Last year, (ISC)2 found that security teams grew 6.2% year-over-year (YOY) in North America and 11.1% worldwide. Despite this momentum, nearly 70% of the (ISC)2 respondents felt their organization did not have enough cybersecurity staff to be effective. (ISC)2 predicts that an additional 3.4 million cybersecurity workers are needed to effectively secure assets. This workforce gap in cybersecurity is exacerbated by the growth in attack surface evident in the 2023 State of Cyber Assets Report (SCAR).
According to the SCAR, the average security organization has experienced a 132.86% increase in cyber assets YOY and a 588.98% increase in security findings YOY.
Compared against any reasonable metric for security team growth, it’s easy to see that both the volume of cyber assets and the velocity of security findings are far outpacing the resources responsible for enterprise security. Understanding the composition of these cyber assets may provide the key to this long-standing conundrum.
The most vulnerable asset superclasses
The cyber assets analyzed in the SCAR are categorized into five superclasses:
- DEVICES
- NETWORKS
- APPLICATIONS
- DATA
- USERS
Out of these superclasses, DATA is the most vulnerable, accounting for 59.51% of security findings.
The DATA superclass encompasses data-at-rest, data-in-motion, and data-in-use. This includes databases, S3 buckets, storage blobs, and files. The DATA superclass also includes logs, records of changes, tasks, notification channels, and secrets (encryption keys, key pairs, vaults, etc.). Images, records, and containers account for 87% of the 46.62 million findings in the DATA superclass.
The second-most vulnerable asset superclass was DEVICES, accounting for 36.84% of security findings.
Cloud hosts make up 57.2% of the DEVICES superclass, but this superclass also consists of workstations, servers, phones, tablets, containers, peripherals, storage devices, network devices, web cameras, infrastructure, and more. It also includes operating systems, firmware, and any other software native to a device. Even though DEVICES accounted for roughly a third of all security findings, they represent 96.1% of critical security findings.
Cloud sprawl challenges security teams to figure out scalability
The average security team at large organizations (500+ employees) manages 225 AWS accounts, GCP projects, and Azure subscriptions. Mid-sized organizations (50-499 employees) are responsible for securing an average of 559 accounts, projects, and subscriptions across cloud service providers. Account sprawl is a real challenge, and teams struggle to assess their state of security at scale.
The creation and use of these cloud resources are often spread across business units, purposes (development, test, production, archive), or customers. So how do teams secure the sprawling number of cloud resources that are spun up to support company innovation?
Visibility is often the first solution that people jump to - see more, uncover more, keep chipping away at the unknowns to identify known risks. Unfortunately, increased visibility is not scalable.
Increased visibility typically leads to a flood of data. However, without a means to make sense of the data, it ends up in a pool, unused and meaningless. While visibility has its place, there are better solutions available.
Context, not visibility alone, can drive decision making
Assets in isolation don’t tell the complete story – it’s how they interoperate and work together that provides value.
Threat actors have long recognized the importance of relationships. The relationship between an over-privileged user and sensitive assets is how and why social engineering and account takeover are highly successful tactics for threat actors.
Organizations likely have the information they need, but it's simply residing in siloed, unrelated systems. The dawn of big data made it possible to correlate information about consumer behavior and drive more business. Now is the time for security teams to correlate security and infrastructure information, making data-driven decisions to effectively defend their organizations.