There’s a lot of talk about how to make the most of what you’ve got, especially in light of the less-than-amazing economic situation at the moment. And no surprise here, CISOs and their respective teams are also feeling the squeeze. Security teams are doing more with the same – and often less – and therefore, they need to become more efficient in their processes.
But in my experience, frequently, this is not what’s really happening. The XM Cyber research team and I crunched the data from 60 million exposures affecting over 10 million entities (yes, all data was anonymised!). These data sets were then given to the Cyentia Institute to analyze. We used this info to create our annual State of Exposure Management report.
The report is filled with fascinating nuggets of information that a data freak like myself just exults in. And believe me, there was a lot of cool data – but among those juicy bits, there was an underlying theme that kept rearing its (very ugly) head: teams are spending (way) too much time looking at the wrong issues. And this inability to discern what’s critical and what can wait is having a negative impact on the efficiency that’s so needed right now.
Let’s see how the above finding comes to light via some data points we collected:
- Organizations typically have 11,000 security exposures that could be exploited by an attacker (larger enterprises have over 20 times that number).
- However, 75% of exposures lead to dead ends – and those dead ends can’t reach critical assets, i.e., the assets that matter to the organization most.
- And to build on the previous point, only 2% of those exposures lie on choke points leading to critical assets.
Do you see where I’m going with this? Yeah? Okay, great, let’s keep breaking the above down a bit further. Of the average 11,000 exposures (or 220,000 for a large enterprise), only 220 (or 4,400) are actually of immediate concern. What’s more, research shows firms only have the resources to really address 10% of their exposures. So, of the 220 exposures of concern, only 22 can actually be addressed – meaning that only 22 vulnerabilities out of 11,000 (that’s 0.002%) could actually be fixed, and only if they were identified in the first place.
Spoiler alert: they’re not. The reason? Security teams keep heading into dead ends.
Thing is, the really fascinating story here is not the relative rarity of dangerous exposures in the organizational ecosystem. It’s how security teams can better identify and remediate them before they develop into attacks. It’s how security teams can learn to avoid wasting time pursuing dead ends.
Fewer Dead Ends = Smaller Haystack
The classic cybersecurity equation states that risk is essentially the product of Threat × Vulnerability × Impact.
We take a slightly broader view of the term ‘vulnerability’ – thinking rather in terms of exposures. We define an ‘exposure’ as any combination of a vulnerable resource and a credible threat technique along an attack path. This includes unpatched vulnerabilities, system misconfigurations, mismanaged credentials, inadequately protected resources, and many other security issues.
As far as ‘threats’ go, our research has shown an average of 39 unique techniques for each organization that attackers could leverage to compromise assets – that’s 39 threats.
In any case, coming back to the cybersecurity equation – ‘impact’ is the only factor we’ve not yet discussed. And identifying which exposures represent the most risk to critical assets (i.e. their impact) is arguably what exposure management is all about.
But what does impact have to do with it? Well, just about everything.
Every organization has critical information assets that, if compromised, would result in unacceptable operational and financial impacts. Some people call these the crown jewels, others call them critical assets – I don’t really care what you want to call them – you just need to make sure they are protected at all costs.
As I mentioned above, an average of 75% of exposures (90% in cloud-only environments) are found along attack paths that lead to “dead ends” which cannot impact critical assets and therefore represent minimal risk. These are isolated exposures that can’t be used by attackers to compromise the crown jewels, and thus, fixing them will not significantly reduce risk.
You can only rule out this 75% by examining impact. And you can only quantify impact by examining attack paths – something that not all organizations have yet chosen to do. But once you do factor in attack paths, wow! You can determine which necessary preconditions for exploiting paths to the crown jewels exist – and which don’t. Basically, you can end up shrinking the list of exposures your security teams need to pursue by (you guessed it) 75%!
By eliminating dead ends, we shrink the haystack – making it far, far easier to find the needle.
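To make the dead-end versus choke-point distinction concrete, here is an added example (my own illustration, not XM Cyber’s product code) that models exposures as edges of a small, constructed attack graph and sorts them the way the report describes: exposures that sit on no path from an entry point to a crown jewel are dead ends, and the live exposures whose single removal cuts every remaining path to a critical asset are the choke points. The node names, exposure IDs and graph layout are all hypothetical.

```python
from collections import deque

# Constructed, hypothetical attack graph: each edge is an exposure (unpatched
# vuln, misconfiguration, mismanaged credential) an attacker could use to move
# from one entity to the next. Format: node -> [(next_node, exposure_id)].
ATTACK_GRAPH = {
    "internet": [("web01", "E1-unpatched-web"), ("vpn", "E2-weak-vpn-creds")],
    "web01": [("app01", "E3-ssrf"), ("jump", "E4-reused-admin-pw")],
    "vpn": [("jump", "E5-lateral-rdp")],
    "app01": [("legacy", "E6-legacy-smb")],
    "jump": [("db01", "E7-cached-dba-token")],
    "legacy": [],
    "db01": [],
}
ENTRY_POINTS = {"internet"}
CRITICAL_ASSETS = {"db01"}  # the crown jewels


def reachable_from(graph, starts, skip=None):
    """Nodes reachable from `starts`; the exposure `skip`, if given, is treated as fixed."""
    seen, queue = set(starts), deque(starts)
    while queue:
        node = queue.popleft()
        for nxt, exposure in graph.get(node, []):
            if exposure != skip and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def reverse(graph):
    """Flip every edge so we can ask 'which nodes can reach a critical asset?'."""
    rev = {n: [] for n in graph}
    for src, edges in graph.items():
        for dst, exposure in edges:
            rev.setdefault(dst, []).append((src, exposure))
    return rev


def classify_exposures(graph, entry, critical):
    """Split exposures into (live, dead): live ones lie on a path from an entry
    point to a critical asset; everything else is a dead end (or unreachable)."""
    from_entry = reachable_from(graph, entry)
    to_critical = reachable_from(reverse(graph), critical)
    live, dead = set(), set()
    for src, edges in graph.items():
        for dst, exposure in edges:
            (live if src in from_entry and dst in to_critical else dead).add(exposure)
    return live, dead


def choke_points(graph, entry, critical):
    """Live exposures whose removal alone cuts every path to the crown jewels."""
    live, _ = classify_exposures(graph, entry, critical)
    return {e for e in live if not (reachable_from(graph, entry, skip=e) & critical)}
```

On this graph the SSRF and legacy-SMB exposures are dead ends, five exposures are live, and only the cached DBA token on the jump host is a choke point, which is where the first remediation hour should go.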
The Bottom Line
The key takeaway is this: out of the huge pool of exposures, only a small fraction truly warrants concern. The trick is to stop focusing time and effort on the wrong ones and instead, find and focus on these. To make this happen, it’s crucial to shift to monitoring exposures and understanding their impact.
Once we eliminate the dead ends, teams can stop packing their precious working hours into the great big garbage can where productivity goes to die. (Annnd as a huge mega-bonus, the IT and other non-security teams will come to trust the security team more as a result of doing work that’s actually impactful in a way that can be quantified – but more on that in a different post.) Focusing on what matters will help teams do more with what they already have and eventually, reach that goal of becoming efficient exposure-reduction machines.