Article written by cybersecurity expert Yuriy Tsibere.
Gone are the days when cybersecurity meant stopping annoying viruses like the Love Bug. Today, it’s about battling a massive, financially motivated cybercrime industry. Attacks are smarter, faster, and more damaging—and that changes everything for product teams.
For product managers (PMs), this means understanding that attackers are constantly exploiting the same weak spots: stolen admin credentials, missing multi-factor authentication (MFA) on VPNs, remote encryption, and clever “living off the land” (LOTL) tricks like using Office to launch PowerShell.
Even something as simple as an unpatched firewall or a rogue USB drive can open the door to a breach.
New vulnerabilities and zero-days are popping up all the time, and product teams have to stay on their toes. A few examples:
- WannaCry (2017): Used the EternalBlue flaw in SMBv1 to spread ransomware fast. It forced companies to disable SMBv1 altogether.
- Some Exchange Server bugs: Let attackers run malicious scripts, sometimes leading to ransomware.
- Log4j vulnerability: A vulnerability in a popular Java logging framework that enables arbitrary code execution. Still showing up in outdated firewalls and VPNs.
- Follina (MSDT): Let Office apps launch PowerShell without any user interaction.
Timely patching helps, but it’s not enough. There’s always a gap between discovering a flaw and fixing it. That’s why teams need layered defenses and a mindset that’s ready to respond to incidents as they happen.
How breach reports drive real-time product shifts
The 100 days to secure your environment webinar series from ThreatLocker is a great example of incident-driven development. It helps security leaders focus on what matters most in their first few months.
Real-world breaches often directly lead to new product features or policy changes. Here’s how:
- Unlocked machines: a threat actor once accessed a hospital computer that was left open and ran PowerShell. Now, password-protected screen savers are a must.
- USB data theft: USB drives are still a go-to for stealing data. Products now offer fine-grained USB controls—blocking unencrypted drives, limiting file types, or capping how many files can be copied.
- Lateral movement: Ransomware often spreads using old admin accounts. Tools now detect and remove these after review.
- LOTL attacks: Follina showed how legit tools can be misused. Ringfencing™ helps stop apps from launching things they shouldn’t.
- Outbound traffic abuse: Attacks like SolarWinds used outbound connections. Now, default-deny policies for server traffic are becoming standard.
- Stolen credentials: MFA is non-negotiable for cloud accounts, remote access, and domain controllers.
- Vulnerable VPNs: Unpatched VPNs are a big risk. Features now include IP-based access controls or even disabling unused VPNs.
The PM’s response: From advisory to actionable feature
For cybersecurity PMs, reacting to threats means more than just writing advisories. It’s about building smarter, safer products. Here’s how:
- Get full visibility
Start by understanding what’s running in your environment. Use monitoring agents to track file activity, privilege changes, app launches, and network traffic. - Prioritize risks
With a complete picture, PMs can focus on high-risk tools and behaviors:- Remote access tools like TeamViewer or AnyDesk
- Software with too many permissions (e.g., 7-Zip, Nmap)
- Risky browser extensions
- Software from high-risk regions
- Drive adaptive policy creation
Security policies should evolve with the threat landscape:- Test first: Use monitor-only mode and test groups before enforcing new rules.
- Be precise: Go beyond on/off switches—use dynamic ACLs, Ringfencing, and app-specific admin rights.
- Encourage adoption by minimizing disruption
- Offer a store of pre-approved apps
- Make it easy to request new software
- Explain why restrictions exist—it builds trust
- Continuous improvement and monitoring:
- Use health reports to spot misconfigurations
- Block USB file copies if thresholds are exceeded
- Clean up old policies and unused apps regularly
- Embrace patch management
Make sure everything—from operating systems to portable applications like PuTTY—is up to date. Use tools to find missing patches and test them with pilot users before rolling out. - Protect backups
Backups must be shielded from compromise. This includes limiting which apps can access them and requiring MFA for backup services. PMs should also test the backups regularly to validate recovery readiness.
Cybersecurity PMs are on the front lines of using real-world protections against real-world threats.
By staying informed, collecting the right data, and building with users in mind, you can reduce risk without making life harder for your team.
Sponsored and written by ThreatLocker.