Organizations are facing higher risks of cyberattack as criminals exploit unknown or unmanaged internet-facing assets, says JupiterOne.
IT and security professionals are being asked to manage an increasing number of files, data, apps and other assets. And beyond the sheer volume, assets can reside in a variety of places, from local systems to networks to the cloud. This proliferation creates a security risk, as attackers can take advantage of assets that are poorly managed or even unknown. A report released Tuesday by security provider JupiterOne looks at the security hazards associated with this deluge of cyber assets.
For its “2022 State of Cyber Assets Report,” JupiterOne analyzed cyber asset inventories and user queries from customers of its Cyber Asset Attack Surface Management (CAASM) platform from Sept. 28 to Oct. 5, 2021. The results included more than 372 million security findings from across 1,272 organizations, including enterprise, midsize and small businesses.
In its research, JupiterOne found that cyber assets are growing at a breakneck pace for many organizations. Beyond the scale, assets are increasingly scattered across multiple locations, such as local machines, remote workplaces, large networks and last but not least, the cloud. In terms of security, this situation leads to an expanded attack surface through which cybercriminals can exploit unknown, unmanaged or poorly managed internet-facing assets.
The asset explosion is putting stress and strain on security professionals tasked with their protection. JupiterOne discovered that today’s security teams are responsible for as many as 165,000 cyber assets, including cloud workloads, devices, applications, network assets, data assets and users. The ratio of cyber assets to users is 564 to 1, which means that security professionals are outnumbered.
Spurred on by the pandemic, the growing migration to the cloud has added complexity to cybersecurity. Almost 90% of the device assets seen by JupiterOne are cloud-based, which means that physical devices such as laptops, tablets, smartphones, routers, and IoT hardware account for only 10 percent of total devices. However, among all of the security policies examined, cloud-specific ones represented less than 30%.
The report also examined the relationships between different types of assets to see how they interact with each other. Such assets as data, apps, devices and users can have first-degree relationships, meaning direct access between any of them. More complex are second-degree and third-degree relationships, which take a more circuitous route among different assets but can be exploited by attackers. These more indirect relationships often go unanalyzed by security professionals, as only 8% of the user queries seen by JupiterOne considered them.
“Security practitioners struggle with conflicting data from different tools and constant change,” said Jasmine Henry, field security director at JupiterOne. “The ability to compile asset data and metadata from multiple sources is mandatory to better understand asset relationships and dependencies. True risk is often caused by toxic combinations, such as a misconfigured critical asset with too few access restrictions.”
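The relationship degrees and the "toxic combination" described above can be worked out from an asset graph with a bounded breadth-first search. The following is an added example, not code from the report or from JupiterOne's platform; the asset names, attributes and access edges are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory (not from the report): asset -> attributes.
ASSETS = {
    "lb-public":   {"type": "device", "internet_facing": True},
    "web-app":     {"type": "app"},
    "svc-role":    {"type": "user"},
    "orders-db":   {"type": "data", "critical": True, "misconfigured": True},
    "hr-share":    {"type": "data", "critical": True},
    "build-agent": {"type": "device"},
    "logs-bucket": {"type": "data", "misconfigured": True},
}
# Constructed directed "has access to" relationships between assets.
EDGES = {
    "lb-public": ["web-app"],
    "web-app": ["svc-role", "logs-bucket"],
    "svc-role": ["orders-db"],
    "build-agent": ["hr-share"],
}

def relationship_paths(start, max_degree=3):
    """BFS: shortest access path from start to each asset within max_degree hops."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) - 1 == max_degree:
            continue  # do not expand beyond the requested degree
        for nxt in EDGES.get(node, []):
            if nxt not in paths:  # first visit is the shortest path
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    del paths[start]
    return paths

def toxic_combinations(max_degree=3):
    """Critical, misconfigured assets reachable from an internet-facing asset."""
    findings = []
    for name, attrs in ASSETS.items():
        if not attrs.get("internet_facing"):
            continue
        for target, path in relationship_paths(name, max_degree).items():
            t = ASSETS[target]
            if t.get("critical") and t.get("misconfigured"):
                findings.append((target, len(path) - 1, path))
    return findings

if __name__ == "__main__":
    for target, degree, path in toxic_combinations():
        print(f"{target}: degree {degree} via {' -> '.join(path)}")
```

Limiting the same query to first-degree relationships (`max_degree=1`) returns no findings for this inventory; the exposed database only appears at the third degree.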
To help organizations struggling to better manage and secure their cyber assets, Henry offers the following recommendations:
Make security a priority. Make security a priority and not just an afterthought. This means setting up basic cyber hygiene practices, including mandatory security training for all employees, enforcing data governance, managing identity and access controls and gaining insight into all your cyber assets through automated asset inventory.
Automate your security. Security automation is required at every phase of the asset lifecycle. To address security risks, you need the right tools to be able to identify new assets and map out the relationships among them. Security professionals also need to include automated security in the DevOps pipeline so that assets created by developers can be encrypted or protected from the get-go.
Take responsibility for cloud-based security. Although cloud providers are responsible for the security of their own data centers and related functions, security is a shared responsibility. This means that an organization’s security teams are ultimately responsible for cloud data and other assets. Think of it this way. The cloud provider handles the security of the cloud. The organization handles security in the cloud, meaning data, apps and network controls.