Organizations only prevent six out of 10 cyberattacks
A new report shows that, on average, organizations’ security controls (such as next-gen firewalls and intrusion prevention solutions) only prevent six out of every 10 attacks.
The Blue Report 2023 study from Picus Security is based on an analysis of more than 14 million simulated cyberattacks.
However, some attack types are prevented far more effectively than others. For instance, organizations can prevent 73 percent of malware downloads but only 18 percent of data exfiltration attacks. They also prevent complex, multi-stage attacks less than half the time.
"Like a short blanket that covers either someone's head or feet, not both, security teams can only dedicate their time, money, and resources to so many problems at once," says Picus co-founder and VP of Picus Labs, Dr Suleyman Ozarslan. "They deploy their budgets and resources to cover one exposed spot, but this leaves other areas out in the cold. The Blue Report shines a light on these impossible trade-offs and how they hinder organizations’ readiness to defend themselves against the latest threats."
The report also reveals the limitations of security teams' approach to managing common vulnerabilities and exposures (CVEs). Analysis of the simulated attacks shows that the top 10 CVEs to which organizations remain most exposed are mainly critical and high-risk vulnerabilities, along with CVEs that have been known for years. Some CVEs discovered in 2019 remain a threat to more than 80 percent of organizations.
Users of security information and event management (SIEM) solutions also face decisions about how much to invest in attack detection. In most cases, organizations routinely prioritize logging over alerting but do neither very well. Simulation data shows that, on average, organizations log four out of 10 attacks but only generate alerts for two in 10 attacks.
"Since preventing and detecting every threat is practically impossible, security teams will always have to prioritize some aspects of security more than others," adds Dr Ozarslan. "Fortunately, there is an approach that can help them improve their performance. By adopting a more unified approach that incorporates insights from attack simulations combined with attack surface and vulnerability data, security teams can allocate resources efficiently and effectively to address their most critical exposures. As a result, they can simultaneously improve their ability to prevent and detect attacks, rather than making trade-offs between them, and sleep better at night."
You can get the full Blue Report 2023 from the Picus site.