A new report from cybersecurity firm XM Cyber Inc. has found that three-quarters of security exposures don’t put organizations at risk, but a small number of exposures can put more than 90% of critical exposures at risk.

The exposure findings were among various takeaways in XM Cyber’s second annual research report, Navigating the Paths of Risk: The State of Exposure Management. Produced in collaboration with the Cyentia Institute, the report found that with advanced tooling, modern security teams are faced with an overwhelming volume of exposures to validate and analyze, even though most uncovered exposures don’t lead to critical assets.

The research analyzed more than 60 million exposures in more than 10 million entities, both on-premises and in the cloud, finding that the average organization has 11,000 exploitable security exposures in a given month, with up to 250,000 exposures in larger enterprises. The numbers highlight the need for more efficient exposure remediation to remain ahead of the attack curve.

The finding that 75% of exposures along attack paths lead to “dead ends” is somewhat surprising. The dead ends cannot and do not affect critical assets and therefore represent minimal risk. Only 2% of security exposures were found to be located on “choke points” — entities through which multiple attack paths converge en route to critical assets. The report argues that organizations can maximize risk reduction by focusing efforts on remediating exposures at these choke points while minimizing remediation workload amongst security and IT teams.

“Security teams are inundated with increasing volumes of alerts and attackers are actively exploiting this,” Zur Ulianitzky, vice president of Research at XM Cyber, said in a statement. “As illustrated by our research, the vast majority of security alerts are benign and do not lead to critical assets.”

Ulianitzky added that threat actors are not working any harder than they have to and most find success with attack paths that are simple and short. “By diligently focusing remediation efforts on first and foremost eliminating the 2% of exposures which provide attackers with seamless access to critical assets, organizations can significantly reduce their risk without adding any additional strain to security teams,” he said.

Other findings in the report include the importance of having robust security controls for both cloud and on-premises environments. Some 71% of organizations were found to have exposures in their on-premises networks that put their critical assets in the cloud at risk.

The research also reveals that attack techniques targeting credentials and permissions affect 82% of organizations. Many organizations overlook attack paths that leverage credentials and permissions, with attackers preying upon trusted administrative services and identities to execute attacks.

Commenting on the report, Mike Parkin, senior technical engineer at cyber risk management company Vulcan Cyber Ltd., told SiliconANGLE that there are a few significant takeaways from the XM Cyber report, starting with the finding that only a small fraction of exploitable vulnerabilities lead to significant compromise.

“Even when only a few of them could be considered significant, it doesn’t mean we can discount even those minor breaches,” he said. “A threat actor in the environment can still do considerable damage, even if they don’t have immediate access. If they can gain persistence on a low-value target, they have a chance down the line to escalate when a better opportunity presents itself.”

Parkin added that “the second significant finding reinforces something we, in the cybersecurity community, have been saying for a while, namely that misconfigurations and compromised credentials are still a major risk.”

Image: XM Cyber