What is Attack Resistance Management?
A Security Survey on How to Close Your Organization's Attack Resistance Gap


Attack Resistance Management is the management of human security tests on your attack surface designed to increase your resistance to attackers. It is a cross-functional and continuous approach to improving security effectiveness and reducing risk.


While working with thousands of customers, we observed that digital transformations create an expanding attack surface, leaving gaps in most organizations’ security capabilities and processes.


To better understand and measure this gap, we surveyed over 800 security buyers across the U.S. and Europe and published our findings in The 2022 Attack Resistance Report. We asked about security practices, attack surface management, and how they understood their attack resistance. Of the organizations surveyed, only 63% believe their team can protect their attack surface. And nearly half of those surveyed lack confidence in their ability to address the risks introduced by this gap.

The Gap—Why Organizations’ Attack Resistance is Low

Organizations face shortcomings in four key areas: attack surface management, infrequent testing, inadequate security testing tools, and a security talent shortage. Combined, these create the attack resistance gap. Our survey found the latter two areas, inadequate tools and understaffed or unskilled security teams, to be the most severe issues. The four attack resistance gap components are shown in Figure 1 below.

[Figure 1: Key components for attack resistance]
  • Incomplete Knowledge of Attack Surface: Organizations can’t defend what they don’t know about, and gaps in their attack surface make it impossible to assess risk accurately. In some ways, this is the most foundational of the four components. Many of the surveyed organizations scan their attack surface frequently—however, over 90% acknowledge they have blind spots. Questions that arise include: What assets are missing? How is the shape and size of your organization’s attack surface changing? How long is too long to have an unknown asset on your organization’s network? Answers to these questions are crucial and must be confirmed regularly.
  • Testing Frequency Does Not Keep Pace with App Updates: Continuous delivery and deployment are common practices. Your development team is likely to be pushing software updates weekly. It is intuitively insufficient to update production assets regularly and leave them untested, yet only one in three applications is tested more than once a year.
  • Shallow Scanning Tools: Automated scanning tools look for and reliably find common and well-known vulnerabilities. Scanners can be the fastest, cheapest, and most effective tool available in these cases. But scanners can’t find vulnerabilities they’re not programmed to see—the unknown unknowns. Your organization needs the human ingenuity of ethical hackers to find a different class of vulnerabilities that no technology can. These are the most critical and complicated vulnerabilities that scanners miss.
  • Untested or Unavailable Skills: With an industry-wide talent shortage, hiring security talent that understands new technologies, not to mention custom APIs and legacy applications, is challenging. Your organization may have a strong security team, but development resources likely dwarf it. Keeping up is a challenge, leaving no time for offensive exercises or other proactive tests.