Attack surface growth exceeds security team expansion at unmanageable pace

Last year, (ISC)2 found that security teams grew 6.2% year-over-year (YOY) in North America, 11.1% worldwide. Despite this momentum, nearly 70% of the (ISC)2 respondents felt their organization did not have enough cybersecurity staff to be effective. (ISC)2 predicts that an additional 3.4 million cybersecurity workers are needed to effectively secure assets. This workforce gap in cybersecurity is exacerbated by the growth of the attack surface evident in the 2023 State of Cyber Assets Report (SCAR).

According to the SCAR, the average security organization has experienced a 132.86% increase in cyber assets YOY and a 588.98% increase in security findings YOY.

Compared against any reasonable metric for security team growth on the market, it’s easy to see that both the volume of cyber assets and the velocity of security findings are far outpacing the resources responsible for enterprise security. Understanding the composition of these cyber assets may help provide the key to this long-standing conundrum.

The most vulnerable asset superclasses

The cyber assets analyzed in the SCAR are categorized into five superclasses:

  • DEVICES
  • NETWORKS
  • APPLICATIONS
  • DATA
  • USERS

Out of these superclasses, DATA is the most vulnerable, accounting for 59.51% of security findings. 

The DATA superclass encompasses data-at-rest, data-in-motion, and data-in-use. This includes databases, S3 buckets, storage blobs, and files. The DATA superclass also includes logs, records of changes, tasks, notification channels, and secrets (encryption keys, key pairs, vaults, etc.). Images, records, and containers account for 87% of the 46.62 million findings in the DATA superclass. 

The second-most vulnerable asset superclass was DEVICES, accounting for 36.84% of security findings.

Cloud hosts make up 57.2% of the DEVICES superclass, but this superclass also consists of workstations, servers, phones, tablets, containers, peripherals, storage devices, network devices, web cameras, infrastructure, and more. It also includes operating systems, firmware, and any other software native to a device. Even though DEVICES accounted for roughly a third of the security findings overall, they represent 96.1% of critical security findings.

Cloud sprawl challenges security teams to figure out scalability

The average security team at large organizations (500+ employees) manages 225 AWS accounts, GCP projects, and Azure subscriptions. Mid-sized organizations (50-499 employees) are responsible for securing an average of 559 accounts, projects, and subscriptions across cloud service providers. Account sprawl is a real challenge, and teams struggle to assess their state of security at scale.

The creation and use of these cloud resources are often spread across business units, purpose (develop, test, production, archive), or customers. So how do teams secure the sprawling number of cloud resources that are spun up to support company innovation?

Visibility is often the first solution that people jump to: see more, uncover more, keep chipping away at the unknowns to identify known risks. Unfortunately, increased visibility is not scalable.

Increased visibility typically leads to a flood of data. However, without a means to make sense of the data, it ends up in a pool, unused and meaningless. While visibility has its place, there are better solutions available.

Context, not visibility alone, can drive decision making

Assets in isolation don’t tell the complete story – it’s how they interoperate and work together that provides value.

Threat actors have long recognized the importance of relationships. The relationship between an over-privileged user and sensitive assets is how and why social engineering and account takeover are highly successful tactics for threat actors. 

Organizations likely have the information they need, but it's simply residing in siloed, unrelated systems. The dawn of big data gave way to correlating information about consumer behavior and driving more business. Now is the time for security to correlate security and infrastructure information to make data-driven decisions to effectively defend their organizations.

Ashleigh Lee

As Senior Product Marketing Manager at JupiterOne, I love getting to the heart of what problems our customers are solving and how that ties in with the cybersecurity mission at their organizations. With over a decade of experience in B2B tech marketing, and the last 7 years in cybersecurity, I have honed my digital Swiss Army knife background into sharing customer stories that resonate and drive action.
