Skybox Security has released the results of its 2016 Trends Report: Analyzing the Attack Surface. Prepared for Skybox by the research firm CyberEdge Group, the report details findings from a global survey of 275 IT professionals at enterprises and government agencies with more than 500 employees. It presents data on how IT organizations are using automated tools to identify, analyze and prioritize vulnerabilities and misconfigurations concealed on their networks — physical, virtual and cloud.
Among the key findings: organizations are least automated (and least confident) in areas related to (a) collecting data about virtual and cloud-based systems and applications and (b) analyzing and remediating firewall rules that violate policies and regulations. These are the areas, therefore, with the most room for improvement in the immediate future, especially considering that many organizations are quickly transitioning to hybrid IT networks and regulatory requirements worldwide are increasing and becoming more strict.
For example, while a near-perfect 92 percent of organizations use automated tools to detect vulnerabilities on hosts and servers, only 54 percent use automated tools to assess security controls on cloud-based systems and applications.
The data points to other areas that need improvement, particularly for tasks involving remediation and provisioning. Although most organizations automate the process of pushing patches (between 74 and 81 percent), approximately half of the organizations (between 44 and 53 percent) have primarily or completely manual processes for most other areas. This includes: remediating misconfigurations on servers and network devices, systems and data access rules, and firewall rules that violate policies; provisioning firewalls, firewall rules and security.
“The lack of an automated approach among so many organizations is alarming, especially when you consider that the industry is experiencing a severe shortage of security professionals,” said Skybox Director of Product Marketing Kevin Flynn. “And in the very near future, regulations will become more burdensome — and the consequences of not meeting those regulations more painful — so organizations should really be investigating tools that automate configuration, vulnerability and policy management.”
Additional key findings:
- The extent of satisfaction that IT professionals have with their current capabilities tends to go hand-in-hand with the extent of automation for processes related to vulnerabilities and misconfigurations.
- Having an attack surface visibility tool had a particularly strong impact on an organization’s satisfaction with its ability to address compliance issues and regulatory requirements.