A new report from XM Cyber finds, among other insights, that there is a dramatic gap between the security priorities of most organizations and where the most serious threats actually exist.
The new report, “Exploring Risk Pathways: The State of Exposure Management in 2024,” is based on hundreds of thousands of attack path assessments conducted by the XM Cyber platform in 2023. Anonymized data on these exposures was then provided to the Cyentia Institute for independent analysis. To read the full report, view it here.
Download the report to discover:
- Key findings on the types of exposure that put organizations at greatest risk of breaches.
- The state of attack paths between on-premises networks and cloud environments.
- Top attack techniques emerging in 2023.
- How to focus on what matters most and fix high-impact risks to critical assets.
These findings challenge the continued overemphasis on fixing CVEs in cybersecurity programs. In fact, XM Cyber found that CVE-based vulnerabilities account for less than 1% of the average organization’s on-premises exposures. Even when only high-impact exposures that endanger critical business assets are counted, these CVEs still represent a small portion (11%) of the exposure risk profile.
Where, then, are the biggest risks? Let’s dig deeper into the results:
CVEs are not necessarily exposures
When analyzing on-premises infrastructure, the XM Cyber report unsurprisingly found that in the vast majority of organizations (86%), remote code execution vulnerabilities accounted for less than 1% of all exposures and only 11% of critical exposures.
The research found that identity and credential misconfigurations account for up to 80% of the exposures in organizations, with one-third of them putting critical assets at direct risk, making this a huge attack vector that adversaries actively exploit.
The report therefore makes it clear that while patching vulnerabilities is important, it is not enough. Compared to CVEs, more common techniques, such as poisoning shared folders with malicious content and reusing common local credentials across multiple devices, exposed a greater share of critical assets (24%).
Security planning therefore needs to go far beyond patching CVEs. Good cyber hygiene and a focus on mitigating risks such as choke points and weak credential management are crucial.
Don’t get stuck in dead ends; look for high-impact choke points
Traditional security attempts to fix every vulnerability, but XM Cyber’s report shows that 74% of exposures are actually dead ends for attackers, offering them minimal opportunity for forward or lateral movement. This makes these vulnerabilities, exposures, and misconfigurations less critical to your remediation efforts, giving you more time to focus on the issues that pose proven threats to critical assets.
The remaining 26% of exposures identified in the report would allow adversaries to advance toward critical assets. XM Cyber’s Attack Graph Analysis™ identifies the critical intersections where multiple attack paths against critical assets converge: “choke points.” The report emphasizes that only 2% of exposures sit on choke points, giving security teams a much smaller subset of high-impact risks on which to focus remediation efforts. These choke points are highlighted in yellow and red in the image below. They are particularly dangerous because compromising just one can expose a large portion of an organization’s critical assets. In fact, the report found that 20% of choke points expose 10% or more of critical assets. Identifying attack paths and targeting high-risk choke points therefore yields greater benefits for defenders, mitigating risk more effectively. To learn more about choke points, check out this article.
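The dead-end versus choke-point distinction above is a graph property, and a defender can compute it over their own attack-path data. The following is an added example, not XM Cyber’s platform or its Attack Graph Analysis™ algorithm: it builds a small constructed attack graph (hypothetical node names, edges meaning “compromising A lets an attacker move to B”), marks exposures that reach no critical asset as dead ends, and ranks the rest by how many critical assets they expose and how many entry points converge on them.

```python
from collections import deque

# Constructed toy attack graph (hypothetical names, not report data).
# An edge A -> B means compromising A gives the attacker a step to B.
EDGES = {
    "vuln-webapp": ["share-poison"],
    "share-poison": ["local-cred-reuse"],        # poisoned shared folder
    "local-cred-reuse": ["ad-misconfig", "file-server"],
    "ad-misconfig": ["domain-controller", "cloud-iam"],
    "phishing-host": ["local-cred-reuse"],
    "cve-old-printer": [],                       # CVE with nowhere to go
    "cve-dev-box": ["dev-box"],
    "dev-box": [],
    "file-server": [],
    "domain-controller": [],
    "cloud-iam": ["cloud-db"],
    "cloud-db": [],
}
CRITICAL = {"domain-controller", "cloud-db", "file-server"}
ENTRY = ["vuln-webapp", "phishing-host", "cve-old-printer", "cve-dev-box"]

def reachable(start):
    """Every node an attacker can reach after compromising `start` (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in EDGES.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def exposure_table():
    """Map each non-critical exposure to (entry points converging on it,
    critical assets it exposes). A node is 'on the path' of an entry point
    if it is that entry point or reachable from it."""
    rows = {}
    for node in EDGES:
        if node in CRITICAL:
            continue
        crit = len(reachable(node) & CRITICAL)
        entries = sum(1 for e in ENTRY if e == node or node in reachable(e))
        rows[node] = (entries, crit)
    return rows

def prioritize():
    """Return (dead ends, exposures ranked by critical reach, then convergence)."""
    rows = exposure_table()
    dead = sorted(n for n, (_, crit) in rows.items() if crit == 0)
    ranked = sorted((n for n in rows if rows[n][1] > 0),
                    key=lambda n: (-rows[n][1], -rows[n][0], n))
    return dead, ranked

if __name__ == "__main__":
    dead, ranked = prioritize()
    print("dead ends:", dead)
    print("fix first:", ranked[0], exposure_table()[ranked[0]])
```

On this graph the shared local credential is the choke point (two entry points converge on it and it exposes all three critical assets), while the two CVE exposures are dead ends that can wait.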
Finding and classifying exposures: focus on critical assets
Where are organizations exposed, and how can attackers exploit those exposures? Traditionally, the attack surface has been viewed as everything in an IT environment. However, the report shows that effective security requires knowing where valuable assets are and how they are exposed.
For example, the report analyzed the distribution of potential attack points (entities) across environments and found that not all of them are exposed (see figure below). A more meaningful metric is exposure of critical assets. Cloud environments hold the most critical-asset exposures, followed by Active Directory (AD) and IT/network devices.
It is worth dwelling on how heavily organizations are exposed through AD. Active Directory remains the cornerstone of organizational identity management, yet the report finds that 80% of all discovered exposures originate from Active Directory misconfigurations or flaws. Even more worrying, one-third of all critical-asset exposures can be traced to identity and credential issues in Active Directory.
What’s the point here? Security teams are often organized around entity categories. While this may be enough to manage the total number of entities, it can miss the bigger picture: critical exposures, while fewer in number, carry much higher risk and require dedicated attention. (To help you address AD security concerns, we recommend this handy AD Best Practices Security Checklist.)
Different needs of different industries
The report also analyzes how cybersecurity risk differs across industries. Industries with more entities (potential attack points) tend to have more exposures; healthcare, for example, carries five times as many as energy and utilities.
However, the key risk indicator is the proportion of exposures that threaten critical assets, and here the tables are turned. While their overall exposure counts are lower, transportation and energy have a much higher proportion of critical exposures. This means they have a greater concentration of critical assets that attackers may target.
The conclusion is that different industries require different approaches to security. Compared with energy, financial companies have more digital assets but fewer critical exposures. Understanding the attack surface of a specific industry and the threats it faces is critical to an effective cybersecurity strategy.
The bottom line
A final important finding is that exposure management cannot be a one-time or annual project. It is a process of constant change and continuous improvement. Today’s excessive focus on patching vulnerabilities (CVEs), however, can lead to neglect of more pervasive threats.
Today’s security ecosystem and threat landscape are not what they used to be, and it is time for a paradigm shift in cybersecurity. Rather than patching every vulnerability, organizations need to prioritize the high-impact exposures that give attackers opportunities for significant forward and lateral movement within compromised networks, focusing specifically on the 2% of exposures that sit on choke points. Fixing these critical weaknesses in your environment will have the most positive effect on your overall risk profile.
Now is the time to move beyond the checkbox mentality and focus on real-world attack vectors.
The State of Exposure Management report findings are based on data from the XM Cyber Continuous Exposure Management Platform, which is independently analyzed by the Cyentia Institute. Get your free report here.
Note: This article was professionally written by Dale Fairbrother, Senior Product Marketing Manager at XM Cyber.