The Enterprise Strategy Group (ESG) and CyCognito recently released illuminating cybersecurity practices research based on a survey of 200 cybersecurity and IT professionals in enterprises with 4,000+ employees across multiple industries. One startling finding is that while 98% of these professionals identified attack surface monitoring among their top 10 security priorities, 45% of them don’t include SaaS applications, public cloud workloads and connected third-parties in their definition of “attack surface.”
That means that organizations are essentially ignoring significant parts of their extended IT ecosystem, even though attackers will not. In fact, attackers are likely to target exactly those portions that organizations neglect. Organizations also reported that they each have an average of 100,000 externally exposed assets. Imagine the additional number of assets that must exist in their extended IT ecosystem that they aren’t even considering.
How do the expanded boundaries of today’s enterprise attack surface get missed by so many educated and dedicated security and IT professionals charged with protecting it? One reason is that legacy security tools don’t cover these unwatched regions of the attack surface. Instead of providing visibility and protection across the entire attack surface, legacy tools only see where they are configured to look and thus miss the unknowns. The result is that they contribute to “security theater” and a false sense of confidence, at great cost.