As members of the cybersecurity industry, it’s imperative to keep a pulse on industry trends and innovations – whether that be through podcasts, publications, a packed news feed, or industry reports such as our 2023 State of Cyber Assets Report (SCAR). But, they can be difficult to digest and internalize.
To help our SCAR readers make the most of the report, head researcher Jasmine Henry and JupiterOne Security Automation Architect Kenneth Kaye discussed the report recently in a webinar that we encourage everyone to check out, if you haven’t already.
Let’s take a look at some of the key facts and considerations discussed during the webinar.
First things first, a little housekeeping
The SCAR is a complex report. So, before we get started, let’s establish some baseline terminology.
The asset superclasses discussed in the report are centered around Sounil Yu’s Cyber Defense Matrix, a framework designed to organize the cybersecurity landscape. It’s composed of five asset superclasses:
- Devices: Devices are workstations, servers, phones, tablets, containers, hosts, peripherals, storage devices, network devices, web cameras, infrastructure, and more. This superclass also includes operating systems, firmware, and any other software native to a device.
- Networks: Networks are communications channels, connections, and protocols that enable traffic to flow among devices and applications, including both physical and virtual networking systems such as cloud firewalls. This superclass also includes Domain Name Systems (DNS), Border Gateway Protocol (BGP), Virtual Private Clouds (VPCs), Virtual Private Networks (VPNs), Content Delivery Networks (CDNs), and certificates.
- Applications: Applications are software code and applications on the devices, separate from the operating system/firmware. This class includes serverless functions, APIs, and microservices.
- Data: Data includes data-at-rest, data-in-motion, and data-in-use. This superclass includes databases, S3 buckets, storage blobs, files, logs, records of changes, tasks, and notification channels. Secrets are also grouped here, including encryption keys, key pairs, and vaults.
- Users: Users are people who use the resources in other asset superclasses, and the identities associated with these users. Users also include groupings of users, including teams, organizations, and sites.
These asset classes all carry asset attributes that provide context: how each asset is managed and changed over time with respect to security improvements, and the relationships and exposure levels between assets.
- Findings: The findings category consists of alerts and results, incident data, monitoring trails, threat intel, and vulnerabilities from both human and non-human sources. Findings are part of the complex graph of relationships and dependencies in security organizations, but they’re not an asset. Many findings are liabilities, particularly if they are related to a critical asset.
- Policy: Policy falls outside the classification of traditional assets and should be considered an attribute of cyber assets in the sense they act as guardrails to protect assets. IAM policies, control policies, configurations, requirements, and rulesets all fall within our classification model for policy. Human-generated policy and procedure documents are here, too, though they’re a negligible percentage compared to other forms of policy.
Now that we got that out of the way, let’s dig in.
Why we’re investigating the state of cyber assets
The reality is that modern enterprises are shifting the way they do business – but security teams aren’t able to evolve with it. In fact, they’re asked to secure the exponentially growing attack surface with the same headcount, resources, time, and a widening skills gap. Plus, it’s often difficult to communicate, quantify, and track risk.
The goal of the SCAR is to understand the cyber assets, liabilities, and relationships that make up the attack surface in modern enterprises. We analyzed 291.7 million cyber assets and findings across organizations of all sizes to see how security teams are discovering cyber assets, evaluating their asset relationships, and securing their attack surfaces.
Speedy innovation requires speedy security
The modern attack surface is an intricate tangle of relationships between cyber assets, the data they harbor, the findings and alerts they create, the networks they live on, the policies that secure them, and the applications and devices they operate from. Last year, the SCAR found that the average security team was responsible for 120.6k cyber assets. This year, the number is 393.4k, and the volume of security findings has almost doubled alongside it.
The rise of shift left and CI/CD frameworks signals that security teams are being asked to secure more with the same or fewer resources year over year. Further, the onset of COVID served as an inflection point in how services were built out: from contactless payments to telehealth to remote work, we saw a significant acceleration in the innovation cycle that security teams must keep up with. Suddenly, the 6-18 month build of a new product or service was executed practically overnight. Now that this pace has been established, there’s very little room for slowing down.
Because the average security team is about 0.5% of headcount, this pace keeps them fatigued, understaffed, and left with an ever-increasing backlog of issues to resolve. The reality is that these backlog items never go away – they just get deprioritized and potentially forgotten.
As security teams face the impossibility of resolving a backlog of hundreds of thousands or millions of unresolved findings, the industry reaches a tipping point: assign more resources to security headcount and unify cyber insights, or accept the consequences of a floundering security team.
Ultimately, we hope that the SCAR research provides under-resourced security teams with data to share in boardrooms, and hopefully, secure bigger budgets and hiring approvals.
Piecing your cloud environments together
Businesses are flocking to the cloud for cost savings, agility, ease, competitive advantage, and more. But, securing cloud assets and data is significantly more complex than securing a mainly on-premises organization.
Prior to cloud migrations, organizations used to struggle to manage a single data center. Now, device assets, especially cloud hosts, are responsible for 96% of the findings in that ever-growing backlog we talked about. Today’s cloud service provider (CSP) attack surfaces are highly distributed across hundreds or thousands of accounts, each resembling a mini data center in its complexity and the data it holds. And CSPs are differentiating themselves by developing microservices and tools at an explosive rate. While misconfigurations remain a top issue for CIOs, how can we expect our security teams to expertly configure, at scale, tools that didn’t exist a few years ago?
Context and culture matter
In today’s world, cyber attacks are inevitable. Supporting your security team by creating a security-first culture can help alleviate the looming burden of backlogs and threats. Despite the increase in automation, the widening security skills gap and continuous vendor innovation create a greater chance of misconfigurations and unintentional security lapses. And while traditional tools like CSPMs and SIEMs can provide visibility, on their own they’re no longer enough.
Cyber asset context helps you understand the web of applications, users, devices, data, code repos, and other cyber assets that live in your environment, which is the first step to securing your attack surface at scale. The goal of the 2023 SCAR, this webinar, and other related research is to shine a light on the challenges of securing the cloud and arm you with the information you need to achieve your goals and implement positive change at your organization.