Organizations mostly monitor what they already know about, leaving unknown assets unprotected and open to attackers
The new report, Gaps in Attack Surface Monitoring and Security Testing for Cyber-risk Mitigation, was based on a survey of 200 cybersecurity and IT professionals who are directly involved with their organization’s cybersecurity strategies, controls, and operations. Respondents came from companies with at least 4,000 employees in industries like technology, manufacturing, financial services, and healthcare, among others. According to 98 percent of survey respondents, attack surface monitoring is a “Top 10” security priority at organizations. But that positive perspective belies what is actually being done. A deeper analysis of survey responses reveals significant gaps across attack surface monitoring coverage and cadence.
“Why is attack surface monitoring so critical? To paraphrase an old business adage, ‘You can’t manage what you can’t measure,’” said Jon Oltsik, ESG senior principal analyst and fellow. “By discovering and monitoring these assets, security professionals can then find the ‘path of least resistance’ that hackers may use as a doorway to penetrate corporate networks and commence a cyber-attack. Armed with this intelligence, security teams can close the gaps, fine-tune security controls, and develop countermeasures.”
Other key findings from the report include:
- Attack surface monitoring typically covers only the known attack surface. As a result, attack surface visibility is limited. Many organizations never learn about numerous attack surface assets, exposing them to unknown and likely easily fixable cyber-risks.
- Security testing remains separate, and periodic. Rather than tight integration between attack surface monitoring and security testing, many organizations keep these activities stovepiped and continue to conduct security testing — such as penetration tests — only on a periodic basis. While penetration tests are valuable, they are limited in scope due to costs and rarely identify out-of-scope attack surfaces, leaving organizations open to cyber-attack.
- Organizations must create a continuous closed-loop process between attack surface monitoring and security testing. The attack surface grows and changes all the time, opening new conduits for attackers to penetrate organizations as well as leaving business systems exposed. To get ahead of this, CISOs must create a closed loop that starts with attack surface monitoring, proceeds immediately to security testing and risk prioritization, and concludes with the right remediation actions like controls adjustments or new security investments.
“It’s great to see the validation that monitoring all aspects of an organization’s attack surface and testing for critical weaknesses has become a point of emphasis across all industries, but the data in this report shows there is still much work to be done,” said Rob Gurzeev, CEO and co-founder, CyCognito. “Because so many organizations are using inefficient and costly legacy processes to manually monitor and test their attack surfaces, they’re not able to discover the paths of least resistance that attackers are likely to target first.”
- 68 percent of organizations have experienced an attack originating from an unknown, unmanaged, or poorly managed company asset. Even more (75 percent) expect they will experience this type of attack in the future.
- Security testing must be done frequently across all vulnerable attack surface assets to maximize benefits. 98 percent say testing is a Top 10 security issue, yet only 43 percent claim they perform penetration testing continuously, and only 9 percent claim to test 100 percent of their attack surface.
- Nearly half of organizations do not include SaaS applications and public cloud workloads in their definition of “attack surface.” Similarly, less than half consider partners and affiliates as extensions of their “attack surface.” Organizations need scalable methods to continuously discover unknown and unmanaged assets, including those in cloud, vendor, partner, and subsidiary environments.
To download the complete report, visit: https://www.cycognito.com/research-report-learn-how-security-testing-and-attack-surface-monitoring-work-together
To gather data for this report, ESG conducted a comprehensive survey of IT and security professionals with purchase process responsibility for security technologies in use at their organization, as well as their organizations’ future security strategies. Respondents were based in North America (US and Canada) and employed at large enterprises with 4,000 or more employees. The survey was fielded between July 15, 2020 and July 29, 2020.
CyCognito solves one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk and how you can eliminate the exposure. Founded by national intelligence agency veterans, CyCognito has a deep understanding of how attackers exploit blind spots and a path of least resistance. The Palo Alto-based company is funded by leading Silicon Valley venture capitalists, and its mission is to help organizations protect themselves from even the most sophisticated attackers. It does this with a category-defining, transformative platform that automates offensive cybersecurity operations to provide reconnaissance capabilities superior to those of attackers.
Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community. Learn more at www.esg-global.com.