2022 The State of Cyber Assets Report Reveals Security Vulnerabilities
Research Finds 97 Percent of Security Findings Tied To Cloud Assets, Expanding Attack Surface Threats Puts Organizations At Risk
MORRISVILLE, N.C., March 22, 2022 /PRNewswire/ -- The 2022 State of Cyber Assets Report (2022 SCAR) conducted by JupiterOne, the industry's leading cyber asset attack surface management (CAASM) platform provider, analyzed more than 370 million assets at nearly 1,300 organizations. It reveals the current state of enterprise cyber assets - cloud workloads, devices, networks, apps, data, and users.
The top findings include:
The Expanding Attack Surface Puts Organizations At Risk
The enterprise technology ecosystem is being rapidly reshaped by API-first, cloud-first, and digital transformation initiatives, but they come at a high cost to security. As more assets are deployed into enterprise production environments, companies face an increased risk of a cyber attack that starts by exploiting unknown, unmanaged, or poorly managed internet-facing assets. The modern attack surface has grown too large and complex for security professionals to manage using traditional, manual approaches to the asset lifecycle.
Security Teams Have Too Many Assets to Secure
Security teams are fatigued and understaffed. Teams have an unprecedented number of assets to inventory, manage, and secure across a cloud-based organization. The report found that, on average, modern security teams are responsible for more than 165,000 cyber assets, including cloud workloads, devices, network assets, applications, data assets, and users. With cybersecurity talent in short supply, organizations need to help their existing teams become more efficient.
Cloud is Huge and is Here to Stay
Cloud deployments are taking over as the de facto deployment model in companies of all shapes and sizes, leading to 97 percent of security findings coming from cloud assets. Nearly 90 percent of device assets in the modern organization are cloud-based, meaning physical devices such as laptops, tablets, smartphones, routers, and IoT hardware represent less than 10 percent of total devices. Cloud network assets outnumber physical networks by a ratio of nearly 60:1, yet analysis of nearly 10 million security policies found that cloud-specific ones represent less than 30 percent of the total.
Understanding Asset Relationships Provides An Opportunity For Improvement
Most security teams pay little attention to the indirect relationships between users, devices, networks, and critical data. Just 8 percent of queries asked the JupiterOne platform to consider second-degree or third-degree relationships between assets. Data, including critical data and sensitive information , is among the most-related types of assets, with 105 million first-degree relationships (i.e. direct access from) to users, apps, devices, and workloads. The analysis also uncovered nearly 45 million relationships between security findings, indicating that many security backlogs contain findings identified as critical vulnerabilities or policy exceptions.
This leads to the average security team being blind to some security risks, and many are under-resourced or under-skilled to fully understand the risk of potential compromises. Organizations need to invest in cloud-native security tools that allow for automation and data-driven decision-making, helping security teams gain true visibility of their cyber asset landscape and asset relationships.
Additional 2022 SCAR Findings
About the 2022 State of Cyber Assets Report
The SCAR report analyzes cyber asset inventories and user queries derived from users of the JupiterOne Cyber Asset Attack Surface Management (CAASM) platform over one week from Sept. 28 to Oct. 5, 2021. The total data set included more than 372 million security findings from 1,272 organizations, including enterprises, mid-market organizations, and small businesses.
The complete 2022 State of Cyber Assets Report, Executive Summary, and Infographic are available on the SCAR resource page.
The SCAR team invites its readership to provide feedback on the findings and analysis within this year's report. Any organization wishing to do so or become a SCAR contributor should contact [email protected] for further information.
Jasmine Henry, Field Security Director at JupiterOne and Lead Author of 2022 The State of Cyber Assets Report
"Shifts towards cloud-native development, microservices, and scale-out architecture have profoundly impacted security teams, who are overworked, understaffed, underskilled, and navigate an average backlog of over 120,000 security findings. Enterprise asset inventories have changed significantly, and for the first time in history, assets are not necessarily deployed by humans. The landscape demands new, automated approaches to attack surface management."
"The major cybersecurity headlines last year included some terrifying software supply chain vulnerabilities from enterprise sources like SolarWinds and open-source software like Log4j. In fact, software supply chain security became nearly unmanageable for security teams in 2021, and the state of cyber assets in 2022 shows why."
Sounil Yu, CISO and Head of Research at JupiterOne
"During the pandemic, businesses turned to cloud technologies to support the surge in remote work and maintain some semblance of normalcy in business operations. Unfortunately, the rapid digital transformation also resulted in new entry points for cyber attacks by malicious threat actors. This research shines a light on the sheer volume of cyber assets in today's landscape and serves as a warning to business leaders and security professionals to take better stock of their assets so that they can understand the risk implications from their expanded attack surface."
JupiterOne is a cyber asset attack surface management (CAASM) platform company, providing visibility and security into your entire cyber asset universe. Using graphs and relationships, JupiterOne provides a contextual knowledge base for an organization's cyber asset operations. With JupiterOne, teams can discover, monitor, understand, and act on changes in their digital environments. Cloud resources, ephemeral devices, identities, access rights, code, pull requests, and much more are collected, graphed, and monitored automatically by JupiterOne.
For Media Inquiries:
Nathaniel Hawthorne for JupiterOne
View original content to download multimedia:https://www.prnewswire.com/news-releases/2022-the-state-of-cyber-assets-report-reveals-security-vulnerabilities-301506421.html