Highlights:

  • The study also reveals that 82% of organizations are affected by attack methods that target credentials and permissions.
  • It was discovered that 71% of organizations’ on-premises networks had vulnerabilities that put the security of their crucial cloud assets at risk.

According to a recent report from cybersecurity company XM Cyber Inc., while 75% of security exposures do not put organizations at risk, a small number of exposures can endanger more than 90% of critical exposures.

These key findings were highlighted in Navigating the Paths of Risk: The State of Exposure Management, XM Cyber’s second annual research report. The report, created in partnership with the Cyentia Institute, discovered that modern security teams are confronted with an overwhelming volume of exposures to validate and analyze, even though only some uncovered exposures lead to critical assets.

The study examined more than 60 million exposures in over 10 million entities, both on-premises and in the cloud, and discovered that the average organization has 11,000 exploitable security exposures per month, rising to 250,000 for larger businesses. The statistics show that exposure remediation must be more effective to stay ahead of the attack wave.

It is a little surprising to learn that 75% of exposures along attack paths result in “dead ends”. Dead ends pose a low risk because they cannot and do not affect critical assets. Only 2% of security exposures were discovered to be situated near “choke points” (structures where several attack paths collide) on their way to important assets. The report makes the case that organizations can reduce risk to the lowest possible level by concentrating remediation on the exposures at these choke points, which also keeps the remediation work handed to security and IT teams as small as possible.
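The dead-end and choke-point distinction can be computed on an attack graph. The following is an added example, not code from the XM Cyber report or its tooling: the graph, host names, entry points and the working definition of a choke point (an intermediate node whose remediation cuts at least two entry points off from the critical assets) are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample graph: edge (a, b) = an exposure that lets an attacker on a reach b.
EDGES = [
    ("ws-1", "file-srv"), ("ws-2", "file-srv"), ("ws-3", "file-srv"),
    ("file-srv", "svc-account"), ("svc-account", "cloud-db"),
    ("ws-1", "printer"), ("ws-2", "kiosk"), ("kiosk", "printer"),
    ("ws-3", "test-vm"), ("ws-4", "test-vm"),
]
ENTRY_POINTS = {"ws-1", "ws-2", "ws-3", "ws-4"}  # assumed breach points
CRITICAL = {"cloud-db"}                           # assumed critical asset


def reachable(adj, starts, blocked=frozenset()):
    """Return every node reachable from starts without passing through blocked."""
    seen, stack = set(), [s for s in starts if s not in blocked]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(n for n in adj[node] if n not in blocked)
    return seen


def analyze(edges, entry_points, critical):
    fwd, rev = defaultdict(set), defaultdict(set)
    for a, b in edges:
        fwd[a].add(b)
        rev[b].add(a)
    # Walking edges backwards from the critical assets finds every node that leads to one.
    leads_to_critical = reachable(rev, critical)
    dead_ends = [e for e in edges if e[1] not in leads_to_critical]

    def exposed(blocked=frozenset()):
        return {e for e in entry_points if reachable(fwd, [e], blocked) & critical}

    baseline = exposed()
    # Assumed definition: a choke point is an intermediate node whose remediation
    # cuts at least two entry points off from every critical asset.
    choke_points = {}
    for node in leads_to_critical - critical - entry_points:
        cut = baseline - exposed(frozenset([node]))
        if len(cut) >= 2:
            choke_points[node] = len(cut)
    return dead_ends, baseline, choke_points


if __name__ == "__main__":
    dead, exposed_entries, chokes = analyze(EDGES, ENTRY_POINTS, CRITICAL)
    print(f"{len(dead)}/{len(EDGES)} exposures are dead ends; choke points: {chokes}")
```

In this constructed graph half of the exposures never lead to the critical asset, and remediating either of two nodes removes every path to it.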

Vice president of Research at XM Cyber, Zur Ulianitzky, said, “Security teams are inundated with increasing volumes of alerts and attackers are actively exploiting this. As illustrated by our research, the vast majority of security alerts are benign and do not lead to critical assets.”

Threat actors, according to Ulianitzky, are not working any harder than necessary, and the majority of them succeed with straightforward and concise attack paths. He said, “By diligently focusing remediation efforts on first and foremost eliminating the 2% of exposures which provide attackers with seamless access to critical assets, organizations can significantly reduce their risk without adding any additional strain to security teams.”

The need for strong security controls in both cloud and on-premises environments is another finding of the report. It was discovered that 71% of businesses had vulnerabilities in their on-premises networks that put the security of their crucial cloud assets at risk.

The study also shows that 82% of organizations are impacted by attack methods that target credentials and permissions. Attackers take advantage of trusted administrative services and identities to carry out attacks, but many organizations ignore attack paths that use credentials and permissions.

According to Mike Parkin, Senior Technical Engineer at the cyber risk management firm Vulcan Cyber Ltd., a few key conclusions can be drawn from the XM Cyber report. First, only a tiny percentage of exploitable vulnerabilities result in serious compromise.

He said, “Even when only a few of them could be considered significant, it doesn’t mean we can discount even those minor breaches. A threat actor in the environment can still do considerable damage, even if they don’t have immediate access. If they can gain persistence on a low-value target, they have a chance down the line to escalate when a better opportunity presents itself.”

According to Parkin, “the second significant finding reinforces something we, in the cybersecurity community, have been saying for a while, namely that misconfigurations and compromised credentials are still a major risk.”