Palo Alto Cortex Xpanse Researchers identify missing metric for a modern SOC

May 24, 2021

Palo Alto Cortex Xpanse research team spent the first three months of 2021 monitoring the activities of attackers to better understand how much of an edge adversaries have in detecting systems that are vulnerable to attack. They followed a benchmark that they call “mean time to inventory” (MTTI), which is simply how long it takes somebody to start scanning for a vulnerability after it’s announced.

Xpanse research found 79% of observed exposures occurred in the cloud. The cloud is inherently connected to the internet and it’s surprisingly easy for new publicly accessible cloud deployments to spin up outside of normal IT processes, which means they often use insufficient default security settings and may even be forgotten. "Asset leak is likely inevitable when an expanding cloud attack surface is combined with more traditional factors that bypass change control (such as mergers and acquisitions), supply chain and the Internet of Things. But that doesn’t mean enterprises should accept the risk. Tracking an ever-changing infrastructure landscape is an almost impossible task for humans and requires an automated approach, both to discover unknown assets and ensure they are secure," Palo Alto researchers say.

Vishal Jain, Co-Founder and CTO at Valtix, says, "I’m not at all surprised at the findings - connectivity in the cloud is ubiquitous, but more importantly, the cloud environment is dynamic. Instantaneous app deployment, responsive infrastructure and self-serve is the norm in the cloud. Such a dynamic environment is a poor fit for security capabilities built during a time when infrastructure was static, and change was highly controlled. So yes, ever-changing infrastructure requires automation, and extensive visibility, but also a different set of assumptions than was common when appliance-based solutions were developed."

"What needs to be done to secure this is the creation of a strong cyber asset management program. Traditional CMDB technologies haven't made the leap to cloud native, and as such, can't properly collect and continuously detect changes in those infrastructure instances," says Tyler Shields, CMO at JupiterOne. "Additionally, the speed at which companies are moving to the cloud is really making the growth of cloud native assets explode. If you don't have a good grasp of your cyber asset infrastructure, and how those infrastructure components all inter relate to each other, it's going to be impossible to secure that environment. This is evidenced by the research done at Expanse.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.