How Effective Were Cybersecurity Controls in 2021?

We’re In an era when quantifying and measuring cyber-risk management effectiveness is usually based on assumptions. As a cyber security veteran, I have always had a respect for in-depth data analysis.

In this spirit, we have dived into our annual study that we call the State of Cybersecurity Effectiveness where I have been able to replace inference with empirical facts and replace subjectiveness with objective findings.

With the thorough overview offered by a global offensive testing platform covering all verticals and organizations’ sizes, such as Cymulate, I benefitted from unfettered access to the metadata generated through the over one million assessments run. Mining these data yielded prime information on organizations’ degree of preparedness, their strengths, and weaknesses, as well as providing a fascinating understanding of the effect of mitigation efforts against the ever-growing tide of cyber-risks. 

 

Key Findings: 

  • Critical takeaways with prescriptive advice per region and industry to ensure 2022 is a successful year with dramatically reduced risk and resiliency against threats.  
  • Interesting overview of the most critical attacks and exploits seen in 2021, including the ones that were most difficult to remediate against. 
  • A fascinating look at 2021s worst attack vector. While todays world heavily relies on web-based applications, organizations across the board had great difficulty protecting against exploits taking advantage of this vector. Fine-tuning Web Application Firewalls (WAF) and strengthening application security are essential for everyone going forward. 
  • The banking and finance, and manufacturing verticals are doing well, the critical infrastructure vertical suffers from specific weaknesses they must improve on, and, despite its presupposed understanding and knowledge of digital technology, the technology vertical fared the worst. 

Industry Risk Score

  • By Region APAC and EMEA have done better than the Americas, which experienced remediation issues. 

Regional charts

  • Looking at the recon phase of the kill-chain, we uncovered critical issues around organizations’ external attack surfaces, laying bare fundamental website issues, such as exposed accounts, hacked email accounts, and lack of good email security hygiene. 

Key Takeaways: 

The research also yielded five top cybersecurity takeaways for 2022, covering every industry and region. The data point at elements that everyone must incorporate to effectively reduce cyber risk within their organization: 

  1. The least Privileges and MFA are essential Many of the attacks seen in 2021 were able to gain access because MFA was not enabled and was subsequently able to expand by leveraging inadequately locked accounts, enabling attackers to install software, open power shells, run unrequited scripts, and more. 
  2. This is the era of EDR and the end of Microsoft macros The majority of attempted attacks are stopped or hampered by effective and updated signature-based detection methodology. Not having EDR installed and tuned on your user and server instances is a grave mistake. Finally looking at the most successful attacks in 2021, Microsoft macros were often used to bypass defenses very effectively. As most enterprises do not utilize them, they should be disabled by default. 
  3. Evaluate and protect your organization’s critical services applications:  Exchange, Active Directory, and Certificate Services. When these services are compromised, we found most enterprises were in a “rip and replace” situation where the ability to remediate became exceedingly difficult to accomplish without a heavy lift in resources. 
  4.  Third-Party, Supply Chain, and DevOps Cybersecurity are necessary. In view of the level of interconnectivity between enterprise partners and vendors, and with SaaS becoming the preferred enterprise architecture, gaining visibility and securing proprietary infrastructures from partners and supply chain-based software is crucial. The rise of DevOps and agile development has been both a blessing and a curse. Though pushing out changes has accelerated dramatically and immensely benefitted business operation and revenue, unfortunately, it also accelerated security drift as misconfigurations and vulnerabilities were also introduced faster. Incorporating efficient security testing and validation into CI/CD pipelines is fundamental to long-term success. One option to reduce risk from emerging threats and newly introduced vulnerabilities is by incorporating actionable intelligence into quick to test routines. The data from Cymulate’s users demonstrates that the ability to assess their infrastructure safely against the latest threats in near real-time enables shoring up defenses and reducing risk. The best proof is that new users reduced their risk exposure by twenty-five points on average within the first three months. 

Monthly Risk Score

In assessing continuous security validation effectiveness, the overall outcomes, despite the rise in the number and severity of vulnerabilities and attacks in 2021, the year-over-year risk score stability demonstrates that organizations who use continuous validation technologies are effective in fighting cyberattacks. Such data includes: 

  • New users, as seen above, quickly see the benefits of continuous security validation. They dramatically reduce risk within 3 months and closely shadow experienced users per vector in results. 
  • Purple teaming practice and advanced testing scenarios became widely adopted in 2021. Those who incorporated purple teaming effectively bridged the communication gap between blue and red teams and saw pen-testers and red teamers teaming up with the SOC ream members, security analysts, and DevSecOps. 
  • Attack-Based Vulnerability Management (ABVM) advanced vulnerability prioritization technology capabilities save users from drowning in data and provide them with a prioritized vulnerability patching schedule that is laserfocused on reducing risks specific to the organization instead of abiding by generic patching cycles.
     

I encourage everyone to read the full report. Here is to a bright and secure 2022.