The general lack of focus on resilience, response and recovery is largely reflected in vendor offerings too. JupiterOne CISO Sounil Yu, creator of a Cyber Defense Matrix adopted by OWASP, noted the concentration of security products in protection and detection and wondered, “Is our industry actually solving the right problems?”<\/p>\n\n\n\n How to build in that cyber resiliency was the focus of a number of talks at the conference.<\/p>\n\n\n\n Unpatched vulnerabilities are at fault in anywhere from a third to more than half of all data breaches, depending on the study, so it’s natural to wonder why organizations don’t do a better job of patch management<\/a>. The answer, based on a couple of presentations at the conference, is that patching is incredibly difficult to get right, requiring way more attention than most companies can afford to give it.<\/p>\n\n\n\n Art Ocain, VP for Cybersecurity and Incident Response at Airiam, noted that patching should be approached with a continuous deployment mindset, so teams should be able to patch 10 times a day.<\/p>\n\n\n\n Phil Venables, CISO of Google Cloud, said Google Cloud treats patching like another company might treat its top revenue-generating applications, with continuous updates similar to what a development team would use (see slides below).<\/p>\n\n\n\n In addition to keeping up with patches, fixes and mitigations across applications, operating systems and endpoint and network hardware \u2014 there are roughly 20,000 new vulnerabilities a year, and several hundred of those are actively exploited by hackers \u2014 many organizations don’t even know everything they own, so asset management<\/a> is part of the problem too.<\/p>\n\n\n\n The sheer difficulty is one reason that vulnerability management as a service (VMaaS)<\/a> and similar services<\/a> have been gaining traction among security buyers.<\/p>\n\n\n\n Google’s cloud security is well regarded (and the company has shared some documentation<\/a> of its security architecture and practices too). Venables spent much of his presentation discussing the many ways Google Cloud reduces concentration risk (see slide below).<\/p>\n\n\n\n Also read<\/strong>:<\/p>\n\n\n\n Ransomware<\/a> is the most feared cybersecurity threat, and with good reason: Its ability to destroy and steal data is almost without peer.<\/p>\n\n\n\n That double threat \u2014 exfiltration and destruction\/encryption<\/a> \u2014 makes backup<\/a> and encryption<\/a> of data critically important for recovery and to avoid extortion when hackers threaten to release sensitive data.<\/p>\n\n\n\n “Immutable backups<\/a>” are often touted as the answer here. But even that needs to be incredibly secure \u2014 Ocain said Airiam has to take extra steps to protect even the laptop of the backup manager because hackers will find it. And keys and credentials are stored in a key vault so admins don’t keep them. The slide below shows the controls the MSSP<\/a> has built into its backup and disaster recovery<\/a> systems to keep customer data safe.<\/p>\n\n\n\n Continuous pentesting<\/a> and ransomware simulations are among Airiam’s many controls. As Ocain put it, the company’s evolution “from good MSP to good resilience provider” was borne of necessity, and the company is now called in to consult on high-profile ransomware cases.<\/p>\n\n\n\n Also read: Building a Ransomware Resilient Architecture<\/a><\/p>\n\n\n\n The conference \u2014 held in McLean, Va., and virtually \u2014 had a strong government and financial services focus, two sectors with high security needs that understand the limits of security tools<\/a> and the need for resilience. That element gave the conference an air of realism: No one was claiming that they could stop every threat, and the focus was on the layers of defense that can keep an attack from spiraling out of control.<\/p>\n\n\n\n Government agencies and industries with high security needs have faced attacks and know they will continue, but most smaller businesses and non-IT companies don\u2019t have the time or money to focus on cyber attacks until they happen. ResilienCyCon showed the error of that thinking. Those secondary layers of defense and response are critical, and are far cheaper than dealing with the consequences of an attack. They can make the difference between bending and breaking, so businesses would be wise to prepare now.<\/p>\n\n\n\n Read next: Best Incident Response Tools and Software<\/a><\/p>\n\n\n![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/11\/security-response-products-1024x552.jpg\")
Patching Is Hard. Real Hard.<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/11\/google-cloud-sdi-1024x485.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/11\/google-cloud-patching-1024x485.jpg\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/11\/google-reducing-cloud-risk-1024x574.jpg\")
<\/figure>\n\n\n\n\n
Backup Is Hard. Really Hard.<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/11\/immutable-backup-1024x574.jpg\")
<\/figure>\n\n\n\nPrepare Now<\/h2>\n\n\n\n