standards and best practices, that represent these cybersecurity challenges in terms of data. Brinqa data models and risk scores are adaptive, open and configurable, and include not just vulnerability data, but also additional business context from within the organization, as well as external threat intelligence.

For example, the data model automatically considers that if a server is internal facing and is used for testing code, its priority will differ from that of an external facing server that hosts an e-commerce site and contains customer personal data. Similarly, if external threat intelligence discovers that a particular vulnerability is suddenly very popular among malicious actors and is being used to effect breaches, the data model automatically computes and assigns a higher risk score to the vulnerability.

First and foremost, we get you away from having to log into numerous different tools to bring all relevant information together and make it usable. Second, we streamline and automate your common vulnerability analysis, prioritization, and remediation use cases. That's the enormous benefit of Brinqa... The centralization is great, but once you start consolidating, enhancing, and contextualizing all of that data, you can provide a level of prioritization that takes your risk response to another level.
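The context-aware scoring described above, as an added example that is not Brinqa's own model: scanner severity is adjusted by network exposure, asset purpose, data sensitivity and a threat-intelligence "exploited in the wild" flag, then mapped to a tier and a remediation SLA. The weights, thresholds, SLA days, asset names and the placeholder CVE id are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool      # network exposure
    purpose: str               # "production" or "test"
    holds_customer_pii: bool   # business context: data sensitivity


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    cvss_base: float                  # scanner-reported severity, 0.0 - 10.0
    actively_exploited: bool = False  # set from an external threat-intel feed


# Default rule template (constructed weights, not Brinqa's). A program would
# copy and tune these values to encode its own risk appetite and SLAs.
DEFAULT_RULES = {
    "exposure_multiplier": {True: 1.5, False: 1.0},
    "purpose_multiplier": {"production": 1.0, "test": 0.5},
    "pii_bonus": 1.0,
    "exploited_bonus": 2.0,
    "tier_thresholds": [("critical", 9.0), ("high", 7.0), ("medium", 4.0)],
    "sla_days": {"critical": 7, "high": 30, "medium": 90, "low": 180},
}


def risk_score(vuln, asset, rules=DEFAULT_RULES):
    """Combine scanner severity with business context and threat intelligence."""
    score = vuln.cvss_base
    score *= rules["exposure_multiplier"][asset.internet_facing]
    score *= rules["purpose_multiplier"].get(asset.purpose, 1.0)
    if asset.holds_customer_pii:
        score += rules["pii_bonus"]
    if vuln.actively_exploited:
        score += rules["exploited_bonus"]
    return round(score, 2)


def risk_tier(score, rules=DEFAULT_RULES):
    """Map a score to the first tier whose threshold it meets; 'low' otherwise."""
    for tier, threshold in rules["tier_thresholds"]:
        if score >= threshold:
            return tier
    return "low"


def apply_threat_intel(vulns, exploited_cves):
    """Re-flag vulnerabilities that a threat feed now reports as exploited."""
    return [Vulnerability(v.cve, v.cvss_base,
                          v.actively_exploited or v.cve in exploited_cves)
            for v in vulns]


def prioritize(findings, detected_on, rules=DEFAULT_RULES):
    """findings: list of (vuln, asset). Returns work items sorted by risk,
    each carrying the SLA due date derived from its tier."""
    items = []
    for vuln, asset in findings:
        score = risk_score(vuln, asset, rules)
        tier = risk_tier(score, rules)
        items.append({
            "asset": asset.name, "cve": vuln.cve, "score": score, "tier": tier,
            "due": detected_on + timedelta(days=rules["sla_days"][tier]),
        })
    return sorted(items, key=lambda item: -item["score"])


# Constructed sample data: the same finding on an internal test box and on an
# internet-facing e-commerce server that holds customer personal data.
TEST_SERVER = Asset("build-test-01", internet_facing=False, purpose="test",
                    holds_customer_pii=False)
SHOP_SERVER = Asset("shop-web-01", internet_facing=True, purpose="production",
                    holds_customer_pii=True)
EXAMPLE_VULN = Vulnerability("CVE-XXXX-EXAMPLE", cvss_base=6.5)  # placeholder id
DETECTED_ON = date(2021, 12, 10)  # constructed detection date


def example_work_items(exploited_cves=frozenset()):
    """Run the sample finding through the model, optionally with threat intel."""
    (vuln,) = apply_threat_intel([EXAMPLE_VULN], exploited_cves)
    return prioritize([(vuln, TEST_SERVER), (vuln, SHOP_SERVER)], DETECTED_ON)


if __name__ == "__main__":
    for item in example_work_items():
        print("before threat intel:", item)
    for item in example_work_items({"CVE-XXXX-EXAMPLE"}):
        print("after threat intel: ", item)
```

The same CVSS 6.5 finding lands as "low" with a 180-day SLA on the test server and as "critical" with a 7-day SLA on the shop server; a threat-feed hit lifts even the test server to "medium".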
Beginning with generic, out-of-the-box rules based on best practices, the environment allows every Brinqa customer the flexibility to tailor analysis to their needs, essentially giving them a self-service mechanism to implement their own cybersecurity service level agreements (SLAs). The default rules are like templates or starting points, which you adjust and configure as necessary. It is ineffective and inefficient to make decisions on an ad hoc, case-by-case basis about what should be fixed and in what order. Once you implement Brinqa, your automated vulnerability remediation and cyber risk response processes deliver effective, consistent, and reliable results. Spend a little time (no money) to see how simple solving a major headache can be, with a free trial.

Frequently Asked Questions:

What is vulnerability scanning?
Vulnerability scanning is the detection and classification of potentially exploitable points on network devices, computer systems, and applications.

What is vulnerability remediation?
Vulnerability remediation includes the processes for determining, patching, and fixing cybersecurity weaknesses that have been detected in networks, data, hardware, and applications.

What is NVD?
The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

What is CVE?
Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed cybersecurity vulnerabilities that is free to search, use, and incorporate into products and services.

What is CRLF?
Carriage Return and Line Feed (CRLF) injection is a web application attack in which an attacker inserts carriage return and line feed characters into input that the application copies into HTTP headers, log entries, or other line-delimited output, so that the injected text is interpreted as a new header or record.
Brinqa is actively investigating the impact of the Log4j library vulnerability CVE-2021-44228, disclosed on Dec 9 2021, and the associated CVEs (CVE-2021-45046, CVE-2021-4104). This bulletin contains the latest information as it pertains to the impact of these vulnerabilities on Brinqa and will be updated as new information becomes available. We have been continuously monitoring for Log4j exploit attempts in our environment. At this time, we have not detected any successful Log4j exploit attempts in our systems or hosted solutions. We will continue to monitor our environment for new vulnerability instances and exploit attempts and will update this page as we learn more. The Cybersecurity and Infrastructure Security Agency (CISA) provides a useful summary of Log4j vulnerability guidance that customers may want to reference in addition to any product and version specific recommendations from your Brinqa customer success team. If you have any questions or concerns, please feel free to reach out to us at security@brinqa.com
What does cybersecurity mean to your business? This might seem like an odd question, but how an enterprise responds to it can say a lot about the culture and practice of cybersecurity within that organization. There are many different ways to ask the same question — Which function does cybersecurity report to within the enterprise? Who are the internal clients of cybersecurity? Does cybersecurity leadership have a voice at the highest levels of corporate decision-making?

There are two main schools of thought about the role and orientation of cybersecurity within the enterprise. The traditional school places cybersecurity within the Information Technology (IT) function of a business. In this model cybersecurity reports to IT, IT is the internal client for cybersecurity, and the CISO might report up to the CTO or CIO. It’s easy to see why one might make this association. IT and cybersecurity professionals often have similar or adjacent skillsets and overlapping educational and professional backgrounds. Both functions often deal with highly technical, specialized, and complex information and processes. However, the goals and KPIs of IT and cybersecurity are not only unaligned, they are often in direct conflict. The internal clients for IT are other business functions that essentially pay for the various technology assets (applications, servers, cloud instances, etc.) required to keep the enterprise running. IT performance is evaluated by how seamlessly, continuously, and cheaply they are able to deliver their services. IT doesn’t really have visibility into or an understanding of how these assets are being used by the business, what kind of data they process, or which critical business functions they support.
When cybersecurity comes to IT and tells them that a particular technology asset or part of the IT infrastructure has problems or weaknesses that could be exploited by malicious actors, they have to weigh the benefits — stopping a potential attack that may or may not happen — against the costs — resources allocated to fix the problem, unhappy internal clients due to technology assets being unavailable during fixing, valuable time spent fixing and validating the issue. This is a hard sell and essentially amounts to self-regulation. A significant percentage of breaches exploit known vulnerabilities and weaknesses within an organization. Looked at through this lens, it's not difficult to see how such problems can go unaddressed.

The modern school of thought recognizes cybersecurity as its own independent vertical within the enterprise — like sales, marketing, HR, or any other function whose purpose is to help the business function and thrive. In this model, cybersecurity has various different business functions as internal clients, and the CISO might have a seat at the C-level table. Cybersecurity informs business stakeholders of the risks they face as a result of the technology infrastructure they utilize. The business stakeholders provide the context necessary for informed risk triage and collaborate with cybersecurity to identify which vulnerabilities or weaknesses pose the biggest threats to the part of the business they own. These prioritized risks are then sent to IT for remediation. Cybersecurity provides guidance to IT on how they may remediate or mitigate a particular problem. Since risk remediation or mitigation is being driven by the business stakeholders, IT is incentivized to fix these problems. Risk-based cybersecurity is a methodology for program design that can help organizations put this modern approach into practice.
By putting an emphasis on incorporating business context in the risk analysis process and data models, and by ensuring that business stakeholders are involved in the decision chain, risk-based cybersecurity programs provide a shared space where IT, business, and cybersecurity can come together and collaborate.
I'm proud and excited to announce that Brinqa has raised $110 Million in growth capital from leading global venture capital and private equity firm Insight Partners. This is our first institutional investment and represents a significant milestone for the company. Brinqa was bootstrapped and remained founder-backed as we shaped the Cyber Risk Management space, achieved strong organic growth and profitability, and acquired some of the biggest brand names in the world as customers. This new injection of funds combined with Insight Partners' ScaleUp expertise will fuel the next stage of our growth and accelerate ongoing efforts to make Brinqa an essential, unifying component of every enterprise cybersecurity ecosystem. Our mission, values, and objectives as a company remain the same; this partnership will help us achieve them faster and better. We decided to take this step with Insight Partners because of how aligned they are with our vision for Brinqa and the priority of long-term and short-term goals. We firmly believe that Brinqa is an essential platform for all enterprise cybersecurity organizations. As digital transformation proliferates across industries and saturates every aspect of business, the IT infrastructure to enable and the security ecosystem to protect become larger and more complex. Imagine a scenario where hundreds of different teams, systems, and programs — each focused on a task so demanding and technical that it requires specialized skills and tools — work towards the same overarching goal but rarely communicate with each other. Unfortunately, this is often the reality for most cybersecurity organizations. To be effective and a true contributor to business success, it must function as ONE TEAM aligned in purpose, connected in data, and transparent in communication. This is the vision that Brinqa helps our customers achieve. 
We know that this is possible because we have proven it at some of the world's largest and most complex enterprise IT environments. We are fortunate to count among our customers three out of the five largest retail companies in the world, the largest healthcare providers in the US, and the most prominent global brands in technology, financial services, insurance, healthcare, manufacturing, aviation, and critical infrastructure. This partnership will help us bring this vision to cybersecurity practitioners and organizations everywhere. The capital infusion will be used to accelerate sales and marketing initiatives, enhance customer experience and community building, and strengthen partner and channel ecosystems. I am so thankful to the Brinqa family — our employees, customers, and partners. You are the source of the immeasurable hard work, innovation, creativity, and conviction it has taken to reach this huge milestone, and all credit for this accomplishment goes to you. I am excited as we embark on this next stage of our journey and look forward to achieving greater heights together.
Microsoft Exchange Zero-Day Attackers Spy on U.S. Targets
Microsoft has spotted multiple zero-day exploits in the wild being used to attack on-premises versions of Microsoft Exchange Server.

Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes
The first Patch Tuesday security bulletin for 2021 from Microsoft includes fixes for one bug under active attack, possibly linked to the massive SolarWinds hacks. Microsoft addressed 10 critical bugs, one under active exploit and another publicly known, in its January Patch Tuesday roundup of fixes. In total it patched 83 vulnerabilities.

Critical Cisco SD-WAN Bugs Allow RCE Attacks
Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks (SD-WAN) solutions for business users.

SonicWall Breach Stems from ‘Probable’ Zero-Days
SonicWall is investigating 'probable' zero-day flaws in its remote access security products that have been targeted by 'highly-sophisticated' attackers. The company says it is investigating the attack and will update customers within 24 hours.

Cisco DNA Center Bug Opens Enterprises to Remote Attack
A cross-site request forgery (CSRF) vulnerability in the Cisco Digital Network Architecture (DNA) Center could open enterprise users to remote attack and takeover. The high-severity security vulnerability (CVE-2021-1257) allows cross-site request forgery (CSRF) attacks.

Industrial Gear at Risk from Fuji Code-Execution Bugs
Industrial control software (ICS) from Fuji Electric is vulnerable to several high-severity arbitrary code-execution security bugs, according to a federal warning. Authorities are warning the flaws could allow physical attacks on factory and critical-infrastructure equipment.
Adobe Fixes 7 Critical Flaws, Blocks Flash Player Content
Adobe Systems has patched seven critical vulnerabilities, which impact Windows, macOS and Linux users. The impact of the serious flaws ranges from arbitrary code execution to sensitive information disclosure.
In a recent alert from the National Cyber Awareness System (NCAS), three government agencies — the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the broader US government — came together to provide technical guidance to public and private sector organizations to prioritize the patching of commonly known vulnerabilities exploited by foreign cyber actors. As part of this guidance, the alert identifies the 10 most exploited vulnerabilities from 2016 - 2019. The alert also addresses emerging risks based on vulnerability exploit trends in 2020 so far. Here are three observations from the alert.

Old Vulnerabilities Persevere

In an analysis of the 10 most exploited vulnerabilities between 2016 and 2019, two older vulnerabilities (CVE-2012-0158 and CVE-2015-1641) made the cut. As indicated in the alert, this points to systemic problems with existing vulnerability management processes. It is difficult to rationalize why old vulnerabilities with known exploits and fixes continue to exist and be taken advantage of by malicious actors. Remediating vulnerabilities is certainly not a trivial task. Remediation can require a significant investment of time and effort, with security professionals having to balance the need to mitigate vulnerabilities with the mandate to keep systems running and ensure installed patches are compatible with other software. However, effective vulnerability management processes should make such vulnerabilities a top target for remediation, and guide practitioners with effective and efficient ways to implement remediation. The two older vulnerabilities mentioned are just the tip of the iceberg, and the alert expects this trend to continue, citing that 'state cyber actors may continue to incorporate dated flaws into their operational tradecraft as long as they remain effective’.
Microsoft Remains a Big Target

It should be no surprise that Microsoft products, with their wide adoption across enterprise and personal users, are a big target for malicious actors. However, seven out of the top 10 exploited vulnerabilities between 2016 - 2019 affecting Microsoft products should be a wakeup call for practitioners. Three of these vulnerabilities are related to Microsoft’s Object Linking and Embedding (OLE) technology that allows documents to contain embedded content from other applications such as spreadsheets. This observation points to a widespread need for organizations to better understand and track the components that make up their IT infrastructure. While remediation can be time-consuming, robust vulnerability management programs should be able to provide instant insights into the prevalence and impact of these risks. How many of our IT assets have these vulnerable products or frameworks installed? What is the significance of these assets to our organization (what data do they store, what business processes do they support)? It should be possible for every vulnerability management program to answer these questions on demand, at a moment’s notice.

Malicious Actors Adapt to Changes FAST

In addition to the top 10 exploited vulnerabilities between 2016 - 2019, the alert also highlights the vulnerabilities being routinely exploited by sophisticated foreign cyber actors so far in 2020. With the COVID-19 pandemic forcing the most drastic change in workplace norms in recent times and bringing an abrupt shift to work-from-home for large parts of the workforce, it’s no surprise that VPN solutions and cloud collaboration services are big targets for malicious actors. We have all heard news reports about troublemakers being able to ‘bomb’ open Zoom meetings. There has also been scrutiny of Zoom’s privacy and encryption policies.
There have been reports of malicious actors targeting organizations whose hasty deployment of Microsoft O365 may have led to oversights in security configurations, leaving them vulnerable to attacks. These reports point to some systemic cybersecurity challenges. Malicious actors are extremely resourceful, well-coordinated, and opportunistic. Security practitioners should always expect that malicious actors will respond to any change in the status quo faster than software and security vendors can. It takes time for software vendors to roll out patches, and security practitioners should have a plan in place to manage the risk posed to them between vulnerability discovery and remediation. This also underscores the dire need for better employee cybersecurity education and effective system recovery and contingency plans. Be sure to read the full alert notice here for mitigations and more details.
This is the first year that Brinqa has participated in the Forrester Wave™: Vulnerability Risk Management study, and we are extremely happy to be recognized as Forrester reshapes the traditional vulnerability scanning market to better reflect modern vulnerability risk management! Some thoughts from our participation in this process…

An ecosystem approach to Vulnerability Management

According to Forrester “vendors with improved prioritization and reporting are pushing the market forward”; however, coming from a traditional network vulnerability scanning background appears to still be critical to achieving ‘leader’ status. Brinqa customers have invested in the best scanning solutions (often more than one) for their environment, and they like the results, so we partner with these vendors – who have perfected their capabilities over 15+ years. This is particularly relevant when we consider that the scope of modern VRM programs has expanded to include applications (SAST, DAST, SCA), cloud, configurations, and containers. The best vulnerability management results across the extended scope are realized by leveraging an ecosystem of tools and vendors, each addressing a specific part of the process in the best way possible. Brinqa Vulnerability Risk Service integrates with 150+ security, asset, and threat intelligence sources, enabling customers to get more out of their entire security environment without having to start over with one more disconnected solution.

Remediation is key

If you haven’t read the report, Forrester’s four-stage process for Vulnerability Risk Management remains the same and is spot on:

1) Asset management
2) Vulnerability enumeration
3) Prioritization
4) Remediation

Each stage is critical to building a risk-aware vulnerability management program, and in combination they eliminate the biggest threats to your business faster.
By transforming all vulnerability, asset, and threat data into knowledge-driven insights, organizations realize better prioritization, remediation, and ultimately mitigation of risks. This year, remediation was dropped from Forrester’s scoring criteria, and we would argue that it should have been included. Risk-aware remediation is the key to shifting to proactive and automated management of cyber risk, aligning information security processes with the organizational goal of building and growing a business. Risk-aware remediation increases productivity by automating the proactive management of cyber risk, and is absolutely essential for scale!

Cyber risk is unique

Forrester’s focus this year was prioritization, and they were very clear on asset criticality, vulnerability severity and network exposure being the critical underpinnings. We agree, and find our customers generally start with this subset of security data and leverage our out-of-the-box (OOB) risk model to prioritize vulnerabilities for remediation. However, they very quickly want to bring in more security data from the plethora of solutions (certificate management, endpoint protection, patch management, SIEM, etc.) that they’ve invested in to add more nuance to risk analysis. The resulting adjusted risk model truly informs their unique risk posture. It’s impossible to effectively prioritize risk without the right underlying components and a complete risk model that connects everything to establish a common risk language. Scoring 13 vendors based on a common set of criteria is tough. Some vendors excel at scanning, some focus on prioritizing and remediating cyber risk while leaving the scanning to others, and some vendors specialize in specific infrastructure monitoring areas such as digital footprinting. Hats off and a big thank you to Forrester for helping organizations navigate through the process of making their vulnerability management processes risk-aware!
Learn more about how Brinqa addresses the capabilities outlined in the 2019 Forrester VRM Wave™.

How Brinqa addresses the technical capabilities outlined in The Forrester Wave™: Vulnerability Risk Management (VRM) Q4 2019 study

Access the full 2019 Forrester Wave™: Vulnerability Risk Management report here.
Brinqa has been named as a ‘Contender’ in the Forrester Wave™: Vulnerability Risk Management study released in Q4 2019. This is Brinqa’s first placement in this annual study conducted by Forrester to evaluate the competitive landscape of this crucial cybersecurity field. While we may not entirely agree with the methodology used, we are grateful and appreciative of the opportunity to participate in this study. We also commend Forrester for their efforts to reshape the traditional vulnerability scanning market to better reflect modern vulnerability risk management programs. The analyst team has done an excellent job of outlining the critical product capabilities used to compare vendors in this space. Practitioners should look to these criteria not only as they evaluate vendors but also as they assess the effectiveness and maturity of their existing Vulnerability (Risk) Management processes. Read on to learn how we at Brinqa recommend organizations interpret and implement these critical capabilities for effective vulnerability risk management. Please note that this does not, in any way, represent Forrester’s position on these criteria.

Vulnerability Enumeration

Vulnerability enumeration capabilities determine how accurately, efficiently, and completely a VRM program identifies and catalogues the vulnerabilities and weaknesses in an organization’s IT infrastructure. As each enterprise IT environment is unique, organizations should focus on ensuring that all significant components of their infrastructure are covered and accounted for. Brinqa implements this function by utilizing our vast collection of integrations to the leading vulnerability scanning and assessment products. We take a vendor-agnostic approach that allows our customers to leverage the tools that best suit their environment and scanning requirements.
This means providing the most comprehensive integrations with security tools for each important facet of the IT infrastructure:

Networks — BeyondTrust, Digital Defense, OpenVAS, Qualys, Rapid7, Tenable, Tripwire, VulnDB
Applications — Acunetix, BurpSuite, Checkmarx, Contrast Security, Fortify, IBM AppScan, Netsparker, Qualys WAS, Rapid7 Appspider, Sonatype, Synopsys, Veracode, Whitehat, Whitesource
Cloud — AlertLogic, Amazon Inspector, Prisma Public Cloud
Containers — AquaSecurity, Twistlock
Configurations — Microsoft SCCM, Qualys PC, Tripwire Enterprise
Mobile — NowSecure
Bug Bounty — BugCrowd, Synack
Penetration Testing — Generic Flat File, Direct-to-database

However, effective vulnerability enumeration is about more than just collecting vulnerabilities. To handle real-world scenarios (scanner replacement, separate scanners for internal vs. external assets, M&A activity, passive scanning, deduplication, false positives), organizations need advanced data management capabilities. The Brinqa solution allows organizations to normalize vulnerability data from disparate assessment tools to a common, standardized ontology. This is essential for implementing consistent vulnerability risk management practices across the entire scope of the program. The solution enables configurable scoping so that organizations can focus on the most critical infrastructure components and vulnerabilities first, and then gradually expand their program. In the case of overlapping scanning or assessment tools, the solution provides features to de-duplicate and coalesce vulnerability records from multiple sources.

Digital Footprinting

Digital footprinting can help organizations gain an understanding of which of their assets are publicly accessible and which are relatively protected behind firewalls and DMZs. This classification should be established, if possible, and used to inform determinations of asset criticality, ownership, escalation chains, SLAs, and other operational considerations.
Brinqa Vulnerability Risk Service implements this function through integrations with asset discovery services like BitSight and incorporates an organization’s digital footprint (including determination of publicly accessible assets) into VRM processes. The real power of the solution is in operationalizing an organization’s digital footprint towards better asset management and hygiene. Rogue (or unknown) assets can be organized and monitored through rules that ensure the footprint matches the asset source of truth, and that trigger automated tasks and tickets for corrective actions when necessary. Because the digital footprint updates in near-real time, it can be used to detect new or unmanaged assets, which can then be automatically assigned to the appropriate asset groups or risk owners.

Asset Criticality (or better yet, Asset Management)

An organization’s ability to correctly assign asset criticality directly impacts the accuracy and soundness of risk-based vulnerability prioritization. However, we would argue that asset management (and not just asset criticality) is a crucial function that VRM teams and programs should address with great attention. Effective asset management is accurate (results in an exhaustive inventory of all the assets in the scope of the program), comprehensive (covers every relevant factor of asset identity and usage), and functional (includes criticality, ownership, escalation chains, and all other operational aspects). Asset management is likely the least standardized component of VRM programs. Almost every organization represents, classifies, and tracks assets in its own unique way. Further, asset information resides in a variety of systems and programs all across the organization.
Brinqa addresses this unpredictability by (a) providing a comprehensive asset data model that represents the most common technical factors (type, vendor, network segment, operational status, internal/external, publicly accessible) and business impact factors (data classification, monetary value, supported business services, compliance requirements, location, data center, business unit), and (b) providing a completely dynamic, extensible data model (enabled by our graph database backend) so that organizations can easily incorporate any factors that are unique to them. This information is populated through purpose-built integrations with a variety of systems — Asset Discovery (Nmap), CMDB (BMC, Cherwell, HP, ServiceNow), Network Management (RedSeal, InfoBlox), and GRC (Archer). Often this information resides in other programs (data protection, business impact analysis, disaster recovery) or in proprietary systems and is collected using flat file, LDAP, or direct-to-database connectors. The asset criticality calculation is part of the extensible data model and can be modified by administrators to accurately reflect the organization’s IT environment. This ensures complete transparency and control over the determination of asset criticality.

Network Exposure

Accurately determining network exposure can help organizations understand the true structure of their network infrastructure and establish the relationships and dependencies between assets that can be leveraged for attack path analysis. Building this information into the risk analysis model gives organizations a true picture of the risk associated with a vulnerability or asset. Brinqa Vulnerability Risk Service implements this function through integrations with network management (Cisco, InfoBlox, RedSeal) and CMDB (BMC, Cherwell, HP, ServiceNow) systems to present a complete picture of the network architecture. Network metadata (network criticality, type such as DMZ, whether an asset is leap-froggable, whether it is accessible from untrusted networks, and so on) and attack path data (attack depth, downstream risk) can be incorporated in the risk prioritization model. The solution includes an out-of-the-box (OOB) network segmentation model, and assets can be dynamically associated with segments based on IP ranges and other factors. Organizing assets along network segments also gives IT users a perspective of vulnerability risk that aligns with their day-to-day operations.

Vulnerability Severity

The ability to accurately and expeditiously determine and incorporate threat intelligence into risk prioritization can mean the difference between a breach and a secured environment. VRM programs should ensure that factors of exploitability and indicators of compromise are evaluated continuously and that there are measures in place to trigger the appropriate workflows if any changes are detected. Brinqa leverages our vast collection of purpose-built integrations with the most common open source and commercial threat intelligence providers (Accenture iDefense, AlienVault, CrowdStrike, Digital Shadows, FireEye, NVD, Recorded Future, Secureworks, Symantec DeepSight Intelligence, TruSTAR) to establish the most accurate view of vulnerability severity. This incorporates factors like exploit availability, weaponization, zero-day status, popularity, pervasiveness, and patch availability. The solution gives administrators complete control over how various threat intelligence criteria come together to determine vulnerability severity. Intelligent correlation sifts through large volumes of threat intel to identify and incorporate those factors that have an impact on the organization’s unique technology environment.

Risk Based Prioritization

Risk based prioritization brings together all the underlying asset, vulnerability, and threat information to accurately identify and highlight the vulnerabilities that pose the biggest risks to the organization.
Risk is inherently subjective, so it’s imperative that VRM programs and teams incorporate into the prioritization process any unique aspects of the organization that have an impact on risk. Brinqa implements this function by first establishing a customer’s unique Cyber Risk Graph — a real-time representation of infrastructure and apps, a delineation of the interconnects between assets and to business services, and knowledge of overall cyber risk. This serves as the single, unified view and source of truth that drives an informed, risk-based prioritization of vulnerabilities. Brinqa Vulnerability Risk Service includes an out-of-the-box (OOB), best-practices-based risk prioritization model that customers can use as is or extend to incorporate any additional factors. The solution does this by giving administrators access to editable Groovy scripts that represent the calculation logic and provide a regulated means to referentially access the underlying cyber risk graph. This is a common design pattern for software platforms: it brings the benefits of scripting languages like Groovy (simple syntax and semantics, easy to learn and write) to the implementation of powerful customizations without the need to rely on vendor product or service teams. The flexibility and control provided by the open calculations is key to VRM success in complex and dynamic environments. Enterprise technology environments are often in flux: scope expands, asset types diversify, scanners multiply, threat intel feeds are added, business context factors become relevant. Brinqa’s open data model and risk scoring are critical to our customers’ ability to adapt and continue to deliver effective results in these scenarios. Solutions that provide rigid and prescriptive risk models cannot handle this type of dynamic environment, which is a big reason why customers choose Brinqa.
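As an added example (not Brinqa's code and not its Groovy calculation scripts), the Python below shows the kind of open, editable calculation described in this section, and also covers the multi-scanner normalization and de-duplication from the Vulnerability Enumeration section: two constructed scanner exports are normalized to one schema, coalesced per asset and vulnerability, then scored from CVSS, threat-intel factors, asset criticality and network exposure. Scanner field names, asset names, CVE ids and every weight are assumptions of this example.

```python
"""Risk-based prioritization over normalized multi-scanner findings.

Added example, not Brinqa code. Inputs are constructed: hypothetical scanner
schemas, placeholder CVE ids, and illustrative scoring weights.
"""

# --- constructed inputs -------------------------------------------------------
SCANNER_A = [  # hypothetical network scanner export: hostname plus word severity
    {"host": "portal01", "cve": "CVE-0000-0001", "severity": "Critical"},
    {"host": "build01", "cve": "CVE-0000-0001", "severity": "Critical"},
    {"host": "portal01", "cve": "CVE-0000-0002", "severity": "High"},
]
SCANNER_B = [  # hypothetical second scanner export: IP address plus numeric CVSS
    {"ip": "10.0.0.5", "cve_id": "CVE-0000-0001", "cvss": 9.8},   # same finding as portal01 above
    {"ip": "10.0.0.5", "cve_id": "CVE-0000-0002", "cvss": 7.5},
    {"ip": "10.0.0.77", "cve_id": "CVE-0000-0001", "cvss": 9.8},  # IP not in the asset inventory
]
IP_TO_HOST = {"10.0.0.5": "portal01", "10.0.0.9": "build01"}      # asset source of truth
SEVERITY_WORDS = {"Critical": 9.5, "High": 8.0, "Medium": 5.0, "Low": 2.0}

# Asset context: criticality 1-5, exposure flags, attack depth in hops from an
# untrusted network (0 = directly reachable).
ASSETS = {
    "portal01": {"criticality": 5, "publicly_accessible": True, "network": "DMZ", "attack_depth": 0},
    "build01": {"criticality": 2, "publicly_accessible": False, "network": "internal", "attack_depth": 3},
}
# Threat-intel context per vulnerability: exploit availability, weaponization,
# zero-day status and patch availability, as a VRM platform would correlate it.
THREAT = {
    "CVE-0000-0001": {"exploit_available": False, "weaponized": False, "zero_day": False, "patch_available": True},
    "CVE-0000-0002": {"exploit_available": True, "weaponized": True, "zero_day": False, "patch_available": True},
}


def normalize(scanner_a, scanner_b, ip_to_host):
    """Map both exports onto one schema: (asset, vuln_id, cvss, source)."""
    out = []
    for r in scanner_a:
        out.append((r["host"], r["cve"], SEVERITY_WORDS[r["severity"]], "scanner_a"))
    for r in scanner_b:
        host = ip_to_host.get(r["ip"], "unknown:" + r["ip"])  # unmatched IP -> unknown asset
        out.append((host, r["cve_id"], float(r["cvss"]), "scanner_b"))
    return out


def coalesce(normalized):
    """Merge records describing the same (asset, vuln): keep the highest CVSS
    and remember every scanner that reported it."""
    merged = {}
    for asset, vuln, cvss, source in normalized:
        cur = merged.setdefault((asset, vuln), {"asset": asset, "vuln": vuln, "cvss": 0.0, "sources": set()})
        cur["cvss"] = max(cur["cvss"], cvss)
        cur["sources"].add(source)
    return list(merged.values())


def risk_score(finding, asset, threat):
    """Transparent, editable score (0-100). CVSS base, then threat, business
    impact and exposure terms. Every weight is an assumption of this example."""
    score = finding["cvss"] * 4.0                 # 0..40 from severity alone
    score += 15 if threat["exploit_available"] else 0
    score += 15 if threat["weaponized"] else 0    # exploit observed in the wild
    score += 10 if threat["zero_day"] else 0
    score += 5 if not threat["patch_available"] else 0
    score += asset["criticality"] * 4.0           # 4..20 from business impact
    if asset["publicly_accessible"]:
        score += 10
    elif asset["network"] == "DMZ":
        score += 6
    score += max(0, 4 - asset["attack_depth"])    # shorter attack path, higher risk
    return round(min(score, 100.0), 1)


def prioritize(scanner_a=SCANNER_A, scanner_b=SCANNER_B):
    """Return coalesced findings sorted by descending risk. Findings on assets
    missing from the inventory get no score and sort last, flagged for
    asset-management follow-up instead of being silently dropped."""
    ranked = []
    for f in coalesce(normalize(scanner_a, scanner_b, IP_TO_HOST)):
        asset = ASSETS.get(f["asset"])
        f["risk"] = None if asset is None else risk_score(f, asset, THREAT[f["vuln"]])
        ranked.append(f)
    ranked.sort(key=lambda f: (f["risk"] is None, -(f["risk"] or 0.0)))
    return ranked


if __name__ == "__main__":
    for f in prioritize():
        print(f["risk"], f["asset"], f["vuln"], sorted(f["sources"]))
```

Note that the weaponized, lower-CVSS finding on the public portal outranks the critical-CVSS finding on the internal build server, which is the effect of adding asset and exposure context to severity alone.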
Metrics & Reporting

Comprehensive metrics and reporting capabilities are crucial to a VRM program’s ability to effectively and intuitively engage and inform all the varied stakeholders across IT, security, and business at the appropriate point in the risk lifecycle. The ability to visually communicate key risk and performance indicators through powerful metrics and reports is crucial to program success. Organizations must empower and encourage stakeholders to develop and communicate the metrics and reports that matter to them. Brinqa Vulnerability Risk Service includes an extensive library of risk and performance metrics and reports. The solution includes a sophisticated, BI-like analytics interface that is used to build all the views, reports, and dashboards in the solution. This gives users complete access to the underlying graph data model and can be used to create powerful, self-service metrics and reports with the ability to configure nearly every aspect of visualization (layout, color schemes, metrics calculations, data representation).

Role Based Management

Role-based management of access, permissions, and data is necessary to ensure that the varied stakeholders in the VRM process can work together without any risk of data compromise. Brinqa delivers fine-grained access controls within the platform that are configurable from the UI. Default roles such as Configurator, Risk Analyst, and Security Administrator are available out of the box, but most customers use a mix of default and custom roles to reflect the uniqueness of their organization. Large customers segment and define access levels based on responsibilities (executive/business owner/security), geography, business unit, and regulatory restrictions. Limiting access to data makes it easier for individuals to own, manage, and communicate risk responsibilities through a subset of vulnerability data, risk scores, metrics, and reports.
Role management capabilities and access controls are also used by enterprises and MSSPs to segregate data and knowledge, limiting who can see what on a need-to-know basis, and to control who is empowered to customize the vulnerability risk solution. Brinqa also enables UI components such as menus and dashboards to be customized based on users’ roles.

Remediation Management

While the Forrester Wave study does a good job of outlining the most important considerations for VRM programs, a crucial scoring criterion that is conspicuously missing is remediation management. While better prioritization can highlight the most important vulnerabilities in the backlog, better remediation management can significantly reduce the overhead associated with risk remediation and improve remediation effectiveness, efficiency, and consistency. Organizations should look to improve their vulnerability remediation practices and replace ad hoc decisions with well-thought-out, repeatable policies that leverage automation to achieve predictable results. Brinqa implements a rule-based ticketing mechanism for automated remediation management. Brinqa customers are encouraged to formulate policies that govern how tickets should be created and managed. These rules run automatically when new vulnerabilities are discovered. The rules allow vulnerabilities to be grouped together based on common criteria, thereby significantly reducing the volume of tickets being created (and the overhead associated with managing them). Rule configuration also allows ownership and SLAs to be set and enforced dynamically, ensuring consistency of remediation efforts. The Brinqa solution includes native ticket lifecycle management, but it is more common for Brinqa customers to use an external ITSM tool for managing ticket lifecycles. This is achieved through bi-directional integrations with leading ITSM systems (Jira, BMC Remedy, CA Service Desk, Cherwell, ServiceNow). Similar to ticket creation rules, ticket closure rules can be set up to validate risk remediation effectiveness and close tickets automatically.
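The ticket creation and closure rules described in the Remediation Management section, as an added Python example (not Brinqa's implementation): findings are grouped into one ticket per asset owner and vulnerability, the SLA follows the highest-risk finding in the group, assets with no owner go to a triage ticket, and a ticket closes only when a rescan no longer reports any of its findings. The findings, owners, risk scores, SLA bands and CVE ids are constructed placeholders.

```python
"""Rule-based remediation tickets: group, assign ownership and SLA, auto-close.

Added example, not Brinqa code. All data below is constructed and the field
names are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed findings: (asset, vuln_id, risk score 0-100) with placeholder CVE ids.
FINDINGS = [
    ("portal01", "CVE-0000-0002", 96.0),
    ("portal02", "CVE-0000-0002", 91.0),
    ("portal01", "CVE-0000-0001", 73.2),
    ("build01", "CVE-0000-0001", 47.0),
    ("build02", "CVE-0000-0001", 45.0),
    ("build01", "CVE-0000-0003", 12.0),
]
# Ownership from the asset source of truth (constructed).
OWNER_OF = {"portal01": "web-team", "portal02": "web-team", "build01": "ci-team", "build02": "ci-team"}
# SLA policy: (minimum risk score, days allowed for remediation), most urgent first. Illustrative.
SLA_BANDS = [(90.0, 7), (70.0, 30), (40.0, 90), (0.0, 180)]
TICKET_FLOOR = 20.0   # findings below this risk are tracked but get no ticket


@dataclass
class Ticket:
    owner: str
    vuln_id: str
    findings: list = field(default_factory=list)   # (asset, risk) pairs covered by the ticket
    sla_days: int = 180
    status: str = "open"


def sla_days_for(risk):
    """Return the remediation window for a risk score from the first matching band."""
    for floor, days in SLA_BANDS:
        if risk >= floor:
            return days
    return SLA_BANDS[-1][1]


def create_tickets(findings, owner_of):
    """Ticket creation rule: one ticket per (owner, vulnerability), so a fleet-wide
    flaw becomes one ticket per team instead of one per host. The SLA is set by
    the highest-risk finding in the group; unowned assets go to a triage ticket."""
    tickets = {}
    for asset, vuln_id, risk in findings:
        if risk < TICKET_FLOOR:
            continue
        owner = owner_of.get(asset, "unassigned-triage")
        t = tickets.setdefault((owner, vuln_id), Ticket(owner, vuln_id))
        t.findings.append((asset, risk))
        t.sla_days = min(t.sla_days, sla_days_for(risk))
    return list(tickets.values())


def close_resolved(tickets, latest_scan):
    """Ticket closure rule: close only when the latest scan reports none of the
    ticket's (asset, vuln) pairs; a partial fix keeps the ticket open."""
    still_present = {(asset, vuln_id) for asset, vuln_id, _ in latest_scan}
    for t in tickets:
        if all((asset, t.vuln_id) not in still_present for asset, _ in t.findings):
            t.status = "closed"
    return tickets


if __name__ == "__main__":
    tickets = create_tickets(FINDINGS, OWNER_OF)
    # Constructed rescan: web-team fixed CVE-0000-0002 everywhere, ci-team fixed only build01.
    rescan = [f for f in FINDINGS if not (f[1] == "CVE-0000-0002" or f[0] == "build01")]
    for t in close_resolved(tickets, rescan):
        print(t.owner, t.vuln_id, t.sla_days, t.status, t.findings)
```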
Brinqa was a sponsor of the Data Connectors Dallas event at the Sheraton Galleria Dallas on April 4, 2019. We were fortunate to meet some new partners, refresh old connections, and learn about the latest in what global brands and non-profits are doing to protect their network infrastructure.
Brinqa was excited to be a part of the 10th Anniversary BSides Austin event at the J.J. Pickle Research Center on March 28-29, 2019. The venue was just a couple of miles away from our headquarters office, and the room was chock-full of brilliant minds in the cybersecurity realm.
On a bustling Thursday afternoon, as the RSA 2019 Conference was winding down, more than 100 of our partners and new friends came to the Tabletop Tap House for a hosted happy hour on March 7, 2019. The venue was conveniently located across the street from the Moscone Center in San Francisco, the site of the sprawling RSA event. With relieved faces and tired feet, the revelers joined us for food, specialty cocktails, and networking.
Originally aired on Wed, Feb. 6, 2019, on Brinqa's BrightTalk Channel.

Application Risk Management is a discipline that tries to identify and remediate the most critical risks in an organization’s software infrastructure. By taking a knowledge-driven and risk-centric approach, organizations can strategically leverage their existing investment in security tools (SAST, DAST, Open Source, Penetration Testing, CMDB, Asset Management, Threat Intel, ITSM) to design application security programs that identify, prioritize and remediate the vulnerabilities that pose the biggest threats to the organization, in a highly automated and efficient manner.
Originally aired on Wed, Dec. 19, 2018, on Brinqa's BrightTalk Channel.

In part 1 (now available as an On-Demand video), Pezhman made the case for why vulnerability management is a crucial security control that all organizations must embrace. Part 2 (also available On-Demand) picked up from where he left off, with Syed elaborating on how knowledge graphs are a vital solution to vulnerability management as we tackle the challenging aspects that you and your team deal with daily. In part 3 (available On-Demand), Pezhman presented a case study detailing vulnerability management at a Fortune 100 utility company. You heard how they went from handling about 65 tickets a month manually to more than 2 thousand in 6 months, with the power of Brinqa automation in their workflow. Here in part 4, Syed will look at the nuances of risk modeling, data connectors, automation, remediation, and analytics. He discusses how they come together effectively and highlights the 10 rules of thumb for solution architects to consider as they build vulnerability management programs.
Originally aired on Wed, Dec. 12, 2018, on Brinqa's BrightTalk Channel.

In part 1, Pezhman made the case for why vulnerability management is a crucial security control that all organizations must embrace. Part 2 (also available On-Demand) picked up from where he left off, with Syed elaborating on how knowledge graphs are a vital solution to vulnerability management as we tackle the challenging aspects that you and your team deal with daily. In part 3, Pezhman presents a case study detailing vulnerability management at a Fortune 100 utility company. You’ll hear how they went from handling about 65 tickets a month manually to more than 2 thousand in 6 months, with the power of Brinqa automation in their workflow.
Originally aired on Wed, Dec. 5, 2018, on Brinqa's BrightTalk Channel.

Part 2 picks up from where Pezhman left off in part 1, with Syed Abdur elaborating on how knowledge graphs are a modern solution to vulnerability management as we tackle the unavoidable risks that your team will face. You’ll see the benefits of taking a knowledge-centric and risk-centric approach to vulnerability management, and how these impact your program’s structure and performance.
Originally aired: Wed, Nov 29, 2018, on Brinqa's BrightTalk Channel.

In the first part, we make the case for why vulnerability management is a critical security control that all modern organizations must address. We look at the timeline of the Equifax breach and how the problems leading up to it can be attributed to poor vulnerability management practices. We also discuss common challenges that most organizations face when trying to implement a vulnerability management program.
Brinqa spent two days amongst brilliant minds in Application Security and Development at the LASCON 2018 Conference on October 25-26, 2018 in Austin, TX. The event featured training, keynotes, experts sharing their knowledge, and a happy hour, complete with a mechanical bull (which has been a historic fixture at all LASCON events).

[Photo: James Walta, Brinqa's Lead Sales Engineer, at the booth at LASCON 2018]
[Photo: James Walta running a demo at the Brinqa booth at LASCON 2018]

Classic video game consoles were placed around the expo floor and hallways, and as a #HumbleBrag, Brinqa's own Troy Vera held the top score on Mario Bros. Amid all the fun and friendship, there was a true focus on the importance of a modern and serious approach to AppSec. Attendees included web app developers, security engineers, mobile developers, and information security professionals, all of whom had their own unique approach to cybersecurity. Hacker handles were the name du jour on the badges, and because curious minds love a challenge, there was a lock-picking zone to flex one's manual mischief.

[Photo: Lock picking table at LASCON 2018]

Some event-goers were dazzled with fancy socks at other booths (who isn't, right?), but the "cool" prizes were the YETI Tumblers that were won at the Brinqa booth. Here are the 4 winners:

[Photo: PJ Abrams from University of Texas System]
[Photo: Scott Trest from UFCU]
[Photo: Megan Fotter from The Home Depot]
[Photo: R. Scott Graschel from USAA]

As we packed up the booth, said our goodbyes, and exchanged business cards and LinkedIn profiles, there was a sense of community and connections that go well beyond the expo floor. To those whom we met, shared a booth demo with, and enjoyed each other's company, we appreciate the chance to share about Brinqa. Schedule a demo here and see for yourself why we are the industry's leading cybersecurity management platform.
Join us on 10/15/18 for an engaging session at the 2018 ISACA Fall Conference in San Francisco, CA, at Hotel Nikko (222 Mason Street). Mon, Oct 15, 2018, 1:15 - 2:45 PM.
Join us on 9/20/18 for an engaging session at the Cherwell Software #CGC18 event at The Broadmoor in Colorado Springs, CO. Thur, Sept 20, 2018 (Breakout Session Block 9), 10:15 AM - 11:15 AM.
How pervasive is the insider threat in your company?
The pervasiveness of the insider threat is something every company worries about. And according to the conclusions reached by Dtex Systems based on threat assessments from several global organizations, 100 percent of companies have blind spots that enable ...

HP Launches Printer Bug Bounty Program
Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers. HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program. Bugcrowd is heading up HP's new private bug bounty p...

Reddit Breached After SMS 2FA Fail
Reddit has become the latest big-name tech firm to admit to a major data breach, after hackers compromised staff accounts by intercepting SMS-based two-factor authentication codes. The firm’s CTO, Christopher Slowe, explained in a lengthy Reddit post that i...

Hacking group combines spear-phishing with mass malware campaign
A hacking group is attempting to carry out targeted attacks against nation states while at the same time using the same infrastructure to carry out spam campaigns with the intention of delivering malware. Active since at least February 2018, the att...

IoT security warning: Your hacked devices are being used for cyber crime says FBI
Internet of Things devices including routers, IP cameras and even smart locks and connected doors are being targeted by cyber criminals who are looking to exploit them as a gateway for hacking and other cyber attacks, the FBI has warned. An alert fro...
"Red Alert" Warning on US Cyber-Attacks, Now at "Critical Point" The United States' director of national intelligence issued a "red alert" warning on a dangerous new level of cyber-warfare during a Washington think tank conference. He also spoke of Russia as one of the "worst offenders" ahead of US President Trump's... Ream More Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.During the period of the World Cup, almost 25 million cyber-attacks and other cr... Ream More Telefonica breach leaves data on millions exposed Telefonica breach leaves data on millions exposed Hackers exploited a flaw at Spanish operator Telefonica early Monday and likely exposed all the personal data of millions of the company's customers. Identity and payment information – including lan... Ream More North Korean Hackers Launch New ActiveX Attacks A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group. In May, ... Ream More Vulnerability or Not? Pen Tester Quarrels With Software Maker A SpiderLabs security researcher has published details of what he considers to be a vulnerability in the RLM web application provided by Reprise Software. Reprise CEO Matt Christiano has ... Ream More Cisco patches critical vulnerabilities in Policy Suite Cisco has resolved a set of critical vulnerabilities in Policy Suite which permit attackers to cause havoc in the software's databases. This week, the tech giant released a security advisory detailing four vulnerabilities which could place enter... 
Ream More The Fundamental Flaw in Security Awareness Programs It's a ridiculous business decision to rely on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, or nation-state. Most security awareness programs are at best gimmicks that will statistica... Ream More Adobe Patches Vulnerability Affecting Internal Systems Adobe has patched what researchers describe as a potentially serious security issue in its internal systems, but the company has downplayed the impact of the vulnerability.White hat hackers at Germany-based security research firm Vulnerability Lab claim t... Ream More
"Red Alert" Warning on US Cyber-Attacks, Now at "Critical Point" The United States' director of national intelligence issued a "red alert" warning on a dangerous new level of cyber-warfare during a Washington think tank conference. He also spoke of Russia as one of the "worst offenders" ahead of US President Trump's... Ream More Russia Targeted by Almost 25 Million Cyber-Attacks During World Cup: Putin Russia was the target of almost 25 million cyber-attacks during the World Cup, President Vladimir Putin said, though he did not indicate who may have been behind the attacks.During the period of the World Cup, almost 25 million cyber-attacks and other cr... Ream More Telefonica breach leaves data on millions exposed Telefonica breach leaves data on millions exposed Hackers exploited a flaw at Spanish operator Telefonica early Monday and likely exposed all the personal data of millions of the company's customers. Identity and payment information – including lan... Ream More North Korean Hackers Launch New ActiveX Attacks A new series of reconnaissance attacks targeting ActiveX objects has been associated with the North Korean-linked Andariel group, a known branch of the notorious Lazarus Group. In May, ... Ream More Vulnerability or Not? Pen Tester Quarrels With Software Maker A SpiderLabs security researcher has published details of what he considers to be a vulnerability in the RLM web application provided by Reprise Software. Reprise CEO Matt Christiano has ... Ream More Cisco patches critical vulnerabilities in Policy Suite Cisco has resolved a set of critical vulnerabilities in Policy Suite which permit attackers to cause havoc in the software's databases. This week, the tech giant released a security advisory detailing four vulnerabilities which could place enter... 
Ream More The Fundamental Flaw in Security Awareness Programs It's a ridiculous business decision to rely on the discretion of a minimally trained user to thwart a highly skilled sociopath, financially motivated criminal, or nation-state. Most security awareness programs are at best gimmicks that will statistica... Ream More Adobe Patches Vulnerability Affecting Internal Systems Adobe has patched what researchers describe as a potentially serious security issue in its internal systems, but the company has downplayed the impact of the vulnerability.White hat hackers at Germany-based security research firm Vulnerability Lab claim t... Ream More
This Week in InfoSec we've seen phishing campaigns, ransomware, and breaches, along with some vulnerability fixes and an announcement from Cisco urging customers to patch a known vulnerability immediately.

60,000 Android devices hit with ad-clicking bot malware
A new malicious Android app has infected at least 60,000 devices, gaining the ability to extract some important information from each device along with installing some ad click malware. The scam, which was uncovered by...

Hundreds Report WannaCry Phishing Campaign
Action Fraud is warning of a new phishing campaign using the infamous WannaCry ransomware attack of May 2017 as a lure. The UK’s national cybercrime reporting center claimed on Friday that it had already received 300 reports over the previous two days about...

Oracle's latest Linux fixes: New Spectre, Lazy FPU patches beef up defenses
Oracle has released patches for the latest Spectre CPU flaws and a fix for the Lazy floating-point unit (FPU) state restore issue affecting Intel CPUs. Oracle'...

Not hackers, but exes are remotely controlling smart devices as a form of domestic abuse
One of the conveniences of smart devices such as thermostats, lights, locks, speakers, and cameras is that they can be remotely controlled. But remotely controlling smart home technology has also become a modern pattern of behavior in domestic abuse. Do you...

Thanatos ransomware: Free decryption tool released for destructive file-locking malware
Victims of a destructive form of ransomware, which fails to unlock files even if the ransom is paid, can now retrieve their files for free with a new file decryptor released by security researchers. Thanatos ransomware first started targeting Windows ...

Hundreds of Hotels Hit in FastBooking Breach
The hotel booking software provider reports an actor stole personal and payment card data of guests from hundreds of properties. FastBooking, a Paris-based provider of hotel-booking software, is alerting client hotels to a data breach in which an attacker...

Ticketmaster Breach Discovered in April
Question marks have been raised over Ticketmaster’s internal security and incident response processes after a bank revealed that it alerted the ticketing giant to a recently discovered breach in April. Mobile banking start-up Monzo claimed in a blog post on...

The 6 Worst Insider Attacks of 2018 – So Far
Stalkers, fraudsters, saboteurs, and all nature of malicious insiders have put the hurt on some very high-profile employers. If recent statistics are any indication, enterprise security teams might be greatly ...
This week in InfoSec news highlighted a plethora of new vulnerabilities and zero-day exploits. Be sure to register for our upcoming webinar, Vulnerability Analytics: The Visual Language of Vulnerability Management.

Nearly Half of All Web Apps Vulnerable to Unauthorized Access
New research from Positive Technologies has discovered that almost half (48%) of web applications are vulnerable to unauthorized access, with 44% placing users’ personal data at risk of theft. Read More

Equifax names former IBM Watson exec as new CTO
"Equifax said Thursday that it has appointed Bryson Koehler as its new chief technology officer. The move comes as Equifax works to overhaul its security systems and cope with the ongoing fallout related to its 2017 data breach." Read More

PageUp confirms some data compromised in breach
PageUp has confirmed that some data held on its clients may be at risk, after revealing earlier this month it had fallen victim to a malware attack. "Forensic investigations have confirmed that an unauthorized person gained access to PageUp systems," the company wrote at the weekend. "Although the incident has been contained and PageUp is safe to use, we sincerely regret some data may be at risk." Read More

Why Cisco doesn’t disclose flaws for months after it patches them
Cisco explains why it fixes some security flaws months before telling customers a patch is available. Cisco’s recently patched and extremely dangerous Adaptive Security Appliance (ASA) bug brought attention to a peculiarity about its security advisories. U... Read More

Improving the Adoption of Security Automation
Four barriers to automation and how to overcome them. IT has always added value through automation, but its penetration into security practices historically has been lower than in other functional areas. For example, in the just-released Oracle and KPMG Cl... Read More

Cisco patches critical Nexus flaws: Are your switches vulnerable?
Cisco patches critical Smart Install flaw: 8.5 million devices affected. Cisco has released fixes for 34 flaws in its software, including 24 that affect its FXOS software for Firepower firewalls and NX-OS software for Nexus switches. Cisco's June... Read More

Execs don’t believe their companies learn the right lessons in cybersecurity
A majority of executives around the world feel their organizations can do better when it comes to learning from their past cyber mistakes, according to the results of a newly released global survey conducted by The Economist Intelligence Unit (EIU) and Wil... Read More

Attackers Pick Microsoft Office for Zero-Day Exploits
Being top choice as an attack vector is likely not a contest any platform wants to win. Unfortunately for Microsoft, Office will not only continue to be the attackers’ vector of choice but will also be the platform for exploiting vulnerabilities, according... Read More

Four New Vulnerabilities in Phoenix Contact Industrial Switches
A series of newly disclosed vulnerabilities could allow an attacker to gain control of industrial switches. Phoenix Contact has disclosed four vulnerabilities in switches in the FL SWITCH industrial line. The affected devices are typically used in automated... Read More

[WEBINAR] Vulnerability Analytics: The Visual Language of Vulnerability Management
Vulnerabilities were the name of the game this week in InfoSec news. The number of threats and vulnerabilities is increasing at an exponential pace, so be sure to catch up on which ones were found this week.

New Threats, Old Threats: Everywhere a Threat
First-quarter data shows crypto-jacking on the rise -- but don't count out some "classic" threats just yet. Read More

The week in security: Welcome to the era of GDPR, you ready?
Years of anticipation and preparation came to a head with the commencement of the European Union’s general data protection regulation (GDPR) privacy scheme. Yet even as the new regime kicked into gear, Australian companies were still figuring out their exposure and, by some accounts, had failed to train employees how to handle GDPR data requests. Read More

Chrome 67 Patches 34 Vulnerabilities
Google this week released Chrome 67 to the stable channel to provide various improvements, including patches for 34 vulnerabilities. Read More

Jira bug exposed private server keys at major companies, researcher finds
Several tech giants and major companies are exposing private server keys, thanks to a bug in widely used development software, which could allow a hacker to gain a foothold into their corporate networks. Read More

Dozens of Vulnerabilities Discovered in DoD's Enterprise Travel System
In less than one month, security researchers participating in the Pentagon's Hack the Defense Travel System program found 65 vulnerabilities. Read More

Git Fixes Serious Code Repository Vulnerability
GitHub, Visual Studio Team Services, and other code repositories are patching to prevent attackers from targeting developer systems. Read More

Tens of Vulnerabilities Found in Quest Appliances
Researchers at Core Security say they have discovered a total of more than 60 vulnerabilities in disk backup and system management appliances from Quest. The IT management firm has released patches, but threatened to take legal action against Core if it disclosed too many details. Read More

Ticketfly yanks website offline to recover from cyberattack
Ticketfly has taken its website offline following a cyberattack which reportedly exposed customer data. Read More

Brinqa will be taking a trip across the pond next week to InfoSec Europe 2018. Make sure to pay us a visit in the US Pavilion at booth #M150. Our team of experts will be available to talk about cybersecurity risk management and give demos so you can see Brinqa in action. Get registered today for one of the biggest cybersecurity conferences in Europe. Register Here
As always it's been an eventful week in InfoSec; it seems like we can't go a week without witnessing another breach of a large, well-recognized company. Popular restaurant chain Chili's announced a breach of credit card information, while Adobe and Cisco both dropped patches and fixes for critical flaws and vulnerabilities.

Card Breach Announced at Chili’s Restaurant Chain
“Malware has harvested payment card details from some Chili's restaurants, Brinker International, the company behind the restaurant chain announced on Friday.” Read More

Chili's Fires Up Incident Response, Post-Breach
“After suffering a data incident in which the payment card information of Chili’s Grill & Bar customers was compromised, Brinker International, the restaurant chain's owner, has issued an apology, letting guests know that it is deeply sorry.” Read More

GDPR compliance deadline still a 'significant' challenge for many
“GDPR is just days away, but organisations are still struggling to meet the requirements for compliance with the incoming data protection legislation.” Read More

Cisco critical flaw warning: These 10/10 severity bugs need patching now
“Cisco is warning customers who use its new Digital Network Architecture (DNA) Center software to install newer releases that address three critical vulnerabilities that can give remote attackers access to enterprise networks.” Read More

Adobe Slings Fixes For a Further 47 CVEs
“Adobe has issued fixes for 47 CVEs, including multiple critical vulnerabilities, less than a week after it released a scheduled set of Patch Tuesday updates.” Read More

Smashing Silos and Building Bridges in the IT-Infosec Divide
“The relationship between IT and information security can be difficult to navigate: there are traditionally conflicting interests and perspectives between IT, which is responsible for making sure tools and systems work, and security, which must make sure they're protected.” Read More

Long-Term Plans to Address Risk in Energy Sector
“On the heels of the Department of Homeland Security releasing its cybersecurity strategy, the US Department of Energy has unveiled its own Multiyear Plan for Energy Sector Cybersecurity, an effort to make US energy systems more resilient and secure.” Read More

Brinqa @ Cybersecurity Summit Dallas
Brinqa had a great time talking with cybersecurity professionals this past Tuesday at CyberSecurity Summit Dallas about their cyber risk management and some of the problems they face each day.

Register for our next webinar, “Modern Vulnerability Management: Knowledge, Automation, Analytics”
With growing numbers of new vulnerabilities disclosed every year, increasing attacker sophistication, and a myriad of tools and teams that have to be synchronized for effective response, most organizations struggle with designing and implementing an effective vulnerability management program. In this webinar we discuss 3 key components that all modern vulnerability programs must address:
- Knowledge: How to create actionable intelligence from business context, threat intelligence, and any other relevant data source
- Automation: How to implement automation to streamline significant parts of the VM process
- Analytics: How to effectively engage and inform all stakeholders
Register Here
With #RSAC18 coming to a close we wanted to recap what you might have missed this week while attending. Odd-job marketplace TaskRabbit took their entire site offline after a security incident. Rather than waiting for the problem to worsen, they chose to take their site offline and require users to change their passwords. Meanwhile, a recently released report found that federal agencies are hit with more data breaches than other sectors. Lastly, Oracle released a massive CPU update with 245 new security fixes.

Three Things that Need to Change in Cyber Security
“Hardly a week goes by where there isn’t coverage of a major security breach in the media. Organisations are spending more and more money on cyber security preventive measures yet the breaches seem to keep increasing. I am often asked “what are the top things that need to change to stem this flow?”.” Read More

Federal Agencies Hit With More Data Breaches Than Other Sectors - 330 Million at Risk
“According to Thales e-Security's 2018 Data Threat Report—Federal Government Edition, US federal agencies are experiencing more data breaches than other sectors. The report reveals that 71% of IT security professionals in US federal agencies disclosed that at least one breach had occurred at their respective agencies.” Read More

TaskRabbit Takes Site Offline After Security Incident
“Odd-job marketplace TaskRabbit has taken its website offline and urged users to change any online passwords reused on the platform after a suspected breach.” Read More

Oracle Patches 254 Flaws With April 2018 Update
“Oracle’s Critical Patch Update (CPU) for April 2018 contains 254 new security fixes, 153 of which address vulnerabilities in business-critical applications.” Read More

Tackle Five Top Security Operations Challenges With Threat Intelligence
“The Industry Needs a Common Understanding of How to Best Put Threat Intelligence Into Practice. “Knowledge is of no value unless you put it into practice.” When Russian author Anton Chekhov said this more than a century ago, he very well could have been speaking of threat intelligence.” Read More

LinkedIn Vulnerability Allowed User Data Harvesting
“LinkedIn recently patched a vulnerability that could have been exploited by malicious websites to harvest data from users’ profiles, including private information.” Read More

Google's Project Zero exposes unpatched Windows 10 lockdown bypass
“Google's Project Zero researchers have published details and a proof-of-concept code for a method to bypass a Windows 10 security feature.” Read More

Brinqa is excited to be an inaugural member of the Recorded Future Connect Xchange. A great initiative for much needed collaboration between modern cybersecurity technologies. #RSAC18 Read More

The remediation gap is real. You have completed your network and application scans to identify the vulnerabilities in your technology infrastructure. Now begins the long journey from a vulnerability being identified and reported, to appropriate actions being taken to address the problem. This ‘Remediation Gap’ is the window of opportunity for attackers to exploit a weakness. According to research, vulnerabilities typically spend hundreds of days in this limbo, leaving organizations exposed to attacks. Fortunately, there are concrete steps that you can take to combat this problem. Join us for this webinar as we discuss 7 practical strategies designed to reduce the remediation gap while improving effectiveness, efficiency, and consistency, including how to:
- Ensure that remediation efforts prioritize the most critical problems
- Improve remediation coverage while reducing overhead
- Leverage existing ITSM systems and processes
- Automate significant parts of the process

Brinqa is a sponsor next week at Cyber Security Summit, which is close to home in Dallas, Texas, on Tuesday, May 15th. Make sure to stop by our booth, where we will be available for product demos and discussions around cyber risk management. Make sure to register before tickets sell out. Click Here
Delta, Sears, and Best Buy were all impacted this week by a breach at their online service provider, putting credit card info for many customers at risk of exploitation. With breaches like this occurring, it's important to look back at Q1 of this year and improve your approach. Several of this week's articles cover best practices for getting Q2 kicked off.

Improve your cybersecurity strategy: Do these 2 things
“As cybersecurity gets more dangerous and more critical to organizations of all sizes, the answer is to prioritize your resources to guard the right stuff—because you can't protect it all.”
Read More

What Changes Q1 Brought to Cybersecurity
“The first quarter of 2018, what an interesting time to be in cybersecurity! While there haven’t been any major issues (equivalent to the size of Equifax or Yahoo), there are a number of things going on in the cyber space that are worth noting.”
Read More

Panera Bread Data Leak May Have Hit Millions: Report
“Panera Bread has become the latest US restaurant chain to be exposed by poor cybersecurity after its website leaked personal data on millions of customers, according to reports.”
Read More

3 Security Measures That Can Actually Be Measured
“The massive budgets devoted to cybersecurity need to come with better metrics.”
Read More

Several U.S. Gas Pipeline Firms Affected by Cyberattack
“Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology.”
Read More

Critical Vulnerability Patched in Microsoft Malware Protection Engine
“An update released this week by Microsoft for its Malware Protection Engine patches a vulnerability that can be exploited to take control of a system by placing a malicious file in a location where it would be scanned.”
Read More

Unpatched Vulnerabilities the Source of Most Data Breaches
“Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability for which they had not yet patched.”
Read More

Delta, Sears Hit by Card Breach at Online Services Firm
“Delta Air Lines, Sears Holdings and likely other major companies have been hit by a payment card breach suffered last year by San Jose, CA-based online services provider ...”
Read More

Best Buy Impacted by Payment Card Breach
“After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider ...”
Read More
This week in InfoSec news we saw even more large companies hit with WannaCry and breaches; it's always important to stay vigilant and up to date on who and what has been affected. Investments in cloud and IoT have led to new levels of risk exposure. Learn how to cut back on your exposure by watching our most recent webinar, Vulnerability Risk Management - Lessons From the Trenches.

Breaches Missed, Companies Don't Know What They're Looking For
“Less than half of IT professionals (48%) would be fully confident knowing a breach had even happened, meaning that more could have taken place without their knowledge.”
Read More

Executives regret hasty cloud investments as risk, security issues pile up
“With NDB now law and GDPR looming, 71 percent of executives believe business risk was not taken seriously enough during cloud migration.”
Read More

Energy Sector Most Impacted by ICS Flaws, Attacks: Study
“The energy sector was targeted by cyber attacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab.”
Read More

Getting Ahead of Internet of Things Security in the Enterprise
“In anticipation of an IoT-centric future, CISOs must be rigorous in shoring up defenses that provide real-time insights across all network access points.”
Read More

Over 90% of companies expect to spend more on cybersecurity in 2018
“More than 90 percent of respondents expect to spend more on cybersecurity measures this year, up from 55 percent last year, according to the 20th Global Information Security Survey released by Ernst & Young.”
Read More

Boeing Computers Hit by WannaCry
“Aerospace giant Boeing was struck with the notorious WannaCry ransomware this week, but initial fears it had infected a production facility have since been dismissed as speculation.”
Read More

No Pain, No Gain? Seven Common CISO Pain Points and How to Fix Them
“Hackers and the latest malicious unleashing aren’t the only headaches CISOs have to deal with. LogRhythm’s Chief Information Security Officer, James Carder, explains seven common pain points – from endless meetings to inflated egos – and outlines some (pain) killer strategies to alleviate them.”
Read More

[Webinar] Vulnerability Risk Management - Lessons From the Trenches
One of the largest retailers in the world, a top 5 medical insurance firm, the largest US electric utilities provider - these are just some of the industry leaders that rely on Brinqa Vulnerability Risk Management to secure their critical assets. How do these cybersecurity organizations - representing some of the most complex, diverse and vast technology ecosystems in the world - tackle the most pressing vulnerability management problems of today?
Watch Webinar
Russian Cyberspies Hacked Routers in Energy Sector Attacks
“A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported.”
Read More

Accelerating cyber risk: Complacency is not an option
“Every day financial services organisations deal with hundreds of thousands of indicators that could evolve into a cyber incident. According to the Australian Prudential Regulation Authority, Australian financial institutions are among cyber criminals’ top targets, and the threat is accelerating. While APRA states none of the entities that it regulates have experienced a material loss due to a cyber incident, a significant breach is ‘probably inevitable’.”
Read More

The Cybercrime Crisis: Top FinTech Attack Vectors
“Consumer demand for anytime, everywhere services has resulted in over half of all transactions now coming from mobile devices.”
Read More

Cybersecurity Spring Cleaning: 3 Must-Dos for 2018
“Why 'Spectre' and 'Meltdown,' GDPR, and the Internet of Things are three areas security teams should declutter and prioritize in the coming months.”
Read More

Compliance and Your Data Center
“As a topic, regulatory compliance is unlikely to set your pulse racing. Yet for businesses, it remains incredibly important.”
Read More

Gartner Expects 2018 IoT Security Spending to Reach $1.5 Billion
“Enterprises worldwide will spend $1.5 billion this year protecting their IoT networks and connected devices against a range of security threats, according to new estimates from Gartner.”
Read More

GitHub: Our dependency scan has found four million security flaws in public repos
“GitHub says its security scan for old vulnerabilities in JavaScript and Ruby libraries has turned up over four million bugs and sparked a major clean-up by project owners.”
Read More

Breaches Missed, Companies Don't Know What They're Looking For
“Less than half of IT professionals (48%) would be fully confident knowing a breach had even happened, meaning that more could have taken place without their knowledge.”
Read More

Brinqa @ Women in CyberSecurity, Friday & Saturday
Brinqa will be at booth #907 this weekend at the Women in CyberSecurity Conference. Make sure to stop by and talk with our amazing founder Hilda Perez.

Upcoming Webinar
One of the largest retailers in the world, a top 5 medical insurance firm, the largest electrical utilities provider - these are just some of the industry leaders that leverage the Brinqa Vulnerability Risk Management solution to secure their critical assets. Join us as we talk to Brinqa solution experts to learn how these leading cybersecurity organizations tackle the most pressing vulnerability management problems of today.

Join us as we share lessons learned from down in the trenches of vulnerability risk management:
- How top risk leaders and organizations approach remediation prioritization
- How you can future-proof your vulnerability risk management program
- How to improve your security without actively scanning your assets
Register Today
This week in InfoSec news, vulnerabilities and the importance of tracking and patching were common discussions, whether you are in the healthcare industry or a large utility provider. With the number of critical vulnerabilities constantly increasing, a comprehensive approach to managing that risk needs to be implemented before the real-world consequences of breaches and fines occur.

Hospital hacks: Default passwords and no patching leaves healthcare at risk
“Poor security practice, shared passwords and vulnerabilities in software increasingly aid attackers in accessing treasure troves of sensitive personal data, warns report.”
Read More

The Most Vulnerable Assets Are Also the Hardest to Patch
“Over the past few years, cybercrime has evolved into a money-making enterprise. Threat actors are always on the lookout for the path of least resistance — using existing attack tools and often re-using the same attack method on as many victims as possible — think WannaCry or NotPetya.”
Read More

Digital transformation exposing healthcare’s insecure underbelly to increasingly voracious attackers
“As IoT attacks join malware surge, healthcare organisations must decide whether to protect their networks or just secure their data.”
Read More

Microsoft Remote Access Protocol Flaw Affects All Windows Machines
“Attackers can exploit newly discovered critical crypto bug in CredSSP via a man-in-the-middle attack and then move laterally within a victim network.”
Read More

Electric Utility Hit with Record Fine for Vulnerabilities
“An unnamed power company has consented to a record fine for leaving critical records exposed.”
Read More

Adobe patches critical vulnerabilities in Flash, Dreamweaver
“Adobe Flash Player, Connect, and Dreamweaver are the focus of this month's patch cycle.”
Read More

Cybersecurity Incident Response Still Major Issue
“Over 75% of respondents across the globe admitted that they do not have a formal cybersecurity incident response plan in place across their organization, according to research conducted by Ponemon Institute and sponsored by IBM Resilient.”
Read More

Brinqa @ SecureWorld Boston
Brinqa braved the latest Nor'easter to make our way to Boston for the SecureWorld Conference. We had a successful and safe trip once we made it!
Enjoy some great articles about the importance of good cybersecurity policies and how they can mitigate the risk of massive lawsuits. Yahoo was hit with a payout of $80 million in a securities class action settlement this week for data breaches. Brinqa also had a busy week hitting the road to local Texas conferences; be sure to check out our upcoming events!

Yahoo Agrees $80m Securities Class Action Settlement
“Yahoo has agreed to pay $80m to settle a class action suit filed by investors relating to data breaches affecting three billion customers.”
Read More

US DHS Slammed for Infosecurity Deficiencies
“The US government agency tasked with securing the nation ‘could protect its information and systems more fully and effectively,’ according to a damning new report.”
Read More

Is This The Year of Reckoning for the CISO
“... CISO must drive change in the team they surround themselves with and businesses must play their part supporting and elevating the CISO role.”
Read More

Applebee’s Hit by POS Malware
“Over 160 Applebee’s restaurants in the US may have been breached, after the franchise company overseeing them admitted it found malware on Point of Sale (POS) systems.”
Read More

Why Security-Driven Companies Are More Successful
“Software Security Masters are better at handling application development security and show much higher growth than their peers. Here's how to become one.”
Read More

Pragmatic Security: 20 Signs You Are 'Boiling the Ocean'
“Ocean-boiling is responsible for most of the draconian, nonproductive security policies I've witnessed over the course of my career. Here's why they don't work.”
Read More

If you don’t change security policies after a data breach, when will you do it?
“As if it wasn’t already bad enough that many companies are plodding along with inadequate cybersecurity policies, new research suggests that more than half of Australian businesses ...”
Read More

Millions of Office 365 Accounts Hit with Password Stealers
“Phishing emails disguised as tax-related alerts aim to trick users into handing attackers their usernames and passwords.”
Read More

Brinqa hit the road to several local Texas conferences this week, at CS4CA in Houston and BSides Austin!

Upcoming Events:
Make sure to stop by and visit us at SecureWorld Boston next week!

In this webinar we discuss how two innovative technologies, Brinqa and Netsparker, work together to create a comprehensive web application security program that helps AppSec programs identify, prioritize, remediate and report the most imminent and impactful vulnerabilities in your organization's software infrastructure.
Register Today!

One of the largest retailers in the world, a top 5 medical insurance firm, the largest electrical utilities provider, a top 5 airline - these are just some of the industry leaders that leverage the Brinqa Vulnerability Risk Management solution to secure their critical assets. Join us as we talk to Brinqa solution experts to learn how these cutting-edge cybersecurity organizations tackle the most pressing vulnerability risk problems of today.
Register Today
Enabling Better Risk Mitigation with Threat Intelligence
“In order to get the maximum benefit from threat intel you need to be able to operationalize it. Here's how.”
Read More

Leveraging Security to Enable Your Business
“When done right, security doesn't have to be the barrier to employee productivity that many have come to expect. Here's how.”
Read More

Protecting data means protecting business
“As technology continues to advance, so does the threat of cybersecurity attacks. This will require a drastic shift in perception for Australian businesses: to prioritise prevention, rather than reaction, in order to combat the various complexities of cyber-attacks.”
Read More

Cybersecurity in the Cloud Era
“As CFOs assume greater responsibilities for operational risk management, it’s critical to understand security, privacy, and compliance controls. Here’s the practical guidance needed.”
Read More

Windows Updates Deliver Intel's Spectre Microcode Patches
“Microsoft announced on Thursday that Windows users will receive the microcode updates released by Intel to patch the notorious Spectre vulnerability.”
Read More

Trustico States They Stored Private Keys for Customers' SSL Certificates
“Trustico, a reseller of SSL certificates, has stated that they stored the private keys of some of the SSL certificates it issued to its customers over the past years. This came in the form of a statement Trustico posted on its website late last night.”
Read More

Equifax hack just got worse for a lot more Americans
“An additional 2.4 million Americans have been identified as victims of the company's 2017 breach.”
Read More

GDPR: Two thirds of organisations aren't prepared for the 'right to be forgotten'
“With new EU data protection legislation just weeks away, a large number of organisations risk fines by being non-compliant.”
Read More

Half of Orgs Don't Change Security Strategy, Even After an Attack
“That’s according to the CyberArk Global Advanced Threat Landscape Report 2018, in which the security vendor surveyed 1300 IT security decision makers to explore the current state of enterprise security practices.”
Read More

Building Resilience Against Evolving Technology: An Interview With a Cyber Risk Expert
“Emerging technologies are rife with opportunities for organizations of all shapes and sizes. Self-driving cars may be some ways into the future still, but connected devices in hospitals, factories and homes are already sharing troves of data for better analytics and decision-making. Workloads are moving to the cloud, and digital personal assistants are becoming commonplace for both enterprises and consumers.”
Read More

Thorough and Consistent Post-Incident Activity Strengthens Security Posture
“The NIST 800-61 guidelines stress that IR is a cycle, not a linear process. This is exemplified by how post-incident activity feeds directly into the preparation for future events.”
Read More
As enterprises embrace the opportunities enabled by digital transformation, they also expose themselves to newer and deadlier threats. Cloud infrastructure, SaaS, explosive growth of mobile computing power, IoT and other emerging technologies are drastically changing the technology footprint and security culture for most businesses. Information security organizations, long struggling to keep up with the pace of change, are now firmly falling behind.

To address these challenges effectively, InfoSec organizations have to re-evaluate how they approach cyber security. It is critical to develop a clear understanding of the risks associated with the ever-changing technology infrastructure, and their potential to impact business adversely. By quantifying the technology risk associated with business entities, security professionals can take the most effective decisions to harden a vital business unit or secure a mission-critical business process. Effective cyber risk management can help organizations achieve these goals.

Brinqa Brings the Best in Cyber Risk Management Platforms
Brinqa Risk Platform delivers a complete set of capabilities to represent, integrate, and correlate unlimited sources of security and business data for secure and rapid analysis. The platform provides management and automation support throughout the risk analysis, identification, mitigation, validation and communication processes. With its emphasis on structure, transparency, extensiveness and adaptability, it is the perfect platform for tackling new and emerging cyber risk management problems. Brinqa applications deliver a streamlined, user-friendly experience for common cyber risk management functions:
- Consolidate: Integrate, correlate and represent data from all relevant security tools and programs.
- Contextualize: Augment technical data with business and technology context from CMDB, HR, BC/DR, Network Management, etc.
- Analyze: Integrate threat intel, implement risk scoring and prioritization models to identify the most critical vulnerabilities and assets.
- Execute: Implement remediation playbooks to automatically create and assign tickets for manual remediation. Trigger orchestration systems for automated risk mitigation.

Two critical components of any cyber risk management program are IT Asset Management (ITAM) - which serves as the source of invaluable asset information, and business and technology context - and IT Service Management (ITSM) - which serves as the engine for remediation and task management. Brinqa partner Cherwell is a leader in these fields.

Cherwell Brings the Best in ITAM and ITSM
A global leader in IT service management and IT asset management, Cherwell empowers IT to lead through the use of powerful and intuitive technology that enables better, faster, and more affordable innovation. The Cherwell Service Management platform is built from the ground up with a unique codeless architecture that enables rapid time to value, infinite flexibility, and frictionless upgrades every time—at a fraction of the cost and complexity of legacy solutions. Because of Cherwell’s focus on delivering solutions that are easy to configure, customize, and use, IT organizations extend Cherwell to solve a wide range of IT and business problems.

A Better Approach to Cyber Security
A risk-centric approach to cyber security encourages organizations to embrace a new way of looking at existing problems - one that puts emphasis on creating value, being an integral part of organizational and decision-making processes, being systematic, processing accurate and extensive information, and continuously adapting and improving. With Brinqa Risk Platform, and its crucial integration with Cherwell Service Management, you can take control of your cyber security posture, and join the growing list of businesses realizing the benefits of this new perspective on cyber security problems:
- Improved visibility into IT infrastructure and processes.
- Representation and communication of the relationship between critical business functions and technology assets.
- Prioritization of the most critical, impactful, and imminent threats and weaknesses.
- Automated, efficient and streamlined remediation efforts.
- Improved communication between teams, departments and stakeholders.

Want to learn more about incorporating Cherwell’s ITSM capabilities into your cyber risk management program? Contact a Brinqa solutions expert today.
This week in the InfoSec Roundup, Equifax is making its rounds in the news all over again. With more details surfacing about the breach and the announcement of a new CISO, it's proving that a breach can haunt you for months.

New Details Surface on Equifax Breach
“Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.”
Read More

Thousands More Personal Records Exposed via Misconfigurations
“Two more misconfigured databases exposing the personal details of thousands of people were disclosed late last week.”
Read More

IBM Patches Spectre and Meltdown for Power Servers
“IBM has finally released patches to mitigate the notorious Spectre and Meltdown vulnerabilities on its Power server line, whilst adding protection from a new flaw affecting its Notes collaboration platform.”
Read More

Zero-Day in Telegram's Windows Client Exploited for Months
“A zero-day vulnerability impacting Telegram Messenger’s Windows client had been exploited in malicious attacks for months before being discovered and addressed.”
Read More

Equifax Names New CISO
“Former Home Depot CISO takes the reins in the wake of Equifax's massive data breach and fallout.”
Read More

Cybercrime Costs for Financial Sector up 40% Since 2014
“A 9.6% increase just in the past year, and denial-of-service attacks are partly to blame.”
Read More

Financial Services Sector Breaches Triple in Five Years
“Cybersecurity challenges and risks continue to emerge as top threats to business as usual for large and small organizations alike.”
Read More

Is compliance the best insurance for managing cybersecurity risk in 2018?
“Cybersecurity challenges and risks continue to emerge as top threats to business as usual for large and small organizations alike.”
Read More

Unsecured server exposed thousands of FedEx customer records
“FedEx has exposed private information belonging to thousands of its customers after a legacy server was left open without a password.”
Read More

U.S. Government Contractors Score Poorly on Cyber Risk Tests
“Attacks against the supply chain are not uncommon. It represents the soft underbelly of large organizations that are otherwise well defended.”
Read More

U.S. Energy Department Announces Office for Cyber, Energy Security
“The U.S. Department of Energy announced this week that it’s creating a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER).”
Read More

Two Billion Files Leaked in US Data Breaches in 2017
“Nearly 2 billion files containing the personal data of US citizens were leaked last year—and that number could be significantly underreported.”
Read More
This week in InfoSec news, cybersecurity culture and best practices for companies have been brought to the forefront. Get caught up on how you can build that culture and avoid becoming the next target of 2018.

NIS and the Critical National Infrastructure Scale
“Cyber-resilience of critical national infrastructure (CNI) is now fundamental to the security and prosperity of the UK.”
Read More

NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000
“A security researcher has ported three leaked NSA exploits to work on all Windows versions released in the past 18 years, starting with Windows 2000.”
Read More

Cybersecurity report card: Why too many companies are graded 'could do better'
“The vast majority of organizations don't have a cybersecurity strategy, leaving them unable to protect against attacks due to a lack of both budget and skills.”
Read More

2017 Smashed World's Records for Most Data Breaches, Exposed Information
“Five mega-breaches last year accounted for more than 72% of all data records exposed in 2017.”
Read More

Maturity in Your Cybersecurity Culture
“ENISA recently published their Cybersecurity Culture in Organizations report, where they propose a structure for building security culture in organizations. I did participate in the review of this report, and my work in this space is referred to in the report.”
Read More

Risky Business (Part 3): The Beauty of Risk Transfer
“Previously, I’ve talked about four primary risk treatment options: mitigate, avoid, accept, and transfer. Over the history of the security industry, we’ve tended to focus on mitigation. Implementing controls is where the action is.”
Read More

20 Signs You Need to Introduce Automation into Security Ops
“Far too often, organizations approach automation as a solution looking for a problem rather than the other way around.”
Read More

Hackers Pounce on Cisco ASA Flaw (CVE-2018-0101)
“Five days after details about a vulnerability in Cisco ASA software became public, hackers have now started exploiting this bug in the wild against Cisco ASA devices.”
Read More
It was a busy week for Brinqa and the InfoSec industry. Brinqa attended AppSec California in Santa Monica, and while we were soaking up the rays, plenty of critical bugs and vulnerabilities hit the scene.

Cisco Fixes Remote Code Execution Bug Rated 10 Out of 10 on Severity Scale
“Cisco has released software patches that fix a major vulnerability affecting Cisco devices running Adaptive Security Appliance (ASA) Software.”
Read More

DNS Hijacking: The Silent Threat That's Putting Your Network at Risk
“The technique is easy to carry out and can cause much damage. Here's what you need to know about fighting back.”
Read More

New Adobe Flash Zero-Day Spotted in the Wild
“According to a security alert issued by the South Korean Computer Emergency Response Team (KR-CERT), the zero-day affects Flash Player installs 28.0.0.137 and earlier. Flash 28.0.0.137 is the current Flash version number.”
Read More

Data Encryption: 4 Common Pitfalls
“To maximize encryption effectiveness you must minimize adverse effects in network performance and complexity. Here's how.”
Read More

CISOs map out their cybersecurity plan for 2018
“What's on the short list for enterprise cybersecurity programs in the coming year? As attack vectors increase -- think IoT -- we ask information security leaders to discuss their plans.”
Read More

Cisco 'waited 80 days' before revealing it had been patching its critical VPN flaw
“A sysadmin has criticized Cisco for releasing software that fixed a high-severity bug 80 days before telling customers just how dangerous it was.”
Read More

Web Server Used in 100 ICS Products Affected by Critical Flaw
Read More

Brinqa @ AppSec California
Brinqa enjoyed the sunshine while at AppSec California. Our CEO, Amad Fida, will be speaking at the Cyber Security Summit Silicon Valley this month. Hear from Amad and other industry experts during the panel “The Compliance Nightmare: No One Gets Extra Points for Spending More to Pass an Audit”.
The best security strategy starts from the top. Shifting how executives view cybersecurity has been a popular topic this week, and no question why: with a third of global firms experiencing breaches, it's never been more important to bake security in from the beginning.

Responding in the Wake of a Cyberattack
“With cyber threats, it’s only a matter of when and not if you’re going to be impacted. Some attacks are within your control, and some aren’t, so you need to be prepared on what to do when you do become a victim.” Read More

In the Eyes of a Chief Information Security Officer
“Chief Information Security Officer (CISO)! It's a position that first appeared in the 1980s when Steve Katz was given the title while working with Citibank in New York City.” Read More

9 Steps to More-Effective Organizational Security
“Too often security is seen as a barrier, but it's the only way to help protect the enterprise from threats. Here are tips on how to strengthen your framework.” Read More

Most Companies Suffer Reputation Damage After Security Incidents
“New Kroll Annual Global Fraud & Risk Report says 86% of companies worldwide experienced security incidents and information theft and loss in the past twelve months.” Read More

Dell Advising All Customers To Not Install Spectre BIOS Updates
“The Spectre & Meltdown mess continues with Dell now recommending their customers do not install the BIOS updates that resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system instability.” Read More

The Top Five Global Cyber Security Threats for 2018
“In the year ahead, businesses of all sizes must prepare for the unknown so they have the flexibility to withstand unexpected and high impact security events.” Read More

Code Execution Flaw Impacts Popular Desktop Apps
“A remote code execution vulnerability was addressed in the Electron framework, which powers highly popular desktop applications, including Slack, Skype, Signal, GitHub Desktop, Twitch, Wordpress.com, and others.” Read More

Bell Canada Hit by Data Breach
“Bell Canada has started informing customers that their personal data has been compromised in a breach that reportedly affects up to 100,000 individuals.” Read More

Use of multiple cloud platforms makes it harder to secure digital transformation
“Cloud changes how developers build and secure apps – but using more clouds makes it harder to secure the business” Read More

Government CIOs will increase spending on cloud, cybersecurity and analytics
“Cloud solutions, cybersecurity and analytics are the top technologies targeted for new and additional spending by public sector CIOs in 2018, while data center infrastructure is the most commonly targeted for cost savings, according to a survey from Gartner.” Read More

Embracing the Cultural Shift that Comes with Secure DevOps
“As organizations strive to innovate quickly and be more agile, development teams are driven to deliver code faster and with more stability.” Read More

Over a Third of Global Firms Breached in 2017
“Over a third (36%) of global organizations were breached last year, a 10% increase from 2016, according to new figures from Thales.” Read More

Security Automation: Time to Start Thinking More Strategically
“To benefit from automation, we need to review incident response processes to find the areas where security analysts can engage in more critical thought and problem-solving.” Read More

Threat and Vulnerability Management: Sometimes You See the Bullet Coming
“Cybersecurity risk management is complicated. Threats, both known and unknown, are omnipresent. We are compelled to evaluate the likelihood of a threat exploiting a vulnerability in our organization and the possible impact the threat may have on our operations.” Read More

Basics for soaring above security challenges
“Getting the basic “must-haves” right will not only enable you to handle today’s issues, you’ll establish an approach you can build upon to soar above a future of challenges.” Read More

Brinqa @ Data Connectors Houston
The Brinqa team had a successful show in Houston this week for Data Connectors Houston.
Brinqa is a Gold Level Sponsor next week at AppSec California in beautiful Santa Monica, CA, January 30-31. Make sure to stop by our booth, where we will be available for product demos and discussions around cyber risk management. Make sure to register before tickets sell out: https://2018.appseccalifornia.org/index.php/register/
This week's roundup covers some of the continued headaches and heartaches associated with Spectre's many patches, CPU failures, and now malware that has sprung to life in the form of fake patches. Brinqa will also be attending Data Connectors in Houston next week; read on for more details.

List of Links:

BIOS Updates for the Meltdown and Spectre Patches
“As Intel, AMD, and other CPU manufacturers have started releasing CPU microcode (firmware) updates for processor models affected by the Meltdown and Spectre patches, those updates are trickling down to OEMs and motherboard vendors, who are now integrating these patches into BIOS/UEFI updates for affected PCs.” Read More

World Economic Forum Publishes Cyber Resiliency Playbook
“The World Economic Forum (WEF) has released a playbook for public-private collaboration to improve cyber resiliency ahead of the launch of a new Global Centre for Cybersecurity at the Annual Meeting 2018 taking place on January 23-26 in Davos, Switzerland.” Read More

Backdoor Found in Lenovo, IBM Switches
“A high severity vulnerability described as a backdoor has been patched in several Flex System, RackSwitch and BladeCenter switches from Lenovo and IBM.” Read More

Windows Meltdown-Spectre: Watch out for fake patches that spread malware
“Criminals have yet to exploit Meltdown and Spectre, but they're playing on users' uncertainties about the CPU flaws in their malware and phishing schemes.” Read More

Incident Readiness and Response, an Evolution in Cyber Risk Mitigation
“Most Organizations Have an Incident Response Plan, But All Too Often It is Filed Away Somewhere and Forgotten.” Read More

Most Common Exploits of 2017 in Microsoft Office, Windows
“The most common exploit affects Microsoft Office and has been used by attackers in North Korea, China, and Iran.” Read More

Who should be responsible for cybersecurity?
“Clearly, cybersecurity is everybody’s problem. It's high time this truth was recognized, starting with the executive suite on down.” Read More

Oracle Patches Spectre Flaw in x86 Servers
“Oracle has released its first update round of the year, which includes fixes for products affected by one of the recently disclosed Spectre CPU vulnerabilities.” Read More

Cloud computing: Why a major cyber-attack could be as costly as a hurricane
“The economic damage of a successful major cyber-attack against a large cloud services provider could be similar in scale to the financial impact of a destructive hurricane.” Read More

Google’s G Suite gets new dashboard to spot new threats
“Google has launched a new tool for G Suite that gives admins a quick snapshot of phishing and malware threats and trends that affect overall email security.” Read More

Meltdown-Spectre: Intel says newer chips also hit by unwanted reboots after patch
“Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too.” Read More

Cisco Patches Flaws in Email Security, Other Products
“Cisco has patched several high severity vulnerabilities, including ones that allow privilege escalation and denial-of-service (DoS) attacks, in its Unified Customer Voice Portal (CVP), Email Security, and NX-OS products.” Read More

Strong Incident Response Starts with Careful Preparation
“Through working every day with organizations’ incident response (IR) teams, I am confronted with the entire spectrum of operational maturity. However, even in the companies with robust IR functions, the rapidly evolving threat landscape, constantly changing best practices, and surplus of available tools make it easy to overlook important steps during planning. As a result, by the time an incident occurs, it’s too late to improve their foundational procedures.” Read More

Understanding Supply Chain Cyber Attacks
“While the attack surface has increased exponentially because of the cloud and everything-as-a-service providers, there are still ways in which host companies can harden supply chain security.” Read More

How to engage with the C-Suite on cyber risk management, part 4
“Creating metrics to indicate risk.” Read More

Brinqa @ Data Connectors Houston
Brinqa is a sponsor at the upcoming Data Connectors Conference in Houston on January 25, 2018! Make sure to stop by our booth, where we will be available for product demos and discussions around cyber risk management. See y’all in Houston next week! Read More
Brinqa is a sponsor at the upcoming Data Connectors Conference in Houston on January 25, 2018, kicking off the first of several events we have set for this year. Make sure to stop by our booth, where we will be available for product demos and discussions around cyber risk management. See y'all in Houston next week!

PS: If you are a cyber security professional in the greater Houston area, contact us at info@brinqa.com for complimentary access to the event.
Flaws, vulnerabilities, patches, oh my! This past week was busy in InfoSec, with serious flaws and vulnerabilities popping up left and right, followed quickly by patches. With so much going on, you may have missed some of the top stories. Check out our list below to get caught up.

Vulnerability Management: The Most Important Security Issue the CISO Doesn't Own
“Information security and IT need to team up to make patch management more efficient and effective. Here's how and why.” Read More

Hardcoded Backdoor Found on Western Digital Storage Devices
“Firmware updates released by Western Digital for its MyCloud family of devices address a series of security issues, including a hardcoded backdoor admin account.” Read More

Serious Flaws Affect Dell EMC, VMware Data Protection Products
“Data protection products from both Dell EMC and VMware are impacted by three potentially serious vulnerabilities discovered by researchers at Digital Defense.” Read More

Companies will make major enterprise-wide changes to address cyber risk
“In the face of increased cyber risks, companies are likely to take out more standalone cyber insurance policies to mitigate the threats” Read More

Adobe patches information leak vulnerability
“In comparison to Microsoft which is having a busy month patching due to Spectre and Meltdown, Adobe's latest patch update addresses only one vulnerability.” Read More

Patch Tuesday: More Work for Admins With 56 Flaws to Fix
“Microsoft heaped more work on IT administrators this week with a Patch Tuesday update round that will bring the total CVEs addressed in January to 55, including four public disclosures and one zero-day vulnerability.” Read More

Survey: Most Security Pros Aim to Patch Vulnerabilities within 30 Days
“High-profile cybersecurity incidents continue to result from the simple mistake of leaving a known vulnerability unpatched. To understand how organizations are keeping up with vulnerabilities, Tripwire partnered with Dimensional Research to survey 406 IT security professionals about their patching processes.” Read More

SCADA security: Bad app design could give hackers access to industrial control systems
“'Shocking' flaws show apps for industrial control systems are being built without enough thought for security, according to researchers.” Read More

Risky Business (Part 2): Why You Need a Risk Treatment Plan
“No company has the ability to mitigate all risks at all times. No company I’ve ever visited has even had all of its identified risks treated at any given point.” Read More

Equifax Would Have Paid $1.5bn Under New US Breach Laws
“Senators have proposed new legislation which would impose strict liability penalties on credit agencies (CRAs) in the event of a data breach.” Read More

Data Breaches Remain Top Concern for Chief Information Security Officers in 2018
“High-profile data breaches at Equifax Inc., Yahoo Inc., and Uber Technologies Inc. dominated headlines in 2017, propelling cybersecurity-related issues to the top of concerns for businesses and consumers. According to a recent report based on a survey of more than 15,000 chief information security officers (CISOs) by the Ponemon Institute, concerns over data breaches will continue to haunt companies in 2018.” Read More

Shocking new Intel flaw gives hackers full control of laptops in less than 30 seconds
“A newly-disclosed Intel security flaw impacting most corporate laptops can let hackers with physical access to a computer backdoor the device in "less than 30 seconds".” Read More

Majority of Companies Lack Sufficient IoT Policy Enforcement Tools
“Shortfall exists despite nearly all global technology enterprise companies having security policies to manage IoT devices.” Read More

How 2017 Thrusted Cybersecurity Into the National Spotlight
“What a year 2017 has been. From Shadow Brokers, WannaCry and Petya to the constant and consistent discussion about diversity in cybersecurity and tech, 2017 has been a whirlwind of changes.” Read More
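The two vulnerability management items in this roundup (the patch-management piece and the Tripwire survey on patching within 30 days) describe a goal rather than a mechanism. What follows is an added example, not Brinqa's code and not from any of the articles: a small patch-SLA tracker that maps CVSS v3 base scores to the standard qualitative ratings (Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9) and flags open findings that have exceeded an assumed per-severity deadline. The SLA day counts, the host names and the finding references are assumptions chosen for the example, and the scanner output is constructed.

```python
"""Patch-SLA tracker for scanner findings (added example, not Brinqa's code).

Severity ranges follow the CVSS v3 qualitative scale (Critical 9.0-10.0,
High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9, None 0.0). The SLA day counts
are an assumed policy chosen for illustration, not a published standard.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed remediation deadlines, in days from first detection.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    host: str          # hypothetical host name
    ref: str           # scanner's own finding reference (hypothetical)
    cvss: float        # CVSS v3 base score
    first_seen: date   # date the scanner first reported it
    fixed: bool = False


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def due_date(f: Finding) -> Optional[date]:
    """Deadline for a finding, or None for informational (score 0.0) findings."""
    sev = severity(f.cvss)
    if sev == "None":
        return None
    return f.first_seen + timedelta(days=SLA_DAYS[sev])


def overdue(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Open findings past their deadline as (finding, days_overdue),
    ordered by severity first and then by how late they are."""
    late_list = []
    for f in findings:
        if f.fixed:
            continue
        due = due_date(f)
        if due is None:
            continue
        days_late = (today - due).days
        if days_late > 0:
            late_list.append((f, days_late))
    late_list.sort(key=lambda item: (-item[0].cvss, -item[1]))
    return late_list


# Constructed sample scanner output; every value here is made up.
SAMPLE = [
    Finding("web-01", "F-1001", 10.0, date(2018, 1, 5)),
    Finding("vpn-01", "F-1002", 7.5, date(2017, 12, 1)),
    Finding("db-02", "F-1003", 5.3, date(2017, 9, 1), fixed=True),
    Finding("db-02", "F-1004", 5.3, date(2017, 9, 1)),
    Finding("ws-07", "F-1005", 2.1, date(2018, 1, 20)),
]

if __name__ == "__main__":
    for f, late in overdue(SAMPLE, date(2018, 2, 1)):
        print(f"{severity(f.cvss):8} {f.host:8} {f.ref} {late} days overdue")
```

Sorting by severity before lateness is deliberate: a critical finding one day past its deadline should sit above a medium finding that is two months late, which is the ordering a remediation queue needs.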
Happy New Year from the Brinqa team! Let's kick off the new year with some interesting InfoSec news. One week into the new year, we are already hitting the ground running. With Meltdown-Spectre affecting almost every device, and a macOS exploit that affects every macOS version released since 2002, there is a lot to cover this week!

A Pragmatic Approach to Fixing Cybersecurity: 5 Steps
“The digital infrastructure that supports our economy, protects our national security, and empowers our society must be made more secure, more trusted, and more reliable. Here's how.” Read More

17 Things We Should Have Learned in 2017, but Probably Didn't
“The worm has returned and the Yahoos have all been exposed, but did 2017 teach us any genuinely new lessons we shouldn't already have known?” Read More

Patching Takes More than a Fortnight for Many Firms
“The major WannaCry and NotPetya ransomware outbreaks of 2017 appear to have had little, if any, impact on organizations’ approach to patching, with visibility into systems still crucially missing in many cases, according to Ivanti.” Read More

macOS Exploit Published on the Last Day of 2017
“On the last day of 2017, a security researcher going online by the pseudonym of Siguza published details about a macOS vulnerability affecting all Mac operating system versions released since 2002, and possibly earlier.” Read More

Google Patches Multiple Critical, High Risk Vulnerabilities in Android
“Google patched several Critical and High severity vulnerabilities as part of its Android Security Bulletin for January 2018.” Read More

The Internet of (Secure) Things Checklist
“Insecure devices put your company at jeopardy. Use this checklist to stay safer.” Read More

DHS Admits Major Leak Affecting 247,000 Employees
“The US Department of Homeland Security (DHS) has confirmed a major privacy leak affecting nearly a quarter of a million employees as well as others associated with departmental investigations.” Read More

Windows Meltdown-Spectre patches: If you haven't got them, blame your antivirus
“Microsoft says your antivirus software could stop you from receiving the emergency patches issued for Windows” Read More

No one is safe: 5 cybersecurity trends for 2018
“The theme of cybersecurity in 2017 was "no one is safe." Any consumer who managed to emerge from the Equifax, Yahoo, OPM and a host of POS breaches unscathed should consider entering the lottery. And any company that escaped 2017 without a cybersecurity crisis should give its security team a raise.” Read More

Windows Meltdown-Spectre fix: How to check if your AV is blocking Microsoft patch
“Antivirus firms are gradually adding support for Microsoft's Windows patch for the Meltdown and Spectre attack methods that affect most modern CPUs.” Read More

Zero-day vulnerabilities hijack full Dell EMC Data Protection Suite
“Security researchers have discovered a set of zero-day vulnerabilities within the Dell EMC Data Protection Suite Family products which allow attackers to fully hijack systems.” Read More

Industry Reactions to Meltdown, Spectre Attacks: Feedback Friday
“Researchers disclosed this week the details of two new attack methods allowing malicious actors to gain access to sensitive information stored in a device’s memory by exploiting security holes in Intel, AMD and ARM processors.” Read More
As the year comes to a close, the InfoSec community looks back on another eventful and action-packed year. We hope you enjoy reading these reviews of 2017, and get ready for the new year with some great articles on how you can be better prepared in 2018.

The week in security: You’ve just been breached. Do you know what to do?
“Are you prepared for a security breach? Not if you’re among the nearly half of security practitioners and business executives that admit they have no idea what they would do once a breach was discovered.” Read More

What are IT professionals guilty of in 2017?
“New Year’s resolutions are funny things. I'd place a strong wager that as 2016 was put to bed and 2017 awoke, a great many IT professionals made promises to themselves regarding their roles, their IT environments, and how they'd make changes to ensure that the organization’s IT infrastructure would run smoother and safer than ever.” Read More

How to engage with the C-suite on cyber risk management, part 3
“In this article, we’ll deep dive into some of the metrics associated with our four-step methodology for qualifying threats and prioritizing risk (see details in part 2). The ultimate goal of metrics and controls – and of the entire security organization – is to lower risk to a palatable level for the business.” Read More

Massive Cloud Leak Exposes Alteryx, Experian, US Census Bureau Data
“A misconfigured Amazon Web Services S3 storage bucket exposed sensitive data on consumers' financial histories, contact information, and mortgage ownership.” Read More

84 Percent of Healthcare Organizations Don't Have a Cybersecurity Leader as the Industry Becomes 2018's Top Target: Black Book Study
“A recent survey conducted by Black Book Research indicated the majority of healthcare provider and payer organizations are not taking cybersecurity seriously enough. Responses included 323 strategic decision makers from the US.” Read More

Businesses Fail in Risk Modeling and Management: Report
“Poor risk management leads to a slippery slope of weak prioritization, wasted resources, and unaddressed security issues. Most businesses don't know how to quantify and manage risk, and their failures lead to repeating the same security problems and facing new, major ones.” Read More

2017 was a dumpster fire of privacy and security screw-ups
“2016 may have killed every famous person we ever cared about, but it was tame compared to the dumpster fire of security screw-ups and privacy violations that 2017 had in store. Here's our look back.” Read More

Best Practices for Building a Successful BRI Program
“Business Risk Intelligence (BRI), as I’ve written previously, is becoming a new industry standard. As someone who’s faced the limitations of cyber threat intelligence (CTI) -- BRI’s predecessor -- firsthand, I can attest to the immense value to be gleaned from abandoning CTI’s indicator-centric approach in favor of a comprehensive BRI program. But since BRI’s enterprise-wide focus is a relatively new and less-familiar concept, I realize that some organizations might be unsure of how to initiate and maintain a BRI program effectively.” Read More

Why Network Visibility Is Critical to Removing Security Blind Spots
“There's an axiom used by security professionals that states: "You can't secure what you can't see." This rather simplistic statement actually has many different meanings when it comes to securing a business because of the rapidly growing number of network blind spots that exist in today's information technology infrastructure.” Read More

Resolve to Mitigate Your Business' Digital Risk in 2018
“As we look to the New Year many of us make resolutions – getting healthier, learning a new skill, saving money, or making more time for family and friends. With 2018 just around the corner, the challenge now is to stick to that resolution and this is where many of us fail. Often the goal is too broad, or we don’t have a plan for achieving it.” Read More

Be a More Effective CISO by Aligning Security to the Business
“These five steps will help you marshal the internal resources you need to reduce risk, break down barriers, and thwart cyber attacks.” Read More

Nissan Canada Data Breach: 1.1 Million Customers Notified
“Nissan Canada’s finance business revealed on Thursday that all of its 1.13 million current and former customers may have had their details compromised in a data breach.” Read More

Here’s How to Develop a Cybersecurity Recovery Plan
“66 percent of organizations would not recover from a cyberattack if it occurred today. Is your organization prepared? Here’s what every CIO and CISO needs to know to start or improve their cybersecurity recovery plan.” Read More

CISO Holiday Miracle Wish List
“If CISOs could make a wish to solve a problem, these would be among the top choices.” Read More
As the new year approaches, many are reflecting on this year's news and events that received the most attention. 2017 was fraught with large-scale breaches and outdated or ill-planned cyber security policies. Here is a look at what was in the news this week.

WannaCry and NotPetya Had Little Impact on Security Spend
“Despite the huge impact WannaCry and NotPetya had on organizations, the two ransomware campaigns earlier this year did little to affect budgets or boardroom interest in security, according to a new study.” Read More

Post-Breach Carnage: Worst Ways The Axe Fell in 2017
“Executive firings, stock drops, and class action settlements galore, this year was a study in real-world repercussions for cybersecurity lapses.” Read More

Security in 2018: Automation, boardrooms and the Notifiable Data Breaches Act
“The security threats and breaches of 2017, from WannaCry to Petya, Equifax to DaFont, have set new records for personal data invasion and impacted hundreds of millions of people globally.” Read More

What Lies Beneath – Avoiding the Unseen Dangers of OT Vulnerabilities
“A recent Accenture survey found that 76 percent of utility executives in North America believe the country faces a moderate risk of interruption to electricity due to a cyberattack. Process control networks (PCNs) in critical infrastructure sites − refineries, chemical plants, and manufacturing facilities − all have potential danger swimming just below the surface in the form of undiscovered vulnerabilities.” Read More

Cybersecurity Incidents Hit 83% of U.S. Physicians: Survey
“A majority of physicians in the United States have experienced a cybersecurity incident, and many are very concerned about the potential impact of a cyberattack, according to a study conducted by professional services company Accenture and the American Medical Association (AMA).” Read More

Adobe Patches 'Business Logic Error' in Flash Player
“The only security update released by Adobe this Patch Tuesday addresses a moderate severity regression issue affecting Flash Player.” Read More

Microsoft fixes 33 bugs in December patch, mostly for IE and Edge
“Microsoft’s December patch update is relatively small judged by the number of vulnerabilities it fixes but there are a host of critical scripting engine flaws that affect Windows 10 Edge and Internet Explorer 11.” Read More

Cyber Risk Management simplified: Your business is your kingdom
“One of the big misconceptions about cyber security is that organisations can maximise protection by focusing their attention—and investments—predominantly on protecting the headquarters environment and physical network. In today’s era of remote workers, mobility and workplace transformation, executives who embrace this centralised approach may be undermining or missing imminent risks at their network perimeters.” Read More

Critical Flaws Found in Palo Alto Networks Security Platform
“Updates released by Palo Alto Networks for the company’s PAN-OS security platform patch critical and high severity vulnerabilities that can be exploited for remote code execution and command injection.” Read More

TRITON Malware Used in Attacks Against Industrial Safety Equipment
“Security researchers from FireEye's Mandiant investigative division have spotted a new form of malware that's capable of targeting industrial equipment.” Read More

Are You Complying with the Executive Order on Cybersecurity?
“In May 2017, the President issued an Executive Order on Cybersecurity. Among other requirements, the order holds agency heads accountable for appropriate cyber defenses.” Read More

Is Your Security Workflow Backwards?
“The pace at which information security evolves means organizations must work smarter, not harder. Here's how to stay ahead of the threats.” Read More

Perceived Data Value Varies Wildly Across Industries, Countries
“When it comes to the value placed on critical data, there is major variance in perception across countries and industry sectors.” Read More
This week in InfoSec was full of compromised data, vulnerabilities, and patches to match. Apple's big flaw leaving Macs exposed to easy hacking reminds us that critical flaws can pop up at any moment, requiring a swift response.

Imgur Confirms 2014 Breach of 1.7 Million User Accounts
“Popular image sharing community Imgur said last week it was the victim of a data breach in 2014 that exposed 1.7 million user accounts. In a breach notice posted to its website last Friday, the company said users are being notified via email that they must update their passwords immediately.” Read More

Scarab Ransomware Uses Necurs to Spread to Millions of Inboxes
“First spotted on November 23, the Scarab ransomware is being sent primarily to .com addresses, followed by co.uk inboxes. It was sent to 12.5 million email addresses in the first four hours alone, according to Forcepoint.” Read More

Newly Published Exploit Code Used to Spread Mirai Variant
“Qihoo 360 Netlab researchers reported on Friday that they are tracking an uptick in botnet activity associated with a variant of Mirai. Targeted are ports 23 and 2323 on internet-connected devices made by ZyXEL Communications that are using default admin/CenturyL1nk and admin/QwestM0dem telnet credentials.” Read More

Hackers are exploiting Microsoft Word vulnerability to take control of PCs
“Hackers are using a recently disclosed Microsoft Office vulnerability to distribute backdoor malware capable of controlling an infected system, providing attackers with the ability to extract files, execute commands and more.” Read More

No Patch Available for RCE Bug Affecting Half of the Internet's Email Servers
“A critical remote code execution flaw affects over half of the Internet's email servers, and there's no fix for it available, just yet. The bug is a vulnerability in Exim, a mail transfer agent (MTA), which is software that runs on email servers and that relays emails from senders to recipients.” Read More

Several Vulnerabilities Patched in PowerDNS
“Updates released for the authoritative nameserver and recursive nameserver components of PowerDNS patch several vulnerabilities that can be exploited for denial-of-service (DoS) attacks, records manipulation, modifying configurations, and cross-site scripting (XSS) attacks.” Read More

Critical Code Execution Flaw Found in Exim
“Serious vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks have been found in the popular mail transfer agent (MTA) software Exim.” Read More

Cybersecurity: Fighting a Threat That Causes $450B of Damage Each Year
“With recent high profile hacks of companies such as Uber, Equifax, and HBO, it’s safe to say that cybersecurity is already top of mind for many of the world’s biggest companies.” Read More

Big Apple Flaw Allows Root Access to Macs without Password
“Mac users and administrators need to be on the lookout for compromised machines after a security researcher disclosed late yesterday a big flaw in Apple's macOS High Sierra platform that allows for password-less logins to root accounts. Publicly disclosed by software engineer Lemi Orhan Ergin via Twitter, the flaw allows someone with physical access to the machine to log in as "root" by leaving the password field empty in a System Preferences unlock screen.” Read More

Conference Calls a ‘Significant & Overlooked’ Security Gap in the Enterprise
Conference calls present a significant and overlooked security gap in the enterprise, according to a new research study from LoopUp. Read More

Recently Patched Dnsmasq Flaws Affect Siemens Industrial Devices
“Some of the vulnerabilities discovered recently by Google researchers in the Dnsmasq network services software affect several Siemens SCALANCE industrial communications products.” Read More

Cisco Patches Critical WebEx Vulnerabilities
“Updates released by Cisco for components of its online meetings and video conferencing platform WebEx patch nearly a dozen vulnerabilities, including critical flaws that can be exploited for remote code execution.” Read More

Patch for macOS Root Access Flaw Breaks File Sharing
“The patch released by Apple on Wednesday for a critical root access vulnerability affecting macOS High Sierra appears to break the operating system’s file sharing functionality in some cases. The company has provided an easy fix for affected users.” Read More

First US Federal CISO Shares Security Lessons Learned
“Greg Touhill's advice for security leaders includes knowing the value of information, hardening their workforce, and prioritizing security by design.” Read More

Why it’s great news that cyber insurance is becoming more popular
“It’s not really in our nature to love competition. In fact, it’s complete animal instinct to want there to be no competition at all. This applies to business, relationships and basically every other form of human interaction. Nobody wants to compete. So you can imagine how a growth in businesses taking out cyber insurance (and therefore business insurance) could be a little concerning to certain people in the digital sphere.” Read More

New-But-Old US Bill Introduces Prison Time for Execs Who Conceal Data Breaches
“Three US senators have introduced a bill on Thursday that will make it mandatory for companies to report breaches to customers within 30 days, but also carries fines and possible prison time for execs who conceal breaches from users and authorities.” Read More

National Credit Federation leaked US citizen data through unsecured AWS bucket
“The National Credit Federation (NCF) has become the latest in a long list of companies to leave the sensitive, private data of customers exposed for all to see online. According to Chris Vickery, UpGuard Director of Cyber Risk Research, the Tampa, Florida-based credit repair firm left 111GB of internal customer information on an Amazon Web Services S3 cloud storage bucket configured to allow public access without restriction.” Read More

Siemens Patches Several Flaws in Teleprotection Devices
“Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices. The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.” Read More
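The Mirai item in this roundup names the two default telnet credential pairs and the two ports the variant targets, which is enough to build a detection. What follows is an added example, not Netlab's or Brinqa's code: it parses login records in a hypothetical, constructed log format (a real device's syslog layout will differ and the regex would need adjusting), flags attempts that use those credentials against ports 23 or 2323, and reports sources that either hammer the defaults or succeed with them. The source addresses are documentation ranges and the log lines are constructed.

```python
"""Detect Mirai-style default-credential telnet logins in log lines
(added example, not Qihoo 360 Netlab's or Brinqa's code).

The credential pairs and ports are the ones the article names. The log
format is a constructed, hypothetical one:
  <timestamp> <src_ip> telnet dport=<port> user=<u> pass=<p> result=<ok|fail>
"""
import re
from collections import Counter, defaultdict

# Credential pairs reported for the Mirai variant.
DEFAULT_CREDS = {("admin", "CenturyL1nk"), ("admin", "QwestM0dem")}
TELNET_PORTS = {23, 2323}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) telnet dport=(?P<port>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Tag a parsed record: 'compromised' (default creds accepted),
    'default-cred-attempt' (default creds rejected), or None if unremarkable."""
    if rec["port"] not in TELNET_PORTS:
        return None
    if (rec["user"], rec["pw"]) in DEFAULT_CREDS:
        return "compromised" if rec["result"] == "ok" else "default-cred-attempt"
    return None


def analyze(lines, threshold=3):
    """Per source IP, count default-credential attempts and note ports where
    they succeeded. Report sources at or above `threshold` attempts, and any
    source with a success regardless of count."""
    attempts = Counter()
    successes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tag = classify(rec)
        if tag is None:
            continue
        attempts[rec["src"]] += 1
        if tag == "compromised":
            successes[rec["src"]].add(rec["port"])
    report = {}
    for src, count in attempts.items():
        if count >= threshold or successes[src]:
            report[src] = {"attempts": count, "successful_ports": sorted(successes[src])}
    return report


# Constructed sample log: one scanner that succeeds on the third try, one
# source with a single default-credential attempt, one hit on a non-telnet
# port, and one line in a foreign format.
SAMPLE_LOG = """\
2017-11-24T10:00:01Z 198.51.100.7 telnet dport=23 user=admin pass=CenturyL1nk result=fail
2017-11-24T10:00:02Z 198.51.100.7 telnet dport=2323 user=admin pass=CenturyL1nk result=fail
2017-11-24T10:00:03Z 198.51.100.7 telnet dport=23 user=admin pass=QwestM0dem result=ok
2017-11-24T10:00:09Z 192.0.2.44 telnet dport=23 user=root pass=toor result=fail
2017-11-24T10:00:15Z 192.0.2.44 telnet dport=23 user=admin pass=QwestM0dem result=fail
2017-11-24T10:01:00Z 203.0.113.9 telnet dport=8080 user=admin pass=CenturyL1nk result=fail
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

A successful default-credential login is reported even when it is the only attempt from that source, because a device that accepted one of these pairs is already a recruit for the botnet and needs its credentials changed and firmware checked regardless of how noisy the scanner was.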
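Two items on this page (the Alteryx/Experian leak and the National Credit Federation leak) come down to the same root cause: an S3 bucket "configured to allow public access without restriction". The following is an added example, not UpGuard's, Alteryx's or Brinqa's code, showing the check a practitioner would run against a bucket's own configuration. It evaluates the two documents that decide who can read a bucket, the ACL (the structure the get-bucket-acl call returns) and the bucket policy JSON, and explains why a bucket is world-readable. Fetching those documents with boto3 is deliberately left out so the check runs offline; the ACL, policy, bucket name and CIDR below are constructed samples.

```python
"""Offline check for world-readable S3 buckets (added example; not UpGuard's,
Alteryx's or Brinqa's code). Inputs are the bucket ACL structure and the
bucket policy JSON; both samples below are constructed.
"""
import json
from fnmatch import fnmatch

# Group URIs S3 uses for "everyone" and "any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """Reasons for each ACL grant that lets a public group list or read the bucket."""
    reasons = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUPS \
                and grant.get("Permission") in READ_PERMISSIONS:
            reasons.append(f"ACL grants {grant['Permission']} to {PUBLIC_GROUPS[uri]}")
    return reasons


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_object_read(actions):
    """True if any action pattern (case-insensitive, IAM '*' wildcards) matches s3:GetObject."""
    return any(fnmatch("s3:getobject", a.lower()) for a in actions)


def policy_public_statements(policy_json):
    """Reasons for Allow statements that grant object reads to everyone.

    Statements carrying a Condition are reported separately: keys such as
    aws:SourceIp or aws:SourceVpce can narrow a "*" principal in practice,
    so they need a human look rather than an automatic verdict.
    """
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    reasons = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if not _grants_object_read(_as_list(st.get("Action", []))):
            continue
        sid = st.get("Sid", "<no Sid>")
        if st.get("Condition"):
            reasons.append(f"policy statement {sid} allows public read subject to a Condition (review manually)")
        else:
            reasons.append(f"policy statement {sid} allows public read with no Condition")
    return reasons


def assess_bucket(acl, policy_json):
    """All findings for one bucket; an empty list means nothing public was found."""
    return acl_public_grants(acl) + policy_public_statements(policy_json)


# Constructed samples: an ACL with a public READ grant, and a policy with one
# unconditional public-read statement and one restricted to an office CIDR.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:Get*"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})

if __name__ == "__main__":
    for reason in assess_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", reason)
```

The ACL and the policy are checked independently because either one alone is enough to expose the bucket: a policy with no public statement does not help if the ACL still grants READ to AllUsers, and a clean ACL does not help against a `Principal: "*"` statement. Action matching goes through wildcard expansion so that `s3:*`, `s3:Get*` and `*` are caught, not only the literal `s3:GetObject`.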
With Thanksgiving right around the corner, here is an early roundup of the week's cybersecurity news and events.

5 information security threats that will dominate 2018
“The global security threat outlook evolves with every coming year. To combat the threat in 2018, enterprises must understand these five global cyber threats.” Read More

GitHub Rolls Out Security Alerts for Developers
“Popular software development platform GitHub made it easier last week for users to spot security issues with their code, by including a new vulnerability alerts feature.” Read More

Microsoft Manually Patched Office Component: Researchers
“Microsoft engineers appear to have manually patched a 17-year-old vulnerability in Office, instead of altering the source code of the vulnerable component, ACROS Security researchers say.” Read More

Researcher Finds Hole in Windows ASLR Security Defense
“A security expert found a way to work around Microsoft's Address Space Randomization Layer, which protects the OS from memory-based attacks.” Read More

Crypto-Currency Firm Tether Loses $30m to Hackers
“Crypto-currency firm Tether has become the latest to suffer a damaging cyber-attack, claiming hackers have made off with over $30m worth of tokens.” Read More

Intel: We've found severe bugs in secretive Management Engine, affecting millions
“Thanks to an investigation by third-party researchers into Intel's hidden firmware in certain chips, Intel decided to audit its firmware and on Monday confirmed it had found 11 severe bugs that affect millions of computers and servers.” Read More

Uber Shock: Firm Hid Breach of 57 Million Users
“The information security industry is in shock after Uber confessed to a massive data breach affecting 57 million customers and drivers around the globe, which it concealed last year by paying off the hackers.” Read More

HP to Release Patch This Week for Printer Security Bugs
“HP said it would release firmware patches later this week for several security bugs reported to the company by various cyber-security experts.” Read More

Apple Patches USB Code Execution Flaw in macOS
“One of the vulnerabilities addressed by Apple in its latest set of security patches for macOS is an arbitrary code execution flaw, which could be exploited via malicious USB devices.” Read More

Happy Thanksgiving
We are immensely thankful for our amazing colleagues, customers and partners! We wish you and your family a time of togetherness, gratitude and joy.
November Patch Tuesday, the role of the board in cybersecurity… find these and other interesting updates and news in this week’s InfoSec roundup.

The Board’s Role in Managing Cybersecurity Risks
“Cybersecurity can no longer be the concern of just the IT department. Within organizations, it needs to be everyone’s business — including the board’s.” Read More

Mobile Malware Incidents Hit 100% of Businesses
“Attempted malware infections against BYOD and corporate mobile devices are expected to continue to grow, new data shows.” Read More

Critical Flaw Exposes Cisco Collaboration Products to Hacking
“A dozen Cisco collaboration products using the company’s Voice Operating System (VOS) are exposed to remote hacker attacks due to a critical vulnerability, users were warned on Wednesday.” Read More

Terdot Banking Trojan Spies on Email, Social Media
“Terdot Banking Trojan, inspired by Zeus, can eavesdrop and modify traffic on social media and email in addition to snatching data.” Read More

Google Home and Amazon Echo hit by big bad Bluetooth flaws
“Google and Amazon have rolled out patches for their respective smart home speakers, Home and Echo, to plug the widespread Bluetooth flaws known as BlueBorne.” Read More

Forever 21 Informs Shoppers of Data Breach
“Forever 21 has notified customers of a credit card breach affecting certain stores. Shoppers who used payment cards between March 2017 and October 2017 may be affected.” Read More

Adobe patches 67 vulnerabilities in Flash, Reader
“Adobe's latest security update has swatted a total of 67 bugs, some of them critical, in Adobe Flash, Acrobat, and Reader.” Read More

Oracle Patches Critical Flaws in Jolt Server for Tuxedo
“Oracle informed customers on Tuesday that it has patched several vulnerabilities, including ones rated critical and high severity, in the Jolt Server component of Oracle Tuxedo.” Read More

Retailers Beware: 50 Million Fraud Attacks Expected Next Week
“Experts are predicting an astonishing 50 million global fraud attempts next week as scammers look to capitalize on a busy shopping period to slip past fraud filters.” Read More

Fasten Database Error Exposed One Million Customers
“A popular US ride-hailing service has become the latest firm to publicly expose customer details after researchers found data on an estimated one million users of the service and thousands of drivers.” Read More

Security vulnerability in IoT cameras could allow remote control by hackers
“Newly uncovered vulnerabilities in a popular brand of indoor internet-connected cameras could be exploited by attackers in order to gain complete control of the device.” Read More

7 Assumptions CIOs Make that Impact Cybersecurity
“We’ve all heard the question “what keeps you up at night?” And of course every vendor and consultant has exactly what’s needed to let us get some much-needed shut-eye. All of their technologies and strategies play a role in the concepts below. Seasoned CIOs will look at this list and see them as obvious.” Read More
We have lots of interesting news and updates in this week's InfoSec roundup. With ever-evolving and increasing cyber threats, it is more important than ever to address cyber risk proactively, rather than waiting to act until an incident occurs.

AWS S3 Buckets at Risk of "GhostWriter" MiTM Attack
“The exposure of sensitive data via misconfigured AWS S3 buckets has been regular over the last few years. In two months this summer, researchers discovered thousands of potentially sensitive files belonging to the U.S. National Geospatial-Intelligence Agency (NGA); information on millions of Verizon customers; and a database containing details of 198 million American voters.” Read More

The Internet Sees Nearly 30,000 Distinct DoS Attacks Each Day: Study
“The incidence of denial-of-service (DoS) attacks has consistently grown over the last few years, steadily becoming one of the biggest threats to Internet stability and reliability. Over the last year or so, the emergence of IoT-based botnets -- such as Mirai and more recently Reaper, with as yet unknown total capacity -- has left security researchers wondering whether a distributed denial-of-service (DDoS) attack could soon take down the entire internet.” Read More

Global CISOs Unprepared for Evolving Threats
“Drawing on insights from 184 global CISOs, the report noted that today’s IT security strategies and tactics are shifting away from a focus on strong perimeters to smart data, networks, devices and applications.” Read More

Majority of US Companies' DDoS Defenses Breached
“Survey finds 69% of companies' distributed denial-of-service attack defenses were breached in the past year - despite confidence in their mitigation technologies.” Read More

4 Proactive Steps to Avoid Being the Next Data Breach Victim
“Despite highly publicized data breaches, most companies are not taking the necessary actions to prevent them.” Read More

IoT devices are an enterprise security time bomb
“The Internet of Things (IoT) is causing serious security concerns for enterprises worldwide with few companies capable of securing them as they are unable to identify devices properly, according to new research.” Read More

Amazon Adds New Encryption, Security Features to S3
“Amazon announced this week that it has added five new security and encryption features to its Simple Storage Service (S3), including one that alerts users of publicly accessible buckets.” Read More

'Goldilocks' Legislation Aims to Clean up IoT Security
“Cybercrime in general — and most recently, crime perpetrated using IoT devices — has become a serious problem. Legislatures around the world have struggled to write laws to rein things in. The problem has been that governments have issued cybersecurity laws that are either too burdensome or ineffective.” Read More

Forrester: Expect POS Ransomware Outages in 2018
“Cyber-criminals will up their game in 2018 to drive profits, targeting IoT systems and installing ransomware on mission critical POS systems, according to Forrester Research.” Read More

BankBot Android malware sneaks into the Google Play Store - for the third time
“BankBot first appeared in the official Android marketplace in April this year, was removed, and then was discovered to have returned in September before being removed again. Now BankBot has appeared in the Google Play store yet again, having somehow bypassed the application vetting and security protocols for a third time.” Read More

Google: Our hunt for hackers reveals phishing is far deadlier than data breaches
“Google has released the results of a year-long investigation into Gmail account hijacking, which finds that phishing is far riskier for users than data breaches, because of the additional information phishers collect.” Read More

The growing importance of network security for retail brand protection
“Information technology is playing an ever-increasing role in the retail sector, and having effective security in place has never been more important when it comes to brand protection. Security incidents can have a big hit on a retailer's reputation, causing customers to reduce their spend or shift allegiance to a competitor.” Read More

How better data governance can help banks keep pace with the rising tide of regulations
“Like their counterparts around the world, Australian banks have to operate in a rapidly evolving regulatory environment. Shifting APRA restrictions on lending and looming mandatory data breach notification requirements mean they must constantly review their activities to ensure compliance.” Read More

Brinqa @ Cyber Security Summit, Boston
Brinqa was a platinum sponsor at this week’s Cyber Security Summit event in Boston, MA and we had a great time at the conference. Read our recap of the event below. Read More

Brinqa Threat & Vulnerability Management: Connectors
Regardless of the scope of Vulnerability Management programs, the ability to connect all relevant systems efficiently and seamlessly is a distinct competitive advantage. This article describes core data integration competencies that security architects and program managers must address when designing their vulnerability management and cyber risk programs. Read More
Brinqa was a platinum sponsor at this week's Cyber Security Summit event in Boston, MA and we had a great time at the conference. It even looks like we brought a little bit of the cold weather back home with us to Austin, TX.

Brinqa Director of Products, Syed Abdur, presented a session discussing how Brinqa customers are creating the next generation of cyber security programs - starting with effective vulnerability management and expanding the scope to bring in additional sources of security data. It was well received and we had several great follow-up conversations at our booth with attendees.

Shout out to Cyber Summit USA for a great event! The Brinqa team had a great time at the event and we can't wait for next year!
This week’s InfoSec news highlighted the importance of risk management in an ever-changing and fast-paced cyber security environment. Hilton found themselves in trouble over a data breach that cost them $700,000. Read on for more news and information on risk from this week.

How to focus C-Suite Attention on the Issue of Cybersecurity
"With large-scale cyber attacks becoming increasingly common, having an effective defence strategy in place has never been more important. A big challenge, however, is ensuring senior management fully understands the issue." Read More

Oracle Fixes "Default Account" Issue Rated 10 Out of 10 on Severity Scale
“Oracle has released patches for a security issue affecting the Oracle Identity Manager that has received a rare 10 out of 10 score on the CVSSv3 bug severity scale. The giant software maker has remained tight-lipped about the issue and has not released any type of meaningful explanation in an attempt to delay the start of attacks trying to exploit this flaw as long as possible, giving customers more time to patch.” Read More

Hilton agrees to $700,000 settlement over data breaches
"On Tuesday, Attorney General Eric Schneiderman said that the Hilton Domestic Operating Company, formerly known as Hilton Worldwide, will pay $700,000 in recompense for failing in its duty -- not simply by having poor security in the first place which allowed the data breaches to occur, but for then leaving customers in the dark." Read More

Measuring cyber resilience – a rising tide raises all ships
“I admit it … I am one of the 143,000,000 people afflicted by the Equifax breach. For those of us who reside in the U.S., that number approaches 60% of all adults, based on recent numbers from the U.S. Census Bureau. Perhaps most unsettling is that failing to perform something as routine as a timely patch produced an event so catastrophic that it cost the CISO, CIO and CEO their jobs.” Read More

WannaCry, Cerber most used ransomware types, hospitals most hit sector, report
“WannaCry and Cerber have totally dominated the ransomware landscape so far this year comprising almost all the attacks that have taken place, while other big names such as Locky were barely a blip on the radar.” Read More

Cisco patches 16 vulnerabilities to kick off November
"Cisco Systems on Wednesday issued patches and corresponding security alerts for 16 different product vulnerabilities, half of which are considered high impact in nature." Read More

Another misconfigured Amazon S3 server leaks data of 50,000 Australian employees
“Another misconfigured Amazon server has resulted in the exposure of personal data - this time on 50,000 Australian employees that were left unsecure by a third-party contractor.” Read More

Just one day after its release, iOS 11.1 hacked by security researchers
“News of the exploits came from Trend Micro's Mobile Pwn2Own contest in Tokyo, where security researchers found two vulnerabilities in Safari, the mobile operating system's browser.” Read More

Silence Please: New Carbanak-Like Group Attacks Banks
“Researchers have uncovered a new advanced threat group which has targeted at least 10 financial institutions globally using tools and techniques similar to the notorious Carbanak group.” Read More

Cisco Patches Serious DoS, Injection Flaws in Several Products
"Cisco Systems on Wednesday issued patches and corresponding security alerts for 16 different product vulnerabilities, half of which are considered high impact in nature." Read More

Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques
“Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium's log-in page (Gmail, Facebook, Office 365, targeted banks, etc), and a pre-written php script to steal the credentials -- both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing.” Read More

Shadow IT Growth Introducing Huge Compliance Risks: Report
"Shadow IT continues to grow, while senior management remains in denial. The average enterprise now uses 1,232 cloud apps (up 33% from the second half of last year), while CIOs still believe their organizations use between just 30 and 40 cloud apps and services. Within this cloud, 20% of all stored data is at risk from being 'broadly shared'." Read More

Hacker holds university for ransom, threatens to dump student info
“A hacker is trying to extort a Canadian university, threatening to dump student information unless university top brass pay 30,000 CAD (23,000 USD).” Read More

Cybersecurity Pros Can't Keep Pace with Threat Landscape
"Most (54%) cybersecurity professionals believe the threat landscape is evolving faster than they can respond, with a lack of preparation and strategic thinking endemic, according to RedSeal." Read More

Brinqa @ Cyber Security Summit Boston
Brinqa is a platinum sponsor at the upcoming Cyber Security Summit Boston on November 8, 2017. We will be available at booth #27, #28 for product demos and discussions around cyber risk management. Syed Abdur, Director of Product Management, will be hosting a session on “Building a Comprehensive Cyber Risk Program through Effective Vulnerability Management”. If you’re a C-Level exec in the Boston area, contact us at info@brinqa.wpengine.com for complimentary access to the event.
Brinqa is a platinum sponsor at the upcoming Cyber Security Summit Boston on November 8, 2017. Make sure to stop by booth #27, #28 where we will be available for product demos and discussions around cyber risk management.

Syed Abdur, Director of Product Management, will be hosting a session on “Building a Comprehensive Cyber Risk Program through Effective Vulnerability Management”. In this session, we’re going to discuss how Brinqa customers are creating a new breed of cyber risk intelligence programs by making vulnerability management a central focus of their efforts.

See y'all in Boston next week!

PS: If you’re a C-Level exec in the Boston area, contact us at info@brinqa.wpengine.com for complimentary access to the event.
It was a busy week in InfoSec with KRACK, DUHK, Reaper, Whole Foods and more. Read on for a round-up of the most interesting InfoSec news this week.

The Week in Crypto: Bad News for SSH, WPA2, RSA & Privacy
“Between KRACK, ROCA, new threats to SSH keys, and the European Commission's loosey-goosey stance on encryption backdoors, it's been a difficult time for cryptography.” Read More

Hackers are attacking power companies, stealing critical data: Here's how they are doing it
“Hackers are continuing to attempt to gain access to the networks of nuclear power companies and others involved with critical national infrastructure, raising concerns about cyber-espionage and sabotage.” Read More

Nearly 100 Whole Foods Locations Affected by Card Breach
“Amazon-owned Whole Foods Market informed customers last week that a recent hacker attack aimed at its payment systems affected nearly 100 locations across the United States.” Read More

After quietly infecting a million devices, Reaper botnet set to be worse than Mirai
“A little over a month ago, a sizable botnet of infected Internet of Things devices began appearing on the radar of security researchers. Now, just weeks later, it's on track to become one of the largest botnets recorded in recent years.” Read More

DUHK Crypto Attack Recovers Encryption Keys, Exposes VPN Connections, More
“After last week we had the KRACK and ROCA cryptographic attacks, this week has gotten off to a similarly "great" start with the publication of a new crypto attack known as DUHK (Don't Use Hard-coded Keys).” Read More

Thirty Percent of CEO Email Accounts Exposed in Breaches: Study
“Thirty percent of CEOs from the world's largest organizations have had their company email address and password stolen from a breached service. Given the continuing tendency for users to employ simple passwords and reuse the same passwords across multiple accounts, the implication is that at least some of these CEOs are at risk of losing their email accounts to cyber criminals or foreign nation state hacking groups.” Read More

New Locky Ransomware Strain Emerges
"The latest Locky strain, which began appearing on Oct. 11 and goes by the .asasin extension, is collecting information on users' computers such as the operating system used, IP address, and other such information, says Brendan Griffin, PhishMe threat intelligence manager." Read More

Why Patching Software Is Hard: Organizational Challenges
“The Equifax breach shows how large companies can stumble when it comes to patching. Organizational problems can prevent best practices from being enforced. In instances like the Equifax breach, it's understandable to try to assign blame, but the reality is there are many organizational challenges preventing best practices. To solve the problem and not just point fingers, companies should look at the teams and individuals involved with patching and identify potential blockers.” Read More

Bad Rabbit: Ten things you need to know about the latest ransomware outbreak
“A new ransomware campaign has hit a number of high profile targets in Russia and Eastern Europe. Dubbed Bad Rabbit, the ransomware first started infecting systems on Tuesday 24 October, and the way in which organisations appear to have been hit simultaneously immediately drew comparisons to this year's WannaCry and Petya epidemics.” Read More

Cybersecurity and the CFO: Risk, Responsibility and Resilience
“You’re the CFO. Your company’s capital structure, the current sentiment of your stakeholders and constantly-evolving economic modeling are all things for you to worry about. You likely know what keeps your fellow executives up at night as well. But what about your organization’s cybersecurity team?” Read More

3 Steps to reduce risk in your supply chain
“Many companies have very limited visibility into their vendors' security posture -- and some may have thousands of vendors. Here are steps that every company should take to lock down their supply chains.” Read More

Industrial Products Also Vulnerable to KRACK Wi-Fi Attack
“Some industrial networking devices are also vulnerable to the recently disclosed KRACK Wi-Fi attack, including products from Cisco, Rockwell Automation and Sierra Wireless.” Read More

Brinqa QSC17 Session
At the Qualys Security Conference in Las Vegas last week, Brinqa Director of Products, Syed Abdur, presented a session on how Brinqa customers start their cyber risk efforts by addressing Vulnerability Management effectively, and then, by working through critical questions of vulnerability risk and enhancing their programs, end up with programs that deliver a much more comprehensive perspective on cyber risk than was originally anticipated. See a recording of the session here: https://youtu.be/dvv_WZFbuvM
The Brinqa team was at the Qualys Security Conference in Las Vegas this past week. It was great spending time with some of our customers and connecting with the extended Qualys community.

Brinqa Director of Products, Syed Abdur, presented a session discussing how Brinqa customers are creating the next generation of cyber security programs by starting with effective vulnerability management and expanding the scope to bring in additional sources of security data.

[Photo: Syed Abdur speaking at the Brinqa session]

What was the buzz during the show? #QSC17
https://twitter.com/malik22/status/921067541715337218
https://twitter.com/worldnetcindy/status/921053347796234240
https://twitter.com/ChrisGoettl/status/920684004767969281

Our Passport to Prizes winner picked up a pair of Bose noise cancelling headphones from Brinqa President, Hilda Perez.

Shout out to Qualys for having us at the event and the complimentary tickets to a great Cirque du Soleil show. The Brinqa team had a great time at the event and we can't wait for next year!
Welcome to a weekly round-up of the most relevant and interesting happenings and events at Brinqa and from across the Information Security industry.

WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping
“A security protocol at the heart of most modern Wi-Fi devices, including computers, phones, and routers, has been broken, putting almost every wireless-enabled device at risk of attack.” Read More

Users Report Fraudulent Transactions After Pizza Hut Admits Card Breach
"Pizza Hut has suffered a data breach, and a hacker has stolen payment card details for a small number of clients, the company admitted on Saturday in an email sent to affected customers." Read More

Adobe Patches Zero Day Vulnerability Used to Plant Government Spying Software
“On Monday, researchers from Kaspersky Lab revealed the new, previously unknown vulnerability, which has been actively used in the wild by advanced persistent threat (APT) group BlackOasis. In a security advisory, Adobe said Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, Adobe Flash Player for Microsoft Edge, and Internet Explorer 11 are affected by the vulnerability.” Read More

Microsoft kept quiet about 2013 bug
"A cyber-attack by a notorious hacking group back in 2013 compromised highly sensitive information on unfixed Microsoft vulnerabilities, data which could have been used to devastating effect, it has emerged. Microsoft’s statement at the time downplayed the seriousness of the attack." Read More

Oracle swats 252 bugs in patch update
"On Tuesday, Oracle's security advisory said the latest Critical Patch Update (CPU) addresses a total of 252 security fixes for hundreds of products. Oracle Fusion Middleware, Oracle Hospitality, Oracle MySQL, and PeopleSoft have received the most fixes in the latest update." Read More

Report: 88% of Java Apps Vulnerable to Attacks from Known Security Defects
"A new report from CA Veracode has exposed the pervasive risks companies face from vulnerable open source components. In its 2017 State of Software Security Report the firm reviewed application security testing data from scans of its base of 1400 customers, discovering that 88% of Java applications contain at least one vulnerable component, making them susceptible to widespread attacks." Read More

New Locky Ransomware Strain Emerges
"The latest Locky strain, which began appearing on Oct. 11 and goes by the .asasin extension, is collecting information on users' computers such as the operating system used, IP address, and other such information, says Brendan Griffin, PhishMe threat intelligence manager." Read More

Domino’s Australia Blames Former Supplier for Info Leak
"The firm explained that the information potentially leaked by this third party did not include financial information but most likely did feature: Domino’s store name, customer order name and customer email address." Read More

The US Offers Black Hats Zero-Day Opportunities with Lagging CVE Reporting
"When it comes to software vulnerability (CVE) disclosure, the US lags China when it comes to turnaround time. Recorded Future, which had previously uncovered unexpectedly large gaps between public disclosure of a vulnerability and its inclusion in the US National Vulnerability Database (NVD), found that on any given day, there’s more current information about software vulnerabilities on China’s National Vulnerability Database (CNNVD) than on NVD." Read More

Cisco warns 69 products impacted by KRACK
"Cisco said Wednesday that multiple Cisco wireless products are vulnerable to the recently identified Key Reinstallation Attacks (KRACK). On Monday, researchers revealed how the KRACK vulnerabilities plagued the WPA2 protocol used to secure all modern Wi-Fi networks. In their report, researchers demonstrated how the KRACK vulnerabilities can be abused to decrypt traffic from enterprise and consumer networks with varying degrees of difficulty." Read More

Brinqa @ Qualys Security Conference 2017
Brinqa attended the Qualys Security Conference in Vegas this week. Part of the conference focused on moving away from the mentality of cybersecurity as an afterthought, which aligns perfectly with Brinqa’s risk-centric approach to security. The Brinqa team hosted a session and connected with many members of the Qualys community. Building a comprehensive risk and vulnerability management program is an important aspect of cyber risk management programs and we appreciate Qualys' efforts and advancements in this field.
Welcome to a weekly round-up of the most relevant and interesting happenings and events from across the Information Security industry. High-profile breaches, interesting studies, Patch Tuesday announcements and more!

More Businesses Accidentally Exposing Cloud Services
“53% of businesses using cloud storage services unintentionally expose them to the public. More than half of organizations using cloud services like Amazon Simple Storage Service (S3) have inadvertently exposed at least one of these services to the public, up from 40% earlier this year.” Read More

Research Reports Stolen in Forrester Website Hack
“Forrester, one of the world’s most influential market research and advisory firms, informed customers late on Friday that its main website had been breached.” Read More

Microsoft Office 0-day headlines Patch Tuesday, update now!
“The second Tuesday of the month means it’s Microsoft’s formerly-known-as Patch Tuesday, currently-known-as Security Update Tuesday, and this month’s update patches 61 vulnerabilities in all, with 23 rated as Critical and 35 as Important. We always urge that you apply patches as soon as possible, but if that’s not convincing enough, read the details below of what’s out there in the wild.” Read More

Ransomware Sales on the Dark Web Spike 2,502% in 2017
“Ransomware is a $6.2 million industry, based on sales generated from a network of more than 6,300 Dark Web marketplaces that sell over 45,000 products, according to a report released Wednesday by Carbon Black.” Read More

Hacked Equifax Website Redirects Users to Adware, Scams
“A security researcher noticed recently that an Equifax service designed for obtaining free and discounted credit reports had been redirecting users to websites set up to serve adware and scams.” Read More

Flaws in SmartVista Payment Platform Expose Sensitive Data
“The SmartVista platform is used by major organizations around the world for online banking, e-commerce, ATM and card management, and fraud prevention. The core components of the SmartVista suite are the Front-End and Back-Office systems.” Read More

Data Sample in Equifax Hack Scam Possibly From Third-Party Servers
“A data sample provided last month by scammers trying to make a profit by claiming to have breached U.S. credit reporting agency Equifax may have been obtained from unprotected Amazon Web Services (AWS) instances owned by a different company.” Read More

Hyatt Hotels Hit by Another Card Breach
"Chicago-based hotel operator Hyatt Hotels Corporation informed customers this week that their credit card information may have been stolen by cybercriminals. This is the second data breach discovered by the company within a period of two years." Read More
Brinqa is participating as a Premier Sponsor at this year’s Qualys Security Conference in Las Vegas, Nevada on October 18-19.

We will be available both days for product demos and discussions in the Exhibitor Hall, and Syed Abdur, Director of Product Management, will be conducting a Solution Session on Thursday, Oct 19th @ 10:15 AM. He will be presenting a case study on ‘Building a Comprehensive Cyber Risk Program through Effective Vulnerability Management’ which highlights how Brinqa customers are expanding the scope of traditional vulnerability management programs to create fascinating perspectives of infrastructure and application security.

Come say Hello and pick up some cool Brinqa gear!

Date: October 18-19
Location: Bellagio Hotel, Las Vegas, Nevada
The Brinqa team will be at the Cyber Security Summit in New York on September 15. Visit booth #55 to see the latest advancements in the Brinqa Risk Platform - the engine driving the cutting edge of Vulnerability Management and Application Security programs. Talk to Brinqa experts to see how you can implement advanced use cases for your InfoSec programs — comprehensive inventory and representation of technology assets, vulnerability prioritization based on business context and threat intel, automated creation and publishing of tickets to ITSM systems, advanced metrics and dashboards.

We look forward to meeting local InfoSec executives and having some great conversations about Cyber Risk Management and its ability to transform how organizations view and manage their cyber security programs.
The Brinqa team will be at the Google Cloud Next conference in San Francisco. Like you, we are excited to see the latest and greatest innovations to this amazing platform.

As enterprises continue to expand their cloud infrastructure, cybersecurity and risk management become crucial criteria for adoption. Come talk to us to learn how one of the most sophisticated risk analytics platforms can help you address critical security concerns on your path to cloud success.

Brinqa brings cloud-scale cyber security risk management to the Google Cloud Platform. With Brinqa, customers get comprehensive visibility into their cloud and data center resources, along with the ability to measure and manage risk across key security controls like comprehensive asset inventory, vulnerability management, policy compliance, and privileged access monitoring.

Soon to be available for deployment directly from the Google Cloud Launcher, Brinqa Risk Platform analyzes data from native GCP APIs and seamlessly integrates results from the best security monitoring and assessment services across the Google Cloud ecosystem — giving you complete visibility, insight and command over crucial cybersecurity disciplines.

We look forward to meeting you at Next!
Join Brinqa and BitSight for cool drinks, delicious food and the smartest minds in cybersecurity

In less than a month, the world’s largest collection of CISOs, InfoSec practitioners and vendors will converge in San Francisco to discuss the biggest trends and topics on cybersecurity. Join us at the trendy Chronicle Books right around the corner from Moscone Center (3 min. walk) to kick off your RSA week in style. Hobnob with thought leaders from the world’s most disruptive cybersecurity companies, InfoSec organizations and journalists as you enjoy the open bar. Space is limited so be sure to RSVP and reserve a spot now! We look forward to seeing you there!

Where: Chronicle Books, 165 4th Street, San Francisco, CA 94103
When: Monday, February 13th, 7:00 – 9:00 pm
We will be at the Data Connectors San Francisco Tech Security Conference 2016 on December 8 in San Francisco, CA. Visit our booth to see the ground-breaking Brinqa Risk Platform and our security analytics applications. The Risk Platform includes connectors to 100's of security systems, delivering unprecedented visibility and insight into your security data. We are giving away a Kindle Fire reader, so make sure to stop by the booth.

Click on the following link to register for your VIP pass: http://sanfranciscotechsecurity2016.eventbrite.com/?aff=sp

VIP passes include Breakfast, Lunch, Conference materials and Entrance into conference sessions and exhibit areas. This conference qualifies for CPE credits and Certificates of Attendance. Gift Cards, iPads, Kindles and many other door prizes and giveaways. Featuring (11) IT Security speakers and over 30 exhibits!

See an example of a Security Analytics application built on the Brinqa Risk Platform here. For the full conference agenda click on: http://www.dataconnectors.com/event/san-francisco-thursday-12-08-2016/
With the latest release of Brinqa Risk Platform, we have made it a lot easier for end-users to create powerful metrics and reports on their own. Good reporting can transform the effectiveness and efficiency of risk and security programs — by increasing visibility, encouraging accountability and improving communication. While Brinqa applications come pre-configured with a library of metrics and reports, providing end-users the ability to define their own metrics and reports enables them to fully exploit the analytics capabilities of the platform and create reports that speak to their distinct environment and ecosystem.

Some highlights of the latest iteration of Brinqa Risk Analytics:

Dynamic Layouts: Complete control over component alignment and report structures.
Drag & Drop: Move components around with ease.
Report Inputs: Report-level filters that can be dynamically generated and applied over the entire report data-set.
Traversable Relationships: Create cross-domain metrics by traversing the relationship graph indefinitely.
Selective Metrics: Create metrics for a targeted subset of application data.
Easy Transformations: Date-time transformations, grouping and aggregation.
Eminently Styleable: Complete control over colors, labels and representations.
Inherently Actionable: Drill-down at the flick of an option.
Interactive: Share with other stakeholders, provide feedback, collaborate.

Watch Self-Service Metrics and Reports with Brinqa Risk Analytics for a video detailing how you can create a report from scratch.

A quick GIF snapshot of the report creation process

Contact us to see how you can create powerful reports for your security programs with Brinqa.
We will be at the Data Connectors Austin Tech Security Conference 2016 on November 9 in Austin, TX. Visit our booth to see the ground-breaking Brinqa Risk Platform and our security analytics applications. The Risk Platform includes connectors to 100's of security systems, delivering unprecedented visibility and insight into your security data.

Click on the following link to register for your free VIP pass: http://austintechsecurity2016.eventbrite.com/?aff=sp

VIP passes include Breakfast, Lunch, Conference materials and Entrance into conference sessions and exhibit areas. This conference qualifies for CPE credits and Certificates of Attendance. Gift Cards, iPads, Kindles and many other door prizes and giveaways. Featuring (11) IT Security speakers and over 30 exhibits!

For the full conference agenda click on: http://www.dataconnectors.com/event/austin-wednesday-11-09-2016/
In Part 1 of this blog series, we talked about why Vulnerability Management should be an integral part of all InfoSec programs and tried to define the scope for this discussion. In Part 2 of the Vulnerability Management Primer blog series we are going to talk about the common challenges that prevent organizations from being effective in achieving their vulnerability management goals.

Data Overload

Most organizations manage, monitor and scan tens of thousands of assets. Often these assets are owned and maintained by different teams, each with their own sets of tools and processes. With the exponential growth of non-traditional enterprise boundaries - cloud infrastructure, other virtual environments, mobile devices, IoT - existing lines of ownership and responsibility are constantly being blurred and redrawn. The vulnerability monitoring industry has done a great job of keeping up and extending coverage to accommodate the new normal, but to ensure coverage InfoSec teams invariably end up using more than one analysis method and tool. The reasons for doing so may be strategic - passive and active network scanning afford different opportunities for monitoring. In some cases it is simply necessary - SAST and DAST tools may have overlaps in results, but they serve different purposes. Whatever the reasons, it is reasonable to expect that in such highly diverse environments the vulnerability data you are going to have to process and analyze is going to be increasingly heterogeneous. The better you do at ensuring complete monitoring coverage for your infrastructure, the more prepared you must be to analyze, parse and make decisions at the speed that vulnerabilities are being reported.

Changing Attack Landscape

The problem of analyzing very large volumes of highly diverse data is compounded by the fact that there is a lot of invaluable metadata associated with these vulnerabilities that is constantly changing.
If a new toolkit is released that exploits a particular vulnerability to create a successful breach, should that have an impact on your priority for remediating that particular vulnerability? The answer to this question for most organizations would be YES; however, very few programs factor this information into their vulnerability prioritization models. While vulnerability scanners are constantly improving to provide more threat metadata, this pales in comparison to the intelligence that is available from other, more dedicated sources.

Zero-day vulnerabilities provide another stark example of this. A zero-day vulnerability refers to a hole in software that is unknown to the vendor. These provide ripe opportunities for hackers to effect compromises before vendors, scanners and the host organization catch on. In 2014, a record 24 zero-day vulnerabilities were reported. The fallout from the most significant of these - POODLE, Shellshock, Heartbleed - highlighted some dire facts:

These vulnerabilities were successfully exploited within hours of disclosure, which tells us that potential hackers are well equipped and highly coordinated.
The nature of these vulnerabilities (Shellshock exploited a design flaw that went unnoticed for 25 years) tells us that attackers are evolving their methods and tactics. They are investing in vulnerability research to target areas and products that might not be a focus for traditional vulnerability management programs.
The top 5 zero-day vulnerabilities of 2014 combined left organizations exposed for a total of 295 days, which tells us that vendors are not responding at the speed required to deal with emerging threats.

Lack of Business Context

Security intelligence systems provide real-time, real-world context for vulnerabilities. Just as this external context is invaluable for remediation prioritization, an understanding of how a vulnerability impacts your particular organization can provide tangible benefits to remediation effectiveness.
In an ideal world InfoSec teams would have the resources necessary to fix all critical vulnerabilities. In reality, this is hardly ever the case. InfoSec teams have to perform a balancing act of fixing critical vulnerabilities across the entire infrastructure, and keeping critical infrastructure as vulnerability-free as possible. If you are an investment bank, is a Severity 5 vulnerability on Box 1 (delivering your cafeteria menus) the same as a Severity 5 vulnerability on Box 2 (running your trading applications)? What about a Severity 4 vulnerability on Box 2? The answer may depend on whether these network devices are on segregated network segments or whether they are interconnected. But regardless of the actual configuration, we need this information to make an informed decision. Business context provides a powerful dimension, not only for remediation prioritization but also to demonstrate that remediation efforts are being undertaken with a clear understanding of cost and impact.

Unintelligent Prioritization

Threat intelligence and business context can significantly improve remediation efforts by highlighting vulnerabilities that are most at risk of being exploited as well as those that can have the biggest impact on the organization. In spite of this, most organizations leverage basic criteria like vulnerability severity or CVSS score as the primary dimension for vulnerability prioritization. This is often due to the effort required to aggregate, consolidate and collate data from multiple sources to build a prioritization model that takes all these factors into account. Manually consolidating and analyzing threat intel and business context is an option, but one that is hardly repeatable or consistent.
Despite the effort and cost associated, organizations that can find the right tools or resources to build a prioritization model that not only factors in default classifications like CVSS, but also leverages threat intelligence and business context, can expect a significant improvement in program effectiveness.

Manual Processes

Most vulnerability management programs employ manual processes in several stages of the remediation cycle. Analyzing vulnerabilities, collating threat intel, creating tickets, assigning ownership, setting SLAs - these are often done manually. In addition to being inefficient, manual processes are also detrimental to the crucial goals of maintaining consistency and developing repeatable processes.

Gap to Remediation

A survey of vulnerability management programs reported that it often takes hundreds of days for vulnerabilities to be targeted for remediation. This statistic does not reflect the actual amount of time it takes to remediate a vulnerability, simply the time before vulnerabilities are assigned to a ticket/owner for remediation. This is surely a consequence of the challenges we have discussed above, but on its own it represents a big challenge that vulnerability management programs face. To keep the organization safe, InfoSec teams must be able to react quickly and directly to any emerging threats. They must address all of the challenges above with the goal that they can identify critical vulnerabilities quickly and accurately and target them for remediation. This means streamlining all the processes involved in identification, contextualization, analysis, and remediation of vulnerabilities.

In the next post in the series we are going to discuss the crucial components that all vulnerability management programs must have in place to address these challenges effectively.

Read more about Brinqa Threat and Vulnerability Management here.
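The prioritization the post argues for, combining a scanner's CVSS score with exploit intelligence and asset business context, as an added Python example (this is not Brinqa's code or model): the assets, findings, threat-intel feed and vulnerability identifiers are constructed sample data mirroring the Box 1 / Box 2 investment-bank scenario above, and the weights and SLA tiers are assumptions for illustration. It also shows the "Gap to Remediation" check from the same post: findings that have sat without an owner past their SLA.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data, not real assets or findings.
@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (cafeteria menus) .. 5 (trading); assumed to come from a CMDB
    internet_exposed: bool    # assumed to come from network segmentation data

@dataclass(frozen=True)
class Finding:
    id: str
    asset: Asset
    vuln: str                 # constructed identifier standing in for a CVE id
    cvss: float               # scanner-reported base score
    first_seen: date
    owner: Optional[str] = None   # None = not yet assigned to a ticket/owner

# Constructed threat-intel feed: vulnerability -> highest observed exploit maturity.
THREAT_INTEL = {
    "VULN-0003": "active",      # exploited in the wild
    "VULN-0004": "weaponized",  # shipped in a public toolkit
}

# Assumed weights: likelihood grows with exploit maturity; impact scales with how
# critical the asset is to the business and whether it is reachable from outside.
LIKELIHOOD = {"none": 1.0, "poc": 1.5, "weaponized": 2.0, "active": 3.0}

def risk_score(f: Finding, intel: dict) -> float:
    likelihood = LIKELIHOOD[intel.get(f.vuln, "none")]
    impact = f.asset.criticality / 5.0
    exposure = 1.25 if f.asset.internet_exposed else 1.0
    return round(f.cvss * likelihood * impact * exposure, 2)

def cvss_only(findings):
    """What most programs do: severity alone. Box 1 and Box 2 tie at the top."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)

def prioritize(findings, intel):
    """Context-aware order: the actively exploited Severity 4 on the trading box comes first."""
    return sorted(findings, key=lambda f: risk_score(f, intel), reverse=True)

def sla_days(score: float) -> int:
    """Assumed remediation SLA tiers keyed off the risk score."""
    if score >= 20:
        return 7
    if score >= 10:
        return 30
    return 90

def unassigned_past_sla(findings, intel, today: date):
    """Gap to remediation: findings with no owner that have already exceeded their SLA."""
    return [f.id for f in findings
            if f.owner is None
            and (today - f.first_seen).days > sla_days(risk_score(f, intel))]

BOX1 = Asset("box1-cafeteria-menu", criticality=1, internet_exposed=False)
BOX2 = Asset("box2-trading-app", criticality=5, internet_exposed=False)
BOX3 = Asset("box3-customer-portal", criticality=4, internet_exposed=True)

FINDINGS = [
    Finding("F1", BOX1, "VULN-0001", 9.8, date(2016, 9, 1)),             # Severity 5, no known exploit
    Finding("F2", BOX2, "VULN-0002", 9.8, date(2016, 9, 1), owner="ops"),  # Severity 5, already ticketed
    Finding("F3", BOX2, "VULN-0003", 7.5, date(2016, 9, 20)),            # Severity 4, actively exploited
    Finding("F4", BOX3, "VULN-0004", 6.5, date(2016, 8, 1)),             # weaponized, internet facing
]
AS_OF = date(2016, 10, 1)   # constructed "today" for the SLA check

if __name__ == "__main__":
    print("CVSS only:   ", [f.id for f in cvss_only(FINDINGS)])
    print("With context:", [(f.id, risk_score(f, THREAT_INTEL)) for f in prioritize(FINDINGS, THREAT_INTEL)])
    print("Unowned and past SLA:", unassigned_past_sla(FINDINGS, THREAT_INTEL, AS_OF))
```

The CVSS-only view cannot separate the cafeteria box from the trading box, and puts the exploited Severity 4 third; the context-aware score reverses that, and the SLA check surfaces the two findings that have been waiting for an owner longer than their tier allows, which is the kind of rule a ticketing integration would apply automatically instead of by hand.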
Vulnerability Management (VM) is consistently ranked among the top priorities for most information security organizations today. It is no longer an optional initiative for InfoSec departments, with security compliance reviews and audits explicitly calling for vulnerability management as a necessary component of enterprise security. SANS lists 'Vulnerability Assessment and Remediation’ as #4 in its list of Top 20 Critical Security Controls, with the NSA assigning it a criticality ranking of ‘Very High’. While these are great reasons to get buy-in from executives, the true goals of a vulnerability management program must be more strategic to have any real impact on enterprise security. Vulnerability management programs must go beyond an audit checkbox and become a real weapon in your InfoSec toolkit for combating intruders and attackers.

In a series of Vulnerability Management Primer posts we are going to attempt to first outline and then detail the crucial aspects that enterprises MUST address to achieve this. Before we get into details about components and functions, let’s first attempt the impossible task of defining the scope for vulnerability management programs. When talking about vulnerability management it’s not uncommon to hear some wide-ranging questions:

Are you not just talking about a network vulnerability scanner?
Shouldn’t it include everything that is on my network?
When it comes to Vulnerability Management, is there a difference between a workstation, a laptop, a phone, a printer and a wifi-enabled coffee machine?
What about my Web Application Scanners or DAST tools?
What about my SAST tools?
What about my Penetration Test program?
Where does configuration or firewall management fit in all of this?

In reality, the answers to these questions vary based on factors like program maturity, scale, organization etc.
Unfortunately, organizations often take a tool-centric (rather than goal-centric) view to structuring InfoSec, resulting in several distinct programs, disconnected or barely connected, working towards the same goal but not working together. It is fairly common that vulnerability management refers only to the detection and management of weaknesses that can be exploited by threats to your network assets. This is especially true for smaller organizations or programs that are in early stages of maturity. In its most regressive state, this devolves to just a network scanning tool and manual processes built around it.

Increasingly though, organizations are incorporating additional sources of information and building processes that successfully factor these in. These could be threat intel feeds, vendor bulletins, CMDB systems, HR systems, network traffic/segmentation, or anything else that provides better context to, or additional information about, the data being analyzed. Some mature organizations are also combining their network and application security initiatives with the knowledge that, in a lot of cases, the effort to build context and collect intelligence can be successfully applied to security data coming from both of these distinct sets of tools. And then there are organizations that take this one step further and implement security orchestration to build automated response and remediation capabilities into their programs.

For the most part, we are going to stay away from discussions that are only relevant to a particular segment of the wide range of scope discussed above. Successful programs are built around goals and strategies (as opposed to around specific tools) and that is the discussion we want to have here. Whether you are analyzing network or application vulnerabilities, there is tremendous benefit to be had from incorporating other relevant sources of information.
Whether you are doing remediation manually or through automated orchestration, you need to be able to define and implement strategies to be successful. In the next blog in the series we will discuss the key challenges vulnerability management programs must pay attention to. No matter where you land on the scope questions above, you need a strategy for addressing these.

Read more about Brinqa Threat & Vulnerability Management here.
We will be at the 2016 Qualys Security Conference on October 12, 13 in Las Vegas. Visit our booth to see the latest iteration of the Brinqa Risk Platform in action as we present our most comprehensive and advanced vulnerability management solution ever. Talk to Brinqa experts to see how you can implement advanced use cases for your vulnerability management program — develop an extensive asset repository, combine results from multiple scanners, publish tickets to multiple external systems, and develop advanced metrics and dashboards with the new and improved Brinqa 'Views'. With Brinqa, you can leverage powerful risk models and graph analytics to proactively identify and address threats to your organization. See the latest in Vulnerability Management, Application Security Risk, IT Risk Management and Security Operations technology.

Registration is free! Sign up HERE.
"Austin-based Brinqa has confidently managed to carve out a slice of the security analytics sector, thanks to their flagship product – the Brinqa Risk Platform" writes Javvad Malik for Fourth Wall Research. A renowned security analyst and co-founder of Security B-Sides London, Malik notes "The Brinqa Risk Platform shows a lot of promise. As the company and the product goes from strength-to-strength, you can guarantee their profile will grow in the increasingly competitive security monitoring market. The biggest strength of the platform is the emphasis it places on business risk intelligence. Vulnerabilities and threats are related to organizational and business risks, and are presented in a way that’s clear and understandable to both technical and non-technical staff."Read the full article On the Brinqa of Risk Intelligence
Join us at the 2016 Black Hat USA conference at the Mandalay Bay in Las Vegas from July 30 to Aug 2. Talk to Brinqa professionals to learn about the latest Brinqa cyber security and risk analytics solutions. Learn how you can leverage powerful risk models and graph analytics to proactively identify and address threats to your organization. See the latest in Vulnerability Management, Application Security Risk, IT Risk Management and Security Operations technology.

Black Hat is the most technical and relevant global information security event series in the world. For more than 16 years, Black Hat has provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors.
Join us at the 2016 Shared Assessments Summit at the Renaissance Baltimore Harborplace in Baltimore on May 18th and 19th. Talk to Brinqa professionals to learn how to leverage Brinqa Risk Management solutions to get unparalleled visibility and insights into your risk posture.

The Shared Assessments Annual Summit brings together the leading experts in risk management to identify the latest trends and to share best practices and insights about effective third party risk management strategies. Learn to evaluate the effectiveness of your third party risk management program. Network with your peers on the latest standards and best practices. Understand how benchmarking can improve the maturity of your program. Learn how to implement robust and efficient methodologies. Leave understanding how to effectively respond to a cyber incident and/or a data breach.
Join us at the inaugural Retail Cyber Intelligence Summit at the Hyatt Regency Hotel in Chicago on April 25th and 26th. Talk to Brinqa professionals to learn how Brinqa Risk and Cyber Security solutions are serving the greater retail and consumer services community. The Retail Cyber Intelligence Summit agenda reflects the collective priorities of the retail and consumer services community, with session topics, speakers and formats hand-picked by a Summit Steering Committee comprised of information security professionals from R-CISC member organizations.
Register for the Webinar

Vulnerability management is a top priority for most security organizations today - and for good reason. Of all the attack surfaces monitored and evaluated at most organizations, networks and associated vulnerabilities present some of the most lucrative opportunities for attackers. The spate of highly publicized Zero-Day vulnerabilities in the past couple of years has highlighted what industry professionals must have suspected for some time - that the nature of vulnerabilities being used to effect compromises is evolving, that attackers are re-focusing on vulnerability research, and that vendors are not moving nearly fast enough to plug the holes in their products (there is an excellent article by Tim Gallo called "The Vulnerability Rises" in the Symantec Internet Security Threat Report Vol 20 from April 2015 that analyzes some of these trends). However, there is a silver lining - the network and vulnerability monitoring space is well-evolved and mature, most of the products available do an excellent job of identifying and reporting vulnerabilities, and the boundaries of what can/should be scanned are consistently being pushed to reflect the increasingly fluid and ever-expanding borders of corporate infrastructure. With organizations frequently reporting millions of vulnerabilities on a daily or weekly basis, the data overload problem is very real, and the challenge now is to identify and remediate those vulnerabilities that pose the biggest and most urgent threats to an organization, while maximizing returns on remediation efforts.
To address this challenge, we must confront an ever-changing attack landscape — where new vulnerabilities are discovered daily, malware and toolkits are developed at an alarming rate, and attackers frequently change their strategies.

Jayson Jean, Director of Vulnerability and Exploit Intelligence at Verisign, and I will be discussing some of these challenges and talking about how threat intelligence and risk analysis can be incorporated into the vulnerability prioritization process to focus on the most imminent and detrimental threats in a joint webinar on March 15. We will also talk about the importance of streamlining and automating the post-prioritization processes of remediation and reporting and how this can greatly improve the efficiency of a vulnerability management program.

Register Now
Join us once again at this year's RSA Conference and get up close with our latest solutions. We will be in the North Expo Hall, booth N4327.
The integrated solution combines Brinqa VRM and SecurityScorecard Security Ratings to deliver Continuous Vendor Risk Management through Data-driven Security Ratings

Austin, TX – December 22, 2015

Brinqa, a leader in Unified Risk Management solutions, and SecurityScorecard, the standard in security ratings, today announced a joint integration to deliver the industry’s most comprehensive continuous Vendor Risk Management (VRM) Solution. The integrated solution presents a holistic perspective of vendor risk by consolidating and harmonizing internal self-assessments with continuous monitoring capabilities from Security Scorecard.

“Security Scorecard ratings deliver a unique and invaluable dimension to Vendor Risk – one that is objective, data-driven, automated and continuous. The adaptability and extensibility of the Risk Platform underlying the Brinqa VRM solution make Security Scorecard security ratings an ideal and natural complement to our solution.” Hilda Perez, President and Co-founder, Brinqa.

The New Standard in Continuous Vendor Risk Management

The integrated solution considers all aspects of a vendor’s profile and its usage within the organization. The solution combines business-driven risk classifications, contextual control assessments, continuous monitoring based on security events and diligence measures, closed loop remediation of gaps and threats, complete workflow and governance, and advanced analytics to gain insights and deliver the most complete model for vendor risk management.

The Power of Security Analytics

The extensive security data collected by Security Scorecard to evaluate its external compromise and diligence risk vectors is now accessible within the powerful Brinqa Risk Analytics Platform. Advanced diagnostics and analytics can be applied to this security data to get insights previously hidden.
The analytics module can also be used independently outside of vendor management and governance as a powerful tool for security teams to benchmark their own security program against itself, peers, and industry.

“As cloud services proliferate, companies are struggling to accurately assess, monitor and benchmark the security posture of their own enterprises. Add in the security risks introduced by third-party vendors and the challenge becomes nearly unmanageable”, observes Sam Kassoumeh, co-founder and COO of SecurityScorecard. “Brinqa’s Risk Analytics Platform offers a multi-dimensional view of the inherent risks posed by a company’s third-party ecosystem. The ability to select and focus on different aspects of risk or compliance-gaps makes it more likely that the risk and IT teams can act accordingly. We are excited to work with Brinqa to continuously update the critical vulnerability factors that contribute to the overall risk facing companies today.”

About Brinqa

Brinqa is a leading provider of unified risk management – enabling stakeholders, governance organizations, and infrastructure and security teams to effectively manage technology risk at the speed of business. Brinqa software and cloud services leverage an organization’s existing investment in systems, security, and governance programs to identify, measure, manage and monitor risk. With Brinqa, organizations are reducing response time to emerging threats, impact to business, and technology risk and compliance costs by over 50% through real-time risk analytics, automated risk assessments, prioritized remediation, actionable insights and improved communication. Founded in 2008 by industry leaders in risk management with a proven track record in delivering cutting edge, innovative and cost-effective solutions, Brinqa’s award winning software and cloud services are trusted by Fortune 500 companies across risk disciplines such as information technology risk, vendor risk, and regulatory compliance risk.
Brinqa is headquartered in Austin, Texas and has a global presence. For more information, please visit www.brinqa.wpengine.com.

About SecurityScorecard

SecurityScorecard was founded in 2013 by two former Chief Information Security Officers -- Dr. Aleksandr Yampolskiy and Sam Kassoumeh. SecurityScorecard is made up of veteran security researchers, cryptographers, data scientists, and software engineers. The company is privately held, with headquarters in New York City. Security Scorecard investors include Sequoia Capital, Evolution Equity Partners, Boldstart Ventures, and others.

About SecurityScorecard's Benchmarking Service

SecurityScorecard allows organizations to benchmark the security of any partner, competitor, supplier, vendor -- any third party or company -- without requiring permission. The proprietary foundation of the platform is the ThreatMarket™ data engine that collects over 30 million daily security risk signals from the entire Internet. SecurityScorecard collects and grades the security risk of companies in the following ten categories and factors: Web Application Security, Network Security, Endpoint Security, IP Reputation, Patching Cadence, Password Exposure, Hacker Chatter, Social Engineering, DNS Health, and Cubit™ Score, a metric that assesses common system configurations. For further information, please visit www.securityscorecard.com.
Join us for a webinar on December 15th, 10:00am PST

Prioritize and remediate the most critical vulnerabilities threatening your organization by combining internal asset risk evaluation with external real-time exploit and threat intelligence to create the most accurate picture of incidence and impact. Effective vulnerability management is within reach through emphasis on key functions — robust vulnerability scanning strategy, dynamic prioritization mechanism that considers internal and external factors, intelligent automated remediation policies, and analytics to monitor risk, exposure and performance indicators. This live webcast will demonstrate how Qualys and Brinqa work together to provide you with all the tools required to implement a successful vulnerability management program. Attendees will learn how to implement key functions that dramatically improve the effectiveness and performance of their programs, including:

Establishing and leveraging asset risk and context during vulnerability prioritization
Application of threat intelligence for real-world likelihood and modes of compromise
Effective remediation through automated, risk-centric remediation policies
Essential risk and performance metrics
Business risk and exposure reporting for key stakeholders

Register Now
This is the third post in our ongoing series on IT risk assessments. In our first post we established critical foundational concepts and considerations. In our previous post we discussed different frameworks and how to best make use of them. In today’s post we will delve into the topic of qualitative versus quantitative risk assessment methods. This topic is important because there is much quackery in the industry claiming to be quantitative while masquerading as bad mathematics. We will get into some of the dos and don’ts of quant, including how you can start applying quantitative techniques now, regardless of program maturity.

Using Numbers Is Not Inherently Quant

Many tools, models, and methodologies like to claim that they provide a quantitative risk analysis capability, but there is a great deal of misunderstanding and misperception around what is and is not “quantitative analysis.” In fact, it is quite common to find that there isn’t anything truly quantitative happening, despite some rather complex calculations, all because the creators of the method or formula have failed to take into consideration foundational principles of statistical mathematics.

Just because your “assessment” (or, more often, your data collection tool) makes use of numbers does not mean that you are doing quantitative analysis. In fact, depending on the type and nature of the numbers being used, and the subsequent manipulation of those numbers, you might be breaking mathematical laws in addition to not doing quant analysis.

Specifically, an understanding of this topic must start from foundational concepts, such as understanding the difference between categorical data (for example, labels like high, medium, and low), ordinal data (such as used in ranking and prioritization, as in first, second, third), and real number data (either actual measured values or estimated measured values).
Only the latter (real number, or numerical, data) generally provides the basis for quantitative analysis. As a general rule, only numerical data can be acted upon using standard arithmetic.

For example, if I ask you to take a list of five attributes (categorical data) and rank them in order of importance from 1 to 5 (ordinal data), then we are most definitely not doing a quantitative analysis. We’re doing a simple ranking exercise. You can take all the ranked scores for each of the attributes and average them to help determine which attribute was deemed “most important” and so on. However, that’s about the extent of the arithmetic you would be allowed to do on categorical and ordinal data.

Now... here is where things start to get tricky. You would not take this data and add all the values together and/or start multiplying them by arbitrary weighting factors. You wouldn’t decide “Today, a 1 (“most important”) is worth 100 points, whereas a 5 (“least important”) is only worth 10 points.” You would not then add and multiply and take logarithms. You collected ordinal stack-rankings, not real number data, and treating them otherwise violates important mathematical principles.

Sadly, this is exactly what we see happening time and time again in all manner of “risk assessment” programs. We see categorical rankings like Critical, High, Medium, Low, and Very Low that are then converted into arbitrary numerical values and acted upon arithmetically in violation of statistical rules. While it is ok to associate those labels with ordinal values in order to calculate a straight average (because there’s an implied ordinal ranking), you cannot arbitrarily assign real number values to these labels and then start applying arithmetic-based quantitative analysis techniques.

This point is often very confusing to people.
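To make the point concrete, here is an added example (not code from the original post) that scores three constructed findings two ways. Both numeric mappings for Low/Medium/High are arbitrary, which is exactly the problem: the finding that comes out “most important” depends on which mapping the spreadsheet author happened to pick, not on the findings. The last function shows the one ordering the ordinal labels actually support, namely whether one finding is at least as bad as another on every label.

```python
"""Added example, not code from the original post: scoring ordinal labels with
arbitrary numbers gives rankings that depend on the numbers, not on the data.
All findings and both label-to-number mappings below are constructed."""

# Constructed sample findings: (name, likelihood label, impact label)
FINDINGS = [
    ("exposed-admin-panel", "High", "Low"),
    ("stale-service-account", "Medium", "Medium"),
    ("verbose-error-pages", "Low", "Medium"),
]

# What the labels actually carry: an order, and nothing more.
ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Two equally arbitrary "scoring" mappings of the kind found in spreadsheets.
LINEAR = {"Low": 1, "Medium": 2, "High": 3}
STEEP = {"Low": 1, "Medium": 3, "High": 10}


def spreadsheet_rank(findings, mapping):
    """The anti-pattern: map labels to numbers, multiply, sort descending.

    Returns finding names from highest to lowest "risk score".
    """
    scored = [(name, mapping[lik] * mapping[imp]) for name, lik, imp in findings]
    scored.sort(key=lambda pair: pair[1], reverse=True)
    return [name for name, _ in scored]


def dominates(a, b):
    """True if finding a is at least as bad as b on every label and worse on one.

    Comparing positions on an ordered scale is something ordinal data supports;
    multiplying those positions is not.
    """
    _, a_lik, a_imp = a
    _, b_lik, b_imp = b
    no_worse = ORDER[a_lik] >= ORDER[b_lik] and ORDER[a_imp] >= ORDER[b_imp]
    strictly = ORDER[a_lik] > ORDER[b_lik] or ORDER[a_imp] > ORDER[b_imp]
    return no_worse and strictly


def undominated(findings):
    """Findings that no other finding dominates.

    This is as far as the labels take you: ordering what is left is a business
    judgement, not something a formula can extract from the data.
    """
    return [
        f[0] for f in findings
        if not any(dominates(g, f) for g in findings if g is not f)
    ]


if __name__ == "__main__":
    print("linear mapping:", spreadsheet_rank(FINDINGS, LINEAR))
    print("steep mapping: ", spreadsheet_rank(FINDINGS, STEEP))
    print("undominated:   ", undominated(FINDINGS))
```

Run it and the two rankings disagree about which finding comes first. The only statements the labels support are that the third finding is dominated by the second, and that the first two are incomparable; anything beyond that came from the mapping, not from the assessment data.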
We have seen many examples of elaborate spreadsheets that collect variously ranked data and then perform some absolutely confounding arithmetic that results in things like a single arbitrary number that not only has no inherent meaning, but mainly reflects the biases (from assumptions) introduced into the calculations, often without any explanation of merit.

If there is one thing you take away from today’s post, let it be this: Just because you are using numbers does not mean that you can perform standard arithmetic on those numbers. It is incredibly important to understand foundational statistics principles and to realize that ordinal rankings are essentially a form of categorical data, which means you cannot rightly add, multiply, etc. After all, you would never say Ford + Chevy + Audi = 79, right? Nor would you take it a step further and say “3*Ford + 2*Chevy + 100*Audi = 79.” These statements may seem absurd, and yet if you look at many “risk assessment” methods in practice today, we see exactly this happening, except Ford is High, Chevy is Medium, and Audi is Low (or some such). Beware quantitative analysis claims!

Getting a (Real) Start With Quantitative Analysis

Now that you have been suitably warned about bad math masquerading as quantitative analysis, let’s look at ways in which we can apply real, legitimate quantitative methods in a manner that will benefit your program, regardless of program maturity.

First and foremost, a great place to start with quantitative analysis is, in fact, during context setting and not in the risk assessment itself. Specifically, a key hurdle to clear in any risk management program is establishing a reasonable, rational basis for business impact. What’s important to the business? What sort of (financial) losses can the business incur without experiencing “material harm” (a legal, meaningful term)?
What lines of business, applications, systems, or services provide the most and/or least revenue, and what is their tolerance for disruption?

Answering these questions can provide a valuable basis for starting with quantitative risk analysis. Note that we haven’t even started to delve into the topic of probability estimates at this juncture. Keep it simple. Start establishing actual, ranged value estimates (ranges are always best; see Douglas Hubbard’s book How to Measure Anything). Speak with people in the organization who can authoritatively answer these questions. Do not simply rely on your own best guess, nor should you stay within the IT department in hopes that techies can magically intuit actual business sensitivities (it turns out we’re not very good at estimating business impact).

Once you have successfully established an approach for collecting basic impact information, then and only then does it make sense to look at maturing practices to get into more advanced quantitative topics, including probability estimates. However, in moving onto these more advanced stages, we highly recommend having a good grounding in statistics and/or data science. You may find a method like Open FAIR to be of interest (as discussed in the last post), and the associated Open FAIR training (from The Open Group) may be useful. However, you need not adhere to any single method, and you are encouraged to thoroughly explore statistics and data science to better understand the correct ways to create, test, and refine quantitative models for your organization.

Right-Sizing Risk Assessment Efforts: Do You Even Need Quant?

One question you might be asking at this point is just how much quantitative analysis is worthwhile, and whether it’s worth using at all.
We think the answer is definitely yes, to a point, but perhaps falling short of full-fledged decision analysis and management (it’s still fairly rare to see decision trees in action in the real world, for those who may have encountered them in academia).

The simple fact is that organizations have been muddling through without quantitative analysis all this time, and they seem to be surviving. In fact, this statement can be generalized and broadened: despite a lack of reasonable security protections and in the face of massive breaches, nobody is saying “Oh, what a pity seeing all those empty store fronts with the red bullseye logo.” or “Remember when we could go buy home improvement products from those large, orange-signed warehouse stores?” Despite the losses piling up, businesses are proving to be remarkably resilient, even if just out of sheer luck.

So... to the question at hand... do we even need quantitative analysis? How do we “right-size” our risk assessment activities?

The answer, simply, is this: You’re already doing risk assessment, whether or not it’s formalized. You’re weighing options. You’re roughly considering pros and cons. You’re trying to balance tradeoffs and hoping that your decisions are good ones that improve value while decreasing loss potential. You are likely considering business impact, albeit in a vaguely qualitative manner. For that matter, we do risk calculations in our heads every day. “Should I get on this airplane?” or “That fish smells funny, should I really eat it?” or “Let’s not drink the scummy green water that smells of petroleum byproducts.” are all examples of the kinds of risk management thoughts that pass through our brains every day.
For the most part, we’re fairly good at making decisions.

The question, then, is whether we can get better at making decisions, and how best to go about doing that without falling into “analysis paralysis” (being unable to make a decision), without making decisions worse (such as by relying on bad assumptions), and without creating processes that are so slow or unwieldy that they are bypassed or too inefficient to be worthwhile.

Yes, this can be done. No, it need not be excessive or inefficient. It may be as simple as establishing some baseline estimates for business impact in key areas, from which you can then drive short conversations that say things like “We know that if this application/service is down for an hour during peak business hours, it will cost us X dollars per hour. Thus, we should look at investing in the resilience of this application, up to X dollars, to ensure that we are reasonably protected against downtime.” Notice, again, that at no point do we need to go down the rabbit hole of probabilities. Rather, it’s a better-informed conversation.

As we become comfortable with introducing basic quantitative (real number) values into a conversation in order to drive more rational decision-making, then and only then can we look into better formalizing processes and discussions, and then and only then can we start getting more elaborate in our calculations, likely leveraging tools to help speed data collection and calculations (including using various statistical models and methods). Until that point, begin with what you can, where you can. Slowly change unfounded “belief state” assertions into fact-based ones, and then iterate and evolve from there.

---

In our upcoming fourth and final post in the series, we will conclude by looking at how to leverage platforms to improve risk management programs. We will take a look at common ad hoc practices (Excel! SharePoint!), evaluate the pros and cons of using a platform, and end with a discussion about how leveraging platforms can lead to improved communication and visibility into risk states.
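As an added example (not the post’s own material), here is the downtime-cost conversation described above expressed with ranged estimates instead of single numbers. The services, revenue-per-hour ranges, outage-length ranges and the materiality threshold are all constructed; a line-of-business owner would supply real ones. Nothing here is a probability of an outage occurring: the ranges only express how uncertain the business impact estimates themselves are, which is the first thing worth writing down.

```python
"""Added example, not code from the original post: business impact kept as
ranged estimates, with no probability of an outage anywhere in the arithmetic.
All services, ranges and the materiality threshold are constructed."""

# Constructed inputs, as a business owner might give them:
#   service -> ((revenue per peak hour, low..high USD),
#               (plausible outage before recovery, low..high hours))
SERVICES = {
    "checkout": ((60_000, 90_000), (4, 8)),
    "reporting": ((500, 2_000), (4, 48)),
    "partner-api": ((8_000, 15_000), (2, 12)),
}

# Constructed threshold: a single-outage loss at or above this is "material".
MATERIAL_LOSS = 100_000


def valid_range(rng):
    """A usable estimate is a non-negative range with some width.

    A point value (low == high) is rejected: it claims a precision nobody has.
    """
    lo, hi = rng
    return 0 <= lo < hi


def outage_loss_range(per_hour, hours):
    """Interval product: best case pairs both low ends, worst case both high ends."""
    if not (valid_range(per_hour) and valid_range(hours)):
        raise ValueError("estimates must be ranges (low, high) with low < high")
    (p_lo, p_hi), (h_lo, h_hi) = per_hour, hours
    return p_lo * h_lo, p_hi * h_hi


def rank_by_exposure(services):
    """Order services by worst-case single-outage loss, keeping the whole range."""
    rows = [(name, *outage_loss_range(*spec)) for name, spec in services.items()]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


def material_services(services, threshold=MATERIAL_LOSS):
    """Services whose loss is material even at the low end of every estimate.

    These are the conversations to have first; no probability is needed to see it.
    """
    return [name for name, lo, _hi in rank_by_exposure(services) if lo >= threshold]


def overlapping_pairs(services):
    """Pairs whose loss ranges overlap.

    The data do not yet support ordering these against each other; narrow the
    estimates (ask the business again) before treating the ranking as settled.
    """
    rows = rank_by_exposure(services)
    pairs = []
    for i, (a, a_lo, a_hi) in enumerate(rows):
        for b, b_lo, b_hi in rows[i + 1:]:
            if b_lo <= a_hi and a_lo <= b_hi:
                pairs.append((a, b))
    return pairs


if __name__ == "__main__":
    for name, lo, hi in rank_by_exposure(SERVICES):
        print(f"{name:12s} single-outage loss ${lo:>9,} .. ${hi:>9,}")
    print("material at low end:", material_services(SERVICES))
    print("still overlapping:  ", overlapping_pairs(SERVICES))
```

With the constructed figures, the checkout service is material even at the bottom of its range, so that is the investment conversation to have now; the other two services have overlapping ranges, which is the honest way of saying the estimates are not yet good enough to rank them against each other.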
In our first post in this series, we introduced core concepts of risk assessments, including where they fit within the overall risk management process and the exceptional importance of first completing the context-setting stage of the process. In that post, we looked at ISO 31000 as a reasonable model for an overall risk management process, but stopped short of diving into specific standards (frameworks and methodologies) for risk assessment.

In today's post we will look at standards and how they can best be leveraged by your organization to improve risk assessment efficiency and effectiveness. We will also highlight some common data collection standards that may be useful. The key takeaways for this article are to first determine whether or not a standard will benefit your organization, what sort of standards might be useful and how to pick one, and a brief summary of major standards that are available.

Without further ado, let's delve into the first question.

Do I Even Need a Standard?

At first, this may seem like a silly question. On the one hand, it may seem absurd that an organization would need a standard for what might appear to be basic and foundational. As ISO 31000 readily demonstrates, there is nothing "whiz bang" special about risk management and risk assessments. Create a process, gather data, conduct analysis, and make the best decision possible. However, is this true, or are we oversimplifying matters?

On the other hand, standards can seem quite logical and appropriate - maybe even appealing - to help us construct and operate our risk management programs. However, not all standards are created equal, nor in fact do they accomplish the same things.
As we'll discuss later in this post, some standards can be quite large and overwhelming, while other standards have a more focused purpose and may need to be used in conjunction with other standards.

The base answer to the question of whether or not a standard will be useful ends up being fairly straightforward: All standards should be approached as guides to help fill in gaps in your overall risk management program. Standards can be useful in helping ensure you have the right steps in your overall process, and they can provide further value in helping you identify opportunities to refine and improve process definition and execution.

Choosing a Good Fit

Thankfully, most standards conform to the guidelines set forth in ISO 31000, which means picking a standard as a reference for risk management program development should not be scary (there are, of course, exceptions to this rule - COBIT 5, in particular). As such, your quest for a standard should be borne out of a desire to find something that works for your organization without being so diametrically opposed to corporate culture that it will almost assuredly result in failure.

That may seem scary, but at heart the point is this: Read several standards and find the one that sounds and/or feels most like your organization's culture. How does your organization function? How do people interact? What is the nature of the business being conducted? What sort of backgrounds do people have (e.g., public vs. private sector)? To what regulations is your organization subject?

As is often the case with risk management, it is imperative that you know your organization, and know it well. Risk assessments are as much art as science, and thus require having a good sense for how people think and behave.
For example, consider the differences in culture, operations, and personnel between a stringent military organization, a manufacturer, a very white-collar financial services company, a Wall Street trading house with very sensitive real-time processing requirements, and the typically laid-back and laissez-faire environment of most higher education institutions.

Proper fit is key to success. If you want people to listen to you, hear you, and take you seriously, then you cannot present an approach that is radically different from how business is conducted, or worse, that interferes with their ability to complete their assigned duties.

Common Standards

Information Security Forum Information Risk Analysis Methodology (ISF IRAM): ISF IRAM is an interesting reference because it does an effective job of breaking down the process in a meaningful and useful manner. ISF’s overall approach to risk assessment starts with completing a business impact assessment (BIA), then performing a threat and vulnerability analysis, and then moving into control selection. This approach roughly approximates the ISO 31000 process (context-setting, assessment, and remediation), and the tooling support can be interesting. The biggest downsides to ISF IRAM are that organization membership can be expensive and the tools themselves may not easily integrate with a risk management or GRC platform. Nonetheless, studying their approach, and any open materials you can find on how they conduct the BIA, is worthwhile and might help you refine your own approach.

ISACA COBIT 5 for Risk: A very commonly referenced standard, COBIT 5 itself can be incredibly overwhelming, as it is intended to be a full-scale IT governance program and not just a risk management standard. ISACA has produced subsidiary documents specific to defining and conducting a risk management program, and that documentation can be useful and interesting as a reference.
One of the largest challenges with COBIT 5 is learning enough about it to go through scoping, design, and implementation. Often, specialized resources are required to get through these steps. However, the average organization is not in financial services (the primary audience), and thus we recommend reading the COBIT 5 for Risk documentation, approaching it as a comprehensive reference, but not as a standard that any sane person might try to implement as-is.

ISO 27000 series: As has been noted before, ISO 31000 provides a generic guideline for the risk management process and its subsidiary components. This approach is further refined, with more detail, in ISO 27005, which is designed to align with the Information Security Management System described in ISO 27001 and ISO 27002. For organizations with an international presence, those subject to frequent external audits, or those with a specific interest in acquiring an ISO certification as a liability shield, it is (obviously) useful to become acquainted with ISO 27005. Beyond that, the standard does not provide much more value than ISO 31000 itself, and thus may have limited reference value outside of seeking a certification.

OCTAVE Allegro: A product of CERT’s Risk Resiliency Center, OCTAVE Allegro is the most recent risk management publication in the OCTAVE methodology series. Overall, OCTAVE can be a good fit for organizations that tend more toward an analytical or engineering mindset. It includes supplemental worksheets that can be fairly easily integrated into risk analytics tools, and it has a reasonable amount of reference material that can help in identifying gaps and opportunities for improvement.
Training is available from CERT for using OCTAVE, which could also provide value, especially for organizations that are just getting started with a formalized risk management program.

Open FAIR: In contrast to the other standards listed here, Open FAIR is not generally focused on the overall risk management process (not completely true, but bear with us), but rather provides a discrete approach for conducting risk assessment and risk analysis. That said, following the entire Open FAIR approach from start to finish definitely does take you through context-setting and risk assessment, and in some cases it may even be used for analyzing risk remediation options. One of the most important and valuable components of Open FAIR is the Risk Taxonomy, which takes the concept of “risk” (defined therein as the “probable frequency and probable magnitude of future loss”) and factors it into easily understood components. Open FAIR is intended as a quantitative risk assessment methodology, which is also unique in this list. However, the Risk Taxonomy itself can absolutely be used in a qualitative manner to quickly “back-of-the-napkin” assess a situation. Such a snap assessment can often be useful as an initial triage step before deciding whether or not an in-depth risk assessment is warranted. The Open FAIR standard is written in accessible language and can be a worthwhile resource for shaping your thinking and approach to risk assessment and risk management.

USG Standards: The United States Government’s National Institute of Standards and Technology provides a large number of free, publicly available standards on a number of interesting and useful topics. Included among these is an entire series of standards for risk management and risk assessment that generally conform to the ISO 31000 guideline and provide worthwhile information on structuring an approach.
Unsurprisingly, the NIST methodologies do tend to be a bit more bureaucratic in nature, but that attribute may fit well with some organizations. We recommend reviewing NIST Special Publications 800-39, 800-37r1, and 800-30r1.

Regulatory guidance or requirements: When designing and refining your approach to risk assessment, please be mindful that most regulations and standards from the past decade have included guidance and requirements, to some degree, for risk management or risk assessment. Be sure to account for any such requirements when designing your approach. You may find that certain standards have better alignment than others with these stipulations.

Data collection tools: Most risk management platforms will include a reference library of questionnaires to aid in data collection. One common standard is the Shared Assessments SIG and SIG Lite set of questionnaires. If your organization works in or with financial services you may already be familiar with these tools. Even if your organization is not in financial services, or you do not foresee direct use of them, they can be worthwhile references in developing your own data collection tools. That said, please bear in mind the point made in our first post: Data collection is not the same as risk assessment or risk analysis. Data is just the input, not the actual evaluation.

---

As we have discussed throughout this post, standards can provide value for defining and refining your risk management and risk assessment approach. Moreover, standards for data collection (such as those from Shared Assessments) can provide additional value in improving overall performance.
However, finding a standard can at times be daunting, and implementation can be soul-crushingly overwhelming.

It is thus important to approach standards with a learning mindset, intent on investigating different theories of risk assessment and then assimilating those pieces that best match your organization's culture, rather than seeking to make wholesale changes that may be at complete odds with how business is performed. As always, risk management must be nuanced and seek to integrate seamlessly with existing practices and processes in order to be successful. If not done well, the risk management process will get bypassed in the name of "getting work done" and, as a result, will falter (if not fail completely).

In our next post in this series we will explore how to "right-size" risk assessments, as well as discuss the pros and cons of qualitative versus quantitative risk assessments (including defining just what those terms mean). Our decisions can only be as good as the data we collect and analyze, which means it's important to understand what both good and bad data look like. You may be surprised by what we have to share.
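The Open FAIR taxonomy summarized in the Common Standards list above factors risk into probable frequency and probable magnitude of loss. The following is an added example, not material from The Open Group or from the original post, that carries that top-level factoring (Loss Event Frequency = Threat Event Frequency x Vulnerability; Loss Magnitude = Primary Loss + Secondary Loss) through a small Monte Carlo with ranged inputs. The scenario and its ranges are constructed, and uniform draws stand in for the calibrated distributions a real FAIR analysis would use.

```python
"""Added example, not material from The Open Group or the original post: the
top-level Open FAIR factoring, risk as loss event frequency times loss magnitude,
carried through a small Monte Carlo with ranged inputs. The scenario is constructed.
"""
import random
from statistics import quantiles

# Constructed 90% ranges for one scenario, "credential stuffing against the
# customer portal", each as (low, high):
SCENARIO = {
    "threat_event_frequency": (2.0, 12.0),   # campaigns per year reaching the login
    "vulnerability": (0.05, 0.30),           # fraction of campaigns that take over accounts
    "primary_loss": (20_000, 150_000),       # USD per loss event: response and recovery
    "secondary_loss": (0, 400_000),          # USD per loss event: fines, churn, legal
}


def loss_event_frequency(tef, vulnerability):
    """FAIR: Loss Event Frequency = Threat Event Frequency x Vulnerability."""
    return tef * vulnerability


def loss_magnitude(primary, secondary):
    """FAIR: Loss Magnitude = Primary Loss + Secondary Loss."""
    return primary + secondary


def annualized_loss(tef, vulnerability, primary, secondary):
    """Expected loss per year for one draw of the four factors."""
    return loss_event_frequency(tef, vulnerability) * loss_magnitude(primary, secondary)


def simulate(scenario, trials=10_000, seed=1):
    """Draw each factor uniformly within its range, combine, and summarise.

    Uniform draws are a simplification; calibrated analyses use a distribution
    (such as PERT) that concentrates mass near the most likely value. Returns
    the 10th, 50th and 90th percentiles of annualized loss.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        d = {name: rng.uniform(lo, hi) for name, (lo, hi) in scenario.items()}
        losses.append(annualized_loss(d["threat_event_frequency"], d["vulnerability"],
                                      d["primary_loss"], d["secondary_loss"]))
    deciles = quantiles(losses, n=10)     # nine cut points, 10th..90th percentile
    return {"p10": deciles[0], "p50": deciles[4], "p90": deciles[8]}


def loss_bounds(scenario):
    """Hard bounds implied by the ranges: no draw can fall outside these."""
    tef, vul, pri, sec = (scenario[k] for k in
                          ("threat_event_frequency", "vulnerability",
                           "primary_loss", "secondary_loss"))
    return (annualized_loss(tef[0], vul[0], pri[0], sec[0]),
            annualized_loss(tef[1], vul[1], pri[1], sec[1]))


if __name__ == "__main__":
    print("annualized loss percentiles:", simulate(SCENARIO))
    print("range bounds:", loss_bounds(SCENARIO))
```

The output is a range of annualized loss with percentiles, not a single score, which is what lets a decision-maker compare the cost of a control against the loss it is expected to avoid. The same functions work as a "back-of-the-napkin" triage step with a single draw at the high end of each range.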
Join Us at the 2015 Qualys Security Conference

Over the last few years we have partnered with and supported the Qualys Security Conference. It is a great place to spend some quality time with technical members of our team and see the latest solutions around Vulnerability Risk Management.

Drop by for a demo of the integrated solution that combines correlation of vulnerabilities, threat intelligence and business context with risk analysis and scoring to prioritize remediation efforts and measure program effectiveness.

Where: Las Vegas, Aria Resort
When: Thursday & Friday, October 8th - 9th
Welcome to the first in a series of posts covering foundational topics in IT risk assessment and management. As a risk analytics company, we are often asked by clients where to start, how to optimize their risk management approach, and what types of practices and considerations should go into risk management program planning and execution. This series will provide some common answers that will be helpful for launching and tuning your programs.

The phrase "Risk Assessment" has become a common part of our technical vernacular, yet it's quite surprising how variable our understanding is of the phrase and what it actually means. In this post we will explore the concept of the risk assessment, where it fits within an overall risk management program, and how we typically enter into the risk assessment process.

For starters, let's address what is not a risk assessment. Quite simply, data collection, such as via a questionnaire, is not itself "risk assessment." Rather, it's the analysis and evaluation of all collected data, in context and aimed toward producing a statement on risk, that is the core objective of a risk assessment. Simply posing questions to constituents, while potentially worthwhile, is not an act of analysis, and thus we must be very careful not to misconstrue the data collection as the "assessment" itself. This, alas, is a common mistake within organizations involved in IT risk management.

The Risk Management Process

A great starting point for a discussion of risk assessment is to first talk about the overall risk management program and process (Figure 1). Aligning with the three core sub-processes within ISO 31000's risk management process, we see that risk assessment is in fact the second step, not the first. Step 1 is to establish the context within which we will conduct risk analysis, which is crucial to the determinations that will inform risk treatment decisions.
Let's drill down into these topics.

Context-setting is a critically important step, and one often overlooked. In setting context, we clearly define the target and environment of the assessment: the technologies, the data, the stakeholders, the environment, and the business context (such as a business impact analysis and a general rubric for risk tolerance, capacity, and/or appetite). It's only after framing the context that we can effectively drill down to the next level and conduct the assessment itself.

Risk Assessment is the step where we implement data collection and analysis in light of the information gathered during context-setting (including the definition of the assessment target and the risk and business context). We will have already determined what the purpose of the assessment is in terms of the type of decision(s) to be supported, and we should have a solid understanding of how the output should be structured in order to be useful for decision-makers. For example, simply producing a magically calculated aggregate number may not provide any value whatsoever if the purpose of the exercise is to determine whether or not a given environment is adequately secured against a defined threat actor.

Risk Treatment (or remediation) is the final core sub-process within the risk management process. In this step we take the output of the risk assessment and discuss options with the business owners/stakeholders, such as whether or not the assessed risks are palatable to the business or whether additional controls should be adopted to reduce the identified exposure levels.
Again, the output of the risk assessment should be in a format that is natively understood by your target audience, and it should align well with the desired use case for the report (that is, it should be tailored to how the report is to be used).

Putting everything together, we find that it is indeed critical that information be gathered first, in the context-setting stage, before any sort of assessment is actually performed. If one were to rely just on the wording of many regulations and standards, one might not realize that it's important to understand where risk assessments fall within the overall risk management process. Getting these steps right will make life easier, as well as lead to much happier customers (the recipients of the assessment output).

What and When Should You Assess?

Now that we have a general understanding of the risk management process and where risk assessments fit overall, the next logical question is "well, when do we need to do these things anyway?" At first blush this may seem like an easy question to answer, but it turns out there isn't typically just a single answer; there are two or three possible approaches.

You can perform an assessment of varying degrees as a contributing data point for just about any decision. In fact, we do this all the time in our personal lives, implicitly, and without any sort of formal framework. Why in IT we think this has to be overcomplicated is somewhat of a head-scratcher, but in reality there are ways in which we can rapidly collect data and perform analysis toward improving decision quality. The mere step of collecting or maintaining contextual information can make a world of difference in overall decision quality.

When thinking about what to assess and when to assess it, there are a few scoping questions to consider: Is this a periodic and/or recurring assessment or is it a one-time thing? Are you assessing a large portfolio or a specific target environment?
What level of decision is being supported by the assessment (tactical/operational or strategic)?

These questions are important because the type of assessment you conduct will need to vary in order to meet the needs defined in scoping. Consider these risk assessment scenarios:

If conducting a risk assessment that is tactical in nature, to determine whether or not an environment, as built/designed, is suitably secured (hardened) for production deployment as part of a defined and limited production timeline, you typically cannot afford to halt all work on the project while you spend a couple of weeks collecting information, analyzing it, and considering a variety of threat scenarios. In this scenario you will be providing input for real-time decisions, primarily for a technical audience, as to whether or not suitable controls are in place.

If conducting a risk assessment that is strategic in nature, looking at an entire portfolio of products or services (for example, a cardholder environment), then you almost certainly can afford (and will need) at least a couple of weeks to collect and analyze data. In this scenario, your output should be quite different, looking for broader themes and patterns, and addressed to a higher-level business audience.

Getting engaged to perform a risk assessment can come through a variety of means and methods. At the most basic level, engagement may come through a simple conversation, email, or form-based request. Alternatively, certain types of assessments may be integrated into key processes - such as procurement, project management, or M&A activities - to ensure that a proper risk assessment (one that includes IT/information risk considerations) is performed, and early enough in the project to adequately account for IT or information risk.
Lastly, it may also be appropriate to perform portfolio assessments on a regularly scheduled, recurring basis (such as quarterly or annually).

Ownership and Common Actors

The last topic we wish to highlight in this post is the role of people in the risk management and risk assessment processes. As has already been noted, the context-setting stage should capture important information prior to commencing the risk assessment itself. This information must include identifying the owner of the resultant assessment report (the person performing the work is rarely the owner, in that risk analysts don't generally own the identified risk). Typically, the owner will be someone in management (either business or technical, depending on the scope of the assessment) who is charged with making a decision or recommendation. It is essential that the risk assessment output be tailored to their specific needs, including ensuring that the report is written in a manner that they can understand and use.

Beyond the risk owner, there will then often be the person performing the risk assessment (we'll just refer to them as the "risk analyst" here) and the other stakeholders and subject-matter experts who will help provide valuable inputs for context-setting.

The role of stakeholders and subject-matter experts cannot be overstated. The worst thing the risk analyst can do is fail to seek out those people with a vested interest in the project or with specialized knowledge that is important for improving data quality and, by extension, decision quality. For example, IT professionals are notoriously bad at estimating business impact without the assistance of someone from the business. Think of all the IT and cybersecurity "sky is falling" moments trumpeted over the years only to fall flat in the face of reality. The simple fact is that, despite all the problems we see with IT and cybersecurity, businesses still manage to continue to exist and function.
That alone is a testament to resiliency.

As such, it is very important not to rely on a single source for all or most of the data. Instead, find the people who truly know the answers (verifiably!) and get them involved in the process (early!).

At the end of the day, all of the considerations discussed within this post are critical to achieving success and demonstrating value. Knowing that risk assessment is not itself a starting point is key. Context is all-important. Good decisions cannot derive from poor assumptions or bad/non-existent data. Further, it's imperative that the right people be involved and that the output of the risk assessment be properly tuned to the target audience. Tuning the output is also a key facet of context-setting, again highlighting the importance of not jumping into later phases too quickly. And, lastly, remember this motto as it pertains to being engaged to perform a risk assessment: Semper Gumby! (always flexible). Work diligently to establish hooks into key processes, but resist the urge to make the risk assessment process so rigid and inflexible that people can only engage the risk analyst through a very narrowly defined set of circumstances. Every opportunity to have a risk management conversation should be welcomed. Creating friendly conditions for engagement and conversation is key to success, both today and in the future.

---

In future posts we will talk about how to leverage risk assessment standards, some of the key differences between – and considerations for – qualitative vs. quantitative risk assessment, and how to leverage platforms to improve the overall risk management program and process. The next post in this series will look at common risk assessment standards and how to best leverage them within risk management programs.
Join us for a webinar on April 10th, 10:00am PST

Brinqa Risk Analytics, a leading provider of unified risk management solutions, is now integrated with ERPScan, the most respected and credible Business Application Security provider, to deliver a best-in-class Enterprise Security Management solution. Together, the industry leading and award winning technologies from ERPScan and Brinqa offer centralized security management for mission critical business applications such as SAP and Oracle.

In this webinar Huzefa Olia, VP of Client & Partner Services at Brinqa, and Alexander Polyakov, CTO of ERPScan, will discuss how you can:
- Monitor and analyze distributed deployments of ERPScan through a single interface
- Deliver sophisticated dashboards and reports on critical vulnerabilities, assets, business areas and locations in your organization
- Build comprehensive risk context and visibility by combining security data from several distinct systems
- Achieve closed-loop remediation by seamlessly operationalizing ERPScan security data

Register Now
Join us for a webinar on April 2nd, 8:00am Pacific

Brinqa Vendor Risk Management, a leading vendor management and governance solution, is now integrated with BitSight Security Ratings for Vendor Risk Management, the standard in security ratings, to deliver an innovative new approach to continuous vendor risk management through data-driven security ratings. The integrated solution presents a holistic view of vendor risk analysis that consolidates and harmonizes internal self-assessment with external independent evaluation.

In this webinar, Huzefa Olia, VP of Client & Partner Services at Brinqa, and Mathew Cherian, Product Manager at BitSight, will discuss how you can:
- Establish a methodology for continuous vendor evaluation and monitoring
- Bring together and compare vendors’ security self-image with their public security footprint
- Improve relevance and quality of risk measurements and reporting
- Conduct granular risk assessment of vendor relationships, products and services
- Track and measure closed loop remediation of gaps in a vendor’s security controls and cyber threat readiness

Register Now
Integrated solution combines Brinqa VRM and BitSight Security Ratings to deliver Continuous Vendor Risk Management through Data-driven Security Ratings

Austin, TX – March 26, 2015 – Brinqa, a leader in Unified Risk Management solutions, and BitSight, the standard in security ratings, today announced a joint integration to deliver the industry’s first comprehensive and continuous Vendor Risk Management Solution. The integrated solution presents a holistic perspective of vendor risk by consolidating and harmonizing internal self-assessments with objective external evaluation.

“BitSight security ratings offer a unique and invaluable perspective to Vendor Risk - one that is objective, data-driven and continuous. The adaptability and extensibility of the Risk Analytics Platform underlying the Brinqa VRM solution make BitSight security ratings an ideal and natural complement to our solution,” said Hilda Perez, President and Co-founder, Brinqa. “We are excited to announce our partnership with BitSight to deliver a true breakthrough in how organizations evaluate and monitor vendor relationships.”

Complete, Comprehensive, Continuous — The integrated solution considers all aspects of a vendor’s profile and its usage within the organization. The solution combines business-driven risk classifications, contextual control assessments, continuous monitoring based on security events and diligence measures, closed loop remediation of gaps and threats, complete workflow and governance, and advanced analytics to gain insights and deliver the most complete model for vendor risk management.

Unified Governance — The integrated solution provides a central platform for analysis, rating and governance of all threats and gaps, whether identified internally or externally. The common medium promotes understanding and addressing gaps that are otherwise hidden under layers of detailed security data.

Advanced Analytics — The extensive security data collected by BitSight to evaluate its external compromise and diligence risk vectors is now accessible within the powerful Brinqa Risk Analytics Platform. Advanced diagnostics and analytics can be applied to this security data to get insights previously hidden. The analytics module can also be used independently outside of vendor management and governance as a powerful tool for security teams to benchmark their own security program against itself, peers, and industry.

“BitSight is very excited about this integration with Brinqa,” said BitSight Technologies Chief Product Officer and Co-founder, Nagarjuna Venna. “Security Ratings alone are a minimum standard of care for assessing third party risk, but incorporation into a broader vendor risk management program, as Brinqa has done, levels the playing field for organizations who need to trust and verify, on a continuous basis, the security performance of their vendors. Brinqa and BitSight enable organizations to augment the point in time assessments and questionnaires that have defined security risk management practices up to this point. This is truly a terrific step forward for our joint customers and we look forward to seeing how this collaboration improves vendor risk management practices in the market as a whole.”

About Brinqa

Brinqa is a leading provider of unified risk management – enabling stakeholders, governance organizations, and infrastructure and security teams to effectively manage technology risk at the speed of business. Brinqa software and cloud services leverage an organization’s existing investment in systems, security, and governance programs to identify, measure, manage and monitor risk. With Brinqa, organizations are reducing response time to emerging threats, impact to business, and technology risk and compliance costs by over 50% through real-time risk analytics, automated risk assessments, prioritized remediation, actionable insights and improved communication. Founded in 2008 by industry leaders in risk management with a proven track record in delivering cutting edge, innovative and cost-effective solutions, Brinqa’s award winning software and cloud services are trusted by Fortune 500 companies across risk disciplines such as information technology risk, vendor risk, and regulatory compliance risk. Brinqa is headquartered in Austin, Texas and has a global presence.

About BitSight

BitSight Technologies is transforming how companies manage information security risk with objective, evidence-based security ratings. The company's Security Rating Platform continuously analyzes vast amounts of external data on security behaviors in order to help organizations manage third party risk, benchmark performance, and assess and negotiate cyber insurance premiums. Based in Cambridge, MA, BitSight is backed by the National Science Foundation, Commonwealth Capital Ventures, Flybridge Capital Partners, Globespan Capital Partners, and Menlo Ventures.

For more information, please visit www.brinqa.wpengine.com
We are very excited to welcome ERPScan to the Brinqa Technology Partnership Program. ERPScan is widely recognized as the premier provider of Enterprise solutions for SAP & Oracle PeopleSoft Security. The partnership goes beyond mere technical integration and delivers a ready-to-use, best-in-class integrated solution that leverages ERPScan’s thought and technology leadership in SAP & Oracle PeopleSoft security systems and Brinqa’s powerful analytics platform to deliver invaluable insight and immediate benefits to risk and security professionals.

If you are at GRC 2015 please visit the ERPScan booth for details about the integrated solution and a live demo.
http://sapinsiderevents.wispubs.com/2015/Las-Vegas/FIN-GRC/GRC

Find out more about the partnership
https://www.brinqa.com/brinqa-and-erpscan-announce-technology-and-solution-partnership/

Enjoy the benefits when the most detailed ERP security solution comes together with the most powerful and comprehensive Risk Analytics platform to help you secure your most critical Business Applications.

- Get unlimited scalability. Manage Business Application Security from a single place, where you can accumulate, analyze and report the most comprehensive ERP security data on vulnerabilities, configuration issues, compliance, source code issues, and SOD violations from every single application in your landscape.
- Save time on daily operations. Manage risks at the enterprise level by integrating information from 7000+ configuration checks and 3000+ vulnerability checks from every SAP and Oracle system in one place, with business context based correlation and advanced reporting from Brinqa.
- Gain actionable insights. Get a clear management level view with management dashboards to better understand highlights and represent the most common, damaging or imminent vulnerabilities across the landscapes; or which locations, business areas and assets are more secure or prone to danger in terms of compliance to regulations.
- Get deeper understanding. Add invaluable context by augmenting security data with business priorities and mandates and by integrating OS and Network level security information from other sources such as Qualys, Rapid7, Tenable, Tripwire, etc. into the Brinqa platform, in addition to ERPScan’s data about specific application vulnerabilities in ERP, SRM, CRM, HR, and Industry solutions from SAP and Oracle.
- Achieve closed-loop remediation. Operationalize your ERP security data with Brinqa ticketing & workflow management to deliver a seamless experience from discovery to user engagement and remediation.
Integrated Solution for Comprehensive Enterprise Security Management

GRC 2015, Las Vegas, NV (March 17, 2015) – ERPScan, the most respected and credible Business Application Security provider, and Brinqa, a leader in Unified Risk Management solutions, today announced a joint partnership to deliver a best-in-class Enterprise Security Management solution. Together, the industry leading and award winning technologies from ERPScan and Brinqa will offer centralized security management for mission critical business applications such as SAP and Oracle.

“ERPScan offers the most comprehensive set of security monitoring solutions for SAP systems and other business critical applications. Consolidating and analyzing security data from these solutions with an eye on risk gives enterprises unprecedented visibility into the state of their cyber security,” said Amad Fida, CEO, Brinqa. “We are excited to announce our partnership with ERPScan to drive an evolution in how enterprises perceive and manage Business Application Security.”

Distributed Monitoring, Central Management — Distributed deployments of the comprehensive ERPScan Security Monitoring Suite can now be natively clustered and managed with the Brinqa Risk Analytics platform to provide complete Enterprise Business Application Security Management. The combined solution delivers a simplified central point for advanced analysis and intelligent reporting of all ERPScan security data.

Seamless Integration, Immediate Value — The integrated solution enables enterprises to implement and consolidate ERPScan Security Monitoring Suite instances deployed across different sites - configured to drive results automatically and effortlessly to a central, self-adjusting Brinqa platform with unlimited scale of magnitude and scope for near-real time analysis and risk ranking - delivering holistic risk and security insights immediately.

Comprehensive Governance — A single interface for managing gaps and threats identified across the ERPScan suite with complete workflow management, user engagement and closed loop remediation tracking.

“Organizations are faced with endless threat vectors across their global enterprise. Business Applications are core to the ability to function at a Global scale, therefore this information must be monitored and tracked on a continual basis,” said Dr. Alexander Polyakov, Co-Founder, CTO, ERPScan. “ERPScan’s ability to track and detect thousands of Enterprise Applications (such as SAP and Oracle) threats such as vulnerabilities, configuration errors, source code issues and SOD violations combined with Brinqa’s expertise in risk analytics will offer organizations the most complete view of Risk for their critical business processes. We are excited to offer this combined valuable solution to the marketplace.”

About Brinqa

Brinqa is a leading provider of unified risk management – enabling stakeholders, governance organizations, and infrastructure and security teams to effectively manage technology risk at the speed of business. Founded in 2008 by industry leaders in risk management with a proven track record in delivering cutting edge, innovative and cost-effective solutions, Brinqa’s award winning software and cloud services are trusted by Fortune 500 companies across risk disciplines such as information technology risk, vendor risk, and regulatory compliance risk. Brinqa is headquartered in Austin, Texas and has a global presence.

For more information, please visit http://www.brinqa.wpengine.com

About ERPScan

ERPScan is the most respected and credible Business Application Security provider. Founded in 2010, the company operates globally. Named as an ‘Emerging vendor’ in Security by CRN and distinguished by more than 25 other awards, ERPScan is the leading SAP SE partner in discovering and resolving security vulnerabilities. ERPScan consultants work with SAP SE in Walldorf, supporting it in improving the security of its latest solutions.

For more information, please visit http://www.erpscan.com
Join Us at the Shared Assessments Summit 2015

Over the last few years we have been an avid supporter of the Shared Assessments Summit. Their focus continues to be to help organizations keep an eye on the ever-changing environment: changes to regulations, standards, and technologies. While these changes impact our environment, the focus remains the same: a risk-based approach to managing third (and fourth) party vulnerabilities.

This year, the 2015 Shared Assessments Summit sessions will focus on helping organizations to stay abreast of the ever-changing risk environment and to evolve to meet these new challenges, while still maintaining a holistic risk-based approach.

Where: Four Seasons Hotel Baltimore
When: Wednesday & Thursday, April 29th - 30th
Join us for a webinar on February 24th, 11:00am Pacific

Risk Assessments are widely recognized as an essential step in the IT risk management process. Yet, most organizations struggle to maintain IT risk assessment programs that ensure that the greatest risks to business operations are identified and addressed on a continuing basis. Studies conducted by various private and federal agencies like the US GAO cite several challenges faced by organizations:
- Lack of a repeatable process for evaluating different types of entities
- Difficulty aligning business impact with technical threats
- Frequently outdated information on risk factors
- Lack of standard reporting formats and result comparison

Join our solution experts as they explore the foundations of an intelligent risk assessment program that evolves with your information security landscape and delivers actionable information to meet the needs of your risk management program. In this webinar you will learn how to:
- Represent, manage and leverage risk scenarios and business context
- Identify, assess and rank critical IT assets and operations
- Measure and monitor issues and findings
- Estimate threat impact and cost-effective mitigation

Register now
There is perhaps no term in the vocabulary of a modern enterprise that causes more confusion and misunderstanding than ‘Risk Analytics’. ‘Risk Management’ fares slightly better but is also a contentious definition. Depending on the vertical you belong to and your role within the organization, this could mean very different things. A typical day in the life of a professional working on Financial Risk Management is very different from that of one working on Technology Risk Management, which in turn varies vastly from a professional working on Operational Risk Management. However, there are some common themes that risk professionals across these diverse areas could agree upon.

Risk management typically includes (but is not limited to) the following:
- Definition and identification of risks
- Identifying and monitoring the entities in the ecosystem impacted by risk
- Defining the quantitative impact of risk
- Identifying and defining the conditions that incur risks
- Data points required to evaluate the conditions for imminent risk
- A consistent and sustained process for collecting and collating said data
- Defining the measures to mitigate or remediate risk
- Managing the process for implementing mitigation and remediation measures

Risk Analytics attempts to build upon generic risk management themes by leveraging the power of intelligent systems to deliver a data driven and informed perspective of risk. These programs — typically driven by the analysis of a large magnitude of data points — aim to go beyond a reactionary approach to risk. They try to engender a better understanding of the current state of the organization with respect to risk and attempt to predict with some amount of confidence how things will look further down the line, if the risk environment stays the same or if certain factors change.

Risk analytics programs and systems typically involve (but are not limited to) the following:
- A big data (since we’re on the topic of ambiguous terms...) backend for processing large magnitudes of data quickly and efficiently
- Ability to correlate and analyze risk data from disparate sources
- Factoring in business context and organizational bias or mandates to augment raw risk information
- Identifying and representing key risk criteria
- Metrics to define, evaluate, and monitor critical risk conditions
- Historical representation of risk information
- Application of mathematical and analytical libraries
- Ability to define alerts and notifications based on current or imminent conditions
- Manual and automated asset classification
- Data mining capabilities for analyzing existing risk data and providing recommendations
- Clustering capabilities to discover hidden relationships between relevant risk assets

If any of the themes listed above seem familiar to you, and you are involved in initiatives within your organization targeted towards these, then (consciously or not) you are using risk models to achieve these goals. Whether your model is designed and maintained through manual processes using spreadsheets, specialized ETL, custom applications etc. or through sophisticated data modeling tools, the success or failure of your risk management or analytics program is heavily predicated on the accuracy, efficiency and performance of your model. If you are managing your program manually, without the help of a dedicated risk-modeling tool, and would prefer to continue to do so, it might still be beneficial to think about the design of the program as an exercise in risk modeling.

Good risk models have certain key characteristics and functions including (but not limited to) the following:
- Identify and accurately represent all relevant types of risk — depending on the industry you work in and the nature of the risks you are interested in evaluating, it is very likely that there are products or services that monitor and report relevant data. Some examples include geopolitical ratings for foreign investment risk, credit ratings for vendor or supplier risk, software vulnerabilities for technology risk etc. Whatever the source of risk data, good risk models should represent and interpret this information accurately.
- Identify and accurately represent all relevant risk entities — risk ecosystems are complex, fickle and infinitely diverse. It is highly unlikely that for any two distinct organizations, no matter how similar their risk management or analytics goals, the same risk model accurately captures all relevant risk criteria and mandates. By all means, see further by standing on the shoulders of giants (where they are offered), and learn from your peers, but it is imperative that you understand your organization’s risk ecosystem thoroughly and ensure that your risk model represents what is important to you as an organization. Within an organization itself, risk mandates and priorities change as you learn from your mistakes and react to the risk challenges the world poses, so it is crucial that your risk model is adaptive and capable of evolving.
- Represent relationships and risk flows — risk originates from different sources within the organization and propagates until it impacts critical business entities and functions. Good risk models define chains of risk inheritance and flow, which can allow you to preemptively understand the effect of specific events on the risk ecosystem and their impact to business.
- Play favorites — identify critical assets and functions so you can focus on the most critical risk information at any given time. Not all applications that support the daily operations of an organization have the same importance. Every partner and supplier serves a distinct (and rarely equally important) function.
- Make data collection painless — the accuracy of your risk model is directly affected by the efficiency and performance of your data collection processes. Spend time, effort and money to make data collection as painless as possible. Put measures in place to monitor the health of data collection processes and to catch and highlight errors and exceptions.
- Make provisions for manual data collection — while automated risk data collection represents the ideal situation, there will be scenarios where the required information resides with individuals and cannot be collected through automated means. Develop and implement structured processes to collect this information and complete the risk picture.

Whatever your final risk management or analytics goals, you can realize the significant benefits of a more formal and structured process while identifying and reducing inefficiencies and gaps by using an actual risk model to represent your organization’s ecosystem or by thinking about the design of your program in data modeling terms.
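To make the risk-model characteristics above concrete, here is an added example (not code from the post or from Brinqa) of a minimal risk model: findings on hosts flow up a chain of supporting relationships to the business functions that depend on them, critical functions are weighted higher, stale data points are flagged by a collection health check, and a what-if query previews the effect of remediating one entity. All entity names, sources, severities and dates are constructed sample data.

```python
"""Minimal risk model: entities, relationships, risk flow and prioritization.
Added example with constructed sample data; not the post's or any vendor's code."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Finding:
    source: str      # which collection process produced this data point
    severity: float  # 0.0-10.0, as reported by the source
    observed: date   # when it was collected; used for the freshness check


@dataclass
class Entity:
    name: str
    kind: str                  # "host", "application" or "business_function"
    criticality: float = 1.0   # business weight: the "play favorites" factor
    depends_on: list = field(default_factory=list)  # entities whose risk flows here
    findings: list = field(default_factory=list)


class RiskModel:
    """Directed risk-flow graph: exposure propagates along depends_on edges."""

    def __init__(self, entities, today, max_age_days=30):
        self.entities = {e.name: e for e in entities}
        self.today = today
        self.max_age = timedelta(days=max_age_days)
        for e in entities:  # relationship integrity: every edge must resolve
            for dep in e.depends_on:
                if dep not in self.entities:
                    raise ValueError(f"{e.name} depends on unknown entity {dep}")

    def is_fresh(self, finding):
        return self.today - finding.observed <= self.max_age

    def local_exposure(self, name):
        """Worst fresh finding observed directly on the entity (0 if none)."""
        fresh = [f.severity for f in self.entities[name].findings if self.is_fresh(f)]
        return max(fresh, default=0.0)

    def exposure(self, name, _path=()):
        """Inherited exposure: the worst of local exposure and everything upstream."""
        if name in _path:
            raise ValueError("cycle in risk flow: " + " -> ".join(_path + (name,)))
        upstream = [self.exposure(d, _path + (name,))
                    for d in self.entities[name].depends_on]
        return max([self.local_exposure(name)] + upstream)

    def priority(self, name):
        """Exposure weighted by business criticality; the number to rank on."""
        return round(self.exposure(name) * self.entities[name].criticality, 2)

    def ranking(self, kind="business_function"):
        """Entities of one kind, highest priority first, as (priority, name)."""
        names = [n for n, e in self.entities.items() if e.kind == kind]
        return sorted(((self.priority(n), n) for n in names), reverse=True)

    def stale_findings(self):
        """Data-collection health: findings too old to trust, with their source and age."""
        return [(e.name, f.source, (self.today - f.observed).days)
                for e in self.entities.values() for f in e.findings
                if not self.is_fresh(f)]

    def what_if_remediated(self, name):
        """Preview the ranking if every finding on `name` were fixed; model is restored."""
        saved = self.entities[name].findings
        self.entities[name].findings = []
        try:
            return self.ranking()
        finally:
            self.entities[name].findings = saved


def build_sample_model(today=date(2015, 3, 1)):
    """Constructed sample ecosystem: two hosts support a payments application that
    the high-criticality order-processing function depends on; a wiki host supports
    a low-criticality documentation function. The db-01 finding is deliberately stale."""
    return RiskModel([
        Entity("web-01", "host", findings=[
            Finding("scanner-A", 9.8, today - timedelta(days=2))]),
        Entity("db-01", "host", findings=[
            Finding("scanner-A", 7.5, today - timedelta(days=45))]),
        Entity("wiki-01", "host", findings=[
            Finding("scanner-B", 9.0, today - timedelta(days=1))]),
        Entity("payments", "application", depends_on=["web-01", "db-01"]),
        Entity("wiki", "application", depends_on=["wiki-01"]),
        Entity("order-processing", "business_function", criticality=5.0,
               depends_on=["payments"]),
        Entity("internal-docs", "business_function", criticality=1.0,
               depends_on=["wiki"]),
    ], today=today)


if __name__ == "__main__":
    model = build_sample_model()
    print("ranking:", model.ranking())
    print("stale data points:", model.stale_findings())
    print("if web-01 were fixed:", model.what_if_remediated("web-01"))
```

Note that the stale db-01 finding contributes nothing to the ranking, which is exactly why the health check surfaces it: a silent collection failure would otherwise read as "no risk".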
Join us for a webinar on January 15th, 11:00am Pacific

For security professionals, knowledge of imminent risks and threats can mean the difference between securing your virtual borders and incurring a catastrophic breach. If your organization deals with external entities, then your most vulnerable aspects may not be protected by your security policies. Implementing a comprehensive vendor risk management program enables you to identify, monitor and manage risks associated with external interactions.

This webinar will highlight the key differentiating elements of modern vendor risk management programs that deliver complete and true vendor risk management, including:
- A methodology that ensures all stakeholders are engaged and informed
- How to manage, profile and classify vendors
- Improving relevance and quality of risk measurements and reporting
- A risk framework to monitor and evaluate every distinct vendor relationship
- Quantitative risk targets and predictive remediation
We are excited to announce that Brinqa is in the Gartner Magic Quadrant for Vendor Risk Management! The category includes vendors that offer IT VRM solutions to assess, monitor and manage exposure to risks arising from the use of third parties that provide products and services.

A little about the quadrant: earlier this year Gartner posted several blog entries regarding the “burning” of the EGRC Magic Quadrant. In a blog entry, Paul Proctor announced: Gartner Resets Their New Approach to GRC. One of the reasons for the new approach is stated as, “GRC solutions buyers are shifting away from a platform-centric approach to one focused on targeted solutions for specific use cases.”

We, of course, have been one of those vendors sharing our experiences with Gartner, and our experience was consistent with this change, as most conversations we engaged in with our customers and prospects were driven to a specific area of the broader GRC market. Needless to say, we wholeheartedly agreed with the new approach. Gartner defined several use cases, including IT Risk Management, Vendor Risk Management, Operational Risk Management and a few others. Our expertise and industry knowledge drives us to one of several use cases we offer, Vendor Risk Management. Our unique Risk Analytics Platform (we are the only vendor with an underlying core analytics platform) allows us to bring together many of the use cases in one solution. In the report, Gartner calls out one of our strengths as, “…an innovative risk analytics platform that uses a graph database and has highly flexible data collection, aggregation and reporting capabilities.”

As a technology vendor, we enjoy solving our customers’ problems; we work hard at anticipating their needs before they do, but we also keep our eye on the market for shifts and changes. This shift has put a spotlight on us that is very welcome and validating. The IT VRM software market is a small but growing market. Gartner has chosen only 10 vendors in this magic quadrant, and we are pleased to be among them.

Earlier this year Brinqa was also recognized as one of the “Cool Vendors in Security Intelligence”. Gartner selected Brinqa as one of only five vendors in the Security Intelligence category.

Get more details about Brinqa Vendor Risk Management here.
Join us for a review of the Vendor Risk Management Use Case

Webinar: Thursday, November 13, 2014 - 1:00 PM Central / 2:00 PM East

Vendor Risk Management is a complex, involved task and doing it right has never been more relevant. Eliminate duplication and utilize your existing investments in information security and governance to address vendor risk in a holistic manner with a Blue Bay & Brinqa Vendor Risk Management solution.

What you will learn:
- How you can standardize your vendor classification process
- How to automate risk and control assessments
- How to track findings and issues and prioritize remediation
- How to leverage the tool to manage the end-to-end vendor life cycle

REGISTER TODAY
Join us at the 12th Annual Qualys Security Conference and meet some of the industry experts, customers and engineers that are driving today's ground breaking technologies in security. Learn how Brinqa models an organization's risk framework by defining and representing hierarchies, tolerances, ownership and performance indicators, and by assigning business impact and quantitative value to risk information to deliver risk prioritization, management and remediation.

Where: Las Vegas Aria Resort
When: Thursday & Friday, October 16th - 17th
Speaking Slot: Friday, October 17th at 12pm
2014 Gartner Cool Vendors CounterTack and Brinqa Announce Strategic Partnership

Joint Initiative to deliver high-value endpoint security analytics to customers for Security Incident Response, Insider Threat Monitoring and Tracking Endpoint State Changes Across the Enterprise

Waltham, MA and Austin, TX – August 7, 2014 – CounterTack, a pioneer in delivering real-time endpoint threat detection, context and visibility around targeted attacks, and Brinqa, a leader in unified risk analytics solutions helping enterprise customers to extract usable knowledge from their data, today announced a joint partnership to deliver a best-in-class endpoint security analytics platform.

The combined best-in-class technologies from CounterTack and Brinqa, both identified by Gartner as Cool Vendors for 2014, will prove critical in making incident responders more successful, and will help security teams gain more visibility across insider threat activity and endpoint state changes through advanced dashboarding and analytics.

CounterTack’s Sentinel gives security teams the ability to own their endpoints through a real-time endpoint threat detection and response platform. Sentinel collects enormous amounts of endpoint threat data from workstation, laptop and server endpoints, enabling security professionals to analyze and automatically classify attacks in real-time – ultimately prioritizing how to handle advanced threats through a Big Data analytics engine. Brinqa takes risk analytics to a new level, helping its customers visualize information with advanced drill-down and multiple levels of dashboard views that can be customized to support specific business initiatives.

“Brinqa has delivered an easily configurable, comprehensive risk analysis platform that has helped our customers in the further exploration of their data,” said Amad Fida, CEO, Brinqa. “We are pleased to announce our joint partnership with CounterTack as a means of providing organizations with the tools they need to appropriately understand their risk posture. Leveraging CounterTack’s innovative endpoint threat detection platform with the Brinqa Risk Analytics platform will give customers an easy-to-understand view of their risk posture, while providing executives with the knowledge they need to make better, and more informed business decisions.”

Key use cases in combining CounterTack’s real-time endpoint threat detection and response platform, Sentinel, and Brinqa Risk Analytics, include:
- Tracking incidents on assets to show Enterprise & Security Risk posture, through to assessing the risk associated with the Change Management Process for endpoints
- Full issue and remediation tracking for incident response including ownership, notifications, remediation plans and what-if analysis for risk forecasting
- Monitoring insider threats through continuous analysis to discover the impact of the highest risk threats to critical business applications

“In security, it’s not always about Big Data, but more so handling the right data, with the right tools. The industry is in need of a solution that will provide context and visibility into a company’s data, all while helping to mitigate risk,” said Neal Creighton, CEO, CounterTack. “CounterTack’s ability to track and detect endpoint threats combined with Brinqa’s expertise in risk reduction will help create a full view into an attack cycle.”

About CounterTack

CounterTack's real-time endpoint threat detection and response platform, CounterTack Sentinel, delivers unprecedented visibility and context to enterprise security teams around targeted, persistent threats. CounterTack dramatically reduces the impact of advanced attacks, providing real-time, behavioral-based intelligence on attacker activity upon infiltration, so organizations can defend their business leveraging Sentinel's contextual attack evidence for a rapid, prioritized response. By combining 'stealthware' technology and Big Data analytics, CounterTack turns the tables on attackers, giving security teams and incident responders an advantage over their adversaries to make better security decisions with real-time, automated, forensic-level analysis. CounterTack is revolutionizing how companies defend their endpoints -- across the enterprise.

About Brinqa

Brinqa is a leading provider of unified risk analytics solutions, empowering organizations with a centralized risk platform and a standard, multifaceted, actionable representation of risk across the entire organization. Brinqa software and cloud services leverage an organization’s existing investments in security, risk and compliance programs to analyze and identify critical risks and help businesses respond rapidly to emerging threats. With Brinqa, organizations are reducing their risk management and compliance costs by over 50% through automated risk assessments, prioritized remediation processes, and improved risk insights and communication.

For more information, please visit www.brinqa.wpengine.com.
Advanced Analytics to Attain Risk Insights and Reduce Risk

Live Webcast: Thursday, August 21, 2014 - 11:00 AM Pacific / 2:00 PM East

Enterprises today are dealing with “it’s not a matter of if you will be breached but a matter of when.” Executives are taking an increased interest in their organization’s security posture and the impact on business goals and objectives—their job depends on it. Because of this, there is a need to quickly detect, prioritize and remediate information technology risks.

In this upcoming webcast, Tripwire and Brinqa will highlight how security professionals can leverage security controls and analytics to gain more visibility and business context, in order to protect sensitive data from breaches, vulnerabilities and threats. This webinar will also cover how to establish a risk reporting framework that enables you to communicate technology risk, using context based metrics to help support key business decisions.

What you will learn:
- How you can align business information with security risk data, to reduce the time from detection to response
- The importance of standardized security risk quantitative scoring and remediation workflows
- How to use critical security control data, powered by advanced analytics, to create actionable dashboards and reports

REGISTER TODAY
Unified Risk Analytics To Power Actionable Security Intelligence

AUSTIN, TX -- July 31, 2014 -- Brinqa, a leader in unified risk analytics solutions, today announced its partnership with Tripwire, Inc., a leading provider of advanced threat, security and compliance solutions. The collaboration enhances Brinqa’s Technology Risk Management offering by coupling the company’s cutting-edge risk analytics platform with Tripwire’s expertise and leading technical solutions in information security risk and compliance to deliver an advanced integrated security analytics solution with native capabilities to represent, interpret, augment, analyze and report on risk and compliance issues.

“Continuous and comprehensive risk analysis is the most effective solution to address today’s information security challenges,” said Amad Fida, CEO, Brinqa. “We are excited to offer this integrated solution to our customers, to help them gain key insights into their security risk programs, improve communication with business owners and make smarter, informed decisions.”

Security analytics allow organizations to get the most value out of their existing security investments, to dramatically expand risk visibility and develop a much deeper understanding of security risks. With the integrated solution, customers can combine the precise change, event and policy information originating in Tripwire tools with business context represented and captured in Brinqa risk models to get a complete view of their technology risk. Normalization, augmentation and subsequent transformation of risk data along business context enable greater visibility into the organization’s risk posture and result in risk and threat identification that is significantly more accurate and relevant to the organization. By improving the efficiency and accuracy of the process to determine critical assets and threats, remediation effort and cost can be significantly reduced.
Pre-defined reports and actionable metrics deliver immediate tangible value to help support key business decisions, services and initiatives.

“Big data analytics is the key to next generation security intelligence programs,” said Rekha Shenoy, vice president of corporate development for Tripwire. “Analytics informed by rich intelligence about asset state, context and vulnerability can automate many risk assessments and threat detection processes. This, in turn, reduces reaction times to threats. This powerful combination helps organizations save time and resources and empowers informed decision making.”

Register for a webinar on Thursday, August 21, 2014 to learn more about the Brinqa integration with Tripwire: http://info.tripwire.com/Register-Advanced-Analytics-Insights-Brinqa.html

For more information about Brinqa partnerships, please visit: https://www.brinqa.com/partners/

About Brinqa
Brinqa is a leading provider of unified risk analytics solutions, empowering organizations with a centralized risk platform and a standard, multifaceted, actionable representation of risk across the entire organization. Brinqa software and cloud services leverage an organization’s existing investments in security, risk and compliance programs to analyze and identify critical risks and help businesses respond rapidly to emerging threats. With Brinqa, organizations are reducing their risk management and compliance costs by over 50% through automated risk assessments, prioritized remediation processes, and improved risk insights and communication. Learn more at http://www.brinqa.wpengine.com.

About Tripwire
Tripwire is a leading provider of advanced threat, security and compliance solutions that enable enterprises, service providers and government agencies to confidently detect, prevent and respond to cybersecurity threats.
Tripwire solutions are based on high-fidelity asset visibility and deep endpoint intelligence combined with business-context and enable security automation through enterprise integration. Tripwire’s portfolio of enterprise-class security solutions includes configuration and policy management, file integrity monitoring, vulnerability management and log intelligence. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc.
Brinqa will join Tripwire at Black Hat 2014 in a lineup of speaking sessions that will include the latest security analytics advancements. Brinqa is partnered with Tripwire to deliver the critical system state data necessary to power analytics. Armed with this insight, organizations can detect, investigate and remediate vulnerabilities and indicators of compromise quickly before they impact critical business assets.
Almost 2,000 security strategists and business leaders will be coming together to talk cyber security in just a few days, and Brinqa will be among them. The annual Gartner Security & Risk Management Summit takes place in Maryland from June 23 – 26. The focus this year is on finding the balance between enabling the organization to move forward against its objectives while also protecting it, its customers and employees, so it can have faster business processes and improved ROI.

If you’re attending the conference, stop by Booth #1100 for a demo on how Brinqa analyzes and identifies critical risks to help businesses rapidly respond to emerging threats. We’ve got a treat for the eyes, too, since we’ll be raffling off a Google Glass.

We’re excited to be a silver sponsor at the summit, and we hope to see you there!
Drop by for a visit and let one of our experts give you insights into the Brinqa Risk Analytics Platform and how it is being used today to manage security risk.

HIMSS Media and Healthcare IT News have partnered once again to bring you The Privacy & Security Forum in San Diego. The 3rd annual Privacy & Security Forum will deliver what CIOs, CISOs and other healthcare IT leaders want to hear from an industry conference: peer-to-peer learning, case studies and forums where they can brainstorm and share ideas.

June 16-17, 2014 -- Manchester Grand Hyatt -- San Diego, CA -- Exhibit #20
Earlier this month Brinqa was recognized as one of the “Cool Vendors in Security Intelligence”. Gartner selected Brinqa as one of only five vendors in the Security Intelligence category. Over the last few years we have focused primarily on risk analytics around specific business areas such as application risk, vendor risk, privacy risk and IT security risk. Most recently, we launched a cloud application for supplier risk management that includes standards-based assessments for vendor profiles and controls assessments. The cloud application leverages our robust Brinqa Risk Analytics Platform and has proven to be a very simple, low-cost entry point for many organizations. Getting recognition for our accomplishments certainly is cool; rest assured that we will continue to be thought leaders in risk analysis and deliver solutions in this emerging market. Gartner defines a cool vendor as one that is a “signal” of what is coming in the near future: a vendor that shows what is possible in terms of technology and helps businesses “future proof” their IT roadmaps. Cool vendors are innovative and are transforming the way businesses operate as well as how consumers engage with technology. It turns out this is exactly what we are passionate about doing at Brinqa! You can find out more about the Brinqa Risk Analytics Platform here. Brinqa is solving security problems with cutting-edge technology to make it easier for our customers to do their jobs faster, cheaper and smarter. We are excited about the Gartner recognition and will continue to forge forward with innovation and coolness! Read more about Brinqa & Cool Vendor here.
Vendors Selected as “Cool Vendors” Are Innovative and on the Cutting Edge of Risk Monitoring

AUSTIN, TX – May 7, 2014 – Brinqa, a provider of an integrated risk analytics platform that helps enterprises extract knowledge from their data, today announced that it has been named one of five “Cool Vendors in Security Intelligence” in a report by Gartner, Inc., the world's leading information technology research and advisory company. Gartner publishes a series of research reports that evaluate "Cool Vendors" in key areas of technology. This is the second year for Cool Vendors in Security Intelligence; the report states “vendors featured are expanding monitoring from multiple monitoring sources to develop risk metrics based on tracked deviations”. Those selected are innovative vendors on the cutting edge of risk monitoring.

“I am extremely pleased that Brinqa is included in Gartner’s Cool Vendors in Security Intelligence 2014,” said Amad Fida, CEO, Brinqa. “Brinqa has proven success in showing that organizations can use risk as a guide to achieve business goals and create growth opportunities.”

The dynamic, big data-powered Brinqa platform is extensible and configurable by customers and supports visualization of data for exploration. Some of the unique benefits include what-if analysis for evaluating the business impact of decisions, and risk data with connected relationships to business controls for immediate analysis. Brinqa’s analytics engine supports the use of context data to enable risk-based prioritization of issues, as well as integration with multiple security vendors to provide holistic risk views and metrics.
“We have built a flexible risk platform that is easy to use and have kept the complexity behind the curtain,” continues Fida. “Keeping it simple for our users is one of the most appealing features of our platform.”

About Brinqa: Brinqa is the leading independent software vendor in developing risk analytics solutions that enable enterprise customers to minimize risk, meet stringent regulatory mandates and increase the operational efficiency of their IT infrastructures. Brinqa’s flagship product is a one-stop platform for comprehensive risk aggregation, analysis and reporting, providing companies with an easy-to-understand view of their risk posture. This gives executives the knowledge needed to make much more informed business decisions for a competitive advantage. For more information, please visit www.brinqa.com.

Gartner "Cool Vendors in Security Intelligence, 2014" by Ray Wagner, Neil MacDonald, Joseph Feiman, Avivah Litan, Ruggero Contu, Eric Ouellet, Peter Firstbrook, 28 April 2014.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This year’s Gartner Security & Risk Management Summit shows you how to find the balance between enabling your organization to move forward against its objectives while also protecting it, your customers and employees, so you can have faster business process and improved ROI. Come by and see the full spectrum of security and risk management emerging trends.
Join us at the Seventh Annual Shared Assessments Summit and hear how senior risk executives are responding to the need to expand and enhance third party oversight and due diligence. Understand the importance of moving from "managing" third party risk to proactive third party risk oversight and assurance.
It’s THE conference “where the world talks security,” and this year’s RSA Conference in San Francisco is expected to be the largest yet. More than 20,000 people are expected to attend the conference and expo being held February 24-28, and Brinqa will be right there in the middle of it.

The term “security” has grown at RSA far beyond malware and viruses. Innovations in technology now allow businesses to look at securing their entire business, not just their computers or websites. As a result, we will be part of the expo, meeting with people looking at ways to secure their businesses using risk analytics.

The theme of this year’s RSA is “Share. Learn. Secure.” We aim to do just that by sharing our knowledge of risk analytics, learning more about the pain points businesses have with regard to risk, and helping them secure their businesses with our solution.

If you are attending RSA, please stop by booth 115 and say hello. We’ll be there all week, meeting with attendees and spreading the Brinqa word.

We’ve chosen RSA to unveil a brand new offering from Brinqa. We won’t spoil the surprise right now, but we are taking risk analytics to new “heights” with a solution that will appeal to businesses of all sizes.

Check back on our blog next Tuesday for all the details. See you in San Francisco!
Brinqa Offers Industry-First Risk Analytics as a Service
Built Upon the Brinqa Enterprise Platform, Brinqa’s Cloud Service is a Powerful, On-Demand Risk Analytics Solution

SAN FRANCISCO, Calif. (RSA, Booth #115) – Feb 25, 2014 – Brinqa, a provider of an integrated risk analytics platform that helps enterprises extract knowledge from their big data for better decision-making, today announced the industry’s first Risk Analytics as a Service offering. The Cloud service is a powerful, cost-effective solution, addressing a need in the market for an easy-to-use risk analytics solution that does not require an expensive deployment process. Brinqa’s Risk Analytics as a Service will be generally available beginning February 28, 2014.

“Risk Analytics as a Service is aimed at companies that are struggling to find a cost-effective and efficient way to extract knowledge from their security and operations data that will help them identify their true risks and make better-informed business decisions,” said Amad Fida, CEO, Brinqa. “Our Cloud solution allows these companies to forego spending on a six-figure GRC system and instead pay for what they use by focusing on a specific set of features that are essential to their needs.”

Key product features in Brinqa’s Risk Analytics as a Service include:
- Data aggregation from sources behind the firewall using a secure cloud connector gateway server
- Pre-built, ready-to-use applications such as Application Security Risk, Service Provider Risk and Technology Risk Analytics; no customizations or coding required
- Complete data encryption, both data at rest and data in motion
- Advanced analytics using machine learning algorithms
- Pay-per-use pricing

Brinqa is the first to offer an affordable Cloud-based risk analytics solution that includes complete automation and continual tracking and reporting of risk that can be used by non-Fortune 1000 companies.
By moving to the Cloud, Risk Analytics as a Service users benefit from Brinqa’s years of experience working with large enterprises by getting proven processes and workflows out of the box with no additional cost or expensive consulting.

“Risk data is often siloed in various documents and spreadsheets across the enterprise and must be manually processed for risk analysis,” adds Fida. “Brinqa’s Cloud service automates the aggregation and analysis of this data for a clearer picture of risk posture.”

Brinqa’s Risk Analytics as a Service offering is built upon the foundation of the Brinqa Enterprise Platform. The platform provides organizations visibility into all essential data and the metrics needed to proactively offset potential threats. Through complete automation of risk data aggregation and analysis, Brinqa shortens response time to emerging threats and reduces effort and cost to organizations by utilizing a common platform across the enterprise. The Brinqa Risk Analytics platform is the most affordable and easy-to-use platform in the industry, offering more data aggregation, correlation and analysis covering more business functions than any other single solution available today.

For more information on Brinqa, visit www.brinqa.wpengine.com. To learn what Brinqa can bring to your company, contact us via email at sales@brinqa.wpengine.com.

About Brinqa
Brinqa is the leading independent software vendor in developing risk analytics solutions that enable enterprise customers to minimize risk, meet stringent regulatory mandates and increase the operational efficiency of their IT infrastructures. Brinqa’s flagship product is a one-stop platform for comprehensive risk aggregation, analysis and reporting, providing Fortune 500 companies with an easy-to-understand view of their risk posture.
This gives executives the knowledge needed to make much more informed business decisions for a competitive advantage.

For more information please contact us via email at info@brinqa.wpengine.com.

Media Contact
Arlene Lim
arlene@lmgpr.com
510-274-8500
RSA Conference is helping drive the information security agenda worldwide with annual industry events in the U.S., Europe and Asia.
This week, Brinqa held a very special webinar: “Application Software Risk: Going Beyond Code Analysis.” The hour-long discussion looked at the challenges companies face in recognizing and understanding application software risk, and how risk analytics can be used to measure, prioritize and report on these findings to ultimately help companies make more informed business decisions.

Brinqa’s Senior Director of Client Solutions Huzefa Olia and Senior Product Manager Syed Rahman shared their insight on the topic. They introduced a risk analytics-based methodology for measuring application software security and explained how a single comprehensive methodology can take input from a variety of sources, prioritize the resulting risk and present it to different audiences.

Olia and Rahman also covered how application risk is quantified as an application moves through the SDLC, and how the methodology helps measure application software security and risk.

Another area of focus was a metrics-driven process and how it helps identify the key areas that matter for remediation decisions. Olia and Rahman pointed out that it is now very easy for companies to highlight and recognize the top risk areas that need to be addressed.

An application software risk case study of a financial services organization was also shared, highlighting the challenges the company faced and the benefits it has since realized after implementing Brinqa’s risk analytics-based methodology.

If you happened to miss the webinar, an archived recording is available for listening at LINK. We believe you’ll find this timely discussion on application security risk both insightful and valuable.

Additionally, if you’d like more information on how Brinqa’s solution can help your business, drop us a note at info@Brinqa.com.
AppSec California is the first of hopefully many annual conferences hosted by all of the California chapters. Join us on the beaches of Santa Monica which is closest to our Los Angeles Chapter.
Brinqa will be presenting on Risk Analytics and Application Security at the local chapter meeting on January 14, 2014.
Innovation is at the core of Brinqa. From the very start, we’ve set out to build an innovative platform that solves the enterprise big data and risk management dilemma. Through our innovation, companies are receiving a complete view of their risk, resulting in more informed business decisions.

This innovation has not gone unnoticed. SC Magazine has named Brinqa a “2013 Industry Innovator in Security Infrastructure.”

In the article, author Peter Stephenson points out some of the key features of our platform: “the Brinqa schema-less model allows the free-form flow of information and data that characterizes today's business environment.” Stephenson adds that Brinqa is not just about collecting data, but also doing something with it: “Brinqa develops analyses of data that result in understanding the real impact of the risks discovered.” Stephenson says Brinqa’s ability to “consume business metrics” connects business departments as it “allows IT risks to be understood in the context of the rest of the organization.”

But, according to Stephenson, what really makes Brinqa stand out as an innovator is the ability to capitalize on the “Three V’s” of big data: velocity, variety and volume. Stephenson says, “The Brinqa Risk Analytics Platform does that, creatively and effectively.”

It’s always an honor to be recognized for our hard work, and to receive that honor from the esteemed publication SC Magazine really ties a bow around 2013 as the year comes to a close. It’s been a great year for us at Brinqa and we look forward to continuing to innovate in the coming year.

To read the SC Magazine article “2013 Industry Innovators: Security Infrastructure,” click here.
Back in 2008, in the early days of Brinqa, the company was focused on regulatory compliance and the Sarbanes-Oxley Act (SOX). So what led to Brinqa’s shift to risk analytics? That was a question posed to Brinqa President and Co-Founder Hilda Perez during a recent interview with Security Week’s Noa Bar-Yosef.

According to Perez, there were four reasons why Brinqa turned its focus to risk analytics:

The need for better insight. According to Perez, businesses began “building up a lot of data around specific areas in security. They were asking us whether we could provide better insight as to what the data was saying on a business level.”

Getting more from compliance reports. Perez said, “it wasn’t just about the compliance report being checked off. It was more about what goals the business was targeting against those particular risks that were showing up in the report. Risk analytics was more about analyzing those results and being able to remediate.”

Educating around having a risk-based culture. Perez gave the example of “what if you have ten risks sitting on a list somewhere: why would you be working on three risks rather than on all ten? Risk analytics allows us to address and evaluate all the risks against where they came from and against their priority to the business.”

Data clarity. As Perez explains, “Brinqa filters out just the relevant stuff; anything coming out of it is prioritized and analyzed, while everything else is noise or clutters the view.”

The business need for risk analytics resulted in the creation of the Brinqa Risk Analytics Platform, which offers more data aggregation, correlation and analysis covering more business functions than any other single solution today. By listening to its customers, understanding their pain points and offering a solution, Brinqa has turned risk into reward, carving a niche in the risk analytics space that remains unparalleled.

To read the entire Hilda Perez interview with Security Week, click here.
It’s been a big year for Big Data. What started out as a buzzword has become a valuable asset for businesses of all sizes across the globe. Forbes even ran a story recently called “Big Data: It’s Not a Buzzword, It’s a Movement.” The acceptance of big data has allowed it to evolve as companies use it for different purposes. Some use it to identify risks, some use it for a competitive advantage, while some use it to better understand their customers. The bottom line is that big data is being used to help organizations make better business decisions. Now, as we approach 2014, a new big data technology trend is building buzz and looking to break out: predictive analytics.

Predictive analytics takes current and historical data and repurposes that information to make predictions about future events.

The availability of predictive analytics not just to large corporations but to companies of all sizes has not gone unnoticed. A recent survey by Decision Management Systems found that more than 90% of companies surveyed have plans to implement predictive analytics “within the next several years.” Of those already using predictive analytics, 43% said it has “delivered either a transformative or significant impact to their organizations.”

In Forrester’s “Top Technology Trends for 2014 and Beyond,” the research firm points to a predictive approach as a means for an organization to be able to “sense their environment and respond in real-time, anticipate user action, and meet users in their moment of need.”

Here at Brinqa, we’ve implemented predictive analytics into our core services. Our users can utilize predictive analytics to help identify potential risks by running simulations and “what if” scenarios. By leveraging past and current data, we help our users better manage their risk and predict what risks may occur in the future.
The end result is a company that is more informed and capable of making better decisions on risk, no matter what the future holds in store.

To learn more about how Brinqa can help your business, take a product tour today.
One of the key features of Brinqa is the ability to delve into the details and allow our users to really look at the root cause of what’s going on. With Brinqa, our users can go from a business process all the way down into the database that supports that business process, to understand the risk associated at every level along the way. They are able to map all this information together and look at it at each level to determine where their risk lies.

A Custom View

One of the big things that our users are excited about is the ability to adjust thresholds and tolerance levels based on the view they are looking at. So if a CIO wants to have his own threshold and not be alerted until a particular scenario arises, we can set that up. The CIO can have a different threshold level from the CISO, and so on. With Brinqa, we can set up those adjustable threshold and tolerance levels to give everyone a custom view.

Taking a Deeper Dive

Once the data has been aggregated and brought in, and the information has been calculated and correlated, Brinqa can display that information in a way that makes sense to the organization. Brinqa users are able to drill down into those views and see where the actual risks lie. It gives our users the ability to address the issues that are most important to their organizations based on risk. It takes them from a gap-based approach of looking at issues to a risk-based approach.

A Clear Picture

With a deeper dive, Brinqa users can say “okay, these are the top ten issues I need to address today that will have the biggest bang for the buck for my organization.” This is the cornerstone of what Brinqa is all about. Brinqa provides users with the risk analytics that give them the ability to make much more informed decisions and increase operational efficiencies across the organization.
With Brinqa, we give organizations a complete view of risk, from the aggregation standpoint all the way to being able to remediate the issues that are most important to them.
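What the drill-down, the business-context weighting and the per-role thresholds described above amount to in practice, as an added illustration in Python that is not Brinqa’s code: a constructed inventory maps each database to the application and business process it supports, each scanner finding is weighted by asset exposure and process criticality, and the weighted scores are rolled up to whichever level a given role watches. The gap-based view (a count of findings per asset) and the risk-based view (top findings by business-adjusted score) disagree on the sample data, which is exactly the shift the post describes. Every asset name, finding, weight and threshold here is a constructed assumption.

```python
"""Risk-based prioritisation over a business process -> application -> database
mapping, with per-role alert thresholds.

Added illustration only: this is not Brinqa code, and every asset name,
finding, weight and threshold below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str          # database the scanner reported the finding on
    title: str
    severity: float     # base severity on a CVSS-like 0.0-10.0 scale (constructed)


# Constructed inventory: which database supports which application, and
# which application supports which business process.
APP_OF_DB = {"db-orders-01": "order-portal",
             "db-hr-02": "hr-intranet",
             "db-crm-03": "crm"}
PROCESS_OF_APP = {"order-portal": "order-to-cash",
                  "crm": "order-to-cash",
                  "hr-intranet": "payroll"}

# Business context (constructed): how critical each process is to the
# business, and how exposed each asset is (1.0 = behind an internet-facing app).
PROCESS_CRITICALITY = {"order-to-cash": 1.0, "payroll": 0.6}
ASSET_EXPOSURE = {"db-orders-01": 1.0, "db-hr-02": 0.4, "db-crm-03": 0.7}

# Constructed scanner output.  Note that db-hr-02 has the most findings.
FINDINGS = [
    Finding("db-orders-01", "SQL injection in order lookup", 9.8),
    Finding("db-orders-01", "Outdated TLS configuration", 5.3),
    Finding("db-hr-02", "Default credentials on admin console", 9.8),
    Finding("db-hr-02", "Verbose error messages", 4.3),
    Finding("db-hr-02", "Missing vendor patch (constructed)", 7.5),
    Finding("db-hr-02", "Directory listing enabled", 5.0),
    Finding("db-crm-03", "Weak password policy", 6.5),
]


def process_of(asset: str) -> str:
    """Walk the mapping from a database up to the business process it supports."""
    return PROCESS_OF_APP[APP_OF_DB[asset]]


def risk_score(f: Finding) -> float:
    """Base severity adjusted by asset exposure and business-process criticality."""
    return round(f.severity * ASSET_EXPOSURE[f.asset]
                 * PROCESS_CRITICALITY[process_of(f.asset)], 2)


def gap_view() -> dict:
    """Gap-based view: open findings per asset, with no business context."""
    counts = {}
    for f in FINDINGS:
        counts[f.asset] = counts.get(f.asset, 0) + 1
    return counts


def top_issues(n: int) -> list:
    """Risk-based view: the n findings with the highest business-adjusted risk."""
    ranked = sorted(FINDINGS, key=risk_score, reverse=True)
    return [(f.asset, f.title, risk_score(f)) for f in ranked[:n]]


def roll_up(level: str) -> dict:
    """Aggregate per-finding risk to 'asset', 'application' or 'process' level."""
    totals = {}
    for f in FINDINGS:
        key = {"asset": f.asset,
               "application": APP_OF_DB[f.asset],
               "process": process_of(f.asset)}[level]
        totals[key] = round(totals.get(key, 0.0) + risk_score(f), 2)
    return totals


# Per-role thresholds (constructed): the CIO only hears about a business
# process whose aggregate risk exceeds 15; the CISO hears about any asset
# whose aggregate risk exceeds 8.
ROLE_THRESHOLDS = {"cio": ("process", 15.0), "ciso": ("asset", 8.0)}


def alerts_for(role: str) -> list:
    """Items that cross the threshold configured for this role's view."""
    level, threshold = ROLE_THRESHOLDS[role]
    return sorted(k for k, v in roll_up(level).items() if v > threshold)


if __name__ == "__main__":
    print("gap view (findings per asset):", gap_view())
    print("top 3 by business-adjusted risk:", top_issues(3))
    for role in ROLE_THRESHOLDS:
        print(f"{role} alerts:", alerts_for(role))
```

On the sample data the gap view ranks db-hr-02 worst (four findings), while the risk view puts both db-orders-01 findings and the CRM finding ahead of anything on the HR database, because db-hr-02 is internal-only and supports a lower-criticality process; the CIO is alerted only about order-to-cash and the CISO only about db-orders-01. The exposure and criticality weights are where business context enters the score; in a real deployment they belong in the asset inventory and CMDB rather than hand-typed as here, and the thresholds should be reviewed whenever the weights change, since a threshold tuned against one weighting silently means something else under another.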
Brinqa named Industry Innovator 2013 by SC Magazine

"This company with a unique name is unabashedly a GRC analytics organization. The Brinqa Risk Analytics Platform uses extremely sophisticated Big Data concepts to analyze risk and provide real solutions to mitigating what it finds. That sounds like every other GRC vendor, but every other GRC vendor Brinqa definitely is not." ~ Peter Stephenson

At A Glance
Flagship Product: Brinqa Risk Analytics Platform
Innovation: Strong application of Big Data analytics to GRC
Greatest Strength: Combination of technical excellence with wide-ranging vision
A recent article in Business Finance finds Brinqa CEO Amad Fida speaking to the publication about all things risk analytics.

Fida was questioned about some “common misconceptions that people have about risk analytics, specifically surrounding the data itself” and points out the importance of effectively analyzing data by making sure there is proper representation of “all factors associated with the given risk being identified.” Failure to do so can impair the assessment of a particular risk.

Fida also pointed out the areas in which risk analytics are most commonly used, including security, application security, compliance and operations. Fida adds that the metrics within those areas vary based on the company and its needs.

Strengthening information security continues to be a priority for many companies. Fida says supply chain security and data security continue to be a focus for risk managers as sensitive data is more frequently scattered across offsite hosting. To shore up information security, Fida recommends that risk managers implement an “aggregated, centralized risk view, where all metrics are combined and reported on by application, process, risk area and line of business.”

What is the recipe for success in implementing a risk analytics program? Fida says those that are using risk analytics to their advantage have “processes in place that are accepted and there is company-wide awareness of these processes.” Additionally, Fida says having a manual practice in place and making the data accessible for continuous analysis can only contribute to the ongoing success of a risk management program.

To read the entire Business Finance article, click here.
Security risk, application risk, vendor risk … the number of risks companies can address with the use of analytics continues to increase, as does the confusion surrounding the use of risk analytics. Brinqa CEO Amad Fida took time to address some common misconceptions about risk analytics while shedding light on the ways in which organizations are using risk analytics.
As IT organizations seek to make better risk-based decisions about security practices, perhaps the No. 1 component for success is the IT risk assessment. However, even when organizations actually conduct a risk assessment, they frequently fall prey to mistakes that can greatly devalue the exercise. Here are some of the most common blunders to avoid.
In today's crowded business environment, gaining a competitive advantage in the marketplace is a must. But where does that competitive advantage come from? Traditionally, it's been about knowing the competition and either differentiating yourself or simply doing it better. Today, however, Brinqa has developed technology in the form of risk analytics tools that allows companies to be introspective, focus on key areas that may need improvement and maximize the company's overall potential.

Here are five ways to gain a competitive advantage using Brinqa’s risk analytics platform:

THE NEED FOR SPEED

If you think about business today, everything is about how fast you can do things, and doing something faster than your competitor is always an advantage. Brinqa’s innovations in analytics now allow people to automate processes that were once done manually, such as moving from spreadsheet analysis to analytics dashboards shared across organizations. The end result is a faster route to obtaining the information you need, which could ultimately put you ahead of the competition.

MEASURING THE RIGHT STUFF

Data is scattered everywhere, and enterprise risk professionals are tasked with turning volumes of unstructured risk data that is difficult to analyze into actionable information. But how do you know you are measuring the right data? You could be measuring ten things that you’ve been measuring for the past 20 years that no longer show you what you need to see today. Brinqa gives you a big-picture view so that you can immediately find and measure potential trouble areas and resolve the problems faster. If you measure the right stuff, you know exactly what needs improvement.

MAKING BETTER USE OF YOUR DATA

So even if you are measuring the right stuff, up until now there has been no real way to bring all the information together consistently. It’s been a manual undertaking resulting in documents, spreadsheets and plenty of personal opinion.
Brinqa’s risk analytics tools paint the whole picture and make the data richer. Users now have the ability to take that data, break it down and do more with it such as creating charts or visual tables that include numerous categories. The smarter data is not only easier to digest, but derives more value across the board. The analysis becomes business knowledge that is data driven and is a value to the organization instantly.WORK SMARTER, NOT HARDERBeing efficient is a key competitive advantage in any business and Brinqa really puts efficiency at the forefront. The ability to replace what has been a manual process with an automated one saves time, effort and, occasionally, error. It’s a repeatable process that you put in place that you really don’t have to think about anymore. You set it up once and you get the smartest people to put all the rules in place and then you just let it work. No intervention required. Put scheduled assessments to work for you whether it is gathering information from employees or assessing your third party partners against the latest regulations.LOOKING INTO THE CRYSTAL BALLBrinqa not only lets you look at the past and present metrics to make knowledgeable decisions, but also allows you to simulate future scenarios. It’s about knowing the consequence of doing something versus not doing it. It’s about uncovering consequences and making consequences tangible. The ability to use real data to evaluate a decision that you are trying to make is a huge competitive advantage when every decision counts.THE TRUTH IS OUT THEREPreviously, companies collected data on risk analytics but struggled with reports that were subjective and sometimes unreliable. With Brinqa, that is no longer the case. 
Our solution allows you to easily bring all of the data together as a single source of truth, resulting in much more informed decisions and overall operational efficiency, ultimately keeping your company ahead of the competition.The Bottom Line: Your data is your single biggest resource and might just be the biggest competitive advantage you can achieve, so why not use it to your advantage?
The GraphConnect Awards (“Graphies”) recognize and celebrate individuals and teams that are developing innovative and impactful graph database applications. GraphConnect 2013 is the second year of these awards. Brinqa Risk Analytics -- Most Innovative Graph Application in Risk Management
As a car owner, you have two approaches to maintaining your vehicle: You can take an “if it ain’t broke, don’t fix it” reactive approach or you can go the proactive preventive maintenance route. How you decide to proceed will likely be based on the situation.

Perhaps your car is due for a tune-up. You may ask yourself, “Do I need to spend money to do a tune-up or not?” From a risk perspective, it’s not necessarily the tune-up itself, but the consequence of doing or not doing the tune-up. Perhaps your vehicle is one you don’t drive very often, so a tune-up can be put off until later. Then again, you may have an important business meeting coming up and the possibility of potentially missing that meeting due to your car being stuck on the side of the road just isn’t worth the risk. After weighing all the consequences, you are able to decide if the cost of a tune-up is really worth it or not.

Managing your business risk with Brinqa works in the same way. Brinqa helps clients weigh the consequences of a situation and make better-informed decisions on their risks.

The bottom line is that a lot of companies just don’t have money for business tune-ups. What they want to know is, “Should we or should we NOT do a tune-up and how long do we have before we REALLY need to do that?”

That’s where Brinqa comes in.

Brinqa is not just about whether or not to tune-up. Brinqa is not going to choose one or the other for you. Brinqa looks at the causes and consequences of the risk so that you have a complete understanding of the situation. With that information, you now have the ability to not just make a decision, but the ability to make that decision smartly.

In short, Brinqa is going to allow you to pick the best solution for your business needs.
THE RISE OF THE PREDICTIVE BUSINESS MODEL
Is Predictive Business the future? A Forbes article makes the case, saying the convenience and agility of the Cloud, the connectivity and insight of social business models, the power and speed of in-memory database and analytics, and the accessibility of mobile are resulting in more companies adopting Predictive Business models.

THE CHALLENGES OF PREDICTIVE ANALYTICS
Meanwhile, you can’t have a Predictive Business Model without Predictive Analytics, and challenges to make the most of that data remain. Computerworld says challenges that can sidetrack predictive business models include data volume, data quality, model complexity and model usability.

BUILDING AND SUSTAINING A DATA ANALYTICS TEAM
Are you building a data analytics team? Here are six tips from DataInformed: Make intellectual curiosity a priority, find techies who can also communicate visually, seek out storytellers, look for domain expertise in your industry, keep top talent in steady rotation and cultivate a touch of conflict.

CAPITALIZING ON BIG DATA
What’s preventing companies from capitalizing on big data? That was the subject of an infographic this week that looks at the top 10 challenges companies face. A mixture of technological and cultural challenges, the number one challenge for businesses was “getting business units to share across organizational silos.”

PROACTIVE RISK MANAGEMENT FOR YOUR BOTTOM LINE
Despite new technology, many businesses are still taking a reactive rather than proactive stance when it comes to risk management. An article in ITWeb says "Reacting to risk is simply admitting criminals got the better of you," and that by the time one reacts to risk, “the harm is done and the perpetrators have vanished.”
THE DRIVERS OF THE NEXT PHASE OF RISK MANAGEMENT
Businesses continue to adopt risk management programs and integrate them into their corporate strategies. According to Forbes, three key areas needing attention include improving the ability to turn data into insights, finding and retaining risk management talent and improving compliance efficiency and effectiveness.

THE SEC LOOKS TO PREDICTIVE ANALYTICS
Predictive analytics are lending a helping hand on Wall Street. A new article in FCW says the Securities and Exchange Commission is now using a predictive analytics risk assessment model to “evaluate risks facing the brokerage industry regulated by the agency and, potentially, to pinpoint firms headed for trouble.”

CATEGORIZING BIG DATA
Simplifying big data is easier said than done, but The VAR Guy has broken down big data into five categories for clarification. They include exploration & discovery; external & multi-type data sources; low latency, inflight data & real time analytics; insight, correlation & context; and oversight, enterprise, operations and security.

CREATING A UNIFIED DATA MANAGEMENT INFRASTRUCTURE
“If you don’t have quality data, you can’t be sure about anything.” That’s the gist of a new article in Banking Technology looking at the benefits of enterprise-wide data management. The article states that centralized data management should help to improve the accuracy of data and reinforce data consistency.

ASSESSING YOUR DATA AND ANALYTICS LEVEL
Every organization is at a different level of data and analytics maturity. Marketing Daily says a company can determine its maturity level by looking at six key components: Governance, Objectives, Scope, Team & Expertise, Improvement Process Methodology and Tools, Technology & Data Integration.
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

THE ADOPTION OF ENTERPRISE RISK MANAGEMENT
A new study of risk professionals finds that adoption of enterprise risk management programs continues to rise. According to the Risk & Insurance Management Society Inc., 63% of respondents said they have “fully or partially integrated ERM strategies into their risk management programs.” That’s up from 54% in 2011.

DESCRIPTIVE, PREDICTIVE AND PRESCRIPTIVE: WHAT’S THE DIFFERENCE?
There are three types of analytics that are “necessary to obtain a complete overview of your organization.” Descriptive Analytics is about the past, Predictive Analytics is about the future and Prescriptive Analytics provides advice based on the future. This article says all three “contribute to the objective of improved decision-making.”

QUANTIFYING BIG DATA
A recent article in Technology Spectator asks the question: “Big Data Transformation- are we there yet?” Despite advances in Big Data technology, the article suggests, “most organizations don’t know which questions they need to ask.” This is just one of the challenges that remain for new big data adopters.

WHEN PREDICTIVE ANALYTICS AND CLOUD TECHNOLOGIES INTERSECT
Predictive Analytics is proving to be “the most effective way to put big data to work.” Cloud technologies are “delivering new data sources and providing a scalable, pervasive platform for analytics.” As the two intersect, there are “new opportunities for value and new ways to exploit big data.”

GETTING STARTED WITH SECURITY ANALYTICS
New to the Security Analytics scene? Dark Reading has come up with seven tips to get started successfully. The tips include the need for pre-security analytics, measuring what’s important to the business, watching for changes to critical infrastructure and leveraging internal business intelligence experts.
Today’s enterprise risk professionals need to turn all types of risk data, structured and unstructured, across the enterprise into actionable information. A good risk analytics platform should aggregate risk data from any source, have a flexible correlation engine, and a robust reporting framework for executive level views. Large enterprises can turn their risk data into information that matters and remediate risk before it becomes a costly issue. This presentation will cover creating a holistic view of risk posture, establishing content risk models, translating metrics to business success and prioritization for remediation. Discussion topics include business drivers, challenges, solutions, methodology, data aggregation, correlation risk models, scoring and overall reporting.
Brinqa and guest Forrester Research, Inc. hosted a very timely webinar on the current and future state of risk analytics. “Beyond Security- Everyday Risk Analytics” was held on September 11, 2013 and featured Brinqa CEO Amad Fida and Forrester Principal Analyst and Research Director Christopher McClean. Amad and Chris discuss where the risk analytics industry currently stands, what it is striving for and what the future holds.

This webinar is an opportunity for people to hear from two industry leaders in the risk analytics space talking not only about how risk analytics can address immediate security risk challenges, but going beyond security, how risk analytics can protect and prepare for any other types of future threats by measuring and prioritizing risks to the business.
Big Data and Risk Analytics are new concepts. While much has already been written, many questions remain surrounding these new technologies and how businesses can use them to their advantage.

As a result, Brinqa is hosting Forrester Research for a very timely webinar on the current and future state of risk analytics. “Beyond Security- Everyday Risk Analytics” will be held September 11, 2013 and will feature Brinqa CEO Amad Fida and Forrester Principal Analyst and Research Director Christopher McClean. Amad and Chris will be discussing where the risk analytics industry currently stands, what it is striving for and what the future holds.

This webinar is an opportunity for people to hear from two industry leaders in the risk analytics space talking not only about how risk analytics can address immediate security risk challenges, but going beyond security, how risk analytics can protect and prepare for any other types of future threats by measuring and prioritizing risks to the business.

Here at Brinqa, we are excited to participate in this webinar that will take an analytical approach to security risk management. We look forward to discussing the kinds of metrics businesses should collect and how to report them. We’ll talk about how to enable your business to gain insights into security risks and help you make the best business decisions.

The webinar is free and open to everyone. We hope that you will join us. Please see the information below for more details.

WHAT: “Beyond Security- Everyday Risk Analytics” is a timely webinar that will focus on the latest trends in risk analysis as well as where the industry is headed.

WHO: Amad Fida, CEO, Brinqa: an expert in risk analytics and security software, bringing over 15 years of hands-on experience to the discussion. Christopher McClean, Principal Analyst & Research Director, Forrester: leads a team of analysts at Forrester covering topics including compliance and risk management, security management, security services, metrics and GRC.

WHEN: September 11, 2013 at 2PM ET/11AM PT

WHERE: “Beyond Security- Everyday Risk Analytics” webinar (online registration)
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

FINANCIAL SERVICES FIRMS WEIGH IN ON RISK SYSTEMS
As more and more businesses update their risk systems, a new study from Deloitte finds that there’s still a long way to go. CIO reports a third of chief risk officers surveyed said they were concerned about the data quality and management capabilities of their risk management systems.

PREDICTIVE ANALYTICS FOR EVERYONE
The Predictive Analytics Market is growing and it appears the sky’s the limit. New research from ReportsnReports.com predicts that by 2018, the market will be worth $5.24 Billion. The new report looks at how predictive analytics is growing across multiple verticals including financial services, government, healthcare and retail.

ALL DATA, ALL THE TIME
Does big data need to be compartmentalized? An opinion piece in VentureBeat this week suggested otherwise. The author offers an alternative to big data called “All Data” where existing data is linked together, analyzed more broadly, and provides value to a wide range of people within organizations.

DATA ANALYTICS FOR THE BOTTOM LINE
Issues such as healthcare reform and changing reimbursement have healthcare finance executives turning to data analytics to help their bottom line. A new article in Health Leaders Media says analytics tools are being used to find revenue cycle efficiencies and other cost savings.

MLB TAKEAWAYS FOR BUSINESSES
Baseball GMs and managers are increasingly using analytics to evaluate players and manage games. An Information Week article suggests businesses can learn from MLB methods which include valuing data over intuition, embracing metrics, considering context, making predictions and declaring WAR (wins above replacement).
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

THE FUTURE IS BRIGHT FOR PREDICTIVE ANALYTICS
“What’s going to happen?” That’s the question that predictive analytics is answering for companies across all industries. CITEworld looks at how predictive analytics are evolving and being used not only as a business tool, but also as a healthcare resource that has the potential to save lives.

ANALYTICS: AN IT DEPARTMENT’S NEW BEST FRIEND
The use of big data analytics by IT departments is resulting in major benefits. An article in CIOL says, “With the use of Analytics, IT can deliver more efficient services, improve resolution time, and better align its operations with the IT infrastructure and IT service management objectives.”

TAKING RISKS WITH YOUR BIG DATA
A new article in Information Week looks at big data and suggests a human element is needed to get the most out of it. A chief research officer says, “Make sure that if you are investing in a data analytics tool, you at least have one body sitting in front of it and you're investing just as much in people as you are in the process.”

THE CASE FOR AUTOMATION
Compliance regulations continue to grow and SC Magazine UK says automation is a solution that can “alleviate mundane tasks.” The article points out the benefits of automation as a “major step if one wants to make the most of human resources, instead of marshalling them to manual tasks that never seem to complete.”

RISKY THINKING!
A new study from down under finds many business executives aren’t taking IT security seriously enough. The report from ISACA Australia finds “89% of 111 IT professionals surveyed said their businesses view IT risk as a compliance burden, while 71% felt their business teams aren't aware that risk management is important to attain business goals.”
Metrics that Matter – Security Risk Analytics - Huzefa Olia, CISSP

Today’s enterprise risk professionals need to turn all types of risk data, structured and unstructured, across the enterprise into actionable information. A good risk analytics platform should aggregate risk data from any source, have a flexible correlation engine, and a robust reporting framework for executive level views. Large enterprises can turn their risk data into information that matters and remediate risk before it becomes a costly issue.

The presentation will cover creating a holistic view of risk posture, establishing content risk models, translating metrics to business success and prioritization for remediation. Discussion topics include business drivers, challenges, solutions, methodology, data aggregation, correlation risk models, scoring and overall reporting.

New Jersey Chapter ISSA Meeting, 4p - 7p, Deloitte, Parsippany, New Jersey
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

STRATEGIC RISK MANAGEMENT CHALLENGES
For businesses implementing a Strategic Risk Management program, some common challenges tend to occur. These include “defining a risk appetite, poor internal communications, and tracking measurable results.” An ebiz article says these challenges can be overcome with an Enterprise Risk Management solution.

FIGHTING CYBERCRIME WITH BIG DATA
How can big data be used to fight cyber attacks? A Trend Micro article suggests new ways of dealing with these threats including “the right combination of methodologies, human insight, an expert understanding of the threat landscape, and the efficient processing of Big Data to create actionable intelligence.”

IT’S TIME FOR ANALYTICS TO GET PERSONAL
With security attacks becoming more personal, author Hugh Thompson says security and data analytics need to become more personal as well. Speaking at the Rapid7 United 2013 security summit, Thompson said a personal approach would help “understand the risk and know when it’s coming so you can prevent it.”

BIG DATA REQUIRES BIG TEAMS
There’s growing concern about the lack of data scientists to coincide with the big data boom, but is big data too big for one title to tackle? An IT World article offers a solution of big data teams that would represent business analysis, analytics expertise, data technology expertise and visualization expertise.

DECISIONS… DECISIONS
A key element needed to successfully implement a big data program lies in the hands of a company’s decision makers. A Bloomberg Businessweek article says, “Although many people talk about turning data into insights, the under-appreciated problem is turning those insights into decisions.”
November 18-21, NY Marriott Marquis, NYC

AppSec USA is a world-class software security conference for technologists, auditors, risk managers, and entrepreneurs, gathering the world's top practitioners to share the latest research and practices. Hosted by OWASP.
GraphConnect returns to San Francisco, welcoming all graph database enthusiasts to explore new ideas, share innovations in graph technology, and make connections with researchers and developers from around the globe.

Amad Fida will be speaking at GraphConnect on Graphs to Measure and Manage Risk. The talk will highlight the graph data model used in Brinqa Risk Analytics, our operational and security risk management solution.
Wednesday, September 11 at 2pm ET / 11am PT

Join us for a very timely webinar on the current and future state of risk analytics. Brinqa CEO Amad Fida and Forrester Analyst Christopher McClean will discuss where the risk analytics industry currently stands, what it is striving for and what the future holds.

Topics to be discussed in this webinar include:
The Accessibility of Risk Analytics
Implementing a Strong Analytics Program
Turning Data into Practical Decision Support
Striving for Contextual Intelligence
The Need for Comprehensive Analysis
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

“WE’RE THE FACEBOOK FOR DATA”
As Brinqa unveiled a host of new features coming to its flagship platform this fall, CMS Wire took an in-depth look at how Brinqa is similar to Facebook in that it is built around relationships- not between people, but between data, and how those relationships aid enterprises in better decision-making.

THE COST OF DOING NOTHING
An article in American Banker this week looks at how Brinqa has added cost of doing nothing modeling to its tech and ops risk software. Brinqa “crunches the worst-case costs to come up with an overall dollar amount associated with a risk” so that companies can decide whether or not that risk needs to be dealt with.

WHERE BANKING AND BIG DATA ARE HEADED
There’s been a lot of buzz surrounding banking and big data. A new infographic out this week showcases how big data is an asset to the banking business. Big data is solving many problems for the banking industry including scoring credit risks, understanding customer needs and managing rising security costs.

THE IMPORTANCE OF BEING STRATEGIC
According to Gartner, in the next two years, eight out of ten Fortune 500 companies will “fail to exploit big data opportunities for a competitive advantage.” Forbes Magazine came out with some tips this week on ways to develop a big data strategy that “relates to the success of the business.”

WHERE THE JOBS ARE…
So you want to be in the Big Data industry, eh? You’re in luck. Studies show the U.S. faces a shortfall of 140,000 to 190,000 big data professionals in the next five years. Worldwide, 4.4 million IT jobs will be needed to support big data by 2015.
Today we gave a sneak peek at new features coming to our risk analytics platform this fall that will give C-level executives the most comprehensive view of risk available on the market.

The new capabilities will make risk even more transparent, allowing C-level executives to manage present and future risks by providing a complete understanding of consequences in “what if” scenarios and allow them to put a price on risk, which ultimately will allow them to make more informed decisions on risk within their organizations.

The new capabilities include:
Enhanced visualizations for mobile, tablet and retina-enabled desktop devices
Dynamic assessments/surveys
New connectors including for IBM z-Secure, qRadar, JIRA, ServiceNow
Industry-first business intelligence (BI) model for user-defined dashboards and reports
Advanced machine learning integrated with smart analytics
Customizable library of more than 170 out-of-the-box functions for increased flexibility
Accelerated data processing for faster data integration, correlation searching and calculation
New compatibility with mainframe operating systems such as IBM Z/OS, and z-Linux platforms

We’re thrilled to unveil these new features. They solidify Brinqa’s position as the most affordable and easy to use platform in the industry today, offering more data aggregation, correlation and analysis covering more business functions than any other single solution available.

We’ve opened up risk management to the masses, allowing businesses that once struggled with interpreting big data to gain a complete understanding of their risk down to the smallest detail. We are able to really communicate risk to executives and businesses by putting a price on risk, speaking in a non-techie language that everyone can understand. They can then say, “I understand what impact this risk has. Let me decide what is best for my business in terms of what goals I need to achieve.”
Brinqa Gives C-Level Executives Unprecedented Data Analytics Tools to Manage Present and Future Risks

Upcoming Release of Risk Analytics Platform Features Enhancements for Comprehensive View of Risk Data for Better Decision-Making

Austin, Texas – August 6, 2013 – Brinqa, a provider of an integrated risk analytics platform that helps enterprises extract knowledge from their big data for better decision-making, is announcing new capabilities to its flagship platform resulting in the most comprehensive view of risk data available for C-level executives.

The new features will be available in Fall 2013 and include:

Enhanced visualizations for mobile, tablet and retina-enabled desktop devices: The platform offers new design, layout and rendering configurations for charts and graphs. Its streamlined user interface provides a more interactive HTML5 client that is more responsive to different screen sizes.

Dynamic assessments/surveys: New branch and skip logic allows users to create more focused, relevant assessments. Incremental assessment capabilities expedite the traditionally long and manual assessment process through automatic reuse of recurring answers. Flexible question types include Yes/No, multiple choice, text/comment, etc. Matrix questioning allows for stronger visual interpretation of data.

New connectors including for IBM z-Secure, qRadar, JIRA, ServiceNow: Customers can collect and collate data from virtually any source for analysis without additional cost or effort. The Brinqa connector framework now offers more than 80 connectors.

Industry-first business intelligence (BI) model for user-defined dashboards and reports: Rich BI functionality allows executives to define dashboards with drill-down capabilities as well as automatically export reports.

Advanced machine learning integrated with smart analytics: Clustering, classification and recommendation algorithms allow for deeper data insight and predictive analysis.

Customizable library of more than 170 out-of-the-box functions for increased flexibility.

Accelerated data processing for faster data integration, correlation searching and calculations.

New compatibility with mainframe operating systems such as IBM Z/OS, and z-Linux platforms.

“Brinqa continues to make risk more transparent and easier to manage,” said Amad Fida, CEO, Brinqa. “Businesses that once struggled to fully extract knowledge from their big data now have a tool that automates risk data aggregation and analysis down to the smallest detail. The output helps provide a complete understanding of consequences in “what-if” scenarios, allowing C-level executives to make more informed decisions on risk within their organizations.”

The Brinqa Risk Analytics platform provides organizations visibility into all essential data and the metrics needed to proactively offset potential threats. Through complete automation of risk data aggregation and analysis, Brinqa shortens response time to emerging threats and reduces effort and cost to organizations by utilizing a common platform across the enterprise. The Brinqa Risk Analytics platform is the most affordable and easy to use platform in the industry, offering more data aggregation, correlation and analysis covering more business functions than any other single solution available today.

Understanding risk posture is critical to strengthening decision-making. A January 2013 Forrester Research, Inc. report by Chris McClean and Nick Hayes states, “When managers and directors consider the risk implications of their decisions over time, they should see an improvement in performance based on those decisions. For example, the decision to outsource key business processes to a third party might have very clear cost and performance benefits, but unless they consider risks related to intellectual property protection, consumer privacy, process quality, or service reliability, the company is exposed to potentially costly scenarios that may nullify any of the benefits.”

For more information on Brinqa, visit www.brinqa.wpengine.com. To learn what Brinqa can bring to your company, contact us via email at sales@brinqa.wpengine.com.

About Brinqa
Brinqa is the leading independent software vendor in developing risk analytics solutions that enable enterprise customers to minimize risk, meet stringent regulatory mandates and increase the operational efficiency of their IT infrastructures. Brinqa’s flagship product is a one-stop platform for comprehensive risk aggregation, analysis and reporting, providing Fortune 500 companies with an easy-to-understand view of their risk posture. This gives executives the knowledge needed to make much more informed business decisions for a competitive advantage. For more information please contact us via email at info@brinqa.wpengine.com or visit us at www.brinqa.wpengine.com.

Media Contact
Woody Mosqueda
woody@lmgpr.com
408-993-9113
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

Risk Management Is Important – Take That to the Bank!
Some banks are still slow to invest in modern risk management technology. Bank Systems & Technology calls that “irresponsible” and says analytics and data management aren’t just for big banks. The article warns “without the practice of risk management at its highest level the industry cannot survive.”

Connecting the Data Dots
Tying data collection to business objectives is a key to success for many. However, an Econsultancy study finds only 20% of businesses surveyed actually have “a company-wide strategy that ties data collection and analysis to business objectives.” Despite that, 86% said web analytics did “drive actionable recommendations.”

Big Data: Not Just for the Big Boys
Big Data is for everyone! That’s the gist in a recent article that explored the benefits big data can bring to SMBs. The article talks about why some small businesses stray from big data whether it’s due to budget or lack of analytics skill, but says those not using big data “risk handing a massive advantage to their competitors.”

Defining Real Time Risk Data
Just what does “Real Time” mean? A recent webcast explored that question and concluded “implications differ from firm to firm.” One chief risk officer defined real time as “the ability of our systems to react to market events.” Others focused on the ability to be proactive when making business decisions.

Data Analytics: Still Some Growing up to Do?
Data analytics continues to evolve and The Register says, “We are entering a new phase of computing where competitive advantage will be gained or lost based on the quality of data and the ability to analyze it.” But are we at that point yet?
Innovations in risk management technology have not gone unnoticed, particularly within the financial services sector. A new survey by Deloitte Touche Tohmatsu Limited queried 86 financial institutions globally about the state of their risk management operations.Among the findings: 94% of company boards now devote more time to risk management oversight than five years ago. About 40% of institutions are concerned about their ability to manage risk data. 62% have risk management program in place, up from 52% percent in 2010, while a further 21% are building one. 65% reported an increase in spending on risk management and compliance, up from 55 percent in 2010. 58% plan to increase their risk management budgets over the next three years.So how are financial institutions using technology and operations risk to their advantage? Brinqa CEO Amad Fida recently spoke with American Banker about how banks are using Brinqa’s solution:“… the software is sometimes used for predictive analysis to help with decision making - for instance, to assess the risks of outsourcing an IT function such as mainframe database administration to China or Brazil. Others use it to prioritize risk problems that need to be fixed, say from a list presented by a regulator. 
But often, it's used by heads of technology or operations risk to wrestle funds from heads of finance, credit or market risk.”

One bank executive says it has used Brinqa’s platform to “monitor the state of security across a large bank”: "(It) gives you an understanding of your conditions, like patch management and app security; it helps you get an up-to-date, current view of the controls that would protect you from ethical hackers or from actual hackers."

One of the key statistics in the survey, however, points out that while awareness of the benefits of a risk management program continues to grow, implementing such a program remains a challenge: less than half of the financial institutions surveyed rated themselves as “extremely or very effective at operational and technology risk.” This underscores the need for a viable solution like Brinqa, a one-stop platform for comprehensive risk aggregation, analysis and reporting that provides financial institutions with an easy-to-understand view of their risk posture.

Simply put, Brinqa is a risk management solution that financial institutions can bank on.

To read the entire American Banker article “Banks Struggle to Manage Tech, Ops Risk: Survey,” click here.
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

Will Big Data Make The World A Safer Place?
Big data is expected to “have a transformative effect on security.” That is, of course, if an organization “can collect all this data, intelligently manage and analyze it, and leverage it for investigations.” Sounds like a job for analytics! Read the article here.

Risky Business In India
India is gearing up for a risk analytics explosion of sorts. A new report predicts that by the year 2020, risk analytics will be a $2.5 billion industry in the country. India is predicted to become a global hub for the outsourcing of risk and procurement analytics services.

Big Data Analytics On The Rise Down Under
A new IDC survey finds Big Data Analytics is being widely adopted in Australia. 80% of the 300 organizations surveyed said they have already launched big data analytics or plan to within the next twelve months.

Calling All Data Scientists
The big data explosion has resulted in a growing need for people who can interpret the data into something tangible. By 2018, 190,000 more workers with analytics expertise and 1.5 million more data-savvy managers will be needed in the US alone. Read more here.

How Big Data Could Potentially Save Lives
A report this week showcased how big data is being used to analyze military veterans' Facebook posts to spot suicide risk factors. The opt-in program uses predictive analytics, monitoring social media posts to predict suicide risk.
One of the key problems businesses face when trying to make the most of their data is the “inability to achieve efficient data integration.” Data is scattered everywhere in different silos, making it time consuming and costly to access and interpret. That’s where the need for Brinqa and data aggregation comes into play.

Brinqa is featured in a new article from Big Data Republic entitled “Temporary Data Integration Solutions.” In the article, Brinqa’s CEO Amad Fida weighs in on the problems businesses face trying to desilo their data and whether aggregation services actually slow that process by offering workarounds to access that data.

Fida says it’s not really that simple, pointing out the complexities of implementing internal data integration and adding, “not all data can be centralized,” such as high security data. The article goes on to showcase just how Brinqa’s solution serves as an alternative for companies faced with silo problems, “aggregating the data and running massive risk calculations to outline critical issues.”

It’s an interesting discussion on the internal problems businesses face and the outside solutions that are available.

Read the full article here.
The term “Big Data” is everywhere these days.

It’s a buzzword picked up by the media that most people still can’t define, and yet every tech company under the sun is now looking for its “six degrees of separation” connection to latch on to the trend.

Wikipedia probably has the most user-friendly definition, calling Big Data “a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications.”

But how did Big Data rise to such prominence? Where was the term first coined, and how long has Big Data REALLY been in existence?

A recent article in Forbes entitled “A Very Short History of Big Data” answers those questions within a comprehensive timeline that shows Big Data is not an overnight sensation, but instead was envisioned long before the technology to deal with it ever was. The article tracks the evolution of Big Data from its infancy as an idea into the $5 billion market it is today and the $50 billion market it is projected to reach by 2016.

Despite its slow rise to becoming a household name, there’s no denying that Big Data has made an impressive showing in the tech world and is a key term that people WILL understand in the very near future.

You can get ahead of the curve by reading “A Very Short History of Big Data” by clicking here.
A look back at the week in Risk Analytics, Big Data and other buzzworthy items

Big Data and Risk Management Go Hand-In-Hand
Chief Financial Officers are realizing the benefits of big data for smarter risk management. A CFO article this week said big data and predictive analytics are not only accelerating business performance but are also allowing CFOs to move beyond the role of “corporate scorekeepers.”

It's Time For a Deeper Dive
A new survey finds 80% of risk managers believe deeper risk-related data is needed in order to fully reap the benefits of analytics. 29% don’t believe their companies know just how much risk they can take on. Read the full article here.

The Scoop On Hadoop
Hadoop took center stage in Silicon Valley this week. The open source framework has evolved into the leading big data platform, though not without some hiccups along the way. Read more here.

Everybody Wants To Get Into the Act
Big data has expanded well beyond the tech world and is now growing across various industries. Articles this week included big data being used to “revolutionize healthcare” and to “shape the future of travel.”

Big Brother is Watching
Not all the big data buzz was glowing this week. There is growing concern that big data may “spell trouble for consumer privacy.” Read what New Jersey Congressman Rush Holt has to say about it here.
Gartner Security & Risk Management Summit is the premier gathering for senior IT and business executives across IT security and risk management, including privacy, compliance, BCM, IT disaster recovery and business resiliency.The summit offers five role-based programs that delve into the entire spectrum of role evolution in IT security and risk, including: network and infrastructure security, IAM, compliance, privacy, fraud, BCM and resilience.Stop by for a visit and find out more about Brinqa Risk Analytics!
The 11th annual Security Professionals Conference, “No Boundaries: Security in an Open World,” will explore the inevitable changes to cybersecurity architecture and drivers, as well as the available solutions being developed or deployed to address the multitude of security and privacy challenges.Join us on April 16th for a roundtable discussion on the challenges and best practices of managing risk in higher education.
Join us as we sponsor FS-ISAC, an industry forum for collaboration on critical security threats facing the financial services sector. Find out more about the latest solutions and how Brinqa is helping customers get an advantage with the Risk Analytics Platform.
RSA Conference 2013
The world’s top security thought leaders will gather together at the annual RSA conference in San Francisco on February 25th, and Brinqa will be there! Stop by and visit our booth (221) to find out more about Brinqa Risk Analytics.
Welcome to the new and improved Brinqa. We’ve just revamped our product offering to recognize and address the new top-of-mind issues for our customers. As today’s business environment changes ever more rapidly, infrastructures have become more complex, more and more data is available that needs to be managed, more regulations must be addressed, and more threats and risks are developing all the time. So we’re introducing the Brinqa Risk Analytics platform to help companies manage all the risk and governance data in the enterprise, and to develop threat and compliance profiles, reports and action plans to address these issues.

The new Brinqa risk analysis solution integrates data from all sources, including structured and unstructured data. It then correlates all the information to identify currently persistent threats from the data in the network flow, such as vulnerability details, logs, and audits. Then it combines it all with identity, IT infrastructure, enterprise-level security and application data to find advanced threats, and to develop trend analysis and data models for future issue remediation. Deep-dive functionality opens up new granular views on risk for the enterprise. It manages remediation strategies and efforts, along with providing the big view of overall enterprise risk.

Brinqa sits on top of existing GRC (Governance, Risk and Compliance) and security applications from all parts of the infrastructure, including other management tools and information repositories across the company. It provides analytics to make the data more actionable and more understandable by management. With Brinqa you’ll stay informed on all aspects, big and small, of risk and compliance for your business. Dashboards, trend analysis and reports are all part of the package, so you’ll always know exactly what’s happening and what needs attention in your business.

Welcome to the new Brinqa and to a new, more manageable business environment.
Brinqa, a leading independent software vendor in the risk analytics market, today announced Brinqa Risk Analytics 4.0, the newest version of its flagship product. Brinqa provides enterprises and government agencies with an integrated risk analytics platform for aggregation of risk data in large complex environments. The solution delivers insightful analysis and intelligent reporting for informed decisions and improved operational effectiveness.

Brinqa Risk Analytics is a powerful solution that will help you aggregate, correlate, analyze and report on what matters most. In moments you have accurate information at your fingertips that supports critical business decisions. At the core of the Brinqa Risk Analytics solution is the ability to aggregate risk data and report on metrics that are forward-looking as well as historical. The integrated Brinqa Risk Analytics platform is a single solution for aggregation of risk data in large complex environments. Organizations can expect reduced risk remediation effort, improved operational efficiency and smarter metrics for more intelligent decision-making.

Key new features of the Brinqa 4.0 Risk Analytics Platform include:
- Dashboard and application builder from the user interface, easy to customize
- Event-based assessments, with multi-point distribution to support multiple respondents
- Enhanced security to support more granular access restrictions
- Cloud security and data protection standards, controls and compliance reports
- Additional chart libraries to support advanced multi-dimensional dashboards
- Simplified connector framework with easy wizard setup from the user interface
- Enhanced scale and performance of the graph-based framework

Brinqa streamlines compliance through automation, monitoring of controls, measurement of key metrics and visibility through executive dashboards and reporting.

For more information, contact us at sales@brinqa.wpengine.com
The SoCal Security Symposium features over 30 vendor exhibits and several industry experts discussing current security issues such as eDiscovery, cloud security, threat vectors, mobile security, and much more. There will be lots of giveaways and prizes! This conference will provide tremendous networking opportunities. You'll come away with advice and knowledge you can start applying to your environment immediately. Your registration will include breakfast, lunch, an ice cream social, CPE credits (8) and entrance into the conference sessions and exhibit area.
Brinqa Application Risk enables the centralization and standardization of the underlying services that are common across individual application and infrastructure risk management projects. The consolidation establishes an enterprise view of risk to allow executive management to make informed decisions related to resource management and funding allocations, reducing time and cost.

Key Metrics Commonly Tracked
- Application Software Security Metrics
- Continuous Vulnerability Metrics
- Issues and Remediation Metrics
- Platform Compliance Scores
- Baseline Defense Metrics
- Security Roles and Responsibility Metrics

Key Features
- Risk modeling supports complex, quantifiable risk calculations for business processes, assets, users, controls, and data/information risk
- Mapping of risk scores to business policies and regulations
- Risk libraries for applications and infrastructure
- Business-friendly interface for definition of key risk metrics (e.g., key risk indicators) and thresholds for metrics
- Support for unique scoring models per asset; scoring model accounts for relationships to other assets
- Risk engine supports statistical calculations for improved quantitative risk scoring
- “What if” analysis for risk forecasting, reduction in risk exposure, and risk mitigation plans
- Out-of-the-box risk assessment questionnaires with advanced question editor for customization
- Pre-configured risk assessment processes resolve common issues through recommended remediation plans
- Workflow-based risk assessment processes automate data collection, leveraging the Brinqa connector framework
- Comprehensive issue libraries facilitate automatic issue discovery; issues created as a result of an assessment, loss event, near-miss, scenario analysis, or control test failure
- Closed-loop remediation of issues with full auditing
- Configurable workflows manage the complete life cycle of remediation plans
- Integration with common third-party issue management systems
- Comprehensive risk dashboards and reporting provide CIO-level views of a company’s overall risk posture with drill-down into detailed views
- Complete historical record of all issues and loss event data

Key Benefits
- Effective risk management through tools that enable top-down and bottom-up approaches to identify, measure and track risks
- Holistic view of application risk
- Enforced accountability for residual risks assigned to the appropriate owners (e.g., line of business)
- Reduced costs through proactive risk management, which increases risk protection levels with fewer resources
- Measured trends deliver real data to support return on investment
We are committed to keeping up with the most innovative security professionals and, as has become customary, we will once again be sponsoring the RSA Conference in San Francisco this year. The RSA Conference has consistently attracted the world's best and brightest in the field, creating opportunities for conference attendees to learn about IT security's most important issues through first-hand interactions with peers, luminaries and emerging and established companies. As the IT security field continues to grow in importance and influence, RSA Conference plays an integral role in keeping security professionals across the globe connected and educated.

Learn more about RSA® Conference 2013
Every enterprise environment faces the challenge of having the data it needs readily available at the moment a critical decision must be made. Our data aggregation framework connects to any source of information, whether it is network data, event data, metrics, tickets or threats. Set it up once and it automatically synchronizes your aggregated source data on whatever schedule fits your needs.
Brinqa Risk Analytics addresses the need to ensure that functions exist to easily identify, measure, monitor and control risks as they relate to critical applications in the enterprise. Brinqa Risk Analytics is a complete risk platform that keeps up with your constantly changing environment. It combines robust risk modeling and prioritization with a correlation engine that takes the guesswork out of decision-making. Relevant data aggregated from various data sources is centralized in one warehouse. Correlating and analyzing that data provides a view of the information that matters most. This solution ensures that the most critical risks to the business are identified and remediated.