CyCognito announced new research in partnership with Enterprise Strategy Group (ESG) that revealed most security professionals recognize that attack surface protection is important, but their operational practices and tools used aren’t up to the challenge.
The new report, Gaps in Attack Surface Monitoring and Security Testing for Cyber-risk Mitigation, was based on a survey of 200 cybersecurity and IT professionals who are directly involved with their organization’s cybersecurity strategies, controls, and operations. Respondents came from companies with at least 4,000 employees in industries like technology, manufacturing, financial services, and healthcare, among others. According to 98 percent of survey respondents, attack surface monitoring is a “Top 10” security priority at organizations. But that positive perspective belies what is actually being done. A deeper analysis of survey responses reveals significant gaps across attack surface monitoring coverage and cadence.
The reality is that organizations struggle to get even limited visibility into their complete attack surface, despite investing resources across a broad range of piecemeal solutions and processes. The report finds that organizations focus only on assets they already know exist and therefore never know about significant portions of their attack surfaces. That exposes them to attackers that target blind spots specifically because they are unmonitored by organizations. The practice of scrutinizing the known and ignoring the unknown is a form of “security theater” where security teams are doing something, but it does little to improve the security of their organizations. Additionally, despite its self-evident criticality, many organizations use an assortment of tools and manual processes for attack surface monitoring, making the process fraught with operational complexity, human error, and best-guess analysis.
“Why is attack surface monitoring so critical? To paraphrase an old business adage, ‘You can’t manage what you can’t measure,’” said Jon Oltsik, ESG senior principal analyst and fellow. “By discovering and monitoring these assets, security professionals can then find the ‘path of least resistance’ that hackers may use as a doorway to penetrate corporate networks and commence a cyber-attack. Armed with this intelligence, security teams can close the gaps, fine-tune security controls, and develop countermeasures.”
Other key findings from the report include:
- Attack surface monitoring typically involves only the known attack surface. As a result, attack surface visibility is limited. Many organizations never know about numerous attack surface assets, exposing them to unknown and likely easily fixable cyber-risks.
- Security testing remains separate, and periodic. Rather than tight integration between attack surface monitoring and security testing, many organizations keep these activities stovepiped and continue to conduct security testing — such as penetration tests — only on a periodic basis. While penetration tests are valuable, they are limited in scope due to costs and rarely identify out-of-scope attack surfaces, leaving organizations open to cyber-attack.
- Organizations must create a continuous closed-loop process between attack surface monitoring and security testing. The attack surface grows and changes all the time, opening new conduits for attackers to penetrate organizations as well as leaving business systems exposed. To get ahead of this, CISOs must create a closed loop that starts with attack surface monitoring, proceeds immediately to security testing and risk prioritization, and concludes with the right remediation actions like controls adjustments or new security investments.
“It’s great to see the validation that monitoring all aspects of an organization’s attack surface and testing for critical weaknesses has become a point of emphasis across all industries, but the data in this report shows there is still much work to be done,” said Rob Gurzeev, CEO and co-founder, CyCognito. “Because so many organizations are using inefficient and costly legacy processes to manually monitor and test their attack surfaces, they’re not able to discover the paths of least resistance that attackers are likely to target first.”
- 68 percent of organizations have experienced an attack originating from an unknown, unmanaged, or poorly managed company asset. Even more (75 percent) expect they will experience this type of attack in the future.
- Security testing must be done frequently across all vulnerable attack surface assets to maximize benefits. 98 percent say testing is a Top 10 security issue, yet only 43 percent claim they perform penetration testing continuously, and only 9 percent claim to test 100 percent of their entire attack surface.
- Nearly half of organizations do not include SaaS applications and public cloud workloads in their definition of “attack surface.” Similarly, less than half consider partners and affiliates as extensions of their “attack surface.” Organizations need scalable methods to continuously discover unknown and unmanaged assets, including those in cloud, vendor, partner, and subsidiary environments.
To download the complete report, visit: https://www.cycognito.com/research-report-learn-how-security-testing-and-attack-surface-monitoring-work-together