90% of Critical Assets Jeopardised by Just a Few Flaws, Says XM Cyber Study


Organisations Can Eliminate Nearly All Attack Paths to Critical Assets by Remediating Just Two Percent of Exposures That Lie on Choke Points

XM Cyber, the provider of hybrid cloud security, released the findings of its second annual research report, Navigating the Paths of Risk: The State of Exposure Management. Produced in collaboration with the Cyentia Institute, the report found that 75% of security exposures do not risk organisations’ critical assets. However, while most of these exposures are not particularly relevant to an organisation, a minimal amount of exposures puts more than 90% of their critical assets at risk.

With advanced tooling, modern security teams face an overwhelming volume of exposures to validate and analyse, despite the fact that most uncovered exposures do not lead to critical assets. XM Cyber’s latest research, which analysed more than 60 million exposures in over 10 million entities, both on-premise and in the cloud, revealed that the average organisation has 11,000 exploitable security exposures in a given month, with up to 250,000 exposures in larger enterprises. This highlights the need for more efficient exposure remediation in order to remain ahead of the attack curve.

Lack of efficiency exists with remediating exposures

XM Cyber research uncovered that 75% of exposures along attack paths lead to “dead ends”, which cannot impact critical assets and therefore represent minimal risk. Only two per cent of security exposures are actually located on “choke points” – entities through which multiple attack paths converge en route to critical assets. By focusing efforts on remediating exposures at these choke points, organisations can maximise risk reduction while minimising remediation workload amongst security and IT teams.

“Security teams are inundated with increasing volumes of alerts and attackers are actively exploiting this,” said Zur Ulianitzky, Vice President, Research at XM Cyber. “As illustrated by our research, the vast majority of security alerts are benign and do not lead to critical assets. Threat actors are not working any harder than they have to, and most find success with attack paths which are simple, short and lead straight to fruitful returns. By diligently focusing remediation efforts on, first and foremost, eliminating the two per cent of exposures which provide attackers with seamless access to critical assets, organisations can significantly reduce their risk without adding any additional strain to security teams.”

Attackers easily pivot from on-prem to cloud networks

The report also conveys the importance of strong security controls for cloud and on-premise environments. Seventy-one per cent of organisations have exposures in their on-prem networks that put their critical assets in the cloud at risk.

“Organisations face tough challenges in managing their diverse on-prem and cloud environments, often failing to consider the bigger picture and only focusing on each piece in isolation,” continued Ulianitzky. “Once attackers infiltrate cloud environments, it’s easy for them to compromise assets. Cloud security is not yet mature, and many security teams don’t fully understand the security issues they must look for. Challenges also surface from how cloud identities and permissions are (mis)managed. Moving forward, organisations must rethink their approach to security to ensure the protection of all of our identities, systems, and interdependencies among them holistically.”

Credentials and misconfigurations are the highest-risk exposures

The research also reveals that attack techniques targeting credentials and permissions affect 82 per cent of organisations. Many continue to overlook attack paths that leverage credentials and permissions however, these results make it clear that attackers prey upon trusted administrative services and identities to execute attacks.

“As we analysed data and reflected on the findings for this report, my mind kept coming back to one concept: the cost of attack. Through attack path analysis, we see what the attacker sees and identify their least costly (quickest, easiest) routes to whatever they value. If we operationalise that knowledge, I have hope that we can finally shift the cost of attack in our favour,” Wade Baker, PhD, Partner at Cyentia Institute.