Organizations Can Eliminate Nearly All Attack Paths to Critical Assets by Remediating Just Two Percent of Exposures That Lie on Choke Points
XM Cyber, the leader in hybrid cloud security, today released the findings of its second annual research report, Navigating the Paths of Risk: The State of Exposure Management. Produced in collaboration with the Cyentia Institute, the report found that 75 percent of security exposures do not put organizations’ critical assets at risk. However, while most of these exposures are not particularly relevant to an organization, there are a minimal amount of exposures that put more than 90 percent of their critical assets at risk.
With advanced tooling, modern security teams are faced with an overwhelming volume of exposures to validate and analyze, despite the fact that most exposures uncovered do not lead to critical assets. XM Cyber’s latest research, which analyzed more than 60 million exposures in over 10 million entities, both on-premise and in the cloud, revealed that the average organization has 11,000 exploitable security exposures in a given month with up to 250,000 exposures in larger enterprises. This highlights the need for more efficient exposure remediation in order to remain ahead of the attack curve.
Lack of efficiency exists with remediating exposures
XM Cyber research uncovered that 75 percent of exposures along attack paths lead to “dead ends” which cannot impact critical assets and therefore represent minimal risk. Only two percent of security exposures are actually located on “choke points” – entities through which multiple attack paths converge enroute to critical assets. By focusing efforts on remediating exposures on these choke points, organizations can maximize risk reduction while minimizing remediation workload amongst security and IT teams.
“Security teams are inundated with increasing volumes of alerts and attackers are actively exploiting this,” said Zur Ulianitzky, Vice President, Research at XM Cyber. “As illustrated by our research, the vast majority of security alerts are benign and do not lead to critical assets. Threat actors are not working any harder than they have to, and most find success with attack paths which are simple, short and lead straight to fruitful returns. By diligently focusing remediation efforts on first and foremost eliminating the 2 percent of exposures which provide attackers with seamless access to critical assets, organizations can significantly reduce their risk without adding any additional strain to security teams.”
Attackers easily pivot from on-prem to cloud networks
The report also conveys the importance of having strong security controls for both cloud and on-premise environments. 71 percent of organizations have exposures in their on-prem networks that put their critical assets in the cloud at risk.
“Organizations face tough challenges in managing their diverse on-prem and cloud environments, often failing to consider the bigger picture and only focusing on each piece in isolation,” continued Ulianitzky. “Once attackers infiltrate cloud environments, it’s easy for them to compromise assets. Cloud security is not yet mature and many security teams don’t fully understand what security issues they need to look for. Challenges also surface from how cloud identities and permissions are (mis)managed. Moving forward, organizations must rethink their approach to security to ensure the protection of all of our identities, systems, and interdependencies among them holistically.”
Credentials and misconfigurations are highest risk exposures
The research also reveals that attack techniques targeting credentials and permissions affect 82 percent of organizations. Many continue to overlook attack paths that leverage credentials and permissions however these results make it clear that attackers prey upon trusted administrative services and identities to execute attacks.
“As we analyzed data and reflected on the findings for this report, my mind kept coming back to one concept: the cost of attack. Through attack path analysis, we see what the attacker sees and identify their least costly (quickest, easiest) routes to whatever it is they value. If we operationalize that knowledge, I have hope that we can finally shift the cost of attack in our favor,” Wade Baker, PhD, Partner at Cyentia Institute.
The second annual report presents key insights drawn from tens of thousands of attack path assessments conducted through XM Cyber’s exposure management platform during 2022. To download the full report, please visit https://info.xmcyber.com/2023-state-of-exposure-management.
XM Cyber will also be showcasing at RSA Conference 2023 in booth #1755, located in the South Hall Expo. The company will be running theater presentations on how organizations can resolve the remediation deficit that exists between the identification of exposures and a team’s ability to address them.