Despite Rising Vulnerabilities, Majority of Organizations Don’t Perform Continuous Security Monitoring

Not enough organizations are continuously looking for risks in their IT assets. Interestingly, organizations with immature programs are more confident in their ability to manage their attack surface. Enterprises need to put monitoring regimes in place that can keep pace with technological change.

The rapid shift to digital transformation has strained security teams as much as it’s placed tremendous pressure on application development teams. And recent research from Bugcrowd shows just how strained security teams have become as they try to keep up with the expanding attack surface due to the growing list of applications and digital services they must manage and support.

The report, Attack Surface and Vulnerability Management Assessment found about 61% of survey respondents are attempting to keep up with the technological change in their organizations and how that can impact their attack surface, yet only 40% do so continuously.

The survey categorized respondents, based on criteria detailed below, into three categories: leaders, fast followers, and emerging organizations. Of those organizations surveyed, about 20% qualified as a leader when it came to attack surface and vulnerability management. In contrast, nearly half came in as fast-followers, and 39% are emerging organizations.

“The survey discovered several key differences between leaders and other respondents in their strategy for attack surface and vulnerability management. Of note, nearly three out of four leaders (72%) perform continuous attack surface management, signaling attack surface discovery frequency is a sign of maturity,” Bugcrowd said in a statement.

Not surprisingly, leaders stand above fast-followers and emerging organizations when it comes to monitoring for vulnerabilities and their attack surface. For instance, the survey said 72% of leaders continuously monitor their attack surface, while only 52% of fast followers and 3% of emerging organizations can say the same. “Additionally, 59% of leaders perform penetration testing for vulnerability discovery more often than once per month, while only 23% of fast-followers and 3% of emerging organizations do on the same frequency. However, the less mature companies report higher confidence in their attack surface and vulnerability discovery tooling and technologies, demonstrating a lack of awareness of potential risk,” the report said.

Jon Oltsik, senior principal analyst and fellow at ESG advises the lagging organizations to take notice of the security steps the leaders are taking. “Leading organizations use a diverse combination of tools, automated processes, and integrated workflows to constantly look for problems in their attack surface and vulnerability management,” Oltsik said. “They unify efforts across their organization and are proactive in taking necessary actions to mitigate any risks they discover. Perhaps most important, leaders are aware of their limitations and are much more likely to use bug bounties, crowdsourced penetration testing, and other external services,” he added.

Based on the responses of 200 cybersecurity and IT professionals, this survey was conducted by Bugcrowd in partnership with Enterprise Strategy Group. According to Bugcrowd and ESG, the respondents are directly involved with their organization’s cybersecurity strategies, controls, and operations.

The research objective was to understand the current state of the attack surface and vulnerability management in mid-sized organizations, defined as 100 to 999 employees, and enterprise-sized organizations with more than 1,000 employees. The survey data segmented the respondents by their maturity level. Maturity levels included emerging organizations, fast-following organizations, and leading organizations. The research also attempted to quantify the differences in business outcomes among the three maturity levels.

According to ESG, their maturity model is based on five questions that measure a set of cybersecurity processes, policies, and controls respondents claimed to be in place at the organization. These include the periodicity of their attack surface discovery processes, how satisfied they are with their attack surface discovery program, whether the organization believes that attack surface discovery is more difficult now than two years ago, how many penetration tests the organization conducts across all applications and assets annually, and how often the organization performs penetration tests on its most critical business assets.

Respondent responses determined the organization’s score, with each answer worth 0-3 points, and they could earn a total of 0 to 15 points. Those respondents that scored more than 12 were considered leaders, those between 9 and 11 were fast-followers, and those eight or lower were classified as emerging. Through this process, ESG determined that 20% of those surveyed were leaders, 49% fast-followers, and 32% emerging.

According to the report, organizations across the board, regardless of maturity levels and priorities, have found that attackers growing increasingly skilled and the ever-expansion of their attack surface, believe that it’s grown more difficult monitoring and defending their enterprise. “To counteract these trends, penetration testing holds strong as a standard best practice for all, while more mature organizations increasingly turn to methods that involve crowdsourcing as well as those additionally tuned to discovering and reducing risk from unprioritized assets,” they concluded.

Other significant findings from the report include:

  • Organizations’ satisfaction doesn’t clearly map to greater risk reduction. New risk reduction methods like attack surface discovery as well as evolving methods like penetration testing are handled in very different ways across different organizations. Based on the security maturity model developed for this analysis, less mature or emerging organizations report high confidence in attack surface and vulnerability discovery tooling and technologies, yet also report fewer impactful results than their more mature counterparts.
  • Mature organizations put more into and get more out of these programs. Based upon the security maturity model developed for this analysis, it’s clear that leading organizations proactively look for vulnerable assets and have processes in place to move quickly from problem discovery to remediation. Leaders also seem to have a cybersecurity culture at their organizations where cybersecurity is viewed as a shared responsibility between security, IT operations, DevOps, and software development teams. Interestingly, leading organizations are also most willing to keep investing in their programs with a goal of continuous improvement.
  • Mature organizations know their limits. While cybersecurity teams perform better at leading organizations, they’re also more conservative about their confidence in tooling, and more willing to invest in solutions that alleviate some of the work from internal teams. The data indicates that leaders are far more likely to supplement internal programs with crowdsourced penetration testing, bug bounties, and third-party services.

Additionally, the report found that leaders are more likely to incrementally support their own security efforts with crowdsourced penetration testing and bug bounty programs. “Fifty-nine percent of leaders use bug bounty programs to discover previously unknown or undiscovered attack surface, compared to 43% of fast followers and 34% of emerging organizations. Furthermore, 41% of leaders plan to use crowdsourced security platforms for penetration testing over the next 24 to 36 months compared to just 19% of fast followers and 27% of emerging organizations,” the report found.

That makes perfect sense; as organizations continue to increase their software footprint, they’re going to need all the help they can find keeping up.