In our latest report, The State of Offensive Security 2022, we provide insight into what we discovered about how well organizations have adopted the offensive approach to security. We surveyed 400 decision makers in IT and security last year, and found:
- Security hygiene is harder than it should be
- Attack surfaces are growing, leading to more frustrations
- Asset inventories are incomplete, creating breach risk
- Vulnerability management processes can’t scale
- Security testing needs to be continuous to truly be effective
The problem? Organizations have built strong fortresses, but have few ways to prove they’re defending the right things or that their defenses work as intended. For the last 20 years, we’ve spent billions of dollars on tools to improve detection, make it easier to remediate incidents, and more efficiently stem the rising flood of vulnerabilities. Unfortunately, it hasn’t been enough. The average cost of a breach has risen to $4.24 million according to IBM, even as Gartner predicts that enterprises will spend $172 billion on security in 2022.
At Randori, we believe solving this challenge requires organizations to adopt more proactive approaches to offensive security and that starts by adopting an attacker’s perspective.
Security Hygiene Is Harder Than It Should Be
This proactive approach to security starts with a solid foundation in the form of security hygiene. If you attempt to deploy an offensive strategy when, for example, there are massive blind spots in your organization, then the strategy will ultimately fail. That’s what security hygiene is at its core: the foundation that allows enterprises to deploy a proactive, offensive approach to securing their infrastructure.
During our research for the State of Offensive Security report, we found a few key barriers that enterprises face with their security hygiene. These include:
- 70% of organizations have more than 10 security tools to manage security hygiene and posture management
- 31% acknowledge that hygiene-related tasks have become more complex in the last two years
- 39% of organizations only have partial success at discovering gaps in coverage, data sources, and controls
A Growing Attack Surface Adds More Frustrations
The attack surface of the average organization is the sum of all software assets, regardless of whether they are exposed to the internet or not. Effective management of your attack surface is about minimizing the risk of exposure for any one of these cyber assets. When done properly, this means that attackers have as few ways as possible to infiltrate your systems and achieve their goals.
Enterprises overall struggle to fully understand their attack surface. This is partly due to shadow IT, the unmanaged or unknown assets that create the biggest risk, but also because the attack surface continues to grow.
Offensive security requires getting the attack surface under management, but there are a number of reasons why enterprises have struggled to accomplish this goal, including:
- The average attack surface has 55,000 assets
- Traditional asset management tools by some estimates miss 30% of internet-exposed assets
- 67% of organizations have experienced an increase in their attack surface
Asset Inventories Are Incomplete, Driving Up Breach Risk
The first step in understanding your cyber risk is to create an accurate catalog of every cyber asset attached to your organization. The problem is that, between the rise of shadow IT and the sheer scale of the task, most companies struggle to build an accurate asset inventory in the first place.
The average asset inventory takes 80 hours to build and it often isn’t even complete once finished. The rise of shadow IT – those unmanaged or unknown assets – means additional risk for enterprises. In fact, 7 out of 10 organizations have experienced breaches because of these unknown or unmanaged assets.
The decision-makers surveyed for the State of Offensive Security report also revealed that three quarters of organizations still use spreadsheets as part of their asset management. This likely ties back to the 10 or more security tools that organizations use to manage their attack surface: information has to be exported from multiple systems and then merged together by hand. We also discovered that organizations tend to find assets in unusual places when creating their inventories.
Vulnerability Management Teams Can’t Patch Everything
More than 20,000 vulnerabilities were reported in 2021, the highest year ever, with growth every single year since 2004. More than 4,000 of these carried a CVSS severity of critical, far outstripping the capacity of even mature vulnerability management teams to address them. Nor can each reported vulnerability be resolved immediately. Every CVE has to be judged against your asset inventory to determine whether it affects your systems at all; only then can a potential patch be tested and deployed. Doing this for more than 4,000 high-severity vulnerabilities per year is simply not possible with any sort of speed.
In fact, keeping up with the number of open vulnerabilities is the biggest challenge enterprises face. At 29% each, automating vulnerability discovery and prioritization and coordinating processes across different tools are the next biggest barriers facing vulnerability management (VM) teams.
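The two steps the report describes, merging asset exports from several tools into one inventory and then judging each CVE against that inventory, can be sketched in a few dozen lines. The script below is an added example written for this page; it is not Randori's code and does not come from the report. Every tool export, hostname and CVE record in it is constructed sample data (the CVE identifiers are placeholders of the form CVE-0000-000x), and the `affects` field stands in for the CPE matching a real feed would provide.

```python
"""
Added example, not from the Randori report: merge asset exports from several
tools into one inventory, then triage a CVE list against it.
All assets, tool exports and CVE records below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed exports from two hypothetical tools (a scanner and a CMDB).
# They overlap and use different column names, which is what spreadsheet-based
# merging has to reconcile by hand.
SCANNER_EXPORT = [
    {"host": "web-01.example.test", "product": "nginx", "version": "1.18.0", "internet_exposed": True},
    {"host": "web-01.example.test", "product": "openssl", "version": "1.1.1k", "internet_exposed": True},
    {"host": "db-01.example.test", "product": "postgresql", "version": "13.4", "internet_exposed": False},
]
CMDB_EXPORT = [
    {"hostname": "WEB-01.example.test", "software": "nginx", "ver": "1.18.0", "public": "yes"},
    {"hostname": "legacy-app.example.test", "software": "apache httpd", "ver": "2.4.49", "public": "yes"},
]

# (records, column names in the order host, product, version, exposed)
SOURCES = (
    (SCANNER_EXPORT, ("host", "product", "version", "internet_exposed")),
    (CMDB_EXPORT, ("hostname", "software", "ver", "public")),
)

# Constructed CVE records with placeholder identifiers. "affects" lists
# (product, vulnerable versions) pairs as a stand-in for real CPE data.
CVE_FEED = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "affects": [("apache httpd", {"2.4.49"})]},
    {"id": "CVE-0000-0002", "cvss": 7.5, "affects": [("openssl", {"1.1.1k", "1.1.1l"})]},
    {"id": "CVE-0000-0003", "cvss": 9.1, "affects": [("postgresql", {"13.4"})]},
    {"id": "CVE-0000-0004", "cvss": 9.9, "affects": [("nginx", {"1.20.0"})]},  # version not deployed
]


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_exposed: bool


def normalize(record, fields):
    """Map one tool's column names onto the common Asset shape."""
    host, product, version, exposed = (record[f] for f in fields)
    if isinstance(exposed, str):  # CMDB-style "yes"/"no" flags
        exposed = exposed.strip().lower() in {"yes", "true", "1"}
    return Asset(host.lower(), product.lower(), version, bool(exposed))


def merge_inventories(*sources):
    """Merge exports into one inventory de-duplicated on (host, product, version)."""
    merged = {}
    for records, fields in sources:
        for rec in records:
            asset = normalize(rec, fields)
            key = (asset.host, asset.product, asset.version)
            if key in merged:
                # If any source reports the asset as exposed, keep it exposed.
                merged[key] = Asset(*key, merged[key].internet_exposed or asset.internet_exposed)
            else:
                merged[key] = asset
    return list(merged.values())


def triage(cves, inventory):
    """Return (cve_id, cvss, asset) matches, highest priority first.

    Only CVEs whose affected product/version is actually in the inventory are
    returned; internet-exposed assets sort first, then by CVSS descending.
    """
    matches = []
    for cve in cves:
        for product, versions in cve["affects"]:
            for asset in inventory:
                if asset.product == product and asset.version in versions:
                    matches.append((cve["id"], cve["cvss"], asset))
    matches.sort(key=lambda m: (not m[2].internet_exposed, -m[1]))
    return matches


if __name__ == "__main__":
    inventory = merge_inventories(*SOURCES)
    for cve_id, cvss, asset in triage(CVE_FEED, inventory):
        exposure = "exposed" if asset.internet_exposed else "internal"
        print(f"{cve_id}  CVSS {cvss}  {asset.host}  {asset.product} {asset.version}  ({exposure})")
```

Of the four constructed CVEs, the one with the highest CVSS (9.9) is dropped entirely because the affected nginx version is not deployed, which is the "judge against your inventory" step; the remaining three are ordered with exposed assets ahead of the internal database, not purely by score. The merge also collapses the scanner and CMDB records for the same nginx instance into one asset despite the differing hostname case.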
Continuous Security Testing Is the New Imperative
An offensive strategy also needs a strong testing program; without one, there is no way to judge the strategy's effectiveness short of experiencing an actual attack. No enterprise wants to discover flaws in its security in the midst of an active cyberattack. By conducting a security test, you’re able to find the flaws, if any, in your protection strategy ahead of time.
The question is a matter of frequency. We found during our research that 44% of enterprises conduct security testing at least weekly, with 86% validating their security controls at least monthly. Unfortunately, this isn’t nearly often enough to truly ensure that your security controls are reducing your risk.
Security testing must be conducted on a continuous basis to ensure that you stay ahead of threat actors and your security controls are functioning properly.
Download the State of Offensive Security 2022 for more information on how organizations are adopting more proactive approaches to security testing and to get our recommendations for how you can adopt a more proactive, offensive security strategy.