XM Cyber, the leader in hybrid cloud security, released the findings of its second annual research report, Navigating the Paths of Risk: The State of Exposure Management.ย Produced in collaboration with theย Cyentia Institute, the report found that 75 percent of security exposures do not put organizationsโ critical assets at risk. However, while most of these exposures are not particularly relevant to an organization, there are a minimal amount of exposures that put more than 90 percent of their critical assets at risk.
With advanced tooling, modern security teams are faced with an overwhelming volume of exposures to validate and analyze, despite the fact that most exposures uncovered do not lead to critical assets. XM Cyberโs latest research, which analyzed more than 60 million exposures in over 10 million entities, both on-premise and in the cloud, revealed that the average organization has 11,000 exploitable security exposures in a given month with up to 250,000 exposures in larger enterprises. This highlights the need for more efficient exposure remediation in order to remain ahead of the attack curve.
CIO INFLUENCE:ย Anglicare Leverages Ribbon and Switch Connect for Voice Consolidation and Path for Microsoft Teams Deployment
Lack of efficiency exists with remediating exposures
XM Cyber research uncovered that 75 percent of exposures along attack paths lead to โdead endsโ which cannot impact critical assets and therefore represent minimal risk. Only two percent of security exposures are actually located on โchoke pointsโ โ entities through which multiple attack paths converge enroute to critical assets. By focusing efforts on remediating exposures on these choke points, organizations can maximize risk reduction while minimizing remediation workload amongst security and IT teams.
โSecurity teams are inundated with increasing volumes of alerts and attackers are actively exploiting this,โ saidย Zur Ulianitzky, Vice President, Research at XM Cyber. โAs illustrated by our research, the vast majority of security alerts are benign and do not lead to critical assets. Threat actors are not working any harder than they have to, and most find success with attack paths which are simple, short and lead straight to fruitful returns. By diligently focusing remediation efforts on first and foremost eliminating the 2 percent of exposures which provide attackers with seamless access to critical assets, organizations can significantly reduce their risk without adding any additional strain to security teams.โ
Attackers easily pivot from on-prem to cloud networks
The report also conveys the importance of having strong security controls for both cloud and on-premise environments. 71 percent of organizations have exposures in their on-prem networks that put their critical assets in the cloud at risk.
CIO INFLUENCE:ย Ascend.io Launches Solution in Partnership with Snowflake, Enabling Cost Savings for Data Teams
โOrganizations face tough challenges in managing their diverse on-prem and cloud environments, often failing to consider the bigger picture and only focusing on each piece in isolation,โ continued Ulianitzky. โOnce attackers infiltrate cloud environments, itโs easy for them to compromise assets. Cloud security is not yet mature and many security teams donโt fully understand what security issues they need to look for. Challenges also surface from how cloud identities and permissions are (mis)managed. Moving forward, organizations must rethink their approach to security to ensure the protection of all of our identities, systems, and interdependencies among them holistically.โ
Credentials and misconfigurations are highest risk exposures
The research also reveals that attack techniques targeting credentials and permissions affect 82 percent of organizations. Many continue to overlook attack paths that leverage credentials and permissions however these results make it clear that attackers prey upon trusted administrative services and identities to execute attacks.
โAs we analyzed data and reflected on the findings for this report, my mind kept coming back to one concept: the cost of attack. Through attack path analysis, we see what the attacker sees and identify their least costly (quickest, easiest) routes to whatever it is they value. If we operationalize that knowledge, I have hope that we can finally shift the cost of attack in our favor,โย Wade Baker, PhD, Partner at Cyentia Institute.
CIO INFLUENCE:ย PlainID Launches The PlainID Technology Network to Enable Identity Aware Security for Advanced Access Control
[To share your insights with us, please write toย sghosh@martechseries.com]
