Cymulate Provides Critical Insights on Global Cybersecurity

By Greg Tavarez April 10, 2023

Everyone can agree that cybersecurity is of vital importance for any organization. The combination of increasing threats, dependence on technology, high-profile incidents and regulatory pressures over the past few years has made cybersecurity a pressing issue that cannot be ignored.




To delve deeper into cybersecurity, provide critical insights into global cybersecurity effectiveness and reveal top attack tactics, techniques and procedures (or TTPs), Cymulate released its “2022 Cybersecurity Effectiveness Report.” The report analyzed 1.7 million hours of offensive cybersecurity testing within Cymulate's production environments.

The report found that many organizations test trending threats at the expense of ones they are more likely to experience. Sure, it's good for organizations to test against emergent threats seen in the news. However, it shouldn't take away from assessing other, less-mainstream threats that are more likely to be actively targeting the business. Businesses that used scheduled and full kill-chain testing demonstrated the broadest testing coverage and the most in-depth validation when they added advanced scenario testing to their programs.

Another key finding of the report is that known and cataloged industry-wide security issues remain unaddressed. Almost half of the top 10 CVEs identified most by Vulnerability Management platforms are older than two years. Well-known vulnerabilities in cybersecurity include unaddressed CVEs and poorly configured IAM and PAM. Organizations that use outdated infrastructure without support must rely on additional security measures to mitigate risks.

The report also found that more than nine in 10 of the top 10 exposures are related to domain and email security. This is important to watch because unmanaged externally visible infrastructure (or what some like to call ShadowIT) and delays in implementing newer standards are often difficult to detect with purely defensive analysis. Thinking like an attacker and safely simulating different attack techniques is critical in finding these systems and gaps.

“It’s understandable that organizations want to protect themselves against the major threats making headlines today,” said Carolyn Crandall, Chief Security Advocate for Cymulate. “But the findings of the report underscore the fact that many attackers aren’t using advanced new strategies — they’re continuing to find success using known tactics.”

So, what do organizations need to do to address these gaps? The answer is simple. Organizations need to shift their vulnerability management strategies. One strategy that has had a significant impact on cyber resiliency is Breach and Attack Simulation.

In the report, a comparison of the anonymized data from the first endpoint security assessment completed and the most recent assessments completed showed significant improvements in risk reduction when BAS testing was regularly performed. The improvements were seen consistently across customers of various industries and sizes.

For example, Windows Signature-Based anti-virus scanning, macOS anti-malware defenses and Linux anti-malware defenses all went from high risk to moderate risk. Sure, improvements can be made, but the trend of improved protection is promising.

The report's findings demonstrate that many organizations need to focus on testing against threats and exposures that are more likely to affect their business. They also need to pay greater attention to addressing known and cataloged industry-wide security issues.




Edited by Alex Passett