2023 Navigating the Paths of Risk
Partner: XM Cyber
Security teams are drowning: the typical organization carries around 11,000 exploitable exposures. Traditional vulnerability management treats each CVE as an isolated issue and so never sees how attackers chain vulnerabilities and misconfigurations to move laterally. This report analyzes over 60 million exposures to shift the focus from individual bugs to "attack paths", the chains of exploitable steps that lead to critical business assets.
The analysis brings good news: 75% of identified exposures are dead ends that cannot reach a critical asset. Once those are deprioritized, teams can concentrate on the roughly 2% of exposures that sit on "choke points", the junctions where many attack paths converge. The report quantifies the efficiency of this approach: fixing the game-over choke points amounts to a 99.6% reduction in remediation scope compared with treating every exposure equally.
Active Directory (AD) and identity management emerge as the primary theaters of risk, affecting 82% of organizations. The ease with which attackers pivot from on-prem to cloud is another major concern: 71% of organizations have attack paths that enable this transition. This research provides the evidence needed to move toward Continuous Threat Exposure Management (CTEM).
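The dead-end versus choke-point distinction is a graph problem, and it is easier to see on a small graph than in percentages. The following Python example is added here for illustration; it is not code from the report or from the XM Cyber platform, and the attack graph it runs on is constructed (hostnames, entry point and critical assets are assumptions). Nodes are entities carrying an exploitable exposure, an edge A -> B means compromising A gives a usable step to B. The code enumerates entry-to-critical paths, classifies exposures as dead ends or on-path, ranks intermediate nodes by how many paths pass through them, and measures how many paths a given fix eliminates.

```python
from collections import defaultdict, deque

# Constructed sample attack graph (assumption, not data from the report).
SAMPLE_GRAPH = {
    "ws01": ["ws02", "jump01", "print01"],      # phished workstation (entry point)
    "ws02": ["dc01", "file01"],                 # shared local-admin password
    "jump01": ["dc01"],                         # cached domain-admin credential
    "print01": [],                              # printer: nothing further to reach
    "file01": ["legacy-share"],                 # file server leading only to a stale share
    "legacy-share": [],
    "dc01": ["erp-db", "azure-tenant"],         # domain controller: on-prem and cloud pivot
    "erp-db": [],                               # critical asset
    "azure-tenant": [],                         # critical asset (cloud)
}
SAMPLE_ENTRIES = {"ws01"}
SAMPLE_CRITICAL = {"erp-db", "azure-tenant"}


def reachable_from(graph, start):
    """Breadth-first search: every node an attacker can reach from `start`."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def attack_paths(graph, entries, critical):
    """Enumerate simple paths from any entry point to any critical asset."""
    paths = []

    def dfs(node, trail):
        if node in critical:
            paths.append(list(trail))  # stop at the first critical asset on this trail
            return
        for nxt in graph.get(node, []):
            if nxt not in trail:       # simple paths only, so cycles terminate
                trail.append(nxt)
                dfs(nxt, trail)
                trail.pop()

    for entry in sorted(entries):
        dfs(entry, [entry])
    return paths


def choke_points(paths, entries, critical):
    """Rank intermediate nodes by the number of attack paths passing through them."""
    counts = defaultdict(int)
    for path in paths:
        for node in path:
            if node not in entries and node not in critical:
                counts[node] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def classify_exposures(graph, entries, critical):
    """Split reachable exposures into dead ends and exposures on some attack path."""
    reachable = set()
    for entry in entries:
        reachable |= reachable_from(graph, entry)
    exposures = reachable - entries - critical
    on_path = {n for n, _ in choke_points(attack_paths(graph, entries, critical), entries, critical)}
    return exposures - on_path, exposures & on_path


def remediate(graph, fixed):
    """Copy of the graph with the fixed nodes, and every edge into them, removed."""
    return {n: [m for m in nbrs if m not in fixed] for n, nbrs in graph.items() if n not in fixed}


def remediation_impact(graph, entries, critical, fixed):
    """Path count before and after fixing `fixed`, plus the fraction eliminated."""
    before = len(attack_paths(graph, entries, critical))
    after = len(attack_paths(remediate(graph, fixed), entries, critical))
    return before, after, (before - after) / before if before else 0.0


if __name__ == "__main__":
    dead, on_path = classify_exposures(SAMPLE_GRAPH, SAMPLE_ENTRIES, SAMPLE_CRITICAL)
    paths = attack_paths(SAMPLE_GRAPH, SAMPLE_ENTRIES, SAMPLE_CRITICAL)
    ranked = choke_points(paths, SAMPLE_ENTRIES, SAMPLE_CRITICAL)
    print(f"{len(dead)} of {len(dead) + len(on_path)} exposures are dead ends: {sorted(dead)}")
    for path in paths:
        print("  " + " -> ".join(path))
    print("choke points (paths through node):", ranked)
    top = ranked[0][0]
    before, after, cut = remediation_impact(SAMPLE_GRAPH, SAMPLE_ENTRIES, SAMPLE_CRITICAL, {top})
    print(f"fixing {top}: {before} paths -> {after} ({cut:.0%} eliminated)")
```

On the sample graph three of the six reachable exposures (the printer, the file server and the stale share) are dead ends, all four entry-to-critical paths run through the domain controller, and fixing that single node removes every path, while fixing the shared local-admin password on ws02 removes only half of them. The same ranking, run on a real exposure inventory, is what turns "fix 11,000 things" into "fix the few that every path needs".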
Key Findings
- The 11,000-Exposure Load: Organizations typically manage 11,000 security exposures, but larger enterprises can have over 250,000.
- Dead-End Dominance: 75% of all exploitable exposures lead to dead ends that never reach a critical business asset.
- Choke Point Efficiency: Remediating just the 2% of exposures that lie on attack path choke points can practically eliminate all paths to critical assets.
- Short Attack Paths: Attackers can reach 70% of critical assets in on-prem networks within three steps; in the cloud, 90% of critical assets are a single hop away.
- The AD Vulnerability: Techniques targeting Active Directory and credentials affect 82% of organizations.
- EDR Coverage Gaps: 38% of firms have endpoint detection and response (EDR) running on less than half of the devices in their environment.

Independent analysis by Cyentia Institute of 60 million exposures affecting 10 million entities across the XM Cyber platform in 2022.