What Can We Learn by Analyzing 197 Years of Cumulative Cybersecurity Testing?

By Carolyn Crandall, Chief Security Advocate, Cymulate

Each year, Cymulate releases a Cybersecurity Effectiveness Report that summarizes and analyzes the findings from customers’ security assessments throughout the year. Unlike other cybersecurity research, this report does not focus on the security incidents detected by security controls but rather on those gaps and events that were not detected. The report covers attack surface exposures, vulnerabilities, and attack paths to provide a more holistic view of the threat landscape and the effectiveness of today’s security solutions. It’s no longer enough to know which attacks were detected – organizations need to understand where vulnerabilities remain.

The 2022 State of Cybersecurity Effectiveness report analyzes the equivalent of 197 years of anonymized offensive cybersecurity testing within customer product environments during 2022. Those customers span various locations, sizes, and industries, providing a comprehensive view of cybersecurity resilience. While the full report contains a more thorough analysis of the findings, below, you can find a selection of the most compelling findings included in the study.

Organizations Still Haven’t Mastered the Fundamentals

One of the most concerning findings in the report was that 40% of organizations have vulnerabilities within their environments that have had patches available for more than two years. Of course, this isn’t a new threat—exploiting known vulnerabilities is just about the oldest tactic in the book. But too many organizations lag in basic cyber hygiene, failing to improve their patching cadence. The result is that many organizations have unpatched CVEs, poorly configured Identity and Access Management (IAM) solutions, and other dangerous vulnerabilities just waiting to be taken advantage of.

Part of the reason for this is that headlines too often dictate an organization’s remediation priorities. This is understandable—when a major attack makes the news, it’s only natural to want to protect your network against it. But the State of Cybersecurity Effectiveness report finds that this often leads to tactics seen in media coverage receiving attention vastly disproportionate to their actual risk level—often at the expense of more pressing threats. This is further driven home by the fact that 92% of detected exposures fall within domain security and email security. Rather than focusing on headline-grabbing threats, most organizations would find their efforts better spent doubling down on fundamentals like domain and email security.

Preventing Exfiltration Remains a Challenge

The effectiveness of data protection measures is declining, with data exfiltration risk scores worsening over the past year. This can be partially attributed to the complexity of Data Loss Prevention (DLP) and Cloud Security Access Broker (CSAB) solutions, and the cost associated with their implementation, but also to the simple fact that today’s businesses rely heavily on access to certain cloud storage platforms. Unfortunately, restricting access to those platforms without hampering business operations can be extremely difficult. As a result, cloud service-related assessments received a significantly higher risk score in 2022 than in 2021.

It isn’t all bad news, though: the report’s findings indicate that email restrictions have effectively prevented data exfiltration. A growing share of organizations are now taking advantage of native and third-party solutions to restrict what data can be shared outside the organization via email. While cybercriminals can use other exfiltration methods, this makes their job more difficult—which is always a good thing.

Although email restrictions have helped, Cymulate’s research found that social engineering remains  problematic, and Business Email Compromise (BEC) attacks remain popular among adversaries.

Tactics include CEO fraud, where the attacker impersonates a company’s CEO or other high-ranking executives to request funds or information, false invoice schemes, in which the attacker impersonates a supplier asking for payment. PII misappropriation is another tactic in which the attacker impersonates an employee from another department to gain access to protected data, continue to find success. Email protections can help, but training employees to recognize the signs of these scams will improve the security of your organization.

The Impact of Breach and Attack Simulation on Risk

By comparing data over time, the report reveals that measures like Breach and Attack Simulation (BAS) are highly successful at reducing an organization’s overall risk. By comparing the data between a customer’s first endpoint security assessment and their most recent assessment, it becomes clear that there is a significant improvement in risk reduction over time when BAS testing is performed regularly. Moreover, those results are consistent across all industries and businesses, indicating a strong correlation between BAS implementation and reduced risk.

The initial average risk score for Windows signature-based antivirus scanning was extremely high for most customers but dropped to only moderate risk following BAS implementation. The risk fell from moderate to low for Windows behavioral-based detection (EDR and XDR solutions). MacOS anti-malware defenses and Linux anti-malware defenses both fell from high risk to moderate risk. While this shows that there is still room for improvement, it also serves as a clear indicator that attack simulation has a positive impact on risk across the board.

Making Informed Cybersecurity Decisions

The 2022 State of Cybersecurity Effectiveness report makes it clear that the most dangerous threats organizations face aren’t necessarily the newest or most innovative but the same risky behaviors and poor hygiene practices that have plagued them for years. In order to address and remediate those threats, organizations need to double down on the fundamentals, training employees to recognize the signs of social engineering attacks and implementing stronger password and patching policies. But policies and training aren’t enough—continuous security validation is also needed. As organizations look for ways to reduce risk across the board, running continuous assessments can help ensure that their security solutions work as intended against today’s most pressing threats.

About the Author

Carolyn is the Chief Security Advocate and CMO at Cymulate, a leader in cybersecurity risk validation and exposure management solutions. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of effectively taking companies from pre-IPO through to multi-billion-dollar sales and has held leadership positions at Attivo Networks, Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.