There isn't a security leader today who doesn't worry about resources — be it money, human capital, or tools. Security is often a game of trying to do more with less and staying just enough ahead of the proverbial bear so that malicious actors go for easier, more appealing targets.
Despite their limited resources, security teams regularly approach organizational security with a massive list of exposures that need to be remediated. Based on our internal research on 60 million exposures and thousands of attack paths, organizations typically have over 11,000 security exposures that attackers can exploit (and large organizations often have 20 times that number). To add further color, Cisco found that at 75% of organizations, more than one in four assets can be exploited easily. Most security teams are likely aware of this to a degree, but because the list of exposures expands every hour, it can feel nearly impossible to get ahead of them. This is especially concerning considering the lack of resources, which seems poised to deteriorate even further with current economic headwinds.
The 2023 World Economic Forum Global Cybersecurity Outlook puts it this way: "Many organizations have too many assets on their network to identify the key risk points, or even to map their assets. This makes it difficult to assess where and how much money should be spent. Without a way to clearly map risks to value-creating assets or processes, as well as a plan of action arising from this, it is hard to quantify and justify the resources that should be allocated to mitigating them."
So why continue trying to remediate enormous lists of vulnerabilities?
To do more with less, organizations need to be more targeted in their efforts. Of course, most organizations categorize vulnerabilities (CVEs) by severity, but even trying to address just critical vulnerabilities is more than many organizations can do reliably. Thus, teams need to go one step further and move from a visibility-centric approach to a remediation-centric approach. To accomplish this, the focus should be stopping attackers at choke points.
What Is a Choke Point?
Cutting off the enemy at choke points has been a military strategy for as long as history has been written, immortalized by tales like the one about the 300 Spartans who delayed an enemy army many times its size because it fought in a narrow mountain pass at Thermopylae. In security, this same approach can be used to great effect — teams can defend the places where multiple attack paths must traverse before they reach a critical asset.
By defending at these choke points, you can massively reduce the number of exposures that must be addressed. Our in-house research found that only 2% of exposures lie on choke points, reducing that 11,000 number to just a couple hundred exposures that need to be remediated.
Know Your Environment
Telling teams to defend their choke points is great if they know precisely where to defend. Having an excellently defended point that the enemy completely ignores is a waste of time and resources. To know where to defend, you must map out your organization's assets and attack paths. While providing step-by-step instructions on how to accurately map out your environment would be another — much larger — article, understanding the most common techniques used by attackers is an effective building block.
Our research indicates that one of the most overlooked techniques is attackers leveraging credentials and permissions, with 82% of organizations affected by techniques targeting credentials and permissions.
The other major blind spot we see is Active Directory attacks, which make up 72% of all exposures. This is of particular concern because Active Directory presents a huge attack surface and can be highly complex and difficult to understand. To dive into this issue, I recommend taking a look these examples from Microsoft's Detection and Response Team.
Once you have accounted for common attack paths and have an attack graph, you can see the places where the paths converge — yes, those choke points — and focus the majority of efforts there. Instead of trying to address myriad exposures one by one, you can slash multiple exposures in one fix for more efficient remediation.
Shift Your Mindset
There is much more involved in mapping and understanding your environment, but at minimum I hope I've helped you think about your broader approach to security. It does require you to shift your mindset, but by focusing on remediation rather than visibility, organizations can spend their time more efficiently by defending choke points. When this is done effectively, you can mitigate risk optimally while reducing the security and IT team's workload.