A new study warns that the vast majority of organizations still struggle with security hygiene and posture management, and 69% of organizations admit they had experienced at least one cyberattack that started through the exploitation of an unknown or unmanaged internet-facing asset, including software, cloud-based workloads, user accounts, and IoT devices.
The study, conducted by the Enterprise Strategy Group on behalf of JupiterOne, found that 86% of organizations believe they follow best practices for security hygiene and posture management. However, 70% of organizations say they use more than 10 security tools to manage security hygiene and posture management, which raises concerns about data management and operations overhead.
“The data demonstrates that many organizations continue to address security hygiene and posture management tactically on a technology-by-technology basis,” said Jon Oltsik, principal analyst and ESG Fellow, who wrote the report. “ESG believes that CISOs should take a more holistic approach to security hygiene and posture management by adopting technologies and processes for discovering assets, analyzing data, prioritizing risks, automating remediation tasks, and continuously testing security defenses at scale.”
In a dramatic but unsurprising finding, some 73% of security professionals admit they still depend on spreadsheets to manage security hygiene and posture at their organizations. As a result, 70% of respondents say that security hygiene and posture management has become more difficult over the past two years as their attack surfaces have grown.
With cloud migration and business agility as the strategy of the decade, it’s not terribly surprising that most organizations have lost control over what their internet-facing perimeter consists of, said Oliver Tavakoli, CTO at Vectra. “The ease with which developers can stand up new services and expose them to the internet is one of the realities of the epoch we find ourselves in,” Tavakoli said.
Jake Williams, co-founder and CTO at BreachQuest, said for several years, we’ve known that hardware and software inventory are the pillars of a cohesive security architecture. That’s why hardware and software inventory have been No. 1 and No. 2 on the prioritized list of CIS Critical Security Controls for as long as anyone can remember, Williams said.
“Given the ease with which assets can be provisioned in cloud environments, it’s no surprise that many of those assets end up constituting an unmanaged attack surface,” Williams said. “Many organizations provision cloud assets from images they did not build themselves, such as using base images from Docker Hub. Because they didn’t build the original image, they are often unaware of the underlying software components and as such fail to perform adequate vulnerability management.”
Bud Broomhead, CEO at Viakoo, said as the attack surface has shifted to unmanaged and IoT devices, the traditional IT approaches simply don’t work. Broomhead said it’s not the number of tools used, it’s whether they are the right tools, and many organizations are just beginning to deploy patching, certificate, and password solutions that can work with both unmanaged and IoT devices.
“It’s not surprising that a 69% majority of organizations have experienced an incident, but without using cyber hygiene solutions specifically designed for unmanaged and IoT devices, these numbers will continue to grow,” Broomhead said.
John Bambenek, principal threat hunter at Netenrich, added that it isn’t surprising that so many organizations were breached because of unknown or unmanaged internet-facing resources.
“The legacy of DevOps and agile development has been little if any security review, much less change control, before things ship to production,” Bambenek said. “When engineers tout innovation under the mantra of ‘go fast and break things’ that’s exactly what happens. But on the bright side, I have unlimited job security, so there’s that.”